'Light Touch' or 'Soft Touch' - Reflections of a Regulator Implementing a New Privacy Regime
Delivered at National Institute of Governance - Canberra and Committee for Economic Development of Australia - Melbourne
Malcolm Crompton Privacy Commissioner
Introduction(1)
When I became Privacy Commissioner in April 1999, few people could have imagined the dramatic changes in the environment that have taken place by the end of my term. This is symptomatic of the times, and the tough environment, in which many regulators must operate.
The approach that the Office of the Privacy Commissioner has adopted to regulating in this environment was strategic and deliberate. It scanned the environment and then set its course. Having taken this course, it seems appropriate and timely to take stock of whether or not the Office's approach was successful.
The Office's approach to regulating privacy has caused some controversy. For example, has the Office been in the pocket of the big end of town or has it failed to act sufficiently strongly against organisations that breach provisions of the Act? Or has the Office in fact taken too tough a stance, as has been claimed elsewhere?(2)
This can partly be attributed to the mix of the light touch nature of the private sector legislation the Office was given to implement as well as the Office's particular approach to its implementation.
In order to achieve their aims, governments must be able to make decisions and give effect to their decisions. They are held to account for their decisions and actions and hold to account their agencies and other agents.
The last three decades in Australia have seen enormous focus on reform to improve performance and accountability of governments and their instrumentalities, starting with the Whitlam Government. Almost all of this reform has focussed on two sectors: policy formulation and decision making; and service delivery. Service delivery reform has included significantly increased reporting obligations and budget reform, specific reform packages and frameworks for government business enterprises and other service delivery bodies, privatisation, and outsourcing.(3)
With few exceptions, however, these reforms have paid little attention to the performance of a very important 'third sector' in the machinery of government. This third sector is the sector that regulates the activities of others but delivers little itself directly. Considerable analysis of the impact of regulation has been undertaken over the years, including by the Productivity Commission and its predecessors, but very little of the impact of the regulators. Yet this sector may have equal or even greater impact on daily lives than the other two sectors, in either social or economic terms. Arguably, exceptions to the lack of reform in this third sector are the administrative law reforms (Administrative Appeals Tribunal Act 1975, Ombudsman Act 1976, Administrative Decisions (Judicial Review) Act 1977 and Freedom of Information Act 1982). The imminent report on the review into the corporate governance of Commonwealth statutory authorities and office holders, being undertaken by John Uhrig AC,(4) may also impact on the performance of regulators. This is not to say that specific regulatory bodies have not been subjected to reform at various times (for example a number of the transport regulatory bodies or the Financial System Inquiry chaired by Stan Wallis). However, as a sector, public management reform has largely passed it by.
The purpose of this paper is to reflect on a possible framework for measuring the performance of a regulator, then assess the last five years of the Office of the Privacy Commissioner against it.
However this cannot be done without some understanding of the particular environment in which the Office found itself and the strategic path the Office chose to take in response to this environment. The paper gives examples of events and situations that have arisen during the last five years to discuss the Office's performance against the framework. Finally, having considered these measures and how the Office performed against them, the paper briefly discusses how the future might look for a privacy regulator seeking to promote a culture that respects privacy.
What is a regulator?
A preliminary question when considering these issues is: what exactly is a regulator? The dictionary says that to regulate is to control, govern, or direct by rule or regulations, to subject to guidance or restrictions. This suggests that regulators would very often have rules or laws as background to their powers and functions, which they use as a basis to guide, control, direct, or restrict behaviour. Using this as a guide, one might say that courts and tribunals are not regulators because they are arbiters rather than controllers or guiders. However, many regulators have powers that do, or have in the past, come very close to judicial powers. The Administrative Appeals Tribunal might be seen as something in between. On the other hand, we have people in the Department of Finance and Administration using a range of budgeting and other tools to control or restrict spending and other behaviour. Are these regulators?
Rather than dwell too much on this question, all that is necessary is to note that it is a non-trivial question, and one that might be a worthy subject of more study. Such study would need to take into account what seem to be some common features that generally apply to regulators in Australia. From the statutes that establish regulators in Australia, these usually include:
- some level of statutory independence from government, for example, by providing that the regulator can only be dismissed in a very narrow range of circumstance and by limiting the extent to which the government can direct the activities of the regulator;
- standard powers to conduct investigations, for example the power to demand evidence under oath, hold hearings, enter premises and seize documents, publish a report;
- indemnity, full or partial, from legal action against decisions taken, reports written or comments made;
- powers to arbitrate or make decisions, although because of the Brandy High Court decision,(5) at the Federal level at least, these cannot be binding.
In many instances, though, the source of funding is not independent, for example being set in annual government budgets or collected via industry levies at rates set by government. The US Federal Reserve is a noticeable exception because its source of funding is independent of Government.
Well known regulators established by the Australian Government include:
Environmental scan
No regulator operates in a vacuum. Its ability to act and what those actions are will always be influenced by the environment in which it operates. A key argument in this paper is that it is not possible to measure the effectiveness of a regulator unless the range of environmental factors that can affect its operations is taken into account. This has been referred to as the 'authorising environment',(6) which includes both the formal sources of authority such as laws which establish the powers of regulators, and informal sources of authority, which are a wider set of influences which shape the regulator's capacity to exercise power. This is not to say that the regulator cannot influence this environment, and it may even be an important role for the regulator to do so.(7) However, there are some environmental factors over which a regulator may have very little control. Set out below are some of the factors which influence the capacity of a regulator to exercise power.
The law
Regulator powers
One key factor is the law with which the regulator works. Some regulators have very prescriptive laws, infringement of which can bring heavy criminal penalties. The law may have very extensive powers of investigation, search and seizure, auditing and monitoring. These days, there is a definite trend away from this approach to changing behaviour, especially if it impacts upon businesses.(8) This is partly a response to the difficulty of regulating behaviour in a varied, rapidly changing economic and technological environment. Prescriptive law can also lead to a focus on form over substance rather than achievement of the law's actual objectives. It also reflects a desire to limit red tape applying to businesses.
The private sector provisions(9) of the Privacy Act 1988 are very much a creature of this trend. The legislation was heralded by the former Attorney-General as implementing 'the government's commitment to promote a light touch, co-regulatory approach to privacy protection'.(10) This light touch approach has manifested itself in the form of a principles-based, rather than prescriptive, approach to changing behaviour for the private sector at large. The core of this approach is set out in the National Privacy Principles in the Privacy Act, combined with the provision for privacy codes to replace these principles if they are 'at least the equivalent'. It also meant that the Privacy Commissioner was given, in relation to most aspects of the private sector, no monitoring or audit powers, and limited powers of enforcement, even compared with earlier areas of coverage of the Act, including Australian Government agencies and the credit sector. Enforcement of the new private sector privacy provisions comes basically via a complaint-based system with a power to conciliate or make a determination to resolve the complaint (including compensation but no power to impose fines) that can be enforced by taking the case to court if necessary.
Although there may be good reasons for a less prescriptive approach, this kind of legislative regime leaves regulators with substantial uncertainty and ambiguity as they go about implementing and enforcing the law, especially in the early phases. In the case of privacy, where the right to privacy is neither unlimited nor absolute,(11) this ambiguity is further increased, and it means that privacy regulators must go about their role
'knowing that to a greater or lesser degree what constitutes public value or 'good performance' in privacy protection is a contested notion. They must be conscious that there is not necessarily widespread understanding or agreement about ultimate goals and the appropriate scope of the regulator's authority.'(12)
Extent of independence provided for
A regulator may have a greater or lesser degree of independence depending on the provisions in its establishing law. A regulator will have a wider scope to act independently and without fear where its governing law has provisions that restrict the conditions under which the regulator can be removed and limit the extent to which external parties can direct its activities.
The Privacy Commissioner has a considerable level of independence, including:
- Protection from civil actions and against being sued etc, as set out in Part 5 of the Privacy Act;
- Very limited circumstances when a Minister or the Government can issue a direction to the Commissioner (eg to report to the Minister on certain investigations, audits etc under ss. 30, 31 and 32 of the Act);
- Appointment for a fixed term of up to 7 years; strict limitations on when appointment can be terminated; remuneration fixed by the Remuneration Tribunal etc, as set out in Part 4, Division 1 of the Act (without performance pay or other incentives that might be used to attempt to persuade).
Developments in the legal framework across borders in Australia
For many years, there has been a trend of increasing cooperation between the Federal, State and Territory jurisdictions in many areas of public administration, ranging from the informal to the formal including formal referral of powers (usually 'to' the Federal level rather than 'from'). This can sometimes be a very slow process. The gradual reform of corporations law from the 1970s through varying cooperative schemes until the current Australian Securities and Investment Commission was formed is one of the classic examples of such change.
One area where this trend has become particularly apparent in recent years is in law enforcement, including in areas that support it. This has developed in a number of guises. CrimTrac, for example, is a body where much of the cross-border operating arrangements are established by an Inter-Governmental Agreement signed by all Australian police ministers.(13) The Australian Crime Commission, on the other hand, is established under the Australian Crime Commission Act 2002. The evidence to date suggests that more attention has sometimes been given to the establishment of these bodies and associated working arrangements than to ensuring that corresponding transparency and accountability arrangements are in place. A reasonable test of the latter might be that they are at least equivalent to the transparency and accountability obligations that would operate if such arrangements were contained within one jurisdiction. The recent Cross-Border Investigative Powers for Law Enforcement Report(14) prepared by the Joint Working Group on National Investigation Powers of the Standing Committee of Attorneys-General and Australasian Police Ministers Council appears to have similar weaknesses, indicating that, unchecked, the trend could continue. This trend poses major challenges for all regulators operating in this environment.
In the case of privacy, this weakness has recently been recognised. It was first brought to light in the report of the Independent Review of Part 1D of the Crimes Act 1914 - Forensic Procedures.(15) That report raised major accountability and regulatory issues for privacy regulators whose legislation constrains their jurisdictional areas of operation to a particular State's or Territory's agencies. As a consequence of this report, the Standing Committee of Attorneys-General has asked Australia's Federal and State Ombudsmen and Privacy Commissioners to report to them on how to redress the balance.
There are a number of other initiatives, for example, relating to increasing the integrity of identity documents, which involve both public and private sector organisations which will pose similar problems for achieving redress, transparency and accountability when things go wrong.
Resources Available
How the regulator is resourced is a significant environmental influence. In most instances as noted earlier, resources are provided by the budget which is driven by the law and public policy. However, regulators also must be aware that additional resources can be obtained in a number of ways. They may or may not come with 'strings attached' and may be brought under direct control or be available through indirect influence in a number of ways. For example, it may be possible to gain additional resources via a research grants body or for undertaking additional work in a particular area. Alternatively, it could include selling a component of its activities to outside sources, joining in partnership with other organisations to carry out activities, or persuading other organisations to use their own resources to carry out activities that promote the regulator's objectives.
Very importantly, though, the extent to which the regulator can act ethically and manage any potential conflicts of interests will have an impact on whether, and in what contexts it can draw upon these external resources. For any regulator, integrity has to be a make or break consideration under all circumstances if credibility as an independent body is to be maintained.
Government expectations
As was the case with the introduction of the new private sector provisions of the Privacy Act, Government can be explicit about its expectations of the way the regulator will discharge its functions. This can be legitimately expressed, for example, in actual provisions of the legislation, supporting documentation such as the Explanatory Memorandum and Second Reading Speeches, or elsewhere. These expectations obviously impact on the environment of a regulator. They affect the strength of the law that the regulator must work with, and they strongly influence the level of financial support the regulator can attract. Especially where the regulator is working with a law that has ambiguity in the method of implementation and enforcement, government expectations also inevitably affect the extent to which the regulator is expected to operate at the more controversial ends of the spectrum of options, or whether it must adopt the more middle range of the options for implementation and enforcement.
Clearly, a regulator, at one level, can choose to adopt any of the range of options that its governing legislation will allow it to. However, a regulator seeking to be effective according to the measures outlined here, may need to consider whether a regulator that has unduly alienated key stakeholders, including government, is likely to be able to continue to influence its 'authorising environment' and achieve any realistic changes to the behaviour sought to be regulated.
In the case of implementing the new private sector privacy legislation, which has a great deal of ambiguity in the way it could be implemented and enforced, the Office made the strategic decision that it would take the course of providing a 'clear and balanced' approach to implementing and enforcing the new private sector provisions. The Office did this in the strong belief that this would be the most effective option. Its approach to compliance is consistent with this philosophy and was spelt out before the private sector privacy provisions came into effect, in Information Sheet 13-2001, The Privacy Commissioner's Approach to Promoting Compliance with the Privacy Act.(16)
Public expectations, including as expressed through media
Public expectations can and should also have an impact on the activities of a regulator. Despite the fact that regulation in a particular area is aimed at protecting or promoting the rights or welfare of the community, a regulator cannot necessarily assume that acting in a particular way to enforce the law rigorously will get public support. A further complication is that research shows that there can be considerable difference between what members of the public claim to be their attitudes and the way they actually behave.(17)
In the case of privacy, which is very contextual and individualistic, this is a particular issue. What appears to be a breach of privacy for one particular individual may be regarded as an essential activity for another individual. Inflexibly enforcing the law could result in privacy being seen as simply making life bureaucratically difficult, or even unsafe, for some people and could bring the law into disrepute. In this context the degree of public support can be strongly influenced by the media. At the time the private sector privacy law in Australia came into effect, it was clear that the media in New Zealand had a significantly negative attitude to private sector privacy law in that country.(18) As a result, the privacy law was constantly being blamed for a whole range of adverse events that were in fact a result of other failures, including a failure of common sense and buck passing.
Local events, particularly those that capture extreme public attention, can have a major impact on the degree of public support for the regulator's activities. Even where the regulator had considered that it was implementing best practice, it can find that expectations turn, as in the case of the NSW Health Care Complaints Commissioner, which was using 'no blame' techniques to improve practice only to be strongly criticised for not having paid particular attention to naming those to blame.(19) This is also a constant dilemma in the work of bodies such as the Australian Council for Safety and Quality in Health Care.
Global environment
Global events and environments can also have a substantial impact on whether a regulator can or cannot act in particular ways or take up particular policy positions.
In the case of privacy, the stand out event was clearly 11 September 2001. In the aftermath of this event the balance between what was regarded as necessary to protect security and what was regarded as an acceptable trade off in terms of loss of privacy suddenly and dramatically shifted. Legislation was introduced, and passed, that even in the months before the event would have been regarded as beyond the pale in terms of privacy invasion. The Office quite properly had to respect the shift in perceptions about the appropriate balance that was caused by this tragedy. The Office was also duty bound to ensure that all sides of the argument were aired, consistent with its approach of projecting a clear and balanced voice in all circumstances, for example, in submissions on such legislation. This includes calling for a long term perspective and wherever possible seeking 'sunset' clauses to measures that compromise civil liberties in a way that may not be necessary when an emergency has passed.
These developments have also led to significant initiatives to improve international cross border data flows of personal information in seeking to combat terrorism. This coincides with the increasing evidence of a growing problem with 'cyber-crime', including claims that some of it is used to finance terrorism. Responses have been bilateral and unilateral. The most notable unilateral initiative has been that of the USA in wanting to obtain a lot more information about incoming air passengers, to retain that data for very long periods, and to use and disclose it for seemingly unlimited purposes, including sharing it among government agencies. The international reaction has been strong, but has ended up in considerable concessions being made.(20) Australia has also legislated to facilitate the international exchange of personal information between customs and other law enforcement bodies.(21)
On the other hand, there is no doubt that the Office's ability to be heard in relation to direct marketing and use of people's publicly available information has been considerably strengthened by the huge public response in the USA to the Federal Trade Commission's 'do not call register'.(22)
The move by the FTC to set up a do not call register has changed perceptions about what the community will tolerate. In the first 6 months of operation, over 55 million phone numbers have been registered with the do not call service, covering about a half of the adult population.(23) This demonstrates an enormous pent up demand for more government activity in this area. Although it is not altogether clear that telemarketing has reached so far beyond community tolerance in Australia, it has, I think, created an environment in which calls for stronger measures are likely to get a better hearing. It has opened the way for policy arguments for measures that give consumers greater control over their publicly available information, such as that in various telephone number directories, and greater transparency about what is done with it. The Australian Communications Authority has announced that it will be issuing a telecommunications industry standard that would clearly set out what customer information in the Integrated Public Number Database (IPND) can be used for and would ensure proper and authorised use of the data in the future. This reflects the ACA's conclusion that "consumer information [was] being used for purposes which the ACA believes are beyond the scope of current authorised uses and the expectations consumers have about how their personal information will be used".(24)
The fluctuating environment for the privacy regulator can also be seen in the rise and fall of the 'dot.com' industry. Early in my five year term, the dot.com industry was in full flight and very gung ho. It was causing major privacy concerns, leading the FTC to begin to call for privacy legislation in the USA.(25) In Australia, this concern was a factor in the government's move to introduce private sector privacy legislation.(26) However, even by the time the legislation came into effect in December 2001, the immediate threat to privacy from this source appeared, at least in the public's eye, to be much less in the face of the dot.com crash and a severely chastened industry. There was therefore much less support for the Office to respond so dramatically in this area.
Market forces
Market forces can have a considerable impact on the extent to which those regulated are willing or able to comply with the law. Where businesses feel that there is a competitive edge to be gained in complying with the law or a real competitive business risk, for example, to branding, if they do not comply, they are more likely to make an effort to comply, and comply well with a law. On the other hand, where competition is not a factor in a business's operations, particularly when combined with a low risk of the law being enforced against them, there is little incentive on a business to make any effort to comply conscientiously with the law.
In the case of privacy, a good example of where there is no interest at all in compliance per se is businesses involved in spam. Poor branding image is not a concern. The only issue for these businesses is whether the act of spamming pays. Technological barriers have had some effect but not a lot. Failure to comply with the law has also had minimal impact on their operations - to date the risk of being caught has been very low. But can the combination of improved technology, stronger enforcement of stronger laws, public education and more direct economic measures combine to beat this scourge of the internet? Only if it actually reduces the payback ratio.(27)
Extent of technological change
Rapid technological change has had an impact on most areas of regulation, from the impact of converging communications and broadcasting technologies on media laws to the control of consumer access to pharmaceuticals via online merchants to the advent of online auction houses (eBay) and booksellers (Amazon).
Privacy issues are no more immune from these developments. In the last five years, technological developments have transformed the privacy environment. In 1999 spam was barely on the radar as a problem except for the e-literate cognoscenti. As just noted, it has now become such a scourge from both privacy and other points of view that it has warranted bringing a whole range of strong legal, technological and market forces to bear on it. In 1999, mobile phone technology including SMS messaging, capturing of pictures with a mobile phone then instantly sharing them globally, and the many devices which now report an individual's location, including mobile phones, Global Positioning Systems and G-NAF, were not yet in widespread use in Australia.
Now we are worried about individuals taking photos in changing rooms, people being marketed with products when they approach a relevant outlet, and parents being able to track down their errant teenagers at the drop of a hat. RFID chips were not on the horizon, yet now manufacturers and developers of the chips are wearing the consequences of widespread outcry at the possibility that information about individuals' buying and other habits could be minutely collected and studied.(28) The expanded use of biometric technology was in its infancy. Now it is to be used routinely for many purposes, including for checking people entering and leaving the country in many nations of the world.(29) Gene technology and the very privacy of an individual's complete genetic makeup and disposition are potentially at risk from such details being put widely on display.(30) Significant further capacity has developed to collect and manage data sets as well as to analyse or 'data mine' such information. The movement of court records into the electronic and online environment is a significant example, which has given rise to the dilemma of seeking to create greater transparency in court processes at the same time as managing the new privacy issues such greater accessibility creates.(31)
Allan Fels has similarly pointed out how the 'default' protection and 'practical obscurity' of clunky paper based systems is no longer universally present and how the new default position is becoming widespread sharing of private information, with protection only occurring if we elect to obtain it.
'Judgements about what constitutes appropriate regulatory intervention will very clearly shift over time as the technological environment shifts. Constant technological change means that 'best practice' for privacy regulators must change too. What is an effective approach this month, may well be redundant due to technological changes only one month later.' (32)
Finally and very significantly, these technological developments have meant that the movement of personal information is no longer limited by national boundaries, notwithstanding some brave attempts to do so, such as the so-called 'Great Firewall of China' that is aimed at restricting domestic access in that country to foreign websites. The increasingly 'porous' nature of national borders to personal information adds considerably to the difficulty in providing an enforceable, legislative basis for protecting privacy, as illustrated by the spam example discussed earlier.
In short, developments in technology may well be the most significant of all the environmental factors impacting on effective regulation of the data protection of personal information, a fundamental aspect of privacy. Was Scott McNealy right in early 1999 when he said that "you have zero privacy anyway -- get over it"?(33)
What are the marks of a good regulator?
As noted at the beginning of the paper, the performance of the regulator has not entered the mainstream of public management reform work in the same way as it has for the other sectors, policy/decision making and service delivery. Outside of academia(34), it would seem that not a lot of work has been done in Australia on how to measure whether or not a regulator has done a good job. The Productivity Commission is a notable exception.(35) However, the focus is often on the nature of the legal structures and the economic incentives they create as opposed to whether, within the bounds of the law and surrounding environment, the regulator itself has performed well or badly.
At the moment it appears that regulators are often measured by the political expediencies of the times, for example, by the amount of unwelcome noise received from key stakeholders. This noise may or may not have anything to do with the effectiveness and efficiency of the regulator. At a conference on privacy recently it was suggested that being a privacy commissioner is better done in the later stages of one's career. This is probably so in the case of many other regulators, who nearly always find themselves between a rock and a hard place in carrying out their duties. It would seem useful in this environment to have some kind of agreed measures about what makes an ethical, effective and efficient regulator, as a buffer to these uncertain forces.
Failure to meet these kinds of tests has been brought home particularly to privacy regulators over the last year. The Privacy Commissioner of Canada was forced to resign in disgrace over unethical behaviour.(36) The processes leading up to his resignation and the associated audits and inquiries are still having an enormous adverse impact on the ability of his successor to introduce private sector privacy legislation there.
At the highest level, in terms of 'what' a regulator might be aiming to achieve, it is often some notion of acting in the 'public interest'(37) or delivering 'public value' in the terms of the Fels paper.(38)
Just as important, though, is 'how' a regulator delivers. It must be ethical, effective and efficient. In that order of priority. This is by no means a new concept, nor exclusive to regulators. For example, similar concepts are clearly at the top of the minds of those currently concerned with corporate governance. The goal that James Hardie Corporation sets for itself in its Annual Report 2003 captures these ideas well, where it states that:
"We believe that the primary focus of good corporate governance should be clearly fixed upon the achievement of outstanding performance in an ethical manner where high quality outcomes are achieved and where integrity is clearly evident."
In discussing 'what is good regulation' (as opposed to 'a good regulator'), the Chairman of the Productivity Commission puts it this way:
Finally, it [regulation] needs to be administered by accountable bodies in a fair and consistent manner. Governance arrangements for regulators are clearly a big topic in their own right and currently under review at the Commonwealth level. Apart from the nature of reporting responsibilities (to a Minister or the Parliament) and the scope for judicial or administrative review, important features of good governance include clear statutory guidance, transparency of both process and judgement, and public accessibility.(39)
However, this statement of principle is not developed much further.
This part of the paper outlines the start of a framework for testing the extent to which a regulator's performance is ethical, effective and efficient. In outlining these measures, it should be noted that they should not be treated as a check list that each regulator must tick off to be given full marks. No regulator will be able to star on all of these, all of the time. Rather, they can be seen as matters that regulators and those assessing their performance will need to balance against each other in a holistic way. For example, a regulator might need to consider how to exercise independence, but in a way that will enable it to continue to engage with stakeholders effectively while still maintaining integrity. In summary, it seems to be a matter of how well a regulator manages to keep the 'balls' (or measures) in the air (at varying heights) without dropping them all at once.
It is also worth reiterating that even with these measures, the beauty of the regulator will remain, to some extent, in the eye of the beholder and seen through the particular lens of interests that preoccupy that beholder.
Some measures are objective, for example, speed of response, some are subjective, for example, whether people consider their lives have improved. Regulators and those assessing their performance will therefore need to adopt a range of tools to evaluate their performance against the measures outlined below.
Finally, the difficulty of separating performance from the nature of the task as set in law and bounded by the real world environment should not be under-estimated. Clear thinking on the impact of the regulator separately from the impact of the regulation is essential.
Economic impact
The activities of a regulator always have the potential to have an impact on economic activity and economic outcomes. While much of the economic impact may be inherent in the law itself (ie the regulation), it is still important to see if it is possible to measure the additional impact, either way, of the performance of the regulator. It would certainly seem to be appropriate for a regulator to be aware of this potential and to take into account the macroeconomic and microeconomic effects of its activities and decisions.
The regulator should be aware that it may have an impact on the size of the economy (allocative impact) and it may also have an impact on the distribution of economic resources. The impacts may be direct or indirect, positive or negative, and intentional or unintentional. As noted earlier, assessing these impacts is therefore by no means a straightforward matter. For example, enforcement activity taken by a consumer protection regulator may have the direct impact of reducing the size of the economy by shutting out operators who may be innovative but are also fly-by-night, poor quality or running scams. This is an intentional and desirable economic impact. An indirect consequence, however, could be that consumers enter into more transactions as a result because they are now confident that they can do so without being ripped off, thus contributing to economic growth.
A regulator helps to avoid the unintended consequences of its decisions by paying attention to the practical impact of its decisions. Decisions that do not take into account the way a particular sector or constituency works, and whether it is going to be able to implement the decision within the constraints under which it operates, are likely to have adverse economic consequences without necessarily achieving the goal sought.
Measures of economic impact
Measures of a good regulator when evaluating economic impacts could be:
- Regulator has had a positive impact on the economy (either allocative or distributive);
- If the regulator has had a negative impact on the economy this is an intended consequence and is outweighed by either positive indirect economic outcomes, or positive social outcomes;
- The regulator has a process for assessing and evaluating economic impacts;
- Economic impacts are fairly distributed across the economic sectors;
- Economic efficiency costs, caused by organisations or individuals having to meet bureaucratic requirements are minimised;
- Decisions the regulator makes are practical, workable and able to be implemented by the constituency;
- Regulator sought to harness market forces rather than oppose them, either by finding explicit pricing models that provide incentives to appropriate behaviour, or by helping businesses and others see the business case behind complying with the regulation or even going beyond that.(40)
This paper does not develop this area much further in light of the considerable body of work on the economic impact of regulation, other than noting once again the need to separate the impact of the regulator from the impact of the regulation.
Benchmarking against regulators with similar functions in Australia or elsewhere may be a good source of comparison for measuring a regulator's performance on these measures.
Social outcomes
Social outcomes are equally important. It is very hard to generalise given the range of objectives that different regulators are set. However, a few generalisations can be made. In particular, maximum impact is always desirable, so that even though a lot of the regulatory activity may be conducted on a case by case basis, the regulator should be looking for ways in which the rest of the community can learn (either what the desired behaviour is, or that inappropriate behaviour will eventually be stopped and is not worthwhile).
In particular, creation of a culture that respects the aims of the regulation will be far more effective than a culture limited to compliance with the law only to the extent that it can be, and is, enforced. This applies both to the individual citizen [whose own actions will always be a first defence] and to the individual organisation.
Measures of social impact
Measures of a good regulator when evaluating social impacts could be:
- Regulator has a process for evaluating the social impacts of its activities;
- As a result of the regulator's activities, most people consider their lives have changed for the better;
- People are better able to exercise their rights in the relevant area;
- People are willing and able to protect their interests on their own behalf;
- People are more confident in the way they interact in the relevant area and less likely to be duped;
- If there are unintended negative social impacts, the extent to which these are outweighed by other benefits such as economic benefits;
- Social impacts are fairly distributed across the community;
- The activities of the regulator broadly reflect public opinion;
- Media have an informed and balanced approach to the area being regulated;
- Those regulated have changed their behaviour to comply with regulatory requirements;
- Those regulated see the benefits of changing their behaviour and would continue to do so regardless of the regulatory oversight (in the sense that the regulation should 'contain the seeds of its own destruction')(41).
Pursuing these kinds of social outcomes will usually require a range of educational and promotional initiatives, engagement in policy debates and engagement with the media. The ease with which a regulator can pursue the social outcomes expected of it may depend to some extent on the legislation under which it is operating and the expectations this creates. However, these are all very important primary tools of the regulator. Indeed, they may be the most important means of achieving regulatory goals. Arguably, therefore, they should be pursued whether or not there is direct power in the regulator's statute.(42)
In the absence of more direct measures of social impact, measures of output of such educational and promotional material may provide some indication of the level of effort being pursued by the regulator to achieve social goals.
Again, benchmarking against similar regulators in Australia or elsewhere may be a good way to test regulator performance according to these measures. Community surveys may be another.
Public accountability for resources
Like most organisations, regulators very rarely have unlimited resources at their disposal. By and large, resources made available to regulators are set by government, so they will never be able to do all the kinds of activities that might be desirable for a regulator to carry out to achieve optimal outcomes in the area regulated. It is therefore unreasonable to measure the performance of a regulator on the basis of whether it has carried out all the activities that a regulator should do, without also considering the quantum of resources it has had at its disposal.
However, while the base level of resources is set externally, regulators may have at least some capacity to source additional resources from elsewhere. In doing so regulators must act ethically and should be fully aware of the potential conflicts of interest and other pitfalls that can arise out of this kind of strategy. These, however, are not insuperable, and this paper will discuss below the strategies the Office adopted to address these.
In the final analysis, though, like most government agencies, a regulator is accountable for how the resources available have been allocated, ensuring that they have been used efficiently and ensuring wide public understanding of the implications of the level of resources allocated to it. If it discharges these accountabilities well, it should not otherwise be held accountable for the level of resources allocated to it - that is an accountability of the government.
Measures for accountability of resources
Measures used to assess accountability for the use of resources are therefore unsurprising and could include:
- Regulator has a strategic plan that prioritises and focuses its activities;
- The plan and the rationale behind the plan is widely known;
- Regulator has adhered to this plan;
- Regulator can account for how it has allocated and spent its resources against its plan;
- Regulator has evaluated its plan;
- Regulator has met all the usual obligations of financial management spelt out in the Financial Management and Accountability Act and the Audit Act;
- Regulator has evidence that the resources are being used efficiently;
- Regulator has explored means of increasing the pool of resources available to it;
- Regulator has policies and procedures in place to ensure that the process for raising and using such additional resources is transparent, ethical and far above any implications that this source of funds could compromise its independence;
- Regulator has made sure that all interested parties, including the government, the media and the public are aware of the implications of budget allocations.
Probably the only difference for regulators, compared with many (especially budget funded agencies), is the degree of emphasis on demonstrating that its independence has not been compromised in raising and allocating resources.
Independence, fairness, transparency and accountability in decision making
It is very important that a regulator acts fairly and in the public interest. It is the ultimate, make or break test of the performance of the regulator and is why tests of 'ethical' performance by the regulator precede tests of 'effectiveness' and 'efficiency'.
There are a number of aspects to ensuring and measuring performance in this area. Acting in a transparent, principled and consistent way is key.
Policy decision making
Transparency in policy making involves having an open process for development which includes participation by stakeholders in developing the decision making policy if the regulator has discretionary powers, providing information about the reasoning behind the development of policy and then widely distributing the policy and the rationale behind this. Tests such as these apply to the Privacy Commissioner, for example, in regard to the processes to be followed for approving codes that replace the National Privacy Principles under s.18BB of the Privacy Act or Public Interest Determinations under Part VI of the Act that exempt a particular act or practice from meeting the requirements of one or more privacy principle.
Fairness in policy making includes listening to all the relevant stakeholders and then carefully reaching decisions on the basis of accepted criteria which consider all aspects that go into determining the public interest.
Similar considerations apply to circumstances where a regulator develops guidelines and information materials that may have an impact on the way its constituency operates, particularly in cases where the law is principle based rather than prescriptive.
Measures for independence, fairness, transparency and accountability in policy decision making
Measures for determining a regulator's performance in independent, fair, transparent and accountable decision making could include:
- Regulator has recognised and publicly respected processes to enable public participation in policy development processes;
- Participation in such processes takes into account those groups less easy to reach in public consultation processes;
- Decisions are made based on the full range of criteria that go towards determining the public interest;(43)
- Decisions have broad acceptance among key stakeholders;
- The regulator has processes for making its policy and other decisions widely known and easily available, if necessary for years on end.
Approach to law enforcement
If it is a goal for regulators to ensure that those regulated comply with the law, or change their behaviour, then regulators should also make decisions in ways that facilitate understanding and learning. An important key to this is for the regulator to make decisions in a predictable and consistent way. It is only if those regulated know where they stand that they will be able to, and be prepared to, spend significant time and resources to actually change behaviour. Those regulated are much less likely to act if they cannot be reasonably sure that what they do will be compliant with the law, or adequately addresses the risk of non-compliance.
Measures for independence, fairness and accountability in approach to law enforcement:
- Regulator has a well publicised and understood policy on how it will go about implementing and enforcing the law;
- Regulator adheres to this policy;
- Regulator has evidence on the levels of non-compliance;
- Regulator has evidence of the effect of the policy on understanding and learning in the wider community;
- Regulator does not change the policy unless it is planned and well thought out and then the reasons for the change and the new policy are well publicised.
Complaints handling
In the case of a complaints handling mechanism, it should be possible for the community and complainants to be aware of the process the regulator follows, and the regulator should follow the rules of natural justice. It should make efforts to publish the outcome of, and reasoning behind, the cases it handles and keep and publish statistics about these things. Publishing case notes for some or all cases decided, for example, is an important way of achieving transparency when cases are not aired through the court process.
Where a complaints handling mechanism is based on Alternative Dispute Resolution (ADR) techniques, maintaining fairness and transparency while meeting the objectives of an ADR approach is more complex. A balance has to be struck between ensuring resolutions are as transparent as possible and fall within an acceptable outcome range on the one hand, and encouraging the parties to reach a mutually acceptable settlement without becoming too bogged down in technical details about precedent and other comparisons on the other. This is an argument for being discreet and publishing only extracts of a limited number of de-identified cases.
Measures for independence, fairness, transparency and accountability in complaints handling
A lot of thought has been given over the years to ensuring that a complaints handling body meets criteria such as these. This work has been summarised into the 1997 Benchmarks for Industry-Based Customer Dispute Resolution Schemes.(44)
Measures for determining a regulator's performance in independent, fair, transparent and accountable complaints handling processes could include:
- Regulator ensures that the community, and in particular complainants, can easily find out about the process it follows when handling complaints;
- Regulator has effective processes to ensure that it handles complaints in an impartial fashion;
- Regulator adopts best practice standards in dispute resolution when operating as an alternative dispute resolution body;
- Regulator administers complaint handling role in accordance with the administrative law framework and in particular complies with the rules of natural justice when handling complaints;
- Regulator has processes to deal with any power imbalances between the parties when investigating and conciliating complaints;
- Regulator is as open as possible about the outcomes of the complaints it handles and the reasoning behind the decisions it makes about resolving complaints;
- Regulator regularly benchmarks complaint outcomes, including compensation agreed between the parties or specified in a formal decision of the regulator, against those of similar complaints handlers;
- Regulator has mechanisms for monitoring its complaints case loads and processes for independence, fairness, efficiency, consistency with other equivalent complaints handlers, and for trends in complaints that might indicate privacy issues that might be addressed at a systemic level;
- Regulator selects staff with relevant skills and experience and provides training and support for its staff.
Active engagement in policy formation
On one view, it might be said that the regulator should simply enforce the law that governs the area it is regulating and that it is the role of other bodies to develop the policy that underpins the law and the way it is implemented. However, particularly in areas where the law underpinning the regulation is principle based, light touch, or best practice based, this view is hard to sustain. Few other bodies are going to have the detailed day to day knowledge of the area regulated to make workable decisions in this area. In fact it could be argued that the regulator is best placed to engage in policy debate about the area regulated, and that doing so is a key way for a regulator to be effective.(45) In doing so it is important that such engagement is undertaken with a clear and balanced voice that is not unduly influenced by any particular stakeholder perspective.
Measures of active engagement with policy debate
Measures of active engagement with policy debate could include:
- Regulator engages with the media and with government policy development as issues arise;
- Regulator has successfully influenced policy outcomes;
- Regulator views are regularly sought by key stakeholders and regulator is seen as expert in regulated area.
Ensure clear respect for the law by all parties
A law that is seen to have little impact or is not acted upon is not going to be held in respect. This may present problems for some regulators, as it has been observed that:
'. . . it is common for legislators to pass 'symbolic' laws. In reaction to developments in society, emerging pressure points and influence from lobby groups, parliaments do sometimes pass laws to ensure that they are seen to be 'getting something done'. It is surprisingly common how often they are subsequently prepared to allow these laws to be sidelined and not vigorously enforced. The influence of lobby groups or budget constraints are major factors here. Politicians feel more comfortable if these laws are not enforced too strongly.(46)
It could be argued that the best way to ensure that respect for the law is maintained is to enforce the law rigorously and publicly.(47) However, this may not necessarily maintain respect for the law and may have unintended consequences that impact on other aspects of a regulator's performance. There may be other ways to ensure respect for the law. This may mean ensuring that the law is influential without actually going out and publicly punishing anyone who flouts the law.
Measures of respect for the law:
- The law is held in respect by the community, for example as found by survey;
- Media sentiment does not imply disrespect;
- Audits, sample surveys and other evaluation techniques indicate general compliance with the law;
- The law is not falling into disrepute because it is being applied mindlessly, especially when there is regulator discretion in its application (avoiding 'the law is an ass' criticisms).
Service provision
Where regulators provide services, be they complaints handling, a phone inquiry line or otherwise, it remains essential that the regulator provide efficient, responsive and transparent services.
Measures of efficient and good service provision:
- Regulator has a Service Charter(48) which covers various service level response measures;
- Regulator has ways of measuring effectiveness of service provision and customer satisfaction with this;
- Regulator complies with the Service Charter, including by publishing performance results regularly;
- Service is accessible to disadvantaged groups;
- Regulator reviews services on a regular basis and revises approach as a result.
Milestones and initiatives 1999-2004
Strategic plan - set approach to regulation
When I started my term as Privacy Commissioner in 1999, one of the first major activities the Office undertook was to develop a new strategic plan. This was essential to ensuring that the Office successfully carried out the major task ahead of implementing new private sector legislation. The Office developed its first strategic plan with key environmental factors in mind. As outlined above, at the time, these were:
- proposed legislation that was likely to leave considerable ambiguity about what is actually required to protect privacy and how to approach enforcement;
- government expectations about how the new private sector legislation was to be implemented and enforced;
- the relatively small size of the Office with new national responsibilities;
- a complex picture of public expectations;
- a rapidly changing technological environment.
The Strategic Plan 2000(49) had a number of key features that responded to these factors.
Creating a culture that respects privacy
The Strategic Plan 2000 set the Office a clear purpose: to promote an Australian culture that respects privacy. This reflected an Office ambition to achieve an outcome that encompasses but goes beyond enforcement of the law. This was consistent with the range of functions set out in s.27 of the Privacy Act which, in summary, include input to policy making and public education in addition to its compliance functions. It aimed to achieve change to people's lives by changing the whole culture in which organisations and individuals operate. A community that has a culture that respects privacy is a community that understands and accepts the values that underpin privacy and can apply them flexibly to the situation, rather than one that formulaically applies the privacy law regardless of the circumstances. This is very important given that privacy is very much defined by the context. Such a community will adhere to such values whether or not there is a regulator around to enforce the law. The latter is particularly valuable in the case of an Office that has limited resources. In any case, there was a clear expectation on the part of the Government that the new private sector privacy scheme should be light touch and implemented in a way that reflects this.(50) Taking steps to create understanding of the value of privacy of itself involves, wherever possible, taking a carrot rather than a more heavy handed stick approach to achieving change in the privacy area.
In this way, this approach also sets out to harness market forces to the maximum extent rather than oppose them. A community that expects and demands its services be provided in a way that respects privacy will react positively to organisations that meet this demand. As I stated in the introduction to the plan:
'My Office is keen to work with others to develop privacy platforms and solutions that give the Australian community confidence in their use of new technologies.'
Partners in developing and promoting privacy solutions
The strategic plan reflected the clear expectation that the private sector scheme should be 'light touch' rather than heavy handed regulation by aiming to ensure that the Office would be known as 'partners in developing and promoting privacy solutions'. It indicated the Office intention to work with business and other stakeholders to get privacy right rather than punishing organisations when they get it wrong. By referring to solutions, it also reflects the very contextual and dynamic nature of privacy, the complex factors involved in implementing privacy and the need to think creatively and practically about how best to implement privacy in the particular circumstances. What is right in one circumstance will not necessarily be right in other circumstances. It also signalled the Office's intention to take a participatory approach to developing policy.
This aspect of the strategic plan also reflected the resources likely to be available to the Office to implement the scheme. In the end, it received approximately $1.4 million in additional annual funding, on top of its existing budget of $2.1 million, to implement the new private sector regime nationally. It was therefore essential that the Office target its resources very carefully and adopt strategies that might widen the pool of resources by seeking partners in carrying out its work. The strategic plan also reflected this partnership approach by seeking as an operational focus to 'develop a network of partners and information to ensure that privacy solutions are delivered in all parts of the community'. In addition, one of its key focuses was to develop a network of influence across the community, including by establishing 'a network of people and organisations ready to support implementation of privacy solutions'.(51) Using all these strategies the Office sought to achieve maximum influence and outcomes from its limited resources.
A clear and balanced voice on privacy principles
Given the principles based nature of the proposed regulation, there was a real risk that businesses and other organisations would be left with a great deal of uncertainty about what they should do to implement privacy and how to ensure that they comply with the principles. The strategic plan acknowledges this risk by setting a goal of providing a clear voice on the principles. This signalled the Office intention to present a considered and unambiguous view when providing guidance. In seeking to have a balanced voice, the strategic plan was acknowledging the fact that the right to privacy is not an absolute right. The Office undertook to develop positions that respect personal privacy while taking reasonable account of broader community interests that may conflict with privacy principles.
A comprehensive understanding of current community perceptions of privacy
The Office was aware that it would not be possible to create a culture that respected privacy if it did not have a baseline understanding of what current community perceptions of privacy were. This was likely to be complex. As a result, the strategic plan includes as a key result area a need to have a comprehensive understanding of current community perceptions of privacy.(52)
Risk-management framework
In seeking to focus its efforts within its limited resources the Office also sought to adopt a 'risk management framework'. Using this framework was intended to harness the Office's skills and experience (and those of the Office's counterparts overseas) to identify the areas in Australian society that generate the most pressing privacy issues and allocating the Office's resources to where they could do the most good.
Private sector privacy provisions came into effect
New law
On 21 December 2001 the private sector provisions of the Privacy Act came into effect. Key features of the legislation were:
- Extending coverage of the Privacy Act to many private sector organisations beyond credit reporting;
- National Privacy Principles (NPPs);
- A staged application of the legislation, first to larger businesses and all private sector health services, and a year later to those small high privacy risk businesses that the Act applied to;
- Exemptions for other small businesses, political parties, acts and practices of media organisations and for employment related activities;
- Strengthening of the direction that the Commissioner have:
'. . . due regard for the protection of important human rights and social interests that compete with privacy, including the general desirability of a free flow of information (through the media and otherwise) and the recognition of the right of government and business to achieve their objectives in an efficient way;'(53)
- Limited powers of enforcement: a complaints based system, the possibility of own motion investigations with no audit power, and the power to require compensation but not fines;
- Determinations to be enforced in the Federal Court;
- Provisions for a unique kind of co-regulation in which industry organisations or whole industrial sectors can develop their own codes which the Commissioner can approve if, overall, they are at least equivalent to the NPPs;
- Provisions for organisations to opt-in if they choose to do so;
- New provisions governing Commonwealth Agency outsourcing;
This generated a need for extensive guidance on how the new provisions were to work and who they would and would not apply to.
Baseline community research
Between February and June 2001, using qualitative and quantitative research, the Office investigated the current understanding, behaviours and attitudes of individuals, businesses and federal government agencies in Australia towards privacy, and sought to identify emerging trends. This research has helped the Office to take a highly focussed approach to issues and communications management to ensure all Australians and organisations are aware of their new privacy rights and responsibilities. This research will also be able to be used as a benchmark against which to compare future research results and to inform policy making and service provision.
A reference committee consisting of key stakeholders, sponsors and members of the Office was established to provide broad guidance for the project. The committee provided feedback and broad direction and was given the opportunity to guide the research tools and examine both the interim reports and the final reports.
For the community research, the methodology included six focus groups and a national CATI survey (Computer Assisted Telephone Interview) of more than 1500 Australian adults; fourteen in depth interviews and five hundred and sixty telephone interviews for the business research; and four focus groups and eighty five self-completion questionnaires for the government research.
For the Privacy and Business and Privacy and Government components of the project, the Office sought sponsorship from both the private and the public sector in the form of partnership agreements. Assistance with resources was provided by four major contributors (Privacy Partners): Pricewaterhouse Coopers, the Australian Information Industry Association, Freehills and Centrelink, and a lower level Privacy Project Sponsor, the Australian Taxation Office. Support from these organisations meant that the Office was able to take a far more thorough look at the attitudes and behaviours of those organisations responsible for meeting the requirements of the Privacy Act. The partnerships were developed against a strict set of published criteria, the Office Partnerships Policy.(54)
The results of all the surveys are available on the Research page of the Office website.(55) The results of the Privacy and the Community Survey reflected a strong desire among the community to gain control over how their personal information was used. However, there remained a fairly low level of understanding about privacy and the existence of our Office, including how one could go about protecting privacy.
The Privacy and Business Survey results indicated that businesses were generally very receptive to the introduction of the new private sector laws, appreciating that the new legislation would deliver benefits to both business and their customers. However, at the time of the survey very few organisations appeared to be well enough prepared for the commencement of the legislation in December 2001. These findings indicated that further education and promotional activities directed towards the private sector were required. In the Privacy and Government Survey, Privacy Contact Officers (PCOs) generally rated their 'knowledge and understanding of the Privacy Act' as good. In contrast, most operational managers said that their privacy knowledge 'could be better'. Not all PCOs in the groups, and relatively few of the operational managers, were aware of the changes to the Privacy Act that were about to come into effect in December 2001, bringing the private sector within the ambit of the Act and the Office. Other surveys suggested similar conclusions.(56)
More complaints than expected
The additional funding of $1.4 million received by the Office for the additional workload expected from the extension of the Privacy Act's jurisdiction to the private sector was decided before the legislation was finalised. The estimates were not revised in light of the Act as subsequently passed. For example, these estimates do not reflect the greater complexity of the Act as passed. Much more significantly, the estimates fell well short of the actual volume of work created through complaints and enquiries.
The additional funding provided for the private sector provisions, when allocated against the Commissioner's functions under the new provisions, provided only enough resources to handle an increase in complaints of 120 per annum. In fact the Office received a huge increase in complaints, which has now stabilised at around 100 complaints per month. In the 2002-2003 financial year the Office received 1,090 complaints and, if current figures are extrapolated, the Office will receive 1,181 complaints this financial year.
This huge, nearly six-fold increase in complaints has been the dominating influence on the Office in its ability to perform over the last two and a half years.
Related activity in terms of phone and written inquiries also increased significantly more than the level for which funding was provided, increasing some 2½ and 3½ times respectively.(57)
As the scale of the new levels of complaints and inquiries became clear during 2002, the Office took decisive action to prevent the backlog of complaints continuing to grow. In particular, resources were moved from the Policy/advising Section in the Office into the Compliance Section. Despite this reallocation of resources, as at the beginning of March 2004 the Office had some 450 complaints to investigate. Moreover, of these, nearly half are waiting to be actively investigated and may have to wait for up to a year for the investigation to begin. Without a further injection of funds this situation has the potential to bring the legislation and the Government's policy objectives into disrepute.
The reallocation of resources has obviously reduced significantly the capacity of the Office to provide advice and assistance to organisations implementing the new legislation. The call for this advice vastly exceeds the Office's ability to meet it.
Review of private sector provisions
In his second reading speech the then Attorney-General, the Honourable Daryl Williams MP, noted the 'unique' approach taken in the new legislation and said
' . . . I believe that it would be extremely useful to have a report on the operations of the legislation in due course to ensure that it is achieving all our goals. I will ask the Privacy Commissioner to conduct a formal review of the operation of the legislation and of all the exemptions, in consultation with key stakeholders after it has been in operation for two years.(58)
In the light of this proposed review, the Office worked to set the groundwork for it. It was keen to know not only how well the legislation was working, but also how effective its strategies for implementing the private sector provisions had been. It wanted to know whether it had achieved the outcomes sought, and what impact the new privacy provisions and the method of regulation have had on these. The surveys conducted in 2001 provide part of the baseline data for such a review, along with the complaints and inquiries statistics.
As at March 2004, the review had not commenced. The new Attorney-General, the Honourable Philip Ruddock MP, has advised that he will take up the terms of reference for such a review with the incoming Privacy Commissioner, once that appointment has been made.
25th International Conference of Commissioners
The Office convened the 25th International Conference of Data Protection and Privacy Commissioners at the Sydney Convention and Exhibition Centre, Darling Harbour in Sydney from 10-12 September 2003.(59) This was the first time that the Office had hosted the conference for over a decade. The conference is held annually, usually in the Northern Hemisphere. Over 400 people attended the conference.
Hosting the conference is not a direct contributor to the strategic objectives and obligations set down for the Office in either its establishing law or its strategic plan, but at the very minimum it is a 'good neighbour' obligation in the international privacy community. More to the point, such gatherings have the potential to contribute indirectly, over the longer term to these objectives by:
- enhancing domestic awareness of privacy issues;
- developing cooperative responses to the potentially debilitating impact on the effectiveness of domestic privacy regulation from the increasingly free flow of personal information across borders;
- exchanging views on emerging technologies and practices.
The Office set out to maximise the benefits of the Conference domestically as well as internationally through the following strategies:
- setting the theme of the Conference around "Practical Privacy for People, Government and Business", to complement recent conferences which had favoured a closer focus on the principles of privacy and theoretical development of the topic;
- encouraging a very successful series of satellite events ranging from a film festival to meetings with specific technology focuses such as biometrics etc;(60)
- sponsoring a conference resolution aimed specifically at improving notice to consumers about organisational privacy policies, to help strengthen the ability of consumers to make better informed privacy decisions;(61)
- through this and other resolutions,(62) assisting commissioners to become a much stronger collective voice in the years to come in developing appropriate regulatory responses to globalisation, in much the same way that other global groupings of regulators have already done (two notable examples being the Basle Committee on Banking Supervision and the International Consumer Protection and Enforcement Network, www.icpen.org);
- promoting the Conference in the popular media;
- ensuring the Conference paid for itself through sponsorships, conference fees etc.
By these measures, the conference was extremely successful with the exception of the media profile, which was disappointing. However, given the indirect nature of its contribution to the measures espoused in this paper, the conference is not further assessed here other than to note that it required a top management focus in the second year of operation of the private sector privacy legislation. As such, it had the potential to impact upon the quality of response to domestic responsibilities.
How did the Office do against the measures?
The Office is expecting to rely considerably on the proposed review of the private sector provisions of the Privacy Act to assess the effectiveness of the Office as a regulator.
Had the Office the money and the time, it would have instituted a greater range of research strategies to gain a much richer insight into the necessary information, including business surveys. At this stage, the most it can do is carry out another community attitudes survey, which is a continuation of a survey the Office carried out in 2001 just before the new private sector provisions came into effect.(63) This should enable at least some comparison of community attitudes to, and awareness of, privacy and the Office, and to assess whether or not there has been a shift in the ability of people to act to protect their own interests in this area.
Taking this, and other matters, into account, the assessment presented here is necessarily limited in a number of ways. For example, it is also too early in the operation of the private sector provisions of the Privacy Act to get reliable results on many of the measures outlined here. It also suffers from the most obvious bias that a regulator is 'marking his own homework'. Nevertheless, it would seem worthwhile to make a start.
Office performance against measures of economic impact
Measuring economic impacts is not an area of expertise for the Office. For this reason as well, this paper is not able to provide detailed, evidence based, or technical information about its performance in this area. However, there are some limited observations about the Office's performance that could usefully be made about some of these measures.
The regulator has a process for assessing and evaluating economic impacts
The Office does not have a process for assessing and evaluating its economic impacts. It does have some base line information about impact on businesses through the 2001 Privacy and Business Survey Baseline Community Research described earlier. The survey included questions on what impact businesses thought the new privacy law was having on the way they do business. The Office could build on this in future years by gaining comparative data. It is expecting that this might be done as part of the proposed two year review of the private sector provisions of the Privacy Act when it takes place.(64)
Economic efficiency costs, caused by organisations or individuals having to meet bureaucratic requirements, are minimised
Some wild claims have been made by some economic sectors about, for example, the job losses that would occur as a result of a particular interpretation of the private sector privacy law. Some of these have had very little analytical backing. Even if there had been some analytical support, they provided no more justification for letting existing practices continue than similar claims would justify the continuing spam explosion or the avoidance of economic losses to the organised crime industry by letting it continue in business. The focus of the regulator has to be to ensure economic losses are minimised if a law requires a change of practice. For example, it should support a less economically costly alternative that still meets the will of the parliament as expressed in the legislation.
Other economic measures
- Regulator has had a positive impact on the economy (either allocative or distributive);
- If the regulator has had a negative impact on the economy this is an intended consequence and is outweighed by either positive indirect economic outcomes, or positive social outcomes;
- Economic impacts are fairly distributed across the economic sectors;
- Decisions the regulator makes are practical, workable and able to be implemented by the constituency;
- Regulator sought to harness market forces rather than oppose them, either by finding explicit pricing models that provide incentives to appropriate behaviour, or by helping businesses and others see the business case behind complying with the regulation or even going beyond that.
Although the Office does not have processes to measure its performance against these remaining measures of economic impact, it has, nonetheless taken conscious steps aimed at meeting them.
Apart from the many other reasons for considering economic impact, it was an obvious consideration for the Office since one of the underlying rationales for the private sector provisions of the Privacy Act was to remove impediments to e-Commerce resulting from the community's lack of confidence about the way personal information was handled in the online world. Also, s.29(a) of the Privacy Act requires the Office to take into account the right of businesses to achieve their objectives in an efficient way.
In any case, in implementing the private sector provisions of the Privacy Act, the Office sought to harness market forces and benefit the economy by engaging in a communications program that sought to bring home the message that good privacy practice is good business. It regularly used the slogan 'good privacy - good business' in its brochures, banners, presentations and other material. It emphasised a number of aspects. On the upside, the Office outlined the opportunity that good privacy presents for building trust and keeping customers, with examples where possible. This was backed up by the Office's community attitudes research that showed the importance that the community places on privacy when interacting with a business.(65) On the business risk downside, it highlighted the damage in the marketplace that poor privacy practice can bring. It backed this up by using two key examples of companies that suffered major share price damage due to failure to implement good privacy practices, one of which was Harts Australasia, a financial service organisation. That company's share price plummeted by some 50% in the time that the Office was investigating an alleged dumping of confidential files in North Sydney and then established had indeed been a breach of privacy.(66) Finally it also warned of the 'sovereign risk' relating to the kind of regulation in place. If business did not respond well to the current 'light touch' legislative regime, it would run the risk that, after the legislation had been reviewed in two years time, it would have strengthened by its own actions all the arguments for a less 'light touch' regulatory regime.
Examples are now constantly emerging of the economic risks of not getting privacy right. A very current example is outlined in a recent article about the banking sector, which indicates that inadequate security and other privacy protective measures are putting internet banking at risk.(67)
The Office also has considerable anecdotal evidence that the measures businesses have had to take to ensure they are compliant with the Privacy Act have resulted in considerable improvements in information management overall, including customer relations management. The Office is aware, for example, that some tens of millions of dollars have been spent on building processes to comply with privacy requirements. However, taking into account the improvements in information and customer relations management, this expenditure is seen by some as not just capital expenditure but also business building.(68)
Another reason for the private sector amendments to the Privacy Act was to ensure that there would be a nationally consistent approach to privacy. At the time States were seeking to take their own steps to regulate privacy in the private sector, which would have resulted in duplications and inefficiencies for businesses with national operations. The Office has championed the need for a nationally consistent approach in a number of forums, including in the area of health privacy.(69)
The Office has also always sought to place an emphasis on 'practical privacy' in other ways. In developing guidelines and giving policy advice it seeks to arrive at solutions that provide real privacy outcomes, but also take into account industry practice and are workable.
The Office's Guidelines on Privacy in the Private Health Sector,(70) which it prepared in the lead up to the commencement of the new private sector provisions in the Privacy Act, provide a particular example of practical privacy in operation. Implementing the NPPs in the health services sector posed particularly complex and sensitive problems. Health service providers were very concerned to ensure that their provision of health care to individuals was not unduly impeded by cumbersome procedures for getting client consent for every collection, use or disclosure of personal information in which they engaged. They were also concerned that it might increase the length of each consultation. The sector was also already subject to professional obligations of confidentiality which appeared to have general acceptance. The Office worked intensively with stakeholders to reach an approach in its guidelines that was workable for health services providers but at the same time built in the necessary protections where they were likely to be needed. No part of these Guidelines reflects this more than the guidance given on Use and Disclosure(71) which was debated over many months with stakeholders during 2001. Indeed, the resulting general Tip for Compliance on Use and Disclosure is disarmingly simple when it suggests that health service providers should assess:
'Is there alignment between the health service provider's intentions and expectations for the use and disclosure of the information and those of the individual? If uncertain, the health service provider should check with the individual.'
Other very complex areas where the Office has sought and achieved practical outcomes are in the areas of privacy and publicly available personal information,(72) medical indemnity insurance, property valuation, due diligence and buying and selling businesses,(73) and in providing guidance on what are reasonable steps for making individuals aware of collection of personal information under NPPs 1.3 and 1.5.(74) These were all situations in which failure to take a practical approach would have brought many businesses either to a grinding halt or buried them and their consumers under a hail of paper or cumbersome processes that could have been economically disastrous and enraged consumers at the same time. There are, however, limits to the extent to which taking a practical approach can resolve differences. There were some circumstances in which industry practice butted head on with the principles but the Office did not consider that a Public Interest Determination to relax the principles was justified.(75) In such circumstances, the only possible approach is for these issues to be considered as part of the proposed two year review of the Privacy Act. Some of these issues included those relating to private investigators and mental health.
Office performance against measures of social impact
As with the economic outcomes, it is too early to gauge many of the possible social impacts of the Office's activities as regulator of privacy in the private sector. Nevertheless, there are some indicators.
Regulator has a process for evaluating the social impacts of its activities
Through both its first and second strategic plans, the Office has a number of systems in place that it could use to evaluate the social impacts of the new private sector legislation and of the Office's activities as regulator of these provisions.
As noted earlier, between February and June 2001, using qualitative and quantitative research, the Office investigated the current understanding, behaviours and attitudes of individuals, businesses and federal government agencies in Australia towards privacy, and sought to identify emerging trends. This research can be used as a benchmark against which to compare future research results and to inform policy making and service provision. In particular, it will be able to inform the two year review on a number of the measures nominated in this paper, including those outlined below, such as:
- As a result of the regulator's activities, most people consider their lives have changed for the better
- People are more confident in the way they interact in the relevant area and less likely to be duped
People are better able to exercise their rights in the relevant area
Clearly, the private sector provisions themselves have given people more rights in this area than they had before. For example, they now have the right to ask organisations to see what personal information they hold about them, and correct it if it is wrong. They also now have an avenue for complaint that they did not have before. However, the performance of the Office on this measure is less than optimal because of the long wait that complainants experience before the Office can act on their complaints. The reasons for this long complaints queue include the fact that the Office received more complaints than expected, as described earlier.
People are willing and able to protect their interests on their own behalf
The Office has clear evidence that considerable numbers of people are willing and able to approach this Office to protect their own interests on their own behalf. As noted earlier under the heading More complaints than expected, numbers of people making complaints to the Office have gone from some 200 per year in 2000-2001 to a likely (on current trend) six-fold increase of 1,200 per year in this financial year. Hotline inquiries have nearly trebled from around 8,000 per year to over 20,000 per year, and written inquiries have also nearly trebled from around 900 to around 2,200 per year.
In addition, the 2001 Privacy and the Community Survey has set the ground work for future comparative data on this measure, by including a number of questions that focus on aspects such as the extent to which people protect themselves on the internet.(76)
If there are unintended negative social impacts, the extent to which these are outweighed by other benefits such as economic benefits
There were a number of occasions during the Office's implementation of the new private sector provisions, when claims have been made about the negative social impacts of the legislation and the Office's activities.
One common claim was that concerns about privacy are impeding couples who wish to get access to each other's bank accounts. This is not an unintended consequence of the legislation; rather, it is very much an intended consequence of the requirements of the NPPs that consent be given to such arrangements (eg NPP 2.1(b)). In fact, it is more likely that this move by the banks, to obtain better evidence and records of consents for shared access to an account, reflects the fact that the Act had sent the financial institutions a wake up call. They needed to tighten practices that they should have tightened anyway, especially in an era of increasing concern about identity fraud.
Another, more difficult problem has been identified in the mental health area. Some service providers are concerned that the Privacy Act is preventing them from providing adequate care to people with a mental illness, for example entitling patients to access their medical record at a time when it might impede further treatment. The Office has sought to work with the sector to find practical ways, within the scope of the NPPs as they currently stand, to alleviate this concern. However, ultimately it is a matter that may need to be considered as part of the proposed two year review.
Social impacts are fairly distributed across the community
In the course of implementing the private sector provisions it became clear that the Office's activities could have differential impacts on parts of the community. For example, during its consultation on an information sheet on privacy and publicly available personal information(77) concerns were raised that reducing access to publicly available information might restrict the ability of charities to raise funds and hence result in less support being available for work with the disadvantaged sectors of the community. This is a matter that other law makers have taken into account in developing privacy policy. For example, in the US, the Do Not Call register(78) provisions do not apply to charities. In any event, the Office was not, in fact, proposing to reduce access to such information in the way feared.
The activities of the regulator broadly reflect public opinion
One of the reasons behind the 2001 survey work was to gain a better understanding of public attitudes on a range of privacy issues. The Office used the information gained in a number of ways to inform its policy positions. For example, the Office stated publicly on a number of occasions that there was a need to review the use of public register information and particular the Electoral Roll.(79) This reflected responses to a survey question on the use of Electoral Roll information which showed that 70% of those surveyed thought that the Electoral Roll should not be used for marketing purposes. The fact that the community was roughly divided(80) on the question of whether the telephone directory information should be accessed for marketing purposes was also fed into the Office's policy development thinking.
Media have an informed and balanced approach to the area being regulated
The Office has adopted a number of strategies to keep the media informed about the Office's approach to privacy and is open and transparent in its operations with the media. The Office regularly reports on calls, complaints and issues raised with the staff.(81) The Office runs a listserv for the media which has more than 1,500 members and which it uses to keep members informed of the latest developments and initiatives regarding the Office.(82)
The Office's approach has always been to work with the media to help them understand privacy and to develop more accurate and interesting stories about privacy. The Office's view has been that communicating with the community through the media is vital if the Office is to succeed in promoting an Australian culture that respects privacy.
The Office has a policy of, as far as possible, responding promptly to all media requests for interviews. It monitors press coverage in the privacy area and takes steps if it considers that media coverage is unbalanced or not informed. For example, the Office has developed responses to 'privacy furphies' and published them to its media networks and on the Office website. It has also developed frequently asked questions.(83) The Office has also, from time to time, written articles for media outlets about privacy issues in the areas of security, technology and media.
Those regulated have changed their behaviour to comply with regulatory requirements
Those regulated see the benefits of changing their behaviour and would continue to do so regardless of the regulatory oversight (in the sense that the regulation should 'contain the seeds of its own destruction')
There is considerable evidence that many organisations have at least taken steps to be seen to be complying with the Privacy Act. Most people would be aware that at about the time the legislation came into effect at the end of 2001, they received a deluge of privacy notices with their bills and other documents. They would also be aware of an increasing number of occasions, particularly in the health sector, where they are required to sign a consent form relating to the handling of their personal information. Those using the internet started to see a button saying 'Privacy' on many more website home pages. They would also be aware of increasing occasions where businesses use privacy as a reason for not disclosing information in certain circumstances. Unfortunately, it appears that these excuses are not soundly based and have the potential to undermine the reputation of the Privacy Act. Scrutiny of the media suggests that privacy is increasingly a topic for discussion and consideration in business matters, both from a business opportunity point of view and from a compliance point of view. Most professional organisations appear now to be aware of privacy as a business issue, and judging by the varied requests for the Office to give presentations these are wide ranging, and include organisations operating in industries where one would not necessarily expect privacy to be top of mind.
It is not yet clear how deeply privacy considerations are embedded into business practice nor how deeply privacy is embedded into the spirit of private organisations. It is not yet clear that businesses have sufficiently embraced the idea that good privacy is good business to change their behaviour fundamentally to align with the spirit rather than just the letter of the law. An early demonstration of this was the kind of privacy notices that many companies, particularly in the financial sector, were issuing. This became known within the Office, and then publicly, as the 'bundled consent' approach. There are a number of features of this approach, but in essence it involved organisations aiming, in one document, to gain all the consents they needed in order to continue the information handling practices they had always carried on. In most cases, the consumer was faced with the choice of either consenting to all the practices in one hit, or not at all. In others, consenting was a condition of receiving the service. The Office regards this as a bellwether issue as consent is one of the underpinning protections of the privacy regime. It is clearly an issue that should be closely examined during the proposed two year review.
On the other hand, other organisations, some quite small, have taken the spirit of privacy deeply into their thinking and have sought very detailed advice from the Office about how to implement privacy. Well over 100 businesses(84) have sought to opt-in to being covered by the Privacy Act. There are signs also that some of the larger organisations are also taking a broader interest in privacy. This has been demonstrated by interest shown by some business in adopting means of better communicating privacy information such as the 'condensed notice' approach endorsed by Privacy Commissioners at the 25th International Conference of Data Protection and Privacy Commissioners in Sydney in September 2003.(85)
The Office has received anecdotal advice from some quarters that deeper implementation of privacy is unlikely until such time as the Office adopts a stronger and more public approach to enforcing the law. They say that business has now reached a level of comfort with the law, and is satisfied that it has the appropriate levels of risk management in place. Although this advice has often come from quarters that may have a business interest in other businesses being concerned about privacy compliance and needing expert assistance to achieve compliance, it is comment that is worthy of consideration and note. It should certainly be a matter for consideration in the proposed two year review of the legislation. It may be that while the low profile partnership strategy the Office has adopted has been effective in implementing privacy to this point, it is now time to adopt a different strategy to achieve greater levels of behaviour change. It may be the case that, even apart from the regulatory risk, the market downsides of non-compliance will not be fully recognised and acted upon by business unless the Office adopts a stronger and more public approach to non-compliance. Some sting may be necessary even to promote cultures!
Public accountability for resources
Regulator has a strategic plan that prioritises and focuses its activities
The plan and the rationale behind the plan is widely known
Regulator has adhered to this plan
Regulator can account for how it has allocated and spent its resources against its plan
Regulator has evaluated its plan
As outlined earlier under the heading Strategic plan - set approach to regulation, the Office developed a strategic plan in 2000. It has also subsequently developed a second strategic plan. The Strategic Plan 2000, which spelled out the rationale behind it, was published in an attractive format, launched at a very well attended function, posted on the Office's website, and distributed in hard copy, with more than 10,000 kits handed out at the various functions at which the Office was represented. The Office developed detailed project plans for each of the Key Result Areas, and progress against the plan was fine tuned and monitored. By the time of the 2002 Annual Report, the Office was able to report continued adherence to the strategic plan and that it had largely delivered the Key Result Areas.(86)
The Office has not otherwise formally evaluated the Strategic Plan 2000. However, in the course of developing its second strategic plan (Strategic Plan 2003), the Office did consider the appropriateness and effectiveness of the earlier plan. Evaluating the Strategic Plan 2000 could appropriately form part of the proposed two year review of the Privacy Act.
The Strategic Plan 2003(87) was launched at a quieter level, but again a system for monitoring progress against Key Result Areas is in place.
Regulator has met all the usual obligations of financial management spelt out in the Financial Management and Accountability Act 1997, the Audit Act
The Office has met its obligations in this area. Since it was commenced as a separate agency under the Privacy Amendment (Office of the Privacy Commissioner) Act 2000 on 1 July 2000, the Office has received unqualified audit reports and operates very closely within its allocated budget.
Regulator has evidence that the resources are being used efficiently
The Office has undertaken activities particularly in the complaints area to establish whether its complaints process could be improved. The Office commissioned a small external review of complaint handling within the Office.(88) The purpose of this exercise was to identify areas for possible improvement, in accordance with best practice principles, with a view to ensuring that the Office was well situated to deal with the additional obligations of the Privacy Amendment (Private Sector) Act 2000.
The review focused on understanding and assessing processes and procedures for handling complaints from receipt to finalisation.
Key principles of complaint handling systems were derived from the 1999 complaint handling benchmark project undertaken by the Human Rights and Equal Opportunity Commission (HREOC), assessment of overseas complaint handling processes, the Australian complaint handling standard (AS4269)(89) and the Benchmarks for Industry-Based Customer Dispute Resolution Schemes (1997)(90). These sources indicate that an efficient and effective complaint handling service can be described as one which is accessible, fair, responsive, accountable and result focused.
The external review produced 31 recommendations. In line with the key principles, the recommendations focused on producing clear, purposeful and accountable complaint handling procedures which provide fair outcomes. The review made recommendations on complaint assessment, investigation and complaint resolution procedures, and a number of general comments. These recommendations focused on clarifying the procedures in each of these areas for compliance workers, complainants and respondents alike, and on developing a prioritisation system in complaint assessment to identify urgent cases and matters which can be resolved quickly. A number of recommendations focused on developing more detailed timeframes in the complaint handling system to ensure adequate progression of cases.
The Office implemented almost all of the recommendations of the review. Many of these recommendations informed the design of an electronic Complaint Management System (CMS), which the Office now uses as a central administrative aid to manage complaints.
Regulator has explored means of increasing the pool of resources available to it
Regulator has policies and procedures in place to ensure that the process for raising and using such additional resources is transparent, ethical and far above any implications that this source of funds could compromise its independence
Increasing the pool of resources available has formed part of the Office's thinking from early in the term of the Commissioner, as evidenced by the partnership and networking approaches outlined in the Strategic Plan 2000.
As described earlier under the heading Baseline Community Research, in 2001 the Office took partnerships one step further to support joint ventures and joint funding arrangements. The Office paid particular attention to doing all that it could to avoid even perceptions of conflict of interest or loss of independence or integrity. The published partnership policy(91) took into account a number of factors, including parameters set by the Australian National Audit Office and the NSW Independent Commission Against Corruption. The policy established a risk assessment framework and a process for assessing and managing partnership opportunities.
The Policy was first applied when finding partners and a sponsor for the Privacy and Business and Privacy and Government components of the 2001 survey research. The Office also received sponsorship from Centrelink, HREOC, Attorney General's Department, AAMI and PricewaterhouseCoopers Legal to host the 25th International Conference of Data Protection and Privacy Commissioners in September 2003 in Sydney.
The Office has a number of arrangements other than direct monetary sponsorship which serve to increase the Office's pool of resources. These include:
Privacy Connections: Networking for Privacy Solutions
The Office has worked to develop a well established network of people and organisations ready to support implementation of privacy solutions. The Privacy Connections Network, launched in April 2000, now has over 1,700 members.(92) In the months leading up to and following December 2001 and the introduction of the National Privacy Principles, the Office assisted organisations with their preparations and implementation of procedures to comply with the NPPs through provision of information, seminars and networking opportunities to members. More recently it has used the network to circulate draft publications for comment.
Privacy Contact Officer Network
The Office facilitates a network of Privacy Contact Officers (PCOs) drawn from each federal and ACT government agency.(93) The network is designed to ensure that agencies have a central point of contact for privacy issues within that agency. The Office provides a secretariat role to the network, assisting with arranging meetings, distribution of information, development of resource material and keeping a centralised record of PCOs.
Health Leaders Forum
In 2001-2002, the Office established an informal Health Leaders Forum, with membership comprising acknowledged leaders in the health sector. The forum has provided very useful advice to the Commissioner on a range of issues including the Guidelines to Privacy in the Private Health Sector, the Public Interest Determinations on Family Histories,(94) privacy and genetics, transfer of information between medical practices, and in debating issues such as the draft code being developed by the Australian Health Ministers Advisory Committee. The forum has also helped all its members exchange views on educational and other resource material for complying with the Privacy Act.
Privacy Agencies of New Zealand and Australia
The Privacy Agencies of New Zealand and Australia group (PANZA) continues to provide a focus for international discussion and development on privacy issues.
Through PANZA the Office has been involved in a number of international forums on privacy.
Federal Privacy Handbook
The Office has a cooperative arrangement with CCH Publishers to develop, maintain and distribute the Federal Privacy Handbook. CCH covers all the costs of publishing and distributing the handbook and the Office provides the intellectual property. The Handbook is a comprehensive loose-leaf guide to federal privacy law and practice, and is generally updated twice a year by the Office.
Memoranda of Understanding
The Office has key MOUs with HREOC, the Attorney General's Department, the Australian Competition and Consumer Commission, the ACT Government, the Department of Health and Ageing, Centrelink and the Australian Customs Service. Each serves a different purpose. Those with Health, Customs, Centrelink and the ACT Government make additional funding available to the Office on an agreed workplan basis. The MOU with HREOC is a financial and human resources common services agreement. The others document agreed strategies to implement more effective working relationships.
Joint Publications
The Office developed Information Sheet 16-2002: Application of Key NPPs to Due Diligence and Completion when Buying and Selling a Business in collaboration with the Law Council of Australia.(95) The information sheet aims to ensure that the privacy of individuals is protected during due diligence and completion of a sale of a business, while at the same time enabling the commercially sensitive process to go ahead in a timely and efficient manner.
The Office is presently developing a joint publication with the Australian Institute of Company Directors called "Privacy and Board Directors: What You Don't Know Can Hurt You". This publication aims to provide an easy guide to help company directors implement efficient and responsible privacy procedures that will add value to their organisations and contribute to the creation of an Australian culture which respects privacy.
The Office has also advised extensively on the preparation of publications funded by other organisations, for example the publications produced by the Royal College of General Practitioners and the Aust