Background Paper

"Privacy, Technology and the Healthcare Sector"
The Australian Financial Review 4th Annual Health Congress

Malcolm Crompton, Federal Privacy Commissioner


25-28 February 2002, Four Points Hotel Sydney
9am to 9.40am (30 mins and 10 mins for questions)


Historical Context


The Concept of Privacy


Some fundamental part of human dignity requires privacy. It is part of the claim to personal autonomy. It supports the various freedoms that democratic countries value.

As then Professor Zelman Cowen said in the 1969 Boyer lectures:

A man without privacy is a man without dignity; the fear that Big Brother is watching and listening threatens the freedom of the individual no less than the prison bars. 1

He went on to argue that without privacy, one cannot in a meaningful sense be an individual and that an individual's growth and development depends partly on a conceded area of solitude and anonymity.

In 1890, in what is now regarded as the key early modern writing on privacy, Samuel Warren and Louis Brandeis popularised Judge Cooley's suggestion that privacy is the 'right to be let alone' 2 and argued for the need for a legal protection of this right in the face of 'recent inventions and business methods'.

While the face of the world and business methods have changed, 'the right to be let alone' remains one of the simplest and most meaningful answers to the question of 'what is privacy?'

In considering the question from a more detailed perspective, David Banisar 3 of EPIC suggests privacy can be divided into four separate but related concepts:

Over the last century thinking about what privacy is, whether and when it is worth protecting, and if it is, how it should be done, has developed as new inventions and business methods have emerged. For example, the development of photography and printing presses meant that candid images of people could be recorded and distributed without consent. This development led to court cases where more complexities about 'the right to be let alone' were debated - including the notion that this right needed to be weighed against the public's right to know about things of legitimate public concern.


1. Zelman Cowen, 1969, 'The Private Man', The Boyer Lectures, Australian Broadcasting Commission, pp. 9-10.
2. Samuel Warren and Louis Brandeis, 1890, 'The Right to Privacy', 4 Harvard Law Review 193, 1890, and available at www.louisville.edu/library/law/brandeis/privacy.html. They credit Judge Cooley in his Torts (2nd Edn, 1888, p. 29) with the phrase 'the right to be let alone'.
3. Banisar D, 2000, Privacy and Human Rights: An International Survey of Privacy Laws and Developments, Electronic Privacy Information Center, Washington DC. Available at www.privacyinternational.org/survey/.


In Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd, the High Court recently considered, among other things, whether a tort of privacy is recognised in Australian law. Some of the judges' reasons provide a useful summary of the developments in privacy law. 4 A tort of privacy was not found to exist in Australian law, though some of the judges indicated that the question should be seriously considered. 5

International Background

Privacy is recognised globally as a universal value. In 1948, the General Assembly of the United Nations adopted the Universal Declaration of Human Rights 6, which at Article 12 provides:

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour or reputation. Everyone has the right to the protection of law against such interference or attacks.

Similar privacy articles are found in the European Convention on Human Rights (1950) and the International Covenant on Civil and Political Rights (1966). 7

The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980) 8 form the basis of most approaches to privacy or data protection around the world. The OECD Guidelines protect the right to be let alone through two core mechanisms: openness and control. Openness requires that individuals be made aware of what information about them is held and how it is handled. Control requires that individuals have a say about whether, and how, their personal information is handled.

Environmental Factors - Social and Technological Change

Privacy is something that arouses more thought and interest in its absence or when it is threatened than in its presence. Prince Edward illustrated this when he was quoted as saying on the eve of his wedding that you don't value your privacy until you have lost it. We are in a period of rapid technological change where the technology is spawning new information and many new ways of collecting information (for example internet click stream data; data that identifies where you, your car or your phone were at a particular time etc). As a consequence, interest in and debate about privacy appears to be at one of its peaks.


4. Available from SCALEplus at scaleplus.law.gov.au/html/highcourt/0/2001/0/HC000640.htm.
5. See, for example, Kirby, J. at para 189 and Callinan, J. at para 335 of the judgement.
6. Available at www.un.org/Overview/rights.html.
7. Available at www.unhchr.ch/html/menu3/b/a_ccpr.htm.
8. Available at www.oecd.org/dsti/sti/it/secur/prod/PRIV-EN.HTM.


The new technologies currently feeding debates on privacy include:

What these developments mean for 'the right to be let alone', where the balance of public interests lies, and whether we as a community want to regulate these developments and if so how, are questions that we are constantly having to revisit and reconsider.

The nature of privacy also means its face changes over time. Technology gives us new ways to live our lives, new ways for businesses to do business, new devices to make our lives convenient, workable. These developments give rise to new information about us that can be collected, used and disclosed, and hence the potential for new forms of intrusion.

The development of the internet, and other networks, for example, presents individuals with opportunities to engage in social, commercial and political activities in a borderless, digital environment. Individuals who use the internet often leave behind "'electronic footprints', that is, digital records of where they have been, what they have spent time looking at, the thoughts they aired, the messages they sent, and the goods and services they purchased. Furthermore, these data tend to be detailed, individualised and computer processable." 10

Information and communication technologies have introduced another fundamental change to the way personal information is collected, used and stored. No longer do a relatively small number of large collections of personal information present the sole challenge. Instead, there are now a very large number of small and medium sized collections of personal information. Indeed, many internet companies have had business models explicitly built upon the collection, use and disclosure of personal information. The current 'bust' after the dot com boom is likely only to give rise to a small delay in the continuation of this general trend.


9. For example, earlier this year it was widely reported that face-recognition software surreptitiously scanned everyone passing through the turnstiles of the US Super Bowl in a trial that detected a number of probable matches with known criminals. See reports on the issue of face recognition from Wired News at www.wired.com/news/politics/0,1283,41571,00.html, www.wired.com/news/technology/0.1282,42317,00.html and www.wired.com/news/politics/0,1283,45950,00.html.
10. Organisation for Economic Co-operation and Development, Working Party on Information Security and Privacy, Inventory of Instruments and Mechanisms Contributing to the Implementation and Enforcement of the OECD Privacy Guidelines on Global Networks, May 1999 (referred to below as the OECD Inventory of Instruments), page 7. Available at www.olis.oecd.org/olis/1998doc.nsf/linkto/dsti-iccp-reg(98)12-final.


Technological developments have also contributed to an increasing flow of information and communications across national borders. E-commerce and online interactions potentially take individuals, or information about them, outside their local jurisdictions with an unprecedented frequency and range of purposes.

The increasing flow of information and communications across national borders has challenged the capacity of governments alone to protect the privacy of individuals adequately. The emergence of global information and communications networks requires rethinking of the role of governments and the role of regulators. If nothing else, it means that regulation of all holders and users of personal information by direct contact and supervision is simply no longer possible.

Even though our use of information and communication technologies will continue to accelerate, consumer concerns about the privacy and security of personal information online have emerged as a major barrier to participation in electronic commerce, as have concerns about the proliferation of databases of personal information. 11

11 September and Terrorism

The terrible events of 11 September have given rise to increasing calls for surveillance and monitoring in the interests of security. 12 Identity checking and tracking is being put forward by governments as an important weapon in the response to the threat of terrorism.

Such calls imply that responding to this new security environment might require that individuals all but have to give up their privacy, at least so far as law enforcement is concerned.

Privacy, I have suggested, is very basic: it is fundamental to human dignity, to autonomy, and to democratic political processes. If this is so, then we can never give up on privacy. How it is protected may need to change with changing times, but it still needs protection. 13


11. These concerns emerge from any number of surveys, including: The Office of the Federal Privacy Commissioner, Research into Community, Business and Government Attitudes Towards Privacy in Australia, at www.privacy.gov.au/business/research/index.html; The IBM Multi-National Consumer Privacy Survey of October 1999 at www-3.ibm.com/security/library/wp_priv-survey.shtml; and Beyond Concern: Understanding Net Users' Attitudes About Online Privacy of April 1999, AT&T Labs - Research Technical Report TR 99.4.3 at www.research.att.com/projects/privacystudy/.
12. For example, "NSW Police Commissioner calls for introduction of identity cards", ABC news, 15 November 2001, available at www.abc.net.au/news/justin/nat/newsnat-15nov2001-70.htm.
13. "Don't sacrifice privacy for security", Opinion piece by Malcolm Crompton, Federal Privacy Commissioner, The Australian Financial Review, 6 October 2001. Available for subscribers at afr.com/premium/commentopinion/2001/10/06/FFXAG1BCFSC.html.


In short, changes to technology, business practice and the political environment can change the nature of possible intrusions, and so change the nature of the right to be let alone. However, there must always be some sphere of privacy for each of us.

The Role of Legislation in Protecting Privacy

The ability of the law to protect privacy in an environment of technological change and globalisation has its limitations. The pace at which technology is changing and electronic commerce is developing makes it difficult for law - particularly highly prescriptive law - to remain up to date. There is also a fear that detailed law may stifle innovation and the market. The Deputy President of the Netherlands Data Protection Authority, Dr John Borking, has noted that "technological change is 30 times faster than the speed that the law can be changed: PC product lifetimes are about 9-24 months, internet product lifetimes are about 4-7 months while law making can take 7-12 years." 14 As suggested by the Washington based Center for Democracy and Technology, it has become evident that "the traditional, top down methods of implementing policy and controlling behaviour" may not be the appropriate regulatory response to safeguarding privacy in the global information economy. 15

Legislation, then, is not a sufficient ingredient in the culture change required for appropriate privacy protection. It is, however, necessary. Laws help to drive change because the fact of a new law, and its associated enforcement mechanisms, draws attention to the issue and to the community's approach. In addition, no matter how close to 'ideal' the market place might be, there is always going to be a 'bad element' to whom only effective law enforcement speaks.

These considerations are consistent with broader thinking over the past ten to fifteen years, where there has been a dramatic shift in thinking in many parts of the world about the proper role of government in rapidly changing circumstances. The shift is often portrayed as a move from government as a primary provider to government as a facilitator of the provision of goods and services through more sophisticated models of rule setting and governance. The concept of "steering not rowing", which refers to this change in the role of government, was popularised in the early 1990s by David Osborne and Ted Gaebler. 16

Charles Raab has applied the concept of steering to the role of governments with respect to the protection of privacy. In these circumstances, Raab notes that national or international authorities are now less able to regulate effectively using conventional instruments of administration, legislation and the courts. He describes steering as a process in which a regulator seeks to attain a certain standard or goal by first understanding the boundaries within which the "course" must be steered and of what is actually happening within that system. Steering involves developing a strategy in which a regulator may move towards the desired state of affairs. The process of steering may consist of more conventional forms of intervention through monitoring, supervising, and restricting data practices that involve the use of law and the powers of a regulatory authority. It may also involve exerting influence in the policy making process of government and business in order to incorporate privacy protection more effectively into management systems. 17


14. Remarks at the 21st International Conference on Privacy and Personal Data Protection, Hong Kong, China, September 1999.
15. Berman, Jerry and Mulligan, Deirdre, "Privacy in the Digital Age: Work in Progress" Nova Law Review, Volume 23, Number 2, Winter 1999, page 4 and available at www.cdt.org/publications/lawreview/1999nova.shtml.
16. Osborne, David E. and Gaebler, Ted, Reinventing Government: How the Entrepreneurial Spirit is Transforming the Public Sector, Reading, Massachusetts, Addison-Wesley Pub. Co., (1992).

For Raab, steering involves an interaction between regulation and self-regulation. He writes that:

It is intriguing, therefore, that an important theoretical premise of the steering approach is, in fact, the recognition that what is steered by the overall regulators are the self controlling mechanisms or sub systems that make up the system. In this conception, there are many points of (self) control, and the overall regulator may develop, institutionalise, and work with them even though formal authoritative oversight is not abandoned. 18

The role of government is to identify and encourage self policing mechanisms such as the market, which may lead a company to adopt good privacy practices to distinguish itself from competitors. Confronted with the numerous surveys indicating that the lack of privacy protection is a major barrier to consumer participation in electronic commerce, some business sectors are beginning to take privacy protection more seriously. The capacity of self regulation to provide adequate privacy protection continues to be widely debated. 19

Australian Milestones

Part of the community's response to the privacy issues emerging over the years has been to expect government to act.

Governments have passed laws that deal with a number of the four aspects of privacy identified by David Banisar (referred to earlier). There are laws limiting interference with bodily privacy (assault laws and laws allowing law enforcement organisations to undertake body searches subject to strict safeguards) and property laws that go part way to providing territorial privacy. Similarly there are laws generally prohibiting interfering with the privacy of communications (e.g. the Telecommunications (Interception) Act 1979). In each of these four areas, rights are given to the individual through a combination of laws and by people agreeing to follow certain rules of behaviour.

In recent times Australian governments have focussed on the privacy of personal information when drawing up legislation to protect privacy.


17. Raab, Charles D., "From Balancing to Steering: New Directions for Data Protection" in Bennett, Colin J. and Grant, Rebecca, Visions of Privacy: Policy Choices for the Digital Age, University of Toronto Press, Toronto, page 85.
18. Raab, page 86.
19. Strongly argued cases against self regulation abound on the internet. Three examples are at www.anu.edu.au/people/Roger.Clarke/, www.epic.org and www.junkbusters.com.


Australian Law Reform Commission

In April 1976, the Australian Law Reform Commission (ALRC) was charged with inquiring into the extent to which interferences with privacy might arise under Commonwealth laws. The Commission reported in 1983, recommending legislation based on the OECD principles, and the appointment of a Privacy Commissioner. 20

Privacy and data protection acts have tried to address the contextual and dynamic nature of privacy first by building in control by individuals over their personal information through mechanisms of choice and consent. This goes towards giving individuals a right 'to be let alone' to lead their lives.

The second core element to good privacy legislation is openness. At the point of collection, generally speaking, individuals should be informed about why their information is being collected and how it is to be used. Organisations are encouraged or obliged to be open about their general information handling practices, and individuals are provided with a general right of access to their information. In combination, openness and control mean that individuals know how their information is being handled, and can choose how, and for what purposes, to release their information. In this way individuals retain their right 'to be let alone' by having an informed say on when, and how, they are not let alone.

Australia Card

In 1986 the Federal Government put forward a proposal for a national identity scheme: the Australia Card. In the public debate over the Australia Card, privacy was raised as a serious concern. While the Government did not proceed with the Australia Card, in 1988 Parliament passed the Privacy Act. 21

Privacy Act 1988

Australia's privacy law reflects, in part, the country's federal system, which comprises Commonwealth, State and Territory Governments. The Privacy Act 1988 protects personal information held by the federal public sector and tax file numbers wherever held, and regulates the collection, use and disclosure of consumer credit information by private sector organisations. 22 Several Australian States have laws to regulate the handling of personal information held by State public sector agencies (see below).

The Privacy Act 1988 creates the position of Privacy Commissioner as an independent statutory officer responsible for implementing the legislation. The principal functions of the Privacy Commissioner are to investigate and resolve complaints, audit the compliance of credit providers and the public sector with aspects of the Act, advise in relation to good privacy practice and promote awareness within the general and business community about privacy rights and obligations. 23


20. The Law Reform Commission, Report No. 22, Privacy, 1983, Volumes 1 and 2, available at www.austlii.edu.au/au/other/alrc/publications/reports/22/.
21. Available at www.privacy.gov.au/business/index.html.
22. The Privacy Act 1988 also gave effect to Australia's agreement to implement the OECD's Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, as well as to Australia's obligations under Article 17 of the International Covenant on Civil and Political Rights; see earlier references for details.
23. Sections 27, 28 and 29 of the Privacy Act 1988.


Private Sector provisions of Privacy Act


The co-regulatory approach to developing the private sector provisions of the Privacy Act 1988 taken by the Federal Government reflects at least three considerations.

First, legislation, no matter how created - prescriptive or principles based - has its limitations. As noted earlier, the law generally develops much more slowly than the new technologies such as internet or biotechnology and this can severely limit the effectiveness of the law in practice.

Second, government in Australia has been generally disposed over the last ten to fifteen years towards market based regulatory solutions, consistent with the notions of "steering not rowing". This has also reflected the view that the law has the potential to stifle innovation and reduce freedom of choice.

Third, Australia is part of the global economy and is a relatively small player. Its stock market capitalisation, for example, is only about three percent of the world total. As a result, Australia is rarely in a position to "set the rules", except perhaps at the margin.

The extension of legislative privacy protection law to the private sector has been the subject of regular debate since the Privacy Act 1988 was first passed. The focus of this early debate was on whether there should be privacy protection that is specific to particular industry sectors. For example, the credit reporting provisions of the Privacy Act 1988 were introduced shortly after the passage of the original legislation when the practices of the credit reporting industry came under public scrutiny. Although initially there was some expectation that a sectoral approach to privacy protection would continue, the potential cost and difficulty of integrating industry specific regimes has become more apparent in recent years. There is now more, though not complete, agreement on the need for a nationally consistent approach to privacy protection. Nevertheless, the most appropriate form that privacy law for the private sector should take remains unsettled.

Generally speaking, the approach by successive Australian Governments to regulating business over the past decade has been to encourage industry to develop forms of self regulation. The view is that self-regulation would lower regulatory costs on business and improve market outcomes for consumers. Consistent with this approach, at one stage the Government's position was to protect the privacy of personal information held in the private sector by implementing a regime based on self regulation.

During this period, the former Privacy Commissioner, Moira Scollay, developed the National Principles for the Fair Handling of Personal Information (the National Principles), 24 based upon the OECD Guidelines and following extensive consultation with business, privacy advocates and the community. Business was encouraged to develop voluntary codes of conduct tailored to their industry specific circumstances that were consistent with the National Principles.

The Government recognised some of the limits of self regulation in protecting personal information when, in 1998, it announced that it would introduce a "co regulatory" scheme for the provision of a comprehensive privacy protection for the private sector. 25

The co regulatory approach is intended to foster industry developed codes, but these will be underpinned by legislation that will establish key privacy principles that will serve as a default framework in the absence of industry codes. As a general principle, most organisations in the private sector will be required either to adopt a code or comply with the legislative privacy principles. Either way, organisations will be required to engage in fair information handling practices.

The key features of this co-regulatory approach are as follows.

The legislation seeks to provide a reasonable balance between consistent standards and giving businesses the flexibility to develop an approach to privacy protection that is relevant to their day-to-day practice and meets community expectations about the handling of personal information. The Privacy Act 1988 should introduce a range of effective and adaptable privacy tools that will remain effective in changing technological and commercial circumstances.

A range of exemptions in the Privacy Act 1988 will restrict the application of the privacy principles in relation to politicians and political organisations, media organisations, certain small businesses and employee records.

In his second reading speech, the Attorney General announced that he will ask the Privacy Commissioner to review the Act after it has been in operation for two years, including examining the impact of the exemptions. The Attorney General's announcement acknowledges the need to ensure that the regulatory approach remains appropriate during a period of such rapid change in information and communication technologies and will allow the law to be refined in light of actual experience.


24. Available at www.privacy.gov.au/publications/page2.html#59.
25. Attorney General's joint press release with the Minister for Communications, Information Technology and the Arts of 15 December 1998, available at www.law.gov.au/aghome/agnews/1998newsag/Joint_13_98.htm.


Australian Attitudes to Privacy

Recently the Office of the Federal Privacy Commissioner commissioned surveys of business, government and community attitudes to information privacy. 26 The results of the community survey 27 give a feel for what the general community see as information privacy issues. For example over 90 per cent of people viewed each of the following activities as an invasion of privacy:

Attitudes revealed by the survey reflect a desire among the community to gain control over how their information is used. Ninety one per cent of respondents said that business should have to ask permission before using people's personal information for marketing purposes. Similar percentages thought that it was important that organisations advise people about who would have access to their personal information (89%) and how their personal information might be used (92%).

The perceptions and beliefs underlying these results reveal a significant disparity between what people think should happen and what they believe does happen with their personal information. Eighty four per cent of respondents believed that businesses often transfer or sell customer details in mailing lists to other businesses. Some 87% of respondents said they would be 'concerned' or 'very concerned' if a retailer passed on name, age, address and interest details to another retailer without their knowledge. 28

However, the business survey 29 revealed that 90% of responding organisations said they never sold, rented out or transferred customer details to other organisations. Only 14% of organisations said they regularly obtained information about customers or potential customers from other organisations.


26. Office of the Federal Privacy Commissioner, July 2001, available at privacy.gov.au/research/index.html.
27. Office of the Federal Privacy Commissioner, July 2001, Privacy and the Community Survey, available at privacy.gov.au/research/index.html.
28. This was much more likely to be an issue of 'great concern' for older people (73% of people over 50 years old) than younger people (39% of those aged 18-24). Younger people were also significantly less likely than older people to believe that businesses often transfer or sell customer details to other businesses.
29. Office of the Federal Privacy Commissioner, July 2001, Privacy and Business Survey, available at privacy.gov.au/research/index.html.


Another important disparity between business and consumer views relates to how consumers rank the value of privacy against quality of service. When businesses were asked what factors they thought were important to customers, they rated quality of the product or service first, and protection or security of personal information fifth. Consumers themselves, however, ranked privacy equal first with quality!

Interestingly, 95% of businesses considered the privacy of customers' information to be very important. Eighty per cent saw their business as dependent to a considerable extent upon their ability to protect and responsibly use their customers' personal information.

Consumers also showed a clear interest in controlling how their health information is handled. For example, when asked whether health professionals should be able to discuss the medical details of an individual (in order to better treat them) - in a way which identified them - without the patient's consent, almost half (47%) of consumers disagreed.

The results from this survey are not isolated. A Flinders University Study conducted in 1999 found that almost 1 in 10 (9.6%) South Australians are not confident that healthcare providers keep and use information responsibly. 30

New Zealanders revealed similar attitudes to misuse of personal information in a survey conducted in September 2001 for the New Zealand Privacy Commissioner. 31

Health Information and the NPPs

Health issues were given particular attention in the course of the development of the private sector amendments to the Privacy Act 1988.

A number of factors lie behind the approach to protecting health information found in the NPPs. 32 Personal health information is increasingly being stored and communicated electronically. This means that there is a greatly increased capacity to store, sort and communicate personal health information.

There are more and more proposals for greatly increasing the linkage of identified medical records. Telemedicine and health smart card proposals result in information being stored and collected in new ways.

There is growing demand for increased capacity to link health information to inform policy making and evaluation better. The changing focus of measurement in the health sector from health service delivery to measurement of health outcomes means policy analysts are seeking data at a fine level, often at the individual level.


30. Mulligan Ea C, 2001, "Confidentiality in health records: evidence of current performance from a population survey in South Australia", Medical Journal of Australia, 2001; 174: 637-640, available at www.mja.com.au/public/issues/174_12_180601/mulligan/mulligan.html.
31. Summarised in Issue 42 of the New Zealand Privacy Commissioner's Private Word, available at www.privacy.org.nz/privword/42pr.html.
32. See the Office of the Federal Privacy Commissioner's Background Paper: Application of the National Principles for the Fair Handling of Personal Information, May 1999, and Issues Paper: Application of the National Principles for the Fair Handling of Personal Information, May 1999, both available at www.privacy.gov.au/publications/page2.html#Health.


More and more people (e.g. quality assurance panels, internal auditors, health insurers) have, or are seeking, to make use of personal health information for secondary purposes, such as improving the quality and consistency of care, and verifying payments.

Many people other than doctors hold health information, for example gymnasiums, alternative therapists, allied health professionals, therapists, counsellors, superannuation providers, insurance companies and so on. Some bodies that are now collecting personal health information are not bound by professional codes of ethics or common law duties of confidentiality.

There is also clear evidence that people who are not confident that the privacy of their health information will be respected will take defensive action, even if it may affect their health adversely. 33 Individuals are also increasingly demanding more of a say in their health care and in how their personal health information is used.

Importantly, individual rights of access to medical records have been an issue of significant concern in Australia in recent years. The traditional understanding in Australia has been that medical professionals own the medical records about their patients, and that it is the practitioner's right to decide whether, and to whom, the record about the person concerned is shown. This position was confirmed in the High Court judgement Breen v Williams, 34 which also made it clear that without action by the legislature, private patients will not be able to enjoy the certainty, as public patients do, of a general right of access to their health information.

In developing the private sector amendments to the Privacy Act 1988, the Attorney General asked the Privacy Commissioner to consider whether the National Principles would provide the appropriate level of protection for personal health information. 35 Following broad consultation with key stakeholders, the report to the Attorney General concluded that, with modification in a few areas, the National Principles do provide an adequate framework for the protection of personal health information. This conclusion has been broadly endorsed in subsequent legislation, in particular the amendments to the Privacy Act 1988 and in the development of the Health Records Act 2001 (Victoria).

It is important to recognise that the protection for personal health information should be as consistent as possible with the general principles for the handling of personal information. This is because in many cases organisations hold both health and other personal information. Applying different privacy principles to specific types of personal information would be costly and would create uncertainty for individuals and organisations.


33. Medical Privacy and Confidentiality Survey conducted by Princeton Survey Research Associates for the California HealthCare Foundation, January 1999, available at www.chcf.org/press/view.cfm?itemID=362.
34. Available at: www.austlii.edu.au/cgi-bin/disp.pl/au/cases/cth/high_ct/unrep277.html?query=title(Breen).
35. See Privacy Commissioner's Report on the Application of the National Principles for the Fair Handling of Personal Information, December 1999, available at www.privacy.gov.au/publications/page2.html#21.3.


Health Online

In September 2001, the National Health Information Management Advisory Council (established by Commonwealth, State and Territory Health Ministers as the peak body for progressing key issues regarding the use of information in the health sector) released the second edition of Health Online: A Health Information Action Plan for Australia. 36 Health Online is a national strategy for information management and the use of online technologies within the health sector.

One key component of Health Online is the plan for national electronic health records, 'HealthConnect'. 37 Under HealthConnect it is proposed that health-related information about an individual will be collected in a standard, electronic format at the point of care (such as at a hospital or a general practitioner's surgery). The information would take the form of health summaries rather than all the notes a health care provider may choose to keep after a consultation. Consumers would have access to their own records and HealthConnect would be voluntary for consumers and providers.

Health Online strategies such as HealthConnect have the potential to improve the health care of individuals, and to reduce the rate of growth of health outlays through more efficient use of health information. Properly implemented, a nationally available e-health record is likely to provide significant benefits to consumer health and to the health system. The scheme also has the potential to improve the privacy protections relating to health records, by ensuring improved security of health information, improved accuracy of health information and easier access - all essential elements of good privacy practice.

Unique patient identifiers (UPIs) are emerging as desirable additional components of an electronic health records system. For UPIs to work properly, they need to be supported by a strong evidence of identity (EOI) process. The lowest-cost solution may not be the most appropriate: it may deliver low integrity and, while cheapest, compromise consumer confidence in taking it up and, worse, compromise health outcomes.

Community trust in new arrangements such as these will be essential to their success and hence to the desired health, financing and privacy outcomes. In turn, achieving a national uniform privacy scheme in the private sector is essential to getting privacy right.


36. Available at www.health.gov.au/healthonline/ehr_rep.htm.
37. More information is available at www.health.gov.au/healthonline/connect.htm.


Privacy Protection in Australian States and Territories

Since the passing in 1988 of the Privacy Act, some States and Territories have moved towards legislating for privacy protection using the frameworks provided by the Information Privacy Principles and the National Privacy Principles in the Privacy Act 1988. Generally speaking the Commonwealth, State and Territory laws are broadly consistent with each other; however there are some specific inconsistencies.

The Australian Capital Territory public sector is covered by the Privacy Act 1988. Health records in the ACT are additionally protected by the Health Records (Access and Privacy) Act 1997 (ACT). 38 This Act contains principles based on the Information Privacy Principles contained in the Federal legislation and gives individuals in the ACT access to their own health records.

In 1998 the New South Wales Parliament passed the Privacy and Personal Information Protection Act 39 and established the Office of the NSW Privacy Commissioner. The dispute resolution arrangements of this Act are generally limited to the acts and practices of state and local government agencies.

The Victorian Parliament passed its Information Privacy Act in November 2000. 40 This Act creates privacy obligations for the management of personal information across the Victorian public sector. This Act adopts ten Information Privacy Principles that are based on the NPPs, and establishes the Office of the Victorian Privacy Commissioner. The jurisdiction of this Act is also generally limited to state and local government agencies.

These two State public sector privacy Acts complement the Privacy Act 1988 by protecting privacy in the State public sectors, which are not under the jurisdiction of the Privacy Act 1988.

In April 2001, the Victorian Parliament passed the Health Records Act. 41 The law will come into effect from 1 March 2002. The 11 Health Privacy Principles in this Act are again based on the 10 NPPs.

The Victorian and ACT health privacy Acts are intended to regulate the handling of health information across the private and public sectors.

In some areas the Health Records Act 2001 (Vic.) adds a significant degree of prescriptive detail to the NPPs (for example the procedures to be followed in providing access, in Part 5). Generally speaking, while the Health Records Act 2001 (Vic.) is more detailed than the Privacy Act 1988, the privacy protections it offers are sometimes stronger, and sometimes weaker, than those offered by the Privacy Act 1988.


38. Available at scaleplus.law.gov.au/html/actord/0/470/top.htm.
39. Available at www.austlii.edu.au/au/legis/nsw/consol_act/papipa1998464/index.html.
40. Available at www.dms.dpc.vic.gov.au/sb/2000_Act/A00937.html.
41. Available at healthrecords.health.vic.gov.au/


There is a clear overlap in the jurisdictional intent of these State and Territory health privacy Acts, with regard to the Privacy Act 1988.

As mentioned earlier, the Privacy Act 1988 regulates information handling (including personal health information) in the private sector, including all health service providers. The Privacy Act 1988 has some exemptions, including an exemption for businesses that have a turnover of $3 million or less and are not health service providers, nor trade in personal information. Acts and practices relating to the employee record of an existing or former employee are also exempt. 42

The Health Records Act 2001 (Vic.), and the Health Records (Access and Privacy) Act 1997 (ACT) do not have similar exemptions.

As a consequence, private sector organisations, including all private sector health service providers, may be concerned that they are simultaneously regulated by two similar, but not entirely consistent, privacy protection schemes.

A single national comprehensive scheme

While the privacy protection schemes in the State and Territory health privacy Acts are often similar in aim, direction and focus, there are numerous differences of detail, including some inconsistencies. These inconsistencies would make it extremely difficult, if not impossible in some cases, and certainly costly, to comply with both a State or Territory scheme on the one hand and the Commonwealth scheme on the other.

Australia's Constitution provides a means for resolving questions of overlapping jurisdictional intent. Section 109 of the Constitution provides that

When a law of a State is inconsistent with a law of the Commonwealth, the latter shall prevail and the former shall, to the extent of the inconsistency, be invalid.

Section 3 of the Privacy Amendment (Private Sector) Act 2000 (which introduced the private sector provisions to the Privacy Act 1988), states that one of its main objects is:

…to establish a single comprehensive national scheme providing, through codes adopted by private sector organisations and the National Privacy Principles, for the appropriate collection, holding, use, correction, disclosure and transfer of personal information…

The Privacy Act 1988 (as amended), provides that

It is the intention of the Parliament that this Act is not to affect the operation of a law of a State or Territory that makes provision with respect to the collection, use, correction, disclosure or transfer of personal information (including such a law relating to credit reporting or the use of information held in connection with credit reporting) and is capable of operating concurrently with this Act.


42. See Information Sheet 12 - 2001 for an overview of the coverage of the Privacy Act 1988 and exemptions, available at www.privacy.gov.au/business/index.html#5.


The Office understands that against the background of the Constitution, the Commonwealth's intention to create a 'single national comprehensive scheme' means that laws created by other jurisdictions must be consistent with the Commonwealth legislation. On this basis, the State and Territory health privacy Acts would be restricted in their application to the relevant State or Territory public sector, and perhaps aspects of the private sector which are exempted from the Privacy Act 1988 (e.g. certain small businesses as mentioned above and certain acts or practices relating to employee records).

On this understanding, where an act or practice is regulated by the Commonwealth Privacy Act, then it is not regulated by a State or Territory privacy Act.

Under the Privacy Act 1988, the Commissioner has the function of investigating an act or practice of an organisation that may be an interference with privacy (s27(1)(ab)). The Office has an obligation in the Act to consider investigation of all complaints which come under the jurisdiction of the Act, including those relating to health information in the Victorian and ACT private sectors.

The Office is committed to working with the Office of the Victorian Health Services Commissioner, the Office of the Victorian Privacy Commissioner, the Office of the NSW Privacy Commissioner and the Office of the ACT Community and Health Services Commissioner to ensure that all the legislation for the protection of privacy works well together. At the interface, where it is unclear what the jurisdiction or scope of one or more of the Acts is, I hope to work constructively with the other Commissioners to provide as seamless a regime of privacy protection as is possible. In the end, questions of inconsistency that remain unclear may have to be resolved by legal process.

The need for clarification on this issue is paramount. While the Commonwealth, State and Territory privacy commissioners around Australia play an important role in administering the various pieces of legislation, they are not in themselves able to resolve the complex legal and constitutional questions underlying this issue. It may be that this is an issue for the courts or the various Commonwealth, State and Territory parliaments to address.

Future Directions

Amongst stakeholders, there is a strong interest in establishing a nationally consistent privacy regime, in the face of differing views about the appropriate level of privacy protection and the risk that different health privacy laws may emerge at Commonwealth, State and Territory level. A single, consistent privacy framework for the private sector, nationally, has the potential to reduce compliance costs for organisations, reduce forum shopping and allow consistency in the way alleged breaches of privacy are resolved.

Recognising the emerging importance of the appropriate exchange of health information, along with other factors already mentioned, Australian Health Ministers have directed the drafting of a National Health Privacy Code to provide nationally consistent health privacy protection. 43 The Australian Health Ministers' Advisory Council (AHMAC) plans to release the code for wide public consultation before moving to a final version.

This code may be submitted to the Office for approval as a Code under the Privacy Act 1988, and could also be recognised by States and Territories. This approach may potentially lead to greater consistency than is likely to be achieved by each jurisdiction having its own health privacy legislation.

Along with the important drivers for health privacy protection mentioned earlier, the issue of genetic privacy is gaining increasing attention. At the request of the Federal Government, 44 the Australian Law Reform Commission and the Australian Health Ethics Committee are conducting a joint inquiry into genetic information, and have recently released an issues paper. 45 The Office has been consulted as a relevant stakeholder and is preparing a submission on matters relating to the protection of privacy. The ALRC and AHEC will publish a discussion paper by August 2002, after which the Office will make a further submission. The joint inquiry is to report by March 2003.

Meeting your obligations under the Privacy Act: individual control and openness

In the private health sector, the Privacy Act 1988 will complement the existing culture of confidentiality that is fundamental to many health service providers' professional practice obligations.

The Act promotes greater openness between health service providers and consumers regarding the handling of health information. Clear and open communication between the health service provider and health consumer is integral to good privacy. When such communication occurs, then ordinarily, many of the privacy obligations of health service providers will be met. When providers are open about the health information they hold, and how they use and disclose it, surprises are unlikely and with fewer surprises there are likely to be fewer complaints.

The key to complying with the NPPs is ensuring alignment between the expectations and understanding of the health service provider and those of the individual about what will be done with personal information collected. Providers need to pay most attention to those circumstances where expectations are not shared. If uncertain, the health service provider should check with the individual.

An appropriate combination of openness and individual control will go a long way to ensure that health service providers are meeting their obligations under the Privacy Act 1988.


43. Ministers "reaffirmed their commitment to the adoption of national health privacy standards based on the National Health Privacy Code currently being developed by a joint Commonwealth, State and Territory Privacy Working Group", in their Joint Communique of 1 August 2001 from the Australian Health Ministers' Conference, available at www.health.gov.au/mediarel/yr2001/mw/ahmc2.htm.
44. Joint News Release by the Federal Attorney General and the Minister for Health and Aged Care dated 7 February 2001, available at www.law.gov.au/aghome/agnews/2001newsag/jointWoolridge_01.htm.
45. Available at www.alrc.gov.au/inquiries/current/genetic/index.htm


What we can do to help:

The Office of the Federal Privacy Commissioner has been working hard to provide useful guidance on the provisions of the Privacy Act. We have put a particularly strong effort into information that will assist organisations in complying with the Act.

These resources include:

In producing these resources, we have worked closely with industry, the health sector, consumers and government. We have formed and regularly consulted reference groups, met with peak industry and consumer bodies, and with individual organisations. We are providing what assistance we can on education and information packages being developed by peak organisations.

We also host the Privacy Connections Network, a group of people from across all sectors of the Australian community and business, connected through the Office of the Federal Privacy Commissioner, who meet to exchange, discuss and develop good privacy practices and solutions. Network membership is open to any member or employee of an organisation who would like to take part.


46. Available from the Office of the Federal Privacy Commissioner's website at http://www.privacy.gov.au/business/index.html#3.3
47. Available from the Office of the Federal Privacy Commissioner's website at http://www.privacy.gov.au/act/public_interest/index.html#2
48. Available from the Office of the Federal Privacy Commissioner's website at http://www.privacy.gov.au/business/index.html#3.2
49. Available from the Office of the Federal Privacy Commissioner's website at http://www.privacy.gov.au/business/index.html#5
50. Available from the Office of the Federal Privacy Commissioner's website at www.privacy.gov.au


Privacy Connections network activities include

More information about the network, including an online registration form, is available from privacy.gov.au/about/connections/index.html.

In 2002, the Office will focus on continued monitoring of, and assistance to, the health care sector in the implementation of the private sector privacy legislation. In addition, as with traditional health care providers in 2001, the Office will continue to provide targeted assistance, in consultation with the private health sector, in selected areas. Projects will include the development of a consumer health privacy booklet, engagement with the mental health sector to discuss implementation of the legislation, and distribution of a brief guide on the new private sector legislation to single-practitioner health service providers such as occupational therapists and speech therapists. This work will be in addition to our continuing advice on HealthConnect and on other major areas of interest in privacy and health, such as the ALRC and AHEC joint inquiry into genetic information.