Submission Home | Executive Summary | Submission Summary | Summary of Positions | Part A | Part B | Part C | Part D | Part E | Part F | Part G | Part H | Part I | Part J | Bibliography

PART F

OFFICE OF THE PRIVACY COMMISSIONER

CHAPTER 41

OVERVIEW - OFFICE OF THE PRIVACY COMMISSIONER

1. The Office notes the overview of Part F provided in Chapter 41.

2. The Office supports the notion of ‘compliance - orientated regulation' underpinning the ALRC's recommendations in this Part, which takes an outcomes-based approach to regulatory design. In this way the ALRC puts forward proposals aimed at securing voluntary compliance and an appropriate enforcement regime where voluntary compliance fails.

3. The Office considers that a number of improvements can be made to the current regulatory framework to facilitate a proactive approach to securing good privacy practice. Together with proposals to streamline and increase the effectiveness of complaint handling under the Act and a focus on systemic issues, the Office considers that many of the ALRC's proposals will provide the Office with a greater number of ‘tools' with which to foster compliance.

4. The Office also notes that its ability to provide an efficient and effective complaint handling service was challenged by a ‘backlog' of complaints that grew following the 2001 amendments which expand the coverage of the Privacy Act to the private sector. Following a concerted effort by the Office combined with increased resources, the Office has now allocated all complaints and has in place processes to continue to do so. The Office supports proposals aimed at assisting the Office to provide an effective and efficient compliance service.

5. The Office makes submissions in relation to each of the proposals of Part F below.

CHAPTER 42

FACILITATING COMPLIANCE WITH THE PRIVACY ACT

1. The Office agrees that compliance-oriented regulation is a useful framework for the principal based regime under the Privacy Act 1988 (the Act).

2. The ALRC has taken an ‘enforcement pyramid' approach to compliance. Central to that model is the concept that an escalation of sanctions can occur.

3. The Office agrees that there should be a range of measures which the Office may take, depending on the circumstances. The Office supports using the range of mechanisms under the Act as appropriate.

4. The Office makes submissions in relation to each of the proposals of Part F below.

CHAPTER 43

STRUCTURE OF THE OFFICE OF THE PRIVACY COMMISSIONER

Proposal 43-1 The Privacy Act should be amended to change the name of the ‘Office of the Privacy Commissioner' to the ‘Australian Privacy Commission'.

1. The Office agrees with proposal 43-1 that the name of the Office of the Privacy Commissioner be changed to the Australian Privacy Commission.

2. The proposal is in accordance with the Office's response to question 6-1 in the ALRC's Issues Paper 31 (IP 31).

Proposal 43-2 Part IV, Division 1 of the Privacy Act should be amended to provide for the appointment by the Governor-General of one or more Deputy Privacy Commissioners.  The Act should provide that, subject to the oversight of the Privacy Commissioner, the Deputy Commissioners may exercise all the powers, duties and functions of the Privacy Commissioner under this Act - including a power conferred by s 52 and a power in connection with the performance of the function of the Privacy Commissioner set out in s 28(1)(a) - or any other enactment.

3. The Office does not support the statutory appointment of one or more Deputy Privacy Commissioners.

4. The Office agrees that officers in addition to the Commissioner should have the ability to exercise all of the powers, duties and functions of the Privacy Commissioner, including those conferred by s52 and s28(1)(a) of the Act. However the Office does not consider that it is a requirement that the occupants of those positions be statutorily appointed in order to effectively exercise those powers, duties and functions.

5. The Office's position in its submission to IP 31, question 6-1(iii) was that s 52 of the Privacy Act 1988 (Cth) (Privacy Act) be amended to provide for determinations to be undertaken by certain other senior staff within the Office subject to specified conditions.

6. The exercise of the determination power in s52 is significant, however its proper use is not impacted by the method by which an officer was appointed, but rather by the capacity of that officer to exercise the power in accordance with principles of administrative law. This Office does not consider that the statutory appointment of one or more Deputy Commissioners is necessary for the independent, transparent and accountable exercise of those powers.

7. Currently, both the Deputy Commissioner and Assistant Commissioner positions are not the subject of statutory appointment. Both are positions of public service in which decisions delegated to them are made independently in accordance with administrative decision making principles. As with all delegated powers, it is the appropriate exercise of those powers that is integral to effective regulation irrespective of whether or not those positions were the subject of statutory appointment.

8. The Office considers that consistent with the CEO responsibilities of the Commissioner, it is more appropriate that the Commissioner appoint and manage senior staff.

9. The ALRC's view is that additional statutory appointees give support to changing the name from the ‘Office of the Privacy Commissioner' to the ‘Australian Privacy Commission,' on the basis that this appears consistent with the general understanding that a Commission is a body of persons charged with a particular function, rather than an individual regulator.

10. An ‘Australian Privacy Commission' may be made up of a single statutory appointed Commissioner together with senior staff who are able to exercise all of the powers, duties and functions of the Commissioner. While certain other regulatory agencies, such as the Human Rights and Equal Opportunity Commission, are made up of a number of Commissioners which form the Commission, this is distinct from this Office in that the Commission is responsible for the regulation of a variety of laws, necessitating a number of statutorily appointed Commissioners, whereas this Office regulates only the Privacy Act.

Proposal 43-3 Section 29 of the Privacy Act should be amended to provide that the Privacy Commissioner must have regard to the objects of the Act, as set out in Proposal 3-4, in the performance of his or her functions and the exercise of his or her powers.

11. The Office agrees with proposal 43-3.

12. The proposal is broadly consistent with the Office's response to question 6-2 in IP 31.

Proposal 43-4 Section 82 of the Privacy Act should be amended to make the following changes in relation to the Privacy Advisory Committee:

(a) require the appointment of a person to represent the health sector;

(b) expand the number of members on the Privacy Advisory Committee, in addition to the Privacy Commissioner, to not more than seven; and

(c) replace ‘electronic data-processing' in s 82(7)(c) with ‘information and communication technologies'.

13. The Office agrees with proposal 43-4.

14. The proposal is in accordance with the Office's response to question 6-3 in ALRC's IP 31.

Proposal 43-5 The Privacy Act should be amended to empower the Privacy Commissioner to establish expert panels at his or her discretion to advise the Privacy Commissioner.

15. The Office disagrees with proposal 43-5.

16. The ALRC states at paragraph 43.83 in DP 72, that ‘it is not technically necessary to include such a power in the Act - as the Commissioner could convene such committees already without an express power'.

17. The Office currently convenes expert panels as required, for example, the Health Privacy Forum whose members provide a range of health expertise to the Commissioner.

18. Accordingly, the Office does not consider it appropriate to enact a provision in circumstances where it is not required.

CHAPTER 44

POWERS OF THE OFFICE OF THE PRIVACY COMMISSIONER

Proposal 44-1 The Privacy Act should be amended to delete the word ‘computer' from s 27(1)(c) of the Privacy Act.

1. The Office agrees with proposal 44-1.

2. The proposal is in accordance with the Office's response to question 6-5 in the ALRC's Issues Paper 31 (IP 31).

Proposal 44-2 The Privacy Act should be amended to reflect that where guidelines issued by the Privacy Commissioner are binding they should be renamed ‘rules'.  For example, the following should be renamed to reflect that a breach of rules is an interference with privacy under s 13 of the Privacy Act:

(a) Tax File Number Guidelines issued under s 17 of the Privacy Act should be renamed Tax File Number Rules;

(b) Medicare and Pharmaceutical Benefits Programs Privacy Guidelines (issued under s 135AA of the National Health Act 1953 (Cth)) should be renamed the Medicare and Pharmaceutical Benefits Programs Privacy Rules;

(c) Data-Matching Program (Assistance and Tax) Guidelines (issued under s 12 of the Data-Matching Program (Assistance and Tax) Act 1990 (Cth)) should be renamed the Data Matching Program (Assistance and Tax) Rules; and

(d) Guidelines for National Privacy Principles about genetic information should be renamed Genetic Information Privacy Rules.

3. The Office agrees with proposal 44-2.

4. The Office notes that a significant driver for reform to privacy legislation is the overall simplification of the regulatory framework. The proposal, as currently drafted, does not appear to introduce unnecessary complication or complexity, and has the potential to improve clarity regarding the binding nature of a document produced or recognised under the Privacy Act 1988 (Cth) (Privacy Act). The Office suggests that this context should be an important consideration when implementing this recommendation.

5. The Office considers that the ALRC's proposal to rename existing binding guidelines ‘rules' signifies the mandatory nature of the content and the requirements for compliance, and differentiates those documents from other guidance which seek to provide clarification of obligations and the Office's interpretation. It does not appear that this change in nomenclature would have implications for the development of the particular document, such as requirements to consult with certain bodies, nor does it appear to affect implications under the Legislative Instruments Act 2003 (Cth), such as the requirements for tabling in parliament and the procedure regarding disallowance, however such details and potential consequences should also be kept in mind when implementing this recommendation.

Proposal 44-3 Following the adoption of Proposal 21-1 to require agencies to produce and publish Privacy Policies, the Privacy Act should be amended to remove the requirement in s 27(1)(g) to maintain and publish the Personal Information Digest.

6. The Office agrees with proposal 44-3.

7. The proposal is in accordance with the Office's response to question 6-8 in IP 31.

Proposal 44-4 The Privacy Act should be amended to empower the Privacy Commissioner to:

(a) direct an agency or organisation to provide to the Privacy Commissioner a privacy impact assessment in relation to a new project or development that the Privacy Commissioner considers may have a significant impact on the handling of personal information; and

8. The Office does not agree with proposal 44-4(a).

9. While the proposal is similar to the Office's response to question 6-6 in IP 31 in that the Office supports a Privacy Impact Assessment (PIA) being undertaken for agency projects that have a significant impact on the handling of personal information, the Office does not support it being provided with an explicit power to direct agencies or organisations to do this.

10. The Office's submission supported the introduction of a statutory requirement on agencies to conduct a PIA in relation to significant new projects or legislation that significantly impact on the collection or handling of personal information. This Office suggested that a set of criteria should be established to assist agencies to determine when a PIA is required.

11. A requirement that a PIA be conducted at the direction of the Privacy Commissioner may result in a culture where PIAs are underutilised as a planning tool in projects, as it appears to rely upon the Privacy Commissioner having sufficient knowledge about projects at an early enough stage to issue such directions.

12. In addition, the Office's submission recognised that many private sector organisations also undertake projects that would benefit from undergoing a PIA process. However, the Office did not support the introduction of a requirement that an organisation conduct a PIA at the direction of the Privacy Commissioner.

13. The Office considers that PIAs are a tool that can be used by organisations to identify information flows and risks when new proposals are contemplated, and organisations are in a better position to be able to assess when a PIA may be useful. It may be that an organisation will choose to conduct a number of PIAs at different stages of a project as more detail becomes available.

14. The Office considers that imposing a requirement that PIAs be conducted by organisations at the direction of the Privacy Commissioner may result in a perception of privacy being a burden imposed on an organisation by the regulator, rather than adopted and built in by the organisation in an effort to ensure best practice and consumer confidence. This appears to be a departure from the current model which is underpinned by the concept that organisations are best equipped to undertake risk analysis of their own business, and determine how the principle based law can best be applied in their circumstances.

15. As noted in the following recommendation, the Office supports the proposal that it develop a guide for organisations regarding when and how a PIA may be beneficial.

(b) report to the Minister an agency or organisation's failure to comply with such a direction.

16. As outlined above, the Office does not support the proposal that the Commissioner be provided with an explicit power to direct an agency or organisation to undertake a PIA.

Proposal 44-5 The Office of the Privacy Commissioner should develop Privacy Impact Assessment Guidelines tailored to the needs of organisations.

17. The Office agrees with proposal 44-5.

18. The proposal is in accordance with the Office's response to question 6-6 in IP 31.

Proposal 44-6 The Privacy Act should be amended to empower the Privacy Commissioner to conduct audits of the records of personal information maintained by organisations for the purpose of ascertaining whether the records are maintained according to the proposed Unified Privacy Principles (UPPs), Privacy Regulations, Rules and any privacy code that binds the organisation.

19. The Office agrees in part with proposal 44-6 subject to an important qualification.

20. While the proposal is similar to the Office's position in its submission to IP 31, question 6-9, discussed at paragraphs 36-47, it removes the qualification to the power for the Privacy Commissioner to undertake an audit as recommended by the Office.

21. In the interests of ensuring the Commissioner's powers under the Privacy Act are responsive to changing risks to information handling practices over time, the Office sees merit in the introduction of the power to conduct audits of private sector compliance In certain circumstances.

22. The Office refers to the powers and practices of the Privacy Commissioner of Canada, who has a qualified private sector audit power:

The Act gives the Privacy Commissioner of Canada the authority to audit an organization's personal information management practices when she has reasonable grounds to believe the organization is not fulfilling its obligations under Part 1 of the Act or is not respecting the recommendations of Schedule 1.[340]

23. The Office recommends the introduction of a qualified audit power expanding on its own motion investigation functions to allow the Office to audit private sector organisations for compliance where the Privacy Commissioner has reasonable grounds to believe that the organisation is engaging in practices that:

• pose new and significant risks to personal information they hold, or
• contravene the privacy principles in the Act or a commitment made in resolution to a complaint or own motion investigation.

24. This approach allows pro-active assistance to be provided to organisations seeking to introduce new technologies or projects, and to have the power to appropriately react when the Office is made aware of situations where particular risks or practices of concern have been identified such as significant systemic breaches.

25. The Office notes concerns expressed by stakeholders regarding the introduction of an unqualified power to conduct audits. In particular, at page 1215 of DP 72, the Investment and Financial Services Association indicated that its members would be resistant to random compliance audits, but notably, it supported a private sector audit power based on reasonable grounds such as situations where systemic issues arise.

26. In making this recommendation, the Office notes that the Commissioner's audit activities, whilst part of a compliance framework, primarily serve an educative function. However, where appropriate, it would allow the Office to expand its current own motion investigation activities to formally assess the general information handling practices of an organisation and work with the organisation to address any privacy risks or ongoing privacy issues identified.

27. Finally, the Office suggests that use of the word ‘audit' may have inherent negative connotations, which characterise the relationship between the Office and the organisation as that of ‘police officer and suspect.' This may undermine efforts to encourage organisations to recognise the inherent value in good privacy practice, which organisations might adopt and build in to their practices, and the complementary role of the Office to assist. The Office suggests that terminology reflecting this approach might alternatively refer to a ‘privacy performance assessment'.

28. In addition to broadening the Privacy Commissioner's general audit powers, the Office has recommended in proposal 54-3 that the specific audit powers for credit reporting activities, as currently set out in s 28A(1)(g), be retained. Further discussion about this issue appears under proposal 54-3.

Proposal 44-7 The Office of the Privacy Commissioner should maintain and publish on its website a list of all the Privacy Commissioner's functions, including those functions that arise under other legislation.

29. The Office agrees with proposal 44-7.

30. The proposal is broadly consistent with the Office's response to question 6-11 in the ALRC's Issues Paper 31 (IP 31).

31. The Office accepts that given the dynamic environment, it may be impracticable for the legislation to be continually updated as consequential amendments are made which have implications for the functions of the Privacy Commissioner.

Proposal 44-8 The Privacy Act should be amended to empower the Privacy Commissioner to refuse to accept an application for a public interest determination where the Privacy Commissioner is satisfied that the application is frivolous, vexatious, misconceived or lacking in merit.

32. The Office agrees with proposal 44-8.

33. The proposal addresses the Office's concerns outlined in its submission to IP 31.[341] The proposal is in accordance with the Office's position in its submission to IP 31, question 6-18.

Proposal 44-9 Part IIIAA of the Privacy Act should be amended to specify that:

(a) privacy codes approved under Part IIIAA operate in addition to the proposed Unified Privacy Principles (UPPs) and do not replace those principles; and

(b) a privacy code may provide guidance or standards on how any one or more of the proposed UPPs should be applied, or are to be complied with, by the organisation bound by the code, as long as such guidance or standards contain obligations that are at least equivalent to those under the Act.

34. The Office agrees with proposal 44-9.

35. The proposal is in accordance with the Office's positions in its submission to IP 31, question 6-20.

Proposal 44-10 Part IIIAA of the Privacy Act should be amended to empower the Privacy Commissioner to:

(a) request the development of a privacy code to be approved by the Privacy Commissioner pursuant to s 18BB; and

(b) develop and impose a privacy code that applies to designated agencies and organisations.

36. The Office agrees with proposal 44-10.

37. The proposal is in accordance with the Office's position in its submission to IP 31, question 6-20.

CHAPTER 45

INVESTIGATION AND RESOLUTION OF PRIVACY COMPLAINTS

Proposal 45-1 Section 41(1) of the Privacy Act should be amended to provide that, in addition to existing powers not to investigate, the Commissioner may decide not to investigate, or not to investigate further, an act or practice about which a complaint has been made under s 36, or which the Commissioner has accepted under s 40(1B), if the Commissioner is satisfied that:

(a) the complainant has withdrawn the complaint; or

(b) the complainant has not responded to the Commissioner for a specified period following a request by the Commissioner for a response in relation to the complaint; or (c) an investigation, or further investigation, of the act or practice is not warranted having regard to all the circumstances.

1. The Office agrees with proposal 45-1

2. The proposal is consistent with the Office's position in its submission to the ALRC's Issues Paper (IP 31), question 6-13.

Proposal 45-2 The Privacy Act should be amended to empower the Privacy Commissioner to:

(a) decline to investigate a complaint where the complaint is being handled by an approved external dispute resolution scheme; or

(b) decline to investigate a complaint that would be more suitably handled by an approved external dispute resolution scheme, and to refer that complaint to the external dispute resolution scheme with a request for investigation.

3. The Office agrees with proposal 45-2.

4. The proposal is in line with the Office's position in its submission to IP 31, question 6-13.

Proposal 45-3 Section 99 of the Privacy Act should be amended to empower the Privacy Commissioner to delegate to a state or territory authority all or any of the powers, including a power conferred by section 52, in relation to complaint handling conferred on the Commissioner by the Privacy Act.

5. The Office does not support this proposal.

6. The Office is aware of other regulatory environments where such models have been adopted, resulting in significant complexity, uncertainty and funding difficulties. Such a model would require the Privacy Commissioner to be confident that the other complaint handling agency would interpret and apply the principles consistently, as well as follow the same processes as the Office. This could require significant training and development in the Office and would have resource implications. It would also be necessary to ensure that, where a determination was made, any decisions regarding remedies would be equivalent to the decision that would be made by the Privacy Commissioner.

7. Such consistency would be essential to ensure fairness to both the complainant and the respondent, as well as to promoting regulatory predictability.

8. The Office is also mindful that any administrative decisions made by the Commissioner's delegated state or territory authority would be reviewable in the federal court, as a decision of the Commissioner.

9. The ALRC has stated at 45.24 that using existing state complaint-handling bodies for the investigation and resolution of privacy complaints would facilitate complaints being handled by local bodies, which can be more efficient and convenient for the complaint handler and the parties to the complaint.

10. The Office acknowledges that physical proximity of parties to an office that could deal with their complaint could further facilitate resolution of complaints via a face to face conciliation conference. However the time and other costs of handing over a matter to another office for conciliation, is likely to outweigh the cost of the staff simply travelling to the parties, were the Commissioner to consider this an appropriate way of attempting resolution.

11. In addition, in an era of relatively inexpensive, fast and efficient communications, including email, voice and video teleconferencing, the benefits of providing a facility in close proximity to the respondent and complainant are far less than they may have been historically.

12. The Office is of the view that any benefits resulting from physical proximity of a state or territory authority to the parties is outweighed by the potential risks to consistent administrative practice and decision making. The Office considers that the power is unlikely to be exercised and accordingly, the enactment of such a power to be unnecessary.

13. The Office has also raised these issues in response to the ALRC's proposal 56-1 regarding delegating the power to handle complaints under the Privacy Actin relation to interferences with health information privacy.

Proposal 45-4 Section 27(1)(a) and (ab) of the Privacy Act should be amended to make it clear that the Privacy Commissioner's functions in relation to complaint handling include:
(a) to receive complaints about an act or practice that may be an interference with the privacy of an individual;

14. The Office agrees with proposal 45-4(a).

(b) to investigate the act or practice about which a complaint has been made;

15. The Office agrees with aspects of proposal 45-4(b) but is of the view that the function to investigate should be subject to Part V of the Privacy Act. Part V sets out the Commissioner's powers not to investigate or investigate further, an act or practice about which a complaint has been made.

(c) where the Commissioner considers it appropriate to do so and at any stage after acceptance of the complaint, to endeavour, by conciliation, to effect a settlement of the matters that gave rise to the complaint or to make a determination in respect of the complaint under s 52.

16. The Office agrees with this proposal.

17. The proposal is in accordance with the Office's position in its submission to IP 31, question 6-12(iii).

Proposal 45-5 The Privacy Act should be amended to include new provisions dealing expressly with conciliation.  These provisions should give effect to the following:
(a) If, at any stage after receiving the complaint, the Commissioner considers it reasonably possible that the complaint may be conciliated successfully, he or she must make all reasonable attempts to conciliate the complaint;

18. The Office agrees with aspects of proposal 45-5(a) but suggests that the proposal be amended to remove reference to the word ‘receiving' and that the word ‘accepting' be substituted.

19. The Office is of the view that this amendment is necessary to ensure consistency in terminology between proposal 45-4(c) and 45-5(a).

20. The Office also considers that the word ‘all' should be deleted. A requirement that the Commissioner make ‘reasonable attempts to conciliate the complaint' provides greater flexibility and efficiency in the process. A requirement that the Commissioner make ‘all' reasonable attempts to conciliate a complaint is uncertain.

21. While the Office notes the ALRC's reference to other privacy legislation which uses this terminology at paragraph 45.53 of DP 72, other complaint handling regimes have more flexible regimes. For example, the NSW Anti-Discrimination Act 1977 provides in section 92A that:

If the President is of the opinion that a complaint, other than a complaint that the President has declined under section 92, may be resolved by conciliation, the President may, at his or her discretion, at any stage after acceptance of the complaint endeavour to resolve the complaint by conciliation.

22. Section 11 of the Human Rights and Equal Opportunity Commission Act 1986 sets out a function of the Commission to ‘attempt to conciliate complaints of unlawful discrimination.' Under section 46PH(1)(i) of that Act, the President may terminate a complaint where the President is satisfied that there is no reasonable prospect of the matter being settled by conciliation.

23. The proposal that conciliation may occur at any stage after accepting the complaint is also in accordance with the Office's position in its submission to IP 31, question 6-12(iii).

(b) Where, in the opinion of the Commissioner, all reasonable attempts to settle the complaint by conciliation have been made and the Commissioner is satisfied that there is no reasonable likelihood that the complaint will be resolved by conciliation, the Commissioner must notify the complainant and respondent that conciliation has failed and the complainant or respondent may require that the complaint be resolved by determination;   

24. The Office does not support proposal 45-5(b) in so far as it proposes that the complainant or respondent may require that the complaint be resolved by determination.

25. As with proposal 45-5(a), the office considers that the word ‘all' be deleted from the proposal.

26. The Office is concerned that incentives for resolving complaints by conciliation may be eroded by the proposal. The Office envisages that there will be cases where a party does not engage in conciliation in an effort to resolve a complaint, but merely to trigger the ability to seek a determination. In those circumstances, the Commissioner may form the opinion that reasonable attempts to settle the complaint by conciliation have been made, in so far as the Commission is unable to take the matter any further, despite a lack of legitimate engagement by the parties in the process. The Office does not agree with the ALRC's view that the proposal ‘requires the complainant and respondent to have made a genuine and concerted effort to conciliate the complaint.'[342]

27. At paragraphs 45.55 and 45.56 of DP 73, the ALRC points to other statutory regimes where a party may require referral to adjudication where conciliation has been unsuccessful. Those regimes are distinguishable from that established under the Privacy Act, as they allow referral to a court or tribunal for hearing. The Commissioner is not resourced as a court or tribunal and a compulsory determination power could also have additional resource implications.

28. The Office is of the view that a regime where the discretion to make a determination rests with the Commissioner and certain senior officers is most appropriate.[343] That regime provides the Commissioner with flexibility to use a number of tools to resolve complaints. The resource intensive determination power need not currently be exercised where the respondent makes an offer to resolve the complaint which adequately deals with the complaint, notwithstanding that a complainant may not be satisfied with the outcome. The current process provides an incentive for resolution and is a more efficient approach. Where the complaint is not adequately dealt with, it is open to the Commissioner to make a determination.

29. The Office considers that the proposal be amended along the lines that, where in the opinion of the Commissioner, reasonable attempts to settle the complaint by conciliation have been made and the Commissioner is satisfied that there is no reasonable likelihood that the complaint will be resolved by conciliation, the Commissioner must notify the complainant and respondent that conciliation has failed and the Commissioner must then decide whether to decline the complaint, investigate or investigate further, or resolve the complaint by determination.

(c) Evidence of anything said or done in the course of a conciliation is not admissible in a determination hearing or any enforcement proceedings relating to the complaint, unless all parties to the conciliation otherwise agree

30. The Office supports this proposal. The experience of the Office is that conciliation is most successful where parties agree to keep conciliation confidential. The proposal would give parties a level of comfort and would facilitate the conciliation process.

Proposal 45-6 Section 52 of the Privacy Act should be amended to empower the Privacy Commissioner to make an order in a determination that an agency or respondent must take specified action within a specified period for the purpose of ensuring compliance with the Act.

31. The Office agrees with proposal 45-6.

32. The proposal is in accordance with the Office's position in its submission to IP 31, question 6-16.

Proposal 45-7 The Privacy Act should be amended to provide that a complainant or respondent can apply to the Administrative Appeals Tribunal for merits review of a determination made by the Privacy Commissioner under s 52 and the current review rights set out in s 61 should be repealed.

33. The Office agrees with proposal 45-7.

34. The proposal is in accordance with the Office's position in its submission to IP 31, question 6-17.

Proposal 45-8 The Office of the Privacy Commissioner should prepare and publish a document setting out its complaint-handling policies and procedures.

35. The Office agrees with proposal 45-8.

36. The Office agrees that this proposal will help increase the accessibility and transparency of the Office's complaint handling process.

Proposal 45-9 Section 38B(2) of the Privacy Act should be amended to allow a class member to withdraw from a representative complaint at any time if the class member has not consented to be a class member.

37. The Office agrees with proposal 45-9.

38. The proposal is in accordance with the Office's position in its submission to IP 31, question 6-12(i).

Proposal 45-10 Section 42 of the Privacy Act should be amended to empower the Privacy Commissioner to make preliminary inquires of third parties as well as the respondent.

39. The Office agrees with proposal 45-10.

40. The proposal is in accordance with the Office's position in its submission to IP 31, question 6-12(iv).

Proposal 45-11 Section 46(1) of the Privacy Act should be amended to empower the Privacy Commissioner to compel parties to a complaint, and any other relevant person, to attend a compulsory conference.

41. The Office agrees with proposal 45-11.

42. The proposal is in accordance with the Office's position in its submission to IP 31, question 6-15(iii).

Proposal 45-12 Section 69(1) and (2) of the Privacy Act should be deleted, which would allow the Privacy Commissioner, in the context of an investigation of a privacy complaint, to collect personal information about an individual who is not the complainant.

43. The Office agrees with proposal 45-12.

44. The proposal is in accordance with the Office's position in its submission to IP 31, question 6-12(v).

Proposal 45-13 The Privacy Act should be amended to provide that the Privacy Commissioner may direct that a hearing for a determination may be conducted without oral submissions from the parties if:

(a) the Privacy Commissioner considers that the matter could be determined fairly on the basis of written submission from the parties; and

(b) the complainant and the respondent consent to the matter being determined without oral submissions.

45. The Office agrees with aspects of proposal 45-13 but suggests that the proposal be amended to make proposals (a) and (b) alternatives, by deleting the word ‘and' and substituting ‘or'.

46. The Office considers that the Commissioner should have the power to direct that a hearing for a determination be conducted without oral submissions from the parties where the Commissioner considers that the matter could be determined fairly on the basis of written submissions from the parties or where the parties consent to the matter being determined without oral submissions.

47. This approach would give the Commissioner greater flexibility to conduct a hearing in a fair and efficient manner. The proposal as drafted requires consent in all circumstances. This requirement is similar to the current provision in section 43(5) of the Privacy Act which provides that the Commissioner must afford the parties an opportunity to appear before the Commissioner and to make submissions, orally in writing or both.

48. The suggestion of the Office would assist the Commissioner in the efficient exercise of the determination power. Were the Commissioner to consider that the matter could be determined fairly on the basis of written submissions for the parties, there would be no need to seek consent of the parties and the matter could be determined on the papers. This would be a less resource intensive process than conducting an oral hearing.

CHAPTER 46

ENFORCING THE PRIVACY ACT

Proposal 46-1 The Privacy Act should be amended to empower the Privacy Commissioner to:

(a) issue a notice to comply to an agency or organisation following an own motion investigation, where the Commissioner determines that the agency or organisation has engaged in conduct constituting an interference with the privacy of an individual;

(b) prescribe in the notice that an agency or organisation must take specified action within a specified period for the purpose of ensuring compliance with the Privacy Act; and (c) commence proceedings in the Federal Court or Federal Magistrates Court for an order to enforce the notice.

1. The Office agrees with proposal 46-1.

2. The proposal is in accordance with the Office's position in its submission to The ALRC's Issues Paper 31 (IP 31), question 6-22(ii).

Proposal 46-2 The Privacy Act should be amended to allow a civil penalty to be imposed where there is a serious or repeated interference with the privacy of an individual.  The Office of the Privacy Commissioner should develop and publish enforcement guidelines setting out the criteria upon which a decision to pursue a civil penalty is made.

3. The Office agrees with proposal 46-2 and makes additional proposals.

4. The Office notes that the Privacy Commissioner's power to apply a civil penalty would be discretionary and could be pursued where there is a serious or repeated interference with the privacy of an individual.

5. For reasons of certainty, the definition of ‘serious' should explicitly include cases where a respondent breaches a notice to comply arising from an own motion investigation, or where a respondent fails to report a data breach, contrary to the requirements of the Privacy Act.

6. The Office considers that the definition of ‘serious' should not be exhaustive or act to limit the broader civil penalty provision as to what may constitute serious conduct. Accordingly, the Privacy Commissioner should have the power to apply civil penalties for other breaches of the Privacy Act based on the criteria published in the enforcement guidelines. The Office also makes reference to this issue in relation to the ALRC's proposals on credit reporting and civil penalties.

CHAPTER 47

DATA BREACH NOTIFICATION

Proposal 47-1 The Privacy Act should be amended to include a new Part on data breach notification, to provide as follows:

(a) An agency or organisation is required to notify the Privacy Commissioner and affected individuals when specified personal information has been, or is reasonably believed to have been, acquired by an unauthorised person and the agency, organisation or the Privacy Commissioner believes that the unauthorised acquisition may give rise to a real risk of serious harm to any affected individuals. 

(b) An agency or organisation is not required to notify any affected individual where:     
(i) the specified information was encrypted adequately; (ii) the specified information was acquired in good faith by an employee or agent of the agency or organisation where the agency or organisation was otherwise acting for a purpose permitted by the proposed Unified Privacy Principles (provided that the personal information is not used or subject to further unauthorised disclosure); or
(iii) the Privacy Commissioner does not consider that notification would be in the public interest. 

(c) Failure to notify the Privacy Commissioner of a data breach as required by the Act may attract a civil penalty.

1. The Office agrees with proposal 47-1.

2. The proposal is in accordance with the Office's position in its submission to the ALRC's Issues Paper 31 (IP 31), question 11-3(xiii) and the IP 32, question 5-6(i).

3. The Office has considered the approaches to mandatory data breach notification adopted in other jurisdictions to date.

4. The Office has considered the security breach notification law enacted in California, and does not consider that this approach is appropriate in the Australian context. The prescriptive and technologically-specific nature of this legislation appears contrary to the principle-based and technology neutral approach adopted by the Privacy Act 1988 (Cth) (Privacy Act).

5. The general approach adopted in Canada is more closely aligned with the Australian privacy approach. The four-step set of guidelines specifies a range of factors for organisations to consider when responding appropriately to a privacy breach. However, the potential threshold notifications under these guidelines are broader than proposal 47-1, and include where there is a reasonable chance of harm (including non-monetary losses) to an individual, or where there is a reasonable expectation that the Privacy Commissioner may receive complaints or inquiries about a breach.

6. While the Canadian approach is relevant to the Australian context, the broader scope of ‘mandatory notifications' under the Canadian model is not preferred. The Office considers that notification should be limited to circumstances where a breach is assessed as giving rise to a real potential for serious harm[344] to an individual. The higher threshold test specified in proposal 47-1 would not require agencies or organisations to notify less serious privacy breaches to affected individuals or the Privacy Commissioner. This proposal also reduces the compliance burden on agencies and organisations, relative to other approaches.

7. The Office also agrees that the Privacy Commissioner should be able to require notification where he or she believes that the unauthorised acquisition gives rise to a real risk of serious harm to any affected individual, even if the agency or organisation disagrees.

8. In terms of the proposed exception (b)(i), the Office notes that an assessment of whether the specified information was ‘adequately encrypted' may require clarification. The Office is of the view that it is preferable that an assessment of what amounts to adequate encryption is made by assessing the encryption employed at the time of the breach against a level of encryption commonly considered to represent an industry standard, rather than against an explicit, technical benchmark (e.g. a specified key-size). Such an approach permits flexibility to ensure the application of the Privacy Act over time in changing privacy environments.

9. The Office notes that the ambit of the exception in (b)(ii) may require clarification. The Office is of the view that the exception should capture the situation where agencies or organisations (otherwise using information in accordance with the UPPs) identify an inadvertent breach by an employee (or agent) who was otherwise acting in good faith.

10. The Office suggests consideration should be given to whether the data breach notification provisions should form part of proposed UPP 8, data security principle.

[340] Office of the Privacy Commissioner of Canada, Your Privacy Responsibilities: A Guide for Businesses and Organizations to the Personal Information Protection and Electronic Documents Act available at: www.privcom.gc.ca/information/guide_e.asp  

[341] Chapter 6 paragraphs 112-113

[342] See paragraph 45.58 of DP 73

[343] See Office position in response to proposal 43-2.

[344] Serious harm is not limited to identity theft or fraud but could include discrimination if sensitive medical information was released.