

EXECUTIVE SUMMARY

Office of the Privacy Commissioner

1. The Office of the Privacy Commissioner (the Office) is an independent statutory body whose purpose is to promote and protect privacy in Australia. The Office, established under the Privacy Act 1988 (Cth) ('the Privacy Act'), has responsibilities for the protection of individuals' personal information that is handled by Australian and ACT government agencies, and personal information held by all large private sector organisations, health service providers and some small businesses. The Office also has responsibilities under the Privacy Act in relation to credit worthiness information held by credit reporting agencies and credit providers, and personal tax file numbers used by individuals and organisations.

Background

2. In January 2006, the Australian Law Reform Commission ('ALRC') began its Review of Privacy, examining the extent to which the Privacy Act and related laws continue to provide an adequate framework for the protection of privacy in Australia. The Australian Privacy Commissioner, Karen Curtis, welcomed this review as a 'once in a generation opportunity' to enhance the consistency and effectiveness of privacy regulation for the new century. In March 2005, the Commissioner's own review of the private sector provisions of the Privacy Act recommended that such a wider review of privacy laws be conducted.[1]

3. As part of its contribution to this review, the Office made comprehensive submissions to the ALRC's Review of Privacy Issues Paper (IP 31) in February 2007, and to its Review of Privacy-Credit Reporting Provisions (IP 32) in April 2007.[2] In the course of some 570 pages, these submissions drew on almost 20 years of experience as Australia's national privacy regulator, including the inception of the private sector provisions under the Privacy Act in 2001.

4. This submission responds to the ALRC's Discussion Paper 72, Review of Australian Privacy Law (DP 72), which was released in September 2007. The submission addresses all of the 301 proposals and 46 questions raised in DP 72, building on the views and experiences put forward in the Office's previous submissions. This submission considers privacy regulation in a broad sense, as well as discussing a number of specific matters, including in some cases matters not addressed in the Office's response to IP 31 or IP 32. This submission is therefore a pivotal part of the Office's vision for an Australian community in which privacy is respected and protected.[3]

General comments

5. Privacy is important and relevant to us as individuals, and affects the quality of life we are able to lead in our society. Privacy laws affect the level of control we have over our personal information. They are significant determinants of what governments, business and the wider public are able to find out about us, and make sure that once our personal information is collected, it is used appropriately and treated with respect. Fundamentally, privacy is about giving individuals sufficient choice and control over how our personal information is handled, in ways that allow for day-to-day interactions with governments and businesses.

6. The ALRC's review of privacy comes at a time of renewed public interest in privacy issues, and renewed concerns about how personal information should be handled in an age of developing technology, globalised information exchange, increased public surveillance and heightened national security. For example, a recent study commissioned by the Office found that 50 per cent of Australians have become more concerned about providing information online than they were two years ago, while in the past three years, 10 per cent more Australians have become aware of Australia's privacy laws.[4]

7. Since making its submissions on IP 31 and 32 in February and March 2007, the Office has noted a number of significant privacy issues or developments, including:

8. The current review is also a clear signal that governments recognise privacy as a valuable right in a free and fair society, and that laws must be kept up to date and relevant to ensure its proper protection in the 21st century. This is demonstrated by the number of privacy and data protection law reviews recently commissioned in other jurisdictions, including New South Wales, Victoria, New Zealand and the United Kingdom.[11]

9. In making this submission, the Office recognises that privacy sits alongside many other important public interests that may, on occasions, compete with privacy. Generally though, privacy can enhance the way that governments and businesses interact with individuals, by building trust, aligning expectations and focusing on personal information that is relevant and necessary. It is also relevant to note that the private sector provisions of the Privacy Act were developed to be responsive to both consumer and business needs.[12]

The way forward for privacy protection

10. In many respects, the Privacy Act has operated effectively and the framework has served the Australian community well since its commencement in 1988. For example, in this submission the Office remains of the view that principles-based regulation, rather than prescriptive law, is the most appropriate form for overarching privacy regulation. Similarly, the Office submits that the Privacy Act should remain technology neutral, while providing for the development of privacy codes relevant to a specific organisation, industry or type of activity.

11. Principles-based law is resilient to rapid changes and can apply to personal information regardless of the kind of technology involved. It is important that the Privacy Act remain flexible and technology neutral to remain responsive to evolving privacy needs, while retaining flexibility for government agencies and private sector businesses to interact efficiently with individuals, and implement their own preferred compliance regimes.

12. Another key theme of this submission, building on those before it, is the central importance of achieving greater national consistency in privacy regulation. The lack of consistency between federal and other jurisdictions, and the existence of separate standards for public and private sectors, highlights an important area that should be addressed through privacy law reform. In the Office's view, one of the essential ways of improving national consistency in privacy regulation is to develop and implement a single set of principles that would bind Australian and ACT government agencies and private sector organisations.

13. This view is shared by the ALRC in DP 72, which outlines a set of Unified Privacy Principles (UPPs) to replace the existing separate sets of Information Privacy Principles (IPPs) and National Privacy Principles (NPPs), which regulate the public and private sectors respectively. The benefits of a single set of principles include:

14. In this submission, the Office supports moves towards several new developments in privacy law. Firstly, the Office welcomes the development of a statutory cause of action for privacy, which would give individuals the power to bring actions in court for a breach of privacy. This avenue would have a different focus to and would supplement the existing regulatory model, which allows individuals to complain to the Privacy Commissioner free of charge and provides a more informal method of resolution.

15. Secondly, the Office believes that individual privacy can also be bolstered by a regime for data breach notification. While this is a relatively new development internationally, the Office supports such a regime in principle, and looks forward to collaborating with other relevant stakeholders to develop and implement appropriate and effective breach notification provisions in the Privacy Act.

16. This submission also provides suggestions relating to the powers of the Privacy Commissioner to promote privacy rights and investigate systemic privacy issues. Reform to these powers should allow greater scope to tackle the causes of privacy breaches, as well as their effects.

17. Furthermore, the Office recommends that there be minimal exemptions from the Privacy Act to promote effective protection of privacy rights while reducing regulatory fragmentation. Where exemptions do exist there should be a compelling public interest in retaining them.

18. The Office notes that a number of proposals would have significant resource obligations for the Office, including those that require additional guidance or educative materials.

Structure of this submission

19. This submission follows the structure of DP 72, dealing with each of the 64 chapters in turn, including the sections on credit reporting. A summary of each Part of the submission follows this brief introduction. For ease of reference and for those seeking a quick overview, there is a list of the Office's positions on each of the ALRC's 301 proposals for reform and 46 questions at the end of this Executive Summary. Where appropriate, the Office has also provided positions on other matters not expressly raised in questions or proposals.


[1] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988, March 2005 (Office's Private Sector Review).

[2] Both of these submissions are available from the Office's ALRC review page at http://www.privacy.gov.au/news/alrc_link.html.

[3] This is reflected in the Office's Strategic Plan of 2007-2009, available at http://www.privacy.gov.au/about/strategicplan/index.html.

[4] Office of the Privacy Commissioner, Community Attitudes to Privacy 2007, September 2007, available at http://www.privacy.gov.au/business/research/index.html#1b

[5] https://www.donotcall.gov.au/.

[6] http://www.privacy.gov.au/news/media/2007_15.html.

[7] This issue was most prominently brought to the fore during August and September, when a television journalist broadcast medical information of Australian Football League players, which had allegedly been purchased from two individuals who had stolen the files. This was widely reported, though see for example 'Police question journo over AFL medical records', ABC News Online, 5 September 2007, available at http://www.abc.net.au/news/stories/2007/09/05/2025140.htm. See also, Margaret Simons 'It's wrong to reveal medical records' The Australian, 6 September 2007, available at http://www.theaustralian.news.com.au/story/0,25197,22368974-13243,00.html.

[8] Widely reported, though see for example, BBC News Online, 'UK's families put on fraud alert', 20 November 2007, available at http://news.bbc.co.uk/1/hi/uk_politics/7103566.stm. See also, 'Info chief renews call for data breach crime penalties', available at http://www.theregister.co.uk/2007/11/21/hmrc_spot_checks/.

[9] See, Media Release 'Privacy Commissioner: Remember your privacy obligations when collecting information for anti-money laundering purposes', available at http://www.privacy.gov.au/news/media/2007_20.html.

[10] See, for example, 'Facebook apologises for breach' The Australian, 11 December 2007, available at http://www.australianit.news.com.au/story/0,24897,22901807-15306,00.html. Similarly, see 'Facebook 'to drop' creeptech ad system - Beacon extinguished' 29 November 2007, available at http://www.theregister.co.uk/2007/11/29/facebook_beacon_ditch/ and 'Facebook data protection row' 17 November 2007, available at http://www.channel4.com/news/articles/science_technology/facebook%20data%20protection%20row/1060467.

[11] See NSW Law Reform Commission Privacy Inquiry, Terms of Reference, 11 April 2006, available at http://www.lawlink.nsw.gov.au/lawlink/lrc/ll_lrc.nsf/pages/LRC_cref113; Victorian Law Reform Commission, 'Current Projects - Privacy', available at http://www.lawreform.vic.gov.au/CA256A25002C7735/All/E3573718ED1036D1CA2573050008BF3E?OpenDocument&1=30-Current+projects~&2=30-Privacy~&3=~; New Zealand Law Commission, Terms of Reference, 12 October 2006, available at http://www.lawcom.govt.nz/UploadFiles/Publications/Publication_129_345_TOR%20PRI%20v2.pdf; UK Ministry of Justice, 'Terms of reference for a new review of information sharing', 23 November 2007, http://www.justice.gov.uk/news/announcement_231107a.htm.

[12] Privacy Amendment (Private Sector) Bill 2000 Second Reading Speech, House of Representatives Hansard, 8 November 2000, p 22370.