Chapter 3

General Issues

Introduction

3.1 The Australian Privacy Principles Exposure Draft is the first stage of the Government's proposed reform of the privacy regime. The aim of the reform is to implement a streamlined set of unified privacy principles that provide for privacy rights and obligations so as to protect an individual from the risk of harm through inappropriate sharing and handling of their personal information. As stated in the Government's response to the Australian Law Reform Commission's (ALRC) review, 'underpinning the enhanced protection of privacy is a simple and clear framework' that is principles-based.[1]

3.2 This chapter canvasses general issues raised by submitters to the inquiry which principally go to concerns about the complexity and structure of the APPs, the definition of some terms used, and exemptions from the Privacy Act. Other matters discussed include the consultation process undertaken in developing the exposure draft, implications for state and territory governments, the need for a transition period, and the potential compliance and cost burden of the proposed reforms.

Clarity of the Australian Privacy Principles

3.3 The objective of streamlined principles that are clear and easy to understand is fundamental to the privacy regime and was the subject of much comment by submitters. As a first step to this aim, the two existing sets of privacy principles – the Information Privacy Principles and the National Privacy Principles – have been replaced with a single set of unified principles. Professor Rosalind Croucher, President, ALRC, commented on the benefits of such an approach and noted that having one set of principles applying to private sector organisations and one set applying to public sector agencies may cause confusion and that:

...where there is confusion there is the possibility of an imperfect protection and an imperfect respect for the fundamental protection of personal information. In that context, the development of a unified set of principles would only improve the ability for those governed by it to discharge the responsibility under them.[2]

3.4 Most submitters supported the unified principles approach. The Australian Institute of Credit Management, for example, commented:

...this will result in a consistent approach to the management of personal information irrespective of the nature of the entity that is managing the personal information. Further it will facilitate an individual's understanding of how their personal information is to be managed.[3]

3.5 The committee received some positive comments about the drafting of the APPs. The National Association for Information Destruction (NAID-Australasia) for example, commented that the drafters of the APPs have achieved 'a balance between providing clear guidance while not being over prescriptive' and commended the use of 'reasonableness and technological neutrality to achieve this balance'.[4]

3.6 However, other submitters were of the view that the draft APPs are overly complex and lack clarity and do not achieve the aims of high-level principles-based law. Concern was expressed that this may work against accessibility and compliance. The Office of the Privacy Commissioner (OPC) commented that the following factors should be noted in assessing the APPs:

the importance of clear and accessible language to ensure the overall effectiveness of principle‐based privacy law;
the need for accessibility for individuals to understand and navigate the APPs, often without legal expertise;
the benefits of simplicity and clarity for agencies and businesses to understand and comply with their obligations (including those small businesses currently covered by the Privacy Act).[5]

3.7 It was also noted that the ALRC had recommended that the privacy principles should be drafted to pursue, as much as practicable, the following objectives:

(a) the obligations in the privacy principles generally should be expressed as high-level principles;...

(c) the privacy principles should be simple, clear and easy to understand and apply.[6]

3.8 In its discussion of this objective, the ALRC expressed the view that principles-based regulation should be the primary method used to regulate privacy in Australia. The ALRC noted that a principles-based approach has the advantages of greater flexibility, broader application, a greater degree of 'future-proofing' and has considerable stakeholder support.[7] The ALRC did not recommend the adoption of a pure form of principles-based regulation; rather it acknowledged the benefits of allowing principles to be supplemented by more specific rules in regulations or other legislative instruments. In addition, the ALRC stated that 'a primarily principles-based framework can itself adopt varying degrees of detail and prescription within its principles'.[8]

3.9 Professor Croucher, ALRC, also commented:

So the privacy principles stand as the high-level aspirations and the embodiment of the things that are regarded as the necessary tools to provide or facilitate the protection of personal information at that operational level.[9]

3.10 The Government accepted the ALRC's recommendations for the drafting of the APPs.[10] The Companion Guide commented that the APPs are 'not like other types of legislation' and are principles-based law. It was noted that principles-based law is 'the best regulatory model for information privacy protection in Australia' and that:

By continuing to use high-level principles, the Privacy Act regulates agencies and organisations in a flexible way. They can tailor personal information handling practices to their diverse needs and business models, and to the equally diverse needs of their clients.

The Privacy Act combines principles-based law with more prescriptive rules where appropriate. This regulation is complemented by guidance and oversight by the regulatory body, the Office of the Australian Information Commissioner.

This is comparable to international regulatory models in Canada, New Zealand and the United Kingdom.[11]

3.11 Submitters argued that the APPs do not achieve the objective of high-level principles nor simplicity. The Office of the Victorian Privacy Commissioner (Privacy Victoria) noted that while some of the APPs are successfully expressed as high-level principles, 'in others the level of detail and complexity work against this aim'. For example, a number of exceptions included in various APPs are specific to Commonwealth agencies. Privacy Victoria concluded that:

A better approach would be to draft high-level, simple, lucid principles, which could equally apply to Commonwealth, State or Territory public sector agencies, local councils or private sector organisations. Then, where one or more of these entities needed modification to or exemption from the specific APP, this could be done in a separate section of the Privacy Act.[12]

3.12 The OPC supported a high-level, principles-based, technology-neutral approach 'that is capable of protecting and promoting individuals' privacy into the future'.[13] The OPC noted that one of the significant benefits of principles-based law is that it is generally easier for the public, and entities with obligations, to understand. Further:

...principle‐based privacy law should enable entities to understand the policy underpinning the law and to adapt their practices accordingly. The law should be clear, but also sufficiently flexible, to enable entities to determine how best to pursue their functions and activities in a way that complies with the Privacy Act.[14]

3.13 The OPC went on to state that clear and easily understood obligations, make it easier for entities to comply, and thereby reduces the administrative burden and cost of compliance and the frequency of privacy breaches and complaints.[15]

3.14 Submitters provided specific examples of APPs which were not considered to meet the aim of high-level principles. The Australian Finance Conference (AFC), for example, commented that APP 8 (cross border disclosure) was substantially different to what was recommended by the ALRC and from the current NPP 9. AFC commented that:

...as a matter of policy and drafting it fails to achieve the key objectives (e.g. high-level principles, simple, clear and easy to understand and apply) of the reforms. It also shifts the risk balance heavily to the entity and we query the individual interest justification to support that.[16]

3.15 A significant concern raised by submitters was the complexity of some of the APPs. The OPC noted that during its 2005 Private Sector Review stakeholders called for greater simplicity in the drafting of privacy protections. The OPC concluded that the extent to which the exposure draft and APPs achieve the widely supported objectives of high-level principles that are simple and easy to understand 'is an important yardstick for the success of the overall reforms'.[17]

3.16 However, submitters commented that some of the APPs are highly detailed, lengthy, legalistic and complex, with some provisions having to be read in conjunction with other sections to understand how they will apply. It was concluded that the APPs are not clear or easy to understand and apply, contrary to the ALRC's recommendation.[18] The Victorian Privacy Commissioner commented:

...the current drafting of the APPs works against the simplification and harmonisation which was the core recommendation of the ALRC. The APPs should be redrafted in order to achieve this fundamental objective.[19]

3.17 The Public Interest Advocacy Centre (PIAC) also provided similar comments and argued that a clear and more accessible document should be the aim of the reforms. PIAC stated that this has not been achieved. Rather 'the draft document reads as highly legalistic, and is not designed for easy access by the public'. PIAC noted that the ALRC's recommended principles were approximately 10 pages long, while the APP exposure draft is 41 pages long 'reading often like the most complicated sections of the taxation law'. PIAC concluded:

Whilst it does appear that the Government has admirably adopted many suggestions made in the consultation process, thereby making the document more complex and qualified, the purpose of having clear privacy principles now appears lost. A plain English redraft is clearly needed.[20]

3.18 Qantas also commented on this matter and submitted:

Qantas is concerned that the simple language and structure contained in the current National Privacy Principles (NPPs) has been abandoned in favour of a more verbose and complex set of principles which are more difficult to interpret and discern the intention and meaning of.[21]

3.19 The concerns about the effect of complex nature of the APPs were highlighted by the Law Council of Australia (LCA) which commented that it is particularly important for the APPs to be written in plain English, as 'the purpose of the legislation is to give meaning to the privacy rights of individuals'. The LCA was of the view that those outside of the legal profession will be discouraged from engaging with or even reading the APPs. In addition, in their current form, entities are likely to find it difficult to comply with privacy requirements. While it was acknowledged that guidelines would be established by the Privacy Commissioner, the LCA concluded that 'it is also important that the legislation itself is clear and not unwieldy'.[22]

3.20 In a supplementary submission, the LCA made additional comments in relation to the complexity of the APPs and stated that the APPs should revert to the simpler style of the NPPs which was based on the original OECD guidelines. The LCA added that 'many of the distinctions in the proposed legislation appear unnecessary, making the proposed new principles difficult to interpret, and therefore less accessible to ordinary members of the public at large, to privacy practitioners, regulated organisations and consumers'. The LCA gave examples of the APPs that are more verbose and complex than the NPPs: APP 2 replaces the shorter NPP 8, even though the meaning is essential unchanged.[23]

3.21 The Office of the Guardian for Children and Young People (South Australia) supported the LCA's view and stated that many 'small to medium-sized NGOs would be unable to allocate resources to develop organisational policies and procedures that translate the Principles into operational instruction'.[24]

3.22 Other submitters provided specific examples of where the complexity of the APPs would pose issues with compliance. Privacy Law Consulting, for example, stated that APP 7 (direct marketing) is complex with an equally complex matrix of data types, circumstances and requirements. As a result:

...organisations will find it difficult to develop compliance programs and systems that can distinguish between, and manage, the matrix of data types, circumstances and requirements. This could result in, for example, organisations simply adopting "the lowest common denominator" (e.g. providing opt‐out facilities and/or obtaining consent) in relation to all direct marketing activities, which may be unintended consequences of the principle.[25]

3.23 The OPC provided examples of overly long terms used repeatedly; for example, the use of 'such steps that are reasonable in the circumstances, rather than the shorter, more concise 'reasonable steps'. In addition, the OPC commented that requirements that are substantially similar are repeated, adding to the complexity of the APPs; for example, the requirements relating to the collection of sensitive information in APP 3(2) and (3).[26]

3.24 The many suggestions for simplification of specific APPs are discussed in the relevant chapters of this report. However, the OPC made the following general suggestions to simplify the APPs and make them more readily understandable:

format the principles in the simpler style used by the ALRC in its Model Unified Privacy Principles (UPPs) or the existing NPPs;
use more concise language to reduce length; for example, 'reasonable steps' rather than 'such steps are reasonable in the circumstances';
avoid repeating requirements that are substantively similar (consider grouping them into one clause);
consider the plain meaning of terms and use them consistently; and
keep principles high‐level and generally applicable to all entities (rather than to a specific agency or organisation).[27]

3.25 The OPC noted that there were a range of agency specific exceptions throughout the APPs with the first appearing in APP 3. The OPC stated that the APPs 'are intended to provide a broad framework for the appropriate collection, use or disclosure of personal information by agencies and organisations'. Provisions, including the 'required by or authorised by law' provision, take into account the needs of agencies. Rather than agency specific provisions being incorporated in the APPs, the OPC was of the view that it is preferable that the specific activities are addressed in portfolio legislation and commented:

Keeping the Privacy Act's exceptions generally applicable will maximise the APPs' coherence and relevance to all entities. This is consistent with the recommended objectives that the principles should be 'high‐level', and should be redrafted to achieve greater logical consistency, simplicity and clarity.[28]

3.26 The OPC went on to argue that agencies should be aware of existing and new exceptions (for example, the missing persons and the declared emergencies and disasters exceptions) as a means of providing for flexibility for their operations. The OPC also commented that the inclusion of broadly worded exceptions to the general principles could lead to a reduction in accountability of agency activity; for example, the term 'diplomatic or consular functions or activities' could cover a very wide range of activities. The OPC concluded that the inclusion of agency specific exceptions should be limited to instances where there is no appropriate alternative. In addition, it could be considered whether any such exceptions should be accompanied by rules made by the Privacy Commissioner as is envisaged with the missing person exception. The OPC concluded:

Overall, any such exceptions, or authorisations in other legislation, should balance the agencies' needs to fulfil their functions, with individuals' expectations of personal information protection and agency accountability.[29]

Conclusion

3.27 The committee considers that the task faced in drafting a unified set of privacy principles to achieve the Government's aim has been complex and difficult. Drafters were required to consolidate privacy principles covering both agencies and organisations and incorporate the ALRC's recommendations accepted by the Government as well as a broader range of exceptions in some APPs. This has, in some instances, resulted in longer principles. However, the committee does not agree that longer principles are necessarily more complex as has been argued by some submitters.

3.28 The committee supports the view that the APPs must be clear, simple and accessible to all users, not just legal or privacy practitioners. Without an understandable and accessible privacy regime, there is a danger that compliance issues may arise, that effectiveness of the regime may be undermined and that individuals will not adequately understand their privacy rights. The committee has noted the views of the OPC in relation to the need to simplify some aspects of the APPs. As the national privacy regulator, and given its role in investigating complaints, providing advice on privacy rights and providing guidance to agencies and organisations on their new obligations, the committee takes particular note of the OPC's views.

3.29 The committee therefore considers that there are opportunities to refine the APPs to improve clarity and simplicity, particularly in relation to the use of more concise language to reduce the length of the APPs and avoid the repetition of requirements that are substantially similar.

Recommendation 1

3.30 The committee recommends that the Department of the Prime Minister and Cabinet re-assess the draft Australian Privacy Principles with a view to improving clarity through the use of simpler and more concise terms and to avoid the repetition of requirements that are substantially similar.

3.31 A further matter raised in relation to the complexity of the APPs was the inclusion of agency specific provisions. In particular, submitters pointed to the exceptions provided to agencies in some APPs for example, APP 3 (collection of solicited personal information) and APP 8 (cross border disclosure of personal information). The committee acknowledges that the consolidation of the IPPs and NPPs has resulted in the inclusion of agency specific provisions as the privacy regime must include flexibility for particular agencies to carry out their functions. However, the committee notes the comments of submitters that this may affect adversely the objective of establishing high-level principles. The committee therefore believes that reconsideration be given to the inclusion of agency specific provisions in the light of the OPC's suggestion that agency specific matters should, in the first instance, be dealt with in portfolio legislation.

Recommendation 2

3.32 The committee recommends that reconsideration be given to the inclusion of agency specific provisions in the Australian Privacy Principles in the light of the Office of the Privacy Commissioner's suggestion that agency specific matters should, in the first instance, be dealt with in portfolio legislation.

Structure

3.33 The Companion Guide notes that the order in which the APPs appear is intended to reflect the cycle that occurs as entities 'collect, hold, use and disclose personal information.[30] This approach was supported by submitters.[31] The ALRC further commented:

The manner in which the structure reflects the information cycle also provides great integrity to the structure of the proposed amendments.[32]

3.34 However, Privacy NSW recommended that if the privacy principles are to better reflect the information cycle, and how entities use personal information, APP 10 (quality of personal information) and APP 11 (security of personal information) should be situated after the notification principle (APP 5) and before the use and disclosure principle (APP 6). Privacy NSW commented that the processes of ensuring quality and security of personal information should happen before decisions about use or disclosure of personal information happen.[33]

3.35 Various submitters commented on the inclusion of the APPs within the legislation with each APP forming a separate section of the Act. As a result of this structure, it was noted that the numbering of the sections of the exposure draft is confusing: the number of each APP does not correspond with the section number of the APP. It was recommended that either each APP be numbered the same as the section or clause number, or that the APPs be provided in a schedule to the new Privacy Act.[34]

3.36 Professor Graham Greenleaf and Mr Nigel Waters commented on both these suggestions. They noted that difficulties have arisen in referring to the NPPs as these are located in a schedule to the current Privacy Act. However, they also observed that making each principle a separate section of the Act risks causing confusion. This has occurred with NSW Privacy and Personal Information Protection Act 1998 where references to the principles and the sections of the NSW Act have been confused. Professor Greenleaf and Mr Waters came to the conclusion that having each principle in a separate section means that 'the Act will work better in online research systems', and that this probably outweighs the difficulties of this approach.[35]

3.37 The Department of the Prime Minister and Cabinet (the department) responded that the numbering 'was a drafting issue' but that it should be remembered that this is the first part of the drafting process and concluded:

...once the entire Privacy Act is rewritten it will flow and you will see the flow better in terms of the section numbering et cetera.[36]

Conclusions

3.38 The committee considers that the placement of the APPs properly reflect the information cycle. The committee also notes that while the NPPs are listed in a schedule to the Act, the IPPs are included in the Privacy Act. The committee considers that there are advantages in having the APPs within the Act as it places the APPs at the forefront of the legislation and underscores their importance to the reforms envisaged by the Government.

3.39 The committee also notes that section 18 of the exposure draft has been included to ensure that while the APPs are set out in sections, a reference in the Act to an APP by number is a reference to the APP with that number and not the section in which it appears.[37] This makes it clear that the APPs are to be referred to by their number and part rather than by the sections of the Act within which they appear.

3.40 In addition, the committee acknowledges the department's comments that the APP exposure draft is only the first stage of the drafting process.

Technological neutrality

3.41 As indicated in the Companion Guide, the Government agreed with the ALRC's finding that the privacy of individuals will be best protected through a technologically neutral privacy regime.[38]

3.42 The ALRC welcomed the adoption of a technologically neutral approach taken in the exposure draft.[39] Other submitters also agreed that the APPs should be written in such a way as to apply regardless of the specific technology used in the collection, use and management of personal information.[40] The Australian Direct Marketing Association (ADMA), for example, commented:

The rapid onset of technologies makes it vitally important that the Australian privacy framework applies and protects personal information regardless of the types of technologies that emerge in the future.[41]

3.43 In the event that a technology is developed in the future that is particularly privacy intrusive, Privacy Victoria argued that specific legislation should be enacted to regulate it effectively.[42]

3.44 The department commented that the ALRC made particular recommendations around keeping the principles and the Act technologically neutral. The department considered that the APPs reflected the Government's agreement with those recommendations, in particular, that the area of technology should be the subject of guidance from the OPC. The department concluded:

Certainly the government accepted that that was the way to go and not to try to legislate for technology developments because you really cannot. As soon as you do them, you are 10 years out of date immediately.[43]

Conclusions

3.45 The committee considers that the APPs meet the aim of technological neutrality and notes that the Government supports a 'renewed role for the Privacy Commissioner to conduct research, and to guide and educate Australians on technologies that impact on or enhance privacy'.[44]

Definitions and consistency

3.46 The committee received a range of comments in relation to definitions and the consistent use of terms in the APP exposure draft.

Use of the term 'reasonably necessary'

3.47 It was noted that the term 'reasonably necessary' is used extensively in the exposure draft. The OPC submitted that it had a number of 'significant concerns' regarding the use of this term rather than the term 'necessary'. The concerns related to:

the introduction of 'reasonably necessary' in the new collection test in APP 3(1) (APP 3–collection of solicited information);
multiple interpretations of 'reasonably necessary' in different APPs; and
varied formulations of tests relating to necessity in the exposure draft.[45]

3.48 The OPC observed that while the Companion Guide states that 'reasonably necessary' is intended to be interpreted objectively, the ALRC report suggested that determining what is 'necessary' is already an objective test. In relation to the use of 'reasonably necessary' in APP 3(1), for example, the OPC considered that it could add a qualification to 'necessary' which unintentionally broadened the scope for collection and thus lessened protections provided in the current IPP and NPP requirements, both of which use 'necessary'. The OPC went on to state that it did not agree that 'reasonably necessary' adds a further objective requirement to APP 3(1) or that such a requirement is needed.[46]

3.49 The second matter noted by the OPC was that there appeared to be different meanings of the term 'reasonably necessary' in different APPs. While the Companion Guide provides an explanation of the term in relation to APP 3(1), the OPC argued that the Companion Guide does not provide guidance about the use of the term in other APPs. For example, the use of 'reasonably necessary' in APP 6(2)(e), which relates to the disclosure of personal information without consent for enforcement related activities, may reflect a different meaning of 'reasonably necessary'. The OPC suggested that 'reasonably necessary' be removed from draft APP 3(1) to minimise confusion and complexity.[47]

3.50 The final matter in relation to the term 'reasonably necessary' raised by the OPC concerned varied formulations of tests involving 'necessary'. The OPC provided a table which shows that APP 3(3) contains three different tests across seven provisions and stated that:

It may be unclear to an individual, business or agency reading APP 3(3) what the various different formulations mean, which is intended to be more restrictive, and which more permissive.[48]

3.51 While supporting distinctions to add clarity, the OPC argued that the tests could be streamlined so that inconsistent and confusing language is removed.[49] The OPC concluded that, in order to improve clarity and simplicity, the term 'reasonably necessary' be replaced with 'necessary' throughout the APPs and that, if further clarity is required, an objective test for 'necessary' be included in the Explanatory Memorandum.[50]

3.52 The committee raised this issue with the department which put the view that the while word 'reasonably' qualifies the word 'necessary', it did not do so in an inappropriate way. Rather, the department stated:

The elements of the test are cumulative. So, first, the proposed activity must, from the perspective of a reasonable person, be legitimate for the entity and the intent of purpose; and then, second, the action has to be genuinely necessary for the entity to pursue the intended function or activity. So you have to think of it in two stages.[51]

3.53 The department went on to state that it saw the 'reasonably necessary' test as enhancing the privacy aspects rather than diminishing privacy protections as argued by some submitters.[52]

Reasonable steps test

3.54 The OPC noted that many of the APPs use the term 'such steps as are reasonable in the circumstances' and that this term is based on the older language of the IPPs while the NPPs use the term 'reasonable steps'. The OPC submitted that it is preferable to use the 'reasonable steps' term for the APPs rather than the term 'take steps as are reasonable in the circumstance' as:

it is shorter and simpler and would thus reduce complexity and length of most of the APPs;
it can be implied from a plain reading that 'reasonable steps' has an equivalent meaning to 'such steps as are reasonable in the circumstances' as well being emphasised in explanatory material and the Office's guidance (or if necessary, a note on first use in the APPs);
organisations are already familiar with the concept of 'reasonable steps', and agencies (currently regulated by the longer terminology) will not need to adjust their practices in moving to 'reasonable steps'; and
in some APPs, the words '(if any)' are added in cases where it may be reasonable not to take any steps, depending on the circumstances.[53]

3.55 In response to comments on the use of the term 'such steps as are reasonable in the circumstances', the department stated that in its view, the term used ensures that the specific circumstances of each case have to be considered when determining the reasonableness of the steps in question. The department concluded:

While it is arguable that it is implicit in the expression 'reasonable steps' that the surrounding circumstances must be considered, the changed reasonableness formulation makes this explicit. This Department believes this additional clarity and focus on the circumstances surrounding an entity's specific privacy obligation, will have the overall effect of promoting greater compliance with privacy obligations which will be to the benefit of individuals.[54]

3.56 The Law Council of Australia also commented on the 'reasonable steps' test and noted an inconsistency throughout the APPs, with an entity sometimes required to 'take such steps as are reasonable' and other times required to 'take such steps (if any) as are reasonable'. The Law Council submitted that the latter phrase should be adopted consistently throughout the APPs.[55]

Conclusion

3.57 The committee has noted the comments provided by the Office of the Privacy Commissioner in relation to the use of the term 'such steps as are reasonable in the circumstances'. While the committee agrees that the use of a term to make meaning explicit has benefit, it also adds to the complexity and length of many of the APPs. On balance, the committee leans towards the use of the term 'such steps as are reasonable in the circumstances' to ensure that the meaning is clear. However, the committee suggests that the use of this term should be reviewed in the overall re-assessment of the draft APPs as recommended in recommendation 1.

3.58 In relation to the Law Council's comments on the 'reasonable steps' test, the committee notes that the Companion Guide commented on the requirement to take reasonable steps and stated that:

In some cases the words "(if any)" are used to ensure that, in that particular case, if there are no steps that an entity needs to take to fulfil its obligations, it need not take any steps.[56]

Definition of 'personal information'

3.59 Following its examination of the meaning of the term 'personal information', the ALRC concluded that, as information handling is highly contextual, a significant margin for interpretation and implementation is created and thus:

...elements of the definition of 'personal information' will continue to give rise to theoretical uncertainty. While much information will fall clearly inside or outside the definition, there will be a need for ongoing practical guidance in relation to areas of uncertainty. The OPC has suggested that it issue further guidance on the meaning of 'personal information'. The ALRC agrees that such guidance will be necessary to indicate how the definition operates in specific contexts. In particular, the ALRC recommends that the OPC develop and publish guidance on the meaning of 'identified or reasonably identifiable'.[57]

3.60 The ALRC went on to recommend that 'personal information' should be defined as 'information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified or reasonably identifiable individual'.[58]

3.61 The Government accepted this recommendation and commented that the proposed recommendation did not significantly change the scope of what is considered to be 'personal information'.[59] The Companion Guide provides commentary on the definition of 'personal information' and states that the scope of the definition is not changed; rather there is a conceptual difference revolving around the concepts of 'identity', as used in the current definition, and 'identification', as referred to in the recommended definition.[60] The definition of 'personal information' is as follows:

personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:

(a) whether the information or opinion is true or not; and

(b) whether the information or opinion is recorded in a material form or not.[61]

3.62 The LCA commented that the definition of 'personal information' 'is a central definition in that it determines the scope of the whole Act' and that the definition proposed should only be supported if 'it is not intended to change the scope of the existing concept'. Further:

This should be supported by an express and official statement that would be available to assist in interpretation (under the Acts Interpretation Act) to the effect that the change in drafting was not intended to change the meaning.[62]

3.63 The ADMA supported the new definition of personal information, in particular the inclusion of a 'reasonable' test, and encouraged inclusion of an explanation of the 'reasonable' test in the Explanatory Memorandum for the new Privacy Act.[63]

3.64 However, some submitters argued that the new definition of 'personal information', and the explanation provided in the Companion Guide, have the potential to substantially expand the scope of what is classified as 'personal information', and thereby the scope of what is covered by the Act.[64] Submitters argued that an expanded scope of personal information would result in more onerous requirements on entities, and potentially an increased cost burden.[65]

3.65 Submitters were concerned to ensure that any expansion of scope is clearly expressed either in the legislation or in the explanatory material accompanying the legislation. Google, for example, commented:

...the legislation should itself make clear that the context and circumstances in which information is held is to be taken into account in determining whether information is or is likely to be aggregated or combined so as to enable an individual to be reasonably identifiable.[66]

3.66 Yahoo!7 and the Law Institute of Victoria (LIV) commented on the inclusion of 'opinion' in the definition of personal information. Yahoo!7 considered that the concept of 'information' is broad enough to incorporate 'opinion' and therefore did not believe that it was necessary to include 'opinion' in the definition.[67]

3.67 The LIV expressed the view that while the APPs currently define 'personal information' as both information and opinions about a person, this should be split into two categories in order to specifically address the issue of ownership and control of personal information. The two categories would be:

'primary personal information' which might include identity information, biometric information etc, and which would be owned by the individual, so that the individual can require an entity to destroy primary personal information which it holds about them (subject, of course, to any statutory obligations or rights of entities to collect or retain information); and
'secondary personal information', which would be opinions held about an individual.[68]

3.68 Submitters also provided suggested amendments to the definition of 'personal information' as follows:

Privacy NSW recommended that the words 'from the information or opinion' be added after 'reasonably identifiable' to provide the appropriate context;[69]
Privacy NSW recommended that the definition exclude certain categories of information, such as information more than 30 years old, as is the case in the NSW privacy legislation, thus removing repeated references to the exclusions;[70]
Professor Graham Greenleaf and Mr Nigel Waters submitted that the definition needs to be broadened by replacing 'reasonably identifiable' with 'potentially identifiable' to ensure that the Act covers 'information which, while not in itself identifying an individual, allows interaction with persons on an individualised basis, or the imparting of consequences on an individualised basis';[71] and
Yahoo!7 also argued that as a person could be reasonably identifiable to one entity and not another, the phrase 'by an entity' be added to the first sentence of the definition so that it encompassed an individual who is 'reasonably identifiable by an entity'. For example, 'an IP address could be considered personal information by an ISP as they are capable of reasonably identifying the person to whom that IP address resolves back to. An online services provider who does not offer Internet access will not be able to use an IP address to identify a person'.[72]

3.69 Submitters supported the recommendation that the OPC develop guidance on the interpretation of 'personal information' to assist entities in ensuring that they have appropriate processes in place for their functions and activities to comply with the Act.[73]

3.70 The department provided a detailed response to concerns raised in relation to the term 'personal information'. The department noted that inclusion of the requirement that the individual be 'reasonably identifiable' ensures that the definition continues to be based on factors which are relevant to the context and circumstances in which the information is collected and held. Generally, this would mean that the information must be able to be linked to other information that can identify the individual thus limiting possible identification based on the context and circumstances. In effect, while it may be technically possible for an entity to identify a person by the information it holds, it may be that it is not practically possible. The department concluded that the 'test requires consideration of all the means that are reasonably open for an information holder to identify an individual'.[74]

3.71 The department reiterated that the inclusion of a 'reasonably identifiable' element within the definition does mean that additional information could fall within the new definition. It went on to state:

Some information on its own would not meet the current definition which requires an individual's identity to be apparent or reasonably ascertainable, from the information (e.g. an IP address). However, that information would fall within the new definition if, in conjunction with other information, it could be used to identify an individual. On that basis, it is arguable that additional information would be subject to the privacy protections in the APPs.

Nevertheless, as noted in the Companion Guide, the proposed definition of 'personal information' does not significantly change the scope of the existing concept in the existing Privacy Act. The key conceptual difference revolves around the concepts of 'identity' as used in the current definition, and 'identification' as referred to in the draft definition. The ALRC considered that 'identification' was more consistent with international language and international jurisprudence, and that explanatory material based on the terms 'identified' and 'identifiable' will be more directly relevant.[75]

Conclusion

3.72 The committee has noted the divergence of views in relation to the definition of 'personal information' and agrees that guidance on this matter should be provided as a matter of priority.

Recommendation 3

3.73 The committee recommends that the Office of the Australian Information Commissioner develop guidance on the interpretation of 'personal information' as a matter of priority.

The term 'Australian law'

3.74 Both Qantas and Google commented on the definition of, and use of, the term 'Australian law'. This term is used in a number of APPs including APPs 2, 3, 5, 6, 8, 9, 11 and 12. The Companion Guide states that the definition of 'Australian law' is new and 'has been included to clarify the scope of provisions that allow collection, use or disclosure where it is required or authorised by or under law'.[76]

3.75 Qantas commented that confining laws to 'Australian law' fails to recognise that organisations operating in foreign jurisdictions are often required to collect, disclose and use personal information under the laws of those jurisdictions.[77] Google raised the same matter and provided the example of where a foreign country may mandate disclosure of personal information in response to a subpoena issued by a court exercising jurisdiction over the operations of the service provider in that foreign country. In papers submitted by Macquarie Telecom, the storage of data offshore by Australian businesses was examined and it was concluded that 'it is possible that storing data within the United States may provide enough of a connection for a United States court to find jurisdiction over an Australian company storing its data there and subject the company to the US discovery obligations'. Further, data stored in the United States is at greater risk of being accessed by government agencies as the Patriot Act provides US government agencies with extensive powers.[78]

3.76 Google commented that it would be inappropriate to place the service provider in jeopardy under Australian law for responding to a valid court process in a foreign jurisdiction.[79]

3.77 Both Qantas and Google recommended amendment of the exposure draft so as to recognise that entities may need to deal with personal information in ways required under laws of other jurisdictions and that such dealings should not be regarded as an interference with the privacy of an individual under Australian law. Qantas submitted that the appropriate means of achieving this was to replace the term 'Australian law' with the term 'applicable law', being laws (including legislation, regulations, directions and rules) applicable in a relevant jurisdiction.[80]

3.78 The department responded to these concerns as follows:

The Government's position is that an entity with an Australian link must comply with the APPs relating to an act done, or practice engaged in, within Australia. The existing policy achieved by subsection 6A(4) and section 13D of the Privacy Act will be retained to ensure that an act or practice that is done or engaged in outside Australia will not be an interference with privacy if it is required by an applicable law of a foreign country. For example, an organisation would not breach the APPs if a foreign court judgment required disclosure of personal information in that jurisdiction to assist in investigating a criminal offence.[81]

Conclusion

3.79 The committee notes the advice provided by the department and has no further comment to add in relation to the use of the term 'Australian law'.

Consent

3.80 The ALRC considered 'consent' as it applies to the privacy principles in the Privacy Act and other issues concerning 'consent'.[82] In considering how best to clarify the meaning of 'consent' in relation to privacy, the ALRC did not support the option to amend the Privacy Act to set out in detail what is required to obtain consent as this approach would require a very large number of prescriptive rules. This would also be inconsistent with a principles-based approach. Similarly, amending the definition of 'consent' was not supported as the ALRC noted that the common law has an important role to play in determining elements of consent and a statutory definition would not capture the evolution of the meaning of 'consent' and may have unintended consequences.[83]

3.81 The ALRC formed the view that the most appropriate way to clarify the meaning of 'consent', as it applies to the privacy principles, is for the OPC to provide further guidance. According to the ALRC, such guidance should address the factors to be taken into account by entities in assessing whether 'consent' has been given. The guidance should also cover express and implied consent as it applies in various contexts; for example, in transactions concerning financial services as well as 'bundled consent'.[84]

3.82 Professor Croucher, President, ALRC, further commented:

In our report we recommended that the Office of the Privacy Commissioner should develop and publish guidance about what is required of agencies and organisations to obtain an individual's consent. This guidance should, for instance, address a number of the things that I am grabbing at—the factors to be taken into account by agencies and organisations in assessing whether it has been obtained, which is kind of what you are asking about in asking how. It should cover express and implied consent as it applies in various contexts and include advice on when it is and is not appropriate to use the mechanism of bundled consent—in other words, a consent to general use.[85]

3.83 The Government response indicated that it encouraged the Privacy Commissioner to develop guidance as recommended by the ALRC. In addition, the response indicated that the definition of 'consent' would be expanded to clarify that an individual may withdraw consent where it is lawful to do so.[86] The Companion Guide notes that term 'consent' is defined within the existing Privacy Act and the new Privacy Act will contain a definition on the same terms, that is, that 'consent' means express or implied consent. The Companion Guide goes on to note that there are some circumstances where it will not be possible for a person to withdraw their consent.[87]

3.84 The issue of the definition of 'consent' was raised by some submitters. Both Privacy NSW and the LIV suggested that the definition of 'consent' be further developed. The LIV commented that individuals cannot consent to the collection of sensitive personal information where consent is obtained in a coercive or unreasonable way. The current definition does not preclude consent being obtained unreasonably or in a way that undermines the objectives or purpose of the APPs and should therefore be further developed.[88]

3.85 Privacy NSW argued that separate definitions of, and references to, both 'implied consent' and 'express consent' are required as, under the existing definition, entities may inappropriately rely on implied consent rather than express consent.[89] In particular, Privacy NSW considered that the collection of sensitive information should be contingent on 'express consent' unless the entity can reasonably rely on a relevant exception. Further:

In circumstances where an individual lacks the capacity to provide express consent (for instance through disability or age), we suggest that there be an exception which permits collection if the entity has obtained express consent from an authorised representative who is empowered to make substitute decisions on behalf of the individual. We suggest that there be an Australian Privacy Rule which governs the means by which an entity be satisfied it is dealing with an authorised representative.[90]

3.86 The Public Interest Advocacy Centre called for the use of the phrase 'express and informed consent' throughout the APPs.[91]

3.87 Professor Greenleaf and Mr Waters viewed the meaning of 'consent' as critical to privacy policy, but argued that the Government, and indeed the ALRC, had not addressed 'one of the most significant weaknesses in the current regime'. The main concern was that the interpretation of 'consent' could be undertaken in ways that weaken the legislation by undermining the effect of a number of principles. They argued that the concept of 'consent' is crucial and should not be left to guidance by the Privacy Commissioner. Rather, the definition should be amended to deal with key issues and other aspects should be included in the Explanatory Memorandum. Professor Greenleaf and Mr Waters considered that the following points should be made clear:

consent must be clear and unambiguous, regardless of whether it is express or implied;
a failure to opt out, on its own, should not be taken as unambiguous consent;
where an individual must disclose personal information to receive a benefit, no consent can be implied for use beyond the purpose of collection – only express consent should apply; and
every proposed purpose of use should require separate consent, to prevent the misuse of the practice of 'bundled consent'.[92]

3.88 In its response to the committee's questions on notice in relation to consent, the department commented that under section 15 of the exposure draft, 'consent' means 'express consent or implied consent' and that the Privacy Commissioner has previously stated that implied consent 'arises where consent may reasonably be inferred in the circumstances from the conduct of the individual and the organisation'. The department also stated:

The Government accepted the key thrust of [the ALRC's consent] recommendation and stated that it would encourage the development and publication of appropriate guidance by the Office of the Australian Information Commissioner (AIC), noting that the decision to provide guidance is a matter for the AIC.

While it is ultimately a matter for the AIC, we anticipate that the guidelines will address matters such as those raised by the Law Council of Victoria.[93]

Conclusion

3.89 The issue of a definition of 'consent' was raised by many submitters. The committee notes the Government's acceptance of the ALRC's recommendation in relation to consent and considers that the matter of consent should be considered by the Office of the Australian Information Commissioner as a matter of priority to ensure that appropriate guidance is available concurrently with the new Act.

Recommendation 4

3.90 The committee recommends that the Office of the Australian Information Commissioner develop guidance on the meaning of 'consent' in the context of the new Privacy Act as a matter of priority.

Exemptions

3.91 A number of submitters commented on the way in which the exposure draft dealt with the issue of exemptions, in particular the continuation of the small business exemption. In the APP exposure draft, the definition of organisation explicitly excludes 'a small business operator' and 'a registered political party', but the exposure draft does not include an express reference to the exemption regarding employee records.[94] Further, the Companion Guide states that the small business exemption will be retained for the time being; however, the Government will consider whether the exemption should continue in its second stage response to the ALRC's review.[95]

3.92 In its submission to the committee, the ALRC reaffirmed its view that the exemptions under the current Privacy Act, pertaining to small business, registered political parties, and employee records, should be removed.[96]

Small business exemption

3.93 A number of submitters called for the removal of the small business exemption.[97] The ALRC commented that:

...beginning from first principles there is no logical reason why somebody whose personal information is held by a small business should have less privacy protection than somebody who works for a larger enterprise. I would rather put the emphasis on privacy. As a right, obviously, all rights have to be balanced, including against economic and financial considerations, but that was always where our emphasis lies.[98]

3.94 Submitters also pointed out that small business is the majority business type in Australia, and, with the use of computer systems, small businesses are able to collect, use and disclose relatively vast amounts of personal information some of which may be very sensitive personal information.[99] Further, it was observed that government entities often outsource services involving personal information, and protection is required when personal information is passed on to the private and community sectors.[100]

3.95 The LIV summed up the position of those who did not support the retention of the exemption by stating that 'the nature of information collected, and not the size of the organisation that collects the information, should determine whether restrictions should be imposed on the collection of information.' The LIV further argued that the exemption does not currently diminish the regulatory burden on small business.[101]

3.96 The ALRC noted that the cost of compliance with the legislation was a significant concern for the small business community, who staunchly supported the retention of the exemption. However, the ALRC observed that small businesses are not exempt from the general privacy law in any 'other comparable jurisdiction in the world'. Further, other stakeholders to the ALRC's review argued that 'consumers have the right to expect that their personal information will be treated in accordance with the privacy principles'. Given this support, the ALRC maintained its recommendation that the small business exemption be removed.[102] The ALRC also noted that its research had shown that the compliance costs may not be as great as previously suggested and that the costs of continuing the exemption in relation to international business may outweigh the compliance costs. Professor Croucher, ALRC, stated:

The costs as presented to us at the time and as analysed by our own independent research study were not as great as were suggested, and the international context and the standing of our business community within the context of the European directive was such that retaining the exemption, we thought, was not justified.[103]

3.97 Other submitters supported the retention of the exemption, arguing that removal of the small business exemption would impose an additional compliance and cost burden to small business, which is already subject to significant regulation. It was also noted that there is provision for small businesses to opt-in to the application of privacy legislations, and many small businesses do so. Further, the Australian Hotels Association (AHA) supported the indexation of the current $3 million annual turnover threshold, as fewer small businesses qualify for the exemption every year.[104]

3.98 The Catholic Education Office of the Archdiocese of Melbourne noted that the small business exemption is currently inconsistently applied between Catholic schools. They submitted that an exemption excluding application of the Privacy Act to Catholic schools should be provided, as:

A Catholic school is not technically a 'business' in the normal commercial sense. It does not strive to make a profit. It is supported by the considerable voluntary efforts of the school community and the Catholic Church and relies heavily on government funding for its revenue. The annual turnover amount is an arbitrary sum, and in many cases the actual turnover of the school varies from year to year, often around the exemption limit.[105]

Registered political parties

3.99 The ALRC also recommended the removal of the exemption for registered political parties both in report and its submission to the committee. While a similar exemption exists in the United States and Canada, registered political parties are not exempt in the United Kingdom, New Zealand or Hong Kong.[106] Professor Croucher, ALRC, commented:

The fundamental principle is the importance of the protection of personal information. Consistent with the very first principle identified in the Australian Privacy Principles, the 'open and transparent management of personal information', there should not be an exemption of the kind that is contemplated by the political party exemption.[107]

Employee records

3.100 Under the current Privacy Act, employee records are treated differently by agencies and by organisations. While the existing Act does not require Government agencies to treat employees' records any differently to other personal information, private sector organisations are exempt from the requirements of the Privacy Act where their acts or practices relate directly to an employee record held by the organisation, or the employment relationship between an individual and the organisation. The basis of the exemption of employee records in the private sector is that the protection of such information is more properly a matter for workplace relations legislation.[108]

3.101 In its submission to the committee, the ALRC again called for the removal of the employee records exemption. The ALRC noted that 'there is no sound policy reason why privacy protection for employee records is available to public sector employees but not private sector employees'. Further, as the majority of Australian employees were employed in the private sector, the ALRC considered the exemption resulted in 'a significant gap in privacy regulation'.[109] This position was supported by Privacy NSW.[110]

3.102 The AHA argued for the retention of the exemption, as the collection of information about employees for purposes directly related to their employment is both reasonable and necessary:

Practices such as surveillance measures to prevent theft or even 'mystery shopper' activities designed to improve service standards are common practices in the industry which require the collection of personal information for the purposes of managing the employment relationship. Records of discussions held with employees over performances matters typically include personal information as defined in the Draft Principles. The maintenance of these sorts of records are necessary under workplace relations legislation if the employer needs to discipline or terminate the employee. It should be mentioned that these same records are also used to determine whether an employee is fit for promotion or an increase in remuneration.[111]

Conclusion

3.103 The committee notes that Companion Guide indicates that, at this stage, the small business exemption will be retained. Ms Joan Sheedy, Department of the Prime Minister and Cabinet, stated that in the second stage response to the ALRC recommendations, the Government will consider the recommendations relating to the removal of the exemptions currently in the Act. Ms Sheedy went on to comment that 'there are no government decisions that have been taken yet in relation to those exemptions'.[112]

3.104 The committee considers that no further comment is required at this stage in relation to exemptions from the Privacy Act.

Interaction with state and territory legislation

3.105 Both the Office of the Victorian Privacy Commissioner and the Health Services Commissioner, Victoria (HSC), noted that the Companion Guide indicates that no changes will be made to the Privacy Act provisions which preserve the effect of any state or territory law that makes provisions about interferences with privacy, if it is capable of operating concurrently with the existing Privacy Act. However, they argued that this statement suggests that the approach outlined in the Companion Guide does not reflect the ALRC review recommendations or the approach outlined in the Government response, particularly in relation to private sector health providers.[113]

3.106 While the HSC welcomed the Government's position, as it argued that the interests of consumers and organisations can best be served by having State and Commonwealth regulators working co-operatively, the Office of the Victorian Privacy Commission sought clarity on this issue.[114] Other submitters expressed disappointment that the reforms had not led to a streamlining and harmonisation of privacy law in Australia.[115] Yahoo!7, for example, commented that a level of uncertainty had been introduced 'as we were hoping to operate under a single unified privacy regulation framework'.[116] ADMA went further and stated that the harmonisation:

...should not be done half heartedly and that states and territories should not be permitted to create other, isolated privacy requirements. The benefit to Australian business of knowing, without doubt, that all privacy requirements are stated in a Commonwealth Privacy Act will to a large extent be undone if this is permitted to occur.[117]

Conclusion

3.107 The committee notes that it is stated in the Government response that 'there are clear benefits of nationally consistent privacy regulation in the private sector, including the health sector'.[118] The department also indicated that the first stage response will create a platform from which the Commonwealth Government can pursue national harmonisation through discussion with state and territory governments. Further:

All parties to those discussions will need to carefully consider what changes are necessary to their respective privacy and information-sharing regimes to ensure an effective harmonised system can be implemented.[119]

3.108 The committee considers that the harmonisation of privacy regimes across all jurisdictions is an important goal. However, the matters to be considered are complex with examination of interactions with, and possible inconsistencies between, Commonwealth and state and territory regimes requiring detailed examination.

Implementation

3.109 A number of submitters were concerned to ensure that the implementation process for the new Privacy Act includes an appropriate transition period. It was argued that an adequate transition period would allow for the implementation of any necessary systems changes, staff training and updating of relevant corporate policies required to comply with new obligations.[120] The Insurance Council of Australia, for example, commented that the most common method of notifying insurance policyholders of information is through the Product Disclosure Statement (PDS) that is required under the Corporations Act 2001. The Council suggested an 18 month transition period would allow general insurers to incorporate any required additional notifications in their PDSs in the normal course of them being re-issued.[121] Other submitters called for a transition period of 12 or 18 months duration.

3.110 The AHA noted that following the amendments to the Privacy Act in 2001, the private sector was granted a 12 month 'amnesty', and submitted that a similar transition period should be granted to the business community/entities following the passage of these amendments.[122]

3.111 Some submitters also specifically stated that requirements under the new legislation should only be applied prospectively.[123]

3.112 The AHA also suggested that an education and awareness campaign will be required to assist acceptance and compliance with the new obligations. Such a campaign could be conducted by the Commonwealth in conjunction with relevant industry associations.[124]

Conclusion

3.113 The introduction of the reformed privacy regime may require significant change to practices and policies. The committee considers that due consideration should be given to the provision of an adequate transition period where appropriate. The committee further considers that the Office of the Australian Information Commissioner should be consulted in relation to the length of time of any transition period.

Recommendation 5

3.114 The committee recommends that the Government, in consultation with the Office of the Australian Information Commissioner, give consideration to the provision of a transition period for entities to fully comply with the implementation of the new Privacy Act.

Consultation

3.115 The ALRC undertook extensive consultation during its review of privacy law as did the Government in formulating its response to the ALRC's recommendations. However, the committee received comments in relation to consultations during the development of the exposure draft. The Australian Privacy Foundation (APF) for example, expressed concern that the exposure draft details had 'not been negotiated with a body that includes representatives of all interested parties'. The APF was of the view that the exposure draft reflects the interests of the private sector and government agencies.[125]

3.116 The committee notes, however, that Privacy NSW and the Public Interest Advocacy Centre indicated that they had provided submissions in response to the Government's consultation on the Unified Privacy Principles and related matters.[126] The OPC further noted that it had provided 'informal input' during the development of the exposure draft of the APPs and acknowledged the constructive engagement of the department and its effort to take account of suggestions.[127]

3.117 The committee is satisfied that the department undertook adequate consultation in relation to the APP exposure draft.

Navigation: Previous Page | Contents | Next Page