Chapter 4

Australian Privacy Principle 1: open and transparent management of personal information

Introduction

4.1        Australian Privacy Principle 1 (APP 1) addresses open and transparent management of personal information. The Companion Guide states that the requirement for open and transparent management is the first APP because 'it will emphasise that entities should first plan how they will handle personal information before they collect and process it'. In addition, it will make sure that entities consider their privacy obligations when planning new systems. The Companion Guide noted that this reflects international moves towards a 'privacy by design' approach, so that information systems include privacy and data protection compliance from their inception.[1]

Background

4.2        In its review, the Australian Law Reform Commission (ALRC) considered the openness requirements of the privacy regime. The ALRC concluded that there should be a discrete principle requiring an agency or organisation to operate openly and transparently by providing general information on how it manages personal information. It was noted that compliance with openness requirements generally benefits the regulatory system as a whole and 'therefore, plays a key role in promoting best practice in the handling of personal information'.[2] In addition, the development and publication of privacy policies will promote accountability and increase the transparency of the information handling practices of entities.

4.3        Although both the Information Privacy Principles (IPPs) and the National Privacy Principles (NPPs) set out openness requirements, openness is achieved by different regulatory mechanisms for agencies and organisations. The ALRC was of the view that there should be one consolidated and simplified openness requirement and stated:

The 'Openness' principle should make it clear that a Privacy Policy is the regulatory mechanism by which agencies and organisations are to achieve openness. Agencies and organisations should be required to set out in Privacy Policies clearly expressed policies on their handling of personal information.[3]

4.4        The ALRC also considered the content of a privacy policy. While the NPPs impose a general obligation to maintain a privacy policy document, the IPPs take a more prescriptive approach and list specific matters to be included in the record summarising how an agency handles personal information.[4] The ALRC concluded that the essential content of a privacy policy should be expressed in high-level terms. The ALRC was of the view that 'the central obligation should be for agencies and organisations to set out in such a document clearly expressed policies on an agency's or organisation's handling of personal information, including how it collects, holds, uses and discloses personal information'. In addition, any matters required in a privacy policy should not be regarded as being exhaustive.[5]

4.5        The ALRC considered specific matters to be included in a privacy policy and recommended that the list of matters should be limited, but include the sort of personal information held, and the purpose for which that information is held. Other matters required in a privacy policy included the steps available to an individual to access and correct personal information and avenues for complaint.[6]

4.6        The mechanisms for making privacy policies available were canvassed in the review, with the ALRC commenting that loading policies onto websites was 'an ideal mechanism for making them generally available'. In addition, the ALRC recommended that hard copies should be made available on request or in a form accessible for those with special needs.[7]

4.7        The development of short form privacy notices was also examined. The ALRC concluded that short form privacy notices serve a useful purpose and recommended that the Office of the Privacy Commissioner (OPC) should continue to encourage and assist entities to make these available.[8]

Government response

4.8        The Government accepted the ALRC's recommendations in relation to the availability of privacy policies and the development of short form privacy notices and accepted, with amendments, the ALRC's main recommendation in relation to a single openness principle and the matters to be included in a privacy policy.

4.9        The Government response stated:

The Government agrees that organisations and agencies should consider their personal information handling policies and practices and clearly set these out in a Privacy Policy available to all individuals. This helps to promote transparency in the handling of personal information, as well as consumer control, choice and trust in how their information will be handled.

The Government also agrees that requiring agencies and organisations to express in their Privacy Policies how they handle personal information at each stage of the information cycle, will encourage them to consider how the Privacy Principles apply to their activities.[9]

4.10      The Government outlined the areas where it intended to make amendments to the ALRC's recommendation as follows:

4.11      The Government response concluded:

This additional supporting obligation to the 'openness' principle would expressly recognise what is only implicit in the existing Privacy Principles: that agencies and organisations need to take positive steps to ensure they comply with the Privacy Principles. However, it reflects what many agencies and organisations currently do in practice to ensure they meet their obligations under the Privacy Act. It is therefore not intended to impose any unreasonable additional burden on agencies and organisations.[10]

Issues

4.12      The ALRC, OPC, Privacy NSW and the Australian Institute of Credit Management welcomed the positioning of the openness and transparency principle as the first APP. Professor Rosalind Croucher, President, ALRC, commented further:

It brings it up to the front as the first principle and provides, as I described it in the submission, a conceptual mirror to the idea of openness that is captured in the freedom of information legislation. That is a good initiative and we commend the introduction of the principles in that fashion.[11]

4.13      Support was expressed for the Government's aim of encouraging entities to manage personal information openly and transparently, as well as the aim of ensuring that entities take reasonable steps to comply with the Privacy Act and to handle complaints. The Government's intention to ensure that entities undertake appropriate planning prior to the point of dealing with personal information, and when planning new information systems, was also welcomed.[12] However, in order to ensure that this was stated more clearly, the NSW Department of Justice and Attorney General suggested that APP 1(2) be re-titled 'Planning for compliance with the Australian Privacy Principles'.[13]

4.14      The committee also received submissions that did not support the notion that the privacy obligations could, or should, be considered when entities design information systems, that is, the 'privacy by design approach'. Microsoft commented that 'it could be hard to read privacy by design elements into the principle as currently worded'. Microsoft went on to state that it would be wary about trying to load this concept into the principle as it is difficult to see how it would be defined or enforced. In addition, it would raise 'real possibilities of inappropriate government interventions into what should properly be business decisions'. Microsoft also pointed to comments by European Union Data Protection Supervisor, Mr Peter Hustinx, who saw privacy by design not as a matter of law, but something that would be achieved through the practices of organisations. Microsoft supported this view and concluded that legislating for privacy by design would be 'onerous, impractical and would have real potential to stifle innovation'.[14]

4.15      The Office of the Information Commissioner Queensland (OIC) drew attention to the inclusion of a 'reasonable in the circumstances' test in APP 1 and commented that it did not consider that the obligation to comply with the privacy principles should be subject to such a test. The OIC argued that state and territory jurisdictions, which have enacted information privacy laws, impose a mandatory requirement to comply with the relevant privacy principles. In addition, the OIC commented that the adaptable and flexible nature of the APPs provides sufficient scope for entities to implement them in ways which are reasonable, based on the circumstances and context of the entity's personal information handling. As such the OIC recommended that the committee consider APP 1 in terms of whether or not it would be more appropriately stated as a mandatory obligation.[15]

Conclusion

4.16      The committee considers that by placing the 'openness' principle as the first APP, attention is drawn to the need to manage personal information in an open and transparent way. The Government has included in APP 1 an obligation to develop and implement internal policies and practices that enable compliance with the privacy principles. This will strengthen the 'openness' principle and encourage a proactive approach to privacy compliance. The committee believes that by requiring the planning of data systems to take account of privacy requirements, the handling of personal information will be improved and individuals will be confident that entities have taken all necessary steps to provide adequate systems to protect their personal information. Further, the committee does not agree that the 'privacy by design' approach will stifle innovation. Rather, as technology is advancing so rapidly, what is regarded as 'innovation' may in fact pose significant risks to privacy, and thus privacy obligations should be a fundamental consideration in planning information systems.

4.17      The committee also considers that the inclusion of a test of reasonableness ensures that entities have flexibility in the way in which they address the obligations under this principle and, as stated in the Government response, recognises that the appropriate steps to take will depend upon the circumstances of each agency or organisation. In addition, the committee notes that the Government commented in its response to the ALRC's recommendations that:

In this way, the additional requirement adopts a risk-based approach, whereby an agency or organisation would consider what internal practices and policies to implement with regard to such matters as the volume of personal information it handles, the sensitivity of that information and the purpose for which the information is collected, used and disclosed.

In addition to considering the level of risk in their information handling needs and practices, agencies and organisations would also consider what is reasonable for them to do with regard to their size and available resources, the type of functions or activities they undertake, and the extent to which they have already established internal policies and practices.[16]

4.18      The committee concurs with this approach.

Structure and terminology

4.19      Submitters commented on the structure of, and the terminology used in, APP 1. The Law Institute of Victoria (LIV) suggested that, to ensure consistency with APP 1(3) which requires an entity to have 'up-to-date policy' on the management of personal information, APP 1(2) should be amended to read 'implement and review practices'.[17]

4.20      The Law Council of Australia (LCA) commented on the terms used in APP 1(2)(a). First, the LCA was concerned about the strength and the mandatory nature of the language used. Secondly, the LCA noted that APP 1(2)(a) requires an entity to take 'such steps as are reasonable in the circumstances to implement practices, procedures and systems that will ensure that the entity complies with the Australian Privacy Principles'. The LCA suggested that it is not possible for 'practices, procedures and systems' to ensure compliance with the APPs. In order to address this matter, the LCA suggested replacing the word 'will ensure' with words such as 'have the primary purpose of promoting compliance'.[18]

4.21      The department responded to the LCA's comments and stated that, by including the 'will ensure' formula, the Government has gone further than the ALRC recommendation 'in requiring agencies and organisations not only to create and maintain a privacy policy but to also demonstrate that they have taken reasonable steps to comply with both the privacy principles and their own privacy policy'.

4.22      The department went on to state that the term the 'primary purpose of promoting' provides for a different requirement than the term 'will ensure'. The department argued that the terms of APP 1(2)(a) provide a clear requirement for entities to have practices, procedures and systems that will ensure compliance with the APPs. The term suggested by the LCA was seen as a lesser obligation and 'is not consistent with the Government's approach of promoting high standards of compliance that will require entities to consider how the principles apply to their own circumstances and what steps it should take to implement appropriate policies and practices'. The department concluded that:

It was the Government's intention for the compliance standards on agencies and organisations to be sufficiently high to enhance privacy protections. The 'will ensure' obligation was included so that privacy protections are built into the design of an entity's system and not 'bolted on' afterwards.[19]

4.23      Microsoft put the view that APP 1(2) is redundant. Microsoft noted that section 16A of the Privacy Act 1988 provides that 'an organisation must not do an act, or engage in a practice, that breaches a National Privacy Principle'. If, it was argued, a modified version of section 16A is to be enacted to prohibit breaches of the APPs, regulated entities will be required to take steps to comply with the APPs and thus APP 1(2) is redundant. Microsoft concluded:

If APP [1(2)] was enacted as proposed, it would be possible for an entity to be liable for breaching APP [1(2)] simply because it had not prepared a document that described the procedures it would take with the objective of ensuring compliance with the remainder of the APPs. This would be so even if there had been no breach by the entity of any of the substantive APPs...

We just do not believe that APP [1(2)] will assist individuals whose privacy is at risk of being interfered with - they will have remedies if and when a breach of the substantive principles occurs. In a case involving serious and systematic breaches of the APPs, a court has power under section 98 of the Privacy Act to require an entity to take positive steps to prevent future breaches. This power would likely extend to introducing a compliance program - similar orders are commonly made at the request of the ACCC in cases involving contraventions of the Trade Practices Act.[20]

4.24      The OPC also commented on the complexity of the term 'steps as are reasonable in the circumstance' used in APP 1 and other APPs.[21] The committee has addressed these comments in its discussion on the complexity of the APPs in chapter 3.

Privacy policy requirements

4.25      APP 1 also sets out the requirements for an entity's privacy policy: first, that it must be clearly expressed and up-to-date (APP 1(3)); and secondly, that it must contain certain information (APP 1(4)). These provisions were supported by the Health Services Commissioner, Victoria, who noted that the provisions of APP 1 go further than the existing provisions in the Privacy Act and the equivalent provisions in the Victorian Health Records Act.[22] Similarly, the Office of the Victorian Privacy Commission supported the more prescriptive nature of APP 1 as 'it will better allow individuals to identify precisely how entities intend to handle personal information'.[23]

4.26      The committee received comments suggesting improvements to the privacy policy provisions. Professor Graham Greenleaf and Mr Nigel Waters, in their joint submission, commented on the need to make the list of matters to be included in an entity's privacy policy more consistent with the list of matters to be notified when collecting personal information under APP 5. For example, APP 1(4) requires information about how an individual may access information (d) and complain (e), but not 'identity and contact details' (APP 5(2)(a)).[24]

4.27      The NSW Department of Justice and Attorney General suggested that privacy policies should also provide some description of the individuals or entities who are likely to receive personal information and commented that 'this is crucial in terms of giving members of the public a real picture of how personal information is handled and to answer the question: "who are they giving it to?".' It was argued that such a requirement would complement the obligations under the disclosure principle (APP 5(f)).[25]

4.28      Other submitters, however, raised a range of concerns about the prescriptive nature of the information to be included in an entity's privacy policy. For example, the LCA suggested that the privacy policy should only be required to contain 'reasonable information' or 'general information' about the various matters listed.[26]

4.29      The Australian Finance Conference (AFC) also commented that the prescriptive approach was at odds with the objective of providing high level principles and recommended that APP 1(4) be omitted entirely. Both the Australian Association of National Advertisers (AANA) and AFC recommended that the guidance on content of privacy policies be left to the Australian Information Commissioner.[27] Similarly, the AANA submitted that the provisions in relation to privacy policies be limited to core information requirements and that guidance, as is currently the case, be developed to assist entities in meeting their obligations.[28]

4.30      Microsoft's comments concerning APP 1(4) were based on 'evidence that individuals can be overwhelmed but not enlightened by long privacy policies or disclosure statements, even where intended to allow informed consent'. Microsoft submitted that layered privacy notices were one way of improving understanding of privacy policies by providing clear and concise summaries with links to the full privacy statement for those interested in more detailed information. Microsoft suggested APP 1(3)–1(6) (and APP 5) be streamlined by focusing on identifying transparency objectives. Organisations could then choose how best to communicate with individuals to meet these objectives in an effective and cost efficient way. Microsoft concluded that 'this would help reduce the compliance burden on organisations and reduce the load on individuals'.[29]

4.31      A range of comments were received in relation to APP 1(4)(g), which requires that, if an entity is likely to disclose personal information to overseas recipients, the entity's privacy policy must, if it is practicable to do so, specify the countries in which such recipients are likely to be located. The inclusion of this requirement was supported by Privacy NSW.[30] In addition, Professor Greenleaf and Mr Waters argued that the inclusion of the term 'if it is practicable to specify those countries' provided a far too subjective qualification, and 'is likely to lead to many entities not including this important information'. It was suggested that entities which do not include this information be required to give an explanation as to why countries were not specified in the privacy policy.[31]

4.32      Other submitters did not support the inclusion of the obligation under APP 1(4)(g). It was argued that to comply with the obligation was impractical, onerous and costly.[32] Submitters, for example, Yahoo!7 and the Australian Bankers' Association (ABA), commented on the obligations imposed by APP 1(4)(g) for those entities which use overseas servers and cloud computing. It was argued that it was impractical to list all countries, with the ABA noting that banks do not control the location of an overseas server and the server's location may change without the bank's knowledge. The ABA argued that to keep track of these changes, and to continuously update privacy policies, would be onerous and costly.[33]

4.33      The ABA also suggested that APP 1(4)(g) may lead to an individual drawing an incorrect inference that a country named as the location of the intended overseas recipient is not to be trusted with the personal information and 'this would be an unfortunate signal for Australia's law to send internationally'.[34]

4.34      A number of suggestions to address concerns with APP 1(4)(g) were put to the committee. Yahoo!7 favoured a simple disclosure obligation which referred to international data transfer and backup more generally.[35] However, Telstra suggested that the use of very broad references and catch-alls in a privacy notice would diminish the value of providing the information and may lead to confusion. Thus, Telstra argued that APP 1(4)(g) should be omitted.[36]

4.35      The ABA suggested the addition of the words 'reasonable and' before the word 'practicable' to take into account potential volatility in the location of servers in other countries.[37] A number of submitters suggested that as APP 8 deals specifically with cross-border disclosure of personal information APP 1(4)(g) is irrelevant.[38]

4.36      Again, concerns were raised that consumers would not be assisted by long and complex information, specifically in relation to APP 1(4)(f) and (g). Privacy Law Consulting was also of the view that there may be limited benefit to consumers of the provisions as 'they do not result in consumers being provided with a level of information that will enable them to properly consider privacy issues associated with the overseas disclosure'.[39] The AANA also commented that APP 1(4)(f) and (g) 'are unnecessary and not useful information to an individual'. Rather, the AANA submitted that 'the intent of these provisions is to alert individuals that an overseas recipient may not be subject to privacy legislation similar to that of Australia'.[40]

4.37      Privacy Law Consulting voiced concern with the requirements of APP 1(4)(f) and (g) in relation to the disclosure of commercially confidential information and stated that these obligations may result in the disclosure of details about an organisation's operational arrangements and 'inner-workings'. Privacy Law Consulting gave the example of the outsourcing of back-office functions such as accounts or dictation transcription and noted that such information is not normally made public.[41]

Conclusion

4.38      The committee considers that there are benefits in including in the APPs a list of requirements for privacy policies: it helps to promote transparency; provides consumers with a clear indication of what must be included in a privacy policy; and by having to provide clear privacy policies, entities will be required to examine how they handle personal information at each stage of the information cycle.

4.39      While the committee acknowledges concerns that such an approach may compromise the aim of high-level principles in the Privacy Act and that consumers do not always comprehend overly long privacy policies, the committee considers that the benefits to transparency and overall compliance with the privacy principles outweigh these concerns. The committee considers it is important that the principle provides for the minimum amount of information that is required in a privacy policy and makes it clear that it is not exhaustive and that further information must be included as the particular circumstances of the entity require. On balance, the committee therefore supports the inclusion of the matters to be addressed by a privacy policy within the body of the principle. The committee also notes that the Government encourages the Office of the Australian Information Commissioner to provide guidance in this matter.

4.40      In relation to APP 1(4)(g), the committee considers that many consumers have concerns about the transfer of personal information overseas and that this practice is increasing as technology changes and global markets expand. The committee therefore believes that privacy policies should include information on whether an entity is likely to disclose personal information to an overseas recipient and the countries in which such recipients are likely to be located. The committee notes that APP 1(4)(g) contains the proviso 'if it is practicable to specify those countries in the privacy policy'. The committee considers that this provides sufficient flexibility to address the concerns raised by Yahoo!7 and the Australian Bankers' Association.

Availability of privacy policy

4.41      Both the NSW Department of Justice and Attorney General and Professor Greenleaf and Mr Waters commented that the proposal that an entity's privacy policy need only be made available 'in such form as is appropriate' (APP 1(5)(b)) was different to the ALRC's recommendation that access must be provided 'electronically'. Professor Greenleaf and Mr Waters argued that the proposed provision was both weaker and inferior and went on to argue that the requirement in APP 1(6) for entities to respond to an individual's request for the policy in 'a particular form' is only a partial and relatively weak substitute.[42] The NSW Department of Justice and Attorney General commented that:

In the interests of transparency and accountability, APP 1 could explicitly state that entities should take reasonable steps to make the policy available electronically. In practice, this will most likely result in policies being posted on the websites of entities that have them. This is likely to be the first place members of the public will look for privacy policies and it may be appropriate to make explicit the requirement to make them available in this manner.[43]

4.42      The department responded to concerns about APP 1(5) and stated that it believed that an absolute requirement to provide the privacy policy electronically would be a significant burden on organisations without a website or means to otherwise produce an electronic copy. The department went on to state that APP 1(5)(b) puts agencies and organisations under an obligation to provide an appropriate copy of their privacy policy in a way which is reasonable in all the circumstances, having regard to the agencies' or organisations' functions, types of business and restrictions. It also addresses issues around accessibility; for example, clients of some entities may not have computers and therefore are unable to electronically access privacy policies. The department concluded that, as a consequence, there should be the option available of providing the policy in any other appropriate format.[44]

4.43      Professor Greenleaf and Mr Waters also suggested that it was undesirable for APP 1(6) to apply only to requests from individuals, as organisations such as NGOs and the media may often seek access to privacy policies, and this should be expressly accommodated.[45] In response to this suggestion, the department stated that the provision is based on ALRC recommendation 24-2, which also uses the terminology 'individual'. While there is no definition of 'individual' in either the APPs or the ALRC Report, paragraph 22(1)(aa) of the Acts Interpretation Act defines an 'individual' as a 'natural person'. The department went on to state that there is nothing preventing an individual within an organisation, or the media, from making the request and concluded:

Therefore, in practice, there should be no foreseeable problem in media or organisations gaining access to relevant documents containing the Privacy Policies of an agency or organisation.

It is not the Government's intention to prevent organisations from making requests for an entity's privacy policy. Therefore, the Department will consider the Senate Committee's recommendations on this issue, including suggestions for improving clarity on this issue.[46]

Conclusion

4.44      The committee considers that the requirement for an entity to make its privacy policy available 'in such form as is appropriate' should be further clarified by the inclusion of a note at the end of APP 1(5) indicating that the form as is appropriate will usually be an online privacy policy. In relation to concerns about access to privacy policies by organisations, including the media, the committee does not believe that an entity would deny access through a narrow reading of the provisions of APP 1(6). However, to ensure that the intent of the provision is clear, the committee considers that the provision should be re-drafted to clarify that privacy policies must be available to both individuals and entities.

Recommendation 6

4.45      The committee recommends that a note be added at the end of APP 1(5) which indicates that the form of an entity's privacy policy 'as is appropriate' will usually be an online privacy policy.
