Chapter 2 - Background

2.1       This chapter provides some background to the Privacy Act, including:

• concepts of privacy;
• privacy under international and common law;
• history of the Privacy Act;
• key provisions of the Privacy Act; and
• community attitudes towards privacy.

Concepts of privacy

2.2       As the Law Reform Commission (as it was then known) noted in its 1983 report on privacy, 'the very term 'privacy' is one fraught with difficulty. The concept is an elusive one.'[5] Privacy is often referred to as the 'right to be let alone'.[6] Professor Zelman Cowen, in the 1969 Boyer lectures, observed that:

A man without privacy is a man without dignity; the fear that Big Brother is watching and listening threatens the freedom of the individual no less than the prison bars.[7]

2.3       Similarly, Mr Bill O'Shea of the Law Institute of Victoria (LIV) remarked during this inquiry that 'an individual's privacy is fundamental to their human dignity'.[8] Mr Paul Chadwick, the Victorian Privacy Commissioner, addressed the committee on the purpose of privacy:

Firstly, it [privacy] is understood to be essential to selfhood—to the creation of the self. It is as fundamental as that, and it is why humans retreat to solitude at times or keep their reserve in the company of others. Secondly, it is understood to be fundamental to the creation and maintenance of intimacy between humans. Unless the privacy of your relationship with your nearest and dearest is observed by the partners, trust is lost. So privacy as essential to intimacy is the second purpose of privacy among humans. Thirdly, not to be downplayed but also not to be overplayed, is privacy as liberty.[9]

2.4       'Privacy' is often broken down into different elements. Mr Chadwick discussed five dimensions of privacy as including: privacy of the body; privacy of the home; privacy from surveillance; privacy from eavesdropping; and information privacy.[10] However, the Privacy Commissioner, Ms Karen Curtis, pointed out to the committee in Sydney that:

...while our Privacy Act is about the protection of personal information or sensitive information, it is really about data protection. It is not about privacy in the broader sense of bodily privacy or privacy in other areas. I think ‘privacy’ is often seen as a catch-all, and so our Privacy Act does not address all aspects of territorial privacy or bodily privacy. The Privacy Act addresses the collection, use, disclosure and storage of personal information held by Commonwealth government departments and agencies, ACT government departments and agencies and also the private sector across Australia.[11]

2.5       Despite this, the Australian Privacy Foundation (APF) urged this inquiry:

...to consider what additional protection needs to be put in place to deal with contemporary threats, going beyond information privacy principles to limit the development of a surveillance society and protect individuals from assaults on their physical integrity such as mandatory drug and DNA testing and increasingly prevalent and intrusive searches, and from other intrusions (such as by telemarketing or media harassment). These forms of privacy invasion may not involve the creation of a record of personal information, and yet are just as important in terms of a more general “right to be let alone”.[12]

2.6       Mr Paul Chadwick argued the significance of privacy is growing, for three key reasons.[13] The first reason was technological developments; the second related to international obligations and developments. Finally, Mr Chadwick argued that we are going through a 'recalibration of liberty and security':[14]

The third factor that explains why the Privacy Act is growing in significance is 11 September 2001 and what has flowed from that in terms of public policy. We are now recalibrating the balance between liberty and security. Privacy is legitimately a subset of liberty, and those of you who have had to address things like the ASIO [Australian Security Intelligence Organisation] legislation et cetera will be aware of those arguments.[15]

2.7       Similarly, Mr Andrew Want of Baycorp Advantage suggested that, among other things, one of the emerging challenges in the area of privacy:

...is the balance between identity management and anonymity in the context of terrorism and security. There is an obvious societal push for greater security following September 11. The risk is that the pendulum might swing too far and individual privacy might be lost in the mix. There needs to be a serious debate about what the benefit for society is and what the policy objective of privacy regulation is in this new context. So it is not just about economic efficiency; it is also about the balance of individual liberty in the face of the challenges society is now dealing with out of the remnants of September 11.[16]

2.8       However, Ms Anna Johnston of the APF raised concerns about the impact of recent events on the Privacy Act, and especially:

...the extent to which the so-called war on terror is used to justify an abandonment of any rationality in our policy process, such that new proposals are not calmly weighed in terms of necessity, proportionality or reasonableness, effectiveness and looking at alternative options.[17]

2.9       In particular, Ms Johnston strongly expressed the view that:

...we reject the notion that we are somehow living in a new age of terror, justifying the abandonment of long-cherished values or hard-won liberties...

...post September 11, we do not believe the world actually changed that much. Even more so, we utterly reject any suggestion that privacy or indeed other human rights somehow stand in the way of security or good government. Privacy ensures the freedom of speech and freedom of association necessary for stable and democratic government. Furthermore, privacy, like openness, transparency and freedom of information, is about ensuring the accountability of government and business. In doing so, respect for privacy and the robust enforcement of privacy principles and privacy rights can only strengthen the fair and expose the corrupt.[18]

2.10      Similarly, Mr Bill O'Shea from the LIV observed:

The default position should be that we protect people’s privacy and that you as legislators do the same...if we have a drift in this community based on 9/11 or the US alliance or whatever else we are concerned about the drift will inexorably be to take away people’s dignity and progressively take away more rights by privacy infringement creep.[19]

2.11      As Mr Timothy Pilgrim of the OPC remarked:

...it is the issue of the balance. We would say that in certain circumstances privacy cannot be an absolute. There has to be that balance achieved between the needs of the individual and the broader community.[20]

Privacy protection under international and other Australian law

International law

2.12      There are several key sources of international law and standards relevant to privacy protection in Australia.[21] In particular, the International Covenant on Civil and Political Rights (ICCPR) recognises the right to privacy in Article 17. It states:

(1) No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.

(2) Everyone has the right to the protection of the law against such interference or attacks.

2.13      Article 12 of the Universal Declaration of Human Rights contains an almost identical provision.

2.14      The Organisation for Economic Cooperation and Development's (OECD) Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (OECD guidelines) were adopted in 1980. The guidelines set out eight `Basic Principles of National Application' (guidelines 7 to 14) to be followed by OECD countries. The guidelines set out the way personal information about individuals should be collected, stored, used and disclosed – consistent with the above mentioned international laws. They also set out mechanisms by which individuals can gain access to, and have amended, information about them held by others.[22]

2.15      According to the OPC, the Privacy Act gives effect to Article 17 of the ICCPR and the OECD Guidelines. In particular, the OECD guidelines provided the basis for the Information Privacy Principles contained in the Privacy Act.[23] The Preamble to the Privacy Act also specifically refers to the ICCPR and the OECD Guidelines:

WHEREAS Australia is a party to the International Covenant on Civil and Political Rights, the English text of which is set out in Schedule 2 to the Human Rights and Equal Opportunity Commission Act 1986:

AND WHEREAS, by that Covenant, Australia has undertaken to adopt such legislative measures as may be necessary to give effect to the right of persons not to be subjected to arbitrary or unlawful interference with their privacy, family, home or correspondence:

AND WHEREAS Australia is a member of the Organisation for Economic Co-operation and Development:

AND WHEREAS the Council of that Organisation has recommended that member countries take into account in their domestic legislation the principles concerning the protection of privacy and individual liberties set forth in Guidelines annexed to the recommendation:

AND WHEREAS Australia has informed that Organisation that it will participate in the recommendation concerning those Guidelines...

2.16      The European Union's (EU) Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data (EU Data Protection Directive)[24] is also relevant to Australia privacy law. In particular, the EU Data Protection Directive contains provisions to ensure that European individuals do not lose privacy protection rights when information about them is transferred to other jurisdictions outside the EU. If the laws of the destination country do not provide 'adequate' data protection standards, as determined by the EU, then there are restrictions on the transfer of information to that other jurisdiction.[25]

2.17      Indeed, one of the stated purposes of the Privacy Amendment (Private Sector) Act 2000 was to facilitate trade with EU members.[26] However, to date, the EU has not recognised Australia's privacy laws as "adequate" for the purposes of the EU Data Protection Directive. Only a few countries, such as Canada, Switzerland, and the United States have been recognised in this manner.[27] Indeed, the issue of whether the Privacy Act meets the EU directive requirements, and the extent to which this has had any impact on trade with the EU, were issues raised in submissions and evidence to this inquiry. This issue is considered later in this report.

2.18      Another recent international development is the endorsement in November 2004 by Asia-Pacific Economic Cooperation (APEC) Ministers of the APEC Privacy Framework. Again, this is discussed further later in this report.

Other Australian law

2.19      The Australian Constitution does not expressly protect privacy nor does it contain a specific head of Commonwealth legislative power on which to base legislative protection.[28] As Mr O'Shea of the LIV observed, there is no right to privacy under the Australian Constitution.[29] Several submitters expressed support for consideration of the incorporation of a right to privacy in the Constitution, or a Bill of Rights.[30]

2.20      Until recently, there was also no general right of privacy at common law in Australia. However, in 2003, the District Court of Queensland recognised a tort of invasion of privacy in the case of Grosse v Purvis.[31] This case followed the High Court case of Lenah Game Meats, in which the High Court arguably left open the possibility of a tort of invasion of privacy.[32]

2.21      It is also noted that a number of State and Territory jurisdictions have also enacted their own privacy legislation.[33]

History of the Privacy Act

2.22      The Privacy Act was enacted in 1988, following the demise of the 'Australia Card' proposal. The Privacy Act was initially directed at the protection of personal information held by Commonwealth government departments and agencies, as well as safeguards for the collection and use of tax file numbers. In 1990, the Privacy Act was amended to insert Part IIIA, which regulates credit reporting and information held by credit reporting agencies and credit providers.[34]

2.23      The Privacy Amendment (Private Sector) Act 2000 commenced in December 2001, with the aim of strengthening privacy protection in the private sector by establishing national standards for the handling of personal information by the private sector. Before this, the private sector was covered by a voluntary system of 'National Principles for the Fair Handling of Personal Information'. Among other things, the Privacy Amendment (Private Sector) Act 2000 established the 'National Privacy Principles' and provided for approved privacy codes. As noted above, extending privacy protection to the private sector was partly in response to the EU Data Protection Directive. Other aims of the Privacy Amendment (Private Sector) Act 2000 included: ensuring that Australia business and consumers take full advantage of the opportunities presented by electronic commerce and the information economy; and allaying concerns about the security of personal information when doing business online.[35]

Key provisions of the Privacy Act 1988

2.24      The Privacy Act protects personal information in four key ways:

• The Information Privacy Principles (IPPs) in section 14 of the Privacy Act govern the collection, storage, use and disclosure of an individual's personal information. They also provide for individual access to, and correction of, their own personal information. These principles are based on the OECD guidelines and apply to personal information handled by Commonwealth and ACT Government agencies.
• The National Privacy Principles (NPPs) in schedule 3 of the Privacy Act regulate the way private sector organisations handle personal information (unless replaced by a code approved by the Commissioner under section 18BB of the Privacy Act). These principles cover the collection, storage, use and disclosure, and access obligations of organisations.
• The Act also prevents individuals' Tax File Numbers (TFNs) from being used as a national identification system and gives individuals the right to withhold this information. Where a TFN is provided, its use is limited to purposes relating to taxation, government assistance or superannuation. Under the Act, the Privacy Commissioner issues and enforces legally binding guidelines.[36]
• Part IIIA of the Privacy Act places safeguards on the handling of individuals' consumer credit information by the credit industry. Unlike other provisions of the Privacy Act, strict penalties apply where these provisions are knowingly breached.[37]

2.25      A key definition in the Privacy Act is that of 'personal information', which is defined in section 6 to mean:

information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

2.26      Section 6 also defines 'sensitive information' to mean:

(a) information or an opinion (that is also personal information) about an individual's racial or ethnic origin; political opinions; membership of a political association; religious beliefs or affiliations; philosophical beliefs; membership of a professional or trade association; membership of a trade union; sexual preferences or practices; or criminal record; or

(b) health information about an individual.

2.27      Part IV of the Privacy Act provides for the establishment of the Office of the Privacy Commissioner and the appointment of a Privacy Commissioner. The Privacy Commissioner has several specific powers and functions under the Privacy Act. These include: complaint handling; investigating breaches of the Act; compliance auditing; providing policy advice and promoting community awareness.[38]

2.28      Part VI of the Privacy Act gives the Privacy Commissioner the power to issue 'public interest determinations'. That is, to determine that an act or practice of a Commonwealth or ACT government agency, or a private sector organisation, which may otherwise constitute a breach of an Information Privacy Principle, a National Privacy Principle or an approved privacy code, shall be regarded as not breaching that principle or approved code. The Privacy Commissioner has also released a number of guidelines, both binding and advisory, to assist organisations to comply with the Act.[39]

2.29      The Privacy Act also contains many exemptions and exceptions. For example, the legislation does not apply to:

• certain small businesses (for example, businesses with an annual turnover of less than $3 million and not disclosing personal information for a benefit);[40]
• political acts and practices;[41]
• employee records held by current or former employers;[42] or
• acts and practices of the media in the course of journalism.[43]

Community attitudes towards privacy

2.30      The OPC has commissioned surveys to gauge community attitudes towards privacy, as well as community knowledge of their privacy rights. The most recent survey, conducted in 2004, contained some interesting findings.[44] The survey showed that there appear to be low levels of knowledge about rights to protect privacy:

Sixty per cent [of respondents] claimed to be aware that Federal privacy laws existed, up from 43% in 2001. By contrast, only 34% of respondents were aware the Federal Privacy Commissioner existed. When asked to whom they would report the misuse of their personal information, 29% said they didn't know.[45]

2.31      In its submission, the Australian Direct Marketing Association (ADMA) noted that it conducted research which also indicated a low level of awareness of the Privacy Act and the Privacy Commissioner.[46]

2.32      However, the survey commissioned by OPC also found that most respondents considered the following hypothetical situations as an invasion of privacy:

• a business that you don't know gets hold of your personal information (94%);
• a business monitors your activities on the internet, recording information on the sites you visit without your knowledge (93%);
• you supply your information to a business for a specific purpose and the business uses it for another purpose (93%); and
• a business asks for irrelevant personal information that doesn't seem relevant to the purpose of the transaction (94%).[47]

2.33      However, only 16% of respondents considered that being asked to show identification, such as a driver’s license or passport, to establish your identity would be an invasion of privacy.[48]

2.34      In relation to interactions with government:

Just over half (53%) of respondents were in favour of being issued with a unique number to be used for identification when accessing all Australian government services, slightly fewer (41%) were against. The majority of respondents agreed governments should be allowed to cross reference or share information, but only in some circumstances (62%) ... To prevent or reduce crime (68%) was the scenario under which most respondents felt it was acceptable to cross reference information, followed by the purpose of updating basic information like address details (58%) and to reduce costs, or improve efficiency (51%).[49]

2.35      With health services, 57% of respondents agreed that to enable the government to better track the use of health care services, individuals should have a number assigned to them for use when accessing any health service.[50]

2.36      Further details of the 2004 survey commissioned by the OPC are contained in the OPC's report on the private sector provisions.[51]

Navigation: Previous Page | Contents | Next Page