Chapter 6 - Resourcing and powers of the office of the privacy commissioner

Chapter 6 - Resourcing and powers of the office of the privacy commissioner

6.1       This chapter will consider issues raised in the course of the committee's inquiry in relation to the resourcing of the OPC, and whether current levels of funding and the powers available to the OPC enable it to properly fulfil its mandate.

Resourcing of the Office of the Privacy Commissioner

6.2       The resourcing challenges faced by the OPC are illustrated starkly by the evidence presented to the committee during the course of its inquiry. On the one hand, there has been a steady increase in the number of privacy-related issues which come within the functions of the OPC; indeed, as the OPC has indicated: 'the introduction of new technologies has increased the range of potential privacy issues within the community'.[703] Yet, on the other hand, there has been no corresponding increase of staff for the OPC.

6.3       In response to a request by the committee to provide staffing numbers for each financial year since 1994-1995, the OPC indicated that it had the same number of staff during the most recent reporting year[704] as it did at the beginning of that decade.[705] A temporary increase in staff numbers during the years 2001-2003 was 'for the purpose of developing and writing guidelines and other information for the commencement of the private sector provisions of the Privacy Act.'[706]

6.4       Given the arguably exponential increase in matters relevant to the functions of the OPC, it seems extraordinary that there has been no corresponding increase in staff over the last decade.

6.5       Many submissions expressed concern that the OPC is inadequately funded or resourced, and gave their support to increased funding for the OPC.[707] For example, the AMA believed that 'the OFPC has insufficient resources to investigate and take action in respect of privacy breaches in a timely manner'.[708] The AMA submitted that:

The work of the OFPC has occurred despite the severe lack of resources provided to it to investigate and rectify privacy complaints, carry out educative campaigns, take action on its own initiative, and be proactive in the administration of the Act.[709]

6.6       Mr Roger Clarke argued that the OPC has had its responsibilities increased in recent years, without a corresponding increase in resources:

The OFPC has had its responsibilities greatly increased, and has no more resources, and possibly fewer resources, than prior to the addition of the private sector to its purview.

...

The impact of this has been that the OFPC is prevented from fulfilling its responsibilities. It conducts few audits, its replies to complaints and submissions are very slow, it is unable to respond quickly to sudden demands, and it is able to conduct very little own-volition research and investigation.[710]

6.7       Some submissions suggested that technological advancement would only exacerbate this situation.[711] For example, the AEEMA suggested that the OPC itself needed a 'better understanding...of the rapid advancements in technology and their obvious benefits to business efficiency and community convenience'.[712]

Failure to address systemic issues

6.8       Several submitters noted that, due to resource constraints, the OPC has been forced to concentrate on dealing with individual consumer complaints, at the expense of other strategic functions, such as audits, policy making, enforcement and education.[713] For example, the ACA suggested that the OPC should be doing more in terms of enforcement action. However, it noted that this would require greater resources to allow the OPC to meet its complaints load and to discharge other duties.[714] Indeed, the OPC itself has reported that resources have been reallocated from audit activities to other 'priority areas'.[715]

6.9       The ACA's observation in relation to strategic direction issues regarding the OPC was as follows:

...resource constraints...have bound the Office tightly to one aspect of its compliance role, dealing with complaints from individuals. Public sector audits, inputs to policymaking and effective engagement of public education have all suffered, while at the same time, speedy complaint resolution has proven difficult to deliver. This is acknowledged in the Issues Paper by the OFPC into its review of its own operations, which indicates that having identified complaint handling as a priority the Office diverted resources from other areas of responsibility. This clearly indicates that the strategic direction of the Office has been subverted by short-term contingencies.[716]

6.10      The APF made a similar argument:

Both by design and by failure to provide the Privacy Commissioner with adequate resources, the regime relies largely on complaints. This is a completely inadequate way of seeking to promote privacy compliance. Many interferences with privacy go unnoticed by the particular individuals involved, and even where they are noticed, they rarely cause such significant harm as to warrant the time and effort of complaining. This does not mean that they are unimportant – the cumulative effect of repeated small scale intrusions is just as corrosive of trust in organisations as a few major privacy breaches.[717]

6.11      The APF contended further:

Problems that we see constantly repeated over many years are not being adequately addressed. It should not be necessary to keep bringing individual or even representative complaints, which are a very inefficient way of addressing systemic problems.

...

Slavishly giving priority to individual complaints helps fewer people in the long term than using enquiries, complaints and third party referral of issues to identify systemic issues which can then be addressed with own-motion investigation powers (and audit powers in those jurisdictions where they are available).[718]

6.12      The APF also made the point that there is currently no incentive for respondents to make complaints to correct systemic flaws in the privacy regime since '(i)n most cases, the worst outcome for a respondent, regardless of how bad the conduct, is that they must amend the records'.[719] Further:

There is a lack of information provided to complainants (or their advisers) when raising repeated (or systemic) problems. While the specific complainant’s problem may be resolved, the adviser is rarely informed whether there has been any response to what might be a broader problem with a particular respondent. We understand that the OFPC sometimes provides advice to major respondents that goes beyond anything made public. Consumer advisers should be aware of what that advice is.[720]

6.13      At the public hearing in Melbourne, Ms Loretta Kreet from Legal Aid Queensland also submitted that, in her view, limited resources have resulted in the OPC being overwhelmed by individual complaints, at the expense of addressing more strategic compliance issues:

I understand that, in a climate where resources are limited, enforcement should be strategic so that the successful enforcement action changes industry practice. If all the office is capable of doing is handling individual complaints then industry practice will not change, because there does not seem to be effective enforcement across the industry.[721]

6.14      The Privacy Commissioner's recent review of the private sector provisions of the Privacy Act considered the OPC's capacity to respond to systemic issues raised in complaints or identified by other means. The review noted evidence suggesting that the OPC's limited focus on systemic issues and its lack of power to deal with these issues 'is out of step with best practice for complaint handlers'.[722] The review also noted that '(a) greater focus on analysing complaints, following up leads, conducting more own motion investigations to identify systemic issues and so on could also feed into education and guidance activities'.[723]

6.15      The review recommended that the OPC 'will consider options for providing more feedback on systemic issues either in advice or guidance or in some form of regular update to stakeholders.'[724]

Flaws in complaints handling process

6.16      Several submissions noted that, despite the OPC's emphasis on the complaints handling process, even that process appears to be under-resourced.[725] In particular, several submissions expressed concern about certain aspects of complaints handling by the OPC, particularly the delays in complaints handling.[726] The ACA suggested that the OPC's funding needed to be commensurate with the volume of complaints coming to the OPC.[727] Further, the ACA submitted that:

...the OFPC has a high rate of discouraged complainants, abandoned complaints and unhappy consumers. Consumers must have confidence that if their rights are flouted, they can easily seek speedy and effective redress. This is not the case for privacy rights in Australia following the passage of the Act.[728]

6.17      EFA made some strong criticisms of the complaint-handling process, arguing that it requires 'greater transparency and considerably more information about the OFPC's views about application of the NPPs needs to be made publicly available'. EFA also expressed concerns in relation to the delays in dealing with complaints:

We consider the OFPC should be sufficiently well-funded to deal with complaints promptly, and without need to remove staff from other important areas such as policy and auditing of government agencies as has reportedly occurred.

Without adequate complaints handling procedures, backed up ultimately by strong legal sanctions, the P[rivacy] A[ct] will continue to be a generally ineffective and token piece of legislation.[729]

6.18      In response to the committee's questions on notice in relation to private sector provisions complaints, the OPC stated that in the financial year to date, 'the average time it has taken for complaints...to be resolved or closed is 88 working days or 4.5 months'.[730] Further, the OPC stated that in the financial year to date, '99 complaints...have taken more than 12 months to resolve; this represents 12% of all private sector complaints closed in this period'.[731] However, the committee notes that, since these figures only relate to private sector complaints, they may not be an accurate representation of the total number of complaints subject to delayed resolution.

6.19      At the Sydney hearing, Mr Andrew Want, Chief Executive Officer of Baycorp Advantage, told the committee that his organisation is a strong supporter 'of a significant investment in the capabilities...and in the resources of the [OPC]'.[732] In particular, Mr Want spoke about the need for increased resources in the area of complaints resolution:

Certainly in the area of complaints resolution there need to be some additional resources. We feel the commissioner’s office and the community would benefit from having additional resources to aid in the policy debate—to help explore the areas that we have been discussing about this very sensitive balance that needs to emerge over the next couple of years between freedom of information and freedom of anonymity, if you like.[733]

6.20      At the Sydney hearing, Mr Timothy Pilgrim from the OPC expanded on this point. He noted the constraints placed on the OPC:

Under the Act currently it states that, on receiving a complaint such as that, the Privacy Commissioner shall investigate. As you can imagine, that has resource implications if we are looking at that sort of issue. One of the things we would prefer to do is to be able to advise the person that we have received that sort of complaint and will monitor it to see if that is a particular systemic issue and look to see if there is a broader systemic issue over time that we need to resolve rather than having to devote immediate resources to that one particular issue. I am not trying in any way to belittle an individual’s complaint—please understand that—but that is just an example of an instance where there is something that you probably would not want to devote an entire person to trying to resolve that at that point.[734]

6.21      The FIA suggested an alternative – and, in its view, preferable – way of dealing with complaints:

OFPC has acknowledged that it does not have the capacity to deal with complaints within a reasonable time and that the process may lack transparency (including the lack of right of review).

...

Complaints are most likely to be made to the offending organisation in the first instance. Requiring their examination by the organisation, through a self-audit-self-regulatory process sanctioned through standards of practice that underlie the legislation would ensure appropriate consideration of the complaint and enhancement of community awareness of their rights and methods by which they can exercise them. These methods would be easier, cheaper and more efficient than the current complaint handling by the OFPC.[735]

6.22      The ACA argued that one of the ways in which greater community confidence in protection of privacy rights could be encouraged is by 'more vigorous and apparent enforcement action'.[736] This would encompass further action than 'simple awareness-raising' in order to 'convince consumers that there really is a viable avenue for privacy complaints at the OFPC'.[737] The ACA submitted that:

This would involve establishment of a resource stream to the Office sufficient to meet the complaints load and to discharge the other duties of the Office in providing policy advice, researching and anticipating innovation, and conducting audits and other active information seeking programs, such as shadow shopping perhaps.[738]

6.23      Further, the ACA argued that:

...a mechanism should be established that provides a funding stream to the dispute resolution activities of the Office that is commensurate with and scales to meet the volume of complaints coming to the OFPC. Preferably this funding would be provided by a scheme whereby organisations complained against bear the cost. Indeed our preference would be for a separation of the dispute resolution aspects of the Office from its regulatory functions – the two do not always sit comfortably in the same structure. As a regulator the OFPC should have a role in defining and monitoring the effectiveness of A[lterative] D[ispute] R[esolution] functions as well as being required to respond to systemic problems revealed by the individual complaints data.[739]

6.24      The increased availability of dispute resolution processes was a measure supported by others. For example, Legal Aid Queensland submitted that:

...it would also assist in easing the load on the Commissioner's Office if entities, particularly in the credit reporting area were required to make available an approved internal dispute resolution process. Aggrieved consumers should also have access to efficient no cost external dispute resolution processes either via the Privacy Commissioner or an industry scheme meeting the requirements for external dispute resolution schemes contained in the Australia Securities and Investment Commission Policy Statement 139.[740]

6.25      The ACA stressed that, in its view, the Privacy Act imposes merely a 'bare bones' privacy framework with, for example, no required reporting and no real capacity for the OPC to impose direct cost on industry. However, the ACA raised an interesting point in relation to the resourcing issues faced by the OPC and the efforts made by industry to comply with privacy obligations:

Where we have sympathy with industry is in the point that companies have in many sectors devoted some not-inconsiderable effort to ensuring they meet the prescriptions of the Act in a consistent and reliable way, while the resources assigned to the OFPC to achieve its mission in the private sector are derisory. In our view, while the OFPC has laboured mightily with the scant resources it has been given, the overall impression is that the Government has actually taken its own legislation a lot less seriously than the organisations to which it applies. If this persists, it inspires an atmosphere of demolition by neglect, scarcely a credible position for any organisation, let alone a regulator with an enforcement role, albeit a restricted one.[741]

6.26      The committee notes that the Privacy Commissioner's recent review of the private sector provisions recommended that:

The Australian Government should consider the strong calls by a wide range of stakeholders for the Office to be adequately resourced to meet its complaint handling functions.[742]

6.27      The Privacy Commissioner's review also recommended that the Australian Government consider amending the Privacy Act to give the Privacy Commissioner a further discretion not to investigate complaints where the harm to individuals is minimal and there is no public interest in pursuing the matter.[743]

6.28      The APF was particularly critical of this recommendation:

Although at first glance this appears to be a reasonable position, possibly due to limited resources, we do not agree that the Privacy Commissioner should be able to pick and choose which complaints to investigate.[744]

6.29      Amongst other things, the APF pointed out a practical issue that may arise if such an approach were to be adopted:

...how would the Office determine what ‘harm’ the person has suffered, or where the ‘public interest’ lies, without conducting at least a preliminary investigation? The Office’s resources may well be taken up debating the relative ‘harm’ and the ‘public interest’ between the two parties, instead of just getting on with resolving the matter.[745]

6.30      The APF submitted that it did not support this recommendation. However, it made the following concession:

...if recommendation 46 is to be followed, purely on the basis of a measure to allow the Office to focus its resources on complaints that suggest systemic problems, we argue that there must be a corresponding allowance for direct civil action by individuals against organisations that breach the Act.[746]

Awareness and education

6.31      Several submissions noted that there appears to be a low level of awareness among consumers about the privacy legislation and the OPC.[747] These submissions argued that the OPC needs increased resources in order to play a greater role in promoting education and awareness of the Privacy Act.[748]

6.32      For example, the NHMRC noted that the Australian Health Ethics Committee had worked in collaboration with the OPC to develop and conduct a series of training workshops in every capital city to assist ethics committees and researchers to understand relevant guidelines under the Privacy Act.[749] The NHMRC noted that it alone had provided funding for these workshops. It argued that such privacy training should be funded 'largely if not exclusively' by the Privacy Commissioner, as the responsible agency.[750] The NHMRC concluded by recommending that Privacy Commissioner be given sufficient resources to ensure that education and awareness programs can be funded and implemented.[751]

6.33      At the Sydney hearing, the Privacy Commissioner, Ms Karen Curtis, told the committee that her recent review of the private sector provisions of the Privacy Act revealed a general call by all sectors for increased resourcing for the OPC in a variety of areas:

It is clear throughout the report that there has been a call by all sectors—business large and small, individuals, consumer representatives—for increased resourcing for the office in terms of our complaints handling and also for an education and awareness program. I have made recommendations to the Attorney that he should take into account those strong calls for increased funding for those areas in particular. We have not developed an education and awareness program, so we have not costed what that might be, so I cannot give you a specific figure.[752]

6.34      Ms Curtis reiterated the importance of promoting awareness and education at the committee's May 2005 Budget Estimates hearing, in response to questioning by the committee in relation to priority funding areas:

In the review that I recently completed about the private sector provisions it was clear that there was a general call by industry, as well as by the consumers and the government departments and agencies, for increased awareness and education about both the right of individuals and the responsibilities and obligations of business. So I think an education and awareness program would be a priority.

...

Within our current funding we do provide advice and we do have education and awareness. We maintain a web site. We have lists of people that we send information to. We try to communicate as effectively as possible with the wider community, but an integrated education awareness program would be of use.[753]

Powers of the Office of the Privacy Commissioner

6.35      Some submissions and witnesses argued that the powers of the Privacy Commissioner are inadequate. For example, the ACA was of the view that the powers of the OPC are 'too restricted', and argued that the Privacy Commissioner should have greater powers including:

  • an audit power in relation to the private sector;
  • the capacity to address systemic privacy problems outside the context of resolving an individual complaint;
  • the power to fine an organisation that breaches privacy provisions;
  • ability to enforce any directions given in relation to findings after an own motion investigation;
  • ability to seek court enforceable undertakings; and
  • power to issue a standard or binding code to address systemic failings.[754]

6.36      The ACA stated that, while not advocating 'a draconian or a legalistic "black letter" approach', it was of the opinion that 'a credible set of powers and penalties connects the regulator with the legal framework of enforcement, and ensures that more "light handed" interventions have the weight of possible further action attached to them'.[755]

6.37      Moreover, while acknowledging that its suggested changes may have considerable resource implications, the ACA noted that if changes were implemented, this may result in long-term cost saving measures:

The prospect of more vigorous regulatory action may well lower the number of complaints over time, while enforceable fines would in fact yield revenue, albeit to consolidated government funds. Coupled with a more industry funded A[lternative] D[ispute] R[esolution] scheme as outlined above, these changes could well mean the OFPC becoming a far more cost-effective instrument.[756]

6.38      The Victorian Privacy Commissioner submitted that the powers, independence, resources and accountability for the OPC should be commensurate with the significance of the right to privacy as a basic human right; and the complexity of OPC’s tasks in the contemporary and foreseeable governmental, commercial, social and technological context. The Victorian Privacy Commissioner also suggested that Privacy Commissioner should be able to table reports directly in Parliament.[757]

6.39      The APF submitted that the functions and powers of the Privacy Commissioner are generally adequate, but ineffective due to lack of resources. Nevertheless, the APF recommended a number of extended or additional powers for the Privacy Commissioner, including:

  • extending the audit function to compliance by private sector organisations with the NPPs;
  • the power to initiate a code of practice to deal with particular issues affecting the private sector;
  • the power to selectively require agencies and organisations to publish details of major projects or proposals with significant privacy implications;
  • an express role in relation to privacy impact assessments;
  • the power to issue or require corrective statements; and
  • a more systematic and streamlined complaints process.[758]

6.40      The Centre for Law and Genetics submitted similarly that current enforcement powers in the Privacy Act are 'relatively weak'.[759] At the Canberra hearing, Dr Dianne Nicol from the Centre for Law and Genetics provided the committee with more information on this point and suggested how this might be changed:

Certainly, at the moment, determinations of the commissioner are not binding on either of the parties. So it is then up to the commissioner or the complainant to bring a further action to the Federal Court and there is another hearing de novo, so it is a fairly lengthy process to get anything in the form of enforceable requirements. One area that might be instructive is schedule 5 of the Broadcasting Services Act relating to censorship of the internet. The provisions in schedule 5 relate to determinations of the Australian Broadcasting Authority. They define them as online provider rules, and those rules are binding such that, if the rules are not followed, it becomes an offence, so it is an offence not to follow the determinations of the Australian Broadcasting Authority. Perhaps a similar procedure could be put in place for the Privacy Commissioner so as to give the determinations of the Privacy Commissioner some binding force.[760]

6.41      The AEEMA also observed that, compared to European Union jurisdictions, the enforcement powers and procedures under the Australian regime 'engender a more subtle approach to breaches.'[761]

6.42      At the Melbourne hearing, Ms Irene Graham from EFA argued that a more prescriptive approach than is currently set out in the Privacy Act would be a preferable approach to enforcing privacy rights:

...it is [currently] almost impossible for an individual to enforce their supposed privacy rights...So at the moment for an individual to enforce their alleged rights, it is a very complex and expensive exercise. You may be lucky and have the commissioner make a decision quickly and the business just agree to do that—and that certainly does happen with some smaller aspects. But if you have a serious breach of privacy, it is more likely that you will end up having to go to the Federal Court to get the decision heard again. We think that is too hard for most people—too hard and too expensive.[762]

6.43      The Privacy Commissioner's recent review of the private sector provisions also considered many of these issues.[763] The review recommended, amongst other things, that:

  • the OPC will consider promoting privacy audits by private sector organisations;[764]
  • the OPC will review its complaints handling processes;[765]
  • the OPC will consider measures to increase the transparency of its complaints processes and complaint outcomes;[766]
  • the Australian Government should consider amending the Privacy Act to provide for enforceable remedies following own motion investigations where the Privacy Commissioner finds a breach of the NPPs;[767] and
  • the Australian Government should consider amending the Privacy Act to provide a power for the development of binding codes and/or binding guidelines in certain circumstances.[768]

6.44      The APF's response to the Privacy Commissioner's review noted that:

...less timidity in the presentation of many of the recommendations could have spurred more action by the Government, such that instead of being encouraged to just "consider" doing something...it could have been given the permission as a result of this review to just "do it".[769]

6.45      This is particularly pertinent to many of the recommendations set out above in paragraph 6.43.

6.46      The APF also argued that 'there are few recommendations that could bring about genuine and systemic improvements, such as private sector auditing powers for the [OPC]'.[770]

Navigation: Previous Page | Contents | Next Page