Chapter 7 - The Committee's conclusions
7.1
The committee is concerned that the Privacy Act is not
proving to be an effective or appropriate mechanism to protect the privacy of
Australians. The committee considers that a combination of factors is undermining
the Privacy Act, including lack of consistency with other legislation; the
challenges of emerging technologies; the numerous exemptions under the Privacy
Act; lack of resourcing of the OPC; and lack of effective complaints handling
and enforcement mechanisms.
A comprehensive review
7.2
The committee therefore considers that there is considerable
merit in the recommendation by the OPC that the Australian Government undertake
a wider review of privacy for Australians in the 21st century. Some of the
matters that should be considered by this review will be discussed further in
this chapter. For example, the committee believes that the review should
include a 'stock take' of emerging technologies and their privacy implications,
and ways in which privacy regulation could be improved to deal with these
technologies.
7.3
The committee believes that the most appropriate body
to conduct this review is the Australian Law Reform Commission (ALRC), as an independent
statutory corporation with responsibility for, and a proven track record in,
reviewing areas of Commonwealth law reform as referred by the Attorney-General.
In particular, the committee notes that, under the Australian Law Reform Commission Act 1996, the functions of the
ALRC in reviewing Commonwealth law include to simplify the law; remove obsolete
or unnecessary laws; eliminate defects in the law; and to ensure harmonisation
of Commonwealth, state and territory laws where possible.[771] The committee notes that the ALRC
also has extensive experience in undertaking thorough public consultation with
key stakeholders. The committee also recognises that the ALRC has relevant
technical expertise, having conducted previous inquiries relevant to privacy
legislation, including the recent inquiry into the protection of genetic
information, and also the 1983 privacy inquiry which became the foundation for
the Privacy Act 1988.[772]
Recommendation 1
7.4 The committee recommends that the Australian Government undertake a comprehensive review
of privacy regulation, including a review of the Privacy Act 1988 in its entirety, with the object of
establishing a nationally consistent privacy protection regime which
effectively protects the privacy of Australians.
Recommendation 2
7.5 The committee recommends that the Australian Law Reform
Commission undertake the review proposed in recommendation 1 and present a
report to Government and to Parliament.
Consistency
7.6
The committee is greatly concerned at the significant
level of fragmentation and inconsistency in privacy regulation. This
inconsistency occurs across Commonwealth legislation, between Commonwealth and
state and territory legislation, and between the public and private sectors. As
mentioned above, the committee believes that this inconsistency is one of a number
of factors undermining the objectives of the Privacy Act and adversely
impacting on government, business, and most importantly, the protection of
Australians' privacy. The ALRC review proposed above should consider this
issue.
Recommendation 3
7.7 The committee recommends that the review by the
Australian Law Reform Commission, as proposed in recommendations 1 and 2,
examine measures to reduce inconsistency across Commonwealth, state and
territory laws relating to, or impacting upon, privacy.
7.8
Another key area of inconsistency is within the Privacy
Act itself – in the two different sets of privacy principles, the IPPs and
NPPs, applying to the public and private sectors respectively. The committee agrees
that there is no clear policy reason for having two separate sets of principles
applying to these two sectors, and it simply creates unnecessary confusion and
inconsistency. The committee supports the recommendation by the OPC that the
Australian Government consider a systematic examination of both the IPPs and
the NPPs with a view to developing a single set of consistent principles to be
applied to both the public and private sector. The committee considers that the
development of such principles could be undertaken by the ALRC as part of the
review proposed in recommendations 1 and 2. However, the committee considers
that it is crucial to ensure that there is no lowering of the standards
currently applied by the IPPs and NPPs.
Recommendation 4
7.9 The committee recommends the development of a single
set of privacy principles to replace both the National Privacy Principles and
Information Privacy Principles, in order to achieve consistency of privacy
regulation between the private and public sectors. These principles could be
developed as part of the review by the Australian Law Reform Commission, as
proposed in recommendations 1 and 2.
Emerging technologies
7.10
The committee is particularly concerned that the
Privacy Act is simply not keeping up with the privacy challenges posed by new
and emerging technologies. While the Privacy Act may have been an appropriate
mechanism to respond to the technologies of the 1970s and 1980s, technology has
moved at a rapid pace in the past few decades, and the Privacy Act has not been
updated accordingly. The committee considers that the introduction of other
legislation to deal with the emerging technologies, such as the Spam Act 2003, is a clear demonstration
of the failure of the Privacy Act to adequately respond to new technologies.
7.11
The committee acknowledges calls for the Privacy Act to
remain 'technology neutral'. Indeed, the committee considers that it is
desirable for the Privacy Act to remain as 'technology neutral' as possible.
However, the committee believes that it is possible to update the Privacy Act in a
'technology neutral' way to reflect the technological changes that have
occurred and to enable the Privacy Act to deal with these new technologies.
7.12
As mentioned above, the committee proposes that the ALRC
review at recommendations 1 and 2 should examine ways to improve privacy
regulation to improve its capacity to respond to emerging technologies. At the
same time, the committee also agrees with some of the suggestions that were put
forward during this inquiry. In particular, the committee considers that the
Privacy Act should be amended to set out a statutory process for the conduct of
privacy impact assessments in relation to new proposals which may have a
significant impact on privacy. This assessment process could be a transparent
and accountable way of ensuring that privacy concerns are addressed. The
committee notes that privacy impact assessments are being conducted in relation
to some new proposals such as biometric passports. However, the committee is
concerned that these assessments are not being conducted in an open and
transparent manner. The committee considers that such assessments need to
involve full public consultation and should be occurring in a transparent and
accountable manner. The committee considers that the details of this statutory
privacy impact assessment process could be developed by the Australian Law
Reform Commission as part of the review proposed in recommendations 1 and 2.
Recommendation 5
7.13 The committee recommends the Privacy Act be amended to
include a statutory privacy impact assessment process to be conducted in
relation to new projects or developments which may have a significant impact on
the collection, use or matching of personal information.
7.14
The committee recognises suggestions that the definition
of 'personal information' be updated to deal with new technologies and new
methods of collecting information. In particular, the committee believes that
consideration should be given to extending the definition to include information
that enables an individual not only to be identified, but also contacted. This
is also a matter which should be examined by the review proposed at
recommendations 1 and 2.
Recommendation 6
7.15 The committee recommends that the review by the
Australian Law Reform Commission, as proposed in recommendations 1 and 2, examine
the definition of 'personal information' in the Privacy Act 1988, and also any amendments to the definition which
may reflect technological advances and international developments in privacy
law.
Genetic information
7.16
In relation to the potential disclosure and
discriminatory use of genetic information, the committee endorses the
recommendations of the report by the ALRC and NHMRC on the protection of human
genetic information.[773] The committee
notes that this report has been favourably received around the world, and
indeed, established Australia
as a world leader in relation to these issues. However, the committee considers
the government's failure to date to respond to the report's recommendations is somewhat
embarrassing. As a result, Australia
is now starting to lag behind many other countries in dealing with this issue,
to the possible detriment of many individual Australians.
7.17
The committee welcomes the recent budget announcement
that funding will be provided for the establishment of a human genetics
advisory committee as a principal committee of the NHMRC. The committee is
disappointed that this does not fully match the ALRC and NHMRC's
recommendations of an independent human genetic commission, but nevertheless
welcomes any progress in addressing these issues and implementing the ALRC and
NHMRC's report. However, the committee considers that the other recommendations
in the ALRC and NHMRC's report should be implemented in full as a high
priority.
Recommendation 7
7.18 The committee recommends that the Australian Government
responds to, and implements, the recommendations of the Essentially Yours report into the protection of genetic information
by the Australian Law Reform Commission and the Australian Health Ethics
Committee of the National Health and Medical Research Council, as a high
priority.
Other technologies
7.19
The committee notes the evidence received in relation
to the privacy implications of smartcard technology, and that such technology
can be either privacy enhancing or privacy invasive. The area of most immediate
concern to the committee is the Medicare smartcard. The committee heard
evidence of the lack of wider public consultation in relation to the privacy
implications of the Medicare smartcard. Indeed, the committee is disturbed that
it appears that key stakeholders were not consulted prior to the introductory
trial of the Medicare smartcard. The committee is also concerned about the
potential for function creep in the use of the Medicare smartcard.
7.20
The committee is similarly concerned about the lack of
public consultation, and indeed, the lack of publicly available information, in
relation to the government's proposed national document verification service.
7.21
The committee also acknowledges concerns raised in
submissions and evidence in relation to the privacy implications of biometric
technology and the proposed biometric passports. The committee also notes the
evidence of DFAT that a privacy impact assessment is being prepared in relation
to the proposed biometric passports, in consultation with the OPC. However,
once again, the committee is concerned that the privacy impact assessment does
not appear to be being conducted in a particularly open or transparent manner.
7.22
The committee notes with concern the recent
authorisation by the US FDA of human microchip implants. However, the committee
was reassured to learn from relevant government departments that there are no
similar proposals currently planned here in Australia.
Nevertheless, the committee considers that this is an issue that has
significant privacy implications, and that such microchip implants should be properly
regulated here in Australia.
7.23
The committee also notes the extensive list of other
technologies raised in submissions to the inquiry, including, but not limited
to: RFID; spyware; location-based services; electronic messaging; and other
telecommunications technology. The committee considers that the ALRC review
should examine the privacy implications of these technologies, and whether
appropriate regulatory measures are in place to ensure that privacy is
adequately protected in relation to these technologies. Such regulatory
measures should also be consistent and as technologically neutral as possible.
Recommendation 8
7.24 The committee recommends that the review by the
Australian Law Reform Commission, as proposed in recommendations 1 and 2,
include consideration of the privacy implications of new and emerging technologies
with a view to ensuring that these technologies are subject to appropriate
privacy regulation.
7.25
The committee notes in particular the recommendations
of the OPC to address the issue of inconsistency between the Privacy Act and the
Telecommunications Act. However, the committee considers that further measures
could be taken, and therefore recommends that the ALRC review include a
detailed examination of the interaction between the Privacy Act and the Telecommunications
Act. This should include consideration of measures to reduce any inconsistency
between these pieces of legislation and to ensure that privacy is adequately
protected in the telecommunications area.
Recommendation 9
7.26 The committee recommends that the review by the Australian
Law Reform Commission, as proposed in recommendations 1 and 2, consider the
interaction of the Privacy Act 1988
and the Telecommunications Act 1997
with a view to recommending measures to reduce inconsistency between these
pieces of legislation and to ensure that privacy is adequately protected in the
telecommunications area.
Private sector provisions
7.27
The committee notes and endorses the findings and
recommendations made by the OPC in its review of the private sector provisions
of the Privacy Act. However, the committee considers that the OPC could have
gone further in many of its recommendations. Further, the committee disagrees
with the Privacy Commissioner's conclusions that the private sector provisions are
'working well'. Nevertheless, the committee recommends that the Australian
Government responds to, and implements, the recommendations of the OPC review as a
high priority.
Recommendation 10
7.28 The committee recommends that the Australian Government
responds to, and implements, the recommendations of the review of the private
sector provisions by the Office of the Privacy Commissioner as a high priority.
Exemptions
7.29
However, the committee notes that the OPC review's
terms of reference were limited by the Attorney-General. The OPC review
therefore failed to consider a number of relevant, and problematic, aspects of
the private sector provisions, such as the exemptions for employee records and
for political acts and practices. Hence, the committee repeats the need for the
comprehensive review of the Privacy Act as proposed at recommendations 1 and 2.
7.30
In particular, the committee is concerned that the many
exemptions under the Privacy Act are undermining the operation of the Privacy Act
and adding to the problem of inconsistency across jurisdictions and sectors. Of
particular concern to the committee are the small business exemption, employee
records exemption and the political acts and practices exemption. The committee
considers that a wider range of activities should be protected under the
Privacy Act 1988, and is not convinced of the need for such broad exemptions.
Recommendation 11
7.31 The committee recommends that the review by the
Australian Law Reform Commission, as proposed at recommendations 1 and 2,
examine the operation of, and need for, the exemptions under the Privacy Act
1988, particularly in relation to political acts and practices.
Small business
7.32
The committee recognises that the Office of the Privacy
Commissioner made a number of recommendations to address concerns about the
small business exemption, including modifying the definition of small business so
that it is based on the number of employees, rather than annual turnover. However,
the committee is concerned that regulating some small businesses, such as in
the areas of tenancy databases and telecommunications, but not others, will
simply add to the complexity of the legislation. Indeed, the committee
questions the need to retain the small business exemption at all. The committee
recognises the evidence of organisations such as EFA and APF that the exemption is
too broad and too complex. In particular the committee notes the evidence of EFA
that 'privacy rights do not disappear just because a consumer happens to be
dealing with a small company.'[774]
Similarly, the APF pointed out that some of the 'most privacy intrusive
activities are carried out by very small companies and even sole traders.'[775]
7.33
Further, the committee considers that protecting the
privacy of personal information also makes good commercial sense for all
businesses, large and small. The committee notes that the privacy regimes of
other jurisdictions, such as New Zealand,
operate effectively without any small business exemption. Finally, the
committee received evidence that the small business exemption is one of the key
outstanding issues in negotiations with the European Union for recognition of Australia's
privacy laws under the EU Data Protection Directive. Therefore, notwithstanding
the proposed ALRC review, the committee recommends that the small business
exemption be removed altogether from the Privacy Act.
Recommendation 12
7.34 The committee recommends that the small business
exemption be removed from the Privacy Act
1988.
Employee records
7.35
In relation to the employee records exemption, the
committee notes that a review of the employee records exemption was being
undertaken by the Attorney-General's Department and the Department of
Employment, Workplace Relations and Small Business. Indeed, this was the
justification for excluding that exemption from the OPC's review of the private
sector provisions. However, the progress of the review of the employee records
exemption is unclear. The committee is disappointed at the slow progress of
this review, and considers that this review should be finalised, and the
results released, as a matter of urgency.
7.36
In any case, the committee notes with concern the
evidence received that current workplace relations legislation does not
adequately protect privacy in the workplace. The committee agrees with the
evidence of the Australian Law Reform Commission that the most appropriate
place to protect employee privacy is in the Privacy Act, not workplace
relations legislation. The committee also notes that state governments are acting
to fill the legislative gaps by regulating workplace surveillance, but is
concerned that this will only add to problems of inconsistency and
fragmentation. The committee considers that employee records deserve
appropriate and adequate privacy protection, and therefore recommends that the
Privacy Act be amended to cover employee records.
Recommendation 13
7.37 The committee recommends that the privacy of employee
records be protected under the Privacy
Act 1988.
Recommendation 14
7.38 The committee recommends that the review by the
Australian Law Reform Commission, as proposed at recommendations 1 and 2,
should examine the precise mechanisms under the Privacy Act to best protect
employee records.
Direct marketing
7.39
The committee again supports the recommendations of the
OPC review in relation to direct marketing, particularly the proposal to amend
the Privacy Act to require an organisation to take reasonable steps, on
request, to advise an individual where it acquired the individual's personal information.[776] The committee also supports the
establishment of a national 'Do Not Contact' register. However, the committee
suggests that the ALRC review proposed at recommendations 1 and 2 also consider
the possibility of an 'opt in' regime for direct marketing in line with the Spam Act 2003.
Recommendation 15
7.40 The committee recommends that the review by the
Australian Law Reform Commission, as proposed at recommendations 1 and 2,
consider the possibility of an 'opt in' regime for direct marketing in line
with the Spam Act 2003.
Adequacy for the purposes of the European
Union
7.41
The committee notes that the EU still has not
recognised Australia's
Privacy Act as 'adequate' for the purposes of the EU Data Protection Directive.
Notwithstanding the evidence that this has not had a significant impact on
businesses trading with the EU, the committee considers it desirable for Australia's
privacy laws to be recognised by the EU. The committee suggests that the issue
of EU adequacy be considered by the ALRC review proposed at recommendations 1
and 2.
Recommendation 16
7.42 The committee recommends that the review by the
Australian Law Reform Commission, as proposed at recommendations 1 and 2,
examine measures that could be taken to assist recognition of Australia's
privacy laws under the European Union Data Protection Directive.
Other aspects of the private sector
provisions
7.43
The committee notes other suggestions made during its
inquiry for other specific amendments to the Privacy Act and particularly NPPs.
The committee recognises that many of these suggestions have merit. However, given
the committee's recommendation of an ALRC review, and that the NPPs and IPPs
should be merged, the committee makes no further recommendations for
amendments, but rather proposes that these issues be considered as part of the
review at recommendations 1 and 2, and in particular in the development of a
single set of privacy principles as set out in recommendation 4 above.
Other issues
Credit reporting
7.44
The committee acknowledges the concerns raised by
consumer advocates and groups in respect of the credit reporting regime
established by Part IIIA of the Privacy Act. However, the committee does not
see any need for review or reform of Part IIIA at this time. As noted in this
report, action is being taken by industry to enhance data quality and to
improve consumer engagement, including the development of better dispute
resolution mechanisms.
7.45
However, the committee does consider that government
action is required to maintain community confidence in the integrity of the credit
reporting regime. As Australia's largest credit reporting agency acknowledged,
retaining the trust of individual consumers and the community at large is
fundamental to credit reporting agencies' 'social licence to operate'.[777] The principal means of generating
and maintaining that trust is through the effective enforcement of statutory
privacy principles and rights. Yet evidence presented to the committee
indicates that industry and consumers share concerns that regulatory oversight
in the area of credit reporting is lacking. There is a view that, unless the
OPC is provided with greater resources to take enforcement action and then
prioritises enforcement action, the legislation will remain ineffective. The
committee's position – explained below – is that the government must provide
additional funding to the OPC as a matter of some urgency.
7.46
The committee sees no justification for the
introduction of positive credit reporting in Australia.
Moreover, the experience with the current range of credit information has shown
that industry has not run the existing credit reporting system as well as would
be expected and it is apparent that injustice can prevail. As mentioned
elsewhere in this report, positive reporting is also rejected on the basis that
it would magnify the problems associated with the accuracy and integrity of the
current credit reporting system. The privacy and security risks associated with
the existence of large private sector databases containing detailed information
on millions of people are of major concern. For these reasons, the Committee's
view is that positive reporting not be introduced.
Recommendation 17
7.47 The Committee recommends that the Privacy Act not be
amended to allow the introduction of positive credit reporting in Australia.
Health information and medical
research
7.48
The committee notes evidence pointing to an urgent need
for privacy laws relating to health information and medical research to be made
uniform across the Australian jurisdictions. The committee accepts the view put
by witnesses that the current arrangements are a failure of good government and
inimical to the interests of health providers, researchers and patients in Australia.
To this end, it urges the government to act on the recommendations made by the
OPC in its review of the private sector provisions of the Privacy Act,
especially the recommendations that a wider review of that Act be conducted and
that the National Health Privacy Code be implemented as a schedule to that Act.
Of particular concern to the committee is the evidence that the current privacy rules are hindering important
medical research of potential benefit to all Australians.
Recommendation 18
7.49 The Committee recommends that the Australian Government,
as part of a wider review of the Privacy Act, determine, with appropriate
consultation and public debate, what is the appropriate balance between
facilitating medical research for public benefit and individual privacy and the
right of consent.
Responding to overseas emergencies
7.50
The committee acknowledges concerns raised by the ARC
and DFAT in relation to impediments under the Privacy Act to information
sharing in emergency situations. The committee notes that the OPC review made a
number of recommendations to address this situation in relation to the private
sector provisions. The committee therefore again urges the Australian
Government to implement the recommendations of the OPC review as a matter of
priority. The committee also suggests that the government ensure that it also
addresses any impediments under the Privacy Act to information sharing between
government agencies in such emergency situations.
Use of the Privacy Act as a means
to avoid accountability and transparency
7.51
The committee acknowledges concerns about the use of
the Privacy Act as a means to avoid accountability and transparency. The use of
the Privacy Act as a 'shield' to justify privacy-invasive proposals and
reassure the public is particularly concerning to the committee in light of the
evidence received that the Privacy Act is actually not effective in protecting
Australians' privacy. The committee hopes that other reforms recommended by the
committee, and the OPC review, may improve this situation. In particular, the
committee considers that increasing the resourcing available to the OPC, as
recommended below, should help to alleviate this problem, particularly if some
of those resources are directed to increasing awareness and understanding of
privacy rights and obligations. The committee also sees merit in the APF's
suggestion of empowering the Privacy Commissioner to issue 'corrective
statements', to be published at the expense of the organisation involved in the
misrepresentation of the Privacy Act.
Law Enforcement Issues
7.52
The committee notes concerns raised by the AFP about
problems encountered accessing information from organisations subject to the
NPPs in relation to law enforcement issues. The committee supports the OPC's
recommendation on this issue that it will develop practical guidance to assist
private sector organisations to better understand their obligations under the
Privacy Act in the context of law enforcement activities. However, the
committee also considers that the Australian Government should examine
additional mechanisms which may resolve this problem, such as the AFP's
suggestion of the use of 'notices to produce'.
Resourcing and powers of the Office of the Privacy Commissioner
7.53
The committee acknowledges the considerable evidence
received in the course of the inquiry which points to a serious lack of
resourcing and inadequate powers of the OPC. In relation to resourcing issues,
the committee is concerned that lack of funding is inhibiting the OPC from exercising
its functions to full effect. In particular, the committee is mindful that, due
to resource constraints, the OPC appears to be forced to concentrate on dealing
with individual consumer complaints, at the expense of other important strategic
functions.
7.54
Several findings and recommendations made by the OPC in
its review of the private sector provisions relate to resourcing and powers of
the OPC. As noted in paragraph 7.27, the committee endorses the findings and
recommendations made by the OPC in its review, however the OPC could have gone
much further in many of its recommendations. While the committee encourages the
Australian Government to implement the recommendations of the OPC review as a
matter of priority,[778] the committee
considers that, in relation to resourcing of the OPC, an immediate allocation
of additional funding is required to enable the OPC to more efficiently and effectively
fulfil its mandate.
7.55
The committee also notes concerns raised by the APF in
relation to the OPC review's recommendation that there be discretion not to investigate complaints where the harm
to individuals is minimal and there is no public interest in pursuing the
matter. The committee urges the Australian Government to consider carefully the
various implications of such an approach.
7.56
Further, the committee considers that the OPC review's
recommendations relating to powers of the Privacy Commissioner should be
implemented as soon as possible.[779] In
particular, the committee urges the introduction of private sector auditing powers for the OPC.
Recommendation 19
7.57 The committee recommends that the Australian Government
provide an immediate allocation of additional funding to the Office of the
Privacy Commissioner to enable it to more efficiently and effectively fulfil
its mandate and to ensure genuine and systemic improvements to its operation,
both now and into the future.
Senator the Hon Nick Bolkus
Chair