Executive Summary and Recommendations

Privacy in the Private Sector

Chapter 1

On 14 May 1998, the Senate referred to the Legal and Constitutional References Committee an inquiry into privacy protection in Australia, linked to consideration of the measures contained in the Privacy Amendment Bill 1998, which extends the operation of the Privacy Act 1988 to businesses performing work outsourced by the Commonwealth. The terms of reference include a wider consideration of existing privacy protection in Australia's private sector, as well as other issues including Australia's international obligations and the need for legislative backing for any privacy protection.

Chapter 2

After examining the issue of privacy in the private sector, the Committee concludes that there is strong evidence of widespread community concern over the protection of privacy rights generally, fuelled by the rapid advances in technology, particularly in the areas of electronic commerce and the Internet. The Committee notes that these concerns are reflected in international and national debates over privacy protection, leading to the emergence of an expanding body of law and standards that will inevitably have implications for the direction taken by the Commonwealth Parliament in the matter of regulating for the protection of privacy in the private sector.

Chapter 3

In Chapter 3, the Committee concludes that an adequate privacy protection scheme to cover the private sector must have several key characteristics, which must include certain core information protection principles, as well as an enforcement system. Together, these must have the effect of creating a system of enforceable rights and obligations that can provide minimum guarantees of an individual's privacy rights.

The detail and content of the privacy protection principles should be guided by existing international benchmarks and best practice standards, such as the EU Directive on Data Protection. Secondly, the Committee recognises a considerable risk that a failure to ensure sufficiently high standards could damage Australia's trade interests by inhibiting the ability of trade partners to exchange information and by limiting the confidence of the Australian public in emerging technologies.

The Committee also considers that while industry has legitimate concerns about regulation, it is important to clearly establish that the needs of industry must not be permitted to override individuals' rights to privacy.

Recommendation 1 (Paragraph 3.22)

The Committee therefore recommends that in the development of more effective privacy legislation, as is recommended later in this report, consideration be given to the relationship between existing laws regulating employer records and proposed legislation which would seek to cover employee data.

Recommendation 2 (Paragraph 3.95)

The Committee therefore recommends that the criteria outlined in this chapter be used as a baseline for the development and evaluation of a privacy regime applying to the private sector.

Chapter 4

Chapter 4 examines the extent of the privacy protection currently provided by existing legislation and common law actions. Measuring these protections against the criteria established in Chapter 3, the Committee concludes that they are inadequate.

Overall, Australia's existing legal frameworks are only partial in their coverage and vary widely across jurisdictions. Access to remedies and enforcement is uncertain. Moreover, the current arrangements fail to meet the needs of the private sector or to protect the rights of consumers.

The Committee also notes that existing inadequacies at the federal level are already prompting legislative responses at a state and territory level, increasing the likelihood that an already fragmented national approach will become worse. The Committee considers that by avoiding consistent national legislation, Australia may end up with an inconsistent patchwork system with varying requirements across jurisdictions.

Chapter 5

Chapter 5 examines the extent of privacy protection provided by existing self regulatory systems, and draws a number of conclusions.

The Committee notes that many companies and organisations have adopted a responsible approach to the protection of privacy. However, the Committee remains concerned at what is essentially a piecemeal adoption of privacy protection measures in the private sector, and considers that coverage is far from uniform. Of equal concern is the slow progress achieved in bringing into force comprehensive enforcement measures to give effect to the National Principles [1]. The Committee sees little evidence of real progress and limited prospect for such progress in the near future.

For these reasons the Committee concludes that at this stage private sector self-regulatory systems do not, of themselves, provide an adequate system for privacy protection in Australia. Without an adequate enforcement mechanism the National Principles lack force and cannot provide the basis for a national privacy scheme.

In general, the Committee concluded that, with reference to the criteria developed in Chapter 3, self-regulation fails to deliver adequate privacy protection. Self-regulation:

The evidence provided to the Committee indicated clearly that unless the private sector faces the credible possibility of coercive intervention by government, adequate standards will not be adopted or enforced.

In examining the adequacy of the National Principles in meeting the requirements of the European Union (EU) Directive on Data Protection, the Committee found that the EU Directive places major limits on the processing of material and provides substantially greater protection of the data collected and processed. By placing its principles within a broad framework of human rights and noting the right to privacy, the Directive links its philosophy to general human rights issues.

The National Principles, in comparison, appear a very weak and piecemeal approach to the issue of collection and protection of data. They do not deal with substantive issues such as the rights of the data subject; they give unequivocal preference to the wants of certain industries; they provide very little obvious limitation on the discretion of certain parties; and they provide virtually no direction as to the way in which even the minimal protections provided would be safeguarded. They do not locate privacy among human rights, and express limited concern for the rights of the individual as opposed to the needs of the business community.

Recommendation 3 (Paragraph 5.144)

The Committee recommends that the Commonwealth does not rely on self-regulatory schemes.

Chapter 6

Chapter 6 examines the Privacy Amendment Bill 1998 and its adequacy in addressing the lack of privacy protection identified in previous chapters. The Committee concludes that the objectives of the bill are inadequate to meet the wider need for privacy protection over the private sector in Australia. However, the Committee agrees that there is an urgent need to counteract the erosion of the coverage of the Privacy Act caused by the widespread contracting out of government services, and to this extent supports the objectives of the bill.

Nevertheless, the Committee is concerned that the desire to minimise the application of the bill has led to a series of rules and exclusions, which would have the effect of increasing the complexity of Australia's privacy laws. The Committee considers this ironic, considering industry's pleas for simplified, uniform and consistent privacy laws.

The Committee considers that many of the above issues serve to reinforce the practicality of adopting uniform national legislation covering both private and public sectors.

Recommendation 4 (Paragraph 6.52)

The Committee recommends the government introduce legislation to provide privacy protection uniformly covering the public, private and the charitable and 'not for profit' sectors. The coverage of the bill should be as broad as possible and minimise the extent of any exemptions.

Recommendation 5 (Paragraph 6.60)

The Committee recommends that, were the proposed legislation to be agreed to, there be a serious re-evaluation undertaken of the proposed workload of the Privacy Commission and the resource implications of the proposed legislation.

Recommendation 6 (Paragraph 6.63)

The Committee questions the use of the Information Privacy Principles in preference to the National Principles. However, as the Committee has noted serious deficiencies in the National Principles, it recommends that they be carefully revised, and should not be adopted without modification which takes into account the issues raised by expert commentators, and in light of the guiding principles of the European Directive. Until such revision has occurred, the National Principles would not be an appropriate base for legislation.

Recommendation 7 (Paragraph 6.71)

The Committee also examined the relationship between the Commonwealth Freedom of Information Act and the Privacy Act, and recommends the government further examine the issue so as to ensure the most effective solution.

Chapter 7

Chapter 7 introduces the Committee's preferred solution for addressing the need for privacy protection in the private sector. The co-regulatory model suggested is based on a model developed by the Attorney-General's Department, comprising privacy protection based on flexible industry codes developed in co-operation with the Privacy Commissioner, backed by a legislative scheme. Of particular interest to the Committee are the responses received to the discussion paper, Privacy Protection in the Private Sector (1996), which reveal overwhelming support within industry for the proposed co-regulatory model.

Recommendation 8 (Paragraph 7.116)

For this reason, the Committee recommends that the creation of a co-regulatory model incorporate a comprehensive review of the Privacy Act, creating a single universally applicable source of law.

Chapter 8

Chapter 8 examines the costs of the proposed co-regulatory model, and the extent of the Commonwealth's constitutional powers to enact comprehensive privacy legislation covering the private sector in Australia.

The Committee recognises that in developing a privacy protection system, it is important to minimise the regulatory burden and compliance costs to industry. Nevertheless, the Committee concludes that such costs will depend upon the exact nature of the system in question, and it cannot be assumed that a legislative system will necessarily entail high compliance costs.

Given the evidence of low costs associated with the co-regulatory model adopted in New Zealand, developed with the minimisation of compliance costs as an explicit objective, the Committee considers that a similar system in Australia would not impose unacceptably high costs.

Recommendation 9 (Paragraph 8.24)

Recognising the importance of keeping costs to a minimum, the Committee recommends that any proposal for new legislation, once finalised, be subject to a specific costing analysis to ensure that costs are not unreasonable in the context of the social objectives of the legislation.

Recommendation 10 (Paragraph 8.44)

The Committee recommends that the government investigate mechanisms to achieve a cooperative legislative approach with the State and Territory parliaments that could ensure effective legislation.

Recommendation 11 (Paragraph 8.48)

The Committee strongly recommends the reconsideration of a co-regulatory scheme underpinned by national uniform privacy legislation applicable across all sectors. The scheme which was proposed by the Attorney-General's Department in their discussion paper provided what the Committee views as a practical and workable model, and one which received an overwhelmingly positive response from all sectors.

In relation to constitutional issues, the Committee concludes that there is a wide constitutional basis for the Commonwealth Parliament to enact comprehensive privacy legislation, although there may be some doubt as to the complete coverage of such legislation across all areas.

Footnotes

[1] All references are to the first set of principles. The Committee notes the principles were revised in January 1999.