Chapter 2
Protecting privacy in the private sector: background and context of
the inquiry
Introduction
2.1 In considering the issue of privacy protection, the Committee is
aware of a number of background issues that will necessarily inform the
debate and influence any solutions that may be developed.
2.2 First and foremost among these is the widespread level of community
concern over privacy protection, driven by emerging technology that is
posing new challenges to individual privacy. This concern has not been
limited to Australia.
2.3 The Committee is also aware that it conducts this inquiry in the
wider context of numerous studies and an emerging body of international
standards and laws that have significant implications for Australia. As
ever, in a federal system, the Commonwealth Parliament must also take
into consideration the perspectives of the State and territory governments.
[1]
2.4 This chapter seeks to address these background issues as a starting
point to the wider analysis of privacy protection.
The Right To Privacy
2.5 There are limited legal and enforceable rights to privacy. [2]
However, there is an increasing level of interest in the community in
the protection of personal information:
Privacy is an important right which needs protection at the highest
level – being federal legislation.
EFA supports the call from privacy advocates for greater privacy protection
within the private sector, and believes that federal legislation is
the only way of providing this. [3]
2.6 Much of what is described as personal information is also `commercial'
information about consumers and their spending patterns, interests and
possible purchasing patterns, and health. To this extent, there is an
interest by the commercial sector in preventing access by other commercial
providers:
The Life Insurance sector, for example, has always needed to deal with
sensitive personal information provided by people applying for policies
or submitting claims under their policies. Such information is essential
for the assessment of the risk the insurer is being asked to assume.
Information must be handled to ensure appropriate security, with no
cause for complaint from policy owners. [4]
2.7 A similar point was made by the Australian Bankers' Association,
which also noted the legal obligation to maintain confidentiality:
Banks do mail out to their customers information or offers about products
and services available from third parties. The customer list is not
disclosed to the third party. It would be a breach of a bank's common
law duty to keep the affairs of its customers confidential if the bank
disclosed its customers' details to the third party without the customers'
consent. [5]
2.8 However, this is not to say that all those in legal possession of
personal information of this type have extensive regard to the needs of
consumers or their privacy concerns with respect to assembling and using
existing data in order to sell new products. [6]
The right of the consumer to have information collected for a specific
purpose only is seriously challenged by modern business practices. Further,
there is also a belief by some industry sectors that the multiple use
of data is expected and indeed encouraged by consumers:
Previous research by the Privacy Commissioner on public attitudes to
privacy reveals that customers expect bank groups to know things about
them. These are reasonable expectations. A customer seeking service
from an organisation through a single point or outlet such as a telephone
will expect comprehensive treatment from the organisation which can
only be achieved if the organisation can co-ordinate and access information
about the person. [7]
2.9 Nonetheless, there is also a recognition by business that consumers
have an expectation of privacy [8] and that
this is compatible with much business practice:
AMP considers that competitive financial institutions must meet their
customers' needs for value and service This includes customers' expectations
in terms of how their information will be handled and used. We want
our customers to know that their information will be secure with us,
to know how it will be used and disclosed, and to be able to exercise
choice about use and disclosure. [9]
Concern over the protection of privacy
2.10 The Committee has received evidence pointing to community concern
over the lack of adequate privacy protection. The Privacy Commissioner
reports that “[t]here is significant evidence that unfair information
privacy practices create real problems for real people in Australia.”
[10] The Commissioner stated that in 1996-1997
she had received 499 written inquires and overall about 15,000 inquiries,
“… many of them complaints about information privacy intrusions
in the private sector …”. [11]
2.11 The Privacy Commissioner also stated that in 1995-1996 the Telecommunications
Industry Ombudsman received 1,350 complaints about privacy. [12]
The New South Wales Privacy Committee received between 2,000 and 3,000
inquiries per year and about ten per cent were accepted as formal complaints.
The South Australian Privacy Committee (which oversights the public sector
only) receives about 900 complaints per annum. [13]
2.12 It is difficult to determine the value of such figures in the absence
of information about the validity of the concerns raised by complainants.
Many complaints may not be justified, and the level of justifiable concern
has to be measured against two factors – a community interest in
protecting the privacy of citizens, even where there is no specific prohibition
on this, and breaches of specific protections.
2.13 Many people may not be aware of their privacy rights or that their
rights have been breached, [14] and this may
well mean that there is a need for additional information and education
services. However, it does appear that there is a gradual increase in
the community's desire for privacy and for more rigorous monitoring of
the obvious invasions, even though many people may be unaware of the extent
to which their personal information is being used. A 1996 Mastercard survey
of attitudes to privacy in Australia revealed that:
…evidence of people's desire to control the use of personal information
is reflected in the way many have handled purchases when they were asked
to give personal information considered unnecessary. Of the 45% who
said that, when purchasing goods or services, they had been asked for
personal information that they felt was not necessary, more than half
(61%) reported that they had discontinued the transaction. This equates
with 28% of the total population. [15]
2.14 The same survey also revealed that for consumers, concern about
their right to privacy is expressed as a number of distinct issues.
- To give their permission to store data [very important 72%; important
21%]
- To be advised as to who may have access to the data [very important
85%; important 12%]
- To be advised how data may be used [very important 84%; important
14%]. [16]
2.15 There are also concerns that inadequate privacy controls may cause
significant damage to Australia's wider commercial interests:
Australia is in danger of becoming isolated in its inadequate response
to privacy concerns, with potentially serious consequences for business
confidence and investment and international trade, as well as leaving
citizens with a sub-standard privacy protection regime which will inhibit
the acceptance of electronic commerce and service delivery. [17]
Examples of breaches of privacy
2.16 These concerns were reinforced by examples in which privacy rights
were breached. The Privacy Commissioner gave this example:
The coordinator of the NSW Pap Test Register receives around 50 telephone
calls a week from women wishing to be removed from the database. In
most cases they blame their GP for allowing their details to be forwarded
without their consent. [18]
2.17 In another example, a man who, over a number of years, experienced
difficulty obtaining insurance, eventually discovered that he had been
confused with another person convicted of insurance fraud and whose name
had been placed on a black list. It took him two years to correct the
mistake. [19]
2.18 These examples reflect a widespread community concern over privacy
protection, and a general desire for the implementation of effective controls.
At present such instances cannot be acted upon, except on the basis of
goodwill.
The significance of emerging technology
2.19 The Committee has heard evidence that the protection of privacy
is being given new impetus by emerging technologies which enable access
to, and manipulation of, personal data. The Public Interest Advocacy Centre
stated in their submission:
The danger of much of the new technology is that it has the potential
to re-create the corporation as an intelligent predator, while the technologically
disadvantaged consumer becomes the predated. [20]
2.20 Some particular aspects and implications of this technology include:
Databases
2.21 Databases may be created without the knowledge or permission of
persons listed in them. Such databases may be used for marketing, research
or blacklisting. [21]
Surveillance
2.22 Emerging technology is opening up new opportunities for surveillance,
especially of employees, but also of the public. [22]
Data mining
2.23 Electronic and digital storage of information, combined with networking
and telecommunications, is also creating new opportunities for the creation
of detailed personal files from diverse sources that have the capacity
to reveal a profile of an individual's personal activities and spending
patterns. This is known as data mining, or covert data surveillance:
I believe the most pressing problem that we have in the 21st century
is covert data-surveillance. The victim … does not even know that
important information is being sucked out of their information system
or wherever it is, attached to the Internet. [23]
2.24 The following examples of data mining were provided to the Committee:
- In the United States a gaming company electronically reached into
customers' computers and collected their e-mail addresses. [24]
- A customer of a supermarket uses a discount shopper's card. The card
links the patron's identity to the items purchased. The supermarket
creates profiles of its customers and offers special discounts to prized
customers. [25]
- A child-oriented web site collects personal information about the
children who log on. This information includes the child's full name,
postal address, e-mail address, gender and age. Also requested is extensive
personal finance information, such as whether the child has received
gifts in the form of stocks, cash, savings bonds, mutual funds or certificates
of deposit; who has given the child these gifts; whether the child puts
monetary gifts into mutual funds, stocks or bonds; and whether the child's
parents own mutual funds. [26]
- One credit card company told the Committee that, “What we do
use our customer bases for is the marketing to them of goods and services
which we think that they will like. When we do this it is strictly controlled
by us and lists are not given out to third parties…We would certainly
try to match the known tastes of our consumers with the goods and services
which may be offered by third parties”. [27]
Electronic Commerce
2.25 Almost certainly the most widespread of all emerging technologies
relates to electronic commerce. A vast array of routine transactions are
performed via EFTPOS, [28] telephone banking,
or electronic transactions using credit or debit cards. The collection
and holding of so much personal information has serious implications for
the privacy of consumers. As Ms Whitaker explained in her submission:
[C]ash is still an anonymous method of payment, so choice exists. Cash
is a non-traceable means of carrying on our buying activities. Credit,
EFTPOS and Fly-buy cards are not anonymous by any means. … Buying
habits can be quite revealing about our lifestyles and life choices.
[29]
2.26 Opinion is predictably divided over the extent of any privacy problem
stemming from electronic commerce. It is now well-established that electronic
commerce is being held back by a crisis in public confidence about the
trustworthiness of organisations operating in the electronic environment.
The lack of trust reflects the difficulties of sustaining consumer protections
in the new electronic context and critical among these factors is the
lack of privacy protections. [30]
2.27 Similarly, the Campaign for Fair Privacy Laws submission notes that:
The Anderson Consulting report Ecommerce: Our Future Today found
that lack of privacy protection was seen by Australian CEOs as a major
barrier to the success of electronic commerce (61% significant). [31]
2.28 However, as the Australian Bankers Association pointed out,
Each month bank customers make about 70 million card-initiated electronic
transactions through merchants with a value in excess of $4 billion.
It is important to note that this very extensive use of electronic banking
has emerged in a largely self regulatory environment. [32]
Calling Number Display
2.29 The relatively recent advent of Calling Number Display (CND) in
Australian telecommunications has also generated some controversy within
the privacy debate. CND displays a caller's telephone number to the recipient
of a call, provided the recipient's telephone has a screen. This facility,
introduced by Telstra in December, 1997, has been the subject of ongoing
complaints. [33]
2.30 Complaints centre on the process leading to the introduction of
CND; the fact that customers must “opt out” if they do not want
the service; the fact that some customers have found it difficult to do
this despite advising Telstra of their desire to do so; the uses to which
CND can be put and the fact that Telstra did not have a code of practice
to cover CND when it was introduced. [34] One
witness described CND in these terms: “The CND debacle provides a
case study in the abuse of power by a corporation that is not subject
to effective privacy regulation”. [35]
Internet
2.31 The Committee also notes the exponential growth in the reach and
scope of the internet and the importance it will increasingly have for
business [36] and the associated transfer of
private information:
[In 1988] the Internet itself was in the very early stages of its development.
Indeed, it has grown substantially since then. In 1988, we had a few
thousand possible hosts on the net, and in January this year we had
approximately 29 million. The growth of the Internet itself is important.
[37]
2.32 As indicated above, some internet technology allows `covert data
activity' of which, by definition, the user is unaware:
[there are] problems that have emerged, particularly in relation to
the Internet dataveillance or to covert data collection. The case of
Starcraft has been widely publicised …which is a web site in California
which invited people to come in to get a copy of a game to play. Unknown
to those people who were playing the game, while they were playing—and
you had no indication whatsoever this was happening—the company
was sucking down, from your machine, your electronic mail addresses.
Not only was that company sucking down for use the electronic mail addresses
of you, the victim, but also anything else that was sitting in your
browser's record, and that may have included your address book. [38]
Tenant databases
2.33 A privacy issue that attracted considerable comment is the privacy
implications of tenancy databases, with the Committee receiving thirteen
submissions dealing directly with this matter.
2.34 The evidence suggests that companies develop databases containing
a range of information relating to tenants, which is then sold to real
estate agents and landlords. Users can provide first or second hand information
to the agency about tenants. However, existing legislation imposes no
obligations on these collecting organisations to verify claims by landlords
and agents.
2.35 When a prospective tenant applies for rental housing, a member agent
can access information from the database to check the tenant's rental
history. This information is then used to assess the application, and
on the basis of the data report, the agent may approve or reject the application
for tenancy. [39]
2.36 The Tenants' Union of Queensland:
believes that the existence of these databases raises serious social
and ethical issues in relation to the privacy rights of rental housing
consumers.
2.37 It argued for:
… a need to develop strategies that ensure tenants are protected
from discrimination and unfair treatment when applying for accommodation.
[40]
2.38 Similarly, the Access Community Housing Association argues:
Agents can and do list information about tenants that is not always
correct, not updated and tenants about whom the information is held
have no access to the information, so are not in a position to dispute
its [sic] correctness. [41]
2.39 In the absence of State or Commonwealth legislation providing protection
to tenants registered on these databases, there is significant scope for
abuse and misuse of information. Real estate agents have no obligation
to advise tenants that their information is listed on a database or what
that information is, while tenants have no right to access information
stored about them, or to correct false or misleading information.
2.40 The Committee notes evidence of privacy problems provided by a number
of state-wide unions and programs that represent the interests of residential
tenants. The Tenants' Union of Queensland stated:
The Tenants' Union receives around 7,000 enquiries from tenants each
year. A significant and growing proportion of callers are now seeking
information about tenant databases …
… Our callers are concerned about discrimination in access to
housing and about the lack of privacy protection in relation to information
held about them. [42]
2.41 Other submissions provided the following examples:
The Tenants' Union has numerous cases where tenants have encountered
extreme hardship and personal difficulties as a result of being listed
on these databases. Cases where identity has been mistaken, where Agents
have listed people out of vindictiveness and cases where people listed
have made no tenancy related misdemeanour are relatively frequently
encountered. [43]
Tenants making contact with BINHRA [Brisbane Inner Northern housing
Resource Serve] have informed this service that Real Estates [sic] have
threatened to lodge the tenant's name and damaging information about
them with a tenant database, when they have been negotiating with a
Real Estate [sic] about who the rental bond should be refunded to or
if they have taken action against the Real Estate [sic] due to breaches
by the Real Estate [sic]. [44]
2.42 Also, there have been numerous claims from tenants who have been
blacklisted because of agent retaliation or for seeking to enforce their
entitlements. Again, a tenant in this situation may not be able to secure
another rental property or their choice of rental properties may be severely
restricted. The threat of reporting may therefore force tenants into compliance
even when their cases are valid. [45]
2.43 In this context the Committee notes the views of many submitters
that:
data collected is unlikely to take into account the reasons why some
tenants may have defaulted on a tenancy lease. Loss of employment, cuts
in social welfare benefits, illness, late workers' compensation payments,
domestic violence can all force tenants to fall into rent arrears. [46]
2.44 Difficult economic times can bring about considerable and unexpected
financial problems, and options for low income tenants are usually limited.
The net effect of having such tenants registered on a tenant database
is that they will be discriminated against in future tenancies; and may
be forced to live in poor standard housing, which raises important housing
and social matters, or at worst, become homeless.
2.45 The Committee recognises that tenant databases offer significant
legitimate advantages by enabling property managers to keep a record of
tenants that pass through their clients' properties, and thereby safeguarding
against problems such as rent evasion, vandalising of property, vanishing
from properties and breaking lease agreements. The databases may consist
of information, rental history and opinions about tenants supplied by
landlords and/or real estate agents. Personal information stored on tenancy
databases may include date of birth, driving licence, car registration,
lease arrangements and rental history.
2.46 The Tenancy Information Centre Australasia Pty Ltd (TICA) in its
submission stated:
Whilst increased protection for the consumer is, of itself, meritorious,
in the landlord and tenant sector the rights and vulnerabilities of
the landlord have frequently been overlooked.
The failure to pay rent is a form of theft from the landlord where
a benefit (occupation) is received and not paid for.
Similarly, failure to pay for damage caused obliges the landlord to
either personally pay for the repairs or to call on an insurance policy
if the landlord is in fact insured for this risk.
The service[s] provided by the TICA GROUP do no more than protect the
landlord from and against persons who have, in the past, abused their
position as tenants.
TICA appreciate concerns as to the maintenance of a database in such
circumstances and we have imposed controls and restrictions to safeguard
against errors, misuse of the system and the breach of a right to privacy.
…
It is not a bar to future accommodation, but it does enable a landlord
or agent to access the merits of a tenancy application as one of the
factors to be taken into account. [47]
2.47 Currently, there are several agencies operating commercial tenant
databases in Australia. One of the largest of these companies is Remington
White Australia Pty Ltd, who for the past 11 years have been recording
tenant information on their Rent Check database. The Committee
notes that the company incorporates a number of privacy protections into
their business operations. Their service is offered only to licensed agents
who on commencement sign an agreement that the information they supply
will be accurate and factual, and that they will only access the database
for the genuine purpose of property management. [48]
Remington White argue:
The resultant effect for the private rental market has been that the
licensed agents, via their qualified property managers, have been able
to offer a valuable service to private sector landlords thus increasing
their willingness to place properties into the rental market, knowing
that agents are working as a cohesive group to assist in maintaining
their assets and reducing the potential for loss.
Further to this residential database, agents are also able if they
choose to access details off the public record that relate to judgements
handed down by various courts etc regarding potential tenants for residential
properties or details relating to company records, directorship details
etc regarding commercial leases. This provides a further balanced check
of a potential tenant prior to them entering into the lease agreement.
[49]
2.48 As a result property managers have reported reductions in instances
of broken leases; in landlords' exposure to habitually defaulting tenants;
and time spent in litigation. At the same time, there have been increases
in the incidence of tenants following laws relating to the vacation of
premises; in tenants' awareness of their legal obligations; and in the
number of successful applications made by `Recommended Tenants'.
2.49 However, the Committee has been made aware of some companies marketing
databases with little regard to the privacy issues involved when dealing
with personal information. [50]
2.50 On the basis of this evidence, however, the Committee agrees that
one of the central issues with regard to tenant databases is the lack
of privacy protection. Although an individual's right to privacy is not
absolute, privacy laws must provide protection for access to an individuals
personal information data. A balance needs to be struck between the commercial
rights of property owners and the personal rights of individuals. What
is clear is that the current lack of privacy protection continues to place
a significant group in a difficult and vulnerable position.
General trends in privatisation and contracting out
2.51 A major growth area internationally, including Australia, has been
the development of contracting out of services, including government services.
These include processing of sensitive personal data. Privatisation of
government services, in conjunction with a greater use of `commercial
in confidence' rules, may mean limited access to information about such
services. This situation, including any misuse of personal information,
will not be affected by proposed amendments to the Privacy Act 1988.
2.52 The contracting out of government services, without adequate protection
of information, has already created some problems. These include accountability
with respect to the quality of the service provided. [51]
They also include the major problem of the confidentiality and further
use of sensitive information:
For some years my existing jurisdiction under the Privacy Act
1988 in relation to the handling of personal information by Commonwealth
government agencies has been eroded by increases in the use of contracting
out. When personal information is handled by a contractor, the agency
is absolved of most of its responsibilities under the Privacy Act. [52]
Freedom of Information
2.53 The erosion of the Privacy Commissioner's jurisdiction caused by
the contracting out of government services also has implications for the
effectiveness of Commonwealth freedom of information legislation (FOI).
Currently, personal information in the public sector can be accessed by
data subjects using FOI legislation but the transfer of such information
to the private sector takes it outside the jurisdiction of the act, making
it inaccessible.
The important contribution that FOI has made to accountability of government
has been documented by the Administrative Review Council and the Australian
Law Reform Commission. In their joint review of the FOI Act in 1995
it was noted that contracting out [poses] a potential threat to government
accountability and openness provided by the FOI Act. [53]
Health records and genetic privacy
2.54 Privacy issues are also driving calls for new legislation to control
the use of and access to information in the health sector and in relation
to genetic information.
2.55 In 1997, the Senate Community Affairs References Committee, in its
report Access to Medical Records, recommended:
… the framing of comprehensive national legislation enshrining
the right of access to medical and other health records in the public
and private sectors … without delay. [54]
That the Federal Privacy Commissioner investigates the privacy implications
of record keeping in the private sector, … [55]
That the Commonwealth move expeditiously to draft legislation for nation
access to medical and other health records through the creation of extended
privacy legislation to cover the private health sector, to avoid conflicting
State and Territory access to medical and other health records legislation.
[56]
2.56 These recommendations were made on the basis of significant privacy
issues arising out of the handling of health records in the private sector.
The Privacy Commissioner argued:
As we approach the twenty-first century, the handling of health information
cannot any longer be seen simply as a doctor's handwritten card with
patient information on it. This Committee has already had evidence of
the rapidly expanding technologies and the different approaches to health
care which require many more people to be acccessing health data, most
of it in identified form. As technology and new approaches sweep over
the health sector, consumers are becoming legitimately concerned about
what happens to their information. [57]
2.57 These findings were also made in the light of the High Court's decision
in Breen v Williams which confirmed that there is no common law
right of access to medical records, and stated that it is the role of
the legislature to effect any change to the common law position. [58]
2.58 Similar concerns over the implications of the use of genetic information
and its potential to cause discrimination particularly in the fields of
insurance and employment, have prompted the drafting of legislation and
a further Senate inquiry, yet to report. [59]
In the second reading speech of the Genetic Privacy and Non-discrimination
bill 1998, the bill's sponsor, Senator Natasha Stott Despoja, argued:
The exponentially increasing number of genetic conditions which may
be tested and the huge range of genetic information that will be available
from the Human Genome Project will make genetic information a reality
for many in our community. It is estimated there may be 3000 to 4000
genetic hereditary diseases and conditions and their identification
at the gene level is possible. … The existing and future applications
of this science and technology require a framework of legislative protections
to ensure that the information which becomes available can be obtained
and used with a certainty that it is not being misused. [60]
2.59 Reactions from the government to genetic privacy issues are unknown
since the bill has yet to be debated in the Senate. With respect to the
report by the Community Affairs Committee, there is no government response
(some eighteen months after tabling). However, the issues raised are not
addressed by the proposed amendments to the Privacy Act. The Committee
considers there to be significant privacy issues arising out of the health
sector, which are likely to be reflected in continual calls for legislative
protection. [61]
Industry is always regulated by the market
2.60 The Committee was advised by a number of witnesses that the market
could provide privacy protection. [62] Telstra
Corporation advised the Committee that,
Unlike the government sector, private sector customers who are not
satisfied with the level of service being provided, including privacy
protection, usually have an option to “take their business”
elsewhere. As a result, competing organisations will find that there
is competitive advantage in adopting sound customer service principles
including taking measures to protect the privacy of individuals that
they deal with. Most private sector organisations, depending on their
size and degree of customer interface have established procedures for
the resolution of customer complaints. [63]
2.61 However, a number of witnesses challenged this viewpoint, noting
that self-regulation did not provide adequate protection. In certain areas
in particular, the `market' could control standards and the consumer had
virtually no alternative. [64]
Past reports
2.62 In addressing privacy in the private sector, the Committee is aware
that the issue has already been the subject of extensive research and
reporting in Australia and overseas.
2.63 The Australian Law Reform Commission has a long-standing interest
in privacy matters. The Commission has also considered issues of privacy
protection in relation to international commercial and banking transactions
as well as reviewing privacy issues in its consideration of the Freedom
of Information Act 1982 (Cth) and the Archives Act 1983 (Cth).
[65] Its feasibility study into legal risk
in cross-border transactions “alerted the Commission to the importance
of Australia having a uniformly effective privacy law in harmony with
those of our trading partners”. [66]
2.64 A number of other Australian reports have examined the issue, including
the Attorney General's Department, [67] the
National Information Services Council [68]
and several parliamentary Committees. [69]
Given the importance of the Attorney General's Department's co-regulatory
model proposed in the above Discussion Paper and the nature of the submissions
received, the Committee has considered this material in detail in Chapter
7.
International trends
2.65 The Committee notes that privacy is attracting considerable attention
in other jurisdictions, leading to the implementation of a variety of
regulatory responses. [70] The terms of reference
for this inquiry also invite the Committee to consider these overseas
models. [71] While a more comprehensive analysis
of other jurisdictions is contained in Chapter 3 [72]
and also Appendix 5, the Committee offers the following general observations.
2.66 There is a range of attitudes, codes and legislation concerning
privacy across the world. Many industry groups have referred favourably
to the United States, which is predominantly self-regulatory, and have
done so in the context that Australia should not become less competitive
through having inflexible legislation. [73]
Others believe that the United States is a prime example of the exclusion
of personal rights to the advantage of business and have recommended instead
the principles of the European Union as offering more rights to consumers.
[74]
2.67 Others have made the point that Australia does have to position
itself carefully:
The commonsense approach for Australia is to try to maintain a position
in the front of that movement rather than where we have put ourselves
at the moment – that is, to drag our heels, comforted really by
one thing: that the decision in North America has not been made at this
point.
We are not an economy that sets the market; we are an economy that
takes from, and is dictated to, by the market. Therefore, by leaving
ourselves where we are at the moment, we are simply putting ourselves
at a discount in financial terms, but particularly in terms of protections
that are available to the broadest base of consumers. [75]
2.68 The most significant international development is the European
Union Data Protection Directive which came into force on 25 October
1998. Its objective is to harmonise the laws of all the European jurisdictions
in respect of privacy. It is also expected to impose obligations concerning
privacy protection on European Union member states when data is transferred
to jurisdictions outside the Union. [76]
2.69 New Zealand has an enforced self-regulatory approach, which is also
described as co-regulation. This scheme is based upon the implementation
and observance of codes of practice and legislated privacy principles
similar to those in the Australian Privacy Act 1988. The Act
applies to the entire New Zealand economy, including the private sector
and all levels of government. [77]
2.70 Like Australia, Canada has for some time had a federal act applying
privacy principles to most federal agencies. However, many of the Canadian
provinces have followed the Government's lead, at times also combining
privacy protection laws with freedom of information laws. Self-regulation
of privacy issues appears now to have given way to proposed legislation,
due by the year 2,000, which will cover both the public and private sectors:
… the aim of the Federal Government is to enact privacy laws that
will meet the test of adequacy envisaged by the EU Directive, including
having the necessary oversight and enforcement mechanisms if the data
protection principles are contravened. [78]
Australian developments
2.71 Reflecting these international developments, privacy protection
has continued to be a focus of policy making and legislative drafting
over the past few years.
Coalition policy on privacy
2.72 The Coalition Law and Justice Policy [79]
of 1996 acknowledged the inadequacy of the privacy protection schemes,
stating that massive technological change had superseded the current level
of protections:
Developments in technology and international communication networks
are rendering our privacy laws hopelessly out of date. Labor's inaction
is not just a threat to the right of Australians to privacy in their
personal affairs. Unless our privacy laws are improved as a matter of
priority, Australian business and industry will be locked out of international
data flows. A recent European Community directive will have the effect
of excluding Australian entities from European community data flows
unless our privacy laws are substantially improved by mid-1998.
Reform is required as a matter of the utmost priority. A consistent
Australia-wide approach is required.
A Liberal and National Government will as a priority, and in consultation
and development with the States and Territories, ensure the implementation
of a privacy law regime in Australia comparable with best international
practice. [80]
2.73 In September 1996, following the formation of a Coalition government,
the Attorney-General released the discussion paper, Privacy Protection
in the Private Sector. [81] This paper
outlined a national, co-regulatory scheme [82]
based upon the existing information privacy principles and allowing for
legally enforceable remedies when breaches of privacy had occurred. The
discussion paper invited comments from interested members of the public
as well as business groups. The Attorney-General's Department received
116 submissions commenting on the paper.
2.74 However, on 21 March, 1997, the Prime Minister, Mr Howard announced
that his government would not proceed with its proposal to implement privacy
legislation covering the private sector, on the grounds of cost and administrative
simplicity.
At a time when all heads of government acknowledge the need to reduce
the regulatory burden, proposals for new compulsory regimes would be
counterproductive. On those grounds, the Commonwealth will not be implementing
privacy legislation for the private sector. [83]
2.75 This decision was explained more fully several months later:
The Government's decision not to legislate on private sector privacy
followed extensive consultation based on the discussion paper, Privacy
Protection in the Private Sector, released in September last year by
the Attorney-General's Department. That discussion paper outlined a
possible approach to privacy protection in the private sector. Its purpose
was to enable business and the community generally to provide concrete
comments.
As well as formal submissions, a number of organisations took the opportunity
to meet with the Attorney-General's advisers and relevant officers of
the Attorney-General's Department to discuss areas of specific concern.
There was particular concern expressed in submissions about how a legislative
regime would impact upon small and medium enterprises. Some submissions
argued strongly that there was no clear need for legislation in order
to ensure privacy protection and that privacy concerns could be adequately
addressed by business on a voluntary basis. [84]
2.76 The decision not to implement a legislative privacy regime for the
private sector appears to have been based on verbal rather than written
comment, [85] as many of the submissions were
not averse to regulation. [86] Additional information
stated that interested groups had advised there was no evidence that legislation
to protect privacy was needed:
There is absolutely no evidence of the need for an extension of the
Privacy Act to the private sector at this time…
Responses to that discussion paper have provided the government with
very clear guidance as to the genuine and real concerns of business
and industry on the possible government approaches to privacy protection.
Those responses clearly indicated that there is no need at this time
for a legislative response to those privacy issues. [87]
National Principles for the Fair Handling of Personal Information
2.77 When the Prime Minister announced on 21 March 1997 that the Executive
would not legislate to extend privacy legislation to the private sector,
he also stated that the services of the Federal Privacy Commissioner would
be made available “to assist business in the development of voluntary
codes of conduct and to meet privacy standards”.
2.78 The Privacy Commissioner subsequently commenced consultations with
the private sector, [88] resulting in the release
of a consultation paper. [89] This formed the
basis of the National Principles for the Fair Handling of Personal
Information, which were released on 20 February 1998, by the Attorney-General
who informed the House of Representatives that at the time of their release,
the National Principles had the support of fourteen peak body organisations.
[90]
2.79 Following the release of the National Principles, work commenced
on their implementation, and two meetings were held. However, problems
arose when consumer and privacy advocacy groups refused to participate
because of disagreement of the direction the reforms were taking. [91]
2.80 The Commissioner also reported that a number of sectors have moved
to adopt the National Principles, although the form that adoption
takes varies from sector to sector. [92]
Legislative responses by states/territories
2.81 When the Prime Minister announced the Cabinet decision not to proceed
with a legislated privacy protection scheme, he also announced that he
had “asked the Premiers and Chief Ministers not to introduce legislation
within their own jurisdictions. [93] This request
was agreed to by the Northern Territory, which advised this Committee
that it opposed privacy legislation for the same reason that the Cabinet
gave for abandoning its proposal – that is, unnecessary cost and
administrative burden. The Northern Territory has also expressed some
reservations about the National Principles, again in the context
of the need to maintain a competitive edge. [94]
2.82 Queensland originally agreed not to legislate but since then there
has been a change of government in that state. In April 1998 a report
from the Legal, Constitutional and Administrative Review Committee of
the Queensland Parliament, Privacy in Queensland, recommended the
enactment of a privacy act and the appointment of a privacy commissioner.
It also recommended that the proposed act make allowance for information
privacy principles modelled on the Commonwealth Privacy Act 1988.
2.83 The proposed act would bind all state government departments
and agencies, local governments and private sector service providers contracted
to State or local government. It is understood that, as at the end of
October 1998, the Queensland government plans to introduce legislation
which will protect personal information, but that the date for the introduction
of this legislation, and the specific contents of such legislation, have
not yet been made public.
2.84 In July 1998, the Victorian Treasurer and Minister for Information
Technology and Multimedia, Mr Alan Stockdale, released a discussion paper
which outlined a legislatively backed self-regulation scheme, effectively
a version of enforced self-regulation. A major objective of this innovation
was to instil greater consumer and business confidence, especially in
the use of electronic commerce. In the discussion paper the Victorian
government committed itself to introducing privacy legislation in the
near future. [95]
2.85 Subsequently, in advice to the Committee, [96]
the Minister reiterated the importance of business and consumer confidence.
The proposed legislation would be in two separate bills, an Electronic
Commerce Framework Bill and a Data Protection Bill, and the
National Principles would be an essential part of the standards
of legislation.
2.86 The New South Wales government indicated the importance of a national
approach to privacy protection. Such an approach does not rule out self-regulation,
but the issue of attaining standards which would not disadvantage Australia
in trade is a matter of concern. Tasmania has also indicated a preference
for a nationally consistent approach. [97]
Again, this does not rule out self-regulation, but equally it does not
mean that some legislative enforcement of `self-regulation' codes might
not be necessary.
The Privacy Amendment Bill 1998
2.87 The purpose of the Privacy Amendment Bill 1998 is to extend
the operation of the Privacy Act 1988 to information held by contractors
engaged to supply services to the Commonwealth. It is not the purpose
of the Bill to apply the Privacy Act 1988 to any other services
that a contractor may offer, and which are not the subject of a contract
with the Commonwealth. The Attorney-General stated in the second reading
speech that:
This bill ensures that the existing protections afforded by the Privacy
Act are not lost when services are delivered under contract. The bill
extends the current obligations of government agencies to any person
or body responsible for the provision of services under a contract with
the Commonwealth or one of its agencies. Subcontractors will also be
covered. [98]
2.88 The aim of the Bill was to remedy a problem that had developed as
a result of Commonwealth services being contracted out. Under the existing
legislation, Commonwealth Government agencies engaging contractors to
provide services which involve the contractor handling personal information
are obliged by the Privacy Act 1988 to ensure that “everything
reasonably within the power of the record-keeper [that is, the agency]
is done to prevent unauthorised use of disclosure of information contained
in the record”. [99]
2.89 This has meant that, in practice, agencies insert clauses in contracts
that require contractors to meet the same sort of privacy obligations
as the Privacy Act 1988 imposes directly upon Commonwealth agencies.
The effect of this is that any dispute concerning breach of the contract
is a dispute between the two contracting parties, and the individual whose
details may have been misused or abused has no recourse. If the contracting
agency chooses not to act, the individual has no means by which to gain
any redress.
2.90 The proposed amendments, by making contractors to the Commonwealth
directly subject to the Privacy Act 1988, enable members of the
community who have had their privacy breached to complain directly to
the Privacy Commissioner. They therefore have a direct avenue of complaint
and direct access to remedies. [100]
Conclusion
2.91 The Committee concludes that there is strong evidence of widespread
community concern over the protection of privacy rights generally, fuelled
by the rapid advances in technology, particularly in the areas of electronic
commerce and the internet. The Committee also notes that these concerns
are reflected in significant international and national debates over privacy
protection, leading to the emergence of an expanding body of law and standards,
that will inevitably have implications for the direction taken by the
Commonwealth Parliament in the matter of regulating for the protection
of privacy in the private sector.
Footnotes
[1] See below, Paragraphs 2.81 – 2.86.
[2] See below, Chapter 4.
[3] Submission No. 42, Electronic
Frontiers Australia, p. 724.
[4] Submission No. 45, Investment and
Financial Services Association Ltd, p. 756.
[5] Submission No 43A, Australian Bankers'
Association, p. 1378.
[6] See below, Chapter 4, Paragraph 4.24, and
Chapter 5.
[7] Submission No.43, Australian Bankers'
Association, p. 734.
[8] See, for example, Submission No. 45,
Investment and Financial Services Association Ltd, pp. 756-757.
[9] Submission No. 53, AMP, p. 1051.
[10] Submission No. 51, Human Rights
and Equal Opportunity Commission, p. 920.
[11] Submission No. 51, Human Rights
and Equal Opportunity Commission, p. 920.
[12] Submission No. 51, Human Rights
and Equal Opportunity Commission, p. 920.
[13] Submission No. 51, Human Rights
and Equal Opportunity Commission, p. 920.
[14] This observation has also been made in
the Senate Finance and Public Administration Committee report Contracting
out of Government Services, 2nd Report, May, 1998, p. 50.
[15] Mastercard International, Privacy and
Payments, 1996, p. 15. The survey, of the Australian community, was
conducted by Roy Morgan and the project management was by Xamax.
[16] Mastercard International, Privacy and
Payments, 1996, p.15.
[17] Submission No.7A, Australian Privacy
Charter Council, p. 296. This issue is addressed in more detail in the
discussion in Chapter 3 of International legal obligations.
[18] Submission No. 51, Human
Rights and Equal Opportunity Commission, p. 892.
[19] See below, Paragraphs 2.33 – 2.50,
and Chapter 5, Paragraphs 5.58 – 5.61.
[20] Submission No.37, Public Interest
Advocacy Centre, p. 664.
[21] This is considered below and also at Chapter
5.
[22] Bell Laboratories, for example, has developed
a video camera that is only a few centimetres wide, making covert video
surveillance exceedingly easy: see The Canberra Times, 10 August,
1998, p. 11. A recent survey revealed the extent of such surveillance
activities. The survey covered sixty-five of Australia's largest companies
and found that many of the companies that responded to the survey admitted
that they not only undertook various forms of surveillance of employees
– including video, e-mail, telephone and internet usage – but
also monitoring of the general public.
[23] Transcript of evidence, Professor
William Caelli, p. 60.
[24] Submission No. 57, Professor William
Caelli, p. 1154.
[25] Document tabled by Professor Quirk, Brisbane
Hearing, 27 July, 1998.
[26] Document tabled by Professor Quirk, Brisbane
Hearing, 27 July, 1998.
[27] Transcript of evidence, American
Express International Inc., p. 134.
[28] Electronic Funds Transfer at Point of
Sale.
[29] Submission No. 61, JL Whitaker
Associates, p. 1362.
[30] Submission No. 40, Xamax Consultancy,
p. 9.
[31] Submission No. 46, Campaign for
Fair Privacy Laws, p. 765.
[32] Transcript of evidence, Australian
Bankers' Association, p. 269 and see also p. 275.
[33] Submission No. 61, JL Whitaker
Associates, p. 1362; Submission No. 40A, Xamax Consultancy,
p. 1270.
[34] Transcript of evidence, Telstra,
p. 202.
[35] Submission No.40A, Xamax
Consultancy, p. 1271. Other criticisms of Telstra's handling of the introduction
of CND are contained in articles in publications such as Privacy Law
and Policy Reporter.
[36] American Express noted in evidence to
the Committee that the internet is likely to be an “explosive”
growth area for their business in the near future. Transcript of evidence,
American Express International Inc., p. 135.
[37] Transcript of evidence, Queensland
Health, p. 28.
[38] Transcript of evidence, Professor
William Caelli, p.55: `Just recently, university researchers in the United
States—Princeton's University's safe Internet programming team—published
a statement. University researchers say they've found a security flaw
in Java that allows a malicious applet to circumvent all security controls
…After disabling the security controls, the applet can do whatever
it likes on the victim's machine, including arbitrary reading, modifying,
or deleting files.'
[39] Submission No.27, Tenants' Union
of Queensland Inc., pp. 485-487.
[40] Submission No.19, Tenants Union
of Victoria, p. 395.
[41] Submission No.2, Access Community
Housing Association Inc., p. 6.
[42] Submission No.27, Tenants' Union
of Queensland Inc., p. 463.
[43] Submission No.18, Tenants Union
of NSW, p. 388.
[44] Submission No.12, Brisbane Inner
Northside Housing Service, p. 328.
[45] See for example, Submission No. 15,
Tenants Advice Service, p. 350.
[46] Submission No.1, Near North Housing
Service, pp 1-2.
[47] Submission No.54, Tenancy Information
Centre Australasia, pp.1058-1059.
[48] Submission No. 55, Remington White
Australia Pty Ltd, pp. 1083-1085.
[49] Submission No.55, Remington White
Australia Pty Ltd., pp. 1085-1086.
[50] Submission No. 55, Remington White
Australia Pty Ltd, p. 1087.
[51] The Australian Law Reform Commission noted
the `growing tendency for services formerly undertaken by government agencies
to be contracted out to private sector organisations, creating anomalies
between the accountability of service providers on the basis of whether
they are a public or private sector entity.' Submission No.49,
Australian Law Reform Commission, p. 831.
[52] Submission No. 51, Human
Rights and Equal Opportunity Commission, p. 867.
[53] Submission No. 37, Public
Interest Advocacy Centre, p. 651. The reference is to the Australian Law
Reform Commission and Administrative Review Council's Report, Open
Government: a review of the federal Freedom of Information Act 1982,
1995. For further discussion on the relationship between the FOI Act and
the Privacy Act see Chapter 6, Paragraphs 6.68 et seq.
[54] Senate Community Affairs References Committee,
Access to Medical Records, June 1997, Recommendation 3.
[55] Senate Community Affairs References Committee,
Access to Medical Records, June 1997, Recommendation 5.
[56] Senate Community Affairs References Committee,
Access to Medical Records, June 1997, Recommendation 6.
[57] Senate Community Affairs References Committee,
Access to Medical Records, June 1997, p. 46.
[58] High Court of Australia, 186 CLR 71.
[59] Senate Legal and Constitutional Legislation
Committee Inquiry into the Genetic Privacy and Non-discrimination Bill
1998.
[60] Genetic Privacy and Non-discrimination
Bill 1998, Second Reading Speech, p. 592.
[61] See below Paragraphs 2.87 – 2.90,
Chapter 4, Paragraph 4.17, and Chapter 6 for further discussion of some
of the shortcomings of the Privacy Amendment Bill 1998.
[62] Submission No. 29, Pacific
CDL, p.500, Transcript of evidence, Pacific CDL, pp. 152-153; Submission
No. 43, Australian Bankers' Association, p. 741.
[63] Submission No. 38, Telstra,
p. 676. Telstra provides no evidence for the assertion that “most
private sector organisations…have established procedures for the
resolution of customer complaints”. The 1997 Price Waterhouse Privacy
Survey revealed that 38% of companies surveyed had privacy policies currently
in place, while 45% had only guidelines (p. 5). The survey also revealed
that 50% of companies surveyed had operational procedures and guidelines.
[64] See especially Chapter 5.
[65] Submission No. 49, Australian Law
Reform Commission, p. 831. In addition, the Commission has considered
privacy issues when it reported on the Commonwealth's disability services
legislation, aged care, and child care legislation.
[66] Submission No. 49, Australian Law
Reform Commission, p. 832. See also Transcript of evidence, Australian
Law Reform Commission, pp 224, 228-229.
[67] Privacy Protection in the Private Sector,
Attorney-General's Department, Canberra, 1996.
[68] Privacy Protection in the Private Sector,
Attorney-General's Department, Canberra, 1996, pp. 1-2. In December 1994
the report of the Broadband Services Expert Group recommended that the
privacy of users of advanced networks be protected by developing a “self-regulatory
scheme for network participants within the framework of the Privacy Act”.
In addition, in 1995 the House of Representatives Standing Committee on
Legal and Constitutional Affairs released In Confidence: A report of
the inquiry into the protection of confidential personal and commercial
information held by the Commonwealth. This report recommended, unanimously,
that the Information Privacy Principles contained in the Privacy Act
1988 be extended to the private sector by way of a national privacy
code. As well, in August 1995 at the meeting of the National Information
Services Council, the legal issues group recommended that “Comprehensive
privacy laws … should apply to the new information environment. The
most practical response is to extend the operation of the Privacy Act.
[69] In 1995, the Senate Economic References
Committee in its report, Connecting you now … Telecommunications
Developments Towards the Year 2000, recommended a legislative safety
net be established. The Committee recommended that this involve an expansion
of the Information Privacy principles contained in the Privacy Act,
so that they included principles addressing the new telecommunications
privacy risks and that these principles should be applied to both the
public and private sector. In June 1997 the Senate Community Affairs References
Committee recommended in its report, Access to Medical Records,
that the Commonwealth enact privacy legislation that covers the private
health sector. As well, the Senate Finance and Public Administration References
Committee considered the privacy implications of contracting out in its
May 1998 report, Contracting out of Government Services. In May
1998 the Joint Committee of Public Accounts and Audit issued Report
360: Internet Commerce: To buy or not to buy? The Committee rejected
the Cabinet arguments that a legislated scheme would increase costs for
business and that there was no need for a legislated scheme. Considerations
such as this, and doubts about the efficacy of self-regulation, led the
Joint Committee to conclude that “there is overwhelming evidence
for legislation”(p.200) The Committee went on to say that `a legislated
regulatory privacy regime will be more effective than a self-regulatory
approach. Privacy legislation for the private sector will ensure better
coverage, receive international recognition, and will discourage state
governments from passing their own legislation (p.202). As a result of
its inquiry the Committee recommended: 'That the Australian Government
introduce privacy legislation, with specific reference to information
communications, to govern the use of personal information in the private
sector.'(p.203).
[70] See for example, Submission No 39,
Credit Union Services Corporation, pp. 681-682.
[71] Terms of reference 1(a).
[72] See below, Chapter 3, Paragraphs 3.54-3.90.
[73] See for example Submission No. 43,
Australian Bankers Association, p. 736.
[74] See below, Chapter 3, Paragraphs 3.68
- 3.85.
[75] Transcript of evidence, Australian
Law Reform Commission, p. 224.
[76] A more detailed discussion of the implications
of the European Data Directive is contained in Chapter 3, and see also
Chapter 5.
[77] Submission No. 51, Human Rights
and Equal Opportunity Commission, p. 876. The New Zealand Privacy
Act 1993 is administered by a Privacy Commissioner. Codes may be developed
either by a particular organisation or the Privacy Commissioner, or through
cooperation between them. The New Zealand privacy regime provides for
enforcement of the codes in the case of non-compliance.
[78] Submission No. 7A, Australian
Privacy Charter Council, pp. 287 - 288.
[79] Liberal and National Parties' Law and
Justice Policy - February 1996.
[80] Liberal and National Parties' Law and
Justice Policy - February 1996.
[81] Attorney-General's Department, Privacy
Protection in the Private Sector, 1996.
[82] For a more detailed discussion on the
Co-regulatory system see Chapter 7.
[83] Prime Minister, “Privacy Legislation”,
Press Release, 21 March, 1997.
[84] Answer provided by the Attorney-General
to a Question on Notice, Senate Hansard, 24 September, 1997, p.
6922; and see also Senate Hansard, 27 October, 1997, p. 8170.
[85] The decision was `preceded by an analysis
of the submissions received in response to the … discussion paper,
Privacy Protection in the Private Sector, and other consultations
by Government with industry and other relevantly interested parties”
Senate, Hansard, 27 October, 1997, p. 8170.
[86] The reason for not proceeding with legislation,
that is, the wish to reduce the regulatory burden on business, especially
small and medium size businesses, was reiterated in the Senate, Hansard,
27 August, 1997, p. 5829; Senate, Hansard, 24 September, 1997,
p. 6922; Senate, Hansard, 27 October, 1997, p. 8170. The cost of
this burden was not discussed. The issues of cost are considered further
in Chapters 7 and 8 below.
[87] Senate, Hansard, 27 August, 1997,
p. 5829. See also Senate, Hansard, 13 May, 1997, p. 3150.
[88] Submission No. 51, Human Rights
and Equal Opportunity Commission, p. 861.
[89] Information Privacy in Australia: A
National Scheme for Fair Information Practices in the Private Sector
(1997).
[90] House of Representatives, Hansard,
1 April, 1998, p. 2097.
[91] Submission No. 51, Human
Rights and Equal Opportunity Commission, p. 863. The Committee received
testimony from Mr Chris Connolly, Coordinator, Campaign for Fair Privacy
Laws, who stated that consumer and privacy advocates had boycotted discussions
concerning the implementation of the National Principles. They
had done this because they did not wish to give the appearance of support
for the Commissioner's process, which would not involve the discussion
of legislation [which they supported] and their participation in the process
of developing the National Principles had been mis-represented
in press releases issued by the Attorney-General. These press releases
indicated that consumers did support the initiatives of the Privacy Commissioner,
which in fact all the consumer groups supported was the development of
the National Principles. Transcript of evidence, Campaign
for Fair Privacy Laws, p. 141.
[92] Submission No. 51, Human
Rights and Equal Opportunity Commission, p. 863. The National Principles
are discussed more fully in Chapter 5.
[93] Prime Minister, “Privacy Legislation”,
Press Release, 21 March, 1997.
[94] Chief Minister of the Northern Territory,
Correspondence to Committee, 5 August 1998.
[95] Victorian Government, Discussion Paper:
Information Privacy in Victoria: Data Protection Bill, July, 1998.
See also Submission No. 41, Australian Chamber of Commerce
and Industry, pp. 715-716.
[96] Submission No.62 , Victorian Minister
for Multimedia, p. 1529.
[97] Premier of Tasmania, Correspondence to
Committee, 13 July 1998.
[98] House of Representatives, Hansard,
5 March, 1998, p. 534.
[99] Submission No. 51, Human
Rights and Equal Opportunity Commission, p. 961.
[100] This bill is considered in further detail
in Chapter 6.