Chapter 4
Privacy protection in Australia: current standards – legislation
and law
Introduction
4.1 This and the following chapter examines the nature of the privacy
protection measures currently existing in Australia; the extent to which
they cover the private sector, and their adequacy relative to the standards
set out in Chapter 3.
4.2 Privacy protection in Australia derives from a combination of legislation,
common law doctrines and self-regulatory measures that vary in coverage
and content between State/Territory and Commonwealth jurisdictions. Consequently,
Australia does not have a standard, nationally consistent, privacy protection
“system”. [1]
Legislation
4.3 There is a considerable body of legislation at both the state and
Commonwealth level that impacts upon the protection of privacy. In her
submission, the Privacy Commissioner states that:
…hundreds of individual statutes in State and federal jurisdictions
provide limited privacy protections for personal information, …
Most of these are limited to secrecy provisions that prohibit the unauthorised
disclosure by public servants of information they access in the course
of their duties. [2]
4.4 The Committee also notes the relevance of freedom of information
legislation which exists in all jurisdictions except the Northern Territory,
providing access to personal information held by government bodies.
Commonwealth
4.5 The pre-eminent privacy protection legislation in Australia is the
Privacy Act (Cth) 1988, which provides protection for personal
information held by most Commonwealth and ACT government agencies. The
act includes 11 privacy principles, which are derived from the OECD's
Guidelines on the Protection of Privacy and Transborder Flows of Personal
Information. It also established the independent statutory office
of the Privacy Commissioner, with powers of auditing, monitoring, reporting
and complaint resolution in relation to the Commissioner's functions.
[3]
4.6 Some agencies, such as the intelligence organisations, are exempt
from the provisions of the Privacy Act, while others are exempt
in respect of certain activities, such as commercial activities. From
the commencement of its operation the Act has been used to regulate the
collection, storage, use and security of tax file number information,
and in 1991 the Act was amended to cover consumer credit information
by regulating the handling of such information by credit reporting agencies
and credit providers. More recently, the Act was amended to apply to contracted
case managers for the long-term unemployed (eligible employment service
providers) under the Employment Services Act 1994. The Privacy
Act 1988 also applies to hearing service providers, under the Hearing
Services and AGHS Reform Act 1997. [4] Limited
inroads have also been made by legislation into the telecommunications
sector, with the Telecommunications Act 1997 (Cth) providing for
the involvement and jurisdiction of the Privacy Commissioner in relation
to certain sections. [5] Other relevant legislation
includes the Telecommunications (Interception) Act 1979.
States and Territories
4.7 Detailed privacy legislative protection is currently limited in the
States and Territories. Victoria, Queensland, Western Australia, South
Australia and the Northern Territory lack any general privacy legislation
applicable to the private sector. Only New South Wales and the Australian
Capital Territory have any degree of legislative protection of privacy
in the private sector, with the Privacy Committee Act 1975 (NSW) establishing
the Privacy Committee, and the Health Records (Privacy and Access)
Act 1997 (ACT). Both of these acts provide limited coverage.
4.8 A more detailed examination of current state/territory legislation
is provided in the Human Rights and Equal Opportunity submission, [6]
and the submission by Xamax Consultancy Pty Ltd. [7]
State and Territory government reaction to the Commonwealth changes in
1996-1998 is outlined in Chapter 2.
4.9 Evidence to the Committee has suggested clearly that the advent of
modern technology makes state-specific legislation out of date, even before
it has been developed. The basic reason is that information transfer and
use will rarely be confined to one geographic area, and the needs of business
are unreasonably hampered by adherence to multiple legislation, particularly
if it varies:
The evolution in communication technology is effectively making redundant
privacy laws that apply to only one State jurisdiction. The only possible
solution is to limit the transfer of data to other jurisdictions that
have similar privacy safeguards … The obvious problem with taking
this approach within Australia is that it would lead to the `balkanisation'
of data communication within our country … The effect of legislation,
while necessary, runs counter to the whole information technology revolution.
[8]
4.10 The effect of the mix of Commonwealth and state/territory legislation
is a lack of uniformity and consistency, two features which most commentators
on privacy regulation prize. [9] Much of the
concern expressed about the current situation relates to the belief that
it is important to avoid what has been described as the patchwork response,
characterised by a plethora of acts or other codes and guidelines.
4.11 It has also been argued that the failure of the current government
to take decisive action, and indeed, its apparent neglect of majority
opinion on privacy issues, has contributed directly and indirectly to
the patchwork effect. While there was some willingness by states to leave
the issue of privacy to the Commonwealth, the change in attitude from
1996, and to some extent the relatively limited progress made since then,
has led some states to plan legislation – the very approach which
the Commonwealth government and the industry sector did not want. [10]
4.12 As one witness has stated `the existence of inconsistent rights
across the states is undesirable':
Such fundamental rights as privacy and access should not depend on
the accident of which state boundaries one was born within. [11]
Effectiveness of privacy protection offered by existing legislation
Accessibility
4.13 According to the guidelines outlined at Chapter 3, current Commonwealth
legislation does not meet best practice standards. The legislation does
contain a series of principles – the Information Privacy Principles
(IPPs)– but these do not extend to the private sector except in certain
limited areas.
4.14 Insofar as the legislation has primarily affected the public sector,
it has been seen as increasing access by the community to an avenue of
information, education and complaint handling that was previously lacking.
Adequacy of coverage
4.15 The existing legislation has substantial gaps in coverage, quite
apart from limited coverage of the private sector:
- substantial amounts of sensitive information are collected about individuals
by organisations or individuals, and are subject to limited legislation;
[12]
- only Commonwealth bodies are affected; many professional groups are
not affected by any privacy legislation at all, although they may be
subject to state based bodies, such as board of inquiry or health and
legal complaints bodies;
- many organisations which hold extremely personal information reside
in an uncertain world of the `not for profit' organisations which appear
to be exempt at many levels. [13]
4.16 In referring to the proposed extension of the legislation to agencies
which undertake outsourced work, for example, the Mental Health Legal
Centre Inc noted that the proposed amendments would not improve the access
to information or the privacy standards of some such organisations:
Disability employment agencies, for example hold very sensitive information
concerning consumers, and many people are concerned about the uses to
which such information will be put and the level of security applied
to it.
Indeed the fact that health care and disability support services funded
by the Government are not covered highlights its inadequacy… [14]
4.17 The Second Reading speech for the Privacy Amendment Bill 1998
perpetuates this position by specifically excluding from its coverage
those `not for profit' bodies which have previously been involved in service
provision:
There are some services which it would be inappropriate for these amendments
to cover. For example, the Commonwealth has, for many years, provided
funding to volunteer and community organisations to assist them in the
delivery of services. Although many such funding programs are referred
to as grants, increasingly organisations in receipt of such funding
are required to enter into contracts, to ensure proper financial and
other accountability. The bill …does not extend coverage to contractors
providing `excluded funded services', which are listed in the proposed
new Schedule 3 to the Act. [15]
Content of Privacy Principles (IPPs)
4.18 As has been demonstrated, the limited scope and effectiveness of
the existing legislation already causes problems for the protection of
privacy. Criticisms have been made that suggest fundamental limitations
to the effectiveness of current legislation and the Privacy Act in particular.
4.19 The major criticisms of the existing legislative regime at Commonwealth
level are that its scope is too narrow and that the IPPs, which form the
basis of the act, are inappropriately framed and fail to take account
of recent developments in technology.
Unable to meet modern technological demands
4.20 As a result the IPPs are seen as being out of date and incapable
of protecting privacy, especially in the face of the challenges posed
by recent technological developments. Dr Roger Clarke advised the Committee
that:
The protections provided by conventional laws [such as the Privacy
Act 1988 (Cth)] are, however, insufficient for the 21st century because
the OECD's 1980 Guidelines, on which they are based, relate to the context
of the 1970s; and there have been massive advances in information technology
since then” [16]
4.21 The development of the internet and the ready access to new computer
technology has posed new privacy issues for existing legislation. [17]
Many of the major issues which have to be addressed in an electronic age
relate to matters such as:
- rights to anonymity and pseudonymity – that is, a right to engage
in anonymous and pseudonymous transactions wherever this is consistent
with the public interest;
- a right not to be indexed, for example, through the creation of dossiers
based on publicly available data;
- a right to encrypt data so as to protect privacy;
- a right to human checking of adverse automated decisions and to have
them explained. [18]
4.22 These are issues which have been addressed to some extent by the
National Privacy Principles, and there is no reason why the IPPs could
not be similarly updated.
4.23 The Committee has received evidence suggesting that the IPPs give
too much emphasis to the handling of information and do not adequately
address the use to which information can be put. For example, [19]
information collected by government for one purpose, can legally be used
for an entirely different purpose by the private or public sector, without
the consent of the data subject: an instance of this was the proposal
that identified information from the Australian Childhood Immunisation
Register be used by Centrelink staff to determine entitlements for child
care assistance. [20]
4.24 Some of these proposals are purely commercial, but they are not
illegal and merely reflect the enterprising nature of some industry sectors
and, possibly, the lack of foresight of local councils or others who have
collected such information.
4.25 In cases where government agencies seek to utilise data collected
for one purpose in order to meet another objective, particular care should
be taken to ensure that there is legislative authority for such action.
The use of various databases by government is not unusual, but it is generally
specifically authorised. This does not necessarily overcome the objection
to the use of information for a purpose for which it was not specifically
collected.
Legislation unable to meet the demands of business
4.26 To a degree, much the same complaints are made about the failings
of current legislation by some members of the business sector as are made
by those especially interested in the use of modern technology:
AMP would not welcome the general extension of the provisions of the
existing Privacy Act into the private sector for a number of reasons.
The Privacy Act and its Information Privacy Principles are based on
a model of privacy protection that had the public sector of a different
era in mind; they are inflexible and generally not cognisant of business
practices. In many instances, the purposes for which personal information
is collected, used and disclosed are very different in the private sector.
[21]
4.27 The argument that the IPPs are out of date may well be acceptable,
and considerable evidence was provided to the Committee on this point.
However, the argument that the original intention of the IPPs was for
the public sector only is not in fact accurate. They may never have been
appropriately used for the private sector – although there seems
to be limited objection to their use in respect of credit reporting –
but they were originally intended to cover this arena as well. [22]
Enforcement
4.28 Enforcement of determinations made by the Privacy Commission are
constrained by constitutional limitations. While the Privacy Commissioner's
determinations are enforceable with respect to the Commonwealth, determinations
relating to credit information are unenforceable, except by taking actions
de novo in the Federal Court. [23]
Conclusions
4.29 Currently, legislation cannot be considered an effective part of
privacy protection relating to the private sector. The Committee believes
that current legislation has limited relevance to the protection of privacy
in the private sector, since in almost all cases its application is limited
to government agencies while excluding most private sector operations
and transactions. [24]
4.30 The Committee notes however, that legislative schemes such as the
Privacy Act 1988 do offer the advantages of providing a
clear set of privacy principles and a statutory enforcement system establishing
the office of the Privacy Commission. This does provide better access
for those seeking redress for breaches of privacy.
Problems with legislative protection – a “heavy handed”
approach?
4.31 As is discussed in greater detail below, [25]
many witnesses were opposed to legislation because they associated it
with a total lack of flexibility. Reference was often made to a `heavy-handed'
approach; to `black-letter law'; and a `one size fits all' approach which
would allegedly be the inevitable result of any legislative solution.
4.32 As is noted below, there is no necessary relationship between legislation
and a heavy-handed approach. While there may be problems with the existing
IPPs that make them unsuitable for use in the private sector, many witnesses
believed that it was possible to find a legislative approach that was
not too onerous:
protections need to be inherently adaptive in order to cope with ongoing
and unpredictable developments in information technology and its use;
and it is highly desirable that the costs of compliance be commensurate
with the degree of privacy risk involved. Those industries and practices
that represent only limited threats to privacy should be subject to
less onerous and expensive requirements that organisations whose activities
are significantly intrusive. [26]
4.33 The benefits and disadvantages of the legislative approach are considered
in further detail below. [27]
Common Law protection of privacy
4.34 A second existing mechanism for protecting privacy is through common
law remedies, particularly arising under contract, equity and torts law.
4.35 A legal duty of confidentiality, as contained in a contract, can
confer upon a person some protection of their privacy, as well as remedies
for infringements of that privacy. Such contracts may be written contracts,
or contracts such as those implied into a professional relationship, such
as that between a solicitor and client; employer and employee, or doctor
and patient.
4.36 Privacy protection may also be provided when there is a relationship
of trust between two people. In such cases, a violation of privacy is
characterised by Australian courts as a breach of a duty of confidence.
4.37 The Committee has received some evidence suggesting that the Common
Law can provide adequate protection for privacy, thus negating the need
for any legislative response. In examining this claim, the Committee considered
the role of contract, torts and the law of equity in privacy protection,
and did so in the light of the general criteria for any adequate privacy
protection system:
It is clear that any meaningful analysis of adequate protection must
comprise the two basic elements: the content of the rules applicable
and the means for ensuring their effective application. [28]
The use of contract law to protect privacy
4.38 Contract law can be used to protect privacy, by means of incorporating
privacy principles and procedural requirements into contracts involving
the transfer of personal information.
4.39 This may include cases in which a Commonwealth Department contracts
out the provision of services to a private sector company, and performance
of the contract requires the release to the contractor of personal records.
Since the provisions of the Commonwealth Privacy Act 1988 do not
extend to the private sector providers, these contracts may require the
contracting company to agree to be bound by the provisions of the Privacy
Act 1988 and to abide by decisions of the Privacy Commissioner.
[29]
4.40 Such a contractual system may also serve to protect information
transfers carried out in association with contracts with companies bound
by the EU Directive on Data Protection, [30]
and who are required to ensure the security of personal information. Contracts
could also theoretically comprise an element of either a legislative or
self-regulatory system.
4.41 Where a party to the contract does not abide by the privacy requirements
contained in the specific contract, the other party may commence legal
proceedings for breach of contract, for which the usual range of remedies
are available including restitution, rescission, or damages.
The use of equity and torts law to protect privacy
4.42 Similarly, the Common Law in torts and equity provides some protection
of privacy through the action for breach of confidence. This action is
limited to situations in which the plaintiff can demonstrate the following
requirements:
In my judgement, three elements are usually required if, apart from
contract, a case of breach of confidence is to succeed. First, the information
itself … “must have the necessary quality of confidence about
it”. Secondly that information must have been imparted in circumstances
importing an obligation of confidence. Thirdly, there must be an unauthorised
use of that information to the detriment of the party communicating
it. [31]
4.43 This action is primarily associated with contractual relations in
a commercial context, but has also been extended to less formal relations,
however, according to the Privacy Commissioner, it is clear that “Australia
has not developed a tort of breach of privacy and it seems unlikely that
Australian courts will do so in the foreseeable future”. [32]
4.44 Where the action is established, the remedies available for breach
of confidence include an “injunction, account of profits, delivery
of reports of the information the subject of the action, and damages.”
[33]
Problems associated with Common Law protection of privacy
4.45 The Committee has found significant limitations to the effectiveness
of the Common Law protections of privacy. In particular, the Common Law
does not provide complete and effective coverage, nor does it provide
effective and accessible remedies.
Complete and effective coverage
4.46 A generic criticism of contract, torts and equity is that it fails
to deliver any coherent or comprehensive set of principles that can be
universally applied and understood, or which would comply with the privacy
principles contained in either the Privacy Act 1988 or in
the EU Data Protection Directive. This in part stems from the origins
of the Common Law rules of contract, torts and equity, which were not
intended to create bodies of rights as such, but rather were more limited
legal tools to, in the case of contracts, regulate and formalise agreements
between individuals, and for torts and equity, formulate “liability
in terms of reprehensible conduct rather than of specified interests entitled
to protection.” [34]
4.47 Privacy protection by means of contracts will lack consistency,
and is likely to vary from contract to contract since parties to a contract
are free to incorporate whatever privacy requirements best suit their
purposes. Significantly, though, the individual whose data is the subject
of any such privacy conditions has no opportunity to be involved in the
contractual negotiations. Such contracting freedom is of itself a positive
thing, which the courts have stated is not to be interfered with. [35]
Nevertheless, it does mean that in the absence of statutory contracting
requirements, contract law cannot provide any consistent privacy principles
or rights. To create such legislative controls however, is to adopt the
worst of both worlds by both limiting the inherent flexibility of contracts,
while adopting the least useful model of legislative protection.
Effective and enforceable remedies
4.48 Another general limitation of the Common Law, and where it again
fails to meet the requirements of an adequate privacy protection system,
is in relation to the enforcement of privacy rights.
4.49 This is a particular issue in relation to contract law. Where privacy
rights are breached under the terms of contract, the appropriate remedy
is an action for breach of contract. However, this is problematic under
Australian law due to the operation of the doctrine of privity of contract:
The traditional rule is that only the parties to a contract are legally
bound by and entitled to enforce it. A third party may be benefited
or burdened in fact by performance of the contract, but according to
the privity doctrine only the contracting parties are benefited and
burdened in law by the making of the contract. [36]
4.50 Since data subjects will not ordinarily be parties to a contract
involving the handling of information, any person whose privacy rights
have been infringed must rely on one of the parties to the contract to
bring an action against the other for breach of contract. Thus, in the
case of a contract for contracting out of government services, only the
Department itself can prosecute. This applies even where a contractor
has accepted the jurisdiction of the Privacy Commissioner, since, following
the ruling in Brandy's Case [37] the
Privacy Commissioner is unable to exercise a judicial function:
The problem that has been raised with me as the Privacy Commissioner
… is that they cannot use me for that because my powers do not
extend to the private sector, except in an encouraging and educating
role. So I have no role as a backstop regulator for their self-regulatory
codes, if you like. [38]
4.51 Reliance on contracts between a contracting agency and a contractor
therefore imposes serious practical problems. As the Australian Privacy
Charter Council states:
Attempts to enforce compliance and achieve remedies through enforcement
of contractual terms would be unwieldy and impractical – realistically
a client agency is not going to incur the expense of breach of contract
litigation, or terminate a contract, because of some relatively minor
privacy breach, or even repeated breaches. Reliance on contractual safeguards
is simply too blunt an instrument for dealing with commonplace interferences
with privacy. [39]
4.52 There is also evidence to suggest that, due to the growing effects
of technology, privity will constitute an increasing problem for enforcement
of privacy rights under contract law:
As we move to the new world, the global information infrastructure
we have [has] interspersed a number of other parties into that world
which, indeed, I have no control over. For example, I might be doing
my home banking and I understand my relationship with my bank. …
But in between there are a number of relationships and business entities
about whom I have very little knowledge, and even, possibly, no direct
business or legal relationship. [40]
4.53 The courts have been prepared to find limited exceptions to the
doctrine of privity of contract, through, for example the creation of
a trust on a contractual promise, or via the application of the doctrine
of unjust enrichment. [41] Nevertheless, contract
law in Australia currently would seem to preclude the use of contractual
remedies as a means for a data subject to take legal action to seek redress
for breaches of privacy rights arising under a contract. The Committee
notes that this problem has led to a legislative response in other jurisdictions
to provide for limited rights for third party enforcement of contractual
rights. [42]
4.54 In the case of contracts entered into by Australian companies with
companies in the European Union, the situation becomes even less acceptable.
As stated above, Article 26(2) of the EU Data Protection Directive allows:
… a Member State to authorise a transfer or set of transfers to
a non-adequate third country `where the controller adduces adequate
safeguards with respect to the protection of the privacy and fundamental
rights and freedoms of individuals and as regards the exercise of the
corresponding rights'. The provision goes on to specify that `such safeguards
may in particular result from contractual clauses. [43]
4.55 The EU plainly does not favour this approach, and has noted that
“in Europe, the tendency historically has been for data protection
rules to be embodied in law.” [44] The
Committee also notes that where the contractual option is used, the EU
has quite high expectations of the degree of protection required, which
may significantly limit the degree of control Australian companies are
able to exert over the information received, and on the uses to which
the information would be put:
Bearing in mind we are dealing with cases of inadequate general protection,
the preferred solution would be for the contract to set down the way
the recipient is to apply the basic data protection principles in such
detail that, in effect, the recipient of the transfer has no autonomous
decision-making power in respect of the transferred data, or in the
way in which they are subsequently processed. … The transferrer
thus remains the data controller, while the recipient is simply a sub-contracted
processor. [45]
4.56 This approach has two immediate implications. The first is that
such a contractual approach may be applicable to certain types of business
operations, but impose quite onerous obligations in other circumstances:
Contracts may prove [sic] insufficiently direct liability and may need
to be supplemented by arrangements for external verification such as
compliance audits. Provision for these could be readily incorporated
in transfer contracts but would hardly be cost-effective for other than
very large volume and continuing transfers. [46]
4.57 The second factor, arising from the first, is that enforcement action
for breach of contract would seem most likely to be pursued subject to
EU law, and in an EU member state.
4.58 Both of these factors suggest to the Committee that reliance on
a contract based scheme of protection for the purposes of complying with
the EU Data Protection Directive is most likely to result in considerable
burdens for smaller companies. This aspect has been noted by several witnesses
to the Committee:
… We will still see SMEs [Small to Medium Enterprises] in Australia
being disadvantaged by the complexity and cost of negotiating case-by-case
contracts. [47]
4.59 Similar points have been made in other information provided to the
Committee:
In many cases, specific contractual clauses will be an expensive option
and more generalised measures to secure “adequate protection”
are preferable. [48]
A contract is particularly suited to situations where data transfers
are similar and repetitive in nature. The difficulties regarding supervision
mean that a contractual solution may be most effective where the parties
to the contract are large operators already subject to public scrutiny
and regulation. Large international networks such as those used for
credit card transactions and airline reservations demonstrate both of
these characteristics and this are situations in which contracts may
be most useful. [49]
4.60 Other enforcement problems apply to all types of Common Law actions.
Since all are reliant on litigation, anyone seeking redress for violations
of their privacy must face long and expensive court actions, which become
all the more hazardous an undertaking given the unclear law applicable
to some of the actions described above. This was pointed out to the Committee
by a solicitor of the Mental Health Legal Centre:
The previous speaker talked about the fact that people can take civil
action in relation to breaches of confidentiality whether it be for
a breach of contract or equitable actions for a breach of confidence.
That is all very well in theory but, particularly when you are talking
about people who are socially disadvantaged, those sorts of remedies
are not accessible when they have to be pursued through the courts.
[50]
The Common Law – conclusions on effectiveness
4.61 For these reasons the Committee concludes that the Common Law does
not meet the adequacy criteria for a system of privacy protection, either
for use within Australia or as a means of complying with the EU Data Protection
Directive. As the Privacy Commissioner concluded in her submission:
In general, common law offers patchy protection at best for the privacy
rights of Australians. Large areas of activity are not covered in any
way at all. Where the common law could apply it is complicated, uncertain
and expensive to enforce, partly due to the fact that it grew out of
the law relating to property and commercial transactions. [51]
Conclusions
4.62 Measured against the criteria established in Chapter 3, the Committee
concludes that legislation and common law protections over privacy in
Australia are inadequate.
4.63 Overall, Australia's existing legal frameworks are only partial
in their coverage and vary widely across jurisdictions. [52]
Access to remedies and enforcement is uncertain. Moreover, the current
arrangements fail to meet the needs of the private sector or to protect
the rights of consumers.
4.64 The Committee also notes that existing inadequacies at the federal
level are likely to prompt the emergence of legislative responses at a
state and territory level. [53] As noted, both
New South Wales and Victoria intend to legislate, increasing the likelihood
that an already fragmented national approach will become worse. As the
Australian Bankers Association advised the Committee:
It [state legislation] is very likely to cause a spill – other
states will want to do the same thing – and we will end up with
the very patchwork that we have been working with the Privacy Commissioner
so very hard to avoid. [54]
4.65 It may be, that in seeking to avoid consistent national, legislation,
some industry groups may have to contend with that scenario which they
least wish – a patchwork system, with multiple requirements.
Footnotes
[1] The then Privacy Commissioner commented:
`Overall Australia's existing legal frameworks for the protection of personal
information are only partial in their coverage and vary widely across
jurisdictions.' Submission No. 51, Human Rights and Equal Opportunity
Commission, p. 884.
[2] Submission No. 51, Human Rights and
Equal Opportunity Commission, p. 880.
[3] Submission No. 51, Human Rights and
Equal Opportunity Commission, p. 880.
[4] Submission No. 49, Australian Law
Reform Commission, p. 832, and Explanatory Memorandum to the Privacy Amendment
Bill 1998, p. 3.
[5] Telecommunications Act 1997, Part
6, Div. 5 s 134: Part 13, Div. 5 s 309.
[6] A more detailed examination of current state/territory
legislation is provided by the Privacy Commissioner, see Submission
No. 51, Human Rights and Equal Opportunity Commission, pp.
881 - 883.
[7] Submission No. 40, Xamax Consultancy
Pty Ltd.,pp. 696, 699.
[8] Submission No. 39, Credit Union Services
Corporation, p. 682.
[9] See especially Chapters 5-7.
[10] Submission No.46, Campaign for
Fair Privacy Laws, p.766.
[11] Submission No.50, Mental Health
Legal Centre Inc, p. 847.
[12] See below, Chapter 6, Paragraph 6.20
[13] This is discussed below at Chapter 6.
[14] Submission No.50, Mental Health
Legal Centre Inc, p. 850
[15] Privacy Amendment Bill 1998, Second
Reading Speech, p. 3.
[16] Submission No. 40, Xamax Consultancy,
pp. 1, 8, 14. See also “The Australian Privacy Act 1988 as an Implementation
of the OECD Data Processing Guidelines”, available at
and “Flaws in the Glass; Gashes in the Fabric” available at
.
[17] Submission No. 33, Professor Greenleaf,
pp.560-561.
[18] Submission No. 33, Professor Greenleaf,
pp.560-561
[19] The example given refers to Commonwealth
government departments which are covered by current legislation. However,
state and local government agencies are not, and may sell `personal' information
that is not widely available, even though it is collected for administrative
purposes. One example was the sale by local councils to private enterprise
of information provided by dog owners when registering their dogs. Submission
No. 29, Pacific CDL, p. 499, and Transcript of evidence,
Pacific CDL, p. 150. Nonetheless, there is nothing to prevent data collected
by the Commonwealth and published in one format from being used and amalgamated
with other data, by a commercial operation.
[20] Submission No. 51, Human
Rights and Equal Opportunity Commission, p. 892.
[21] Submission No. 53, AMP, p. 1054.
[22] Transcript of evidence, Australian
Law Reform Commission, p. 232.
[23] This is the result of Harry Brandy
v Human Rights and Equal Opportunity Commission and Ors 183 CLR 245,
in which it was held that determinations and orders under the Racial Discrimination
Act were unconstitutional because such determinations involved the use
of a judicial power, which the Commissioner did not have. See above, Chapter
3, Paragraph 3.28.
[24] See below, Chapter 7
[25] See below, Chapter 5.
[26] Submission No. 40, Xamax Consultancy,
p. 700
[27] See below, Chapters 5 and 7. Chapter 7
offers a detailed examination of industry attitudes to regulation.
[28] EC Working Document – Transfers
of personal data to third countries: Applying Articles 25 and 26 of the
EU data protection directive, p. 5.
[29] In 1994, the Privacy Commissioner issued
guidelines entitled Advice for Commonwealth Agencies Considering Contracting
Out (Outsourcing) Technology and Other Functions, which suggests privacy
clauses and gives general advice to agencies concerning privacy when outsourcing.
According to the Explanatory Memorandum to the Privacy Amendment Bill
1998 (p. 4) these draft clauses are still widely used by agencies
in formulating their contracts.
[30] As per the exception set out in Article
26(2) of the European Data Protection Directive.
[31] Coco v A N Clark (Engineers) Ltd
[1969] RPC 41 per Megarry J, referred to in Heydon, Gummow and Austin,
Cases and Materials on Equity and Trusts, p. 66.
[32] Submission No. 51, Human Rights
and Equal Opportunity Commission, p. 879.
[33] Submission No. 51, Human Rights
and Equal Opportunity Commission, p. 879.
[34] Fleming, The Law of Torts in Australia,
p. 665.
[35] Trident General Insurance Co Ltd v
McNiece Bros Pty Ltd (1988) 62 ALJR 508, per Mason CJ and Wilson J
at 511 – 515.
[36] Carter, Harland and Lindgren, Cases
and Materials on Contract Law in Australia, p. 351.
[37] Brandy v Human Rights and Equal Opportunity
Commissioner 183 CLR 245. See above, Chapter 3, Paragraph 3.28, and
Chapter 4, Footnote 23.
[38] Transcript of evidence, Human Rights
and Equal Opportunity Commission, p. 80.
[39] Submission No. 7A, Australian Privacy
Charter Council, p. 284. The limitations of contract law as a means of
effective enforcement are also explicitly recognised in the Explanatory
Memorandum to the Privacy Amendment Bill 1998, p. 6.
[40] Transcript of evidence, Professor
Caelli, p. 61.
[41] See Trident General Insurance Co Ltd
v McNiece Bros Pty Ltd (1988) 62 ALJR 508, per Deane J and Gaudron
J respectively.
[42] See for example, the Contracts (Privity)
Act 1982 in New Zealand, and Property Law Act 1969 (WA) S.11,
and the Property Law Act 1974 (QLD) S.55. Note also the recommendations
of the Australian Law Reform Commission in Report Number 20, Insurance
Contracts.
[43] EC Working Document – Preliminary
views on the use of contractual provisions in the context of transfers
of personal data to third countries, p. 2.
[44] EC Working Document – Transfers
of personal data to third countries: Applying Articles 25 and 26 of the
EU data protection directive, p. 5.
[45] EC Working Document – Preliminary
views on the use of contractual provisions in the context of transfers
of personal data to third countries, p. 7.
[46] Submission No. 7, Australian Privacy
Charter Council, p. 281.
[47] Transcript of evidence, Nigel Waters,
pp. 103-104.
[48] Submission No. 60, European Commission,
p. 1356.
[49] EC Working Document – Preliminary
views on the use of contractual provisions in the context of transfers
of personal data to third countries, p. 11.
[50] Transcript of evidence, Mental
Health Legal Centre, p. 166.
[51] Submission No. 51, Human Rights
and Equal Opportunity Commission, p. 880.
[52] Submission No. 51, Human
Rights and Equal Opportunity Commission, p. 24.
[53] See also Submission No. 16, Vonaldy
Pty. Ltd., p. 374: `The absence of national legislation has already led
to a mixture of state regimes, which range from bodies like the NSW Privacy
Committee and similar ones in other states, to proposed legislation in
Victoria … Other states could be expected to react differently in
approach and coverage.'
[54] Transcript of evidence, Australian
Bankers Association, p. 273.