Privacy in the Private Sector

Chapter 5

Privacy protection in Australia – current standards – self regulation

Introduction

5.1 The Committee received evidence supporting and rejecting self-regulation of privacy by the private sector.

5.2 A major factor inhibiting the discussion of self-regulation was that it was not clearly defined. The Committee believes it is essential to clarify exactly what is meant by the term `self-regulation', and has examined the use of this term in various categories of submissions. On consideration, the Committee is of the view that there is very little pure self-regulation in existence, and that there may in fact be greater agreement between parties than would appear at first sight as to the preferred level of privacy protection.

5.3 The Committee believes that a high standard of privacy protection does not necessarily impose significant financial or administrative burdens, nor does it make companies uncompetitive. At the same time, it is essential that standards demanded are not so high that they fail to meet the needs of consumers or any legitimate expectations of business and other bodies. The debate on self-regulation must go beyond the narrow limits of self-interest, and demonstrate awareness of the best ways of meeting the needs of the community in general.

Definition of self-regulation

5.4 In examining the submissions and evidence provided to the inquiry, the Committee considered that a major problem was the absence of a definition agreed to by all parties. The definition of `self-regulation' that has been adopted in this report is:

• The practice of an organisation or group of like organisations voluntarily selecting, adopting and enforcing rules to produce compliance with a defined level of behaviour, without direct legislative interference by government.

5.5 In this definition the key factor is that there is no direct legislative interference or involvement by government. The components of the code or scheme may have different sources, but they are not established within a legislative framework. Thus, although the contents of information privacy principles are also crucial to any self-regulatory scheme accepted by some industry groups, the most important single feature is the absence of a legislative framework.

5.6 The existence of some legal limits in existing self-regulatory schemes may be considered as making these co-regulatory rather than self-regulatory. In a sense, this is true insofar as parts of the operations of some industry sectors are subject to the provisions of the Privacy Act 1988, and the crucial component of the best-known (proposed) co-regulatory scheme (outlined in Privacy Protection in the Private Sector [1]) was the existence of a legislative framework. Notwithstanding such limitations to a percentage of their operations, some industries appear to consider that self-regulation does dominate when only a part of their operations are so limited. The other sectors may be governed by various principles, but these cannot easily be enforced by law.

5.7 This separation of principles from a specific legal framework must necessarily place considerable onus on the force of the principles themselves and on the process by which any breach of principles can be addressed, either by the industry body itself or by any party adversely affected.

The characteristics of the self-regulated system

The role of legislation and other legal remedies is limited

5.8 The role of existing legislation and legal principles as a part of the current framework of privacy protection has been outlined above in Chapter 4. These will still remain in force with the development of a self-regulation model, which is able to accommodate some legislative restrictions if these are part of a pre-existing arrangement, or a part of established legal principle.

5.9 The banking sector, for example, considers that the National Principles would form a part of its contractual relationship, [2] and thus would be enforceable through the ability of the customer to take legal action. [3] The provisions of existing legislation are expected to continue. [4]

Legislation is seen as rigid, inflexible and out-of-date

5.10 Opposition to privacy legislation for the private sector by some industry groups and by the Attorney General was marked by a correlation of legislation with `heavy handedness', as compared with the non-legalistic, flexible approach offered by self-regulation:

The Government believes that the imposition of a heavy-handed regulatory approach to addressing privacy is not necessary and accordingly the principles are not intended to be legalistic rules. [5]

5.11 Other versions of the `heavy-handed legislation' approach were the `black-letter law' and the `wait and see' approaches. The first emphasises that a legislative framework is likely to be `black-letter' law, which appears to be seen as rigid and inflexible:

…there has been a rejection of the `one size fits all' black letter law approach, in favour of a framework adaptable to the needs of particular industries and consumers. [6]

5.12 The second approach suggests that there is no point looking at legislative frameworks because industry has spent substantial time on self-regulation (primarily, it seemed, the National Principles) and noted that it did not wish to have its time wasted [7] - `this process should run its course.' [8]

5.13 Evidence to the Committee suggested that much of the current Commonwealth privacy legislation is ineffective because it predates technological development, and especially because it can't accommodate modern business practice. [9] In particular the IPPs which were an integral part of the legislation were out of date and unable to meet the needs of business: [10]

Extension of the Commonwealth privacy legislation to the private sector is opposed. Such legislation was not designed for the needs of the private sector and ignores the varying operational requirements of different industries in the private sector. [11]

5.14 There appears to have been no suggestion made that:

• the legislation could be amended to take account of this, introducing a range of much more flexible principles to accommodate the needs of business; and
• as the public sector in Australia is increasingly being privatised or requested to behave as though it is a private body, the existing legislation may be inappropriate for the public sector as well (the proposed amendments to the Privacy Act 1988 possibly not going far enough to meet changes). [12]

5.15 It may be more effective and cost efficient to change the legislation altogether, rather than piece by piece:

The boundaries between the public and the private sectors are becoming increasingly blurred with corporatisation, privatisation and outsourcing, and it no longer makes sense, if it ever did, to single out activities performed by government agencies for special treatment. [13]

5.16 However, this approach was not supported by some elements of the industry sector. The emphasis appeared more on avoiding legislation than reforming it.

5.17 There is nothing inherently heavy handed in legislation; the key point is that the nature of the legislation depends on its requirements. However, the emphasis by some industries on such a correlation tended to obscure the fact that the restrictions imposed by existing legislation on industry is minimal. [14] It is possible that existing legislation could also be amended to remove what may be seen as restrictions and add more appropriate provisions.

5.18 From the viewpoint of some consumers, a further concern is that if some existing legislation such as the Telecommunications Act is seen as rigorous, or `heavy-handed', there will be pressure to weaken it in order to conform with the weaker requirements from a self-regulating scheme. In such an instance, the argument of uniformity and consistency may be used to water down, not maintain, existing law. There may be little pressure to ensure that agreed self-regulatory codes step up their standards to conform to existing legislation.

5.19 The opposition to the `imposition' of `heavy handed legislation' and `legalistic' practices is reinforced by the suggestion of some industry groups that industry has an inherent tendency to self-regulate. This approach suggests that all organisations manage themselves appropriately and automatically do so to the maximum benefit of all parties. However, it may be the case that development of a satisfactory model of self-regulation has more to do with the nature of some industries rather than being an inherent characteristic of business generally.

5.20 Established industries, including representatives of the banking sector, stated to the Committee that they had in place principles of operation which were an integral part of their business practices. The confidentiality of transactions – subject to any legal requirement otherwise – was deemed to be the key feature of banking and related financial transactions. [15]

5.21 The banking sector representative, the ABA, stated that the effectiveness of schemes did not depend on legislatively backed enforcement and related mechanisms. [16] There was a suggestion that in a well regulated world no external input was necessary (although there is an external compliance monitor of the EFT code). [17] However, not all groups work so cohesively as the banking sector appears to, and what may be appropriate for one industry may be quite wrong for another. Not many industries have such long-established principles. [18]

There is a role for `government' but it is limited

5.22 In the original discussion paper (Information Privacy in Australia) prepared by the office of the Privacy Commissioner, the option of `purely business based solutions, or some involvement for government' was offered in respect of complaints mechanisms. [19] The need for a `backstop regulator' was also raised, [20] and this is a role that may also be filled in part by government. The extent of involvement by government might affect the self-regulating status of a scheme, but not invariably, and not wholly – the crucial factor is still whether an organisation can be forced to act, and can have penalties imposed for not acting.

5.23 The submission from the Privacy Commissioner's office noted, that existing mechanisms such as industry ombudsmen must be allowed to operate within the framework of the National Principles. Nonetheless, this does not take into account the fact that for some consumers, the effectiveness of industry ombudsmen [21] (funded, as they are by the industries against which consumers complain) may be compromised.

5.24 In the context of considering the meaning of `self-regulation', industry ombudsmen are not established under law, but have been given certain powers through legislation, [22] and can be monitored by federal government bodies. They are thus part of a framework outside of `self-regulation'. In evidence to the Committee, the Australian Bankers' Association detailed the powers of the Banking Industry Ombudsman

… when investigating a complaint, the Ombudsman not only takes into account strict rules of law, but … also … general principles of good banking practice and any applicable codes of practice. His recommendations or awards are made by reference to what is, in his opinion, fair in all the circumstances. This is a much wider discretion than a court of law has … [23]

5.25 The proposed level of involvement of government in the privacy self-regulatory scheme is still not entirely clear. A board or an `independent' scheme monitor may all be forms of `government' involvement, but they are far from bringing a power to enforce any principles, and may in fact do the opposite. It may be essential for government to stand at a distance from day to day involvement in order to give a message to consumers that it does care about their needs [24] and has not become one with business. [25] This would also be important in the area of complaints handling.

Summary

5.26 Self-regulation is a process marked by an ability to accept some involvement by government or even some monitoring or administration by an external body, while still being `self' regulating. So long as there is no legally enforceable obligation, other than those available through more general legal processes, or, in some cases, some existing legislation, `self-regulation' retains its essential character.

The advantages of self-regulation

5.27 The advantages of self-regulation are deemed to be:

• Appropriateness—the regulatory framework is devised by those who know the area. There will be little input or ongoing involvement by those who are `outsiders'.
• Flexibility—the guidelines can be changed to accommodate needs, and keep up with technology.
• Simplicity—the guidelines will be straightforward and comprehensible because they will be non-legalistic; and
• Limited cost—although the cost of self-regulation is not negligible, it is assumed to be less than enforced regulation, presumably because of limited enforcement procedures and public sector involvement. There will be no onerous external management.

Appropriateness

5.28 The involvement of the relevant industry or private sector body in the development of principles and the non-enforceable nature of these is emphasised by the press release of the Attorney General of 20 February 1998. This release states that a regulatory approach would be heavy handed, [26](a point emphasised by the ABA) [27] and that the National Principles were to be seen not as `legalistic' rules but as guides `intended to provide practical assistance to business'. [28]

5.29 The ABA also implied that self-regulation was one means by which the continued appropriateness of privacy principles could be facilitated.

The changing dynamics of the financial services industry dictate the need for a flexible regulatory framework, an approach supported by the Federal Government and recommended in the final report of the Financial System Inquiry. [29]

5.30 In a further statement, the ABA noted that a more competitive marketplace required a different system to that existing in the public sector – it could not afford to operate on the basis of individual consent in respect of each transaction, [30] but must always be able to move without such specific consent. [31] A similar concern about individual consent was raised by the Australian Credit Forum. [32]

5.31 In part, these statements do reflect some awareness of one of the main problems currently limiting the effective implementation of concepts of privacy – the gap between technological and other developments, and the law as it stands. However, limited evidence was provided to the Committee demonstrating that the financial sector was notable for devising self-regulatory privacy schemes that overcame any of the problems deemed to be created by the use of legislation—that is, there was little evidence on the flexibility and adaptabilty of self-regulation

5.32 The automatic coupling of law with `heavy handedness' is an unfortunate link, suggesting that `industry' is an ever-changing enterprise that should not be fettered by the principles that limit society in general. While it has been argued by many that the law in many areas is unable to accommodate substantial social and other change, it is not accepted that there should therefore be as little law as possible. Industry has offered little evidence to the Committee that would justify this approach.

5.33 Appropriateness is also another means of suggesting that competitiveness is essential and that it would be `inappropriate' for Australian business to be limited in its capacity to compete with other markets. In this context, bodies such as the ABA refer to competing with the US market, which they claim to be unregulated, rather than with other areas such as the EU which have strict legislative privacy controls. [33]

Flexibility

5.34 The emphasis by industry bodies on their knowledge of their customers and their capacity to provide products their customers needed or wanted is seen as requiring a flexible approach. The provision of individual or one-off services, each bound by specific agreements, is suggested as inappropriate – a business must be able to provide multiple services without undue administrative barriers:

Effective management of the customer relationship so as to maximise the customer's satisfaction with the service offered by the organisation is not dependent on narrow legal concepts of consent and express “opt-in” arrangements. The National Principles recognise the importance of the customer's expectation in the use and management of his or her personal information. [34]

5.35 Flexibility is also linked to appropriateness – both of the commercial services provided and of the principles, which guide the provision of those services. A modern commercial transaction is promoted as quick and smart, meeting a customer's needs. Implicitly, no such principles guide the provision of other services, especially those from the public sector.

5.36 In contrast to this, evidence was presented to the Committee indicating that flexibility in a highly competitive world was often only possible when there was some certainty:

With respect to the [codes and industries] we have been talking about – banking, insurance and superannuation – the history of the last decade or decade and a half has been [one of] extraordinarily rapid change – some of it pressed by government policy and legislation, others by market reality. In those circumstances of dynamic change, only legal obligations can have any assurance at all of maintaining uniform application across the sector. [35]

Simplicity

5.37 Because self-regulation is seen as appropriate and flexible, capable of being adapted by agreement rather than complex machinery of government, it is also presented as streamlined and minimalist; not bureaucratic and tied up in red tape. [36]

5.38 On this point, the Committee stresses the importance of not losing sight of the ultimate criteria – which is the effectiveness of a system in achieving privacy protection. A system, however streamlined and minimalist, is useless if it does not achieve its objectives. For this reason, the objective should be developing a regime that provides effective privacy protection with the minimum regulatory burden.

Limited Cost

5.39 The cost of privacy is often presented as being too high and as requiring limitations. Regulations or legislation in particular are seen as inherently expensive, relative to the costs of self-regulated codes of practice. However, costing of privacy schemes is difficult mostly because the variables are unknown. It is not easy to determine, for example, the extent to which consumers will complain, or the extent to which they will require compensation. Thus, administrative and other costs are difficult to predict.

5.40 Much of the debate about cost is of limited use because it appears to be based on exaggerated figures by various sides. This matter is considered in further detail in Chapter 6.

5.41 Little emphasis was placed by witnesses on the costs of self-regulation, including the cost of the implementation of the National Principles. Some indication was given by the ABA that the Principles should be implemented gradually, although this was not explicitly related to cost. [37]

The coverage of existing self-regulatory systems

5.42 The Committee has heard evidence that there is a number of self-regulatory systems in place which are effective and which demonstrate that legislation is not needed:

The ACCC has a number of codes that it could quote as being highly successful in regulating a corporation's behaviour with no legislative backstop whatsoever. … I actually asked the ACCC for some examples and they provided me with three codes: the jewellery and timepieces industry code, the Australian Pharmaceutical Manufacturers Association and a code on the personal hygiene products industry. [38]

5.43 Other evidence listed codes that were appropriate, met the needs of consumers and dealt with the issue of coverage and uniformity:

The best example is that of the Scanning Code in Computerised Supermarkets. This Code has operated for several years to ensure the fair treatment of customers. It arose out of concerns that the [retail] industry could have faced different and perhaps conflicting state legislation to solve the same nationwide problem. The Australian Supermarket Institute … has administered this code to the satisfaction of ACCC. [39]

Adequacy of the existing and proposed self regulatory systems

5.44 In considering the adequacy of existing self-regulatory arrangements within the private sector, the Committee considers there are two key questions. The first is the extent of the coverage of current schemes, and the second is their effectiveness.

General coverage

5.45 On the evidence received, the Committee finds it difficult to accurately gauge the extent of coverage of existing self-regulatory privacy schemes in the private sector.

5.46 Significant parts of the private sector have adopted, or have indicated that they intend to adopt, self-regulatory schemes. [40] The Australian Direct Marketing Association is redrafting its code of practice to take into account the National Principles and is also actively examining the different options for enforcement of its new code. [41]

5.47 The Australian Retailers Association stated that a number of compatible codes already existed; [42] that it believed it would be important for such codes to be established; and that it had itself "established a sub-Committee to develop a retail industry Privacy Code encapsulating these standards as they relate to the retail industry." [43] Many of the professions, such as the medical and legal, also include in their codes of conduct provisions concerning the protection of the privacy of clients. [44]

5.48 The Privacy Commissioner informed the Committee that several peak private sector organisations were examining the National Principles or had adopted them. [45] This information was based on a survey of national industry associations by the Privacy Commission which found that a few months [46] after the release of the National Principles:

• around half of respondents said they had seen the National Principles; half of respondents, though not the same half, even though there is some overlap, have some kind of information privacy guidelines in place in their industries;
• about half those respondents with some kind of guidelines in place said that they would review their guidelines in the light of the National Principles;
• respondents who have not seen the National Principles said that they were interested to find out more about them. [47]

5.49 This level of response is not particularly encouraging, given that the National Principles are voluntary and given the criticism by some groups that important issues had been avoided. [48] Other surveys are equally discouraging. A 1997 Price Waterhouse survey [49] revealed that only 38% of companies surveyed had formally documented privacy policies in place, while 45% of companies had “guidelines”; 50% of companies had operational procedures in place to support privacy policies, while 26% stated that they do not have any privacy related procedures or guidelines; 80% of companies failed to have privacy training programs for employees.

5.50 A related problem is that where a scheme is self-regulatory, and especially where there is limited pressure from any source, including government, to adopt it, implementation may be delayed. The Committee was told, for example, that industry associations are trying to bend the National Principles and the present self-regulatory scheme to suit their own interests, rather than participating in the process in good faith:

What we see is a pattern of the industry associations trying to pick and choose. They are trying to take those parts of the principles that they think they can live with and leave those that they do not like – things like access to evaluative material or undue restrictions on direct marketing – and basically providing what they think consumers should get in their particular sector. We know that simply does not measure up. We now have a set of international standards which have been accepted and implemented without great difficulty around the world. That is what we need here in Australia as well. [50]

5.51 The development of high quality codes is not the same as making such codes enforceable. The President of the Australian Law Reform Commission noted that there were indeed several excellent codes in existence, and that the development of appropriate codes was an objective that could be achieved by business. However, he was of the opinion that these had to be mandatory:

What we do see as real life is that, over a period of time, unless those codes are mandatory – that is, unless all the participants in the sector have to follow the standards that have been set out – then we will find the inevitable happening.

No other piece of the financial sector's development in the last 15 years – from Campbell to Wallis and after – has in any real respect depended on voluntary codes being the sole support. We do not see privacy and access to information – that is, both the protection of information and, importantly also, the full community access to information – being guaranteed in any other way than through a legislative base. [51]

Industry coverage not full and consistent

5.52 A number of witnesses, including the Privacy Commissioner, noted that self-regulation faced serious problems in obtaining appropriate and consistent coverage. Such issues must affect the extent to which a voluntary system will be able to bring together a wide range of groups to provide what many have emphasised is essential – uniformity and certainty, by whatever means. [52] They may even affect the ability to devise a scheme sufficiently flexible to overcome the opposition to the `one size fits all' approach. [53]

5.53 These problems include the fact that while some peak organisations may support a principle, members of the peak organisation may not. They may consider that the peak body is not fully representative, [54] they may not belong to the peak body or they may not agree with all the actions of the peak body.

5.54 A further problem is that there may be more than one industry association, and they may have different views. [55] Thus, it is possible to have incomplete coverage and uniformity in an industry:

An industry may have a number of competing industry associations. As a result, coverage of the entire industry may not occur because of disagreements between the rival associations; even where an industry is represented by one association, there may be organisations within an industry that refuse to join the association and so not be bound by the self-regulatory process. Organisations within an association may also refuse to abide by the rulings of a self-regulatory mechanism. [56]

5.55 Even in an industry with a dominant organisation, the adoption of effective self-regulation may be inconsistent:

…in the telecommunications area … despite the provision of a sort of co-regulatory privacy framework under the Telecommunications Act, the privacy and consumer groups have found that there is only partial and unsatisfactory progress towards meeting privacy standards in the telecommunications environment. All of the carriers are having to be dragged, kicking and screaming, into providing adequate privacy standards through the consultative processes under the Telecommunications Act, and the rather blunt statutory backing for those provisions means that we are having great difficulty in persuading Telstra and some of the other carriers to come to the party on providing adequate notification to individuals about their privacy rights and on seeing them through into enforceable implementation. [57]

5.56 In some instances, there may be no effective industry organisations, making it unlikely that there will be the resources to deal with complaints in an independent or effective way. [58] Even in areas where there may be limited commercial benefit obtained from lack of privacy protection, consumers may find that their often sensitive personal information has virtually no security:

Aside from people who are subject to some kind of code or voluntary regulation from their professional organisation, there are a lot of service providers to people with psychiatric disabilities. There are other health service consumers, and consumers generally for that matter, which are not regulated at all – in the mental health area, for example, counsellors and psychotherapists, who are entitled to practice without being members of any particular professional body which can investigate complaints against them. [59]

5.57 This situation results from an incomplete and inadequate coverage by professional or para-professional groups. Some professions do not have clear privacy protections in place for all the information they hold; [60] may not have up to date privacy principles, or may have ineffectual enforcement and implementation mechanisms.

5.58 However, similar problems are even more likely in other industries. Sectors such as the real estate industry, [61] the internet, [62] organisations that maintain certain health records, [63] and organisations that engage in information mining and collation of information from existing records [64] and surveillance of employees [65] are largely unregulated, through a failure or absence of self-regulation or adequate legislation.

5.59 There is still nothing to compel irresponsible companies to comply with privacy standards. [66] In such instances, the need for some capacity to enforce principles may be supported by commercial organisations. [67]

5.60 This type of problem remains a source of concern to both responsible companies and to the Committee. Remington White Australia, a company that provides database services in the real-estate rental market, drew the attention of the Committee to the operations of a company, which was:

… quite keen to trade with anyone and everyone, [the]details provided to them by real estate agents that use their services. We were concerned from an industry standpoint that this demonstrated a gross misuse of the information provided to them and in fact we immediately brought the contents of the flyer to the attention of all the heads of the Real Estate Institutes in each state to warm them of the apparent misuse of this data. [68]

5.61 In other evidence on this point, witnesses from two companies that operate tenancy databases described their efforts to comply with privacy principles and contrasted their activities with other operators within the same industry. These other operators, it was claimed, failed to adhere to privacy principles. The operators provided, through the Internet, the names of `difficult' tenants. The General Manager of one of the more ethical tenancy databases told the Committee:

We are extremely concerned over some databases that are on the market. Admittedly they are a lot smaller than we are. However, in order to try to attract a marketplace, they step into the area of basically being cowboys by allowing people to record all types of defamatory remarks. We are extremely concerned about that. [69]

5.62 Owing to the mostly voluntary nature of self-regulation schemes, there is no way to ensure that an industry will retain a scheme, or that a private sector organisation will remain within an industry organisation that operates a scheme. Self-regulation is incapable of dealing with both the cowboys, who never join, and the regulatory “deserters”. They allow others to be limited by self-imposed restrictions, and then move in:

Why should an organisation that applies adequate privacy protection be placed at a disadvantage over one that does not. This could occur through additional costs in their computer systems or through not following up with direct mail if the customer has expressed a desire not to have such follow up. A similar problem would occur when an organisation does not comply with privacy rules and obtains carefully tailored marketing lists and is thus enabled to make more sales at a lower cost and hence make a better profit. These pressures on a voluntary system would ensure the lowest common denominator was followed. Legislation is needed to ensure a level playing field for all competitors. [70]

5.63 As the above reference has made clear, the major impetus for free riding or deserting was that it bestowed a competitive advantage.

One example which the [Australian Law Reform Commission] has been closely involved with for many years is the self-regulatory approach followed in franchising. The voluntary code proposed, followed and exhorted by both the government and the franchising sector in Australia has not worked, most particularly because in that case, in two or three sectors, it was found to be to the competitive advantage of those franchisors not to sign up to the code. [71]

5.64 There is little regulation at present in some parts of the private sector. As a result, there are few controls on the collection of information and there is limited access to redress. As well, the contracting out of services formerly provided by the Commonwealth, has led to some information that was originally collected by Commonwealth authorities losing the level of protection that it had under the Privacy Act 1988. [72]

Effectiveness of existing self regulatory schemes

5.65 As has been stated above, the second criteria for assessing the effectiveness of any privacy protection scheme is the extent to which it creates enforceable rights and obligations. As Professor Caelli said:

When you get to the enforcement side of these codes of conduct or the ethical basis, the question is really one of whether or not the industry organisation and/or professional organisation associated with that particular industry has enough force – let us say, in good old Australian, enough clout – to actually make such a privacy regime stick. [73]

5.66 It is in this respect that the Committee holds the greatest concerns as to the adequacy of existing privacy protections in the private sector. Overseas experience demonstrates that industries, especially those connected with newly emerged technologies, have failed to introduce effective privacy protection schemes. Moreover, a number of witnesses advised the Committee that history indicated self-regulation did not ensure an acceptable level of compliance with desirable standards of behaviour: [74]

It is clear that the private sector is incapable of providing an adequate level of privacy protection without a legislative framework. To date we have seen only a modest incorporation of some of the privacy principles into a few codes of practice, applying to limited and self-selected areas of the private sector, and generally without effective complaints, investigation and enforcement mechanisms. [75]

5.67 Thus, the development and coverage issues, while important are only the beginning. Even if these are sound, they will be have limited effect if they cannot be enforced.

Monitoring, complaints and enforcement mechanisms

5.68 The Committee heard that in some sectors, there are quite robust enforcement systems. The banking industry claims, with some justification, that their privacy controls have been very successful in an industry that has grown massively in recent years, pointing to the Electronic Funds Transfer (EFT) Code and the existence of the Banking Ombudsman. [76] In the banking industry, a customer with a complaint can in the first instance, raise the matter with the bank:

The bank would investigate it. If the customer were not satisfied that the bank had properly investigated the matter, the customer could take his or her complaint to the Australian banking industry ombudsman scheme. The scheme has power to look at what are known as acts of maladministration, which would include a bank breaching its duty of confidentiality to a customer. The ombudsman has a range of options available to him. He can make a recommendation to the bank to take appropriate action – some form of redress for the customer – or, if the bank will not do that, he can actually exercise power to make an award which, if the customer agrees with that, the bank is bound to comply with contractually. [77]

5.69 In theory, the existence of an industry ombudsman can have advantages such as independence and limited cost. However, costs will increase if the customer does not accept the decision of the ombudsman, since the matter must then be dealt with on the basis of an action for breach of contract. [78] Delays in ombudsmen procedures may also be substantial, and this factor limits ease of access.

5.70 Notwithstanding the example of the banking industry, the Committee finds that in general, there are real gaps in privacy protection, and the effectiveness and enforceability of privacy protection through existing self regulatory codes is inconsistent and inadequate.

5.71 There is a general lack of credible enforcement mechanisms, opportunities for timely redress and remedy. Sanctions on private sector organisations for breaches of privacy rights in order to deter further breaches or prevent opportunistic breaches, do not seem to figure prominently in the schemes under development.

5.72 To the Committee's knowledge, only the Australian Bankers Association has implemented an enforcement mechanism, although others have begun the process. [79] The reason for the banks' success may well be that the banks have developed a uniform set of values through shared self-interest over a long period of time. This has effectively established a culture which values privacy as the foundation of commercial success. [80]

5.73 Another issue that must be taken into account in evaluating the usefulness of self-regulatory schemes is whether they may be seen as breaching legislation on competition. An agreement to abide by a self-regulatory scheme may be construed as anti-competitive and render the private sector organisations subject to actions under laws that are intended to promote competition between businesses. The difficulty that enforcement of self-regulatory codes provides, especially in navigating competition laws, was noted in a number of submissions (although the Committee has not received enough evidence on the issue to fully evaluate the implications of this issue). [81]

5.74 The Privacy Commissioner summed up these problems this way:

In practical terms, however, a purely voluntary approach to privacy protection, with no legislative element at all, poses difficult problems of implementation. Satisfactory outcomes may well be achieved in highly organised industries with active and well-supported industry associations, but in other more fragmented industries, or in areas of activity that are not organised along industry lines, there are clearly some difficult challenges. [82]

Regulatory capture

5.75 There are other problems with self-regulation, including the limited viewpoint that it provides. Where industry has a uniform view and little internal competition, there is no force which leads it to take the needs of others into account. Self-regulation invites members of the private sector to engage in various practices which have no benefit to the broader community and can adversely affect the standing of the parent organisation or profession. Possibly to its own short and long-term detriment, an industry can in fact be captured by its status and its own limited perspective:

5.76 Such practices are of little advantage to the individual consumer. They may also contribute to increased and unnecessary costs and development of unnecessary services. Unfortunately, industry sectors may see only a short term benefit, or a supposed saving, in not taking appropriate action. The cost of this is likely to be substantial.

5.77 An even more serious problem occurs when such regulatory influence extends to independent bodies which are involved in developing guidelines; monitoring the operation of these guidelines; or acting in some capacity in the enforcement and/or complaints processes. For this reason, publicly funded bodies should remain at arms length from the private sector. This can be achieved by public organisations:

• Ensuring that dominant industries, or dominant groups within an industry, do not gain control of discussions which are meant to be comprehensive and all-embracing;
• Ensuring that all industry and professional sectors are involved in discussions or have the opportunity to be involved;
• Ensuring that no principles or guidelines which are deemed to be uniform are given that status unless there is general consensus by all industry groups;
• Avoiding becoming a member of industry boards, unless very clear guidelines apply;
• Ensuring that any involvement as an `appeals' resource is genuinely objective. [83]

The National Principles as a form of self-regulation

General comments

5.78 The National Principles are seen as the most recent expression of private sector self-regulation. In keeping with the government directive to be minimalist in approach, the principles are basic in their expectations and obligations (albeit acknowledging that existing legislation or other legal obligations would have to be accommodated). [84]

5.79 The Principles primarily are a set of expectations with no clearly defined meaning. Guidelines are attached which are not an integral part of the Principles but which are "an initial guide to the Privacy Commissioner's preferred interpretation of the principles". [85]

5.80 The Principles are notable mainly for a dichotomy between the headings placed at the beginning of each Principle, which emphasise what an organisation `will' do, and the contents of the Principles themselves – which emphasise only what an organisation `should' or `ought' to do. As the Headings are not a part of the Principles, [86] the use of such different terms is clearly misleading and should be removed.

Adequacy of the National Principles

5.81 Some major industry sectors supported the release of the National Privacy Principles, suggesting that they met the needs both of industry and the consumer. This support appears to be based on the fact that the Principles did not include certain components – such as employee data or `workplace related information'. [87] The Australian Bankers' Association emphasised that the Principles were appropriate as `a basis for businesses to develop practices to ensure that the privacy of individuals is protected.' [88] The Australian Privacy Charter Council also expressed some qualified support for the Principles, describing them as being `reasonably close the international best practice'. [89]

5.82 One witness, who compared the contents of the Privacy Principles with that of other principles, noted that they contained much the same information as earlier sets:

The principles announced by the Privacy Commissioner in February 1998 … [are] essentially a revision of those in the 1988 Act in the light of further experience, and changing public attitudes – notably, an increase in concern, heightened by E-Commerce and the Internet.

A point that should be noted about these sets of principles is that they all contain the same basic set of rights which have stood the test of over 25 years of usage. That only relatively minor changes are now included indicates that the validity of these principles is nearly as good as we can get at present, and they should form the basis of revised public sector and suggested private sector legislation. [90]

5.83 However, some evidence provided to the Committee suggested that the Principles, as an expression of self-regulation, were as outdated and inflexible as the legislation that some industries condemned:

The Australian Privacy Commissioner's 1998 'National Principles' document is merely a very late addition to the substantial pool of 1970s documents. A document based on 30-year-old precepts, and which contains additional exemptions based on special pleading, is utterly inadequate as a means of addressing the ever-growing public concerns about the privacy invasiveness of business practices.

The result of a flawed process is a flawed document. The 'National Principles' have many mainstream and worthwhile features, but contain carefully crafted loopholes that seriously undermine some of its most important features. In particular, the exceptions to the use and disclosure principle essentially gut the critical protections that this principle is supposed to provide. They attempt to legitimise practices that demand public justification. [91]

5.84 Other problems with the Principles were listed as including the very factors which business found to be an advantage, for example the fact that they did not apply to employee data. The European Union notes in its submission that employee data is “an important area for international data flows” [92].

5.85 It was also argued that :

• There are several exceptions [93] allowed, and these relate, among other things, to direct marketing and access (Principles 2.1(c), 6) and law enforcement (which requires express authorisations for exceptions); [94]
• The Principles allow for the possibility that data may be used for a purpose different from that advised at collection, in particular, in the area of direct marketing, and that such uses can occur without sufficiently strong safeguards. This point was severely criticised by one submission which noted that the Principles provide reasonable exceptions (as in the OECD principles), but beyond those exceptions, the rights of consumers must be carefully protected:

… the Privacy Commissioner proposes an exemption for direct marketing companies, from some of the principles [2.1(c) (i)].

If a company requires client details for direct marketing, or to sell to another company for direct marketing, it should say so. Few people may give permission for this form of marketing, but it is not the Privacy Commissioner's job to protect questionable business practices. [95]

• The issue of secondary use of information was important, and the nature of the authority which determined secondary use access was also crucial; [96]
• The right of an individual to access personal data seems to be subject to a great number of exceptions and restrictions; [97]
• Access to personal information by a range of government agencies needs to be clarified (Principle 2: exceptions (e)(g) and (h)); [98]
• Implicit consent is used for handling sensitive data, when this sort of data should be afforded greater protection; [99] and
• The National Principles lack specific provisions for dealing with the issue of onward transfer of data. The National Principles seem to allow the transfer of data to organisations that do not themselves abide by the privacy protection principles.

5.86 One witness concluded that, for a range of reasons including the need for uniformity and adherence to acceptable standards, the Principles were not appropriate: they `are not seen as a suitable basis for protection of public privacy in the private sector.' [100]

Adequacy of content - The National Principles and the European Union Directive

5.87 Aspects of the European Directive have been discussed above in Chapter 3. [101] In contrasting the National Privacy Principles with the European Directive, a number of other issues become more apparent.

General

5.88 The EU Directive is phrased in language which suggests that the enforceable provisions of the Directive are based on human rights principles.

`Article 1

1. In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to processing of personal data.' [102]

5.89 As is noted above, [103]the headings on the National Principles suggest a commitment, while the text of the Principles only refer to what `should' rather than what `will' be done. As the headings are not a part of the Principles, their effect is to suggest approaches which are obligatory but which in reality are not obligatory in any way.

5.90 By contrast, the headings on the Directive relate only to the content. Further, the Articles themselves generally refer to the members' obligations, and the fact that members `shall' meet certain agreed requirements.

Coverage

5.91 The European Data Directive is specifically concerned with personal information, including personal information about employees.

5.92 The National Principles deal with personal information. Unfortunately, ACCI managed to remove the issue of employee data from the National Privacy Principles on the grounds that other legislation provided adequate protection. However, current legislation regarding employee data will not protect employee data which is being processed or otherwise dealt with offshore. In this respect, the Directive is of a higher standard.

5.93 This highlights a problem with putting personal information into separate categories: commercial information which is to be protected, and as employee data subject to other legislation. For the contractor, the processing of the information is a task and having two standards for dealing with data is not satisfactory. It could also add to the processing cost.

5.94 The EU Directive will cover all personal data, with the exceptions listed in Article 3, including that which falls outside the scope of community law, and that relating to defence, security etc. and processing of personal data `by a natural person in the course of a purely personal or household activity.' Article 8 also deals with `the processing of special categories of data'. In this Article reference is made to the prohibition regarding processing of specific forms of data, which does not affect the processing of data of a medical and similar nature:

where processing of data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health care services, and where those data are processed by a health professional subject under national law or rules established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy. [104]

5.95 However, this proviso only refers to Paragraph 1 of Article 8, and does not prohibit the processing of medical or similar data nor exempt it from general provisions applicable throughout the Directive.

5.96 This coverage is broader than that currently available in Australia through professional codes, self-regulation, proposed or actual legislation, and the proposed National Principles. In particular, protection is needed for sensitive information which is currently not addressed by the National Principles, such as health/medical data. Evidence received by the Committee suggested that while much medical information was either protected through voluntary codes, or through the provisions of legislation, [105]other information was not subject to such protection. [106] The extent and depth of coverage of the National Principles is a matter of concern, especially given the limited consultation on matters relating to security and police. [107]

Special Provisions

5.97 The EU Directive (Article 8) specifically prohibits the processing of material so as to provide lists of information or names of people on the basis of their race, religion or ethnicity etc, except where such collection of information is appropriate. A similar proviso exists in Privacy Principle 10, `Sensitive Information' which appears to be based on the Directive.

Loopholes

5.98 As noted, [108] one of the main problems identified with the National Principles was the existence of `carefully crafted loopholes that seriously undermine some of the [Principles'] most important features'.

Use and disclosure principle.

5.99 Principle 2 refers to Use and Disclosure of Information. [109] This primarily relates to the other use that may be made of information collected. The main difficulty with secondary use is the absence of consent from the data subject. Within NPP2 there is a fair amount of laxity in favour of the direct marketing organisations.

5.100 This is expressed in terms which allow the direct marketers to virtually ignore any constraints, especially through use of `reasonable and practicable' exclusions. Thus NPP 2(c) states that if it is impracticable for the organisation to seek the individual's consent before using the information, and an opportunity is given either when the information is collected or, at the instigation of the individual concerned, at a later time, to `decline to receive any further direct marketing communications', it is permissible to use the information. This provides extensive freedom to the direct marketing groups, with much of the responsibility placed back upon the consumer for refusing to receive further information. This approach was criticised by the Australian Computer Society Inc. [110]

5.101 National Principle 2 (1)(d) refers to use being made of personal information on the basis of an organisation `reasonably' believing that `the use or disclosure is necessary to prevent or lessen a serious and imminent threat to an individual's life or health'. There is no obligation for this use to be recorded or assessed. In contrast, EU Directive, Article 6(1) specifically states that:

Member States shall provide that personal data must be:

(b) collected for specific, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. [111]

5.102 In particular Article 14 of the Directive addresses concerns about direct marketing, allowing individuals to lodge an objection to the use of their data for this purpose:

14(b) to object, on request and free of charge, to the processing of personal data relating to him which the controller anticipates being processed for the purposes of direct marketing, or to be informed before personal data are disclosed for the first time to third parties or are used on their behalf for the purposes of direct marketing, and to be expressly offered the right to object free of charge to such disclosures or uses. [112]

Source of material about an individual

5.103 The National Principles offer a variety of exceptions for the collectors of information, such as those set out in Principle 1 that:

where it is reasonable and practicable to do so, an organisation should collect personal information directly from the subject of the information.

5.104 This allows a range of exceptions on the basis of the terms ` reasonable and practical”. In contrast, the EU Directive states:

Article 7

Member states shall provide that personal data may be processed [113]only if:

the data subject has unambiguously given his consent; or

processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. [114]

5.105 EU Directive Article 10 provides minimum standards of safeguards regarding data collected from a data subject and Article 11 safeguards information where the material was not collected from the data subject but concerns him/her.

Access

5.106 The National Principles again appear to give preference to the holder or processor of information through their use of the `reasonableness' principle. Principle 5 states:

5.1 An organisation should have clearly expressed policies on its management of personal information which be readily available;(emphasis added)

5.2 An organisation, on request, should take reasonable steps to let individuals know, generally, what sort of personal information it holds, for what purposes, and how it collects, holds, uses and discloses that information. (emphasis added)

5.107 NPP 6 states that `Where an organisation holds personal information about an individual, it should provide the individual with access to the information on request, except to the extent that…'(followed by a long list of exemptions). While some of these exemptions are acceptable, those which state, for example, National Privacy Principle 6(1)(c) `providing access would be unduly onerous for the organisation' or (d) `the request for access is frivolous or vexatious', further loopholes are provided which could benefit organisations.

5.108 The extent of opportunity to correct information is limited, in spite of the misleading heading to the principle (`Wherever possible we will let you see the information we hold about you and correct it if it is wrong'). National Privacy Principle 6(6) in fact places much of the responsibility upon the individual and not the organisation:

`If an organisation holds personal information about an individual and the individual is able to establish that the information is not accurate, complete and up to date, the organisation should take reasonable steps to correct the information so that it is accurate, complete and up to date.'(emphasis added).

5.109 The EU Directive appears to give preference to the data subject through Articles 12 and 14 to obtain information `without constraint at reasonable intervals and without excessive delay or expense' information about whether data is being processed about the individual, the purposes, the categories and the recipients; the data, in an `intelligible' form; and `any available information as to their source' and `knowledge of the logic involved in any automatic processing of data concerning him at least in the case of the automated decisions referred to in Article 15'. Article 14 provides a right to object, including to the use of data for direct marketing purposes, as noted above.

Accuracy

5.110 National Privacy Principle 3 states that "an organisation should take reasonable steps to make sure that the personal information it collects, uses, or discloses is, accurate, complete and up to date”. The heading over this principle states quite otherwise: "We will ensure that information about you is accurate when we collect or use it", but, as noted above, these headings are not a part of the principles [115] and are thus worthless.

5.111 The EU Directive states:

Article 6(1): Member States shall provide that personal data must be:

(c) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;'(emphasis added)

Evaluative Material

5.112 The National Principles do not allow easy access to evaluative data by the community, as in National Privacy Principles 6(2) and 6(3), where access is linked to the material not being deemed to be in connection with an internal' commercially sensitive decision-making process'(6(2)). Such phrases, in spite of the provision of an `independent process'(6(3)) to determine their validity, are likely to be beneficial to business but not to individuals.

5.113 The EU Directive does not specifically address the issue of `evaluative' material, which may mean that it is perceived in the same terms and subject to the same controls as any other information.

Transfer of information to an unapproved site

5.114 Article 25 of the Directive does not permit the processing of information in a country which does not have adequate legislation. The effect of this is twofold- firstly, it increases the protection for data; secondly, it has the potential to exclude some countries from the marketplace. Article 25, Paragraph 1 states:

The member States shall provide that transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to other provisions of this Directive, the third country in question ensures an adequate level of protection. [116]

5.115 Paragraph 2 of Article 25 refers to particular factors which may be taken into account in assessing the situation, including the nature of the data, domestic law, professional rules and security measures, all of which may provide an appropriate level of security.

Possible exemptions

5.116 Article 25, Paragraph 6 then deals with the means by which countries may be able to meet the above provisions:

The Commission may find in accordance with the procedure referred to in Article 31(2), that a third country ensures an adequate level of protection within the meaning of Paragraph 2 of this Article, by reason of its domestic law or of the international commitments it has entered into, particularly upon conclusions of the negotiations referred to in paragraph 5, for the protections of the private lives and basic freedoms and rights of individuals.

5.117 The NPPs at Principle 9 refer to transborder data flow, with a heading of `We will take steps to protect your privacy if we send personal information about you outside Australia'(emphasis added). Principle 9 however, again gives a preference to the business rather than the individual, stating that information can only be transferred if:

9(a) the organisation reasonably believes that the recipient of the information is subject to a statute, binding scheme or contract which effectively upholds principles for fair information handling that are substantially similar to these principles; or

(b) the individual concerned consents to the transfer.

5.118 Other provisos concern the transfer of information being for the `benefit' of the individual concerned (9(d)) and the likelihood of the person giving consent for transfer if they were aware of the fact (9(e)(ii)). However, it could be argued that the transfer of social security data is in the interests of the individual, but this in itself should not be sufficient to allow for its processing in a situation where there can be no guarantee of (as opposed to the taking of `reasonable steps' towards (9(f)) security.

5.119 The proposed amendments to the Privacy Act 1988 provide some limitations to this type of data transfer. [117] However, this proposed legislation is of limited value, since it covers a limited percentage of companies' operations, dealing only with the contracts they have with governments in respect of specific services. [118]

Conclusion

5.120 Overall, the EU Directive places major limits on the processing of material and provides substantially greater protection of the data collected and processed. By placing its principles within a broad framework of human rights and noting the right to privacy, the Directive links its philosophy to general human rights issues.

5.121 The National Principles, in comparison, appear a very weak and piecemeal approach to the issue of collection and protection of data. They do not deal with substantive issues such as the rights of the data subject; they give unequivocal preference to the wants of certain industries; they provide very little obvious limitation on the discretion of certain parties; and they provide virtually no direction as to the way in which even the minimal protections provided would be safeguarded. They do not locate privacy among human rights, [119] and express limited concern for the rights of the individual as opposed to the needs or the business community.

Enforcement mechanisms

5.122 One of the problems with the National Principles at the time of writing is that they contain no information about implementation, monitoring or enforcement, although the 1997 discussion paper Information Privacy in Australia did contain suggestions about enforcement mechanisms. [120] Unfortunately, no information was provided by the Privacy Commission about the reception by industry to these early proposals. Although the Commissioner provided reasons for dealing separately with Principles and with the operation of the principles, [121] the Committee is concerned at the separation of the two.

5.123 A major concern about the absence of detail on complaints mechanisms and enforcement processes in the National Principles is the statement in the paper Information Privacy in Australia that "where business sectors already have ways of ensuring compliance with codes of behaviour, these are to be used". [122]

5.124 In principle, this approach may be acceptable. However, the Committee believes it would have been more appropriate to determine the nature of such compliance before giving such power to what is, after all, an agreement, not a legislatively based scheme.

5.125 Further, it would be important to determine how much the codes of practice effectively dealt with complaints and how much of consumers' valid expectations are in fact met. A code which has little interest in consumers and limited interest in facilitating their access to redress might well meet the above criteria of "ensuring compliance with codes of behaviour," but this hardly makes them effective or appropriate. Existing codes can only be acceptable within a broader context of high standards which address the needs of consumers as well as those of industry and business.

5.126 Within the paper Information Privacy in Australia, one section is devoted to compliance and enforcement mechanisms within a voluntary or self-regulatory scheme. The section dealt with the option of a Scheme Administrator:

It is generally recognised that a self-regulatory scheme is unlikely to be effective without an independent administrator to undertake administrative, coordination and monitoring functions. The administrator would, for example, monitor whether the objectives of the scheme are being met, whether it is cost effective, whether the members are complying with all aspects of the code and whether the scheme is sufficiently adaptable to meet the ongoing needs of its members. [123]

5.127 The role of the independent administrator is outlined in detail in this paper, with a number of education, data collection and other roles being proposed. [124] It is not clear if what is being proposed is an extended role for the Privacy Commission, an industry ombudsman, or a totally separate organisation. Reference is made to existing industry ombudsmen in favourable terms:

An independent scheme administrator is a significant step in ensuring that the scheme is robust and effective and does not become a token process controlled by the organisation it covers. In the case of industry codes, the administrator is usually funded, but not directly controlled, by the members of the industry association. Apart from the appointment of an independent chair, such scheme administrators usually have industry and consumer representatives, and may include a government regulator. Examples of such independent industry administrators include the Council of the Telecommunications Industry Ombudsman and the Council of the Banking Industry Ombudsman. [125]

5.128 The Privacy Commission clearly also expected that the Commission would be involved in the administration process:

It is expected that the Commissioner, and her staff, would be involved in some way in the ongoing administration of a national privacy code, and at the very least would expect to be represented on the governing body of any privacy scheme administrator. [126]

5.129 However, this type of relationship can lead to problems, at least in the eyes of the consumer. The role of a Privacy Commissioner, as a part of the Human Rights and Equal Opportunity Commission, [127] must be to protect the rights of all parties. Direct involvement with boards and other bodies must be carefully assessed so that it is not seen as seriously compromising the capacity of a government body to provide an appropriate service. As is noted above, regulatory (or, indeed, regulator) capture is a serious problem, and one of the roles of publicly funded monitoring organisations is to be aware of such problems. Government bodies should be careful to avoid any involvement with industry boards, councils or administration schemes so that they are able to retain an objective role in their main function.

5.130 Without any information as to enforcement mechanisms or complaints bodies, the Principles are really a set of actions or approaches that various sectors might take on or carry out if they feel so inclined. It is difficult to see if they even meet the very limited scope of the brief given by the Prime Minister in March 1997.

5.131 Other opposition to the Principles was based not so much on a detailed study of these but on the fact that, being legislation-free, they would not be appropriate for those services or sectors likely to be affected by the EU Data Protection Directive. [128] The Australian Computer Society argued:

The National Principles for the Fair Handling of Personal Information, as produced by the Privacy Commissioner, are not seen as a suitable basis for protection of public privacy in the private sector.

Australia requires privacy laws to prevent some sectors of Australian industry, particularly those involved in on-line trade, being severely disadvantaged in international commerce. [129]

No timetable for the adoption of any enforceable system

5.132 The final aspect of current self regulatory systems that is of concern to the Committee is the lack of any concrete timetable for the adoption of any enforceable system implementing the National Principles:

The second phase – how to implement the principles – is not complete. I have had two meetings with business groups and there is a fairly extensive list of people potentially involved or involved, but they have not all been able to attend those two meetings. They include the Financial Services Association, retailers, Telstra, the Finance Conference, bankers, direct marketeers, insurers, the Chamber of Commerce and Industry, Readers Digest, the Attorney-General's Department, the Victorian Department of Multimedia, the Australian Information Industry Association, the Law Council, the Society of CPAs, credit unions and the Business Council. It is a comprehensive group, although they have not all been in attendance yet. [130]

5.133 Mr Conolly, of the Campaign for Fair Privacy Laws, commented further that the discussions that had taken place concerning the implementation of the National Principles had not:

… involved any great detail or depth people outside the finance industries. There has not been any representation from the Video Retailers Association, for example, or a range of people whom you think might have privacy issues. They are not there; they are not discussing it. There is no timetable. It is just this sort of do nothing moment where we are saying at the government level we support self-regulation but there is no actual process for achieving that. [131]

5.134 The result of the current self-regulatory scheme is a `do nothing' option. Of the “do nothing” option the Privacy Commissioner said:

Doing nothing is of course a real possibility out of this whole process, but if that is the outcome it is my view that Australian consumers will be being treated with contempt – but just as importantly, Australian businesses will be major losers in terms of lost opportunity – and we will get the chaos we deserve. [132]

5.135 At the time of writing, there have only been two meetings held to discuss implementation of the enforcement scheme. [133] Given the large number of organisations involved in this process and the lack of comprehensive involvement, the Committee suspects that it is unlikely the National Principles will be implemented comprehensively by way of a self-regulatory regime in any other than a highly structured sector, such as banking.

5.136 There is no agreed program to implement the National Principles or to develop appropriate enforcement mechanisms to meet the needs of consumers. As a result, the community has no assurance that a privacy scheme will be introduced that will provide meaningful and consistent levels of protection.

5.137 In this context it is also worth noting that the failure of self-regulation in the Internet sector has led to calls for privacy legislation from regulators and politicians in other countries who formerly supported self-regulation. [134]

Conclusions

5.138 The Committee makes a number of conclusions in relation to self-regulation.

5.139 The Committee notes the evidence of numerous companies and organisations that have adopted a responsible approach to the protection of privacy. However, the Committee remains concerned at the essentially patchy adoption of privacy protection measures in the private sector, and considers that there is still far from uniform coverage. Of equal concern is the slow progress achieved in bringing into force comprehensive enforcement measures to give effect to the National Principles. The Committee sees little evidence of real progress and limited prospect for such progress in the near future.

5.140 For these reasons the Committee concludes that at this stage private sector self-regulatory systems do not, of themselves, provide an adequate system for privacy protection in Australia. For these reasons, without an adequate enforcement mechanism the National Principles lack force and cannot provide the basis for a national privacy scheme.

5.141 In general, the Committee believes that self-regulation, without any legislative oversight, offers many dangers to the community:

Certainly from a consumer's perspective, including small business consumers, there is no way that a voluntary code, as with franchising, is going to provide protection for any parties. It will leave the large internationally competitive entities within each of those sectors to do what they will. [135]

5.142 With reference to the criteria being used to assess the adequacy of the present regulatory arrangements, the Committee concluded that self-regulation failed all of them. Self-regulation:

• fails to guarantee that the content of a self-regulatory scheme will meet best international practice standards;
• fails to guarantee, to a level acceptable to the community, a level of compliance with accepted privacy principles;
• cannot guarantee to provide a means for people to exercise and protect their right to privacy, that is, cannot provide an accessible enforcement mechanism; and
• cannot guarantee to provide redress when a privacy right is breached, by way of specific remedies, sanctions or compensation.

5.143 Self-regulation also fails to guarantee the rights of consumers, and to meet the needs and facilitate the responsibilities of the private sector. The evidence provided to the Committee indicated clearly that unless the private sector faces the credible possibility of coercive intervention by government, adequate standards will not be adopted or enforced.

5.144 The Committee therefore recommends that the Commonwealth does not rely on self-regulatory schemes.

Footnotes

[1] Developed by the Attorney-General. For a more detailed description of this scheme, see Chapter 7.

[2] See Chapter 4.

[3] However, the existence of various rights – such as under contract law – may be seen as a justification for avoiding the complexity of more extensive and binding legislation.

[4] Submission No. 51, Human Rights and Equal Opportunity Commission, p. 910.

[5] `Privacy Principles Released', Press Release, Commonwealth Attorney General, 20 February 1998. The other side of this approach is that industry is inherently self-regulating.

[6] Submission No. 41, ACCI, p. 713; see also p. 715.

[7] `We strongly believe that a self-regulatory approach to privacy is the best way to ensure that the interests of consumers and Australians generally are protected. To those calling for regulation, we say that we have already made excellent progress in establishing the principles. Now let us give those principles a change to work as they were intended to work – in a self-regulatory environment.' Transcript of evidence, Australian Bankers' Association, p. 270.

[8] Transcript of evidence, Australian Bankers' Association, p. 273.

[9] Submission No. 43, Australian Bankers' Association, p. 735.

[10] Submission No. 43, Australian Bankers' Association, p. 735.

[11] Submission No. 10, Australian Retailers Association, p. 313.

[12] See below, Chapter 6.

[13] Submission No.7, Australian Privacy Charter Council, p. 239.

[14] The Privacy Principles refer to the need to adhere both to existing Commonwealth privacy laws (as at February 1998) and `any further legislation that might be considered necessary in particular sectors, States or Territories.' National Principles, Foreword, p.2.

[15] Submission No.43, Australian Bankers' Association, pp. 735-736. Although much of the emphasis in evidence to the Committee was on industry, other forms of self regulation referred to include professional ethics such as the codes of the legal and medical professions. Unfortunately, little information was provided to this Committee on or by these groups, and their codes and practices have not been included in the work done for the National Principles.

[16] Submission No. 43, Australian Bankers' Association, p.738.

[17] Transcript of evidence, Australian Bankers' Association, p. 268.

[18] It is quite clear from evidence given to the Committee that the free riders of any business are virtually impossible to control. They do not accept standards and principles adhered to by others, and they cannot be controlled because there is no legislation in place to penalise them. This is a point which was previously made by the Privacy Commission paper of 1997 Submission No. 51, Human Rights and Equal Opportunity Commission, p. 898 E17. See also below, Paragraphs 5.60-5.64.

[19] Submission No. 51, Human Rights and Equal Opportunity Commission, p. 911.

[20] Transcript of evidence, Human Rights & Equal Opportunity Commission, p. 80.

[21] See, for example, Transcript of evidence, Australian Bankers' Association, p. 271.

[22] See, for example, the powers given to the Telecommunications Industry Ombudsman to investigate unresolved complaints.

[23] Submission No.43A, Australian Bankers Association, p. 1379.

[24] See below, Paragraphs 5.75-5.77 on regulatory capture.

[25] See below Paragraphs 5.128-5.129, which refer to concerns about the involvement of the Privacy Commission in self-regulatory schemes.

[26] See above, Paragraphs 5.10-5.21.

[27] Submission No. 43, Australian Bankers' Association, p. 733.

[28] Some of the difficulties with the idea of legislation and with it being described as heavy handed, arise from the apparently limited choice (co-regulation) presented to those invited to comment on the Attorney General's Department's paper, Privacy Protection in the Private Sector.

[29] Submission No. 43, Australian Bankers' Association, p. 733(1).

[30] Submission No. 43, Australian Bankers' Association, p. 735.

[31] This approach works on the basis of implied consent, but can lead to cross-use of personal data.

[32] Submission No. 9, Australian Credit Forum, p. 307.

[33] See Submission No. 7, Australian Privacy Charter Council, p. 240. “The United States is sometimes used as an example of how self-regulation can satisfy privacy concerns. This is simply not true. Apart from the fact that there is already a raft of sector or activity specific privacy laws at federal and state level, it is becoming increasingly clear that the private sector is unable to respond adequately to growing public concern about the potential for privacy abuses.” For a discussion of the requirements of the EU Data Protection Directive, see above, Chapter 3 and also below, Paragraphs 5.87-5.121.

[34] Submission No 43, Australian Bankers' Association, p. 734.

[35] Transcript of evidence, Australian Law Reform Commission, p. 227.

[36] See above, Chapter 3, Paragraphs 3.43-3.46.

[37] Submission No. 43, Australian Bankers' Association, p. 739.

[38] Transcript of evidence, Australian Bankers' Association, p. 271.

[39] Submission No. 10, Australian Retailers Association, p. 318

[40] For example: the Australian Bankers Association, the Insurance Council of Australia, the Australian Direct Marketing Association, the Australian Retailers Association, the Australian Information Industries Association, the Law Council of Australia, the Australian Finance Conference, the Credit Union Services Corporation (Australia) Ltd, the Investment and Financial Services Association, the Institute of Mercantile Agents, the Real Estate Institute of Australia, and the Australian Communications Industry Forum, Submission No. 51, Human Rights and Equal Opportunity Commission, p. 864.

[41] Submission No. 36, Australian Direct Marketing Association, pp. 2-3.

[42] Submission No. 10, Australian Retailers Association, p. 318.

[43] Submission No. 10, Australian Retailers Association, p.319.

[44] Submission No. 37, Public Interest Advocacy Centre, p. 11.

[45] Submission No. 51, Human Rights and Equal Opportunity Commission, p. 864-865.

[46] The National Principles were released in February 1998 and the Privacy Commission's submission was made in July 1998. Submission No. 51, Human Rights and Equal Opportunity Commission, p 864.

[47] Submission No. 51, Human Rights and Equal Opportunity Commission, p. 864.

[48] See below Paragraphs 5.81-5.86 on the National Principles and factors that witnesses considered should have been more thoroughly examined in the development of these. See also the comparison between the National Principles and the European Union Directive at Paragraphs 5.87-5.121.

[49] Price Waterhouse, Privacy Survey (1997)

[50] Transcript of evidence, Mr Nigel Waters, p. 106.

[51] Transcript of evidence, Australian Law Reform Commission, pp. 226-227

[52] For an examination of industry attitudes to regulation, see Chapter 7.

[53] See Submission No. 41, Australian Chamber of Commerce and Industry, p. 713.

[54] Transcript of evidence, p. 80 (Senator McKiernan).

[55] See Submission No. 51, Human Rights and Equal Opportunity Commission, p. 956.

[56] Submission No. 51, Human Rights and Equal Opportunity Commission, p.897.

[57] Transcript of evidence, Mr Nigel Waters, p. 104.

[58] See Submission No. 7, Australian Privacy Charter Council, p. 242: `In many areas there are not even associations or peak bodies with wide coverage of the sector which would be able to approach such a task'.

[59] Transcript of evidence, Mental Health Legal Centre Inc., p. 167.

[60] Submission No. 37, Public Interest Advocacy Centre, p. 659 and Transcript of evidence, Public Interest Advocacy Centre, pp. 116, 118-119; Submission No. 50, Mental Health Legal Centre Inc., p.847 and Transcript of evidence, Mental Health Legal Centre Inc, p. 167; Transcript of evidence, Queensland Health, p 31.

[61] See Submission No. 54, Tenancy Information Centre Australasia Pty Ltd and Submission No. 55, Remington White Pty Ltd. Transcript of evidence, Tenancy Information Centre Australasia, pp. 94, 98-99; Transcript of evidence, Remington White Pty Ltd., p. 194; Transcript of evidence, Real Estate Institute of Queensland, pp.38, 40.

[62] Submission No. 57, Professor William Caelli; p.1140 and attachment 1; Transcript of evidence, Professor William Caelli, pp. 55, 66; Transcript of evidence, Professor Patrick Quirk, pp. 3-8; Submission No. 33, Professor Greenleaf, pp. 557-558, 561.

[63] Submission No. 37, Public Interest Advocacy Centre, p. 659; Submission No. 50, Mental Health Legal Centre, p. 847; Transcript of evidence, Public Interest Advocacy Centre, p. 116; Transcript of evidence, Mental Health Legal Centre Inc., p. 167; Transcript of evidence, Queensland Health,. pp. 30, 31.

[64] Transcript of evidence, Public Interest Advocacy Centre , p. 120 and Submission No. 37, Public Interest Advocacy Centre, pp. 664-667; Submission No. 51, Human Rights and Equal Opportunity Commission , p. 894.

[65] The survey by Price Waterhouse (reported in the Canberra Times, 10 September, 1998, p. 11) revealed that “more than half of Australian companies undertake video surveillance of both employees and the general public”. Surveillance of employees involved monitoring email content, internet use and telephone conversations. The survey also revealed that “around half the companies surveyed admitted that they were involved in international information transferral”; such information forms part of international databases.

[66] Transcript of evidence, Mental Health Legal Centre Inc., p. 166

[67] See Paragraphs 5.61-5.62

[68] Submission No. 55, Remington White Australia, p. 1087

[69] Transcript of evidence, Tenancy Information Centre Australasia, p. 94

[70] Submission No. 16, Vonaldy Pty. Ltd., p. 375. See also Submission No. 46, Campaign for Fair Privacy Laws, p. 764.

[71] Transcript of evidence, Australian Law Reform Commission, p.225.

[72] The proposed amendments to the Privacy Act 1988 are intended to counteract this “leakage”. See below, Chapter 6.

[73] Transcript of evidence, Professor Caelli, p. 57

[74] Transcript of evidence, Professor Caelli, p. 56; Submission, No. 40, Xamax Consultancy, p. 700; Submission No. 33, Mr Graham Greenleaf, p.561; Submission No. 7, Australian Privacy Charter Council, p. 242; Submission No. 8, Mr Nigel Waters, p. 254.

[75] Submission No.7, Australian Privacy Charter Council, p. 242

[76] Transcript of evidence, Australian Bankers Association, p. 269

[77] Transcript of evidence, Australian Bankers Association, p. 271

[78] Transcript of evidence, Australian Bankers Association, p. 278. The Committee also notes that the jurisdiction of the Banking Ombudsman was increased to an upper limit of $150 000, from a previous limit of $100 000 Transcript of evidence, Australian Bankers Association, p. 276

[79] For example, the Insurance Council of Australia, the Australian Direct Marketing Association and the Australian Retailers Association. Submission No. 51, Human Rights and Equal Opportunity Commission, p. 864

[80] Submission No.43, Australian Bankers Association, p. 739

[81] Submission No. 36, Australian Direct Marketing Association, p. 645,

[82] Submission No. 51, Human Rights and Equal Opportunity Commission, p. 898

[83] See below, Paragraphs 5.128-5.129.

[84] Submission No. 51, Human Rights and Equal Opportunity Commission, p. 862. A similar proviso was included in the earlier paper, Information Privacy in Australia, which is reproduced in Submission No. 51, see especially p. 910.

[85] National Principles, p. 18.

[86] National Principles, p. 6.

[87] Submission No. 41, Australian Chamber of Commerce and Industry, pp 714 – 715. This point was also made by Submission No. 43, Australian Bankers' Association, p. 743: `These principles provide a valuable guide for all businesses to balance the legitimate and responsible use of personal information about their customers with the reasonable expectations of those customers.'

[88] Submission No. 43, Australian Bankers Association, p. 733

[89] Submission No. 7, Australian Privacy Charter Council, p. 243

[90] Submission No. 16, Vonaldy Pty Ltd., p. 376.

[91] Privacy law and policy reporter, 4 (1998), p. 178.

[92] Submission No. 60, European Union, p. 1356. See also above Chapter 3, Paragraphs 3.15-3.22, and below, Paragraphs 5.91-5.92.

[93] See below, Paragraphs 5.98-5.100, 5.103-5.105, 5.106-5.109, 5.112, 5.116-5.119.

[94] Submission No. 7, Australian Privacy Charter Council , p. 243

[95] Submission No. 13, Australian Computer Society Inc., p. 335

[96] See below, Paragraphs 5.99-5.102.

[97] See Paragraphs 5.103-5.113.

[98] Submission No. 8, Mr Nigel Waters, p. 254

[99] See Paragraphs 5.99 -5.100.

[100] Submission No. 13, Australian Computer Society, p. 332

[101] See above, Chapter 3, Paragraphs 3.68-3.85.

[102] All references are to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Journal of the European Communities 23 November 1995

[103] See above, Paragraph 5.80.

[104] EU Directive 95/46, Article 8, Paragraph 3.

[105] See for example, Chapter 6, Paragraph 6.12.

[106] See above, Paragraphs 5.56-5.57 and Chapter 3, Paragraph 3.25, Chapter 4, Paragraph 4.16, and below, Chapter 6, Paragraphs 6.21-6.30 and 6.41-6.43.

[107] Submission No. 51, Human Rights and Equal Opportunity Commission, p.866, Paragraph 31.

[108] See above, Paragraph 5.83

[109] See National Principles, p. 7.

[110] See above, Paragraph 5.85 and see also Submission No.13, Australian Computer Society Inc., p. 335

[111] EU Directive 95/46 Article 6.

[112] EU Directive 95/46 Article 14

[113] Emphasis added. For the meaning of processing in the Directive, see Article 2 of Chapter 1, Definitions; processing includes `any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage…'[emphasis added]

[114] Article 7 makes further provision regarding the objectives of the processing of data, some of which are similar to the factors noted in NPP 2, but always with the overriding provision of Article 1.

[115] See Paragraph 5.80.

[116] EU Directive 95/46, Article 25.

[117] See below, Chapter 6, Paragraphs 6.46-6.48.

[118] See below, Chapter 6, Paragraphs 6.13-6.43. See also Submission No.39, Credit Union Services Corporation, p. 686, comment on NPP 9.

[119] This approach is also reflected in the proposed separation of the Privacy Commission from the Human Rights and Equal Opportunity Commission. See below, Paragraph 5.129

[120] National Principles, p. 5 `What these principles do not cover'. In the context of debate, this led people to accept principles without having any idea of the ways in which enforcement of principles could be ensured. As is noted elsewhere, the best principles are of no use unless they are in place and uniformly adhered to and unless people are able to take effective action in defence of privacy.

[121] Transcript of evidence, Human Rights and Equal Opportunity Commission, p. 71

[122] Information Privacy in Australia, p.iii, in Submission No. 51, Human Rights and Equal Opportunity Commission, p. 911.

[123] Submission No. 51, Human Rights and Equal Opportunity Commission, p. 934

[124] Submission No. 51, Human Rights and Equal Opportunity Commission, p. 934

[125] Submission No 51, Human Rights and Equal Opportunity Commission, p. 935

[126] Submission No. 51, Human Rights and Equal Opportunity Commission, p. 936

[127] The Committee has some concerns over any separation of the Privacy Commission from the Human Rights and Equal Opportunity Commission, under the provisions of two bills before the Senate - Human Rights Legislation Amendment Bill 1997 and Human Rights Legislation Amendment Bill (No.2) 1998. Privacy is an essential human right and must be seen to be a part of the operations of the Human Rights and Equal Opportunity Commission. See also the Report of the Senate Legal and Constitutional Legislation Committee into the Human Rights Legislation Amendment Bill 1997. The Legislation Committee's report into the Human Rights Amendment Legislation Bill (No. 2) 1998 was tabled on 17 February 1999.

[128] Submission No. 13, Australian Computer Society, p. 333

[129] Submission No. 13, Australian Computer Society, p. 332

[130] Transcript of evidence, Human Rights and Equal Opportunity Commission, p. 72

[131] Transcript of evidence, Campaign for Fair Privacy Laws, p. 144

[132] Moira Scollay, “Stark choices for private sector privacy”, Privacy Law and Policy Reporter, 4 (1997) p. 89.

[133] Transcript of evidence, Human Rights and Equal Opportunity Commission, p. 72

[134] A recent survey by the Electronic Privacy Information Centre of the 100 most popular internet sites in the USA found that 49 sites collected personal information but that only 17 sites had privacy policies stated on the site. Only one site allowed users to access information collected about them and 24 used cookies to collect information about users. However, there was still a widespread practice of allowing users to browse sites anonymously other than for disclosure of TCP/IP addresses by browsers (Submission. No. 33, Professor Graham Greenleaf, p.561).

[135] Transcript of evidence, Australian Law Reform Commission, p. 226.