Chapter 5
Privacy protection in Australia: current standards and self-regulation
Introduction
5.1 The Committee received evidence supporting and rejecting self-regulation
of privacy by the private sector.
5.2 A major factor inhibiting the discussion of self-regulation was that
it was not clearly defined. The Committee believes it is essential to
clarify exactly what is meant by the term `self-regulation', and has examined
the use of this term in various categories of submissions. On consideration,
the Committee is of the view that there is very little pure self-regulation
in existence, and that there may in fact be greater agreement between
parties than would appear at first sight as to the preferred level of
privacy protection.
5.3 The Committee believes that a high standard of privacy protection
does not necessarily impose significant financial or administrative burdens,
nor does it make companies uncompetitive. At the same time, it is essential
that standards demanded are not so high that they fail to meet the needs
of consumers or any legitimate expectations of business and other bodies.
The debate on self-regulation must go beyond the narrow limits of self-interest,
and demonstrate awareness of the best ways of meeting the needs of the
community in general.
Definition of self-regulation
5.4 In examining the submissions and evidence provided to the inquiry,
the Committee considered that a major problem was the absence of a definition
agreed to by all parties. The definition of `self-regulation' that has
been adopted in this report is:
- The practice of an organisation or group of like organisations voluntarily
selecting, adopting and enforcing rules to produce compliance with a
defined level of behaviour, without direct legislative interference
by government.
5.5 In this definition the key factor is that there is no direct legislative
interference or involvement by government. The components of the code
or scheme may have different sources, but they are not established within
a legislative framework. Thus, although the contents of information
privacy principles are also crucial to any self-regulatory scheme accepted
by some industry groups, the most important single feature is the absence
of a legislative framework.
5.6 The existence of some legal limits in existing self-regulatory schemes
may be considered as making these co-regulatory rather than self-regulatory.
In a sense, this is true insofar as parts of the operations of some industry
sectors are subject to the provisions of the Privacy Act 1988,
and the crucial component of the best-known (proposed) co-regulatory scheme
(outlined in Privacy Protection in the Private Sector [1])
was the existence of a legislative framework. Notwithstanding such limitations
to a percentage of their operations, some industries appear to consider
that self-regulation does dominate when only a part of their operations
are so limited. The other sectors may be governed by various principles,
but these cannot easily be enforced by law.
5.7 This separation of principles from a specific legal framework must
necessarily place considerable onus on the force of the principles themselves
and on the process by which any breach of principles can be addressed,
either by the industry body itself or by any party adversely affected.
The characteristics of the self-regulated system
The role of legislation and other legal remedies is limited
5.8 The role of existing legislation and legal principles as a part of
the current framework of privacy protection has been outlined above in
Chapter 4. These will still remain in force with the development of a
self-regulation model, which is able to accommodate some legislative restrictions
if these are part of a pre-existing arrangement, or a part of established
legal principle.
5.9 The banking sector, for example, considers that the National Principles
would form a part of its contractual relationship, [2]
and thus would be enforceable through the ability of the customer to take
legal action. [3] The provisions of existing
legislation are expected to continue. [4]
Legislation is seen as rigid, inflexible and out-of-date
5.10 Opposition to privacy legislation for the private sector by some
industry groups and by the Attorney General was marked by a correlation
of legislation with `heavy handedness', as compared with the non-legalistic,
flexible approach offered by self-regulation:
The Government believes that the imposition of a heavy-handed regulatory
approach to addressing privacy is not necessary and accordingly the
principles are not intended to be legalistic rules. [5]
5.11 Other versions of the `heavy-handed legislation' approach were the
`black-letter law' and the `wait and see' approaches. The first emphasises
that a legislative framework is likely to be `black-letter' law, which
appears to be seen as rigid and inflexible:
there has been a rejection of the `one size fits all' black letter
law approach, in favour of a framework adaptable to the needs of particular
industries and consumers. [6]
5.12 The second approach suggests that there is no point looking at legislative
frameworks because industry has spent substantial time on self-regulation
(primarily, it seemed, the National Principles) and noted that
it did not wish to have its time wasted [7]
(`this process should run its course.' [8]).
5.13 Evidence to the Committee suggested that much of the current Commonwealth
privacy legislation is ineffective because it predates technological development,
and especially because it cannot accommodate modern business practice.
[9] In particular, the IPPs, which were an integral
part of the legislation, were out of date and unable to meet the needs
of business: [10]
Extension of the Commonwealth privacy legislation to the private sector
is opposed. Such legislation was not designed for the needs of the private
sector and ignores the varying operational requirements of different
industries in the private sector. [11]
5.14 There appears to have been no suggestion made that:
- the legislation could be amended to take account of this, introducing
a range of much more flexible principles to accommodate the needs of
business; and
- as the public sector in Australia is increasingly being privatised
or requested to behave as though it is a private body, the existing
legislation may be inappropriate for the public sector as well (the
proposed amendments to the Privacy Act 1988 possibly not
going far enough to meet changes). [12]
5.15 It may be more effective and cost efficient to change the legislation
altogether, rather than piece by piece:
The boundaries between the public and the private sectors are becoming
increasingly blurred with corporatisation, privatisation and outsourcing,
and it no longer makes sense, if it ever did, to single out activities
performed by government agencies for special treatment. [13]
5.16 However, this approach was not supported by some elements of the
industry sector. The emphasis appeared more on avoiding legislation than
reforming it.
5.17 There is nothing inherently heavy-handed in legislation; the key
point is that the nature of the legislation depends on its requirements.
However, the emphasis by some industries on such a correlation tended
to obscure the fact that the restrictions imposed by existing legislation
on industry are minimal. [14] It is possible
that existing legislation could also be amended to remove what may be
seen as restrictions and add more appropriate provisions.
5.18 From the viewpoint of some consumers, a further concern is that
if some existing legislation such as the Telecommunications Act is
seen as rigorous, or `heavy-handed', there will be pressure to weaken
it in order to conform with the weaker requirements from a self-regulating
scheme. In such an instance, the argument of uniformity and consistency
may be used to water down, not maintain, existing law. There may be little
pressure to ensure that agreed self-regulatory codes step up their standards
to conform to existing legislation.
5.19 The opposition to the `imposition' of `heavy handed legislation'
and `legalistic' practices is reinforced by the suggestion of some industry
groups that industry has an inherent tendency to self-regulate. This approach
suggests that all organisations manage themselves appropriately and automatically
do so to the maximum benefit of all parties. However, it may be the case
that development of a satisfactory model of self-regulation has more to
do with the nature of some industries rather than being an inherent characteristic
of business generally.
5.20 Established industries, including representatives of the banking
sector, stated to the Committee that they had in place principles of operation
which were an integral part of their business practices. The confidentiality
of transactions (subject to any legal requirement otherwise)
was deemed to be the key feature of banking and related financial transactions.
[15]
5.21 The banking sector representative, the ABA, stated that the effectiveness
of schemes did not depend on legislatively backed enforcement and related
mechanisms. [16] There was a suggestion that
in a well regulated world no external input was necessary (although there
is an external compliance monitor of the EFT code). [17]
However, not all groups work so cohesively as the banking sector appears
to, and what may be appropriate for one industry may be quite wrong for
another. Not many industries have such long-established principles. [18]
There is a role for `government' but it is limited
5.22 In the original discussion paper (Information Privacy in Australia)
prepared by the office of the Privacy Commissioner, the option of `purely
business based solutions, or some involvement for government' was offered
in respect of complaints mechanisms. [19] The
need for a `backstop regulator' was also raised, [20]
and this is a role that may also be filled in part by government. The
extent of involvement by government might affect the self-regulating status
of a scheme, but not invariably, and not wholly; the crucial factor
is still whether an organisation can be forced to act, and can have penalties
imposed for not acting.
5.23 The submission from the Privacy Commissioner's office noted that
existing mechanisms such as industry ombudsmen must be allowed to operate
within the framework of the National Principles. Nonetheless, this
does not take into account the fact that for some consumers, the effectiveness
of industry ombudsmen [21] (funded, as they
are, by the industries against which consumers complain) may be compromised.
5.24 In the context of considering the meaning of `self-regulation',
industry ombudsmen are not established under law, but have been given
certain powers through legislation, [22] and
can be monitored by federal government bodies. They are thus part of a
framework outside of `self-regulation'. In evidence to the Committee,
the Australian Bankers' Association detailed the powers of the Banking
Industry Ombudsman:
when investigating a complaint, the Ombudsman not only takes
into account strict rules of law, but also general principles
of good banking practice and any applicable codes of practice. His recommendations
or awards are made by reference to what is, in his opinion, fair in
all the circumstances. This is a much wider discretion than a court
of law has. [23]
5.25 The proposed level of involvement of government in the privacy self-regulatory
scheme is still not entirely clear. A board or an `independent' scheme
monitor may all be forms of `government' involvement, but they are far
from bringing a power to enforce any principles, and may in fact do the
opposite. It may be essential for government to stand at a distance from
day to day involvement in order to give a message to consumers that it
does care about their needs [24] and has not
become one with business. [25] This would also
be important in the area of complaints handling.
Summary
5.26 Self-regulation is a process marked by an ability to accept some
involvement by government or even some monitoring or administration by
an external body, while still being `self' regulating. So long as there
is no legally enforceable obligation, other than those available through
more general legal processes, or, in some cases, some existing legislation,
`self-regulation' retains its essential character.
The advantages of self-regulation
5.27 The advantages of self-regulation are deemed to be:
- Appropriateness: the regulatory framework is devised by those
who know the area. There will be little input or ongoing involvement
by those who are `outsiders'.
- Flexibility: the guidelines can be changed to accommodate needs,
and keep up with technology.
- Simplicity: the guidelines will be straightforward and comprehensible
because they will be non-legalistic; and
- Limited cost: although the cost of self-regulation is not negligible,
it is assumed to be less than enforced regulation, presumably because
of limited enforcement procedures and public sector involvement. There
will be no onerous external management.
Appropriateness
5.28 The involvement of the relevant industry or private sector body
in the development of principles and the non-enforceable nature of these
is emphasised by the press release of the Attorney General of 20 February
1998. This release states that a regulatory approach would be heavy-handed
[26] (a point emphasised by the ABA) [27]
and that the National Principles were to be seen not as `legalistic'
rules but as guides `intended to provide practical assistance to business'.
[28]
5.29 The ABA also implied that self-regulation was one means by which
the continued appropriateness of privacy principles could be facilitated.
The changing dynamics of the financial services industry dictate the
need for a flexible regulatory framework, an approach supported by the
Federal Government and recommended in the final report of the Financial
System Inquiry. [29]
5.30 In a further statement, the ABA noted that a more competitive marketplace
required a different system to that existing in the public sector:
it could not afford to operate on the basis of individual consent in respect
of each transaction, [30] but must always be
able to move without such specific consent. [31]
A similar concern about individual consent was raised by the Australian
Credit Forum. [32]
5.31 In part, these statements do reflect some awareness of one of the
main problems currently limiting the effective implementation of concepts
of privacy: the gap between technological and other developments
and the law as it stands. However, limited evidence was provided to the
Committee demonstrating that the financial sector was notable for devising
self-regulatory privacy schemes that overcame any of the problems deemed
to be created by the use of legislation; that is, there was little
evidence on the flexibility and adaptability of self-regulation.
5.32 The automatic coupling of law with `heavy handedness' is an unfortunate
link, suggesting that `industry' is an ever-changing enterprise that should
not be fettered by the principles that limit society in general. While
it has been argued by many that the law in many areas is unable to accommodate
substantial social and other change, it is not accepted that there should
therefore be as little law as possible. Industry has offered little evidence
to the Committee that would justify this approach.
5.33 Appropriateness is also another means of suggesting that competitiveness
is essential and that it would be `inappropriate' for Australian business
to be limited in its capacity to compete with other markets. In this context,
bodies such as the ABA refer to competing with the US market, which they
claim to be unregulated, rather than with other areas such as the EU which
have strict legislative privacy controls. [33]
Flexibility
5.34 The emphasis by industry bodies on their knowledge of their customers
and their capacity to provide products their customers needed or wanted
is seen as requiring a flexible approach. The provision of individual
or one-off services, each bound by specific agreements, is suggested as
inappropriate; a business must be able to provide multiple services
without undue administrative barriers:
Effective management of the customer relationship so as to maximise
the customer's satisfaction with the service offered by the organisation
is not dependent on narrow legal concepts of consent and express opt-in
arrangements. The National Principles recognise the importance
of the customer's expectation in the use and management of his or her
personal information. [34]
5.35 Flexibility is also linked to appropriateness both of the
commercial services provided and of the principles, which guide the provision
of those services. A modern commercial transaction is promoted as quick
and smart, meeting a customer's needs. Implicitly, no such principles
guide the provision of other services, especially those from the public
sector.
5.36 In contrast to this, evidence was presented to the Committee indicating
that flexibility in a highly competitive world was often only possible
when there was some certainty:
With respect to the [codes and industries] we have been talking about
(banking, insurance and superannuation), the history of the
last decade or decade and a half has been [one of] extraordinarily rapid
change, some of it pressed by government policy and legislation,
others by market reality. In those circumstances of dynamic change,
only legal obligations can have any assurance at all of maintaining
uniform application across the sector. [35]
Simplicity
5.37 Because self-regulation is seen as appropriate and flexible, capable
of being adapted by agreement rather than complex machinery of government,
it is also presented as streamlined and minimalist; not bureaucratic and
tied up in red tape. [36]
5.38 On this point, the Committee stresses the importance of not losing
sight of the ultimate criterion, which is the effectiveness of a
system in achieving privacy protection. A system, however streamlined
and minimalist, is useless if it does not achieve its objectives. For
this reason, the objective should be developing a regime that provides
effective privacy protection with the minimum regulatory burden.
Limited Cost
5.39 The cost of privacy is often presented as being too high and as
requiring limitations. Regulations or legislation in particular are seen
as inherently expensive, relative to the costs of self-regulated codes
of practice. However, costing of privacy schemes is difficult mostly because
the variables are unknown. It is not easy to determine, for example, the
extent to which consumers will complain, or the extent to which they will
require compensation. Thus, administrative and other costs are difficult
to predict.
5.40 Much of the debate about cost is of limited use because it appears
to be based on exaggerated figures by various sides. This matter is considered
in further detail in Chapter 6.
5.41 Little emphasis was placed by witnesses on the costs of self-regulation,
including the cost of the implementation of the National Principles.
Some indication was given by the ABA that the Principles should be implemented
gradually, although this was not explicitly related to cost. [37]
The coverage of existing self-regulatory systems
5.42 The Committee has heard evidence that a number of self-regulatory
systems are in place which are effective and which demonstrate that legislation
is not needed:
The ACCC has a number of codes that it could quote as being highly
successful in regulating a corporation's behaviour with no legislative
backstop whatsoever.
I actually asked the ACCC for some examples
and they provided me with three codes: the jewellery and timepieces
industry code, the Australian Pharmaceutical Manufacturers Association
and a code on the personal hygiene products industry. [38]
5.43 Other evidence listed codes that were appropriate, met the needs
of consumers and dealt with the issue of coverage and uniformity:
The best example is that of the Scanning Code in Computerised Supermarkets.
This Code has operated for several years to ensure the fair treatment
of customers. It arose out of concerns that the [retail] industry could
have faced different and perhaps conflicting state legislation to solve
the same nationwide problem. The Australian Supermarket Institute
has administered this code to the satisfaction of ACCC. [39]
Adequacy of the existing and proposed self-regulatory systems
5.44 In considering the adequacy of existing self-regulatory arrangements
within the private sector, the Committee considers there are two key questions.
The first is the extent of the coverage of current schemes, and the second
is their effectiveness.
General coverage
5.45 On the evidence received, the Committee finds it difficult to accurately
gauge the extent of coverage of existing self-regulatory privacy schemes
in the private sector.
5.46 Significant parts of the private sector have adopted, or have indicated
that they intend to adopt, self-regulatory schemes. [40]
The Australian Direct Marketing Association is redrafting its code of
practice to take into account the National Principles and is also
actively examining the different options for enforcement of its new code.
[41]
5.47 The Australian Retailers Association stated that a number of compatible
codes already existed; [42] that it believed
it would be important for such codes to be established; and that it had
itself "established a sub-Committee to develop a retail industry
Privacy Code encapsulating these standards as they relate to the retail
industry." [43] Many of the professions,
such as the medical and legal, also include in their codes of conduct
provisions concerning the protection of the privacy of clients. [44]
5.48 The Privacy Commissioner informed the Committee that several peak
private sector organisations were examining the National Principles
or had adopted them. [45] This information
was based on a survey of national industry associations by the Privacy
Commission which found that a few months [46]
after the release of the National Principles:
- around half of respondents said they had seen the National Principles;
- half of respondents, though not the same half, even though there is
some overlap, have some kind of information privacy guidelines in place
in their industries;
- about half those respondents with some kind of guidelines in place
said that they would review their guidelines in the light of the National
Principles;
- respondents who have not seen the National Principles said
that they were interested to find out more about them. [47]
5.49 This level of response is not particularly encouraging, given that
the National Principles are voluntary and given the criticism by
some groups that important issues had been avoided. [48]
Other surveys are equally discouraging. A 1997 Price Waterhouse survey
[49] revealed that only 38% of companies surveyed
had formally documented privacy policies in place, while 45% of companies
had guidelines; 50% of companies had operational procedures
in place to support privacy policies, while 26% stated that they do not
have any privacy related procedures or guidelines; 80% of companies failed
to have privacy training programs for employees.
5.50 A related problem is that where a scheme is self-regulatory, and
especially where there is limited pressure from any source, including
government, to adopt it, implementation may be delayed. The Committee
was told, for example, that industry associations are trying to bend the
National Principles and the present self-regulatory scheme to suit
their own interests, rather than participating in the process in good
faith:
What we see is a pattern of the industry associations trying to pick
and choose. They are trying to take those parts of the principles that
they think they can live with and leave those that they do not like,
things like access to evaluative material or undue restrictions
on direct marketing, and basically providing what they think consumers
should get in their particular sector. We know that simply does not
measure up. We now have a set of international standards which have
been accepted and implemented without great difficulty around the world.
That is what we need here in Australia as well. [50]
5.51 The development of high quality codes is not the same as making
such codes enforceable. The President of the Australian Law Reform Commission
noted that there were indeed several excellent codes in existence, and
that the development of appropriate codes was an objective that could
be achieved by business. However, he was of the opinion that these had
to be mandatory:
What we do see as real life is that, over a period of time, unless
those codes are mandatory, that is, unless all the participants
in the sector have to follow the standards that have been set out,
then we will find the inevitable happening.
No other piece of the financial sector's development in the last 15
years, from Campbell to Wallis and after, has in any real
respect depended on voluntary codes being the sole support. We do not
see privacy and access to information, that is, both the protection
of information and, importantly also, the full community access to information,
being guaranteed in any other way than through a legislative
base. [51]
Industry coverage not full and consistent
5.52 A number of witnesses, including the Privacy Commissioner, noted
that self-regulation faced serious problems in obtaining appropriate and
consistent coverage. Such issues must affect the extent to which a voluntary
system will be able to bring together a wide range of groups to provide
what many have emphasised is essential: uniformity and certainty,
by whatever means. [52] They may even affect
the ability to devise a scheme sufficiently flexible to overcome the opposition
to the `one size fits all' approach. [53]
5.53 These problems include the fact that while some peak organisations
may support a principle, members of the peak organisation may not. They
may consider that the peak body is not fully representative, [54]
they may not belong to the peak body or they may not agree with all the
actions of the peak body.
5.54 A further problem is that there may be more than one industry association,
and they may have different views. [55] Thus,
it is possible to have incomplete coverage and uniformity in an industry:
An industry may have a number of competing industry associations. As
a result, coverage of the entire industry may not occur because of disagreements
between the rival associations; even where an industry is represented
by one association, there may be organisations within an industry that
refuse to join the association and so not be bound by the self-regulatory
process. Organisations within an association may also refuse to abide
by the rulings of a self-regulatory mechanism. [56]
5.55 Even in an industry with a dominant organisation, the adoption of
effective self-regulation may be inconsistent:
in the telecommunications area, despite the provision of
a sort of co-regulatory privacy framework under the Telecommunications
Act, the privacy and consumer groups have found that there is only partial
and unsatisfactory progress towards meeting privacy standards in the
telecommunications environment. All of the carriers are having to be
dragged, kicking and screaming, into providing adequate privacy standards
through the consultative processes under the Telecommunications Act,
and the rather blunt statutory backing for those provisions means that
we are having great difficulty in persuading Telstra and some of the
other carriers to come to the party on providing adequate notification
to individuals about their privacy rights and on seeing them through
into enforceable implementation. [57]
5.56 In some instances, there may be no effective industry organisations,
making it unlikely that there will be the resources to deal with complaints
in an independent or effective way. [58] Even
in areas where there may be limited commercial benefit obtained from lack
of privacy protection, consumers may find that their often sensitive personal
information has virtually no security:
Aside from people who are subject to some kind of code or voluntary
regulation from their professional organisation, there are a lot of
service providers to people with psychiatric disabilities. There are
other health service consumers, and consumers generally for that matter,
which are not regulated at all: in the mental health area, for
example, counsellors and psychotherapists, who are entitled to practice
without being members of any particular professional body which can
investigate complaints against them. [59]
5.57 This situation results from an incomplete and inadequate coverage
by professional or para-professional groups. Some professions do not have
clear privacy protections in place for all the information they hold,
[60] may not have up-to-date privacy principles,
or may have ineffectual enforcement and implementation mechanisms.
5.58 However, similar problems are even more likely in other industries.
Sectors such as the real estate industry, [61]
the internet, [62] organisations that maintain
certain health records, [63] and organisations
that engage in information mining and collation of information from existing
records [64] and surveillance of employees
[65] are largely unregulated, through a failure
or absence of self-regulation or adequate legislation.
5.59 There is still nothing to compel irresponsible companies to comply
with privacy standards. [66] In such instances,
the need for some capacity to enforce principles may be supported by commercial
organisations. [67]
5.60 This type of problem remains a source of concern to both responsible
companies and to the Committee. Remington White Australia, a company that
provides database services in the real-estate rental market, drew the
attention of the Committee to the operations of a company, which was:
quite keen to trade with anyone and everyone, [the] details provided
to them by real estate agents that use their services. We were concerned
from an industry standpoint that this demonstrated a gross misuse of
the information provided to them and in fact we immediately brought
the contents of the flyer to the attention of all the heads of the Real
Estate Institutes in each state to warn them of the apparent misuse
of this data. [68]
5.61 In other evidence on this point, witnesses from two companies that
operate tenancy databases described their efforts to comply with privacy
principles and contrasted their activities with other operators within
the same industry. These other operators, it was claimed, failed to adhere
to privacy principles. The operators provided, through the Internet, the
names of `difficult' tenants. The General Manager of one of the more ethical
tenancy databases told the Committee:
We are extremely concerned over some databases that are on the market.
Admittedly they are a lot smaller than we are. However, in order to
try to attract a marketplace, they step into the area of basically being
cowboys by allowing people to record all types of defamatory remarks.
We are extremely concerned about that. [69]
5.62 Owing to the mostly voluntary nature of self-regulation schemes,
there is no way to ensure that an industry will retain a scheme, or that
a private sector organisation will remain within an industry organisation
that operates a scheme. Self-regulation is incapable of dealing with both
the cowboys, who never join, and the regulatory deserters.
They allow others to be limited by self-imposed restrictions, and then
move in:
Why should an organisation that applies adequate privacy protection
be placed at a disadvantage over one that does not? This could occur
through additional costs in their computer systems or through not following
up with direct mail if the customer has expressed a desire not to have
such follow up. A similar problem would occur when an organisation does
not comply with privacy rules and obtains carefully tailored marketing
lists and is thus enabled to make more sales at a lower cost and hence
make a better profit. These pressures on a voluntary system would ensure
the lowest common denominator was followed. Legislation is needed to
ensure a level playing field for all competitors. [70]
5.63 As the above reference has made clear, the major impetus for free
riding or deserting was that it bestowed a competitive advantage.
One example which the [Australian Law Reform Commission] has been closely
involved with for many years is the self-regulatory approach followed
in franchising. The voluntary code proposed, followed and exhorted by
both the government and the franchising sector in Australia has not
worked, most particularly because in that case, in two or three sectors,
it was found to be to the competitive advantage of those franchisors
not to sign up to the code. [71]
5.64 There is little regulation at present in some parts of the private
sector. As a result, there are few controls on the collection of information
and there is limited access to redress. As well, the contracting out of
services formerly provided by the Commonwealth has led to some information
that was originally collected by Commonwealth authorities losing the level
of protection that it had under the Privacy Act 1988. [72]
Effectiveness of existing self-regulatory schemes
5.65 As has been stated above, the second criterion for assessing the
effectiveness of any privacy protection scheme is the extent to which
it creates enforceable rights and obligations. As Professor Caelli said:
When you get to the enforcement side of these codes of conduct or the
ethical basis, the question is really one of whether or not the industry
organisation and/or professional organisation associated with that particular
industry has enough force, let us say, in good old Australian,
enough clout to actually make such a privacy regime stick. [73]
5.66 It is in this respect that the Committee holds the greatest concerns
as to the adequacy of existing privacy protections in the private sector.
Overseas experience demonstrates that industries, especially those connected
with newly emerged technologies, have failed to introduce effective privacy
protection schemes. Moreover, a number of witnesses advised the Committee
that history indicated self-regulation did not ensure an acceptable level
of compliance with desirable standards of behaviour: [74]
It is clear that the private sector is incapable of providing an adequate
level of privacy protection without a legislative framework. To date
we have seen only a modest incorporation of some of the privacy principles
into a few codes of practice, applying to limited and self-selected
areas of the private sector, and generally without effective complaints,
investigation and enforcement mechanisms. [75]
5.67 Thus, the development and coverage issues, while important, are only
the beginning. Even if these are sound, they will have limited effect
if they cannot be enforced.
Monitoring, complaints and enforcement mechanisms
5.68 The Committee heard that in some sectors, there are quite robust
enforcement systems. The banking industry claims, with some justification,
that its privacy controls have been very successful in an industry that
has grown massively in recent years, pointing to the Electronic Funds
Transfer (EFT) Code and the existence of the Banking Ombudsman. [76]
In the banking industry, a customer with a complaint can, in the first
instance, raise the matter with the bank:
The bank would investigate it. If the customer were not satisfied that
the bank had properly investigated the matter, the customer could take
his or her complaint to the Australian banking industry ombudsman scheme.
The scheme has power to look at what are known as acts of maladministration,
which would include a bank breaching its duty of confidentiality to
a customer. The ombudsman has a range of options available to him. He
can make a recommendation to the bank to take appropriate action,
some form of redress for the customer or, if the bank will not
do that, he can actually exercise power to make an award which, if the
customer agrees with that, the bank is bound to comply with contractually. [77]
5.69 In theory, the existence of an industry ombudsman can have advantages
such as independence and limited cost. However, costs will increase if
the customer does not accept the decision of the ombudsman, since the
matter must then be dealt with on the basis of an action for breach of
contract. [78] Delays in ombudsman procedures
may also be substantial, and this factor limits ease of access.
5.70 Notwithstanding the example of the banking industry, the Committee
finds that in general, there are real gaps in privacy protection, and
the effectiveness and enforceability of privacy protection through existing
self-regulatory codes is inconsistent and inadequate.
5.71 There is a general lack of credible enforcement mechanisms and of
opportunities for timely redress and remedy. Sanctions on private sector
organisations for breaches of privacy rights, intended to deter further
breaches or prevent opportunistic breaches, do not seem to figure prominently
in the schemes under development.
5.72 To the Committee's knowledge, only the Australian Bankers Association
has implemented an enforcement mechanism, although others have begun the
process. [79] The reason for the banks' success
may well be that the banks have developed a uniform set of values through
shared self-interest over a long period of time. This has effectively
established a culture which values privacy as the foundation of commercial
success. [80]
5.73 Another issue that must be taken into account in evaluating the
usefulness of self-regulatory schemes is whether they may be seen as breaching
legislation on competition. An agreement to abide by a self-regulatory
scheme may be construed as anti-competitive and render the private sector
organisations subject to actions under laws that are intended to promote
competition between businesses. The difficulty that enforcement of self-regulatory
codes poses, especially in navigating competition laws, was noted in
a number of submissions (although the Committee has not received enough
evidence on the issue to fully evaluate its implications). [81]
5.74 The Privacy Commissioner summed up these problems this way:
In practical terms, however, a purely voluntary approach to privacy
protection, with no legislative element at all, poses difficult problems
of implementation. Satisfactory outcomes may well be achieved in highly
organised industries with active and well-supported industry associations,
but in other more fragmented industries, or in areas of activity that
are not organised along industry lines, there are clearly some difficult
challenges. [82]
Regulatory capture
5.75 There are other problems with self-regulation, including the limited
viewpoint that it provides. Where industry has a uniform view and little
internal competition, there is no force which leads it to take the needs
of others into account. Self-regulation invites members of the private
sector to engage in various practices which have no benefit to the broader
community and can adversely affect the standing of the parent organisation
or profession. Possibly to its own short and long-term detriment, an industry
can in fact be captured by its status and its own limited perspective.
5.76 Such practices are of little advantage to the individual consumer.
They may also contribute to increased and unnecessary costs and development
of unnecessary services. Unfortunately, industry sectors may see only
a short term benefit, or a supposed saving, in not taking appropriate
action. The cost of this is likely to be substantial.
5.77 An even more serious problem occurs when such regulatory influence
extends to independent bodies which are involved in developing guidelines;
monitoring the operation of these guidelines; or acting in some capacity
in the enforcement and/or complaints processes. For this reason, publicly
funded bodies should remain at arm's length from the private sector. This
can be achieved by public organisations:
- Ensuring that dominant industries, or dominant groups within an industry,
do not gain control of discussions which are meant to be comprehensive
and all-embracing;
- Ensuring that all industry and professional sectors are involved in
discussions or have the opportunity to be involved;
- Ensuring that no principles or guidelines which are deemed to be uniform
are given that status unless there is general consensus by all industry
groups;
- Avoiding becoming a member of industry boards, unless very clear guidelines
apply;
- Ensuring that any involvement as an `appeals' resource is genuinely
objective. [83]
The National Principles as a form of self-regulation
General comments
5.78 The National Principles are seen as the most recent expression
of private sector self-regulation. In keeping with the government directive
to be minimalist in approach, the principles are basic in their expectations
and obligations (albeit acknowledging that existing legislation or other
legal obligations would have to be accommodated). [84]
5.79 The Principles primarily are a set of expectations with no clearly
defined meaning. Guidelines are attached which are not an integral part
of the Principles but which are "an initial guide to the Privacy
Commissioner's preferred interpretation of the principles". [85]
5.80 The Principles are notable mainly for a dichotomy between the headings
placed at the beginning of each Principle, which emphasise what an organisation
`will' do, and the contents of the Principles themselves which
emphasise only what an organisation `should' or `ought' to do. As the
headings are not a part of the Principles, [86]
the use of such different terms is clearly misleading and should be removed.
Adequacy of the National Principles
5.81 Some major industry sectors supported the release of the National
Privacy Principles, suggesting that they met the needs both of industry
and the consumer. This support appears to be based on the fact that the
Principles did not include certain components such as employee
data or `workplace related information'. [87]
The Australian Bankers' Association emphasised that the Principles were
appropriate as `a basis for businesses to develop practices to
ensure that the privacy of individuals is protected.' [88]
The Australian Privacy Charter Council also expressed some qualified support
for the Principles, describing them as being `reasonably close [to] the international
best practice'. [89]
5.82 One witness, who compared the contents of the Privacy Principles
with that of other principles, noted that they contained much the same
information as earlier sets:
The principles announced by the Privacy Commissioner in February 1998
[are] essentially a revision of those in the 1988 Act in the
light of further experience, and changing public attitudes, notably
an increase in concern, heightened by E-Commerce and the Internet.
A point that should be noted about these sets of principles is that
they all contain the same basic set of rights which have stood the test
of over 25 years of usage. That only relatively minor changes are now
included indicates that the validity of these principles is nearly as
good as we can get at present, and they should form the basis of revised
public sector and suggested private sector legislation. [90]
5.83 However, some evidence provided to the Committee suggested that
the Principles, as an expression of self-regulation, were as outdated
and inflexible as the legislation that some industries condemned:
The Australian Privacy Commissioner's 1998 'National Principles'
document is merely a very late addition to the substantial pool of 1970s
documents. A document based on 30-year-old precepts, and which contains
additional exemptions based on special pleading, is utterly inadequate
as a means of addressing the ever-growing public concerns about the
privacy invasiveness of business practices.
The result of a flawed process is a flawed document. The 'National
Principles' have many mainstream and worthwhile features, but contain
carefully crafted loopholes that seriously undermine some of its most
important features. In particular, the exceptions to the use and disclosure
principle essentially gut the critical protections that this principle
is supposed to provide. They attempt to legitimise practices that demand
public justification. [91]
5.84 Other problems with the Principles were listed as including the
very factors which business found to be an advantage, for example the
fact that they did not apply to employee data. The European Union notes
in its submission that employee data is an important area for international
data flows [92].
5.85 It was also argued that:
- There are several exceptions [93] allowed,
and these relate, among other things, to direct marketing and access
(Principles 2.1(c), 6) and law enforcement (which requires express authorisations
for exceptions); [94]
- The Principles allow for the possibility that data may be used for
a purpose different from that advised at collection, in particular,
in the area of direct marketing, and that such uses can occur without
sufficiently strong safeguards. This point was severely criticised by
one submission which noted that the Principles provide reasonable exceptions
(as in the OECD principles), but beyond those exceptions, the rights
of consumers must be carefully protected:
the Privacy Commissioner proposes an exemption for direct marketing
companies, from some of the principles [2.1(c) (i)].
If a company requires client details for direct marketing, or to sell
to another company for direct marketing, it should say so. Few people
may give permission for this form of marketing, but it is not the Privacy
Commissioner's job to protect questionable business practices. [95]
- The issue of secondary use of information was important, and the nature
of the authority which determined secondary use access was also crucial;
[96]
- The right of an individual to access personal data seems to be subject
to a great number of exceptions and restrictions; [97]
- Access to personal information by a range of government agencies needs
to be clarified (Principle 2: exceptions (e), (g) and (h)); [98]
- Implicit consent is used for handling sensitive data, when this sort
of data should be afforded greater protection; [99] and
- The National Principles lack specific provisions for dealing
with the issue of onward transfer of data. The National Principles
seem to allow the transfer of data to organisations that do not themselves
abide by the privacy protection principles.
5.86 One witness concluded that, for a range of reasons including the
need for uniformity and adherence to acceptable standards, the Principles
were not appropriate: they `are not seen as a suitable basis for protection
of public privacy in the private sector.' [100]
Adequacy of content - The National Principles and the European Union Directive
5.87 Aspects of the European Directive have been discussed above in Chapter
3. [101] In contrasting the National Privacy
Principles with the European Directive, a number of other issues become
more apparent.
General
5.88 The EU Directive is phrased in language which suggests that the
enforceable provisions of the Directive are based on human rights principles.
`1. In accordance with this Directive, Member States shall protect the
fundamental rights and freedoms of natural persons, and in particular
their right to privacy with respect to processing of personal data.' [102]
5.89 As is noted above, [103] the headings
on the National Principles suggest a commitment, while the text
of the Principles refers only to what `should' rather than what `will'
be done. As the headings are not a part of the Principles, their effect
is to suggest approaches which are obligatory but which in reality are
not obligatory in any way.
5.90 By contrast, the headings on the Directive relate only to the content.
Further, the Articles themselves generally refer to the members' obligations,
and the fact that members `shall' meet certain agreed requirements.
Coverage
5.91 The European Data Directive is specifically concerned with personal
information, including personal information about employees.
5.92 The National Principles deal with personal information. Unfortunately,
ACCI managed to remove the issue of employee data from the National Privacy
Principles on the grounds that other legislation provided adequate protection.
However, current legislation regarding employee data will not protect
employee data which is being processed or otherwise dealt with offshore.
In this respect, the Directive is of a higher standard.
5.93 This highlights a problem with putting personal information into
separate categories: commercial information, which is to be protected,
and employee data, which is subject to other legislation. For the contractor,
the processing of the information is a task, and having two standards for
dealing with data is not satisfactory. It could also add to the processing
cost.
5.94 The EU Directive will cover all personal data, with the exceptions
listed in Article 3, including that which falls outside the scope of community
law, and that relating to defence, security etc. and processing of personal
data `by a natural person in the course of a purely personal or household
activity.' Article 8 also deals with `the processing of special categories
of data'. In this Article reference is made to the prohibition regarding
processing of specific forms of data, which does not affect the processing
of data of a medical and similar nature:
where processing of data is required for the purposes of preventive
medicine, medical diagnosis, the provision of care or treatment or the
management of health care services, and where those data are processed
by a health professional subject under national law or rules established
by national competent bodies to the obligation of professional secrecy
or by another person also subject to an equivalent obligation of secrecy. [104]
5.95 However, this proviso only refers to Paragraph 1 of Article 8, and
does not prohibit the processing of medical or similar data nor exempt
it from general provisions applicable throughout the Directive.
5.96 This coverage is broader than that currently available in Australia
through professional codes, self-regulation, proposed or actual legislation,
and the proposed National Principles. In particular, protection
is needed for sensitive information which is currently not addressed by
the National Principles, such as health/medical data. Evidence
received by the Committee suggested that while much medical information
was either protected through voluntary codes, or through the provisions
of legislation, [105] other information was
not subject to such protection. [106] The
extent and depth of coverage of the National Principles is a matter
of concern, especially given the limited consultation on matters relating
to security and police. [107]
Special Provisions
5.97 The EU Directive (Article 8) specifically prohibits the processing
of material so as to provide lists of information or names of people on
the basis of their race, religion or ethnicity etc, except where such
collection of information is appropriate. A similar proviso exists in
Privacy Principle 10, `Sensitive Information' which appears to be based
on the Directive.
Loopholes
5.98 As noted, [108] one of the main problems
identified with the National Principles was the existence of `carefully
crafted loopholes that seriously undermine some of the [Principles'] most
important features'.
Use and disclosure principle
5.99 Principle 2 refers to Use and Disclosure of Information. [109]
This primarily relates to the other use that may be made of information
collected. The main difficulty with secondary use is the absence of consent
from the data subject. Within NPP2 there is a fair amount of laxity in
favour of the direct marketing organisations.
5.100 This is expressed in terms which allow the direct marketers to
virtually ignore any constraints, especially through use of `reasonable
and practicable' exclusions. Thus NPP 2(c) states that if it is impracticable
for the organisation to seek the individual's consent before using the
information, and an opportunity is given either when the information is
collected or, at the instigation of the individual concerned, at a later
time, to `decline to receive any further direct marketing communications',
it is permissible to use the information. This provides extensive freedom
to the direct marketing groups, with much of the responsibility placed
back upon the consumer for refusing to receive further information. This
approach was criticised by the Australian Computer Society Inc. [110]
5.101 National Principle 2(1)(d) refers to use being made of personal
information on the basis of an organisation `reasonably' believing that
`the use or disclosure is necessary to prevent or lessen a serious and
imminent threat to an individual's life or health'. There is no obligation
for this use to be recorded or assessed. In contrast, Article 6(1) of the
EU Directive specifically states that personal data must be:
(b) collected for specific, explicit and legitimate purposes and not
further processed in a way incompatible with those purposes. [111]
5.102 In particular Article 14 of the Directive addresses concerns about
direct marketing, allowing individuals to lodge an objection to the use
of their data for this purpose:
14(b) to object, on request and free of charge, to the processing of
personal data relating to him which the controller anticipates being
processed for the purposes of direct marketing, or to be informed before
personal data are disclosed for the first time to third parties or are
used on their behalf for the purposes of direct marketing, and to be
expressly offered the right to object free of charge to such disclosures
or uses. [112]
Source of material about an individual
5.103 The National Principles offer a variety of exceptions for
the collectors of information, such as those set out in Principle 1 that:
where it is reasonable and practicable to do so, an organisation
should collect personal information directly from the subject of the
information.
5.104 This allows a range of exceptions on the basis of the terms `reasonable
and practicable'. In contrast, the EU Directive states:
processing is necessary for the performance of a contract to which
the data subject is party or in order to take steps at the request of
the data subject prior to entering into a contract. [114]
5.105 EU Directive Article 10 provides minimum standards of safeguards
regarding data collected from a data subject and Article 11 safeguards
information where the material was not collected from the data subject
but concerns him/her.
Access
5.106 The National Principles again appear to give preference
to the holder or processor of information through their use of the `reasonableness'
principle. Principle 5 states:
5.1 An organisation should have clearly expressed policies on
its management of personal information which [should] be readily available;
(emphasis added)
5.2 An organisation, on request, should take reasonable
steps to let individuals know, generally, what sort of personal
information it holds, for what purposes, and how it collects, holds,
uses and discloses that information. (emphasis added)
5.107 NPP 6 states that `Where an organisation holds personal information
about an individual, it should provide the individual with access to the
information on request, except to the extent that ...' (followed by a
long list of exemptions). While some of these exemptions are acceptable,
those which state, for example, National Privacy Principle 6(1)(c) `providing
access would be unduly onerous for the organisation' or (d) `the request
for access is frivolous or vexatious', further loopholes are provided
which could benefit organisations.
5.108 The extent of opportunity to correct information is limited, in
spite of the misleading heading to the principle (`Wherever possible we
will let you see the information we hold about you and correct it if it
is wrong'). National Privacy Principle 6(6) in fact places much of the
responsibility upon the individual and not the organisation:
`If an organisation holds personal information about an individual
and the individual is able to establish that the information
is not accurate, complete and up to date, the organisation should take
reasonable steps to correct the information so that it is accurate,
complete and up to date.'(emphasis added).
5.109 The EU Directive appears to give preference to the data subject,
who may, through Articles 12 and 14, obtain `without constraint at
reasonable intervals and without excessive delay or expense' information
about whether data is being processed about the individual, the purposes,
the categories and the recipients; the data, in an `intelligible' form;
and `any available information as to their source' and `knowledge of the
logic involved in any automatic processing of data concerning him at least
in the case of the automated decisions referred to in Article 15'. Article
14 provides a right to object, including to the use of data for direct
marketing purposes, as noted above.
Accuracy
5.110 National Privacy Principle 3 states that "an organisation
should take reasonable steps to make sure that the personal information
it collects, uses, or discloses is accurate, complete and up to date."
The heading over this principle states quite otherwise: "We will
ensure that information about you is accurate when we collect or use
it", but, as noted above, these headings are not a part of the principles
[115] and are thus worthless.
5.111 The EU Directive states:
(c) accurate and, where necessary, kept up to date; every reasonable
step must be taken to ensure that data which are inaccurate
or incomplete, having regard to the purposes for which they were collected
or for which they are further processed, are erased or rectified;' (emphasis
added)
Evaluative Material
5.112 The National Principles do not allow easy access to evaluative
data by the community, as in National Privacy Principles 6(2) and 6(3),
where access is linked to the material not being deemed to be in connection
with an `internal commercially sensitive decision-making process' (6(2)).
Such phrases, in spite of the provision of an `independent process' (6(3))
to determine their validity, are likely to be beneficial to business but
not to individuals.
5.113 The EU Directive does not specifically address the issue of `evaluative'
material, which may mean that it is perceived in the same terms and subject
to the same controls as any other information.
Transfer of information to an unapproved site
5.114 Article 25 of the Directive does not permit the processing of information
in a country which does not have adequate legislation. The effect of this
is twofold: firstly, it increases the protection for data; secondly, it
has the potential to exclude some countries from the marketplace. Article
25, Paragraph 1 states:
The member States shall provide that transfer to a third country of
personal data which are undergoing processing or are intended for processing
after transfer may take place only if, without prejudice to compliance
with the national provisions adopted pursuant to other provisions of
this Directive, the third country in question ensures an adequate level
of protection. [116]
5.115 Paragraph 2 of Article 25 refers to particular factors which may
be taken into account in assessing the situation, including the nature
of the data, domestic law, professional rules and security measures, all
of which may provide an appropriate level of security.
Possible exemptions
5.116 Article 25, Paragraph 6 then deals with the means by which countries
may be able to meet the above provisions:
The Commission may find in accordance with the procedure referred to
in Article 31(2), that a third country ensures an adequate level of
protection within the meaning of Paragraph 2 of this Article, by reason
of its domestic law or of the international commitments it has entered
into, particularly upon conclusion of the negotiations referred to
in paragraph 5, for the protection of the private lives and basic freedoms
and rights of individuals.
5.117 The NPPs at Principle 9 refer to transborder data flow, with a
heading of `We will take steps to protect your privacy
if we send personal information about you outside Australia'(emphasis
added). Principle 9 however, again gives a preference to the business
rather than the individual, stating that information can only be transferred
if:
9(a) the organisation reasonably believes that the recipient of the
information is subject to a statute, binding scheme or contract which
effectively upholds principles for fair information handling that are
substantially similar to these principles; or
5.118 Other provisos concern the transfer of information being for the
`benefit' of the individual concerned (9(d)) and the likelihood of the
person giving consent for transfer if they were aware of the fact (9(e)(ii)).
However, it could be argued that the transfer of social security data
is in the interests of the individual, but this in itself should not be
sufficient to allow for its processing in a situation where there can
be no guarantee of security (as opposed to the taking of `reasonable steps'
towards it (9(f))).
5.119 The proposed amendments to the Privacy Act 1988 provide
some limitations to this type of data transfer. [117]
However, this proposed legislation is of limited value, since it covers
a limited percentage of companies' operations, dealing only with the contracts
they have with governments in respect of specific services. [118]
Conclusion
5.120 Overall, the EU Directive places major limits on the processing
of material and provides substantially greater protection of the data
collected and processed. By placing its principles within a broad framework
of human rights and noting the right to privacy, the Directive links its
philosophy to general human rights issues.
5.121 The National Principles, in comparison, appear a very weak
and piecemeal approach to the issue of collection and protection of data.
They do not deal with substantive issues such as the rights of the data
subject; they give unequivocal preference to the wants of certain industries;
they provide very little obvious limitation on the discretion of certain
parties; and they provide virtually no direction as to the way in which
even the minimal protections provided would be safeguarded. They do not
locate privacy among human rights, [119] and
express limited concern for the rights of the individual as opposed to
the needs of the business community.
Enforcement mechanisms
5.122 One of the problems with the National Principles at the
time of writing is that they contain no information about implementation,
monitoring or enforcement, although the 1997 discussion paper Information
Privacy in Australia did contain suggestions about enforcement mechanisms.
[120] Unfortunately, no information was provided
by the Privacy Commission about the reception by industry to these early
proposals. Although the Commissioner provided reasons for dealing separately
with Principles and with the operation of the principles, [121] the Committee
is concerned at the separation of the two.
5.123 A major concern about the absence of detail on complaints mechanisms
and enforcement processes in the National Principles is the statement
in the paper Information Privacy in Australia that "where
business sectors already have ways of ensuring compliance with codes of
behaviour, these are to be used". [122]
5.124 In principle, this approach may be acceptable. However, the Committee
believes it would have been more appropriate to determine the nature of
such compliance before giving such power to what is, after all, an agreement,
not a legislatively based scheme.
5.125 Further, it would be important to determine how much the codes
of practice effectively dealt with complaints and how much of consumers'
valid expectations are in fact met. A code which has little interest in
consumers and limited interest in facilitating their access to redress
might well meet the above criteria of "ensuring compliance with codes
of behaviour," but this hardly makes it effective or appropriate.
Existing codes can only be acceptable within a broader context of high
standards which address the needs of consumers as well as those of industry
and business.
5.126 Within the paper Information Privacy in Australia, one section
is devoted to compliance and enforcement mechanisms within a voluntary
or self-regulatory scheme. The section deals with the option of a Scheme
Administrator:
It is generally recognised that a self-regulatory scheme is unlikely
to be effective without an independent administrator to undertake administrative,
coordination and monitoring functions. The administrator would, for
example, monitor whether the objectives of the scheme are being met,
whether it is cost effective, whether the members are complying with
all aspects of the code and whether the scheme is sufficiently adaptable
to meet the ongoing needs of its members. [123]
5.127 The role of the independent administrator is outlined in detail
in this paper, with a number of education, data collection and other roles
being proposed. [124] It is not clear whether what
is being proposed is an extended role for the Privacy Commission, an industry
ombudsman, or a totally separate organisation. Reference is made to existing
industry ombudsmen in favourable terms:
An independent scheme administrator is a significant step in ensuring
that the scheme is robust and effective and does not become a token
process controlled by the organisation it covers. In the case of industry
codes, the administrator is usually funded, but not directly controlled,
by the members of the industry association. Apart from the appointment
of an independent chair, such scheme administrators usually have industry
and consumer representatives, and may include a government regulator.
Examples of such independent industry administrators include the Council
of the Telecommunications Industry Ombudsman and the Council of the
Banking Industry Ombudsman. [125]
5.128 The Privacy Commission clearly also expected that the Commission
would be involved in the administration process:
It is expected that the Commissioner, and her staff, would be involved
in some way in the ongoing administration of a national privacy code,
and at the very least would expect to be represented on the governing
body of any privacy scheme administrator. [126]
5.129 However, this type of relationship can lead to problems, at least
in the eyes of the consumer. The role of a Privacy Commissioner, as a
part of the Human Rights and Equal Opportunity Commission, [127]
must be to protect the rights of all parties. Direct involvement with
boards and other bodies must be carefully assessed so that it is not seen
as seriously compromising the capacity of a government body to provide
an appropriate service. As is noted above, regulatory (or, indeed, regulator)
capture is a serious problem, and one of the roles of publicly funded
monitoring organisations is to be aware of such problems. Government bodies
should be careful to avoid any involvement with industry boards, councils
or administration schemes so that they are able to retain an objective
role in their main function.
5.130 Without any information as to enforcement mechanisms or complaints
bodies, the Principles are really a set of actions or approaches that
various sectors might take on or carry out if they feel so inclined. It
is difficult to see whether they even meet the very limited scope of the brief
given by the Prime Minister in March 1997.
5.131 Other opposition to the Principles was based not so much on a detailed
study of these but on the fact that, being legislation-free, they would
not be appropriate for those services or sectors likely to be affected
by the EU Data Protection Directive. [128]
The Australian Computer Society argued:
The National Principles for the Fair Handling of Personal Information,
as produced by the Privacy Commissioner, are not seen as a suitable
basis for protection of public privacy in the private sector.
Australia requires privacy laws to prevent some sectors of Australian
industry, particularly those involved in on-line trade, being severely
disadvantaged in international commerce. [129]
No timetable for the adoption of any enforceable system
5.132 The final aspect of current self-regulatory systems that is of
concern to the Committee is the lack of any concrete timetable for the
adoption of any enforceable system implementing the National Principles:
The second phase, how to implement the principles, is not
complete. I have had two meetings with business groups and there is
a fairly extensive list of people potentially involved or involved,
but they have not all been able to attend those two meetings. They include
the Financial Services Association, retailers, Telstra, the Finance
Conference, bankers, direct marketeers, insurers, the Chamber of Commerce
and Industry, Readers Digest, the Attorney-General's Department, the
Victorian Department of Multimedia, the Australian Information Industry
Association, the Law Council, the Society of CPAs, credit unions and
the Business Council. It is a comprehensive group, although they have
not all been in attendance yet. [130]
5.133 Mr Conolly, of the Campaign for Fair Privacy Laws, commented further
that the discussions that had taken place concerning the implementation
of the National Principles had not:
involved, in any great detail or depth, people outside the finance
industries. There has not been any representation from the Video Retailers
Association, for example, or a range of people whom you think might
have privacy issues. They are not there; they are not discussing it.
There is no timetable. It is just this sort of do nothing moment where
we are saying at the government level we support self-regulation but
there is no actual process for achieving that. [131]
5.134 The result of the current self-regulatory scheme is a `do nothing'
option. Of the `do nothing' option the Privacy Commissioner said:
Doing nothing is of course a real possibility out of this whole process,
but if that is the outcome it is my view that Australian consumers will
be being treated with contempt; but, just as importantly, Australian
businesses will be major losers in terms of lost opportunity,
and we will get the chaos we deserve. [132]
5.135 At the time of writing, there have only been two meetings held
to discuss implementation of the enforcement scheme. [133]
Given the large number of organisations involved in this process and the
lack of comprehensive involvement, the Committee suspects that it is unlikely
the National Principles will be implemented comprehensively by
way of a self-regulatory regime in any other than a highly structured
sector, such as banking.
5.136 There is no agreed program to implement the National Principles
or to develop appropriate enforcement mechanisms to meet the needs of
consumers. As a result, the community has no assurance that a privacy
scheme will be introduced that will provide meaningful and consistent
levels of protection.
5.137 In this context it is also worth noting that the failure of self-regulation
in the Internet sector has led to calls for privacy legislation from regulators
and politicians in other countries who formerly supported self-regulation.
[134]
Conclusions
5.138 The Committee makes a number of conclusions in relation to self-regulation.
5.139 The Committee notes the evidence of numerous companies and organisations
that have adopted a responsible approach to the protection of privacy.
However, the Committee remains concerned at the essentially patchy adoption
of privacy protection measures in the private sector, and considers that
there is still far from uniform coverage. Of equal concern is the slow
progress achieved in bringing into force comprehensive enforcement measures
to give effect to the National Principles. The Committee sees little
evidence of real progress and limited prospect for such progress in the
near future.
5.140 For these reasons the Committee concludes that at this stage
private sector self-regulatory systems do not, of themselves, provide
an adequate system for privacy protection in Australia. Further,
without an adequate enforcement mechanism the National Principles
lack force and cannot provide the basis for a national privacy scheme.
5.141 In general, the Committee believes that self-regulation, without
any legislative oversight, offers many dangers to the community:
Certainly from a consumer's perspective, including small business consumers,
there is no way that a voluntary code, as with franchising, is going
to provide protection for any parties. It will leave the large internationally
competitive entities within each of those sectors to do what they will.
[135]
5.142 With reference to the criteria being used to assess the adequacy
of the present regulatory arrangements, the Committee concluded
that self-regulation failed all of them. Self-regulation:
- fails to guarantee that the content of a self-regulatory scheme
will meet best international practice standards;
- fails to guarantee, to a level acceptable to the community,
a level of compliance with accepted privacy principles;
- cannot guarantee to provide a means for people to exercise
and protect their right to privacy, that is, cannot provide an accessible
enforcement mechanism; and
- cannot guarantee to provide redress when a privacy right is
breached, by way of specific remedies, sanctions or compensation.
5.143 Self-regulation also fails to guarantee the rights of consumers,
and to meet the needs and facilitate the responsibilities of the private
sector. The evidence provided to the Committee indicated clearly that
unless the private sector faces the credible possibility of coercive intervention
by government, adequate standards will not be adopted or enforced.
5.144 The Committee therefore recommends that the Commonwealth
does not rely on self-regulatory schemes.
Footnotes
[1] Developed by the Attorney-General. For a
more detailed description of this scheme, see Chapter 7.
[2] See Chapter 4.
[3] However, the existence of various rights
such as under contract law may be seen as a justification
for avoiding the complexity of more extensive and binding legislation.
[4] Submission No. 51, Human Rights and
Equal Opportunity Commission, p. 910.
[5] `Privacy Principles Released', Press Release,
Commonwealth Attorney General, 20 February 1998. The other side of this
approach is that industry is inherently self-regulating.
[6] Submission No. 41, ACCI, p. 713;
see also p. 715.
[7] `We strongly believe that a self-regulatory
approach to privacy is the best way to ensure that the interests of consumers
and Australians generally are protected. To those calling for regulation,
we say that we have already made excellent progress in establishing the
principles. Now let us give those principles a chance to work as they
were intended to work in a self-regulatory environment.' Transcript
of evidence, Australian Bankers' Association, p. 270.
[8] Transcript of evidence, Australian
Bankers' Association, p. 273.
[9] Submission No. 43, Australian Bankers'
Association, p. 735.
[10] Submission No. 43, Australian Bankers'
Association, p. 735.
[11] Submission No. 10, Australian Retailers
Association, p. 313.
[12] See below, Chapter 6.
[13] Submission No. 7, Australian Privacy
Charter Council, p. 239.
[14] The Privacy Principles refer to the need
to adhere both to existing Commonwealth privacy laws (as at February 1998)
and `any further legislation that might be considered necessary in particular
sectors, States or Territories.' National Principles, Foreword,
p.2.
[15] Submission No. 43, Australian Bankers'
Association, pp. 735-736. Although much of the emphasis in evidence to
the Committee was on industry, other forms of self-regulation referred
to include professional ethics such as the codes of the legal and medical
professions. Unfortunately, little information was provided to this Committee
on or by these groups, and their codes and practices have not been included
in the work done for the National Principles.
[16] Submission No. 43, Australian Bankers'
Association, p. 738.
[17] Transcript of evidence, Australian
Bankers' Association, p. 268.
[18] It is quite clear from evidence given
to the Committee that the free riders of any business are virtually impossible
to control. They do not accept standards and principles adhered to by
others, and they cannot be controlled because there is no legislation
in place to penalise them. This is a point which was previously made by
the Privacy Commission paper of 1997: Submission No. 51, Human Rights
and Equal Opportunity Commission, p. 898, E17. See also below, Paragraphs
5.60-5.64.
[19] Submission No. 51, Human Rights
and Equal Opportunity Commission, p. 911.
[20] Transcript of evidence, Human Rights
& Equal Opportunity Commission, p. 80.
[21] See, for example, Transcript of evidence,
Australian Bankers' Association, p. 271.
[22] See, for example, the powers given to
the Telecommunications Industry Ombudsman to investigate unresolved complaints.
[23] Submission No. 43A, Australian Bankers'
Association, p. 1379.
[24] See below, Paragraphs 5.75-5.77 on regulatory
capture.
[25] See below Paragraphs 5.128-5.129, which
refer to concerns about the involvement of the Privacy Commission in self-regulatory
schemes.
[26] See above, Paragraphs 5.10-5.21.
[27] Submission No. 43, Australian Bankers'
Association, p. 733.
[28] Some of the difficulties with the idea
of legislation and with it being described as heavy handed, arise from
the apparently limited choice (co-regulation) presented to those invited
to comment on the Attorney General's Department's paper, Privacy Protection
in the Private Sector.
[29] Submission No. 43, Australian Bankers'
Association, p. 733(1).
[30] Submission No. 43, Australian Bankers'
Association, p. 735.
[31] This approach works on the basis of implied
consent, but can lead to cross-use of personal data.
[32] Submission No. 9, Australian Credit
Forum, p. 307.
[33] See Submission No. 7, Australian
Privacy Charter Council, p. 240. The United States is sometimes
used as an example of how self-regulation can satisfy privacy concerns.
This is simply not true. Apart from the fact that there is already a raft
of sector or activity specific privacy laws at federal and state level,
it is becoming increasingly clear that the private sector is unable to
respond adequately to growing public concern about the potential for privacy
abuses. For a discussion of the requirements of the EU Data Protection
Directive, see above, Chapter 3 and also below, Paragraphs 5.87-5.121.
[34] Submission No. 43, Australian Bankers'
Association, p. 734.
[35] Transcript of evidence, Australian
Law Reform Commission, p. 227.
[36] See above, Chapter 3, Paragraphs 3.43-3.46.
[37] Submission No. 43, Australian Bankers'
Association, p. 739.
[38] Transcript of evidence, Australian
Bankers' Association, p. 271.
[39] Submission No. 10, Australian Retailers
Association, p. 318.
[40] For example: the Australian Bankers' Association,
the Insurance Council of Australia, the Australian Direct Marketing Association,
the Australian Retailers Association, the Australian Information Industries
Association, the Law Council of Australia, the Australian Finance Conference,
the Credit Union Services Corporation (Australia) Ltd, the Investment
and Financial Services Association, the Institute of Mercantile Agents,
the Real Estate Institute of Australia, and the Australian Communications
Industry Forum, Submission No. 51, Human Rights and Equal Opportunity
Commission, p. 864.
[41] Submission No. 36,
Australian Direct Marketing Association, pp. 2-3.
[42] Submission No. 10, Australian
Retailers Association, p. 318.
[43] Submission No. 10, Australian Retailers
Association, p. 319.
[44] Submission No. 37, Public Interest
Advocacy Centre, p. 11.
[45] Submission No. 51, Human
Rights and Equal Opportunity Commission, pp. 864-865.
[46] The National Principles were released
in February 1998 and the Privacy Commission's submission was made in July
1998. Submission No. 51, Human Rights and Equal Opportunity Commission,
p. 864.
[47] Submission No. 51, Human Rights
and Equal Opportunity Commission, p. 864.
[48] See below Paragraphs 5.81-5.86 on the
National Principles and factors that witnesses considered should
have been more thoroughly examined in the development of these. See also
the comparison between the National Principles and the European
Union Directive at Paragraphs 5.87-5.121.
[49] Price Waterhouse, Privacy Survey
(1997).
[50] Transcript of evidence, Mr Nigel
Waters, p. 106.
[51] Transcript of evidence, Australian
Law Reform Commission, pp. 226-227.
[52] For an examination of industry attitudes
to regulation, see Chapter 7.
[53] See Submission No. 41, Australian
Chamber of Commerce and Industry, p. 713.
[54] Transcript of evidence, p. 80 (Senator
McKiernan).
[55] See Submission No. 51, Human Rights
and Equal Opportunity Commission, p. 956.
[56] Submission No. 51, Human
Rights and Equal Opportunity Commission, p. 897.
[57] Transcript of evidence, Mr Nigel
Waters, p. 104.
[58] See Submission No. 7, Australian
Privacy Charter Council, p. 242: `In many areas there are not even associations
or peak bodies with wide coverage of the sector which would be able to
approach such a task'.
[59] Transcript of evidence, Mental
Health Legal Centre Inc., p. 167.
[60] Submission No. 37, Public
Interest Advocacy Centre, p. 659 and Transcript of evidence, Public
Interest Advocacy Centre, pp. 116, 118-119; Submission No. 50,
Mental Health Legal Centre Inc., p.847 and Transcript of evidence,
Mental Health Legal Centre Inc., p. 167; Transcript of evidence,
Queensland Health, p. 31.
[61] See Submission No. 54, Tenancy
Information Centre Australasia Pty Ltd and Submission No. 55, Remington
White Pty Ltd; Transcript of evidence, Tenancy Information Centre
Australasia, pp. 94, 98-99; Transcript of evidence, Remington White
Pty Ltd., p. 194; Transcript of evidence, Real Estate Institute
of Queensland, pp. 38, 40.
[62] Submission No. 57, Professor
William Caelli, p. 1140 and attachment 1; Transcript of evidence,
Professor William Caelli, pp. 55, 66; Transcript of evidence, Professor
Patrick Quirk, pp. 3-8; Submission No. 33, Professor Greenleaf,
pp. 557-558, 561.
[63] Submission No. 37, Public Interest
Advocacy Centre, p. 659; Submission No. 50, Mental Health
Legal Centre, p. 847; Transcript of evidence, Public Interest Advocacy
Centre, p. 116; Transcript of evidence, Mental Health Legal Centre
Inc., p. 167; Transcript of evidence, Queensland Health, pp. 30-31.
[64] Transcript of evidence, Public
Interest Advocacy Centre, p. 120 and Submission No. 37,
Public Interest Advocacy Centre, pp. 664-667; Submission No.
51, Human Rights and Equal Opportunity Commission, p. 894.
[65] The survey by Price Waterhouse (reported
in the Canberra Times, 10 September, 1998, p. 11) revealed that more
than half of Australian companies undertake video surveillance of both
employees and the general public. Surveillance of employees involved
monitoring email content, internet use and telephone conversations. The
survey also revealed that around half the companies surveyed admitted
that they were involved in international information transferral;
such information forms part of international databases.
[66] Transcript of evidence, Mental
Health Legal Centre Inc., p. 166.
[67] See Paragraphs 5.61-5.62.
[68] Submission No. 55, Remington White
Australia, p. 1087.
[69] Transcript of evidence, Tenancy
Information Centre Australasia, p. 94.
[70] Submission No. 16, Vonaldy Pty.
Ltd., p. 375. See also Submission No. 46, Campaign for Fair Privacy
Laws, p. 764.
[71] Transcript of evidence, Australian
Law Reform Commission, p. 225.
[72] The proposed amendments to the Privacy
Act 1988 are intended to counteract this leakage. See
below, Chapter 6.
[73] Transcript of evidence, Professor
Caelli, p. 57.
[74] Transcript of evidence, Professor
Caelli, p. 56; Submission No. 40, Xamax Consultancy, p.
700; Submission No. 33, Mr Graham Greenleaf, p. 561; Submission
No. 7, Australian Privacy Charter Council, p. 242; Submission No.
8, Mr Nigel Waters, p. 254.
[75] Submission No. 7, Australian
Privacy Charter Council, p. 242.
[76] Transcript of evidence, Australian
Bankers' Association, p. 269.
[77] Transcript of evidence, Australian
Bankers' Association, p. 271.
[78] Transcript of evidence, Australian
Bankers' Association, p. 278. The Committee also notes that the jurisdiction
of the Banking Ombudsman was increased to an upper limit of $150 000,
from a previous limit of $100 000: Transcript of evidence, Australian
Bankers' Association, p. 276.
[79] For example, the Insurance Council of
Australia, the Australian Direct Marketing Association and the Australian
Retailers Association. Submission No. 51, Human Rights and
Equal Opportunity Commission, p. 864.
[80] Submission No. 43, Australian Bankers'
Association, p. 739.
[81] Submission No. 36, Australian Direct
Marketing Association, p. 645.
[82] Submission No. 51, Human Rights
and Equal Opportunity Commission, p. 898.
[83] See below, Paragraphs 5.128-5.129.
[84] Submission No. 51, Human
Rights and Equal Opportunity Commission, p. 862. A similar proviso was
included in the earlier paper, Information Privacy in Australia,
which is reproduced in Submission No. 51, see especially p. 910.
[85] National Principles, p. 18.
[86] National Principles, p. 6.
[87] Submission No. 41, Australian
Chamber of Commerce and Industry, pp. 714-715. This point was also
made by Submission No. 43, Australian Bankers' Association,
p. 743: `These principles provide a valuable guide for all businesses
to balance the legitimate and responsible use of personal information
about their customers with the reasonable expectations of those customers.'
[88] Submission No. 43, Australian
Bankers' Association, p. 733.
[89] Submission No. 7, Australian Privacy
Charter Council, p. 243.
[90] Submission No. 16, Vonaldy
Pty Ltd., p. 376.
[91] Privacy Law and Policy Reporter,
4 (1998), p. 178.
[92] Submission No. 60, European Union,
p. 1356. See also above Chapter 3, Paragraphs 3.15-3.22, and below,
Paragraphs 5.91-5.92.
[93] See below, Paragraphs 5.98-5.100, 5.103-5.105,
5.106-5.109, 5.112, 5.116-5.119.
[94] Submission No. 7, Australian Privacy
Charter Council, p. 243.
[95] Submission No. 13, Australian
Computer Society Inc., p. 335.
[96] See below, Paragraphs 5.99-5.102.
[97] See Paragraphs 5.103-5.113.
[98] Submission No. 8, Mr Nigel Waters,
p. 254.
[99] See Paragraphs 5.99-5.100.
[100] Submission No. 13, Australian
Computer Society, p. 332.
[101] See above, Chapter 3, Paragraphs 3.68-3.85.
[102] All references are to Directive 95/46/EC
of the European Parliament and of the Council of 24 October 1995 on the
protection of individuals with regard to the processing of personal data
and on the free movement of such data, Journal of the European Communities,
23 November 1995.
[103] See above, Paragraph 5.80.
[104] EU Directive 95/46, Article 8, Paragraph
3.
[105] See for example, Chapter 6, Paragraph
6.12.
[106] See above, Paragraphs 5.56-5.57 and
Chapter 3, Paragraph 3.25, Chapter 4, Paragraph 4.16, and below, Chapter
6, Paragraphs 6.21-6.30 and 6.41-6.43.
[107] Submission No. 51, Human Rights
and Equal Opportunity Commission, p. 866, Paragraph 31.
[108] See above, Paragraph 5.83.
[109] See National Principles, p. 7.
[110] See above, Paragraph 5.85 and see also
Submission No. 13, Australian Computer Society Inc., p. 335.
[111] EU Directive 95/46, Article 6.
[112] EU Directive 95/46, Article 14.
[113] Emphasis added. For the meaning of processing
in the Directive, see Article 2 of Chapter 1, Definitions; processing
includes `any operation or set of operations which is performed upon personal
data, whether or not by automatic means, such as collection, recording,
organization, storage ...' [emphasis added].
[114] Article 7 makes further provision regarding
the objectives of the processing of data, some of which are similar to
the factors noted in NPP 2, but always with the overriding provision of
Article 1.
[115] See Paragraph 5.80.
[116] EU Directive 95/46, Article 25.
[117] See below, Chapter 6, Paragraphs 6.46-6.48.
[118] See below, Chapter 6, Paragraphs 6.13-6.43.
See also Submission No. 39, Credit Union Services Corporation, p. 686,
comment on NPP 9.
[119] This approach is also reflected in the
proposed separation of the Privacy Commission from the Human Rights and
Equal Opportunity Commission. See below, Paragraph 5.129.
[120] National Principles, p. 5 `What
these principles do not cover'. In the context of debate, this led people
to accept principles without having any idea of the ways in which enforcement
of principles could be ensured. As is noted elsewhere, the best principles
are of no use unless they are in place and uniformly adhered to and unless
people are able to take effective action in defence of privacy.
[121] Transcript of evidence, Human
Rights and Equal Opportunity Commission, p. 71.
[122] Information Privacy in Australia,
p. iii, in Submission No. 51, Human Rights and Equal Opportunity
Commission, p. 911.
[123] Submission No. 51, Human Rights
and Equal Opportunity Commission, p. 934.
[124] Submission No. 51, Human Rights
and Equal Opportunity Commission, p. 934.
[125] Submission No. 51, Human Rights
and Equal Opportunity Commission, p. 935.
[126] Submission No. 51, Human Rights
and Equal Opportunity Commission, p. 936.
[127] The Committee has some concerns over
any separation of the Privacy Commission from the Human Rights and Equal
Opportunity Commission, under the provisions of two bills before the Senate
- Human Rights Legislation Amendment Bill 1997 and Human Rights Legislation
Amendment Bill (No.2) 1998. Privacy is an essential human right and must
be seen to be a part of the operations of the Human Rights and Equal Opportunity
Commission. See also the Report of the Senate Legal and Constitutional
Legislation Committee into the Human Rights Legislation Amendment
Bill 1997. The Legislation Committee's report into the Human Rights
Amendment Legislation Bill (No. 2) 1998 was tabled on 17 February 1999.
[128] Submission No. 13, Australian
Computer Society, p. 333.
[129] Submission No. 13, Australian
Computer Society, p. 332.
[130] Transcript of evidence, Human
Rights and Equal Opportunity Commission, p. 72.
[131] Transcript of evidence, Campaign
for Fair Privacy Laws, p. 144.
[132] Moira Scollay, Stark choices for
private sector privacy, Privacy Law and Policy Reporter,
4 (1997) p. 89.
[133] Transcript of evidence, Human
Rights and Equal Opportunity Commission, p. 72.
[134] A recent survey by the Electronic Privacy
Information Centre of the 100 most popular internet sites in the USA found
that 49 sites collected personal information but that only 17 sites had
privacy policies stated on the site. Only one site allowed users to access
information collected about them and 24 used cookies to collect information
about users. However, there was still a widespread practice of allowing
users to browse sites anonymously other than for disclosure of TCP/IP
addresses by browsers (Submission No. 33, Professor
Graham Greenleaf, p. 561).
[135] Transcript of evidence, Australian
Law Reform Commission, p. 226.