Privacy in the Private Sector

Chapter 6

Finding the best solution: suggested models

Introduction

6.1 Previous chapters have examined the wider background to the inquiry, and concluded that there is a need to extend privacy protection to cover the private sector. Chapter 3 established a broad set of criteria for the evaluation of a privacy protection system, while chapters 4 and 5 examined the extent and effectiveness of existing privacy protection provided by law and self-regulation respectively. These chapters concluded that neither law nor self-regulation currently provide adequate privacy safeguards over the private sector.

6.2 The task of this and the following chapters is to examine future options and to determine the most efficient, effective and acceptable method for providing privacy safeguards over private sector operations.

The Privacy Amendment Bill 1998

Introduction

6.3 Chapter 2 of the Report outlines the provisions of the Privacy Amendment Bill 1998. [1] In commenting in further detail on this option, there are two key issues that must be considered. The first of these is the adequacy and appropriateness of the objectives, and the second concerns the effectiveness of the bill in meeting the objectives.

Adequacy of the objectives of the bill

6.4 The second reading speech states that the objective of the bill is to amend “the Privacy Act 1988 to apply it to personal information held by contractors in relation to services provided to the Commonwealth.” The speech explains the need for change in the context of the widescale competitive tendering and contracting out of a range of services previously performed by government agencies. Thus:

Since 1 January 1989, when it came into operation, the Privacy Act has required government agencies that hold information about individuals to deal with that information in a manner that protects the individual's privacy. This bill ensures that the existing protections afforded by the Privacy Act are not lost when services are delivered under contract. [2]

6.5 This report identified in Chapter 3 the challenges posed to privacy by the contracting out of government services and the associated transfers of personal information, and found a need for privacy protections to be extended to cover this situation. The bill goes some way towards meeting concerns expressed by some business groups.

6.6 The introduction of privacy legislation to govern contractors in relation to services provided to the Commonwealth is a welcome if not overdue initiative. The need for national privacy legislation is increasing and by implementing the proposed amendment the government is gradually expanding the scope of good privacy practices to the private sector. [3]

6.7 Insofar as the bill is a (belated) attempt to correct a serious erosion of privacy protection, the Committee considers it is a step in the right direction. However, this bill only seeks to restore some measure of protection and does little to address a number of discrepancies. As the Second Reading speech states: “the bill is intended to ensure the continuation of existing protections only”.

6.8 The bill is premised on the belief that the contractual arrangements which were put in place in order for Commonwealth departments and agencies to deal with the outsourcing of some services were inadequate. [4] The basis of the inadequacy, as noted above, is that the contracts are made between a department/agency and the contractor. An individual whose personal information is abused or misused by a contractor has no right of redress, since all action (if any) must be taken by the contracting department or agency. If no action is taken, the individual has no redress:

Whatever conditions and requirements are placed in contracts, the fact that contractors have not themselves been generally subject to the Privacy Act means that individuals' right of redress in the event of breaches of privacy have been limited. [5]

6.9 The contractual provisions themselves will no longer be relevant if the Privacy Amendment Bill is passed, since the legislation effectively by-passes the need for specific provisions regarding privacy protection in a contract. If an outsourcing contract exists, the service provider is automatically subject to the legislation:

The only contract that is necessary to bring the bill into existence is the outsourcing contract. But there do not need to be any provisions in that contract dealing with privacy issues. The bill simply applies because there is an outsourcing contract. [6]

Need for amendments

6.10 No information was provided on any actions taken by a department or agency against contractors, or against those members of staff which may have failed to ensure that contractors do not abuse privacy. The [then] Privacy Commissioner did not note in her submission any such action, and, although annual reports of the Privacy Commission refer to various breaches of privacy, there is little indication in such reports that contractors have in fact used personal information inappropriately. This must necessarily lead some witnesses to query if there is a current real problem, or whether the bill is intended to prevent such instances from occurring.

6.11 The ALRC noted the unsatisfactory nature of current arrangements. However, it also went further by suggesting that lax departmental practices may have created a problem, and lack of resources may have made it difficult to identify the actual extent of this problem:

Anecdotal evidence suggest that many such contracts [under existing legislation] simply state that the Privacy Act 1988 (Cth) applies to the contractor, without spelling out the obligations that this imposes on the contractor. It is feasible that many contractors may not be aware of their privacy obligations, or alternatively, that the contracting department does not have the resources to ensure that such obligations are being met. [7]

6.12 Although there has been little direct evidence of a serious breach of current arrangements, the Committee believes the objectives of the bill are inadequate even if one accepts that there is no intention in it to extend privacy protection to people or organisations not previously protected. The reason for the Committee's concern is primarily that certain terms such as `outsourced' are used to exclude people and services which could logically be covered, and which need protection and the security and confidence which such protection may provide. [8]

Limits to extension of privacy protection

6.13 In developing the legislation it is apparent that the issue of coverage was substantial, insofar as the Commonwealth has an extensive series of what might be deemed contractual arrangements with people and services. For example, it effectively has contractual arrangements with doctors and pharmacists through Medicare and through the Pharmaceutical Benefits Scheme. Such people are in possession of extremely sensitive information about individuals. [9] Other services funded by the Commonwealth include educational, employment, aged care, disability and related services; however, only certain of these services are or will be subject to the Privacy Act 1988 or the proposed amendments.

Caught between its commitment to ensure protection wherever data handling was contracted out, and its rejection of general private sector privacy law, the government faced a difficult dilemma: how to draft an extension which would cover the main categories of contractors carrying out functions previously undertaken by agencies themselves, without inadvertently subjecting a whole range of service providers funded directly or indirectly by the Commonwealth (including all GPs, and various non-government organisations )… to the privacy regime. [10]

Contractual arrangements

6.14 From evidence provided to the Committee, it is apparent that various measures were taken to avoid increasing the protection available to a substantial number of members of the community who were in receipt of Commonwealth-funded services. At one stage, the Attorney General's Department considered defining the relevant parties who would be subject to the amended Act on the basis of whether or not they had a contract with an agency or department.

The existence of a contract for the delivery of services as the sole defining feature was also explored. Clearly, a contract is an essential element in the outsourcing of services, provided one includes the notional contracts within the Commonwealth. However, the requirements of accountability and financial prudence mean that in many cases funding that is considered to be a `grant' is provided under an agreement that is likely to be, technically, a contract rather than a grant. [11]

6.15 Such a definition, therefore, was seen as too extensive. The reason for this is not specified. However, from the context, it appears that either the service providers or the agencies or departments involved did not wish this definition to be used because it would create new restrictions or new responsibilities. In some cases, it would also mean some new regulation of the private sector.

6.16 It appears then, that the contractual relationship was too broad as a ground for definition The Attorney General's Department then moved to the argument that regardless of the nature of the service or the extent of personal information that might be involved, the defining factor would be whether a service was `outsourced'.

Outsourced services

6.17 The definition of `outsourced' used by the Attorney General's Department is somewhat tortuous, given that the definition had to fit not a series of categories of a like nature, but a series of past, present and future events. In short, the Department was obliged to work backwards from a given situation – that a large number of existing services were not going to be covered, regardless of their nature. The Department was unable to work forwards from a position which provided equal coverage to all like groups:

It's likely that everyone … is comfortable that they know what is meant by the term outsourcing.

However, I am not so sure that any of us could find a definition that could be used in legislation, that would satisfactorily include all services that are `outsourced', but not include those where there is some other relationship, such as a funding arrangement, with the Government. [12]

6.18 The Department does not explain in detail exactly what is meant by outsourced, but does indicate that there has to be some form of relationship in the past, present, or future with the relevant department or agency which is seeking the provision of a service by another party. Thus, the idea of a relationship between a department and a service provider becomes important (but not all-important).

6.19 The term `outsourced' is not clearly defined in the bill. However, by a process of elimination, through considering terms such as `outsourcing agency' and `Commonwealth contract', [13]it appears that an outsourced service is one:

• Previously, currently, or in the future undertaken by a department or agency, and now undertaken by another party and to be delivered to the agency (such as personnel or IT services which are an integral part of the operations of a department or agency); or
• Previously, currently, or in the future to be provided by another party, to other persons or organisations, on behalf of the department or agency, or as part of or `in connection with the performance of the Commonwealth agency's functions.' [14]

Relationship with the department or agency

6.20 As noted above, the relationship with a department or agency is important, but not all-important. However close the previous relationship with a department or agency may be- for example, the provision of substantial funding in order to provide services which are an integral part of the departmental raison d'etre, such as aged care services) proximity will not suffice. In the above instance, for example, the aged care service provider will be exempt in respect of funded services. The grounds for this are primarily that the service type was not previously subject to privacy legislation. Thus, it is not relevant whether it is provided by a private company or by a community group. The private agency has been paid to provide a service; the community group is a `community or volunteer organisation to whom the Commonwealth provides funding'. [15]

6.21 Implicit in this statement is an understanding that the funding is provided for the organisation to do something, but not for, or on behalf of, the Commonwealth. However, given the nature of many of the services provided, it is very difficult to argue logically that funding is provided to a range of organisations for services which have nothing to do with the Commonwealth or its programs. This point was made by the submission to the Attorney General's Department's paper, Privacy Protection in the Private Sector, by the then Commonwealth Department of Health and Family Services:

At present personal information, held by the Department and relating to clients of some programs, is protected by strict secrecy provisions involving criminal penalties in the event of unauthorised use or disclosure. However, the same information held by a private organisation may not be sufficiently protected from disclosure or unauthorised use…

Clients in receipt of Government programs ought to be treated consistently regardless of the method of delivery of those programs. It follows that there is a clear need for a consistent regime to protect personal information relating to the Department's clients regardless of whether those clients deal with the Department directly or through a service organisation. [16]

6.22 Although the Attorney General's Department's submission does not go into any explanation of how the definition of `outsourced' was arrived at, any service which, although funded by the Commonwealth, is deemed not to have been `provided' by the Commonwealth, is exempt from any privacy regulation. [17]

6.23 To differentiate between these services and those which are an integral part of a department's raison d'etre, the legislation makes reference to an example, the provision of `job-seeking assistance to individuals'. [18] This example, however, is somewhat misleading, since it is only to a service previously undertaken by a department, and not to those that could arguably be seen as having been undertaken on behalf of a department. Yet, as the above statement from the then Department of Health and Family Services indicates, many programs, never having been directly provided by a department, nonetheless are an integral part of a department's services and need protection. Further, the department noted that:

The Australian Law Reform Commission recognised these inconsistencies in its reports into the department's Aged Care and Child Care legislation and recommended that an appropriate privacy regime be imposed upon service providers. [19]

6.24 The Australian Law Reform Commission also expressed its concern at the gaps in the proposed legislation, based on its belief that the more vulnerable [20] required protection:

By excluding service providers in these areas, the Bill maintains a flawed status quo. It results in the circumstance that whether a service provider is required to observe privacy standards or not depends on an historical consideration of whether that service has been subject to privacy obligations, rather than on a consideration on the merits of whether the contractor who is to be engaged today ought to be obliged to provide a legislated minimum standard of privacy protection. [21]

6.25 The Attorney General's department noted some of the likely problems, although looking more to the future than to problems with existing service providers:

In many instances, an outsourced service will have previously been delivered by a Commonwealth agency. But what of situations where the service is significantly different to that previously provided by a Commonwealth agency, so that it may not be possible to say it was previously delivered by an agency? Or where a new Government program is introduced, involving a service to be delivered by the private sector under contract to a Commonwealth agency? [22]

6.26 The Committee considers that there is no sound reason advanced for the limitations imposed by the bill in respect of a range of services provided by organisations which are in possession of extremely sensitive information about individuals, many of whom are disadvantaged and vulnerable. Indeed, given that the government has generally compelled people to provide information in order to obtain a service, it has a particular obligation to ensure that the information is protected. It also has an implicit obligation, in respect of material which is collected for a specific and stated purpose, to ensure that the material is not used in other ways or for any other purpose. [23] It can only do this by applying the same principles to all of those service providers it effectively employs – directly or indirectly – to provide services to the community.

6.27 The Committee believes that all `volunteer' or `not for profit' organisations receiving funding from the Commonwealth to provide services should not be exempt from the provisions of any legislation intended to provide protection of personal information.

6.28 In addition, the Committee would not find it acceptable that any private sector organisation which had previously provided services and was exempt from any privacy protection principles or legislation should continue to be free from such regulation with respect to such services. As is noted below, this can lead to the operation of different standards within the one organisation. [24]

6.29 The Committee does not consider it logical to create separate rules applying to the handling of personal information between the public and private sectors. As legal academic Moira Paterson comments:

[A] person may have a right of access to his or her medical records in the possession of a public hospital but not a private one even though there is no inherent difference in the type of information or the circumstances in which it was generated. [25]

6.30 The Committee considers that privacy protection should be accorded on the basis of the nature of the personal information rather than on an arbitrary, and increasingly blurred distinction between the private and public sectors.

Regulation rather than legislation

6.31 Given the serious problems noted above with the definition of included or excluded services, the use of a Schedule was also subject to criticism. It enables changes to be made by regulation rather than legislation:

The difficulty with the Schedule approach, of course, is the timeframes that can be involved in amending legislation. Programs change, and it may be appropriate to remove services from the Schedule, or, where new funding programs are introduced, to include them in it. The Bill allows for either to be done, effectively, by regulation, to ensure that the Schedule does not inappropriately exclude services from coverage, and that the introduction of funding programs is not delayed by the need to await legislative amendments. [26]

6.32 To accommodate changes, the bill provides that regulations may allow parties other than the current list of `excluded funded services' to be exempt from provisions. [27] This allows considerable flexibility as regards to exclusions. It is stated that services can be removed from the Schedule or added, as required. [28]

6.33 While there is some logic in this argument with respect to future services, there is little with respect to services established in the past. The basis on which they are proposed to be excluded from coverage is determined on whether they previously were subject to privacy legislation. This is not going to change.

6.34 The arguments with respect to future services appear to be ease and speed for administrators and the executive. However, given the problems which have already been identified with the legislation, it is highly desirable that unexamined services are not able to be so easily approved. This point is also supported by the Australian Law Reform Commission:

The Commission is also concerned by the mechanism by which service providers can be added to the schedule of excluded providers….

…the Commission considers that there should be a presumption that all service providers ought to be subject to the Privacy Act 1988 (Cth), unless the public interest in ensuring such protection is outweighed by other factors. In such circumstances, the decision to exempt a service provider from their privacy obligations would appropriately be one for the Parliament to make through consideration of amending the legislation and not by regulation. Accordingly, proposed new section 6(1) should be deleted. [29]

`Past' information

6.35 The bill seeks also to quarantine all personal information collected by an organisation in the past, even though the organisation may collect information about the same people through the provision of services which are now affected by the legislation. The Committee is concerned that no provisions have been made about the security of such `old' information itself, although it appears that there are limits placed on mixing old and new data. [30]

The second reading speech suggest that one consequence of this provision is that contractors will not be able to mix information held under a Commonwealth contract with other information they hold, for other purposes. Given the range of exceptions to IPP10, the law itself may not guarantee this, but hopefully a combination of the amendments and contractual provisions will do so. [31]

6.36 In fact, the Second Reading speech suggests that such material could continue to be used (although perhaps not mixed with other `protected' information) when it refers to the inconvenience to `contracted service providers' were they to be obliged to impose restrictions on their use of data:

These Information Privacy Principles will only apply to information collected by contracted service providers from commencement. This ensures that contracted service providers are not required to contact individuals to seek their consent to uses of information already collected by them. However, the Information Privacy Principles relating to matters such as secure storage and ensuring personal information is relevant and accurate before it is used will apply regardless of when the contracted service provider obtained the information. [32]

6.37 There is no reference in the legislation to penalties to be applied to organisations who have previously collected personal information and who then use it for other purposes (as distinct from mixing this information with data collected or obtained under a contractual arrangement subject to the proposed legislation). This is a serious gap in the legislation since there is no means by which existing information retained from a Commonwealth contract prior to the introduction of the legislation, or by a commercial or `not for profit' or charitable organisation not affected by the proposed legislation, is prevented from being misused. The Committee believes that where such information is still used it must be treated in the same way as other personal information recently collected. Otherwise, if it is not subject to any other legislation, it should be destroyed or returned to the individual concerned.

6.38 The limited restriction on the use of data collected earlier is not explained although the principle of `no retrospectivity' generally applies. However, it is also clear that the bill intends there should be no major inconvenience to service providers:

…a contracted service provider will be an agency under the Privacy Act. This means that the Information Privacy Principles apply directly to their acts and practices in relation to personal information held or dealt with under or for the purposes of a Commonwealth contract, from the commencement of the amendments.

The amendments are not intended to be retrospective, nor to require the impossible. [33]

6.39 Any restrictions on much of the data held by a large number of organisations would require that at the least all charitable or voluntary organisations receiving Commonwealth funding be subject to legislation or regulation regarding the collection and use of data.

6.40 This view is supported by a statement from the Campaign for Fair Privacy Laws which asks a pertinent question about government's interest in its clients, as opposed to government's interest in the security of `government' information:

…it is noted that Government has chosen not to outsource “its” sensitive data, such as security, intelligence or law enforcement records. The same reasoning should be applied to “our” sensitive data. [34]

Partial coverage of private sector and other organisations

6.41 One of the major drawbacks of the proposed legislation is that it only applies to services classified as outsourced. [35] This raises the possibility of an organisation being affected by legislation for some services but not for others, and in respect of some contractors and not others. This has been criticised on several grounds, notably those concerning the importance of systematic and standard practices and principles in the handling of information: `This results in an impractical and fragmented approach to information handling within an organisation.' [36]

6.42 A further criticism of a similar nature is that the existence within one organisation of different practices may affect commercial competitiveness:

The proposal may also lead to some anomalies from a commercial standpoint. An organisation which deals with government contracts and also with personal information obtained from other operations may feel competitively disadvantaged if different information handling practices are required. [37]

6.43 Similar comments were also made by the Australian Law Reform Commission which noted the emphasis by another inquiry on a standard culture of accountability. [38] The ALRC noted the potential for uneven service provision within an organisation, including in an organisation which had previously received grants for services, but would now receive payments for other services:

Even more unacceptably, the circumstance may arise where a community organisation has for years been contracted through `grants' to provide services and is not bound by privacy laws with respect to a recipient, but now having been further contracted with to provide a different service previously directly supplied by the department to that same recipient, is bound by privacy laws. That organisation would therefore be required to meet privacy obligations to the service recipient in relation to one service but not the other. [39]

`Use' and `Disclosure'

6.44 The proposed amendments deal with the issue of whether material provided to a third party by a department or agency is material which has been disclosed or has been transferred for `use'. [40] This amendment would ensure that the provision of data to a contracted service provider is seen as a `use' of information and not a `disclosure'; the information is therefore subject to the provisos that exist regarding the purpose of collection of the data. [41]

Employee data

6.45 Another problem with the bill is that it does not apply to the information held by organisations on their employees. No specific reason is advanced for this. As noted above, there is an objection by many business groups to having employee information covered by privacy legislation on the grounds that employee data is already subject to a range of other legislation. [42]

Overseas information processing

6.46 The bill makes provision to protect some personal information which may be processed or otherwise dealt with overseas. [43] However, the effect of this is likely to be minimal where the main body of an organisation is located outside Australia.

6.47 In theory, the overseas processing of such data in countries where there are limited privacy regulations is not acceptable to the current government. [44] If this were the case, then there should be an express prohibition on the export of sensitive data to such countries. The provision of a failsafe may in fact be the most effective means of ensuring that data will routinely be sent to countries without such protections if they offer a cheaper service. The capacity of the individual or the Privacy Commissioner to routinely assess the adequacy of the protection offered is virtually non-existent. [45]

6.48 Further, as is noted in the evidence, much data is already difficult to protect unless it is encrypted. [46] A similar point was also made by the Law Institute of Victoria which noted that as electronic commerce was becoming the standard, and hence regulation of privacy must accommodate to this fact: `This medium pays little regard to national borders and needs robust privacy protection, at national and international levels, to underpin its success.' [47]

Conclusion

6.49 In the context of the current Privacy Act, the effect of which has been eroded, there appears to be support for the Privacy Amendment Bill 1998. [48]

6.50 However, the Committee has some reservations about the Bill, primarily as regards its limited coverage and the fact that it has made an untenable distinction between different types of service providers. The Committee finds that instead of merely maintaining existing protection, the government should extend it to comprehensively cover all those providing a government funded service.

6.51 In saying this the Committee states that its support of privacy protection is such that it believes not only the private sector but also the substantial `voluntary' and `charitable' sector, however defined, must be subject to the same principles.

6.52 The Committee therefore recommends the government introduce legislation to provide privacy protection uniformly covering the public, private and the charitable and `not for profit' sectors. The coverage of the bill should be as broad as possible and minimise the extent of any exemptions.

Effectiveness of the bill in meeting its objectives

6.53 The second question to be considered is the effectiveness of the bill in meeting its stated objectives. A number of general comments can be made, concerning access, resources available to the Privacy Commissioner, the value of the Information Privacy Principles vis-a-vis the National Principles, complexity created by the legislation, and access to and correction of records.

Access to redress

6.54 The Committee notes that the bill provides for individuals who have suffered a breach of privacy to complain directly to the Privacy Commissioner, offering greatly improved access to justice and remedies than is currently available. The Committee commends these changes.

6.55 In this respect, the bill adopts what Nigel Waters refers to as a `belt and braces' approach to privacy protection “to ensure that individuals are not disadvantaged by any uncertainty about who is responsible”. [49]

6.56 Under the terms of the bill, the contracting out agency retains responsibility for compliance with the Information Privacy Principles, but shares that responsibility with contractors and sub-contractors [50]. Likewise, complainants may amend a complaint to ensure that the correct party is named. [51] Importantly, where a contractor ceases to exist, the Privacy Commissioner is able to substitute the contracting agency for the contractor and to be required to pay any compensation. [52]

6.57 In these respects, the Committee concludes that the bill should successfully extend the protection of the Privacy Act to contractors for government services.

Resources of the Privacy Commissioner

6.58 One aspect of concern to the Committee is the extent of the Privacy Commissioner's capacity to accept additional responsibilities without any increases in resources. The Privacy Commissioner already has wide responsibilities, and the significant task of developing national compliance mechanisms to accompany the NPPs. The Committee queries the practicality of adding a significant industry `client base' to the Privacy Commissioner's jurisdiction, in conjunction with a claim that there should not be any major cost implications of the legislation:

I have a continuing concern with the level of resources available to the Privacy Commissioner, the Privacy Commissioner has experienced funding cuts yet is expected to extend the services offered. I therefore cannot understand how the Commissioner can expect to extend her services and ensure compliance with the Privacy Act by another group of organisations without additional funding and resources. [53]

6.59 In this context, the Committee notes the problems that limited resources have had on the capacity of the New Zealand Privacy Commissioner to deal with the expanded number of complaints following the widening of his jurisdiction:

In their submissions on the review, business and industry associations favoured the complaints mechanism, although they took issue with my own level of funding. Because I have not been sufficiently funded for the complaints I have on hand, I have instituted a queue system and businesses have found the delays unpalatable. [54]

6.60 The Committee therefore recommends that, were the proposed legislation to be agreed to, there be a serious re-evaluation undertaken of the proposed workload of the Privacy Commission and the resource implications of the proposed legislation.

Use of the Information Privacy Principles (IPPs)

6.61 A further concern of the Committee is that the bill is based upon the use of the Information Privacy Principles (IPPs) contained in the current Privacy Act. As the discussion in Chapter 4 demonstrates, [55] there are a number of problems with the IPPs based in part on their age and corresponding applicability to emerging technologies.

6.62 Some business submissions agreed that the IPPs are not well suited to private sector operations:

The coverage of credit providers by the Information Privacy Principles in the Privacy Act has resulted in anomalies that are costly for business and benefits to consumers have not been proportional to those costs. … AMP would not welcome the general extension of the provisions of the existing Privacy Act into the private sector. [56]

To adopt Information Privacy Principles (IPPs) in the current act relating to privacy in the public sector would present industry with a set of rules that in some situations would be unworkable and on others highly costly to implement. Further these IPPs are not relevant in an environment where a customer is free to choose with which business they form a relationship. [57]

6.63 The Committee questions the use of the IPPs in preference to the National Principles. However, as the Committee has noted serious deficiencies in the National Principles, it recommends that they be carefully revised, and should not be adopted without modification which takes into account the issues raised by expert commentators, and in light of the guiding principles of the European Directive. [58] Until such revision has occurred, the National Principles would not be an appropriate base for legislation.

Unnecessary complexity

6.64 The Committee is concerned that the provisions of the bill serve to increase the complexity of the laws regulating privacy, rather than achieving the stated aim of reducing regulatory burdens and red-tape.

6.65 As noted above, the Australian Law Reform Commission (ALRC) argued that the list of excluded service providers, contained in Schedule 3 of the Bill, “maintained a flawed status quo”. [59] This led to different sets of standards having to be maintained which were not based on rational divisions of service types but on past decisions.

6.66 As the Law Society of NSW concludes, the overall result is one of increased complexity:

The proposed scheme under the Privacy Amendment Bill … is not appropriate. The proposed scheme is too complex and relies on definitions etc … rather than achieving certainty, the proposed scheme introduces an unnecessary process for capturing contractors and subcontractors. [60]

6.67 The Law Institute of Victoria echoes these comments:

The proposed amendment to the Privacy Act 1988 further complicates the law relating to privacy in Australia and underscores the unevenness of protection across the country. [61]

Access to and correction of records

6.68 The Committee also notes the comments of Mr Nigel Waters, who argues that the arrangements under the bill for access to and correction of personal records appear to be unsatisfactory. The difficulty lies in the relationship between the Privacy Act and the Freedom of Information Act 1982 (Cth) (FOI). Currently, in matters relating to the access to and amendment of personal information in the public sector, complaints are dealt with under the provisions of the FOI Act rather than the Privacy Act, even though the Privacy Commissioner has the legislative power to receive and investigate such complaints. [62] The provisions of the bill will carry this arrangement over into the private sector by amending the FOI Act to include provisions deeming documents containing personal information, held by contracting companies, to be in the possession of the client agency. The client agency can then include provisions in the relevant contract to give effect to the access and correction rights. According to Mr Waters:

The FOI Act is to be amended (by a future bill) to ensure that individuals can obtain access to, and where appropriate, correct, information about themselves held by contractors pursuant to a service provided to the Commonwealth. But this is to be effected by deeming documents containing such information to be in the possession of the client agency. It is apparently envisaged that an agency will then be able to include provisions in the contract to give practical effect to the access and correction rights.

The problem with this approach is the same as in relying on contractual provisions alone – if a contractor does not comply with the letter or spirit of FOI Act provisions, redress for an individual will have to rely on the client agency attempting to enforce the contract. … this is very much a second best to the contractor being separately liable to comply with the access and correction principles, which could be best achieved by transferring the personal information aspects of the FOI Act into the Privacy Act, and making them subject to the jurisdiction of the Privacy Commissioner. [63]

6.69 The Committee also notes that the Administrative Review Council and Australian Law Reform Commission, in accordance with a 1996 report, [64] have recommended that:

… access to and amendment of personal information in the public sector should continue to be dealt with under the FOI Act in preference to the Privacy Act. … This is primarily because of the review mechanisms available under the FOI Act. [65]

6.70 The Committee concludes that the implications of this appear to be that achieving consistency between public and private sectors with respect to the accessing and correction of personal information entails adopting an enforcement mechanism that will be less than effective.

6.71 In the absence of any detailed information on this issue, the Committee is not able to make any final recommendations regarding the optimal interaction between these two Acts, in the public or private sectors. However, the Committee does recommend that the government give further consideration to the issue.

Conclusions

6.72 The Committee concludes that the objectives of the Privacy Amendment Bill 1998 are inadequate to meet the wider need for privacy protection over the public sector in Australia. Nevertheless, the Committee agrees that there is an urgent need to counteract the erosion of the coverage of the Privacy Act caused by the widespread contracting out of government services, and to this extent only, supports the objectives of the bill.

6.73 Regardless, the Committee is concerned that the desire to minimise the application of the bill to the private sector has led to a series of rules and exclusions, which would have the effect of increasing the complexity of Australia's already “patchwork” privacy laws. The Committee considers this an ironic course of action since it has heard industry's almost unanimous plea for simplified, uniform and consistent privacy laws.

6.74 The Committee considers that many of the above issues raised regarding the effectiveness of the bill in meeting even limited objectives serve more to reinforce the practicality of adopting uniform national legislation covering both private and public sectors than they do to support the proposed amendments.

Footnotes

[1] Reference is also make to the Privacy Amendment Bill 1998 in Chapter 4.

[2] Privacy Amendment Bill 1998, Second Reading Speech, p. 1

[3] Submission No. 34, Price Waterhouse, p. 602. See also Submission No. 36, Australian Direct Marketing Association, p. 645.

[4] For a detailed assessment of the complex administrative law issues raised by `contracting out', see the report by the Administrative Review Council, The Contracting Out of Government Services, 1998.

[5] Submission No.7A, Australian Privacy Charter Council, p. 284

[6] Transcript of evidence, Attorney General's Department, p. 221.

[7] Submission No. 49, Australian Law Reform Commission, p. 838.

[8] See especially Paragraphs 6.17-6.30 below.

[9] The National Health Act 1953 provides some protection for sensitive personal information. See also Submission No. 49, Australian Law Reform Commission, p. 838.

[10] Submission No. 7A, Australian Privacy Charter Council, pp. 285-286.

[11] Submission No. 52, Attorney General's Department, pp. 1042-1043.

[12] Submission No. 52, Attorney General's Department, p. 1042.

[13] Privacy Amendment Bill 1998, Schedule 1, Clauses 7 and 3 respectively.

[14] Privacy Amendment Bill 1998, Schedule 1, Clause 3.

[15] Submission No. 52, Attorney General's Department, p. 1043.

[16] Department of Health and Family Services, Submission to Privacy and the Private Sector,1996, p.1.

[17] In this instance, it is the service provided and not the organisation providing the service which is relevant: an organisation may also provide a service which is subject to the proposed amendments, see also below, Paragraphs 6.25, 6.40, 6.42.

[18] Privacy Amendment Bill 1998, Schedule 1, Clause 3.

[19] Department of Health and Family Services, Submission to Privacy and the Private Sector,1996, p.1.

[20] Especially health care access, child care, aged care and disability services – see Submission No. 49, Australian Law Reform Commission, p. 840.

[21] Submission No. 49, Australian Law Reform Commission, p. 840.

[22] Submission No. 52, Attorney General's Department, p. 1042.

[23] The Second Reading speech states that material which has already been collected will not be subject to the new amendments because this previously collected information was obtained on a different basis. (Second Reading Speech, p. 4). All subsequent information is to be collected on the basis of not being used for any other than a specific purpose (`a person having been made aware, at the time of collection, of the purpose of collection').

[24] See below, Paragraphs 6.37-6.40.

[25] Moira Paterson, `Privacy protection in Australia: the need for an effective private sector regime', 26 Federal Law Review, 1998, p.371 at p. 378. This conclusion is shared by the Senate Community Affairs References Committee in their report Access to Medical Records, June 1997, p. 2.

[26] Submission No. 52, Attorney General's Department, p. 1043.

[27] Submission No. 52, Attorney General's Department, p. 1043. Privacy Amendment Bill 1998, Clause 6.

[28] Submission No. 52, Attorney General's Department, p. 1043.

[29] Submission No. 49, Australian Law Reform Commission, p. 841.

[30] Privacy Amendment Bill 1998, Schedule 1, Clause 23.

[31] Submission No. 7A, Australian Privacy Charter Council, p. 287. See also Submission No. 52, Attorney General's Department, p. 1045.

[32] Second Reading Speech, House of Representatives, Hansard, 5 March 1998, p. 4.

[33] Submission No. 52, Attorney General's Department, p. 1044.

[34] Submission No.46, Campaign for Fair Privacy Laws, p. 777.

[35] See above, Paragraphs 6.17-6.30.

[36] Submission No. 34, Price Waterhouse, p. 603.

[37] Submission No. 34, Price Waterhouse, p. 603.

[38] Submission No. 49, Australian Law Reform Commission, p. 837.

[39] Submission No. 49, Australian Law Reform Commission, p.841.

[40] See also above, Paragraphs 6.35-6.40. See Privacy Amendment Bill 1998, Schedule 1, Clause 14A.

[41] Second Reading Speech, House of Representatives, Hansard, 5 March 1998, p. 5.

[42] The issue of employee data in general is considered in Chapters 3 and 5.

[43] Privacy Amendment Bill 1998, Schedule 1, Clause 8A.

[44] In fact, the Second Reading Speech refers to broader principles: 'The Government does not consider it is appropriate for personal information to be processed overseas and has included provisions in its outsourcing contracts under the IT Infrastructure Initiative to require contractors to provide services under the contract in Australia', p. 4.

[45] The limited resources available could create the same situation as noted by the Austalian Law Reform Commission, that there is no attempt made to monitor practices – see above, Paragraphs 6.10-6.12.

[46] Submission No. 16, Vonaldy Pty Ltd., p.377.

[47] Submission No. 25, Law Institute of Victoria (Commercial Law Section), p. 425.

[48] See above, Paragraph 6.6. See also Submission No. 16, Vonaldy Pty Ltd., p.373:'[the Privacy Amendment Bill] provides a means of ensuring the intent of the Privacy Act 1988 continues to apply to personal data collected by federal government departments, agencies and commissions, even when that information is handed over to third parties for processing, and see also Submission No. 36, Australian Direct Marketing Association, p.645. The Association agrees that private sector organisations contracting with the federal government or any of its agencies … should be bound by the same legislated privacy provisions as public servants are. [48]

[49] Submission No. 7A, Australian Privacy Charter Council, p. 286.

[50] Privacy Amendment Bill 1998, Clause 21.

[51] Privacy Amendment Bill 1998, Clause 29.

[52] Privacy Amendment Bill 1998, Clauses 34-36.

[53] Submission No. 34, Price Waterhouse, p. 602.

[54] Bruce Slane, New Zealand Privacy Commissioner, Privacy Laws and the Private Sector, Notes for an address to the IIR conference on practical implementation strategies for privacy protocols, November 1998.

[55] See above, Chapter 4, Paragraphs 4.18-4.25.

[56] Submission No. 53, AMP, p. 1054. See also Submission No. 8A, Nigel Waters, p. 447. `Given that there will be an immediate addition to the Commissioner's jurisdiction of a large number… of contractors providing a wide variety of services, with thousands more as and when additional services and functions are outsourced, the government's commitment to effective implementation of the amendments must be in doubt.' These comments are also reflected in Submission No. 22, Law Council of Australia, p. 409.

[57] Submission No. 35, Coles Myer, p. 639E.

[58] See the more detailed evaluation of the National Privacy Principles in Chapter 5.

[59] Submission No. 49, Australian Law Reform Commission, p. 840.

[60] Submission No. 44, Law Society of NSW, p. 752.

[61] Submission No. 25, Law Institute of Victoria, p. 425.

[62] Submission No. 48, Administrative Review Council, p. 794.

[63] Submission No. 7A, Australian Privacy Charter Council, p.288.

[64] ALRC/ADR Open Government: A review of the Freedom of Information Act 1982, January 1996. The Committee notes that the government has yet to respond to this report.

[65] Submission No. 48, Administrative Review Council, p. 794. The FOI Act includes the availability of an external merits review by the Administrative Appeals Tribunal, not available under the Privacy Act.