Chapter 6
Finding the best solution: suggested models
Introduction
6.1 Previous chapters have examined the wider background to the inquiry,
and concluded that there is a need to extend privacy protection to cover
the private sector. Chapter 3 established a broad set of criteria for
the evaluation of a privacy protection system, while chapters 4 and 5
examined the extent and effectiveness of existing privacy protection provided
by law and self-regulation respectively. These chapters concluded that
neither law nor self-regulation currently provides adequate privacy safeguards
over the private sector.
6.2 The task of this and the following chapters is to examine future
options and to determine the most efficient, effective and acceptable
method for providing privacy safeguards over private sector operations.
The Privacy Amendment Bill 1998
Introduction
6.3 Chapter 2 of the Report outlines the provisions of the Privacy
Amendment Bill 1998. [1] In commenting in
further detail on this option, there are two key issues that must be considered.
The first of these is the adequacy and appropriateness of the objectives,
and the second concerns the effectiveness of the bill in meeting the objectives.
Adequacy of the objectives of the bill
6.4 The second reading speech states that the objective of the bill is
to amend the Privacy Act 1988 to apply it to personal information
held by contractors in relation to services provided to the Commonwealth.
The speech explains the need for change in the context of the widescale
competitive tendering and contracting out of a range of services previously
performed by government agencies. Thus:
Since 1 January 1989, when it came into operation, the Privacy Act
has required government agencies that hold information about individuals
to deal with that information in a manner that protects the individual's
privacy. This bill ensures that the existing protections afforded by
the Privacy Act are not lost when services are delivered under contract.
[2]
6.5 This report identified in Chapter 3 the challenges posed to privacy
by the contracting out of government services and the associated transfers
of personal information, and found a need for privacy protections to be
extended to cover this situation. The bill goes some way towards meeting
concerns expressed by some business groups.
6.6 The introduction of privacy legislation to govern contractors in
relation to services provided to the Commonwealth is a welcome if not
overdue initiative. The need for national privacy legislation is increasing
and by implementing the proposed amendment the government is gradually
expanding the scope of good privacy practices to the private sector. [3]
6.7 Insofar as the bill is a (belated) attempt to correct a serious erosion
of privacy protection, the Committee considers it is a step in the right
direction. However, this bill only seeks to restore some measure of protection
and does little to address a number of discrepancies. As the Second Reading
speech states: the bill is intended to ensure the continuation of
existing protections only.
6.8 The bill is premised on the belief that the contractual arrangements
which were put in place in order for Commonwealth departments and agencies
to deal with the outsourcing of some services were inadequate. [4]
The basis of the inadequacy, as noted above, is that the contracts are
made between a department/agency and the contractor. An individual whose
personal information is abused or misused by a contractor has no right
of redress, since all action (if any) must be taken by the contracting
department or agency. If no action is taken, the individual has no redress:
Whatever conditions and requirements are placed in contracts, the fact
that contractors have not themselves been generally subject to the Privacy
Act means that individuals' right of redress in the event of breaches
of privacy have been limited. [5]
6.9 The contractual provisions themselves will no longer be relevant
if the Privacy Amendment Bill is passed, since the legislation
effectively by-passes the need for specific provisions regarding privacy
protection in a contract. If an outsourcing contract exists, the service
provider is automatically subject to the legislation:
The only contract that is necessary to bring the bill into existence
is the outsourcing contract. But there do not need to be any provisions
in that contract dealing with privacy issues. The bill simply applies
because there is an outsourcing contract. [6]
Need for amendments
6.10 No information was provided on any actions taken by a department
or agency against contractors, or against those members of staff who
may have failed to ensure that contractors do not abuse privacy. The [then]
Privacy Commissioner did not note in her submission any such action, and,
although annual reports of the Privacy Commission refer to various breaches
of privacy, there is little indication in such reports that contractors
have in fact used personal information inappropriately. This must necessarily
lead some witnesses to query if there is a current real problem, or whether
the bill is intended to prevent such instances from occurring.
6.11 The ALRC noted the unsatisfactory nature of current arrangements.
However, it also went further by suggesting that lax departmental practices
may have created a problem, and lack of resources may have made it difficult
to identify the actual extent of this problem:
Anecdotal evidence suggests that many such contracts [under existing
legislation] simply state that the Privacy Act 1988 (Cth) applies
to the contractor, without spelling out the obligations that this imposes
on the contractor. It is feasible that many contractors may not be aware
of their privacy obligations, or alternatively, that the contracting
department does not have the resources to ensure that such obligations
are being met. [7]
6.12 Although there has been little direct evidence of a serious breach
of current arrangements, the Committee believes the objectives of the
bill are inadequate even if one accepts that there is no intention in
it to extend privacy protection to people or organisations not previously
protected. The reason for the Committee's concern is primarily that certain
terms such as `outsourced' are used to exclude people and services which
could logically be covered, and which need protection and the security
and confidence which such protection may provide. [8]
Limits to extension of privacy protection
6.13 In developing the legislation it is apparent that the issue of coverage
was substantial, insofar as the Commonwealth has an extensive series of
what might be deemed contractual arrangements with people and services.
For example, it effectively has contractual arrangements with doctors
and pharmacists through Medicare and through the Pharmaceutical Benefits
Scheme. Such people are in possession of extremely sensitive information
about individuals. [9] Other services funded
by the Commonwealth include educational, employment, aged care, disability
and related services; however, only certain of these services are or will
be subject to the Privacy Act 1988 or the proposed amendments.
Caught between its commitment to ensure protection wherever data handling
was contracted out, and its rejection of general private sector privacy
law, the government faced a difficult dilemma: how to draft an extension
which would cover the main categories of contractors carrying out functions
previously undertaken by agencies themselves, without inadvertently
subjecting a whole range of service providers funded directly or indirectly
by the Commonwealth (including all GPs, and various non-government organisations)
to the privacy regime. [10]
Contractual arrangements
6.14 From evidence provided to the Committee, it is apparent that various
measures were taken to avoid increasing the protection available to a
substantial number of members of the community who were in receipt of
Commonwealth-funded services. At one stage, the Attorney General's Department
considered defining the relevant parties who would be subject to the amended
Act on the basis of whether or not they had a contract with an agency
or department.
The existence of a contract for the delivery of services as the sole
defining feature was also explored. Clearly, a contract is an essential
element in the outsourcing of services, provided one includes the notional
contracts within the Commonwealth. However, the requirements of accountability
and financial prudence mean that in many cases funding that is considered
to be a `grant' is provided under an agreement that is likely to be,
technically, a contract rather than a grant. [11]
6.15 Such a definition, therefore, was seen as too extensive. The reason
for this is not specified. However, from the context, it appears that
either the service providers or the agencies or departments involved did
not wish this definition to be used because it would create new restrictions
or new responsibilities. In some cases, it would also mean some new regulation
of the private sector.
6.16 It appears, then, that the contractual relationship was too broad
as a ground for definition. The Attorney General's Department then moved
to the argument that regardless of the nature of the service or the extent
of personal information that might be involved, the defining factor would
be whether a service was `outsourced'.
Outsourced services
6.17 The definition of `outsourced' used by the Attorney General's Department
is somewhat tortuous, given that the definition had to fit not a series
of categories of a like nature, but a series of past, present and future
events. In short, the Department was obliged to work backwards from a
given situation that a large number of existing services were not
going to be covered, regardless of their nature. The Department was unable
to work forwards from a position which provided equal coverage to all
like groups:
However, I am not so sure that any of us could find a definition that
could be used in legislation, that would satisfactorily include all
services that are `outsourced', but not include those where there is
some other relationship, such as a funding arrangement, with the Government.
[12]
6.18 The Department does not explain in detail exactly what is meant
by outsourced, but does indicate that there has to be some form of relationship
in the past, present, or future with the relevant department or agency
which is seeking the provision of a service by another party. Thus, the
idea of a relationship between a department and a service provider becomes
important (but not all-important).
6.19 The term `outsourced' is not clearly defined in the bill. However,
by a process of elimination, through considering terms such as `outsourcing
agency' and `Commonwealth contract', [13] it
appears that an outsourced service is one:
- Previously, currently, or in the future undertaken by a department
or agency, and now undertaken by another party and to be delivered to
the agency (such as personnel or IT services which are an integral part
of the operations of a department or agency); or
- Previously, currently, or in the future to be provided by another
party, to other persons or organisations, on behalf of the department
or agency, or as part of or `in connection with the performance of the
Commonwealth agency's functions.' [14]
Relationship with the department or agency
6.20 As noted above, the relationship with a department or agency is
important, but not all-important. However close the previous relationship
with a department or agency may be (for example, the provision of substantial
funding in order to provide services which are an integral part of the
departmental raison d'être, such as aged care services), proximity will
not suffice. In the above instance, for example, the aged care service
provider will be exempt in respect of funded services. The grounds for
this are primarily that the service type was not previously subject to
privacy legislation. Thus, it is not relevant whether it is provided by
a private company or by a community group. The private agency has been
paid to provide a service; the community group is a `community or volunteer
organisation to whom the Commonwealth provides funding'. [15]
6.21 Implicit in this statement is an understanding that the funding
is provided for the organisation to do something, but not for, or on behalf
of, the Commonwealth. However, given the nature of many of the services
provided, it is very difficult to argue logically that funding is provided
to a range of organisations for services which have nothing to do with
the Commonwealth or its programs. This point was made by the submission
to the Attorney General's Department's paper, Privacy Protection in
the Private Sector, by the then Commonwealth Department of Health
and Family Services:
At present personal information, held by the Department and relating
to clients of some programs, is protected by strict secrecy provisions
involving criminal penalties in the event of unauthorised use or disclosure.
However, the same information held by a private organisation may not
be sufficiently protected from disclosure or unauthorised use. ...
Clients in receipt of Government programs ought to be treated consistently
regardless of the method of delivery of those programs. It follows that
there is a clear need for a consistent regime to protect personal information
relating to the Department's clients regardless of whether those clients
deal with the Department directly or through a service organisation.
[16]
6.22 Although the Attorney General's Department's submission does not
go into any explanation of how the definition of `outsourced' was arrived
at, any service which, although funded by the Commonwealth, is deemed
not to have been `provided' by the Commonwealth, is exempt from any privacy
regulation. [17]
6.23 To differentiate between these services and those which are an integral
part of a department's raison d'être, the legislation makes reference
to an example, the provision of `job-seeking assistance to individuals'.
[18] This example, however, is somewhat misleading,
since it refers only to a service previously undertaken by a department,
and not to those that could arguably be seen as having been undertaken
on behalf of a department. Yet, as the above statement from the then Department
of Health and Family Services indicates, many programs, never having been
directly provided by a department, nonetheless are an integral part of
a department's services and need protection. Further, the department noted
that:
The Australian Law Reform Commission recognised these inconsistencies
in its reports into the department's Aged Care and Child Care legislation
and recommended that an appropriate privacy regime be imposed upon service
providers. [19]
6.24 The Australian Law Reform Commission also expressed its concern
at the gaps in the proposed legislation, based on its belief that the
more vulnerable [20] required protection:
By excluding service providers in these areas, the Bill maintains a
flawed status quo. It results in the circumstance that whether a service
provider is required to observe privacy standards or not depends on
an historical consideration of whether that service has been subject
to privacy obligations, rather than on a consideration on the merits
of whether the contractor who is to be engaged today ought to be obliged
to provide a legislated minimum standard of privacy protection. [21]
6.25 The Attorney General's department noted some of the likely problems,
although looking more to the future than to problems with existing service
providers:
In many instances, an outsourced service will have previously been
delivered by a Commonwealth agency. But what of situations where the
service is significantly different to that previously provided by a
Commonwealth agency, so that it may not be possible to say it was previously
delivered by an agency? Or where a new Government program is introduced,
involving a service to be delivered by the private sector under contract
to a Commonwealth agency? [22]
6.26 The Committee considers that there is no sound reason advanced for
the limitations imposed by the bill in respect of a range of services
provided by organisations which are in possession of extremely sensitive
information about individuals, many of whom are disadvantaged and vulnerable.
Indeed, given that the government has generally compelled people to provide
information in order to obtain a service, it has a particular obligation
to ensure that the information is protected. It also has an implicit obligation,
in respect of material which is collected for a specific and stated purpose,
to ensure that the material is not used in other ways or for any other
purpose. [23] It can only do this by applying
the same principles to all of those service providers it effectively employs
directly or indirectly to provide services to the community.
6.27 The Committee believes that all `volunteer' or `not for profit'
organisations receiving funding from the Commonwealth to provide services
should not be exempt from the provisions of any legislation intended to
provide protection of personal information.
6.28 In addition, the Committee would not find it acceptable that any
private sector organisation which had previously provided services and
was exempt from any privacy protection principles or legislation should
continue to be free from such regulation with respect to such services.
As is noted below, this can lead to the operation of different standards
within the one organisation. [24]
6.29 The Committee does not consider it logical to create separate rules
applying to the handling of personal information between the public and
private sectors. As legal academic Moira Paterson comments:
[A] person may have a right of access to his or her medical records
in the possession of a public hospital but not a private one even though
there is no inherent difference in the type of information or the circumstances
in which it was generated. [25]
6.30 The Committee considers that privacy protection should be accorded
on the basis of the nature of the personal information rather than on
an arbitrary, and increasingly blurred distinction between the private
and public sectors.
Regulation rather than legislation
6.31 Given the serious problems noted above with the definition of included
or excluded services, the use of a Schedule was also subject to criticism.
It enables changes to be made by regulation rather than legislation:
The difficulty with the Schedule approach, of course, is the timeframes
that can be involved in amending legislation. Programs change, and it
may be appropriate to remove services from the Schedule, or, where new
funding programs are introduced, to include them in it. The Bill allows
for either to be done, effectively, by regulation, to ensure that the
Schedule does not inappropriately exclude services from coverage, and
that the introduction of funding programs is not delayed by the need
to await legislative amendments. [26]
6.32 To accommodate changes, the bill provides that regulations may allow
parties other than the current list of `excluded funded services' to be
exempt from provisions. [27] This allows considerable
flexibility as regards exclusions. It is stated that services can be
removed from the Schedule or added, as required. [28]
6.33 While there is some logic in this argument with respect to future
services, there is little with respect to services established in the
past. The basis on which they are proposed to be excluded from coverage
is determined on whether they previously were subject to privacy legislation.
This is not going to change.
6.34 The arguments with respect to future services appear to be ease
and speed for administrators and the executive. However, given the problems
which have already been identified with the legislation, it is highly
desirable that unexamined services are not able to be so easily approved.
This point is also supported by the Australian Law Reform Commission:
The Commission is also concerned by the mechanism by which service
providers can be added to the schedule of excluded providers ...
the Commission considers that there should be a presumption that
all service providers ought to be subject to the Privacy Act 1988 (Cth),
unless the public interest in ensuring such protection is outweighed
by other factors. In such circumstances, the decision to exempt a service
provider from their privacy obligations would appropriately be one for
the Parliament to make through consideration of amending the legislation
and not by regulation. Accordingly, proposed new section 6(1) should
be deleted. [29]
`Past' information
6.35 The bill seeks also to quarantine all personal information collected
by an organisation in the past, even though the organisation may collect
information about the same people through the provision of services which
are now affected by the legislation. The Committee is concerned that no
provisions have been made about the security of such `old' information
itself, although it appears that there are limits placed on mixing old
and new data. [30]
The second reading speech suggests that one consequence of this provision
is that contractors will not be able to mix information held under a
Commonwealth contract with other information they hold, for other purposes.
Given the range of exceptions to IPP10, the law itself may not guarantee
this, but hopefully a combination of the amendments and contractual
provisions will do so. [31]
6.36 In fact, the Second Reading speech suggests that such material could
continue to be used (although perhaps not mixed with other `protected'
information) when it refers to the inconvenience to `contracted
service providers' were they to be obliged to impose restrictions on their
use of data:
These Information Privacy Principles will only apply to information
collected by contracted service providers from commencement. This ensures
that contracted service providers are not required to contact individuals
to seek their consent to uses of information already collected by them.
However, the Information Privacy Principles relating to matters such
as secure storage and ensuring personal information is relevant and
accurate before it is used will apply regardless of when the contracted
service provider obtained the information. [32]
6.37 There is no reference in the legislation to penalties to be applied
to organisations who have previously collected personal information
and who then use it for other purposes (as distinct from mixing this information
with data collected or obtained under a contractual arrangement subject
to the proposed legislation). This is a serious gap in the legislation
since there is no means by which existing information retained from a
Commonwealth contract prior to the introduction of the legislation, or
by a commercial or `not for profit' or charitable organisation not affected
by the proposed legislation, is prevented from being misused. The Committee
believes that where such information is still used it must be treated
in the same way as other personal information recently collected. Otherwise,
if it is not subject to any other legislation, it should be destroyed
or returned to the individual concerned.
6.38 The limited restriction on the use of data collected earlier is
not explained although the principle of `no retrospectivity' generally
applies. However, it is also clear that the bill intends there should
be no major inconvenience to service providers:
a contracted service provider will be an agency under the Privacy
Act. This means that the Information Privacy Principles apply directly
to their acts and practices in relation to personal information held
or dealt with under or for the purposes of a Commonwealth contract,
from the commencement of the amendments.
The amendments are not intended to be retrospective, nor to require
the impossible. [33]
6.39 Any restrictions on much of the data held by a large number of organisations
would require that at the least all charitable or voluntary organisations
receiving Commonwealth funding be subject to legislation or regulation
regarding the collection and use of data.
6.40 This view is supported by a statement from the Campaign for Fair
Privacy Laws which asks a pertinent question about government's interest
in its clients, as opposed to government's interest in the security of
`government' information:
it is noted that Government has chosen not to outsource its
sensitive data, such as security, intelligence or law enforcement records.
The same reasoning should be applied to our sensitive data.
[34]
Partial coverage of private sector and other organisations
6.41 One of the major drawbacks of the proposed legislation is that it
only applies to services classified as outsourced. [35]
This raises the possibility of an organisation being affected by legislation
for some services but not for others, and in respect of some contractors
and not others. This has been criticised on several grounds, notably those
concerning the importance of systematic and standard practices and principles
in the handling of information: `This results in an impractical and fragmented
approach to information handling within an organisation.' [36]
6.42 A further criticism of a similar nature is that the existence within
one organisation of different practices may affect commercial competitiveness:
The proposal may also lead to some anomalies from a commercial standpoint.
An organisation which deals with government contracts and also with
personal information obtained from other operations may feel competitively
disadvantaged if different information handling practices are required.
[37]
6.43 Similar comments were also made by the Australian Law Reform Commission
which noted the emphasis by another inquiry on a standard culture of accountability.
[38] The ALRC noted the potential for uneven
service provision within an organisation, including in an organisation
which had previously received grants for services, but would now
receive payments for other services:
Even more unacceptably, the circumstance may arise where a community
organisation has for years been contracted through `grants' to provide
services and is not bound by privacy laws with respect to a recipient,
but now having been further contracted with to provide a different service
previously directly supplied by the department to that same recipient,
is bound by privacy laws. That organisation would therefore be required
to meet privacy obligations to the service recipient in relation to
one service but not the other. [39]
`Use' and `Disclosure'
6.44 The proposed amendments deal with the issue of whether material
provided to a third party by a department or agency is material which
has been disclosed or has been transferred for `use'. [40]
This amendment would ensure that the provision of data to a contracted
service provider is seen as a `use' of information and not a `disclosure';
the information is therefore subject to the provisos that exist regarding
the purpose of collection of the data. [41]
Employee data
6.45 Another problem with the bill is that it does not apply to the information
held by organisations on their employees. No specific reason is advanced
for this. As noted above, there is an objection by many business groups
to having employee information covered by privacy legislation on the grounds
that employee data is already subject to a range of other legislation.
[42]
Overseas information processing
6.46 The bill makes provision to protect some personal information which
may be processed or otherwise dealt with overseas. [43]
However, the effect of this is likely to be minimal where the main body
of an organisation is located outside Australia.
6.47 In theory, the overseas processing of such data in countries where
there are limited privacy regulations is not acceptable to the current
government. [44] If this were the case, then
there should be an express prohibition on the export of sensitive data
to such countries. The provision of a failsafe may in fact be the most
effective means of ensuring that data will routinely be sent to countries
without such protections if they offer a cheaper service. The capacity
of the individual or the Privacy Commissioner to routinely assess the
adequacy of the protection offered is virtually non-existent. [45]
6.48 Further, as is noted in the evidence, much data is already difficult
to protect unless it is encrypted. [46] A similar
point was also made by the Law Institute of Victoria, which noted that
electronic commerce was becoming the standard, and that the regulation
of privacy must accommodate this fact: `This medium pays little regard
to national borders and needs robust privacy protection, at national and
international levels, to underpin its success.' [47]
Conclusion
6.49 In the context of the current Privacy Act, the effect of
which has been eroded, there appears to be support for the Privacy
Amendment Bill 1998. [48]
6.50 However, the Committee has some reservations about the Bill, primarily
as regards its limited coverage and the fact that it has made an untenable
distinction between different types of service providers. The Committee
finds that instead of merely maintaining existing protection, the government
should extend it to comprehensively cover all those providing a government
funded service.
6.51 In saying this the Committee states that its support of privacy
protection is such that it believes not only the private sector but also
the substantial `voluntary' and `charitable' sector, however defined,
must be subject to the same principles.
6.52 The Committee therefore recommends the government introduce
legislation to provide privacy protection uniformly covering the public,
private and the charitable and `not for profit' sectors. The coverage
of the bill should be as broad as possible and minimise the extent of
any exemptions.
Effectiveness of the bill in meeting its objectives
6.53 The second question to be considered is the effectiveness of the
bill in meeting its stated objectives. A number of general comments can
be made, concerning access, resources available to the Privacy Commissioner,
the value of the Information Privacy Principles vis-a-vis the National
Principles, complexity created by the legislation, and access to and
correction of records.
Access to redress
6.54 The Committee notes that the bill provides for individuals who have
suffered a breach of privacy to complain directly to the Privacy Commissioner,
offering greatly improved access to justice and remedies compared with
what is currently available. The Committee commends these changes.
6.55 In this respect, the bill adopts what Nigel Waters refers to as
a `belt and braces' approach to privacy protection to ensure that
individuals are not disadvantaged by any uncertainty about who is responsible.
[49]
6.56 Under the terms of the bill, the contracting out agency retains
responsibility for compliance with the Information Privacy Principles,
but shares that responsibility with contractors and sub-contractors [50].
Likewise, complainants may amend a complaint to ensure that the correct
party is named. [51] Importantly, where a contractor
ceases to exist, the Privacy Commissioner is able to substitute the contracting
agency for the contractor, and the agency may then be required to pay any compensation.
[52]
6.57 In these respects, the Committee concludes that the bill should
successfully extend the protection of the Privacy Act to contractors for
government services.
Resources of the Privacy Commissioner
6.58 One aspect of concern to the Committee is the extent of the Privacy
Commissioner's capacity to accept additional responsibilities without
any increases in resources. The Privacy Commissioner already has wide
responsibilities, and the significant task of developing national compliance
mechanisms to accompany the NPPs. The Committee queries the practicality
of adding a significant industry `client base' to the Privacy Commissioner's
jurisdiction, in conjunction with a claim that there should not be any
major cost implications of the legislation:
I have a continuing concern with the level of resources available to
the Privacy Commissioner; the Privacy Commissioner has experienced funding
cuts yet is expected to extend the services offered. I therefore cannot
understand how the Commissioner can expect to extend her services and
ensure compliance with the Privacy Act by another group of organisations
without additional funding and resources. [53]
6.59 In this context, the Committee notes the effect that limited resources
have had on the capacity of the New Zealand Privacy Commissioner to deal
with the expanded number of complaints following the widening of his jurisdiction:
In their submissions on the review, business and industry associations
favoured the complaints mechanism, although they took issue with my
own level of funding. Because I have not been sufficiently funded for
the complaints I have on hand, I have instituted a queue system and
businesses have found the delays unpalatable. [54]
6.60 The Committee therefore recommends that, were the proposed
legislation to be agreed to, there be a serious re-evaluation undertaken
of the proposed workload of the Privacy Commissioner and the resource implications
of the proposed legislation.
Use of the Information Privacy Principles (IPPs)
6.61 A further concern of the Committee is that the bill is based upon
the use of the Information Privacy Principles (IPPs) contained in the
current Privacy Act. As the discussion in Chapter 4 demonstrates, [55]
there are a number of problems with the IPPs, arising in part from their age
and their consequently limited applicability to emerging technologies.
6.62 Some business submissions agreed that the IPPs are not well suited
to private sector operations:
The coverage of credit providers by the Information Privacy Principles
in the Privacy Act has resulted in anomalies that are costly for business
and benefits to consumers have not been proportional to those costs.
AMP would not welcome the general extension of the provisions
of the existing Privacy Act into the private sector. [56]
To adopt Information Privacy Principles (IPPs) in the current act relating
to privacy in the public sector would present industry with a set of
rules that in some situations would be unworkable and in others highly
costly to implement. Further these IPPs are not relevant in an environment
where a customer is free to choose with which business they form a relationship.
[57]
6.63 The Committee questions the use of the IPPs in preference to the
National Principles. However, as the Committee has noted serious
deficiencies in the National Principles, it recommends that
they be carefully revised, and should not be adopted without modification
which takes into account the issues raised by expert commentators, and
in light of the guiding principles of the European Directive. [58]
Until such revision has occurred, the National Principles would
not be an appropriate base for legislation.
Unnecessary complexity
6.64 The Committee is concerned that the provisions of the bill serve
to increase the complexity of the laws regulating privacy, rather than
achieving the stated aim of reducing regulatory burdens and red-tape.
6.65 As noted above, the Australian Law Reform Commission (ALRC) argued
that the list of excluded service providers, contained in Schedule 3 of
the Bill, maintained a flawed status quo. [59]
This led to different sets of standards having to be maintained which
were not based on rational divisions of service types but on past decisions.
6.66 As the Law Society of NSW concludes, the overall result is one of
increased complexity:
The proposed scheme under the Privacy Amendment Bill is not
appropriate. The proposed scheme is too complex and relies on definitions
etc. rather than achieving certainty; the proposed scheme introduces
an unnecessary process for capturing contractors and subcontractors.
[60]
6.67 The Law Institute of Victoria echoes these comments:
The proposed amendment to the Privacy Act 1988 further complicates
the law relating to privacy in Australia and underscores the unevenness
of protection across the country. [61]
Access to and correction of records
6.68 The Committee also notes the comments of Mr Nigel Waters, who argues
that the arrangements under the bill for access to and correction of personal
records appear to be unsatisfactory. The difficulty lies in the relationship
between the Privacy Act and the Freedom of Information Act 1982
(Cth) (FOI Act). Currently, in matters relating to access to and amendment
of personal information in the public sector, complaints are dealt with
under the provisions of the FOI Act rather than the Privacy Act,
even though the Privacy Commissioner has the legislative power to receive
and investigate such complaints. [62] The provisions
of the bill will carry this arrangement over into the private sector by
amending the FOI Act to include provisions deeming documents containing
personal information, held by contracting companies, to be in the possession
of the client agency. The client agency can then include provisions in
the relevant contract to give effect to the access and correction rights.
According to Mr Waters:
The FOI Act is to be amended (by a future bill) to ensure that individuals
can obtain access to, and where appropriate, correct, information about
themselves held by contractors pursuant to a service provided to the
Commonwealth. But this is to be effected by deeming documents containing
such information to be in the possession of the client agency. It is
apparently envisaged that an agency will then be able to include provisions
in the contract to give practical effect to the access and correction
rights.
The problem with this approach is the same as in relying on contractual
provisions alone: if a contractor does not comply with the letter
or spirit of FOI Act provisions, redress for an individual will have
to rely on the client agency attempting to enforce the contract.
This is very much a second best to the contractor being separately liable
to comply with the access and correction principles, which could be
best achieved by transferring the personal information aspects of the
FOI Act into the Privacy Act, and making them subject to the jurisdiction
of the Privacy Commissioner. [63]
6.69 The Committee also notes that the Administrative Review Council
and Australian Law Reform Commission, in a 1996 report,
[64] recommended that:
access to and amendment of personal information in the public
sector should continue to be dealt with under the FOI Act in preference
to the Privacy Act.
This is primarily because of the review mechanisms
available under the FOI Act. [65]
6.70 The Committee concludes that the implication of this appears to
be that achieving consistency between the public and private sectors with
respect to access to and correction of personal information entails
adopting an enforcement mechanism that will be less than effective.
6.71 In the absence of any detailed information on this issue, the Committee
is not able to make any final recommendations regarding the optimal interaction
between these two Acts, in the public or private sectors. However, the
Committee does recommend that the government give further consideration
to the issue.
Conclusions
6.72 The Committee concludes that the objectives of the Privacy Amendment
Bill 1998 are inadequate to meet the wider need for privacy protection
over the private sector in Australia. Nevertheless, the Committee agrees
that there is an urgent need to counteract the erosion of the coverage
of the Privacy Act caused by the widespread contracting out of government
services, and to this extent only, supports the objectives of the
bill.
6.73 At the same time, the Committee is concerned that the desire to minimise
the application of the bill to the private sector has led to a series
of rules and exclusions, which would have the effect of increasing the
complexity of Australia's already patchwork privacy laws.
The Committee considers this an ironic course of action since it has heard
industry's almost unanimous plea for simplified, uniform and consistent
privacy laws.
6.74 The Committee considers that many of the above issues raised regarding
the effectiveness of the bill in meeting even limited objectives serve
more to reinforce the practicality of adopting uniform national legislation
covering both private and public sectors than they do to support the proposed
amendments.
Footnotes
[1] Reference is also made to the Privacy
Amendment Bill 1998 in Chapter 4.
[2] Privacy Amendment Bill 1998, Second
Reading Speech, p. 1
[3] Submission No. 34, Price Waterhouse,
p. 602. See also Submission No. 36, Australian Direct Marketing
Association, p. 645.
[4] For a detailed assessment of the complex
administrative law issues raised by `contracting out', see the report
by the Administrative Review Council, The Contracting Out of Government
Services, 1998.
[5] Submission No. 7A, Australian Privacy
Charter Council, p. 284.
[6] Transcript of evidence, Attorney
General's Department, p. 221.
[7] Submission No. 49, Australian Law
Reform Commission, p. 838.
[8] See especially Paragraphs 6.17-6.30 below.
[9] The National Health Act 1953 provides
some protection for sensitive personal information. See also Submission
No. 49, Australian Law Reform Commission, p. 838.
[10] Submission No. 7A, Australian Privacy
Charter Council, pp. 285-286.
[11] Submission No. 52, Attorney General's
Department, pp. 1042-1043.
[12] Submission No. 52, Attorney General's
Department, p. 1042.
[13] Privacy Amendment Bill 1998, Schedule
1, Clauses 7 and 3 respectively.
[14] Privacy Amendment Bill 1998, Schedule
1, Clause 3.
[15] Submission No. 52, Attorney General's
Department, p. 1043.
[16] Department of Health and Family Services,
Submission to Privacy and the Private Sector, 1996, p. 1.
[17] In this instance, it is the service provided
and not the organisation providing the service which is relevant: an organisation
may also provide a service which is subject to the proposed amendments,
see also below, Paragraphs 6.25, 6.40, 6.42.
[18] Privacy Amendment Bill 1998, Schedule
1, Clause 3.
[19] Department of Health and Family Services,
Submission to Privacy and the Private Sector, 1996, p. 1.
[20] Especially health care access, child care,
aged care and disability services; see Submission No. 49,
Australian Law Reform Commission, p. 840.
[21] Submission No. 49, Australian Law
Reform Commission, p. 840.
[22] Submission No. 52, Attorney General's
Department, p. 1042.
[23] The Second Reading speech states that
material which has already been collected will not be subject to the new
amendments because this previously collected information was obtained
on a different basis. (Second Reading Speech, p. 4). All subsequent information
is to be collected on the basis of not being used for any other than a
specific purpose (`a person having been made aware, at the time of collection,
of the purpose of collection').
[24] See below, Paragraphs 6.37-6.40.
[25] Moira Paterson, `Privacy protection
in Australia: the need for an effective private sector regime', 26
Federal Law Review, 1998, p.371 at p. 378. This conclusion is shared
by the Senate Community Affairs References Committee in their report Access
to Medical Records, June 1997, p. 2.
[26] Submission No. 52, Attorney General's
Department, p. 1043.
[27] Submission No. 52, Attorney General's
Department, p. 1043. Privacy Amendment Bill 1998, Clause 6.
[28] Submission No. 52, Attorney General's
Department, p. 1043.
[29] Submission No. 49, Australian Law
Reform Commission, p. 841.
[30] Privacy Amendment Bill 1998, Schedule
1, Clause 23.
[31] Submission No. 7A, Australian Privacy
Charter Council, p. 287. See also Submission No. 52, Attorney General's
Department, p. 1045.
[32] Second Reading Speech, House of Representatives,
Hansard, 5 March 1998, p. 4.
[33] Submission No. 52, Attorney General's
Department, p. 1044.
[34] Submission No.46, Campaign for
Fair Privacy Laws, p. 777.
[35] See above, Paragraphs 6.17-6.30.
[36] Submission No. 34, Price Waterhouse,
p. 603.
[37] Submission No. 34, Price Waterhouse,
p. 603.
[38] Submission No. 49, Australian Law
Reform Commission, p. 837.
[39] Submission No. 49, Australian Law
Reform Commission, p.841.
[40] See also above, Paragraphs 6.35-6.40.
See Privacy Amendment Bill 1998, Schedule 1, Clause 14A.
[41] Second Reading Speech, House of Representatives,
Hansard, 5 March 1998, p. 5.
[42] The issue of employee data in general
is considered in Chapters 3 and 5.
[43] Privacy Amendment Bill 1998, Schedule
1, Clause 8A.
[44] In fact, the Second Reading Speech refers
to broader principles: 'The Government does not consider it is appropriate
for personal information to be processed overseas and has included provisions
in its outsourcing contracts under the IT Infrastructure Initiative to
require contractors to provide services under the contract in Australia',
p. 4.
[45] The limited resources available could
create the same situation as noted by the Australian Law Reform Commission,
that there is no attempt made to monitor practices; see above, Paragraphs
6.10-6.12.
[46] Submission No. 16, Vonaldy Pty
Ltd., p.377.
[47] Submission No. 25, Law Institute
of Victoria (Commercial Law Section), p. 425.
[48] See above, Paragraph 6.6. See also Submission
No. 16, Vonaldy Pty Ltd., p. 373: `[the Privacy Amendment Bill] provides
a means of ensuring the intent of the Privacy Act 1988 continues to apply
to personal data collected by federal government departments, agencies
and commissions, even when that information is handed over to third parties
for processing', and see also Submission No. 36, Australian Direct
Marketing Association, p. 645. The Association agrees that private sector
organisations contracting with the federal government or any of its agencies
should be bound by the same legislated privacy provisions as public
servants are.
[49] Submission No. 7A, Australian Privacy
Charter Council, p. 286.
[50] Privacy Amendment Bill 1998, Clause
21.
[51] Privacy Amendment Bill 1998, Clause
29.
[52] Privacy Amendment Bill 1998, Clauses
34-36.
[53] Submission No. 34, Price Waterhouse,
p. 602.
[54] Bruce Slane, New Zealand Privacy Commissioner,
Privacy Laws and the Private Sector, Notes for an address to the
IIR conference on practical implementation strategies for privacy protocols,
November 1998.
[55] See above, Chapter 4, Paragraphs 4.18-4.25.
[56] Submission No. 53, AMP, p. 1054.
See also Submission No. 8A, Nigel Waters, p. 447. `Given that there
will be an immediate addition to the Commissioner's jurisdiction of a
large number
of contractors providing a wide variety of services,
with thousands more as and when additional services and functions are
outsourced, the government's commitment to effective implementation of
the amendments must be in doubt.' These comments are also reflected in
Submission No. 22, Law Council of Australia, p. 409.
[57] Submission No. 35, Coles Myer,
p. 639E.
[58] See the more detailed evaluation of the
National Privacy Principles in Chapter 5.
[59] Submission No. 49, Australian Law
Reform Commission, p. 840.
[60] Submission No. 44, Law Society
of NSW, p. 752.
[61] Submission No. 25, Law Institute
of Victoria, p. 425.
[62] Submission No. 48, Administrative
Review Council, p. 794.
[63] Submission No. 7A, Australian Privacy
Charter Council, p.288.
[64] ALRC/ARC, Open Government: A review
of the Freedom of Information Act 1982, January 1996. The Committee
notes that the government has yet to respond to this report.
[65] Submission No. 48, Administrative
Review Council, p. 794. The FOI Act includes the availability of an external
merits review by the Administrative Appeals Tribunal, not available under
the Privacy Act.