Privacy in the Private Sector

Chapter 7

The co-regulation model

Introduction

7.1 Having examined international and national developments, and the advantages and disadvantages of both regulatory and self-regulatory systems, the Committee moved to a consideration of what has been called co-regulation. In particular, given that a substantial number of submissions were provided in response to the Attorney General's request for comment on the proposed co-regulation model, the Committee has assessed these responses to determine the extent of support for a legislatively-backed privacy regime.

Background

7.2 Some evidence suggested that self-regulation by itself is not an adequate basis for an effective privacy system. This conclusion is borne out in government documents. The Regulatory Impact Statement (RIS) to the Privacy Amendment Bill 1998 identifies the limitations of a self-regulatory solution in the context of the more limited question of extending privacy protection to contractors for government business. It concludes that “legislative mechanisms for providing such protection would appear to be the optimum way of dealing with the problem.” [1] In the Privacy Commissioner's Consultation Paper there is an explicit recognition that “there is an urgent need to address privacy concerns” in the private sector. [2]

7.3 By the government's own logic, therefore, it would seem obvious that a legislative solution is the best way to achieve the accepted need for protection. The main question is not whether any legislation is needed, but rather what sort of legislation is required, and the role it would play in any final privacy protection regime. A judicious mixture of legislation and self-regulation – in other words, co-regulation – may provide the optimum solution, offering the advantages of flexibility and low-compliance of self-regulatory systems, with the rights, obligations, and enforceable bottom line of legislative guarantees.

7.4 This view appears to be shared by the Privacy Commissioner. In a background paper released in April 1997, Privacy Protection in Australia, she stated:

My office has, for some years, argued that uniform national privacy legislation is the best way to implement a scheme of privacy protection which will meet the needs of both business and consumers, and it remains my view that a legislatively based “co-regulatory” approach would best achieve this result. I believe it should be possible to devise a statutory regime which is neither onerous nor costly for business. [3]

7.5 The Committee has seen evidence that a co-regulatory model of this type has been successfully adopted in New Zealand, and a similar model has also been proposed for adoption in Victoria. The Committee also notes with great interest the co-regulatory scheme proposed by the Attorney-General's Department in their 1996 discussion paper Privacy Protection in the Private Sector. [4]

Attorney-General's model: A co-regulatory approach

7.6 In response to the growing concerns of the public, the business community and international organisations, the Commonwealth Attorney-General's Department released a discussion paper in September 1996, entitled Privacy Protection in the Private Sector. The paper was disseminated in order to ascertain the views of a broad cross-section of the Australian community in determining whether privacy should be extended to the private sector and if so, how it could most effectively be achieved. The discussion paper proposed a national, co-regulatory scheme based on the existing Information Privacy Principles (IPPs) in the Privacy Act 1988, and recommended legally enforceable remedies where breaches occurred.

7.7 One hundred and sixteen submissions [5] were received by the Attorney-General's Department in response to its discussion paper. The notable issues of concern raised by the submissions included, inter alia, the costs to business, the compatibility of existing IPPs with the operations of the private sector, the nature and scope of any Codes of Practice, the time-frame for implementation, the extent of the authority of the Privacy Commissioner and attributes of any of the compliance mechanisms. Chart 1 on Page 155 demonstrates the number of submissions by industry.

Co-Regulation: A viable option?

7.8 In broad terms, a co-regulatory system propounds the use of statutory Information Privacy Principles (IPPs) in protecting the “collection, storage and security, individual access and correction, use and disclosure of personal information.” [6] Furthermore, it provides for the development of Codes of Practice based on the IPPs, to enable a level of flexibility in their application to the private sector. This system of regulation in many ways reflects the privacy regimes adopted in both New Zealand and Hong Kong.

7.9 A majority of submissions expressed strong support for the adoption of a co-regulatory regime in extending privacy protection to the public sector. This is demonstrated at Chart 2, Page 155. In fact, the proposed regime was overwhelmingly endorsed (a breakdown of support by industry group is demonstrated in Charts 3-7, Pages 156-158). The acceptance by the Lend Lease Corporation of the co-regulatory approach is indicative of the responses made by the preponderance of submissions:

Lend Lease supports the extension of privacy regulation to the private sector and welcomes the proposal that this occurs on a co-regulatory basis after a lengthy implementation period. [7]

7.10 Price Waterhouse also supported a co-regulatory regime. Their submission stated:

We agree that a co-regulatory approach, utilising Information Privacy Principles and the Codes of Practice is a suitable method to adopt. Self regulation methods are not enough to ensure compliance with the Act. [8]

7.11 The New South Wales Privacy Committee is also committed to a co-regulatory approach to privacy in the private sector. The Committee notes that the traditional distinction between the public and private sector is becoming increasingly artificial. This is in part due to the trend toward privatisation, the contracting out of government services, and the increasing data links between the two sectors. The Privacy Committee believes that the blurring of these boundaries make it necessary to introduce more general coverage, regardless of the sector:

The Committee is aware of the needs of various industries to develop industry specific guidelines for privacy protection. With this in mind the co-regulatory approach suggested in the discussion paper is the Committee's preferred option. This approach gives flexibility while retaining a safety net of minimum privacy standards. [9]

7.12 While the majority of submissions clearly endorse a co-regulatory regime, there is a note of caution espoused by some organisations such as the ANZ, which states:

ANZ cautiously supports a co-regulatory approach to privacy protection in the private sector, but has reservations about the uncertainty the proposed regime may cause for business. The proposed privacy legislation is likely to mean significant system changes for most industries and certainly for the financial services industry. The cost and advance planning necessary to efficiently achieve appropriate system changes mean that a long period of uncertainty with respect to the regulation (ie. long development period for a Code of Practice) would be extremely undesirable. [10]

7.13 Of the 108 submissions reviewed, only 6 submissions were completely opposed to the introduction of a co-regulatory regime. Of these, only 2 submissions clearly espoused the use of a self-regulatory regime while the remaining 4 submissions suggested that self-regulation or no regulation would be preferable. The Department of Industry, Science and Tourism, for example, advocated a self-regulatory approach:

There is insufficient justification given in the discussion paper for abandoning self- regulation in favour of co-regulation. The Department suggests that, in the first instance, the onus should be placed on industry to self regulate by implementing codes of conduct which comply with the information privacy principles (IPPs). It is only if the industry does not utilise this opportunity and regulate itself to solve the problem, that co-regulation should be considered. [11]

7.14 The Australian Chamber of Commerce and Industry, quoting from a media release by the then Federal Minister for Small Business and Consumer Affairs, Mr Geoff Prosser, said:

Self-regulation is an important means of easing the compliance burden on business without weakening consumer protection. [12]

7.15 It must be stressed however, that only 2 of 108 submissions advocated a self-regulatory system, while 102 submissions supported or strongly supported the introduction of a co-regulatory regime of privacy protection.

Information Privacy Principles

7.16 The discussion paper proposed the use of Information Privacy Principles (IPPs) as the most effective way of extending privacy protection to the private sector. The IPPs, set out in section 14 of the Privacy Act 1988, embody most of the “internationally recognised tenets of privacy protection”. [13] These IPPs were formulated from draft principles summarised in the 1983 Australian Law Reform Commission Report on Privacy (Report No. 22), which formed the basis for the Privacy Act 1988. [14]

IPPs: Appropriate for the private sector?

7.17 The original IPPs were drafted for use by both the Commonwealth public sector and the private sector in the Australian Capital Territory (ACT). [15] The ACT, however, assumed self-government in 1988 and consequently the Act was not applied to the ACT private sector. Although the IPPs were originally drafted to apply equally to both the public and private sectors, many submissions expressed the need for the IPPs to be reviewed and possibly modified before being adopted by the private sector. The Commonwealth Bank stated that:

… the proposed IPPs should be modified with a view to establishing a broadly based, workable set of principles, capable of application across both the public and private sectors. [16]

Effect of the IPPs

7.18 The nature and scope of the IPPs were extensively reviewed by many of the submissions received. Copious submissions made specific reference to how each of the IPPs would impact directly upon their businesses. In many cases the submissions supported the adoption of a broad set of principles. The Australian Bankers' Association (ABA) stated that:

… a workable set of information privacy principles is achievable and capable of covering both the public and private sectors. And that privacy issues in the private sector are best handled through workable legislation itself rather than through negotiated Codes of Practice. In order to accommodate both public and private sectors [the] ABA submits that information privacy principles should be drafted more generally than is presently the case in the Privacy Act 1988. The ABA has made some detailed amendments to the proposed IPPs which it suggests would largely serve this purpose. [17]

7.19 Similarly, the Australian Privacy Charter Council (APCC) supported the concept of IPPs, but noted that experience with IPPs had shown that some changes were required. The APCC acknowledged that the IPPs in the Privacy Act 1988 did not translate directly to the private sector, noting that:

Even with a code mechanism, a number of amendments are necessary to suit them to the more flexible requirements of GBEs and private sector organisations.

There is a need to amend the current IPPs to deal with emerging technologies (eg. multi-media) changes in usage (eg. for surveillance) and developments in applications and techniques (eg. use of mass screening of digitised personal data). [18]

7.20 The APCC went on to state that if the IPPs were not altered prior to being extended to the private sector, then they should be reviewed within 3 years. The IPPs could then be evaluated in terms of their ability to deal with technological change, to report on changes required as a result of extending their application, and to report on the need for additional principles to cover, for example, issues of surveillance and other forms of intrusion into privacy.

7.21 Telstra Corporation also advocated the use of broadly based IPPs in order to obviate the need for detailed Codes of Practice. The Telstra submission stated that:

It would be preferable to develop IPPs that could readily be adopted by the greater part of the private sector rather than seek to modify the existing IPPs through the development of Codes of Practice. [19]

7.22 Telstra was also concerned that the IPPs were structured and had been drafted in language that was oriented towards government departments or organisations that:

• are responsible for the administration of statutory functions;
• are in a non-commercial, non-competitive environment; and
• use information for limited purposes.

7.23 Government Business Enterprises and private sector organisations, in contrast, were frequently:

• service oriented;
• in a competitive environment; and
• using information to enhance their provision of services and profitability.

7.24 Consequently, Telstra, along with a number of other submissions, expressed concern that the existing IPPs did not readily translate into a commercial environment. Telstra recommended that consideration be given to redrafting the IPPs prior to their application to the private sector:

It is suggested that the Department consult with a broad section of community and industry groups to ensure that the IPPs are relevant to the private sector and reflect current Australian community attitudes and values. [20]

Limited need for change of IPPs

7.25 Conversely, Mr Kevin O'Connor, the Privacy Commissioner at the time the discussion paper was released, suggested that the existing IPPs in the Privacy Act could be effectively applied to the private sector with little amendment. He stated that:

I do not support two sets of privacy principles, one for the private sector and one for the public sector. There is an increasingly strong case for a universal approach because:

• the extensive interface between the private and public sectors argues strongly for consistency in the privacy protection's applying to them;
• as a matter of fairness, individual Australians should be able to expect the same level of privacy protection whichever organisation they are dealing with; and
• the boundary between the private and public sectors shifts over time. [21]

7.26 The Commissioner conceded, however, that there might be some areas where the IPPs may apply to the private and public sectors differently. In such circumstances, `some measures may need to be taken to clarify the application of the principles, either by way of legislative amendment or by administrative interpretation'. [22]

7.27 In general, use of the proposed IPPs was embraced. There was, however, considerable support for further discussion in relation to the IPPs, including clarification of the meaning and definition of some of the phrases and words used in constructing the IPPs.

Codes of practice

7.28 As part of the Government's commitment to developing a co-regulatory approach to privacy protection in the private sector, the discussion paper advocated the formation of Codes of Practice. Codes are intended to supplement the broad nature of IPPs, by providing a greater degree of flexibility to “specified information, activities, organisations, industries or professions.” [23] Where a Code is not established the IPPs automatically apply. This approach provides a general framework, based on the IPPs, for use by the private sector, while at the same time incorporating a degree of flexibility into the process through the use of Codes.

7.29 Any business or profession may develop a Code of Practice. The Code must then be submitted to the Privacy Commissioner for approval. If the Code is deemed to be acceptable then the Commissioner may issue it. The Privacy Commissioner may also create and issue a Code, based on his or her own initiative or on the application of any other person. The ability of `any person' to make an application to the Privacy Commissioner for the introduction of a Code is, however, of considerable concern to many of the organisations who made submissions. This is discussed further under `Powers of the Privacy Commissioner' at paragraph 7.60. [24]

Acceptance of codes of practice

7.30 In general, a majority of submissions favoured the concept of a Code of Practice. The then Privacy Commissioner, Mr Kevin O'Connor, stated in a submission by Human Rights Australia that:

Codes appear to provide flexible, but accountable means of filling the gap between the general statements of principle in the IPPs and the nuts and bolts of day to day decision making in particular organisations. [25]

7.31 The South Australian Minister for State Government Services, Mr Wayne Matthew, also stated that the development of Codes of Practice would be beneficial:

The promotion of codes of practice is to be fully supported. Such codes are a means of permitting some form of voluntary regulation within the confines of broader legislative provisions. They enable sensitivity of particular information to be addressed. The New Zealand health sector has developed an extensive code on personal health information. [26]

Concerns about codes of practice

7.32 A number of concerns were raised by the submissions however, in relation to the use of Codes of Practice.

Limited strength of code of practice

7.33 One concern was that a number of industry groups may formulate their own Codes of Practice in order to minimise the impact of broad IPPs on their business practices. Professor Greg Tucker of Monash University expressed concern that Codes of Practice may be used to dilute the protection provided by the IPPs. He states that:

In relation to the Codes of Practice, it is of concern that codes would be able to establish a standard which is lower than the information privacy principles. This decision rests with the Privacy Commissioner. If this approach is taken it would be appropriate to build in a directed discretion to provide guidance to the Privacy Commissioner in reaching this decision. For example, it could require the Privacy Commissioner to weigh-up the likely public benefit as against the likely adverse impact on privacy of a particular modification of a principle. It is unclear how frequently the codes would be used as some IPPs currently provide exceptions within them. Thus far the New Zealand experience has been that codes are a rarity. [27]

Caution should be exercised where a code of practice exists. Should the code create a lesser standard than that set out in the IPPs then some danger exists that the code may fall below the standard of adequacy set out in the European Union directive. Thus the code may be acceptable in Australia, but not in Europe. [28] [emphasis in original]

7.34 Mr Charles Raab of the University of Edinburgh also expounded his concern that standards prescribed by a Code of Practice, may be less exacting than those of the IPPs:

Regarding the Codes of Practice: it would be a matter of concern if the standards prescribed by a Code were less stringent than the IPPs, and obviously the Commissioner would require such relaxation to be fully justified as well as reviewed in the light of experience. In giving public notice of a proposal to issue a Code, the Commissioner's statement should explain any difference in stringency between the Code and IPPs. [29]

Cost of developing codes

7.35 Another concern raised by the submissions relates to the time consuming and potentially expensive nature of developing separate Codes of Practice. The ABA expressed its reservations by stating that:

The ABA views a proliferation of industry codes of practice, particularly where there is increased blurring of boundaries between financial institutions and of the financial and products and services which they offer, as potentially cumbersome, inefficient, costly and confusing.

It is the ABA's strongly held view that by paying attention to the workability of private sector information privacy principles the need for private sector codes should in most cases be obviated. An organisation which has developed at its own cost systems, practices, procedures and documentation and trained its own staff to comply with the information privacy principles needs to be confident that its compliance regime will have some permanency. Mid to long term business decisions will depend upon this. [30]

Possible inconsistencies

7.36 Furthermore, there was a degree of apprehension, even among those who supported a co-regulatory regime, that the use of Codes of Practice may in fact result in inconsistencies and confusion. Telstra Corporation noted that:

… there is a danger that the proliferation of differing codes could result in inconsistencies in the handling of personal information and defeat the principle advantage of a uniform privacy code. Companies which operate in two or more industries (eg. media and telecommunications) should not be subject to multiple codes. [31]

7.37 The Australian Retailers Association espoused similar concerns, stating:

The Attorney-General's guidelines talk at length about the need for Codes of Practice. They can be effective in translating the general principles that are envisaged into more specific guidelines in certain industry sectors. However, there is also a risk that given the broad level of activities potentially covered by the legislation, there could be a plethora of Codes of Practice making the cost of compliance by retailers, large and small, substantial. The costs of policing such codes could also be significant. We therefore reiterate our view that some thought should be given to being more specific about the types of personal information that ought to be regulated. [32]

Extent of need for codes

7.38 These concerns, however, overlook the fact that by far the greater number of businesses within the private sector, especially small to medium sized organisations, will rely solely on the IPPs, without the need to develop a Code of Practice. The New Zealand experience aptly demonstrates the benefits of specific Codes of Practice for certain industries, and yet overall there have been relatively few Codes established. This was the opinion expressed by the then Privacy Commissioner, Kevin O'Connor, in a submission by Human Rights Australia when he stated:

I note that the New Zealand experience suggests that it will be necessary for the Privacy Commissioner to issue only a few Codes of Practice. Contrary to expectations when the NZ Act was introduced it has not been necessary for each industry sector or each type of information handling activity to develop a code. The NZ Commissioner has issued only three codes – on the handling of health information, on the use of employee identifiers by superannuation funds and on the conduct of the government computer centre at Wanganui. The Commissioner is considering proposals for Codes of Practice for the police, credit reporting and telecommunications. [33]

Process of consultation

7.39 Many of the concerns raised by the submissions arise from a perception that industry will have limited input into the development of any Codes of Practice. Such an assessment appears contrary to the views of the Privacy Commissioner who has publicly espoused a system of cooperation in the development of Codes. The discussion paper stated that the following provisions must be adhered to prior to a Code of Practice being issued:

• public notice would be given of a proposal to issue a Code of Practice, stating where a copy of the draft proposed Code could be obtained and inviting written submissions within a specified period;
• everything reasonably possible would have to be done to advise all persons who would be affected by the proposed Code of the proposed terms of the Code and the reasons for it, and such persons would have to be given a reasonable opportunity to consider the proposed Code and to make submissions on it;
• having considered any submissions received, the Privacy Commissioner would then determine whether a Code should be issued and if the Privacy Commissioner decided to issue a Code, he or she would do so formally;
• public notice would be provided of the issue of the Code, including advice of where copies could be inspected or obtained;
• a Code of Practice would come into force 28 days after the date of public notification or on such later day specified in the Code. [34]

7.40 The Commissioner was aware that it would be necessary to consider a number of difficult issues if a system of binding Codes is to prove effective in practice. Consultation with organisations in particular sectors must be sufficiently wide ranging to ensure the process of Code development is not captured by one particular group to the detriment of less vocal or well organised groups and it is imperative that sufficient care be taken to prevent privacy codes being used to inhibit competition. The Privacy Commissioner appears to concur by stating:

… efforts will need to be made to ensure that the issue of a code of practice does not unduly advantage one `industry' at the expense of another. For example, banks often argue that they compete with non-bank financial institutions as well as each other and that the level of regulation to which they are subject puts them at a competitive disadvantage vis-a vis their non-bank competitors. To some extent it may be possible to address this by careful attention to the definition of `industry' used in the code in question. [35]

7.41 Finally, in order to control the potentially powerful status of Codes, Codes of Practice would be disallowable instruments for the purposes of section 46A of the Acts Interpretation Act 1901. This means that Codes would be tabled before both Houses of Parliament and could be disallowed by either one.

Uniform privacy regime

7.42 The vast majority of submissions stated that the overriding consideration in extending privacy protection to Australia's private sector was the need for a single, nationally effective and uniform regime under a single regulator. The New South Wales Privacy Committee stated that:

… [it] is strongly in favour of national privacy legislation, that gives consistency both between the public and private sectors and across the various states. Only a comprehensive regime such as this can adequately deliver the degree of privacy protection that people have a right to expect in a sophisticated modern society. Therefore, the Committee would like to express its support for the proposal to extend coverage of the Privacy Act to the private sector. [36]

7.43 The Australian Law Reform Commission noted that in its experience (in other areas where proposals for uniform laws had been raised), it was often difficult to achieve consensus, due to the perception by States and Territories that they were “trading away a degree of their sovereignty in agreeing to national legislation.” [37] However, a number of submissions, like that of the Credit Reference Association of Australia (CRAA), suggested that national legislation was imperative as:

There is a very real danger that individual State Governments will unilaterally introduce privacy legislation in addition to the current Commonwealth Privacy Act. CRAA believes it is essential that the Commonwealth and State Governments reach firm agreement on uniform privacy legislation as a priority. The overriding legislation should be the Commonwealth's, with State legislation playing a complementary role, as required. [38]

7.44 The Insurance Council of Australia and the National Insurance Brokers Association reiterated this view in a joint submission, which stated:

Above all, the insurance industry is concerned that Australia's privacy regime should follow a consistent national approach, free of State and Territory variants which have confused much of our legislation in the past. [39]

Implementation timeframe

7.45 A majority of submissions expressed overwhelming support for a lengthy phasing-in period in the implementation of a co-regulatory privacy regime.

7.46 A broad array of submissions asseverated support for the privacy model adopted by New Zealand, that provided for a three-year phase-in period. The Insurance Council of Australia's submission expounds the majority view by stating:

We believe that it is important that our industry be given a realistic period in which to adapt to the style and requirements of the IPPs. Our industry is one of the largest users and processors of personal information. Realistically, we will need time to examine systems, documentation, administrative procedures and staff training programs against the standards required by IPPs.

Unquestionably, the three-year phasing-in period which was such a key feature of the New Zealand legislation was of paramount assistance to the insurance industry in coming to terms with the regime. Importantly, it allowed examination of the issues to take place within the time scale of normal responsible and realistic cyclical planning periods; rather than towards some arbitrary date, without regard for the commercial and financial consequences.

This phasing-in period was of immeasurable value in minimising the initial compliance costs to the industry and the community. Our industry believes that a realistic phasing-in period must be a prime consideration by Government, in any implementation of a privacy regime in the private sector. [40]

7.47 Another reason proffered for instituting a lengthy phase-in period was that it would ensure sufficient time for the private sector to become acquainted with and to institute changes necessary to comply with, the requirements of the new regime; particularly among small and medium sized organisations. The ADMA strongly recommends:

… that the Australian legislation allows for a three year phase-in period as was the case in New Zealand. Contrary to the belief of the Attorney-General's department, the level of awareness about the discussion paper is low, particularly among small and medium businesses. [41]

7.48 The Privacy Commissioner also pronounced support for a phasing-in period by stating that:

… in relation to IPPs 1 to 3 and 8-11, the discussion paper proposes that there be a phase-in period during which a complainant would not be able to take an unresolved complaint to the Federal Court unless a code of practice was already in place. I broadly support this staged proposal. Such a period should give organisations a chance to review their personal information handling practices before they face the prospect of financial loss arising from breaches of IPPs. As well, it will allow the Privacy Commissioner and his or her office to develop administrative expertise in relation to new sectors as early as possible. [42]

I consider that a one year phase-in after assent would give sufficient time for organisations intent on complying with the law to review their handling of personal information while not unduly delaying the introduction of enforceable remedies for individuals whose personal information has been mishandled. If the likely date of commencement of an extended Act were announced as the time of introduction of the bill, a year or more would effectively be added to the one year to which I have referred. [43]

Retrospectivity

7.49 With the exception of all but a few submissions, there was express support for privacy legislation to be prospective. The Lend Lease Group summarised succinctly the view espoused by most submissions, stating:

We are fundamentally opposed to the proposal that the Act apply to information collected before the commencement of the proposed amendments as this would give the Act retrospective effect. [44]

7.50 The main reasons given for embracing a prospective privacy regime were the copious time and considerable costs associated with complying with a retrospective regime. Some large organisations indicated that their complex data collection and storage systems would require considerable modification in order to collect and store data in a format appropriate to any new privacy regime. Consequently, most organisations support a lengthy lead-time in order to implement the changes necessary to accommodate any new regime.

7.51 Furthermore, there are difficulties in allowing people access to records which, prior to any extension of privacy legislation, they had no legal right to view. The Consumers Health Forum of Australia states:

… the CHF understands the concerns that the medical profession may have regarding any retrospective application of the right of access to records. We believe that if change is to be achieved in this area, it must be achieved prospectively, such that practitioners have the chance to adapt their note taking and record keeping practices to accommodate appropriate consumer access and information exchange. [45]

7.52 Similarly, in a joint submission by the Insurance Council of Australia and the National Insurance Brokers Association of Australia, the Council stated:

As with most organisations, the Insurance Council holds the view that the enforcement provisions should not apply to insurance contracts entered into before any agreed privacy regime comes into force. [46]

Transborder data flow and international privacy standards

7.53 Given the globalisation of many large organisations, it is not surprising that a number of submissions canvassed the issue of transborder data flows. The majority of submissions were primarily concerned with adopting a privacy regime that met international standards and thus ensured that Australia was not financially disadvantaged through having inadequate privacy regulation. The Law Council of Australia stated:

The Law Council of Australia is concerned to ensure that Australia complies with its international obligations and remains mindful of international developments in the area of privacy. These considerations justify the extension of privacy legislation to the private sector. [47]

7.54 The New South Wales Privacy Committee also added their support to extending privacy protection to transborder data flows by stating:

The Committee supports the introduction of privacy controls on transborder data flows. It is important to recognise the increasing internationalisation of data and such legislation would help to promote a consistent regime of privacy controls throughout the world. [48]

7.55 The Attorney-General's discussion paper proposed that where information was transferred from Australia to another Australian resident individual or organisation in a country with an inadequate level of privacy protection, then that individual or organisation would be bound by Australia's privacy regime. However, where the information was transferred out of Australia to a non-resident in a country with insufficient privacy protection, then the individual Australian or organisation that transferred the information would be liable for any breach of the IPPs.

7.56 The Government stated that countries considered to have laws commensurate with Australia's privacy regime would be specified by regulation. This proposal was supported by the Australian Bankers' Association:

[The] ABA submits that Australian organisations should not be liable for information it transfers to non-resident third parties for any breach of the Australian privacy principles. An Australian organisation has no power to police the processing of data in another country. This is more so where the customer has authorised the transfer. It would be of assistance for the Commonwealth Government to specify by regulation countries which are recognised as having adequate levels of privacy protection. [49]

7.57 The Superannuation Complaints Tribunal goes further, by stating that the Commonwealth government should prevent Australian individuals and organisations from transferring information from Australia to countries where there are insufficient privacy regulations:

The Tribunal is concerned with problems of extra-jurisdictional enforceability outside Australia where information is transferred to another country with an inadequate level of privacy protection. It is suggested that the course taken by the European Union in its Directive preventing the transfer of data to such countries is more appropriate. [50]

7.58 The Australian Law Reform Commission provided by far the most comprehensive discourse on transborder data flows. The Commission developed this point:

There are international imperatives for the introduction of comprehensive privacy protection. Australia is a party to the International Covenant on Civil and Political Rights (ICCPR) as well as being a member of the Organisation for Economic Cooperation and Development (OECD). Article 17 of the ICCPR prohibits the arbitrary or unlawful interference with a person's privacy. In 1980, the OECD issued guidelines on the protection of privacy of personal data, whether in the public or private sectors.

More recently, the European Union issued a Directive which applies to both the public and private sectors. This Directive imposes a uniform minimum standard of privacy protection in the European Union and directs member countries to amend their laws to comply with the Directive. Article 25 of the Directive prohibits the transfer of personal data from the European Union to countries that do not have data protection laws that comply with these minimum standards. The Directive is due to come into effect from October 1998. At present Australia does not meet the minimum standards.

Developments in the information superhighway and international standards should not only provide a strong rationale for the introduction of privacy protection, they also provide strong justification for any such legislation to be uniform and nationally based. [51]

Powers of the Privacy Commissioner

7.59 The proposed functions of the Privacy Commissioner, as stated by the discussion paper, are as follows:

• to promote an understanding and acceptance of the IPPs and of the objects of those Principles;
• to issue Codes of Practice modifying or elaborating upon the IPPs;
• to prepare, and to publish in such manner as the Commissioner considered appropriate, Guidelines for the avoidance of acts or practices of an individual or organisation, that while not involving a breach of the IPPs or any Codes of Practice, would have adverse effects on the privacy of individuals;
• to investigate an act or practice of an individual or organisation that could breach an IPP or a Code of Practice and, where the Commissioner considered it appropriate to do so, to endeavour to effect a settlement of the matters that gave rise to the investigation;
• to investigate an act or practice of any individual or organisation that, while not involving a breach of an IPP or a Code of Practice, could have an adverse effect on the privacy of an individual and, where the Commissioner considered it appropriate to do so, to endeavour to effect a settlement of the matters that gave rise to the investigation;
• to conduct audits for the purpose of ascertaining compliance with the IPPs or any relevant Code of Practice;
• to monitor and report on the adequacy of equipment and user safeguards;
• to maintain, and to publish annually, a record (to be known as the Personal Information Digest) of the matters set out in records maintained by individuals or organisations in accordance with clause 3 of IPP 5;
• to examine a proposal for data-matching or data-linkage that could involve an interference with the privacy of individuals or which could otherwise have any adverse effects on the privacy of individuals;
• to undertake research into, and to monitor developments in, data processing and computer technology (including data-matching and data-linkage) to ensure that any adverse effects of such developments on the privacy of individuals are minimised, and to report to the Minister the results of such research and monitoring;
• to make reports and recommendations to the Minister in relation to any matter that concerned the need for or the desirability of legislative or administrative action in the interests of the privacy of individuals;
• for the purpose of promoting the protection of individual privacy, to undertake educational programs;
• to make public statements in relation to any matter affecting the privacy of individuals or of any class of individuals;
• to receive and invite representations from members of the public on any matter affecting the privacy of individuals;
• to consult and cooperate with other persons and bodies concerned with the privacy of individuals;
• to provide advice (with or without a request) to an individual or organisation on any matter relevant to their obligations under this Act;
• to make suggestions to any person in relation to any matter that concerned the need for, or the desirability of, action by that person in the interests of the privacy of individuals;
• to gather such information as in the Commissioner's opinion will assist the Commissioner in carrying out the Commissioner's functions under this Act.

7.60 These functions bestow considerable power on the Privacy Commissioner, and a high proportion of submissions made reference to this. The views expressed in the submissions ranged from those who felt the powers were appropriate and necessary, through to those who considered that such power was excessive and unfettered. The Optus submission was indicative of many of the submissions received:

Optus strongly endorses the Government's commitment to a co-regulatory approach in extending privacy protection to the private sector, but is concerned that the co-regulatory mechanism proposed gives too much weight to the role of the Privacy Commissioner and too little weight to the role of industry participants and industry self-regulatory bodies. [52]

7.61 One of the primary concerns raised by the submissions was the extent to which the Privacy Commissioner could issue, amend or revoke a Code of Practice. International Masters Publishers states:

Of particular concern is the fact that the Privacy Commissioner can issue a new Code or amend or revoke an existing Code without any public notice or public consultation. This can be done if the Commissioner considers that the issue, amendment or revocation is urgent. Codes issued under this process will remain in force for up to a year and during that time the Privacy Commissioner may, but is not obliged to, consult with interest groups. The fact that there is no appeal process available to force the Privacy Commissioner to revoke Codes issued in a perceived case of urgency within less than one year is also of concern. [53]

7.62 This opinion was further supported by the ANZ submission:

The Privacy Commissioner's power to urgently issue a code is unacceptable in that it effectively puts the power of legislation into one person's hands. [54]

Alternatives to further powers for the Privacy Commissioner

7.63 In response to these concerns, a number of submissions recommended instituting a board of directors as an alternative to conferring extensive powers upon the Privacy Commissioner. The intention was to form a broadly representative body comprising consumers, community groups and industry representatives. Some submissions, such as the one submitted by the Australian Privacy Charter Council, recommended the use of independent experts:

While the APCC supports the role of the Privacy Commissioner, it recommends a panel of independent experts assist the Commissioner. The APCC believes this is necessary as some technical practices require enormous knowledge and experience to understand the transactions associated with technologies and techniques and their implications and risks for privacy. [55]

7.64 Lend Lease agreed, stating:

Lend Lease is concerned as to the breadth of the powers to be granted to the Commissioner. We believe that the exercise of the powers granted under the Act should be supervised by a board comprised of representatives of all those interested in the operation of the Act. [56]

7.65 Another issue of concern was the scope accorded the Commissioner to investigate an act or practice of any individual or organisation that, while not involving a breach of an IPP or a Code of Practice, could have an adverse effect on the privacy of an individual. The ANZ stated emphatically that the Privacy Commissioner should not have the power to issue guidelines on, or investigate matters extraneous to, the IPPs or any Code of Practice. Telstra concurred and recommended:

… that the power of the Privacy Commissioner to investigate should be restricted to specific complaints of alleged breaches of the IPPs or Codes of Practice or the handling of a request for access to personal information.

The regime should encourage the referral of privacy complaints, in the first instance, to industry alternative dispute resolution schemes, where these are in place. If the industry scheme is unable to resolve the complaint, the matter could then be referred to the Privacy Commissioner. From a consumer's perspective this would act to preserve the benefits of current `one stop shop' dispute resolution schemes as well as allowing an opportunity for the complaint to be resolved within the industry and for industry specific solutions to be developed. Any such arrangements should be subject to the approval of the Privacy Commissioner.

The Privacy Commissioner is also able to amend and revoke all or part of a Code of Practice. Furthermore, if the Privacy Commissioner believes that a Code of Practice needs to be issued, amended or revoked urgently, then the Commissioner could do so without complying notifying the public or taking written submissions. Such action would only be permitted on a temporary basis and could not remain in force for longer than 12 months. [57]

Privacy officers

7.66 The discussion paper stated that “organisations would be responsible for ensuring that there was, within the organisation, at least one person appointed as their privacy officer”. [58] A number of submissions were concerned that the appointment of a privacy officer would add considerably to an organisation's costs. The Privacy Commissioner dispelled this view, by stating:

The proposal in the discussion paper to require organisations to nominate a privacy officer is, I think, a sensible one. Such a person would be able to act as a point of contact for the office of the Privacy Commissioner and for complaints in the first instance. Except perhaps in the very largest organisations, it would not be necessary to make this a full-time job and in most organisations the role could be attached to the person responsible for other issues of compliance with the law. It is important that the `privacy officer' should have sufficient standing in his or her organisation to influence its policies and practices. [59]

Costs

7.67 The cost of complying with extended privacy protection was one of the most important issues to arise out of the submissions. The Commonwealth Bank noted that “a fundamental principle of public policy is that the benefits provided by regulatory legislation should outweigh the cost of compliance”. [60] The issue of cost is fundamental as it has the capacity to negate the benefit of privacy protection if charges' for accessing and correcting information are prohibitively expensive. The discussion paper stated that any fee charged must be reasonable and linked to the reasonable cost to the individual or organisation of complying with the request. Furthermore, fees would not be charged for:

• the making of a request to the individual or organisation; or
• the processing of a request, including deciding whether or not the request was to be granted, and if so, in what manner. [61]

7.68 The Australian Law Reform Commission made the point that the cost of compliance will increase unless there is a single, national regulatory regime:

Within Australia, care must be taken to avoid the costs and inconveniences arising through the development of incompatible privacy protection regimes amongst States, Territories and the Commonwealth. A company that operates nationally should not be encumbered with having to satisfy different standards of privacy protection in each State or Territory. [62]

Data on Costs

7.69 Another problem surrounding the issue of costs associated with a co-regulatory regime, is the lack of empirical data available for analysis. Notably, the Office of Regulation Review in a submission to the Attorney-General's department submitted that:

… [the] proposal to extend the application of Information Protection Principles to the private sector is likely to require a submission to Cabinet. As the proposal will impact upon business, the Cabinet Handbook requires that a Regulation Impact Statement (RIS) also be prepared.

The RIS approach includes assessing the cost and benefits of amending the Privacy Act as well as examining the efficacy of alternative regulatory and non-regulatory methods of achieving the desired privacy outcome. For example, the current proposal will impose costs upon businesses and consumers. Costs to business could include:

- An increase in the regulatory compliance burden on business; and

• A decrease in revenue from restrictions on business (ie. direct marketing activities, etc.)

The costs to consumers could include:

- Less information about products; and

- Less choice from fewer products being marketed.

These costs should be balanced against the benefits which enhanced privacy protection may provide to the community. [63]

7.70 Unfortunately, as the Prime Minister, Mr Howard, chose to discontinue his proposal to extend privacy legislation to the private sector on 21 March 1997, a Regulatory Impact Statement was never conducted. The Commonwealth Bank also supported the production of an RIS, stating:

The Bank recommends that a regulatory impact statement should be used to ensure that any extension of privacy legislation to the private sector achieves an appropriate balance between the need to protect the privacy of customers and the ability of organisations to offer beneficial services to them. [64]

Charges as a disincentive

7.71 Mr Rick Snell, in a submission to the inquiry, expressed concern that even reasonable charges might prevent some people from gaining access to their information:

As with Freedom of Information laws, the charging regime has the potential to significantly restrict use of and access to personal information regime. The requirement that fees should be reasonable and linked to the reasonable cost of complying with the access request should assist in ensuring that the regime is not unnecessarily harsh. However, there needs to be attention given to the situation of people who may be unable to pay even reasonable fees and who will otherwise be excluded from the regime. The creation of a privacy regime that is inaccessible to the financially disadvantaged such as individuals on income support would be undesirable and discriminatory. The feasibility of government subsidising of such cases or other mechanisms for fee waiver or reduction should be considered.

7.72 This view was further supported by Professor John Goldring, who stated:

I also have some concern that private sector data holders may be able to discourage data subjects from seeking information or from seeking to correct it by the imposition of charges, but I appreciate that the type of fees you suggest in your report are those already applying to public sector bodies under the Freedom of Information Act. [65]

7.73 The Public Interest Advocacy Centre suggested that a maximum charge should be set to ensure that low-income consumers are not disadvantaged.

Acceptability of charges

7.74 The general consensus among the submissions was that the proposal for charging, as outlined in the discussion paper, was reasonable. The ANZ stated:

Assuming that pre-existing information will be exempt from legislation, and that sufficient time will be allowed to implement system changes necessary to efficiently respond to access and correction requests, the proposal for charging is acceptable. [66]

7.75 The Privacy Commissioner also supported the concept of charging under certain circumstances:

The discussion paper proposes that organisations would be able to charge fees for making available information pursuant to IPP 5, as well as for access and correction under IPPs 6 and 7. Charging has been a controversial topic over many years in the FOI area. Care needs to be taken to avoid developing a charging policy which effectively curtails the value of the right of access. Organisations and individuals should be encouraged to provide access and correction without charge but it should not be impossible to impose a charge which seeks to recover direct costs for more complex requests. [67]

Compliance and enforcement mechanisms

7.76 The discussion paper suggests that the process for the resolution of complaints should be as flexible and informal as possible, especially while the new system of privacy protection is in its early stages of implementation. The discussion paper also notes that an individual may make a complaint to the Privacy Commissioner about an act or practice that:

• might be an interference with privacy; or
• might otherwise adversely affect the privacy of the individual and is inconsistent with guidelines issued by the Privacy Commissioner. [68]

7.77 The Privacy Commissioner would then be required to investigate the complaint and determine whether or not the act or practice complained of was inconsistent with the guidelines. In response, the Commissioner could issue a formal assessment of compliance and recommend any appropriate remedy, however, any such recommendation by the Privacy Commissioner would not be legally binding. Nonetheless, in the opinion of the then Privacy Commissioner, Mr Kevin O'Connor, any recommendation would carry considerable weight and would be likely to lead to more settlements than if the Commissioner's role were limited to conciliation attempts.

7.78 In general, the submissions supported the use of internal complaints mechanisms for resolving disputes as an appropriate first step. Where such mechanisms failed, the Privacy Commissioner could then deal with the matter. The majority of submissions recommended that the Federal Court only be considered as a last resort option for individuals, once all other avenues had been exhausted.

7.79 Credit Union Services Corporation Australia was typical of many of the submissions in that it felt the Privacy Commissioner's examination of a complaint should begin only after the complaint had exhausted any internal mechanism available within an organisation, including established dispute resolution processes. And another contributor to the debate, Mr Damian Murphy, stated:

The proposal to allow the Privacy Commissioner to secure a settlement between the parties following an investigation, is supported. It is a form of alternative dispute resolution which, in the context of the nature of the complaints, is likely to be successful in a high proportion of cases. The problem is, as found by the High Court in Brandy's case, any settlement is unenforceable. [69]

7.80 There was, however, some divergence among the submissions as to what type of enforcement mechanisms were most appropriate in regulating privacy protection. A number of submissions provided detailed proposals outlining their preferred system of regulation. The Australian Direct Marketing Association provided a comprehensive proposal:

As with a number of submissions, the ADMA believes that the powers proposed for a privacy commissioner are far too extensive and recommends that the most appropriate regulatory structure be a National Privacy Authority (NPA) with a Board of Directors allowing for consultation and private sector expertise.

ADMA is suggesting a model along the lines of recently established regulatory bodies such as the National Registration Authority. The NRA has a seven member part-time Board and is administered by a CEO who is not a Board member. A larger board would also enable the establishment of a Private Sector Board sub-Committee to approve matters such as Codes of Practice to eliminate the necessity for formal gazettal. One of the advantages of the Codes is flexibility. This will be lost with a formal process involving the Governor-General in Council.

The NPA's focus and strategic direction would be determined by a Board of Directors provided for under the Privacy Act. The Board would comprise one part-time Chair and six part-time Directors who could be selected for their experience in privacy matters relating to health, financial services, marketing consumer affairs, State/Territory administration and the academic sector.

The regulatory framework should be capable of addressing current issues and concerns rather than trying to cope with problems which may or may not emerge in the future. At the same time, the framework should be flexible enough to cope with changing circumstances that are foreseeable.

ADMA's recommendations draw heavily on the New Zealand legislation which has the advantage of being through the process of adaptation to suit both the private and public sectors. [70]

7.81 The ANZ suggested that:

… a similar process to complaints dealt with by the Banking Ombudsman be adopted. The first reference should be back to the organisation, which then has 30 days in which to resolve the complaint. [71]

Limits to complaints

7.82 A further issue of concern regarding complaints was the power of the Privacy Commissioner to investigate an act or practice which did not involve a breach of an IPP or a Code of Practice, but that could have an adverse effect on the privacy of an individual. The ABA states:

The power to investigate should be confined to specific alleged breaches of privacy principles or codes of practice or to unreasonable impediments on or time taken to respond to requests for access to personal information. A general right to complain about an “interference with privacy” would be objectionable and the suggestion in the Discussion Paper to limit this expression to a breach of a privacy principle or code of practice would be helpful. [72]

Federal Court

7.83 The most significant issue in relation to the suggested complaints and enforcement mechanisms is the proposal to allow proceedings to commence in the Federal Court. The discussion paper notes that this action would only be taken where the Privacy Commissioner had been unable to secure a settlement, where he or she considered the matter raised public interest concerns or where the dispute was not suitable for settlement by the Commissioner.

7.84 The Law Council of Australia suggests a cautious approach stating:

There seems to be no reason why the existing procedure for complaints and enforcement could not be retained in the event that the Act were extended to cover the private sector. In broad terms, the Law Council of Australia endorses the outline contained in the Discussion Paper with one exception.

The Council is concerned about the suggestion that a complainant should be able to commence proceedings in the Federal Court to recover damages for an interference with privacy.

The concept of damages for “interferences with privacy” is unknown to Australian courts. There would be significant difficulties in quantifying such claims. The efficient introduction of the new regime could be undermined by spurious and speculative court actions in the early stages which might include claims of dubious merit. The Council would prefer to see any right of recovery of civil damages for interference with privacy deferred for at least 2 years to enable time for further debates as to the merits of the civil damages regime underpinning the Act. It must be emphasised that the legislation has to date proved effective in regulating public sector privacy practices in the absence of a civil damages remedy such as the discussion paper contemplates. [73]

7.85 Mr Damian Murphy states:

I note the proposal to allow individuals to commence proceedings in the Federal Court. The legislative provisions relating to this aspect should be considered carefully. It is likely that there will be a class of cases that involve public interest considerations such as large scale data matching or selling. It is in the public interest that those matters be resolved in a public forum. There may be other examples of egregious intrusions of privacy where only a single individual is involved that cannot be resolved by the Privacy Commissioner. Again it is desirable that those matters be dealt with in court.

However, where an individual is a complainant, consideration should be given to the relevant onus of proof provisions. It may be desirable to develop onus of proof provisions to lessen the burden on individuals to prove a breach of or an interference with the privacy of that individual. This is because it may be very expensive for an individual to prove an interference with privacy has occurred, as the acts constituting that interference with privacy will have been undertaken by a corporation. That corporation will be in the best position to know the extent to which it has interfered with an individual's or group's privacy.

Although there are obviously potential difficulties in giving access to the court for interferences with privacy, I am of the firm opinion that it should be attempted as a last resort option for individuals the subject of an interference with their privacy. It will also be important in cases where a group of individuals have been the subject of such an interference. [74]

7.86 While most submissions advocated a cautious approach to allowing proceeding to commence in the Federal Court, Associate Professor Graham Greenleaf states:

The ability of both individuals and the Privacy Commissioner to seek injunctions from the Federal Court under s.98 should be retained. Its terms are broad enough to apply to the private sector. In situations of urgency, where the normal complaint-handling procedures before the Commissioner are likely to take too long to provide an effective resolution of a claimed breach, access to the Court to seek an injunction should be available, as it is to protect almost all other legal rights. [75]

7.87 Finally, the Privacy Commissioner believes that recourse to the Federal Court is essential due to the fact that any determination made by him is not legally enforceable:

But the aim of the administration of the extended Act should be to resolve as many complaints as possible without the need for a hearing in the Federal Court. [76]

Plain English

7.88 The importance of the use of Plain English is a minor issue that was referred to in only a small proportion of submissions. However, given the importance of the IPPs and the general lack of understanding surrounding them, it may be an issue that warrants further consideration. Associate Professor Graham Greenleaf stated:

The IPPs are worded in an unnecessarily confusing way, which reduces the extent to which they are understood both by organisations that must comply with them, and individuals relying on them. They are also framed in public sector terms (eg. Agency), rather than using some more neutral terms such as `organisation'. It may be worth considering replacing them with a more `Plain English' and sector-neutral simplification (without attempting to amend them), preferably before the private sector has to cope with them. The Privacy Commissioner has published `Plain English Guidelines', and my own `IPPs in Plain English' are attached.

7.89 Telstra also made mention of the concept noting:

A principal function of any privacy regime has to be the education of both the people who give up their personal information and the people who collect that information and subsequently use and/or disclose it. This can most readily be achieved by expressing the Information Privacy Principles in plain English. It is perhaps indicative that shortly after the introduction of the current Act a number of plain English translations of the IPPs were circulated and one of the greatest difficulties that Telstra faced introducing its initial compliance program was to explain what the IPPs meant in practice. [77]

Exemptions

7.90 The issue of exemptions barely rated a mention in any of the 108 submissions available. The discussion paper stated that exemptions to the requirement in IPP 6 to give an individual access to his or her own personal information would be provided in recognition of other competing interests. Broadly, the exemptions would address the following matters:

• the information requested did not exist or could not be found;
• the information requested was not held by the individual or organisation to whom the request had been made;
• the safety of any individual;
• trade secrets and other commercial in confidence information;
• the privacy interests of other individuals;
• evaluative or opinion material;
• the physical or mental health of individuals;
• the safe custody or the rehabilitation of individuals;
• legal professional privilege;
• contempt of Court; and
• the resource costs to the individual or organisation of complying with the request. [78]

7.91 The then Privacy Commissioner, Mr Kevin O'Connor, expressed concern that evaluative material not be exempted:

I strongly support the institution of an access and correction regime along the lines of that outlined in the discussion paper. My reservations about the discussion paper model relate to the exemptions from the obligation to give people access to personal information about them.

All but one of the exemptions set out in the discussion paper has a counterpart in the Commonwealth Freedom of Information Act. The exemption that does not is that for `evaluative material' and it is this – judged unnecessary in the FOI context – about which I am most concerned.

Assuming that the meaning of `evaluative material' in the New Zealand Privacy Act is intended, this refers to evaluative or opinion material compiled solely for determining suitability for: employment; promotion; continuation in employment; termination of employment; the granting, continuation or termination of awards, scholarships etc; or the provision or continuation of insurance cover.

This is a broad class of material and in practice it will be exactly this sort of material that individuals will be most concerned to gain access to. I doubt that in most cases it would be justified for an organisation to withhold personal information from a person solely on the grounds that it evaluates that person in some way. There may be instances where giving access to the information could adversely affect the commercial position of the firm, the supplier of the information, or the progress of a decision making process that is still going on. In such circumstances it may be justified for access to be withheld, either temporarily or permanently. But in the main, I see no reason why people should not be able to access personal information used to make important decisions about them whether or not that information is `evaluative' in character.

In the NZ legislation on which the discussion paper is largely based, the exception for evaluative material applies only where making the material available would breach an express or implied promise made to the person who supplied the information that the information or the identity of the person who supplied it would be held in confidence. If an `evaluative material' exemption is incorporated, such a limitation is essential. Otherwise the value of access right will be negated in situations where it is most needed. [79]

Conclusion

7.92 On 21 March 1997, the Prime Minister, Mr Howard, issued a media release stating that his government had decided not to continue with its proposal to implement privacy legislation to the private sector, on the grounds of cost and administrative simplicity. A more detailed explanation was provided some months later when the Attorney-General, Mr Williams stated that:

There was particular concern expressed in submissions about how a legislative regime would impact upon small and medium enterprises. Some submissions argued strongly that there was no clear need for legislation in order to ensure privacy protection and that privacy concerns could be adequately addressed by business on a voluntary basis. [80]

7.93 Furthermore:

There is absolutely no evidence of the need for an extension of the Privacy Act to the Private sector at this time …

Responses to that discussion paper have provided the government with very clear guidance as to the genuine and real concerns of business and industry on the possible government approaches to privacy protection. Those responses clearly indicated that there is no need at this time for a legislative response to those privacy issues. [81]

7.94 The views as expressed by both the Prime Minister and the Attorney-General are almost opposite to those expressed in the submissions. The evidence is clear and unequivocal that the overwhelming majority of submissions supported the extension of a co-regulatory privacy regime to include the private sector. This is not to deny that both large and small organisations have genuine concerns regarding the implementation and impact of the proposed regime. However, less than 6 percent of submissions stated that they were opposed to the co-regulatory proposal, while 84 percent of submissions supported (or strongly supported) the measures as outlined in the Attorney-General's discussion paper. In fact, one of the issues on which there was almost unanimous consensus was the need for a single, nationally effective and uniform regime under a single regulator.

7.95 Where concerns were identified throughout the submissions, there was a tendency to stipulate what action the organisation felt needed to be taken in order to make the regime acceptable. There was a strong suggestion that further consultation between Government and organisations was necessary before producing a final set of IPPs. [82]

7.96 Furthermore, the Government decided not to continue with its proposal to implement privacy legislation to the private sector, on the grounds of cost and administrative simplicity. The Committee, however, is unaware of any evidence that quantifies the costs of extending privacy protection to the private sector.

7.97 The Joint Committee of Public Accounts and Audit report on internet commerce [83] referred briefly to the costs of privacy systems, including a legislative system. The data referred to in that report was based on the 1997 Price Waterhouse survey that found that a majority of respondents did not believe the costs would be excessive. [84]

7.98 A number of submissions in fact made the point that there was a dearth of empirical evidence available in relation to costs and suggested that a Regulatory Impact Statement (RIS) be carried out. A RIS could then assess the costs and benefits of amending the Privacy Act, as well as examine the efficacy of alternative regulatory and non-regulatory methods of achieving the desired privacy outcome. [85]

Benefits of the proposed co-regulatory scheme

7.99 It is the Committee's belief that the co-regulatory model contained in the Attorney-General's Department's discussion paper in virtually all respects meets the criteria required of a privacy system, as enumerated in Chapter 3. The universal application of privacy principles, as well as the expanded jurisdiction of the Privacy Commissioner offer certainty to individuals as well as a cost effective mechanism for enforcing their rights.

7.100 The scheme also establishes a clear priority for industry by establishing a national, consistent and simple system which contains a minimal regulatory burden [86] and maximises the flexibility of individual industry sectors to create codes of practice customised to their particular needs.

7.101 At the same time, enactment of the proposed system ensures Australia's compliance with our international responsibilities, and removes any difficulties Australian industry may have in trading with the European Union subject to the rules of the EU Data Protection Directive.

Flexibility

7.102 An issue that arises is whether a single uniform set of rules is practical, some criticising a “one size fits all approach” which the IPPs or NPPs would suggest. Can all these different sectors work under one set of principles? The Privacy Commissioner advised that:

We need consistency and flexibility. One national scheme while avoiding the criticism of a `one size fits all' approach. How do we achieve both things? NZ provides an interesting case study here. After the NZ principles were enacted, it was expected that a whole range of industry codes would also be an outcome. At this stage, there are only two sectoral codes (telecommunications and health) with most industries now finding that they can work comfortably within the existing principles and would find specific industry codes too restricting. [87]

Industry attitudes to regulation in 1998

7.103 In Chapter 3, this report discussed the perspectives and needs of industry, and concluded that the priorities must be to ensure a nationally consistent system and to minimise regulatory burdens and compliance costs (which is itself served by national consistency). Industry attitudes to regulation of privacy reflect this balance of interests.

7.104 On this point the Committee notes the evidence derived from several sources. A 1997 Price Waterhouse survey, for example, [88] revealed that 70% of companies surveyed supported the introduction of privacy legislation and only 20% opposed it. The submissions provided to the Attorney-General's Department's discussion paper (late 1996) reflect this strong support for a legislatively based model.

7.105 Another recent survey which covered sixty-five of Australia's largest companies found that 50% of companies supported the introduction of national privacy laws. [89] These results have been borne out by submissions to the Committee:

Protection of the privacy of individuals under the privacy regime established by the MRSA Code of Professional Behaviour generally corresponds to, or exceeds, the requirements of the existing Privacy Principles …

Therefore the market, social and survey research organisations support the introduction of appropriate privacy legislation. [90]

And

Should it be decided that some legislative approach be taken ARA would support the adoption of practical privacy principles developed with the private sector. To this end, ARA believes the National Principles for the fair handling of personal information, underpinned by a co-regulatory approach to be appropriate. [91]

7.106 Other groups recommending extension of the current legislation to the private sector included the Australian Credit Forum, [92] Law Council of Australia, [93] Law Institute of Victoria, [94] and American Express. [95]

7.107 The Committee is also mindful that any industry attitudes to legislation will depend on the nature of the particular legislation proposed. Some groups are not unreasonably opposed to highly prescriptive legislation – the “heavy handed” approach – but may be less resistant to a co-regulatory approach with a legislative underlay, especially where there are attendant advantages generated by national consistency and administrative simplicity:

ACCI has consistently opposed a detailed legislative scheme on all business, which pays no regard to whether or not their operations are privacy sensitive or not. [96]

7.108 Not all industry submissions agreed with this however. Pacific CDL, for example, argued strongly that:

The privacy of Australians is not threatened by the private sector. In fact, there is clearly a greater threat from the unregulated public sector …

Business is well down the track of self-regulation. It should be allowed to develop and implement a national scheme and then have sufficient opportunity to prove its effectiveness before any government resorts to the ultimate step – intervention in a free society. [97]

7.109 Notwithstanding these comments, the Committee concludes that the majority of industry supports legislation extending privacy protection to the private sector, as an efficient means of ensuring uniform national standards. This support is, however, subject to the caveat that any legislation should minimise regulatory compliance costs, and maximise the continued flexibility of privacy schemes to adjust to the different requirements of various submission stated:

We agree that a co-regulatory approach, utilising Information Privacy Principles and the Codes of Practice is a suitable method to adopt. Self regulation methods are not enough to ensure compliance with the Act. [98]

The appropriateness of the use of the National Principles for the fair handling of information as a basis for a co-regulatory regime

7.110 The Committee has heard considerable evidence suggesting that the National Principles are the most appropriate basis for a co-regulatory scheme:

The Privacy Commissioner's process is working well, it has produced the National Principles by consensus and on schedule. It would be a backward step for this Committee or any of the States to impede its progress. [99]

7.111 These sentiments are echoed by the Credit Union Services Corporation:

The [then] Privacy Commissioner, Moira Scollay, has listened closely to all sides of this debate, and has produced a workable set of principles. The public policy challenge that remains is how to implement and enforce these principles in a workable manner. [100]

7.112 The Privacy Commissioner herself states:

The National Principles were developed in an attempt to reach a compromise between businesses' need for reasonable latitude in the way they handle the personal information they hold and individual's need to be sure that their personal information will be handled responsibly. [101]

And

The National Principles are the result of an extensive consultation process and as such the working reflects trade-offs made as they were developed. The principles were designed so that they could readily be given statutory effect if any Australian legislature decides to pursue this route …

But in terms of content, the National Principles appear to be a workable and appropriate set of principles for the protection of information privacy in the private sector. [102]

7.113 The Committee also notes that the NPPs include several principles additional to the original Information Privacy Principles contained in the Privacy Act, and serve to modernise their content. These are:

• Principle 7, which deals with the use of government assigned identifiers;
• Principle 8, which encourages organisations to deal anonymously with people when they reasonably can;
• Principle 9, which sets out conditions for the transfer of personal information outside Australia; and
• Principle 10, which deals with the handling of sensitive information about health, political affiliation, race, sex life and religion. [103]

7.114 The Committee believes that the National Privacy Principles have some value in that they reflect some of the concerns of the business community. However, the Committee also notes the objections raised to various aspects of the National Principles, and has recommended above that they should not be adopted without modification.

7.115 The Committee also considers that the principle of consistency of regulatory structure should include consistency between the private and public sectors. In an environment of widespread contracting out of government services, it would be inappropriate and cumbersome to have inconsistent requirements between these two sectors.

7.116 For this reason, the Committee recommends that the creation of a co-regulatory model incorporate a comprehensive review of the Privacy Act, creating a single universally applicable source of law.

Chart 1 [104] - Number of submissions by industry

Chart 2 – Overall response to a co-regulatory regime

Chart 3 – Responses to a co-regulatory regime (industry/business sector)

Chart 4 – Responses to a co-regulatory regime (government departments/statutory authorities)

Chart 5 – Responses to a co-regulatory regime (industry associations/councils

Chart 6 – Responses to a co-regulatory regime (direct marketing industry)

Chart 7 – Responses to a co-regulatory regime (health industry)

Footnotes

[1] Regulatory Impact Statement to the Privacy Amendment Bill 1998, p. 10.

[2] Privacy Commissioner – Information Privacy in Australia: A National Scheme for Fair Information Practices in the Private Sector, August 1997, p. i.

[3] Privacy Protection in Australia, Background information from the Federal Privacy Commissioner, April 1997, p. 1.

[4] Attorney-General's Department, Privacy Protection in the Private Sector, Canberra, September, 1996.

[5] In total there were 116 submissions, however of these, 8 submissions were not made publicly available due to confidentiality requirements, and a further 5 submissions were received subsequent to these, and were not included in the charts.

[6] Attorney-General's Department, Privacy Protection in the Private Sector, Canberra, September 1996,
p. 4.

[7] Attorney-General's Department, Submission No. 57, Lend Lease Corporation Ltd, p. 1.

[8] Attorney-General's Department, Submission No. 73, Price Waterhouse, p. 1.

[9] Attorney-General's Department, Submission No.68, New South Wales Privacy Committee, p. 1.

[10] Attorney-General's Department, Submission No. 6, Australian and New Zealand Banking Group, p. 28.

[11] Attorney-General's Department, Submission No. 48, Commonwealth Department of Industry, Science and Tourism, p. 2.

[12] Attorney-General's Department, Submission No. 9, Australian Chamber of Commerce and Industry, p. 2.

[13] Attorney-General's Department, Privacy Protection in the Private Sector, Canberra, September 1996,
p. 6. However, the Committee does not accept that the IPPs are sufficiently up to date. For a fuller account of current international standards and obligations see Chapter 3, p. 40.

[14] The IPPs were designed to apply to both the Commonwealth public sector and the private sector of the Australian Capital Territory (ACT). Due to a move by the ACT to self-government, the Privacy Act was not applied to the ACT private sector. The fact remains, however, that the IPPs were drafted to apply equally to both the public and private sectors.

[15] Attorney-General's Department, Privacy Protection in the Private Sector, Canberra, September 1996,
p. 6.

[16] Attorney-General's Department, Submission No. 27, Commonwealth Bank, Attachment 1, p. 1.

[17] Attorney-General's Department, Submission No. 8, Australian Bankers' Association, p. 1.

[18] Attorney-General's Department, Submission No.17, Australian Privacy Charter Council, p. 2.

[19] Attorney-General's Department, Submission No.96, Telstra Corporation Limited, p. 5.

[20] Attorney-General's Department, Submission No.96, Telstra Corporation Limited, p. 5-6.

[21] Attorney-General's Department, Submission No.74, Human Rights Australia, p. 4.

[22] Attorney-General's Department, Submission No.74, Human Rights Australia, p. 4.

[23] Attorney-General's Department, Privacy Protection in the Private Sector, Canberra, September 1996,
p. 13.

[24] See below, Paragraphs 7.59-7.65.

[25] Attorney-General's Department, Submission No. 74, Human Rights Australia, p. 15.

[26] Attorney-General's Department, Submission No. 94, Minister for State Government Services (SA), p. 3.

[27] Attorney-General's Department, Submission No.104, Professor Greg Tucker, p. 4.

[28] Attorney-General's Department, Submission No.104, Professor Greg Tucker, p. 6.

[29] Attorney-General's Department, Submission No.105, Mr Charles Raab, p. 2.

[30] Attorney-General's Department, Submission No. 8, Australian Bankers' Association, p. 53.

[31] Attorney-General's Department, Submission No. 96, Telstra Corporation, p. 5.

[32] Attorney-General's Department, Submission No. 19, Australian Retailers Association, p. 5.

[33] Attorney-General's Department, Submission No. 74, Human Rights Australia, p.15.

[34] Attorney-General's Department, Privacy Protection in the Private Sector, Canberra, September 1996,
p. 14-15.

[35] Attorney-General's Department, Submission No.74, Human Rights Australia, p. 16.

[36] Attorney-General's Department, Submission No. 68, New South Wales Privacy Committee, p. 1.

[37] Attorney-General's Department, Submission No.14, Australian Law Reform Commission, p. 4.

[38] Attorney-General's Department, Submission No. 31, Credit Reference Association of Australia, p. 7.

[39] Attorney-General's Department, Submission No. 51, Insurance Council of Australia, p. 7.

[40] Attorney-General's Department, Submission No. 51, Insurance Council of Australia, p. 9.

[41] Attorney-General's Department, Submission No.12, Australian Direct Marketing Association, p. 9.

[42] Attorney-General's Department, Submission No. 74, Human Rights Australia, p. 14.

[43] Attorney-General's Department, Submission No. 74, Human Rights Australia, p. 15.

[44] Attorney-General's Department, Submission No. 57, Lend Lease Group, p. 14.

[45] Attorney-General's Department, Submission No. 29, Consumers Health Forum, p. 2.

[46] Attorney-General's Department, Submission No. 51, Insurance Council of Australia, p. 9.

[47] Attorney-General's Department, Submission No. 56, Law Council of Australia, p. 1.

[48] Attorney-General's Department, Submission No. 68, New South Wales Privacy Committee, p. 2.

[49] Attorney-General's Department, Submission No. 8, Australian Bankers Association, p. 63.

[50] Attorney-General's Department, Submission No. 95, Superannuation Complaints Tribunal, p. 2.

[51] Attorney-General's Department, Submission No. 15, Australian Law Reform Commission, pp. 2-3.

[52] Attorney-General's Department, Submission No.71, Optus, p. 1.

[53] Attorney-General's Department, Submission No. 53, International Master Publishers Pty Ltd., p. 3.

[54] Attorney-General's Department, Submission No. 6, Australian and New Zealand Banking Group, p. 39.

[55] Attorney-General's Department, Submission No17, Australian Privacy Charter Council, p. 9.

[56] Attorney-General's Department, Submission No.57, Lend Lease Group, p. 3.

[57] Attorney-General's Department, Submission No 96, Telstra Corporation Limited, pp. 7-8.

[58] Attorney-General's Department, Privacy Protection in the Private Sector, Canberra, September 1996,
p. 24.

[59] Attorney-General's Department, Submission No.74, Human Rights Australia, p. 19.

[60] Attorney-General's Department, Submission No. 27, Commonwealth Bank, p. 6.

[61] Attorney-General's Department, Privacy Protection in the Private Sector, Canberra, September 1996,
p. 17.

[62] Attorney-General's Department, Submission No.15, Australian Law Reform Commission, p. 3.

[63] Attorney-General's Department, Submission No. 70, Office of Regulatory Review, p. 2.

[64] Attorney-General's Department, Submission No 27, Commonwealth Bank of Australia, Attachment 1, p. 1. The most recent Government comment pertaining to costs in relation to an extension of Australia's privacy regulations, was made in the Second Reading Speech of the Privacy Amendment Bill 1998 where it was stated: 'There is no significant financial impact on Government as a consequence of applying the Privacy Act to contracted service providers. The contracting agency will retain some responsibility for the acts and practices of the contracted service provider, but this is a cost which Government would otherwise have if that function had not been contracted out. Similarly, any costs for contractors of complying with privacy obligations may be taken into account when negotiating the contract price. Many of these costs may already be taken into account in current contractual arrangements which include privacy requirements in accordance with current Government competitive tendering and contracting policy. 'However, this statement is only partially useful, as the Bill only proposes to extend privacy protection to Government Business Enterprises, and not the entire private sector.

[65] Attorney-General's Department, Submission No. 41, Professor Goldring, pp. 1-2.

[66] Attorney-General's Department, Submission No 6, Australia and New Zealand Banking Group, p. 44.

[67] Attorney-General's Department, Submission No.74, Human Rights Australia, p. 18.

[68] Attorney-General's Department, Privacy Protection in the Private Sector, Canberra, September 1996, pp. 24-25.

[69] Attorney-General's Department, Submission No. 62, Mr Damian Murphy, p. 2.

[70] Attorney-General's Department, Submission No. 12, Australian Direct Marketing Association, pp. 3, 12-13.

[71] Attorney-General's Department, Submission No.6, Australian and New Zealand Banking Group, p. 50.

[72] Attorney-General's Department, Submission No. 8, Australian Bankers Association, p. 59.

[73] Attorney-General's Department, Submission No. 56, Law Council of Australia, p. 17.

[74] Attorney-General's Department, Submission No. 62, Mr Damian Murphy, pp. 2-3.

[75] Attorney-General's Department, Submission No.43, Associate Professor Graham Greenleaf, p. 11.

[76] Brandy v Human Rights and Equal Opportunity Commission (1995) 127 ALR 1.

[77] Attorney-General's Department, Submission No.96, Telstra Corporation Limited, p. 6.

[78] Attorney-General's Department, Privacy Protection in the Private Sector, Canberra, September 1996, pp. 16-17.

[79] Attorney-General's Department, Submission No. 74, Human Rights Australia, p. 17-18.

[80] Answer provided by the Attorney-General to a Question on Notice, Senate Hansard, 24 September, 1997, p. 6922; and see also Senate Hansard, 27 October, 1997, p. 8170.

[81] Senate Hansard, 27 August, 1997, p. 5829. See also Senate Hansard, 13 May, 1997, p. 3150.

[82] These views were expressed in 1996. To some degree, the revision of the IPPs could be seen in the development of the National Principles.

[83] Report 360, Internet Commerce: to buy or not to buy?, May 1998. This report is also referred to above in Chapter 2, Footnote 69.

[84] Joint Committee of Public Accounts and Audit, Report 360, Internet Commerce: to buy or not to buy, Paragraphs 7.37, 7.39-7.40.

[85] See above, Paragraphs 7.66-7.76.

[86] For a more detailed examination of cost issues, see below at Chapter 8, Paragraphs 8.3-8.24.

[87] Moira Scollay, “Stark choices for private sector privacy”, Privacy Law and Policy Reporter, 4 (1997), pp. 87.

[88] Privacy Survey 1997, reprinted in Privacy Law and Policy Reporter, 4 (1997), pp. 21-27.

[89] Mike Taylor, “Yes, Big Brother is watching you”, The Canberra Times, 10 September, 1998, p. 11.

[90] Submission No. 32, Market Research Society of Australia, p. 512.

[91] Submission No. 10, Australian Retailers Association, p. 313.

[92] Submission No. 9, Australian Credit Forum, p. 308.

[93] Submission No. 22, Law Council of Australia, p. 412.

[94] Submission No. 25, Law Institute of Victoria, p. 425.

[95] Transcript of evidence, American Express, 28 July 1998, p. 127.

[96] Submission No. 41, Australian Chamber of Commerce and Industry, p. 713, emphasis added.

[97] Submission No. 29, Pacific CDL, p. 501.

[98] Attorney-General's Department, Submission No. 73, Price Waterhouse, p. 1.

[99] Submission No. 36, Australian Direct Marketing Association, p. 645.

[100] Submission No. 39, Credit Union Services Corporation, p. 688.

[101] Submission No. 51, Human Rights and Equal Opportunity Commission, p. 899.

[102] Submission No. 51, Human Rights and Equal Opportunity Commission, p. 901.

[103] Submission No. 51, Human Rights and Equal Opportunity Commission – Privacy Commissioner, p. 899.

[104] These charts reflect the opinions of the original 108 public submissions (they do not include the subsequent 5 submissions) forwarded to the Legal and Constitutional Committee.