Appendix 5
Overseas and Australian developments in privacy
International comparisons Term of Reference 1 (b)
A number of submissions addressed the standing of Australia's privacy
protection efforts by comparing them to those of other nations. The privacy
protection regimes in the following nations were reported on by the Privacy
Commissioner [1] and the Australian Privacy
Charter Council which provided a paper by Mr Nigel Waters. [2]
The material therefore mainly reflects the situation at the time these
submissions were written.
Europe
1.1 Data protection regimes in European countries vary, but all of them
are based on laws that impose obligations on private sector organisations
and establish a supervisory agency to administer those laws. Moreover,
information privacy laws were rapidly being harmonised with the requirements
of the EU Directive.
1.2 Discussion on aspects of the EU Directive is in the main text of
this report, in Chapter 3 and Chapter 5.
Canada
1.3 Like Australia, Canada has for some time had a federal act applying
privacy principles to most federal agencies. Unlike the Australian States,
many provinces followed the Canadian Federal Government's lead, at times
also combining privacy protection laws with freedom of information laws.
According to Mr Waters, Canada flirted with self-regulation of the
private sector
but has now come off the fence
[3].
Mr Waters advised in his submission that in September 1996 the justice
minister announced the Canadian Federal Government's intention:
to bring in legislation to cover both the public and private
sectors, so as to provide and effective and enforceable protection of
privacy rights in the private sector ... According to the Canadian Federal
Privacy Commissioner, the aim of the Federal Government is to enact
privacy laws that will meet the test of adequacy envisaged by the EU
Directive, including having the necessary oversight and enforcement
mechanisms if the data protection principles are contravened. [4]
1.4 The Canadian Government is committed to enact this legislation by
the year 2000. [5]
Japan
1.5 Since 1988, Japan has had a limited privacy law applying to central
government agencies' use of computerised data. It has also some specific
sectoral rules for credit data, and general guidelines for the private
sector since 1989. Following the EU Directive the 1989 guidelines were
amended in 1997 and by a supplementary memorandum in November 1997. In
February 1998, the Finance and Industry Ministry (MITI) established a
supervisory authority to monitor a new system for the grant of `privacy
marks' to businesses committing to the handling of personal data in accordance
with MITI guidelines and to promote awareness of privacy protection for
consumers. The `privacy mark' system was introduced on 1 April 1998. It
is administered by a joint public/private agency. Companies that do not
comply with the industry guidelines will be excluded from relevant industry
bodies and will not be granted the privacy protection mark. The assumption
is that they will be penalised by market forces. [6]
The Japanese approach has been described by the US President as a market-orientated,
private sector-led approach. [7] It is
essentially a self-regulatory, voluntary approach. There are no legislatively
backed sanctions for failure to comply with privacy principles. Stephen
Lau reports that the Japanese measures provide partial conformance with
the EU Directive. Debatable areas include private sector coverage, manual
structured data processing, processing of sensitive data, an independent
supervisory body, transborder data flow and codes of conduct. [8]
New Zealand
1.6 An enforced self-regulatory approach is used, based upon the implementation
and observance of codes of practice and legislated privacy principles
similar to those in the Australian Privacy Act 1988 (Cth). The
New Zealand Privacy Act 1993 is administered by a Privacy Commissioner.
Codes may be developed either by a particular organisation or the Privacy
Commissioner, or through cooperation between them. The New Zealand privacy
regime provides for enforcement of the codes in the case of non-compliance.
The New Zealand Act applies to the entire New Zealand economy,
including the private sector and all levels of government. [9]
Taiwan
1.7 In July 1995 Taiwan enacted an information privacy law that covers
both the public and private sectors, but only in relation to computer
processing systems with personal data. [10]
Stephen Lau reports that there is partial conformance with the EU Directive.
Debatable areas include manual structured data processing, processing
of sensitive data, an independent supervisory body, regulation of transborder
data flow for the public sector and codes of conduct. [11]
Hong Kong
1.8 The Personal Data (Privacy) Ordinance, enacted in 1995, covers both
the public and private sectors. It regulates the processing of both automated
and manual data. The ordinance also creates an independent supervisory
body with significant enforcement powers. The Hong Kong Privacy Commissioner
may issue and approve sectoral codes of practice in consultation with
relevant representative bodies. Formal approval provides a legal basis
for the code. [12] According to Stephen Lau,
in Hong Kong there is general conformance with the EU Directive, except
in some areas including purpose specification and the processing of sensitive
data. [13]
South Korea
1.9 In 1994 South Korea enacted the Act on the Protection of Personal
Information Managed by Public Agencies. There is also consumer credit
information that is regulated separately by the 1995 Act Relating to Use
and Protection of Credit Information. [14]
Malaysia
1.10 It is understood that Malaysia planned to enact a generic law on
personal data protection in March 1998. This legislation will cover both
the private and public sectors, and automated and manual data processing.
The legislation is likely to establish an independent supervisory agency.
The New Zealand model for privacy protection appears to be one of those
under consideration. In January 1998 a committee was studying the implications
of the OECD Guidelines and the EU Directive to formulate the new law.
[15]
Philippines
1.11 There is no general law on personal data protection. [16]
Singapore
1.12 There is no general law on personal data protection. Singapore does
have privacy protection in specific areas, including taxation, provident
funds and banking. Singapore is very conscious of the OECD Guidelines
and the EU Directive. This jurisdiction is monitoring the international
developments. [17]
Indonesia
1.13 This jurisdiction has no general laws concerning personal data protection.
According to Stephen Lau, it is not clear when such a law would be introduced
or whether one is planned. [18]
China
1.14 This jurisdiction has no general law concerning personal data protection.
According to Stephen Lau, it is not clear when such a law would be introduced
or whether one is planned. [19]
Asia in General
1.15 In concluding his review of the privacy protection regimes in Asia,
Stephen Lau said that: The Hong Kong, Taiwan and Japan laws are
in general conformance with the OECD principles. [20]
United States
1.16 Jurisdictions in the United States have taken a cautious approach
to the protection of personal information handled by private sector organisations.
There are, however, many laws at both federal and state level that protect
information privacy in particular contexts. These include:
- personal information held by Federal Government agencies;
- credit records;
- tax return and tax filing information;
- banking and financial records;
- information communicated electronically;
- labour-related records, such as union membership;
- benefits-related records;
- video rental or sale records;
- cable television subscriber records;
- family educational records;
- certain types of medical records [usually addressed at the State level];
and
- social security numbers and information.
1.17 The Privacy Commissioner reported that in the United States, legislation
is not routinely pro-active and this leads to a patchwork of regulatory
bodies:
At times, legislation and regulation have developed in response to
a specific incident. For instance, the Video Privacy Protection Act
of 1988, the so-called `Bork Bill' grew out of a reaction to the
disclosure of the video rental habits of a prominent Federal Court judge.
This [approach] leads to a patchwork of legislative provisions and regulatory
agencies. [21]
1.18 The US privacy protection system suffers from the two defects that
the majority of submissions urged this committee to ensure that any Australian
initiative avoided: a lack of consistent, national coverage and a lack
of effective enforcement processes. In this vein, the Australian Privacy
Charter Council reported that:
The US is often mistakenly portrayed as a country without statutory
privacy protection. This is far from the case, with a plethora of sectoral
or activity-specific laws governing the use of personal information
at both federal level and in many States, in areas such as credit reporting,
telecommunications, motor vehicle and driver registration and video
hire records. What is lacking in almost all cases is any effective supervisory
body, so that compliance is very uneven, and relies generally on litigation
by aggrieved individuals.
the Clinton administration itself has strongly resisted calls
for comprehensive legislation, preferring to see the private sector
provide privacy protection through a range of self-regulatory initiatives.
In practice some of these are co-regulatory in nature with
federal or state agencies able to enforce compliance with rules designed
and implemented by industry associations ... [22]
1.19 The following assessment was given by Mr Nigel Waters of Australia's
position and the effectiveness of the United States approach the
approach that is likely to emerge by default in Australia if no national
initiative is undertaken and the States legislate unilaterally:
It is clear that Australia is one of only a few countries still `holding
out' against a growing international consensus that a legislative framework
is necessary to deal with the privacy issue.
The two other main countries which are still trying, like Australia,
to pretend that self-regulation will suffice, are the United States
and Japan. There may be some chance that in Japan, the centralised and
disciplined private sector may be able to make the recently introduced
`privacy mark' system work. In the US however there is abundant evidence
that self-regulation cannot work in this area. Abuses of privacy for
commercial reasons are rife, and even the forceful exhortations by the
federal government over the last year have failed to elicit significant
progress towards effective self-regulatory mechanisms. [23]
1.20 The Australian Privacy Charter Council assessed Australia's international
position, with respect to privacy protection, in these words:
Australia now lags behind all European Union member states, New Zealand,
Hong Kong, Taiwan and South Korea in its response to concerns about
privacy protection in the private sector. The Canadian federal government
announced in 1996 that it would legislate for private sector protection
before the year 2000
[24]
1.21 In a further submission, the Council stated:
In short, Australia is in danger of becoming isolated in its inadequate
response to privacy concerns, with potentially serious consequences
for business confidence and investment and international trade, as well
as leaving citizens with a sub-standard privacy protection regime which
will inhibit the acceptance of electronic commerce and service delivery.
[25]
Current legislative and other frameworks for privacy regulation in the
Commonwealth, States and Territories Term of reference 1(c) [26]
1.22 Nationally: The Constitution does not explicitly guarantee
a right to privacy. However, it is arguable that, given the implied rights
doctrine that the High Court has been developing, an implied right to
privacy may be found with respect to the operations of representative
government. For example, abolishing the secret ballot or requiring people
to express a political opinion in order to obtain some appointable public
office, may be found to violate the Constitution. As well, Section 116,
which prevents the Commonwealth legislating with respect to religion,
may guarantee the privacy of religious belief and the privacy of the relationship
between a communicant and his or her religious adviser.
1.23 The common law does not specifically protect the privacy of personal
information. Such protections as exist at law rely upon the law of torts
or contracts. Australia, the Privacy Commissioner reported, like other
common law jurisdictions, has not developed a tort of breach of privacy.
The courts have preferred to utilise existing courses of action. [27]
1.24 In addition to the Privacy Act 1988, the Privacy Commissioner
reports that hundreds of statutes in the State and federal jurisdictions
provide limited privacy protections for personal information, usually
information controlled by government agencies. [28]
Most of these statutes operate by way of secrecy provisions that prohibit
public servants from disclosing information to which they have access
in the course of their duties. Some provide specific protections. The
picture that emerges is that of a patchwork of legislation, with significant
holes in the coverage which results in important areas of life being devoid
of privacy protection.
1.25 New South Wales: A privacy committee was established under
the Privacy Committee Act 1975. The committee is responsible for
providing advice about privacy issues to individuals, government agencies
and business organisations, and conciliating complaints about breaches
of privacy. Its jurisdiction extends to both public and private sectors.
In addition to providing advice and conciliating complaints, the committee
can investigate complaints, although the committee does not have the power
to make binding determinations. It also lacks the power of enforcement
of its decisions. The committee also conducts research on significant
developments in law, policy and technology that affect privacy. As well,
the NSW committee promotes public awareness of privacy issues. [29]
1.26 Tasmania: A set of information privacy principles has been
developed and issued on an advisory basis for the guidance of government
agencies. The Tasmanian Government supports the maintenance of privacy
standards by government and non-government bodies through the use of policy
and codes of practice. According to the Privacy Commissioner there are
no other developments in the public area. [30]
1.27 Queensland: There is no general privacy protection applying
to either the public or private sector in Queensland. In April 1998, the
Legal, Constitutional and Administrative Review Committee of the Queensland
Parliament released a report, Privacy in Queensland. The report
recommends the enactment of a privacy act and the appointment of a privacy
commissioner. It was also recommended that the proposed Act make allowance
for information privacy principles modelled on the Privacy Act 1988
(Cth). The Queensland Act would bind all state government departments
and agencies, local governments and private sector service providers contracted
to State or local government.
1.28 The proposed powers of the Queensland Privacy Commissioner would
be similar to the powers of the Commonwealth Privacy Commissioner in the
Commonwealth sphere. The proposed Queensland Privacy Commissioner would
be assisted by a privacy advisory committee, also to be established by
legislation. This legislation would be broadly modelled on Part VII of
the Privacy Act 1988 (Cth). The Queensland Act would also contain
offence provisions modelled on those in the Privacy Act 1988. [31]
1.29 South Australia: Under Cabinet Administrative Instruction
1/1989, in July of that year, eleven information privacy principles were
introduced and applied to South Australian government agencies. The South
Australian principles are identical to those contained in the Privacy
Act 1988 (Cth), but they are guidelines, not law. At the same
time a privacy committee was established to hear complaints about breaches
of the privacy principles and to provide advice on privacy protection
matters. [32]
1.30 Western Australia: There is no general information privacy
legislation applying to either the public or private sector. There are,
according to the Privacy Commissioner, no other developments in the public
arena. [33]
1.31 Northern Territory: There is no general information privacy
legislation applying to either the public or private sector. There are,
according to the Privacy Commissioner, no other developments in the public
arena. [34]
1.32 Australian Capital Territory: All ACT government agencies
are covered by the Privacy Act 1988. In addition, the Legislative
Assembly passed the Health Records (Privacy and Access) Act 1997,
which covers both the public and private sectors.
1.33 This Act provides for: privacy rights in relation to personal information;
the integrity of records containing personal information; consumer access
to personal health information in health records; the consumer to receive
an explanation of his or her personal health information. The Act seeks
to encourage agreement concerning the exercise of a right or the performance
of a duty under the Act, between the persons concerned. [35]
1.34 Victoria: There is currently no general privacy legislation
applying to the private sector in Victoria. Complaints about privacy matters
relating to State government agencies are dealt with by the Ombudsman.
1.35 In July 1998 the Victorian Treasurer and Minister for Information
Technology and Multimedia, Mr Alan Stockdale, released two discussion
papers dealing with privacy issues. The papers also foreshadowed legislation
addressing privacy issues, to be introduced into the spring session of
the Victorian parliament. [36] The Victorian
initiative represents the most extensive attempt to implement privacy
protection legislation since the Commonwealth Attorney-General's proposal
was abandoned in March 1997. The foreshadowed Victorian scheme is based
upon the National Principles for the Fair Handling of Information
released by the Privacy Commissioner in February 1998. [37]
The Bill is likely to have the following key elements, according to the
Discussion Paper: Information Privacy in Victoria: Data Protection
Bill:
- a privacy commissioner, who will oversee the administration and implementation
of the legislation;
- the legislation will provide for a default legislative privacy protection
scheme that will apply to all sectors of the economy unless a sector
has developed and, had accepted by and registered with, the privacy
commissioner, a voluntary code.
- organisations, including all private sector organisations, will be
encouraged to develop voluntary privacy codes. Provided that organisations
comply with their approved code they will be excluded from the default
statutory scheme. Priority will be given to the development of voluntary
codes. [38]
- The privacy commissioner will be unable to prepare or impose a code
and determinations will not be binding. [39]
1.36 The discussion paper also indicated that:
If the Privacy Commissioner refuses to make a determination, he or
she may refer the complaint to the Victorian Civil and Administrative
Tribunal. The people affected by a determination, or the failure to
make one, will be able to apply to the Victorian civil and Administrative
Tribunal for it to be reviewed. This might require the prior approval
of the Commissioner. [40]
1.37 Mr Alan Stockdale provided other details of the proposed Victorian
regulatory scheme in a speech to Information Privacy & Data Protection
Conference:
The Victorian legislative scheme will bridge the gap between
voluntary codes and legislative schemes. We believe we are currently
developing a third generation privacy regime that will be world's best
practice. It is a regime that will address the needs of consumers and
businesses in the Information Age, without stifling innovation and growth.
1. Our scheme will enshrine with legislative force the basic privacy
principle that information collected for one purpose should not be used
for another purpose without the individual's permission.
2. We will establish a default legislative scheme that will support
and promote the development of voluntary privacy codes.
3. The scheme will operate on the basis that priority is given to approved
voluntary privacy codes. The approval process will involve the Privacy
Commissioner certifying that the codes are suitable. The test will be
whether: (i) the code is effective in broadly achieving the privacy
objectives of the legalisation; and (ii) the code is not contrary to
the public interest.
4. The effect of approval will be that provided subscribers to the
code comply with the approved voluntary privacy code, they will be excluded
from the Victorian statutory scheme as long as they continue to comply
with their code.
5. The oversight of compliance, for both codes and the default legislative
scheme, will operate as follows:
- audits. An audit mechanism ensures a means of establishing whether
or not an organisation is complying with its code or the default
legislative regime. It is expected that audits will be triggered
primarily by complaints or requests by the code's promoters
- complaints. A complaints mechanism ensures that individuals are
able to approach an organisation with an expectation of having their
complaint dealt with efficiently and effectively. An individual
will be obliged to approach the relevant organisation in the first
instance.
- education. In line with our general view that information privacy
is largely an educative process, we consider the educational role
to be played by the Privacy Commissioner as being crucial in getting
appropriate privacy information out to business and community groups.
- mediation. We consider that mediation provides an appropriate
means of resolving complaints.
- appeals. An effective privacy regime should ensure that appeals
are the exception rather than the norm. However, for those situations
where resolution cannot be reached by mediation, an appeal mechanism
will be available.
- penalties. Any penalties will be restricted to serious, flagrant
or repeated breaches of a code or the legislative scheme.
6. The framework of the Victorian scheme deliberately takes a national
approach by adoption of the National Principles and, if agreed
by the Commonwealth, we will explicitly reference the federal Privacy
Commissioner in our scheme.
7. The scheme is intended to be a light-handed, primarily educative
scheme.
8. A phase-in period of at least twelve months will ensure that all
organisations have enough time to ensure that they are able to comply
with the Victorian scheme, or to develop their own voluntary code.
[41]
1.38 Several potential problems were identified :
- There is no assured independent complaints handling mechanism in the
first instance. Such independence will occur for a voluntary code only
if the voluntary code specifically provides for it. It is unclear whether
the Victorian legislation will require independent complaints handling
procedures as a condition of registration of a code. Independence would
then seem to be assured only by taking a complaint from the voluntary
code administrator to the Privacy Commissioner. The result is a labyrinthine
system that effectively deters complaints. It seems unlikely that such
a scheme would inspire the confidence of those who may wish to use the
code to redress an invasion of privacy.
- The determinations of the Privacy Commissioner are not binding. As
a consequence, the Victorian scheme may lack credibility.
- Enforceability is possible only if the complaint is taken to the Victorian
Civil and Administrative Tribunal. It is not clear from the documentation
and other information available to the secretariat that the Tribunal
would have the power to enforce the code or any determinations. For
example, amendment to the Victorian Civil and Administrative Tribunal
legislation is not referred to in the Discussion papers, in the section
`consequential amendments' [42].
- It would seem that the proposed Victorian legislation does not specifically
allow for effective, speedy remedies and effective sanctions.
- If a voluntary code is not honoured, the default legislative scheme
applies. It is not specified under what circumstances, and using what
criteria, a decision would be made that a voluntary code has not been
complied with. At present there is no guarantee to citizens that the
voluntary schemes are going to be backed up with effective legislative
muscle.
- Any penalties will be restricted to serious, flagrant or repeated
breaches of a code or the legislative scheme. This may send a message
to citizens that breaches of privacy, that may damage a person's reputation
and standing within the community, are not serious enough to deter by
effective penalties.
- Organisations that have more than one type of business and are members
of more than one trade organisation may find themselves subject to inconsistent
codes. This would increase compliance costs.
- In the Victorian proposal, the Privacy Commissioner cannot impose
or prepare a code. If the New Zealand experience is anything to go by,
many industries would prefer the Privacy Commissioner to prepare a code.
This reduces their running and compliance costs. The Victorian model
seems to have selected a regulatory model that is more costly to business
than others that are available, tested and found acceptable.
- The EU has indicated that it prefers a scheme based on legislation,
that allows for effective and speedy remedies, sanctions for breaches
of privacy, and the resolution of complaints. Only a scheme that meets
these standards will be considered `adequate'. It is not clear, given
the foregoing, that the Victorian proposal will meet the EU `adequacy'
test.
1.39 The nature of Victorian involvement in the development of the Commonwealth
legislation announced in mid-December 1998 is not yet clear. [43]
It is also possible that if satisfactory national legislation is developed
there will be limited need for state-specific legislation. [44]
Footnotes
[1] Submission No 51, Human Rights and
Equal Opportunity Commission, pp. 873-877.
[2] Submission No. 7A, Australian Privacy
Charter Council, pp. 273-278
[3] Submission No. 7A, Australian Privacy
Charter Council, p. 275.
[4] Submission No. 7A, Australian Privacy
Charter Council, pp. 275-276.
[5] In October 1998 private sector privacy legislation
was tabled, intended to ensure protection of all personal data handled
by the federally-regulated private sector. This includes areas such as
banking,telecommuncations and transportation. The legislation is the Personal
Information Protection and Electronic Documents Bill
[6] Submission No. 7A, Australian Privacy
Charter Council, p. 275.
[7] Submissions No. 7A, Australian Privacy
Charter Council, p. 275.
[8] S. Lau, Observance of the OECD Guidelines
and the EU Directive in Asia, Privacy Law and Policy Reporter 4
(1998) p. 151.
[9] Submission No. 51, Human Rights and
Equal Opportunity Commission, p. 876.
[10] S. Lau, Observance of the OECD Guidelines
and the EU Directive in Asia, Privacy Law and Policy Reporter 4
(1998) pp. 145-151.
[11] S. Lau, Observance of the OECD Guidelines
and the EU Directive in Asia, Privacy Law and Policy Reporter 4
(1998) p. 151.
[12] S. Lau, Observance of the OECD Guidelines
and the EU Directive in Asia, Privacy Law and Policy Reporter 4
(1998) pp. 145-151.
[13] S. Lau, Observance of the OECD Guidelines
and the EU Directive in Asia, Privacy Law and Policy Reporter 4
(1998) p. 151.
[14] Submission No. 51, Human Rights
and Equal Opportunity Commission, p. 877.
[15] Submission No. 51, Human Rights
and Equal Opportunity Commission, p. 877; S. Lau, Observance of
the OECD Guidelines and the EU Directive in Asia, Privacy Law and Policy
Reporter 4 (1998) p. 151.
[16] S. Lau, Observance of the OECD Guidelines
and the EU Directive in Asia, Privacy Law and Policy Reporter 4
(1998) pp. 145-151.
[17] S. Lau, Observance of the OECD Guidelines
and the EU Directive in Asia, Privacy Law and Policy Reporter 4
(1998) p. 151.
[18] S. Lau, Observance of the OECD Guidelines
and the EU Directive in Asia, Privacy Law and Policy Reporter 4
(1998) p. 151.
[19] S. Lau, Observance of the OECD Guidelines
and the EU Directive in Asia, Privacy Law and Policy Reporter 4
(1998) p. 151.
[20] S. Lau, Observance of the OECD Guidelines
and the EU Directive in Asia, Privacy Law and Policy Reporter 4
(1998) p. 151.
[21] Submission No. 51, Human
Rights and Equal Opportunity Commission, p. 874.
[22] Submission No. 7A, Australian Privacy
Charter Council, p. 276.
[23] Submission No. 8, Mr Nigel Waters,
p. 253.
[24] Submission No. 7, Australian Privacy
Charter Council, p. 240.
[25] Submission No.7A, Australian Privacy
Charter Council, p. 296.
[26] The major constitutional issues are discussed
in Chapter 8 of this report, and other aspects of law at Chapter 4. In
general, this Appendix reflects the situation as noted in submissions
to the Committee, that is, prior to the end of 1998.
[27] Submission No. 51, Human Rights
and Equal Opportunity Commission, p. 878.
[28] Submission No. 51, Human Rights
and Equal Opportunity Commission, p. 880.
[29] Submission No. 51, Human Rights
and Equal Opportunity Commission, p. 881.
[30] Submission No. 51, Human Rights
and Equal Opportunity Commission, p. 883.
[31] Submission No.51, Human Rights
and Equal Opportunity Commission p. 882; Queensland Legislative Assembly:
Legal, Constitutional and Administrative Review Committee, Report No.
9; Privacy in Queensland, Brisbane, April, 1998.
[32] Submission No. 51, Human Rights
and Equal Opportunity Commission, p. 883.
[33] Submission No. 51, Human Rights
and Equal Opportunity Commission, p. 882.
[34] Submission No. 51, Human Rights
and Equal Opportunity Commission, p. 882.
[35] Submission No. 51, Human Rights
and Equal Opportunity Commission, p. 883
[36] Discussion Paper: Promoting Electronic
Business: Electronic Commerce Framework Bill, July, 1998; Discussion
Paper: Information Privacy in Victoria: Data Protection Bill, July,
1998.
[37] Discussion Paper: Information Privacy
in Victoria: Data Protection Bill, July, 1998, p. 11.
[38] Discussion Paper: Information Privacy
in Victoria: Data Protection Bill, July, 1998, p. 12.
[39] Discussion Paper: Information Privacy
in Victoria: Data Protection Bill, July, 1998, pp. 17 & 37.
[40] Discussion Paper: Information Privacy
in Victoria: Data Protection Bill, July, 1998, p. 37.
[41] Mr Stockdale, speech to the Information
Privacy & Data Protection Conference, available at , p. 5.
[42] Discussion Paper: Information Privacy
in Victoria: Data Protection Bill, July, 1998, p. 38
[43] News Release, Attorney-General, Victorian
Agreement on Privacy Welcomed, 16 December 1998 referred to in the Foreword
to this report.
[44] See above, Chapter 8, Paragraphs 8.38-8.39.