Getting in on the Act: the Review of the Private Sector Provisions of the Privacy Act 1988



Getting in on the Act:

The Review of the Private Sector Provisions of the Privacy Act 1988

March 2005

Copyright © Office of the Privacy Commissioner 2005

ISBN 1-887079-46-4

This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be reproduced by any process without prior written permission from the Office of the Privacy Commissioner.

Requests and enquiries concerning reproduction, rights and content should be addressed to:

Copyright Officer

Corporate and Public Affairs

Office of the Privacy Commissioner

GPO Box 5218

SYDNEY NSW 2001

E-mail: privacy@privacy.gov.au

The Hon Philip Ruddock MP

Attorney-General

Parliament House

CANBERRA ACT 2600

 

Dear Attorney-General

I refer to your request of 13 August 2004 asking me to undertake a review of the private sector provisions of the Privacy Act 1988. I have pleasure in presenting to you the report: Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988.

Yours sincerely

Karen Curtis

Privacy Commissioner

31 March 2005

Table of Contents

Foreword viii

Overview and Executive Summary 1
Approach to the review 1
Terms of reference 1
Participants in the review 1
Timing of the review 1
Provisions work well on balance 2
A single national scheme 4
Main recommendations 6
Recommendations: 8
Recommendation: Wider review of Privacy Act 8
Recommendations: National consistency 8
Recommendations: Telecommunications consistency 9
Recommendations: Health consistency 9
Recommendations: Residential tenancy databases 9
Recommendation: EU ‘adequacy' and APEC 10
Recommendation: NPP 9 10
Recommendations: Control over personal information 10
Recommendations: Direct marketing 11
Recommendations: Consumer education 11
Recommendations: Access generally 11
Recommendations: Transfer of health records 12
Recommendations: Health service ceases to operate 12
Recommendations: Complaints handling and compliance 13
Additional powers 14
Recommendation: Approved privacy codes 14
Recommendations: Business awareness 14
Recommendations: Small business exemption 15
Recommendations: Private sector contracting 15
Recommendation: Due diligence 15
Recommendations: Media exemption 15
Recommendations: Research 16
Recommendations: Decision-making where capacity is impaired 16
Recommendation: Law enforcement 17
Recommendation: Private investigations 17
Recommendations: Alternative dispute resolution schemes 17
Recommendations: Large scale emergencies 18
Recommendations: New technologies 18
Recommendation: NPP 1.3(d) 19
Recommendation: Reasonable steps for NPP 1.3 and 1.5 19
Recommendation: NPP 1.5 - ‘Someone' 19
Recommendations: Primary purpose and health information 20
Recommendation: NPP 3 - Data quality 20
Recommendation: NPP 7 - Identifiers 20
Recommendations: NPP 10 - Public Interest Determinations 20
Recommendations: NPP 10.2(b) 21
Recommendations: Deceased persons 21

1 Background 22
1.1 This Inquiry 22
Background to the review 22
Terms of Reference 22
Matters not included in the review 22
Other relevant privacy related reviews and processes 23
Research 23
Framework for assessing issues 23
Conduct of the review - overview of consultation 24
Issues Paper 25
Consultation Meetings 25
Written Submissions 26
Structure of report 26
1.2 Private Sector Provisions of the Privacy Act 27
History of Commonwealth Privacy Legislation 27
What do the Private Sector Provisions cover? 29

2 National Consistency 32
2.1 National consistency overall 32
National consistency was goal of legislation 32
Issues 32
Other law impacting on privacy 33
Submissions favour national consistency 35
What submissions say - issues 37
What submissions say - addressing the issues 42
Options for reform 45
2.2 Recommendations: National consistency 48
2.3 Consistency in telecommunications 49
Law and policy 49
Complaints and enquiries 51
What the submissions say - issues 53
What submissions say - addressing the issues 57
Options for reform 58
2.4 Recommendations: Telecommunications consistency 63
2.5 Consistency in protection of health information 64
Law and policy 64
What the submissions say - issues 65
Options for reform 68
2.6 Recommendations: Health Consistency 71
2.7 Residential tenancy databases 72
What are residential tenancy databases? 72
Application of the Privacy Act 72
Issues 72
Options for reform 72
2.8 Recommendations: Residential tenancy databases 73

3 International issues and obligations 74
3.1 EU Adequacy and APEC 74
Law and Policy 74
Issues 75
What submissions say - issues 75
3.2 Recommendation: EU ‘adequacy' and APEC 76
3.3 NPP 9 76
Law and policy 76
Issues 77
What submissions say - issues 77
What submissions say - addressing the issues 78
Options for reform 79
3.4 Recommendation: NPP 9 80

4 Protecting individual's right to privacy 81
4.1 Control over personal information 81
Law and policy 81
Issues 81
Community attitudes survey 82
What submissions say - issues 83
What submissions say - addressing the issues 89
Options for reform 91
4.2 Recommendations: Control over personal information 93
4.3 Direct marketing 94
What is direct marketing? 94
Law and policy 94
Rationale 95
Community attitudes survey 96
Issues 96
What submissions say - the issues 96
What submissions say - addressing the issues 100
Options for reform 102
4.4 Recommendations: Direct marketing 103
4.5 Awareness of, confidence in and capacity to exercise rights 104
Law and policy 104
Issues 104
Role of the Office 105
Role of organisations 105
Community awareness survey 105
Demographic information about complainants 106
What submissions say - issues 107
What submissions say - addressing the issues 108
Options for reform 110
4.6 Recommendations: Consumer education 111
4.7 Access generally 112
Law and policy 112
Issues 112
What submissions say - issues 113
What submissions say - addressing the issues 115
Options for reform 117
4.8 Recommendations: Access generally 118
4.9 Transfer of health records to another health service provider 119
Law and policy 119
What submissions say 119
Options for reform 119
4.10 Recommendations: Transfer of health records 121
4.11 Access to health records when health service ceases to operate 122
Law and policy 122
Health services ceasing to operate 122
What submissions say 123
Options for reform 123
4.12 Recommendations: Health service ceases to operate 124

5 Enforcing individual rights and ensuring compliance 125
5.1 Introduction 125
5.2 Law and policy 125
Approach to compliance 125
Complaints process 126
Review rights 128
5.3 Issues 130
5.4 What submissions say - issues 130
Approach to compliance 130
Level of compliance 131
Office does not use existing powers 134
Systemic issues not being addressed 134
Complaints process 137
5.5 What submissions say - addressing issues 142
Transparency 142
Fairness 144
More help to complainants - streamline process 145
Improving levels of compliance 145
Are levels of compliance adequate? 146
5.6 Options for reform 151
More education and awareness 151
Increase transparency in complaints process 151
More external review 153
Fairer process 154
Make better use of existing powers 154
Power to enforce own motion investigations 155
Power to audit private sector 157
Other power to address systemic problems in complaints 157
Improve liaison with overlapping complaint handlers 159
Advice about complaint rights 160
Address delay in handling complaints 160
Review practices 161
5.7 Recommendations: Complaints handling and compliance 162

6 Balancing individual privacy interests with business efficiency 164
6.1 Introduction 164
Law and policy 164
Issues 164
Striking the balance 164
Principles or rules 165
Principles may need some illumination 165
6.2 Approved Privacy Codes 166
Law and policy 166
Issues 166
What submissions say - issues 167
What submissions say - addressing the issues 169
Options for reform 170
6.3 Recommendation: Approved Privacy Codes 171
6.4 Compliance costs 171
Law and policy 171
Issues paper 171
What submissions say 172
6.5 Business awareness 175
Issues 175
What submissions say 175
Options for reform 177
6.6 Recommendations: Business awareness 178
6.7 Small business exemption 179
Law and policy 179
Issues 179
What submissions say 180
Options for reform 183
6.8 Recommendations: Small business exemption 185
6.9 Private sector contracting 186
Law and policy 186
What submissions say 186
Options for reform 188
6.10 Recommendations: Private sector contracting 189
6.11 Due diligence on sale or purchase of business 189
What is due diligence? 189
Information Sheet 16 189
Issues 190
What submissions say 190
Options for reform 191
6.12 Recommendation: Due diligence 191

7 Balancing individual rights and other social interests 192
7.1 Media exemption 192
Introduction 192
Law and policy 192
Issues 195
What submissions say - issues 195
Options for reform 197
7.2 Recommendations: Media exemption 199
7.3 Medical research 199
Law and Policy 199
What submissions say - issues 201
What submissions say - addressing the issues 206
Options for reform 209
7.4 Recommendations: Research 212
7.5 Decision-making where capacity is impaired 213
Introduction 213
Relevant privacy principles 214
What submissions say - issues 215
Options for reform 217
7.6 Recommendations: Decision-making where capacity is impaired 219
7.7 Law enforcement 219
Law and policy 219
Issues paper 221
What submissions say - issues 221
Options for reform 223
7.8 Recommendation: Law enforcement 223
7.9 Private investigation 224
Introduction 224
What submissions say - issues 224
Private detectives and other jurisdictions 227
Options for Reform 228
7.10 Recommendation: Private investigations 231
7.11 Alternative Dispute Resolution 231
Alternative Dispute Resolution 231
What submissions say - issues 231
What submissions say - addressing the issues 233
Options for Reform 233
7.12 Recommendations: Alternative dispute resolution schemes 234
7.13 Responding to large scale emergencies 234
Introduction 234
Law and policy 234
Issues 235
What submissions say - addressing the issues 235
Options for reform 235
7.14 Recommendations: Large scale emergencies 237

8 New technologies 239
8.1 Developments 239
Telecommunications and internet 239
Data aggregation and mining 240
Biometrics 240
Electronic health records 241
Role of technology in protecting privacy 241
Issues 242
8.2 What submissions say - the issues 242
8.3 What submissions say - addressing the issues 249
8.4 Options for reform 252
8.5 Recommendations: New technologies 257

9 Clarifying how the National Privacy Principles work 258
9.1 NPP 1.3(d) 258
Law and Policy 258
The issue 258
Options for Reform 259
9.2 Recommendation: NPP 1.3(d) 260
9.3 NPP 1.3 and 1.5 - ‘reasonable steps' 260
Law and Policy 260
The issue 260
Options for Reform 261
9.4 Recommendation: Reasonable steps for NPP 1.3 and 1.5 261
9.5 NPP 1.5 - collection from ‘someone' else 261
Law and Policy 261
Options for Reform 262
9.6 Recommendation: NPP 1.5 - ‘Someone' 263
9.7 NPP 2 - primary purpose and the collection of health information 263
Background 263
Options for Reform 265
9.8 Recommendations: Primary purpose and health information 266
9.9 NPP 3 267
Law and Policy 267
What submissions say - issues 267
Options for Reform 268
9.10 Recommendation: NPP 3 - Data quality 268
9.11 NPP 4 269
9.12 NPP 5 269
9.13 NPP 6 269
9.14 NPP 7 269
Law and policy 269
Issues 270
What the submissions say - issues 270
Options for reform 271
9.15 Recommendation: NPP 7 - Identifiers 273
9.16 NPP 8 273
9.17 NPP 9 273
9.18 NPP 10 - Collection of Family History Information - PID 9 and 9A 273
Law and Policy 273
What the submissions say - issues 275
Options for Reform 276
9.19 Recommendations: NPP 10 - Public Interest Determinations 277
9.20 NPP 10.2 - Collecting health information without consent 277
Law and Policy 277
Scope of the exception 278
Options for Reform 279
9.21 Recommendations: NPP 10.2(b) 280

10 Other issues with the private sector provisions of the Privacy Act 281
10.1 Information of deceased persons 281
Law and Policy 281
What submissions say - issues 282
Options for Reform 283
10.2 Recommendations: Deceased persons 284
10.3 Employee Records Exemption 285
Law and Policy 285
What submissions say 285
10.4 Political Exemption 285
Law and Policy 285
What submissions say 286

Appendix 1 287
Terms of Reference 287
Appendix 2 288
Review Reference Group 288
Appendix 3 290
Submissions Received 290
Appendix 4 293
National Privacy Principles 293
Appendix 5 305
Information Privacy Principles 305
Appendix 6 311
Community Attitudes towards Privacy 2004 311
Appendix 7 317
Information Sheet 13: 317
2001 Privacy Commissioner's Approach to Promoting Compliance 317
Appendix 8 321
Summary of complaint handling provisions, including powers to investigate 321
Appendix 9 326
Complaints Statistics 326
Appendix 10 335
Own Motion (section 40 (2)) power 335
Appendix 11 337
Current Powers to enforce determinations 337
Appendix 12 338
Decision Appeal Processes in comparable legislation 338
Appendix 13 340
Demographic information about complainants 340
Appendix 14 342
Complainant and respondent satisfaction survey 342

Foreword

This report is the first major examination of how the laws governing the use of personal information by the private sector in Australia have worked in their first years of operation.

It has been a significant project for the Office and leadership team since last August. The project team was headed by Robin McKenzie.

The report has drawn on information and views from a wide range of sources including individuals, businesses, industry organisations, interest groups, and government agencies across the Commonwealth, and states and territories.

The review has benefited from discussions, consultations and material contained in submissions. I thank all those involved for contributing their ideas and views, and for the constructive way in which those views were conveyed.

I particularly thank the members of the Steering Committee and the Reference Group for their advice and guidance.

Many members of staff contributed in various ways – preparation of the Issues Paper, organising meetings for the Steering Committee and Reference Group, organising public consultations, analysing submissions, developing policy options, putting submissions on the website, undertaking surveys, writing sections of the report, editing and formatting. The Corporate and Public Affairs Section of the Office was involved in all aspects of the review process.

While I hesitate to single out individuals, it would be remiss if I did not acknowledge the major contributions of Robin McKenzie, Pauline Kearney, Paul Armstrong, Chris Cowper and Timothy Pilgrim. Suzanne Christian was responsible for the report compilation, formatting and editing.

To my staff, I express my gratitude for their contribution to this important review and I look forward to further improving the operation of the private sector provisions for the benefit of the community and business.

Karen Curtis

Privacy Commissioner

March 2005

Overview and Executive Summary

Approach to the review

Terms of reference

The Office has undertaken a review of the operation of the private sector provisions of the Privacy Act to see whether they meet their objectives. The objects are outlined in the terms of reference from the Attorney-General which are at Appendix 1.

Participants in the review

In the course of the review, information has been considered from a wide range of sources. They are:

  • 136 written submissions
  • 12 stakeholder workshops in all capital cities
  • the Review Steering Committee, which includes members of the Privacy Advisory Committee
  • the Review Reference Group, which includes over 40 representatives from community, business and government
  • the Office’s Community Attitudes Research
  • research conducted by other stakeholders, for example, the National Health and Medical Research Council and the Australian Direct Marketing Association
  • statistics collected by this Office either specifically for this review, or from its complaints management system
  • Office staff experience in the course of providing policy advice to stakeholders, or managing complaints
  • meetings with stakeholders.

A wide range of stakeholders have participated in the review. They include major business and industry sectors, including banking, insurance, finance, private detectives and debt collection, credit reporting, marketing, fundraising, health and allied care, manufacturing, retail, small business, housing, real estate, superannuation, internet, hospitality and welfare. There has also been input from consumer and privacy advocacy groups including consumer, credit, health and academia. In addition, the Office has received input from state and federal government agencies, including health, law enforcement agencies and other regulators, and also dispute resolution bodies.

Timing of the review

The private sector provisions have been in operation since 21 December 2001, or just over three years for non-small business operators, and since 21 December 2002, or just over two years for small businesses that do not qualify for the small business exemption. Given that implementing a privacy scheme, particularly for some sectors, involves complex attitude change and understanding rather than simply complying with clear, black letter law, this is a relatively short period of time to be assessing the operation of the provisions.

In addition, it was not possible to conduct the kind of detailed quantitative research that might give a clearer indication of the actual level of business compliance with its obligations under the scheme. Further, because the scheme is complaint based and the Office has only limited powers to investigate practices on its own initiative, it is possible that there are areas of non-compliance of which the Office is not aware. As a result, although the Office has sought to gain and draw upon quantitative evidence to the extent it is possible and available, it is in the end relying to a considerable extent on anecdotal evidence as well as its own complaint statistics for its conclusions.

Provisions work well on balance

Overview

The review process shows that the private sector provisions have met their objectives in some areas and not in others. In some areas an objective has not been met, but in practice the impact may not have been significant. In others, objectives were met in a way quite different from that envisaged at the time the legislation was implemented. In some, the provisions have not met the objective at all.

Indeed, it could be argued for example that the private sector provisions have not met the two objectives of ‘a national scheme’ or ‘international concerns’. But this does not take away from the overall effect that the National Privacy Principles (NPPs) have worked well and delivered to individuals protection of personal and sensitive information in Australia in those areas covered by the Act.

No fundamental flaw

Although 85 recommendations have been made, this does not equate to dissatisfaction with the provisions. Rather, it means with the benefit of three years experience it has become apparent there are ways to improve existing elements of the regime, and there are external influences which have impacted on the efficacy of the legislation.

Although there were a few calls from privacy advocates for the Government to ‘go back to the drawing board’ entirely on the provisions, the Office has no substantive evidence to suggest that the private sector scheme has any significant flaws to warrant dramatic changes.

Provisions have generally worked well for business

The overall view from the business sector is that the scheme has worked well for them, and that there is considerable support for it as it currently stands. Generally speaking, it appears that in most areas, the scheme has met its objective of not unduly impeding the free flow of information, or the right of business to achieve their objectives in an efficient way.

Consumers are less satisfied

Generally speaking however, those representing the consumer and privacy advocate groups were less satisfied that the private sector provisions had met their objectives of adequately providing for the privacy rights of individuals.

International concerns

One area where the private sector provisions have not met their objectives in the way that was anticipated is the objective of meeting international concerns and Australia’s international obligations relating to privacy. It appears that this has been less of a concern to many stakeholders than might have been expected at the time the provisions were enacted. A particular example of this is achieving European Union (EU) adequacy to enable businesses to engage in trade involving personal information with European businesses.

Despite the fact that the private sector provisions have not yet been found adequate by the EU, in general, business does not report a major impediment to trade. In addition, the issue of global trade beyond the EU has meant that the need to address consistency in privacy regulation at a global level has become important. The APEC initiatives on privacy are evidence of this shift.

Approved NPP Codes

Another area where the objectives of the private sector provisions have not been achieved in the way that was anticipated is the adoption of industry and organisation codes by the private sector to regulate their collection, use and disclosure of personal information. There are only three approved codes under the Privacy Act. However, there is no call for the repeal of the code provisions of the Act despite the very low level of take-up. Most businesses appear content to be regulated by the NPPs and to have the Office as their external complaints handling body.

A single national scheme

There is significant inconsistency

There is evidence that the failure of the private sector provisions to meet their objective of achieving national consistency in privacy regulation has had consequences for business efficiency. There is also some evidence that this has posed some impediments in the way of individuals seeking to be aware of, and have respected, their privacy rights. The inconsistency operates at a number of levels, including within the Privacy Act itself, within Commonwealth regulation impacting on privacy, and between state and Commonwealth legislation. The area of privacy involving health information, including health research, has been clearly identified as being greatly affected by all these levels of inconsistency. Other areas affected include employee privacy and tenancy databases.

Reasons for the inconsistency

These inconsistencies have emerged for a number of reasons, some of which relate directly to the formulation of the private sector provisions. Others are a consequence of the rapidly changing environment in which the provisions are operating, and in particular, the heightened security concerns following September 11, and the developments in new technology.

One factor contributing to inconsistency is that within the Privacy Act, there are two sets of slightly different privacy principles, one for the Australian public sector and one for the private sector. As the Government has increasingly drawn upon the private sector - for example, welfare organisations - to carry out activities that were once performed by its agencies, this has become more of an issue.

Another factor appears to be the presence of exemptions in the Act. Submissions and consultations suggest that areas of inconsistency are arising because states and territories are legislating in areas covered by the exemptions. A key example of concern to business is the area of surveillance in the workplace. In the absence of privacy protection in this area in the federal Privacy Act, states and territories are legislating and each in a slightly different way.

There are also problem areas such as the regulation of tenancy databases by states and territories. As the NPPs do not totally regulate tenancy databases, states and territories are legislating in this area, once again, in a slightly different way.

The desire for more detailed and binding guidance for health care providers, together with inconsistency between private sector provisions and state public sector privacy principles, could also be considered reasons for states to legislate in the health area. Submissions from business and consumers, and consultations indicate overwhelmingly that this has created a range of different rules that is confusing for health care providers, other businesses holding health information and consumers.

The Office’s complaints caseload, which is larger than expected as a result of the private sector provisions, has meant that the Office has not clarified the application of the NPPs in some of these areas (for example, tenancy databases) as speedily as it would like. In the mean time, states have moved to address what was emerging as a community need to ensure that tenants were not denied housing as a result of inaccurate and unfair listings.

Finally, rapidly changing technology has resulted in Commonwealth legislation that is outside of, but overlaps with, the Privacy Act. The Spam Act 2003 is an example. Spam was less of a concern in 1999 when the private sector provisions were formulated and the private sector provisions did not address this issue. This situation may arise again with the (future) development of new pervasive technologies. Businesses are concerned to ensure that when it does, the provisions fit well with the private sector provisions.

Approach to recommendations

This report makes a range of recommendations including strategies to address these inconsistencies. But as indicated by the complex factors contributing to these, there is no easy or single fix, especially in a federal system of government. Resolving the issues will involve commitment from all levels of government and a willingness to focus on the big picture.

One thing that became clear in conducting the review is that many of the issues that arise in relation to the operation of the private sector provisions are inter-related. This inter-relation has to be taken into account in recommendations. Recommendations on one aspect of operation will also have the potential to address issues on other aspects of operation.

It is also the case that there are a number of ways that issues arising out of the review could be addressed. Which approach is taken in one area may affect what approach is best taken in other areas. For this reason, in a number of areas, this report has made recommendations as options that could be taken up depending on the approach taken in addressing other issues.

Resourcing implications of reform

In developing recommendations as part of this review, the Office has been aware of the resource implications of reform. Since the implementation of the private sector provisions, the Office has shifted resources from its guidance and advice role to its compliance role to try to better manage and resolve the complaints received. Even so, there is an unacceptably long waiting list of complaints to be handled. This satisfies neither business, who have invested in compliance and in whose interest it is to have complaints against them settled quickly, nor consumers.

Submissions from all sectors discuss funding for the Office[1]. A number of submissions expressly support an increase in resources being granted to the Office[2]. Many of these submissions are particularly concerned by the backlog of complaints and subsequent delay in resolving complaints[3].

There was also a general call for more resources to ensure consumers and businesses are educated about their rights and obligations under privacy laws.[4]

In this review recommendations are made that, if implemented, will impact upon the operation of the Office. This has implications in terms of resources, for both staff and program delivery.

Main recommendations

This report makes recommendations about how the operation of the private sector provisions could be improved. Recommendations are primarily written as either actions that the Australian Government should consider doing, or as measures that the Office could or intends to undertake. A small number of recommendations involve measures that could be taken by state and territory governments.

Some recommendations involve broad high level principles around the operation of the private sector provisions, for example, recommendations to improve national consistency in privacy regulation, including health privacy regulation, and to ensure that the private sector provisions adequately protect privacy in the face of rapidly developing new technologies.

Recommendations for measures to raise awareness of both consumers and business on a range of topics are found in a number of places in the report. These particular recommendations could be regarded as forming the ‘lynchpin’ for a scheme that is intended to operate in a way that benefits individuals while recognising the right of businesses to achieve their objectives in an efficient way.

Other recommendations aim to increase the control that individuals have over their personal information, particularly in relation to information collected about them indirectly or used or disclosed for other purposes such as direct marketing. These include measures to promote short form privacy notices, and a general opt-out right for direct marketing.

The report makes recommendations about the small business exemption aimed at simplifying its application while suggesting that some sectors that have higher privacy risks should be covered by the private sector provisions.

The report also makes recommendations aimed at improving the transparency and fairness of the Office’s complaints process, and to enable it to better identify and address systemic issues.

Some issues raised are complex and need further consideration by the Australian community. The Office identified the application of the private sector provisions to research, in particular medical research, and to new technologies as warranting further debate. The main recommendations on these issues are that they should be considered in the context of a wider review of the Privacy Act.

In response to concerns that organisations need more guidance or that the NPPs may need amending to ensure that they are applied in a commonsense way, recommendations are made on such matters as alternative dispute resolution schemes, access to health records and major national emergencies.

The report makes a number of more technical recommendations that aim to increase certainty about the application of the NPPs, which in many cases clarify what is already existing practice.

Throughout the report, but particularly in the recommendations, there has been careful consideration of the balance between protecting individual rights while recognising the collective needs of the community including the business community.

Finally, it became apparent that while the private sector provisions work well, it may be appropriate for the Government to undertake a wider review of privacy for Australians in the 21st century.

The NPPs are based on principles developed in the 1970s and it may be fitting to consider how the operating environment has changed over the last 30 years. For example: Is our definition of personal information still appropriate given technological advances? Do we need different sets of privacy principles covering the private and public sectors? Should the legislation make a distinction between data controllers and data operators? Should the legislation only cover protection of data about living persons? In a changed security environment what are people’s expectations about their personal information?

In some of the 85 recommendations there is a reference to this wider reviewof privacy. Given that it is a recurring theme throughout the report to givemore considered thought to ‘bigger picture’ issues, a recommendation hasbeen made here in the Overview Section. It is the first recommendation listedbelow, and is followed by the recommendations as identified in each chapter.

Recommendations:

Recommendation: Wider review of Privacy Act

1. The Australian Government should consider undertaking a wider review of privacy laws in Australia to ensure that in the 21st century the legislation best serves the needs of Australia.

Recommendations: National consistency

The Privacy Act has not achieved its object of establishing a ‘single comprehensive national scheme’ for the protection of personal information. As submissions reveal, national consistency is important to business, to charities and to individuals. The lack of national consistency contributes significantly to the costs imposed on business.

2. The Australian Government should consider amending section 3 of the Privacy Act to remove any ambiguity as to the regulatory intent of the private sector provisions.

3. The Australian Government should consider asking the Council of Australian Governments (COAG) to endorse national consistency in all privacy related legislation.

4. The Australian Government should consider setting in place mechanisms to address inconsistencies that have come about, or will come about, as a result of exemptions in the Privacy Act, for example, in the area of workplace surveillance.

5. The Australian Government should consider commissioning a systematic examination of both the IPPs and the NPPs with a view to developing a single set of principles that would apply to both Australian Government agencies and private sector organisations. This would address the issues surrounding Australian Government contractors.

6. The Australian Government should consider changing, by legislative amendment, the name of the Office of the Privacy Commissioner to the Australian Privacy Commission.

7. The Australian Government should consider amending the Privacy Act to provide for a power to make binding codes.

Recommendations: Telecommunications consistency

8. The Australian Government should consider amending the Privacy Act and the Telecommunications Act to clarify what constitutes authorised uses and disclosures under the two Acts, and to ensure that the Privacy Act cannot be used to lower the standard of privacy protection in the Telecommunications Act.

9. The Australian Government should consider making regulations under section 6E of the Privacy Act to ensure that the Privacy Act applies to all small businesses in the telecommunications sector, including Internet Service Providers and Public Number Directory Producers.

10. The Office will discuss with the Australian Communications Authority the development of guidance to clarify the relationship between the private sector provisions of the Privacy Act and Part 13 of the Telecommunications Act.

11. The Office will discuss with the Australian Communications Authority the development of guidance to clarify the relationship between the private sector provisions of the Privacy Act and the Spam Act.

Recommendations: Health consistency

12. The Office urges the National Health Ministers’ Council to finalise the National Health Privacy Code. This should include agreement by all jurisdictions on the contents of the code and on its consistent implementation in each jurisdiction.

13. The Australian Government should consider adopting the National Health Privacy Code as a schedule to the Privacy Act. This would recognise the Australian Government’s part in the consistent enabling of the Code. Should agreement not be reached by all jurisdictions about implementing the Code, the Australian Government should still consider adopting the code as a schedule to the Act to provide greater consistency of regulation for the handling of health information by Australian Government agencies and the private sector. (See also recommendations 29, 33 and 35.)

Recommendations: Residential tenancy databases

14. The Australian Government should advance as a high priority the work currently being undertaken by the Working Group on Residential Tenancy Databases of the Ministerial Council on Consumer Affairs/Standing Committee of Attorneys-General.

15. The Australian Government should consider, depending on the outcome of the Ministerial Council on Consumer Affairs/Standing Committee of Attorneys-General, making the Privacy Act apply to all residential tenancy databases. This could be done by using the existing power under section 6E to prescribe them by regulation, or by amending the consent provisions (section 6D(7) and section 6D(8)) that apply to the small business exemption. (See recommendation 53.)

16. If the Privacy Act is amended to provide for a power to make a binding code (see recommendation 7) and, depending on the outcome of the Ministerial Council on Consumer Affairs/Standing Committee of Attorneys-General, the Privacy Commissioner could make a binding code that applies to tenancy databases.

Recommendation: EU ‘adequacy’ and APEC

17. There is no evidence of a broad business push for ‘adequacy’. Given the increasing globalisation of information, however, there may be long term benefits for Australia in achieving EU ‘adequacy’. Certainly the globalisation of information makes the implementation of frameworks such as APEC important. The Australian Government should continue to work with the European Union on the ‘adequacy’ of the Privacy Act and continue work within APEC to implement the APEC Privacy Framework.

Recommendation: NPP 9

18. The Office will provide further guidance to assist organisations to comply with NPP 9 by issuing an information sheet outlining the issues that should be addressed as part of a contractual agreement and how to more easily assess whether a privacy regime is substantially similar.

Recommendations: Control over personal information

19. The Australian Government should consider amending NPP 5.1 to provide for short form privacy notices. This could also clarify the obligations on organisations to provide notice, and the links between NPP 1.3 and NPP 5.1.

20. The Office will encourage the development of short form privacy notices. It will also play a more active role in assisting businesses to develop their notices by developing template notices for different sectors, in consultation with them, and by issuing examples of both satisfactory and unsatisfactory notices.

21. The Office will develop guidance to the effect that privacy notices should be dated.

22. The Office will develop guidance on bundled consent, noting the possible tension between the desirability of short form privacy notices and the desirability of lessening the incidence of bundled consent.

Recommendations: Direct marketing

23. The Australian Government should consider amending the Privacy Act to provide that consumers have a general right to opt out of direct marketing approaches at any time. Organisations should be required to comply with the request within a specified time after receiving the request.

24. The Australian Government should consider amending the Privacy Act to require organisations to take reasonable steps, on request, to advise an individual where they acquired the individual’s personal information.

25. The Australian Government should consider exploring options for establishing a national ‘Do Not Contact’ register.

Recommendations: Consumer education

26. The Australian Government should consider specifically funding the Office to undertake a systematic and comprehensive education program to raise community awareness of privacy rights and obligations.

27. The Office will continue to collect demographic information about complainants. It will seek to identify and then remove any barriers that prevent sectors of the community from knowing about and exercising their privacy rights.

Recommendations: Access generally

28. The Australian Government should consider amending NPP 6 to provide that when an individual’s personal information is corrected in response to a request from the individual, the organisation should be obliged to notify third parties, where practicable, that they have received the inaccurate information.

29. The Australian Government should consider adopting the Australian Health Ministers’ Advisory Council (AHMAC) Code as a schedule to the Privacy Act (see recommendation 13). This will address the issue of intermediaries, and the issue of fees for access. (See also recommendations 13, 33 and 35.)

30. The Office will develop further guidance on the operation of NPP 6.1 on ‘serious threat to life or health’, explaining that a serious threat to a therapeutic relationship could be a serious threat to a person’s health. This will go some way towards addressing what appears to be a too narrow interpretation of NPP 6.1(b) by some practitioners.

31. The Office will develop guidance on fees for access to personal information.

32. The Office will develop guidance on the meaning of NPP 6.5, which requires that an individual ‘establish’ that information is not accurate before the organisation needs to take reasonable steps to correct it.

Recommendations: Transfer of health records

33. The Australian Government should consider adopting the Australian Health Ministers’ Advisory Council (AHMAC) code as a schedule to the Privacy Act. This will address the issue of the transfer of health records to another health service provider. (See also recommendations 13, 29 and 35.)

34. The Australian Government should consider, if the AHMAC Code is not adopted into the Privacy Act, amending the NPPs to include a new principle along the lines of National Health Privacy Principle 11 in the AHMAC Code.

Recommendations: Health service ceases to operate

35. The Australian Government should consider adopting the AHMAC code as a schedule to the Privacy Act. This will address the issue of access to health records when a health service ceases to operate. (See also recommendations 13, 29 and 33.)

36. The Australian Government should consider, if the AHMAC Code is not adopted into the Privacy Act, amending the NPPs to include a new principle along the lines of National Health Privacy Principle 10 in the AHMAC Code.

Recommendations: Complaints handling and compliance

Approach to compliance

37. The Office will maintain its current approach to compliance, including the focus on attempting to conciliate complaints in the first instance as set out in Information Sheet 13. However, the Office will consider whether it might be appropriate in some circumstances to use its other powers earlier, such as the determination making power.

38. The Office will consider options for providing more feedback on systemic issues, either in advice or guidance or in some form of regular update to stakeholders.

39. The Office will consider promoting privacy audits by private sector organisations, including by providing information on the value of auditing as evidence of compliance in the event of complaints and by developing and providing privacy audit training for organisations.

Review rights for complaint decisions

40. The Australian Government should consider amending the Privacy Act to give complainants and respondents a right to have the merits of complaints decisions made by the Privacy Commissioner reviewed.

Fair and transparent complaint processes and resolution

41. The Australian Government should consider amending National Privacy Principle 1.3 to require organisations to tell individuals how they can complain to the organisation; and that, if the complaint is not resolved, they can also complain to the Privacy Commissioner or (where relevant) the code adjudicator.

42. The Office will review its complaints handling processes and will consider the circumstances in which it might be appropriate to make greater use of the Commissioner’s power to make determinations under section 52 of the Privacy Act.

43. The Office will also consider measures to increase the transparency of its complaints processes and complaint outcomes.

Additional powers

44. The Australian Government should consider amending the Privacy Act to:

  • expand the remedies available following a determination under section 52 to include giving the Privacy Commissioner power to require a respondent to take steps to prevent future harm arising from systemic issues
  • provide for enforceable remedies following own motion investigations where the Commissioner finds a breach of the NPPs
  • provide a power for the development of binding codes and/or binding guidelines in cases where there is a strong public interest, where more detailed guidance is warranted or complaints reveal recurrent breaches (see recommendation 7).

Resourcing implications and complaint handling

45. The Australian Government should consider the strong calls by a wide range of stakeholders for the Office to be adequately resourced to meet its complaint handling functions.

46. The Australian Government should consider amending the Privacy Act to give the Commissioner a further discretion not to investigate complaints where the harm to individuals is minimal and there is no public interest in pursuing the matter.

Recommendation: Approved privacy codes

47. The Office will review the Code Development Guidelines dealing with the processes relating to code approval with a view to simplifying them.

Recommendations: Business awareness

48. The Australian Government should consider the benefits of greater business and community awareness of privacy and specifically fund the Office to undertake a systematic and comprehensive education program to raise business awareness.

49. The Office will review existing information sheets and develop information sheets on key issues identified in submissions.

50. The Office will develop strategies for communication with stakeholders, including establishing a privacy contact officer network for private sector organisations.

Recommendations: Small business exemption

51. The Australian Government should consider retaining but modifying the small business exemption by amending the Privacy Act so that the definition of small business is expressed in terms of the ABS definition, currently 20 employees or fewer, rather than annual turnover.

52. The Attorney-General should consider using the power under section 6E of the Privacy Act to prescribe the tenancy databases and telecommunications sectors, including Internet Service Providers and Public Number Directory Producers, as businesses to be covered by the Act. (See recommendations 9 and 15.)

53. The Australian Government should consider amending the Privacy Act to remove the consent provisions (sections 6D(7) and 6D(8)).

Recommendations: Private sector contracting

54. The Australian Government should consider amending NPP 4 to impose an obligation on an organisation to ensure personal information it discloses to a contractor is protected.

55. The Australian Government should consider, in the context of the wider review of the Privacy Act (see recommendation 1), whether there should be a distinction between data controllers and data operators.

56. The Office will amend the Guidelines to the National Privacy Principles to clarify that businesses that give personal information to contractors for the purpose of performing a function on their behalf should impose contractual obligations on the contractor to take reasonable steps to protect the information.

Recommendation: Due diligence

57. The Australian Government should consider amending the NPPs to take into account the practice of due diligence.

Recommendations: Media exemption

58. The Australian Government should consider amending the Privacy Act so that:

  • the Australian Broadcasting Authority (ABA) and media bodies must consult with the Privacy Commissioner when developing codes that deal with privacy and
  • the term ‘in the course of journalism’ is defined and the term ‘media organisation’ is clarified.

59. The Office will, in conjunction with the ABA, provide greater guidance to media organisations as to appropriate levels of privacy protection, especially in relation to health issues, and make organisations aware that the media exemption is not a blanket exemption.

Recommendations: Research

60. As part of a broader inquiry into the Privacy Act (see recommendation 1), the Australian Government should consider:

  • how to achieve greater consistency in regulating research activities under the Privacy Act
  • whether regulatory reform is needed to address the issue of de-identification in the context of research and the handling of health information
  • where the balance lies between the public interest in comprehensive research that provides overall benefits to the community, and the public interest in protecting individuals’ privacy (including individuals having choices about the use of their information for such research purposes)
  • whether there is a need to amend NPP 2 to permit the use and disclosure of personal information for research that does not involve health information
  • undertaking further research and education work with the broader community to ensure that the balance between research and privacy accords with what the community expects and understands.

61. The Office will issue guidance in relation to NPP 2 to clarify that organisations can disclose health information for the management, funding and monitoring of a health service.

62. The Office will work with the National Health and Medical Research Council to simplify the reporting process for human research ethics committees under the section 95A guidelines.

Recommendations: Decision-making where capacity is impaired

63. The Australian Government should consider, in order to ensure that the Privacy Act does not prevent individuals with a decision-making disability from receiving a range of utilities and other services, amending NPP 2 to permit the disclosure of non-health information to a class of persons the same, or similar, to that described in NPP 2.5, where an organisation considers the disclosure to be necessary for the management of the person’s affairs in a way that their financial or other interests are secured or safeguarded.

It would be appropriate to consider developing such an amendment in consultation with the Australian Guardianship and Administration Committee.

64. The Office will, in recognition that disclosures of health information under NPP 2 are appropriately permitted in law but may not occur in practice, develop further and more practical guidance.

Recommendation: Law enforcement

65. The Office will work with the law enforcement community, private sector bodies and community representatives to develop more practical guidance to assist private sector organisations to better understand their obligations under the Privacy Act in the context of law enforcement activities.

Recommendation: Private investigations

66. The Australian Government, through the Attorney-General, should consider requesting that the Standing Committee of Attorneys General (SCAG) consider the issues raised by the Australian Institute of Private Detectives, as they are broader than the Privacy Act.

Recommendations: Alternative dispute resolution schemes

67. The Australian Government, in recognising the important role played by Alternative Dispute Resolution (ADR) schemes, and in an attempt to formalise advice already given by the Office, should consider:

  • amending NPP 2 to enable use and disclosure of personal information to ADR schemes in the course of handling disputes
  • amending NPP 10 to enable collection of sensitive information where it is necessary for the investigation and resolution of claims under an ADR scheme
  • defining the term ‘Alternative Dispute Resolution Scheme’ for these purposes in the Act.

Recommendations: Large scale emergencies

68. Privacy laws should take a common sense approach. There needs to be an appropriate balance between the desirability of having a flow of information and protecting individuals’ right to privacy. In developing an exception to disclosure for cases of national emergencies, consideration should be given to the seriousness of the privacy breach versus that of protecting privacy.

In large scale emergencies, the consequences of disclosure should be compared to the consequences of non-disclosure. Consideration also needs to be given to the potential identity fraud that may occur during such a time, especially if disclosure is allowed to the media.

The Australian Government should consider:

  • amending NPP 2 to enable disclosure of personal information in times of national emergency to a ‘person responsible’
  • extending the NPP 2.5 definition of ‘person responsible’ to include a person nominated by the family to act on behalf of the family
  • amending the Privacy Act to enable the Privacy Commissioner to make a Temporary Public Interest Determination without requiring an application from an organisation
  • defining ‘National Emergency’ as ‘incidents’ determined by the Minister under section 23YUF of the Crimes Act 1914.

Recommendations: New technologies

69. The Australian Government should consider, in the context of a wider review of the Privacy Act (see recommendation 1), reviewing the National Privacy Principles and the definition of personal information to assess whether they remain relevant in the light of technological developments since the OECD principles were developed. This should ensure that the private sector provisions remain technologically neutral and relevant to protect data privacy in the main contexts in which information about people is currently collected, used and disclosed.

70. The Australian Government should consider initiating discussions through appropriate international forums about how to deal with major international jurisdictional issues arising from the global reach of new technologies such as Voice over Internet Protocol (VoIP).

71. The Australian Government should consider developing specific enabling legislation to underpin any national electronic health records system. The legislation should be consistent with the National Health Privacy Code, but also include enhanced protections for matters such as the voluntariness of the system and limitations upon the uses of people’s health records.

72. The Office will issue further guidance, consistent with the current law, on what is personal information, which takes into account the fact that in the current environment it is more difficult to assume that any information about people cannot be connected.

73. The Office could use, if necessary, any new powers to develop binding codes (see recommendation 7) to deal with technologically specific situations.

Recommendation: NPP 1.3(d)

74. The Australian Government should consider amending NPP 1.3(d) to make clear that an organisation collecting personal information from an individual must take reasonable steps to notify them of likely disclosures generally, including to public sector agencies of the Australian Government, state or local governments, other bodies and private individuals.

Recommendation: Reasonable steps for NPP 1.3 and 1.5

75. The Australian Government should consider amending NPP 1.3 and NPP 1.5 to make clear that there are situations in which the reasonable steps an organisation might take to provide notice to an individual may equate to no steps.

Recommendation: NPP 1.5 – ‘Someone’

76. The Australian Government should consider amending NPP 1.5 to remove the term ‘someone’, and to make clear that an organisation has an obligation to take reasonable steps to provide notice to an individual when collecting their personal information indirectly, from any source.

Recommendations: Primary purpose and health information

77. The Office will work with the health sector to develop further guidance about the operation of NPP 2 as it specifically relates to the issue of primary and secondary purpose in health care.

78. The Office will provide clearer guidance on the operation of NPP 2 to give more effective and practical assistance to demonstrate how the principle operates. This will take into account the range of relationships between health services and individuals, particularly where individuals agree to a holistic approach to the delivery of a health service.

Recommendation: NPP 3 – Data quality

79. The Office will provide further guidance to organisations about their obligations under NPP 3, particularly to ensure they take a proportional approach to complying with the principle. This will include guidance about organisations taking into account whether or not there are good privacy reasons for seeking to update an individual’s personal information.

Recommendation: NPP 7 – Identifiers

80. The Australian Government should consider using the existing regulation-making mechanism under NPP 7 to address circumstances such as those identified by Centrelink regarding concessional entitlements.

Recommendations: NPP 10 – Public Interest Determinations

81. The Australian Government should consider amending NPP 10 to include an exception that mirrors the operation of Public Interest Determinations 9 and 9A.

82. The Australian Government should consider undertaking consultation on limited exceptions or variations to the collection of family, social and medical history information, particularly with regard to genetic information and the collection practices of the insurance industry.

Recommendations: NPP 10.2(b)

83. The Australian Government should consider amending NPP 10.2 to permit the collection of health information (under NPP 10.2(b)(i)) ‘as authorised by law’ in addition to ‘as required by law’.

84. The Australian Government should consider amending NPP 10.2(b)(ii) to clarify the nature of the binding rules intended to be covered by this provision, particularly with regard to the substantive content of such rules.

Recommendations: Deceased persons

85. If the National Health Privacy Code is adopted into the Privacy Act (see recommendation 13), then protection for health information under these provisions would extend to deceased persons. Also, the Australian Government’s response to the Australian Law Reform Commission and the Australian Health Ethics Committee’s inquiry into the protection of human genetic information in Australia may have implications for the Privacy Act. In addition, the Australian Government should consider as part of a wider review (recommendation 1) whether the jurisdiction of the Privacy Act should be extended to cover the personal information of deceased persons.

1. Background

1.1 This Inquiry

Background to the review

The Review of the Privacy Act was foreshadowed by the former Attorney-General the Hon Daryl Williams AM QC MP in his second reading speech for the Privacy Amendment (Private Sector) Act 2000. The Commissioner was asked to review the operation of the private sector provisions of the Act by the Attorney-General, the Hon Philip Ruddock MP, on 13 August 2004.

Terms of Reference

The Office conducted the review within the terms of reference outlined by the Attorney-General. They are included in full at Appendix 1 of this report. They provide for an assessment of the operation of the private sector provisions and a consideration of the extent to which the private sector provisions meet their objects. These objects include creating a single comprehensive national scheme for the appropriate handling of an individual’s personal information by organisations, in a way that:

  • meets international concerns and obligations relating to privacy
  • recognises individuals’ interests in protecting privacy and
  • recognises important human rights and social interests that compete with privacy, including the general desirability of the free flow of information (through the media and otherwise) and the right of business to achieve its objectives efficiently.

Matters not included in the review

The terms of reference exclude aspects of the private sector provisions from the review, including:

  • genetic information
  • employee records
  • children’s privacy and
  • electoral roll information and the related exemption of political organisations from the Privacy Act.

The terms of reference state that these areas are currently, or have recently been, subject to processes of review.

The terms also mean that Part IIIA of the Privacy Act, which deals with credit reporting, has not been reviewed. However, the credit reporting provisions, where relevant to the operation of the private sector provisions, have been considered.

Other relevant privacy related reviews and processes

There are a number of processes underway that touch on privacy in some way, for example, initiatives to develop a national health code (the Australian Health Ministers’ Advisory Council (AHMAC) process) and the review of privacy protection for employee records. In developing the recommendations in this report, the Office has taken into account, where appropriate, the work being done in these areas.

Research

To help inform the review work, including submissions to the review, the Office conducted research into community attitudes towards privacy in April 2004. This complements research it conducted in July 2001 into attitudes towards privacy in the spheres of government, business and the community. This Community Attitudes Research can be found on the Office’s website. The results of the 2004 research are summarised at Appendix 6 and the full report is to be found on the Office’s website.

Framework for assessing issues

The terms of reference ask the Privacy Commissioner to consider the degree to which the private sector provisions meet their objects. The Office used this framework for assessing the provisions. This involved considering the following issues.

1. Do the provisions provide a comprehensive, national, consistent set of standards for privacy? Do they fit seamlessly into the Privacy Act? Do they relate effectively with other federal privacy provisions, the privacy laws of the States and Territories and other relevant federal law?

2. Do the provisions operate in a way that assists Australian businesses to operate internationally? Are they adequate to ensure Australia fulfils its international obligations relating to privacy?

3. Are individuals confident that their interests in protecting their privacy are recognised and that personal information that is collected, used, stored and disclosed by organisations is adequately protected? Are individuals aware of, and able to exercise, their rights?

4. Do the provisions strike an appropriate balance between privacy and competing human rights and social interests, including free speech, medical research, national security, law enforcement and property rights? Is there a free flow of information? Is business aware of its obligations and able to comply with them while still achieving its objectives efficiently?

Conduct of the review – overview of consultation

The Privacy Commissioner received the terms of reference from the Attorney-General on 13 August 2004. The review of the private sector provisions was completed by 31 March 2005. The Privacy Commissioner encouraged widespread public participation in the review through a number of measures. The Office:

  • made three media releases in August, September and October advertising the review, asking organisations and individuals to give their views about the operation of the private sector provisions and informing the public about key dates in the conduct of the review
  • contacted stakeholders listed on the Office’s contacts database and network list via e-mail about the review, requesting submissions and promoting the public consultation forums. The Office made follow up phone calls to stakeholders preceding their local public consultation forum.
  • circulated an e-mail notification about the review through relevant industry and government networks
  • gave a number of presentations to industry forums and national conferences
  • conducted a number of private meetings with stakeholders at their request regarding the review and the operation of the private sector provisions of the Act.

The Commissioner appointed a steering committee to assist with and advise on the conduct of the review. The Steering Committee members were:

  • Charles Britton, Senior Policy Officer, Information Technology and Communications, Australian Consumers' Association
  • Peter Coroneos, Chief Executive Officer, Internet Industry Association
  • Ian Gilbert, Director of Retail Regulatory Policy, Australian Bankers' Association
  • Graeme Innes, Deputy Discrimination Commissioner, Human Rights and Equal Opportunity Commission
  • John O'Brien, Senior Lecturer in Industrial Relations and Organisational Behaviour, University of New South Wales
  • Joan Sheedy, Assistant Secretary, Information Law Branch, Attorney-General's Department.

The Steering Committee met on five separate occasions throughout the process to discuss the conduct of the review.

The Commissioner also reconvened the core consultative group which had been formed by the Attorney-General in 1998 to advise on the development of the private sector provisions. The group, reconvened by the Commissioner and renamed the Review Reference Group, consisted of approximately 40 representatives from consumer groups, industry and government who have been affected by the operation of the Act. Approximately half of the reconvened group were part of the original group that advised on the introduction of the private sector provisions. The Review Reference Group was consulted regarding the conduct of the review, the issues contained in the issues paper, and the options for reform. The list of members is available at Appendix 2.

Issues Paper

To assist stakeholders to make submissions the Commissioner released an issues paper on 27 October 2004.

The issues paper sought to provide a framework for assessing the extent to which the private sector provisions met their objectives as defined in the terms of reference. The issues paper closely followed the terms of reference and sought to help stakeholders assess whether the provisions meet international concerns and Australia’s obligations relating to privacy. It raised issues about whether the legislation provides appropriate protection of individuals’ privacy while allowing a balance to be struck with competing human rights and social interests, including the desirability of a free flow of information and the right of business to achieve its objectives efficiently.

Consultation Meetings

The Office organised consultation meetings in all of the capital cities during 2004. Meetings were held in:

  • Adelaide on 4 November
  • Perth on 11 November
  • Hobart on 17 November
  • Melbourne on 18 November
  • Sydney on 22 November
  • Darwin on 25 November
  • Brisbane on 30 November
  • Canberra on 8 December

There were also health forums held in Perth on 11 November, Melbourne on 18 November and Darwin on 25 November. In addition, a telecommunications forum was convened in Melbourne on 19 November 2004.

At each meeting the Commissioner or a representative of the Office led the discussion using a presentation which can be found on the Office’s website.

The consultation forums were attended by a wide range of participants from diverse industry sectors, including the finance sector, direct marketing, credit reporting, debt collection, law firms, law societies, telecommunications, retail, real estate, fundraising and the health sector (including doctors, researchers and pharmacists), and the community sector, including consumer and public interest advocates, community legal and tenancy advice centres and union representatives.

Issues raised in these forums have been incorporated throughout this report.

Written Submissions

The Commissioner encouraged stakeholders to make written submissions to aid the Review. In all the Review received 136 written submissions (see Appendix 3), ranging in length and style, from individuals, organisations, industry bodies, advocacy groups and government agencies. Of these, 20 submissions requested to remain confidential. These submissions can be found on the Office’s website.

Structure of report

The structure of this Report reflects the Terms of Reference received from the Attorney-General.

Chapter 1 gives background to the inquiry and an overview of the private sector provisions of the Privacy Act.

Chapter 2 examines the degree to which the private sector provisions establish national consistency in the way private sector organisations collect, hold, use, correct, disclose and transfer personal information.

Chapter 3 considers how adequately the private sector provisions meet international concerns and Australia’s international obligations relating to privacy.

Chapter 4 considers the effectiveness of the private sector provisions in protecting individuals’ rights to privacy.

Chapter 5 considers the effectiveness of the private sector provisions in enforcing individual rights to privacy.

Chapter 6 considers how effectively the private sector provisions balance an individual’s right to privacy with other competing social interests such as business efficiency and the desirability of a free flow of information.

Chapter 7 considers other social interests that compete with privacy and whether the private sector provisions have achieved the appropriate balance.

Chapter 8 looks at developments in new technologies.

Chapter 9 looks at whether any NPPs not addressed elsewhere in the report may need to be amended to create greater certainty in their interpretation.

Chapter 10 covers other issues that arise in relation to the private sector provisions.

1.2 Private Sector Provisions of the Privacy Act

History of Commonwealth Privacy Legislation

Commonwealth agencies

The Privacy Act was enacted in 1988. It provides for the Office of the Privacy Commissioner and a Privacy Commissioner and lists 11 principles governing the collection, use, storage, access to, maintenance and disclosure of an individual’s personal information. These Information Privacy Principles (IPPs) apply to personal information held by Australian Government agencies. Since 1994, the IPPs have also applied to Australian Capital Territory (ACT) agencies.

Tax file numbers and credit reporting

The Privacy Act also provides for the Commissioner to issue tax file number guidelines and to investigate acts or practices of tax file number recipients that breach these guidelines.

In 1990, the Privacy Act was amended to regulate the handling of credit reports and other credit worthiness information about individuals held by credit reporting agencies and credit providers[5].

Private sector

Voluntary principles

In February 1998, following extensive consultation, the Privacy Commissioner issued the National Principles for the Fair Handling of Personal Information (the National Principles), compliance with which was voluntary. This was partly in response to a directive on information privacy adopted in October 1995 by the European Parliament and the Council of the European Union (EU) which included a provision that personal data could not be transferred from an EU country to a non-EU country unless there was an adequate level of information privacy.

Privacy Amendment (Private Sector) Act 2000

In late 1998, the Government announced its intention to legislate to support and strengthen privacy protection in the private sector. After widespread consultation the Privacy Amendment (Private Sector) Act 2000 was passed in December 2000 with a commencement date of 21 December 2001. It aimed to establish a single comprehensive national scheme governing the collection, holding, use, correction, disclosure and transfer of personal information by private sector organisations. It did so by means of the National Privacy Principles (NPPs) and provisions allowing organisations to adopt approved privacy codes.

Co-regulation

The approach adopted by the legislation was one of co-regulation. This refers to a legislative framework within which self-regulatory codes of practice can be given official recognition[6]. The aim of the legislation was ‘to encourage private sector organisations and industries which handle personal information to develop privacy codes of practice’[7]. In the absence of a code, the NPPs would apply. This co-regulation aimed to ensure consistency and standardisation of personal information handling[8].

Balancing rights and obligations

The legislation acknowledges that privacy is not an absolute right and that an individual’s right to protect his or her privacy must be balanced against a range of other community and business interests. These include the general desirability of a free flow of information (through the media and otherwise) and the right of business to achieve its objectives efficiently. The legislation seeks to achieve the appropriate balance by providing for, among other things, a number of exemptions from the legislative requirements, including most small businesses.

Key drivers for private sector provisions

The Explanatory Memorandum for the private sector provisions outlined concerns raised in consultations on the absence of privacy protection that self-regulation had not resolved. It said:

‘These concerns include

  • the potential for barriers to international trade for business
  • the lack of protection afforded to the consumer
  • the effects on the take-up of electronic commerce resulting from lack of protection to consumers
  • the lack of comprehensive coverage of business
  • the possibility that some States and Territories will impose stricter controls, which may result in inconsistencies between jurisdictions’[9].

Another factor underpinning the legislation was the International Covenant on Civil and Political Rights (ICCPR) that Australia had ratified. This provides that individuals shall not be subjected to arbitrary or unlawful interference with their privacy and that they have the right to the protection of the law against such interference or attacks[10].

2004 amendments to the legislation

Amendments to the legislation in April 2004[11] make it clear that the protection provided by NPP 9, which regulates transborder data flows, applies equally to the personal information of individuals who are Australian and those who are not. They remove the nationality and residency limitations on the power of the Privacy Commissioner to investigate complaints relating to the correction of personal information. They also give businesses and industries more flexibility in developing privacy codes by allowing the codes to cover otherwise exempt acts and practices where the authors of the code wish to do so.

What do the Private Sector Provisions cover?

Purpose

The private sector provisions of the Privacy Act give individuals control over the way personal information about them is handled by private sector organisations. They regulate the way many private sector organisations collect, use, keep secure and disclose personal information. They also give individuals a right to know what information an organisation holds about them and a right to correct it if it is wrong.

Who is covered?

The provisions apply to organisations, including corporations and unincorporated associations, with an annual turnover of more than $3 million. They also apply, regardless of annual turnover, to all private sector health service providers, to organisations that buy and sell information without the individual’s consent, and to contracted Commonwealth service providers in relation to their contractual activities[12]. Specified acts and practices of organisations are exempt from the operation of the Privacy Act. These include, in general terms, acts or practices:

  • done by an individual other than in the course of the individual’s business, for example, in the course of his or her personal, family or household affairs[13]
  • that are related to an employee record and directly related to the employment relationship[14]
  • done in the course of journalism by a media organisation that is publicly committed to observing published privacy standards[15] and
  • done by a politician or political organisation, and their contractors, subcontractors and volunteers, in relation to electoral matters[16].

What obligations are imposed?

In general terms, a private sector organisation covered by the Act must not do anything that breaches an approved code binding on it. If not bound by an approved code, it must not do anything that breaches an NPP.

National Privacy Principles

The NPPs govern the collection, use and disclosure, security, quality and access to and correction of personal information. They include principles applicable to the use and disclosure of personal information for specific purposes, including:

  • direct marketing
  • in the case of health information, research or statistical compilation or analysis relevant to public health or public safety
  • protection of health and safety and
  • law enforcement.

The general principle that a person should have access to information organisations hold about them includes exceptions, such as exceptions based on health and safety, law enforcement and national security. Special provisions apply to sensitive information, including information about an individual’s racial or ethnic origin, membership of political or professional or trade associations, religious beliefs and so on. Generally speaking, a higher level of protection is afforded sensitive information than personal information.

Advice and guidance

The Office plays an active role in raising awareness about individuals’ privacy rights and in providing advice to business about its obligations. It provides information by way of its information hotline and its web site. The web site contains all the Office’s publications, answers to Frequently Asked Questions, media comments, media releases, speeches, case notes, an online complaint checker, multi-lingual web pages, guidelines, information sheets, brochures and the annual report. Members of the Office also make speeches and presentations at a range of events.

Approved Codes

The Act provides for the approval of privacy codes by the Commissioner. To be approved a code must:

  • set out obligations that, overall, are at least the equivalent of all the obligations set out in the NPPs
  • specify which organisations are bound by the code
  • bind only organisations that consent to be bound and
  • if the code includes procedures for dealing with complaints, the procedures must meet specified standards.

In addition, members of the public must have been given adequate opportunity to comment on a draft of the code[17]. The Commissioner must keep a register of approved privacy codes[18].

Complaints

An individual may complain to the Commissioner about an interference with his or her privacy, unless an approved code applies and the code has its own code adjudicator. The Commissioner is required to investigate complaints, unless it is appropriate to exercise one of the discretions not to investigate, including, for example, if the individual has not first complained to the organisation in question. If the complaint is upheld, the Commissioner may make a determination that the organisation should not repeat the conduct complained about.

2 National Consistency

2.1 National consistency overall

National consistency was a goal of the legislation

In introducing the private sector provisions of the Privacy Act, the then Attorney-General, the Hon Daryl Williams AM QC MP, noted that although some Australian businesses had already established privacy codes of practice, this was not being done consistently. By contrast, the private sector amendments provide ‘a national, consistent and clear set of standards to encourage and support good privacy practices’. It was the Government’s intention:

‘to establish a single national comprehensive scheme for the protection of personal information by the private sector. However, state and territory laws would continue to operate to the extent that they are not directly inconsistent with the terms of the bill’[19].

Issues

The issues paper suggested a number of topics for submissions related to national consistency. It asked:

  • whether national consistency was important and whether or not it was being achieved
  • about areas of overlap, including overlap between the private sector provisions and other laws or regulatory schemes, and jurisdictional overlap
  • about lack of clarity as a possible issue and
  • about areas that are unregulated or under-regulated by the private sector provisions or other laws, and areas that are over-regulated.

The issues paper also suggested a number of topics for submission focussed on the Privacy Act itself. It asked about:

  • issues arising from differences between the NPPs and IPPs
  • the workability of the Australian Government contractor provisions, especially for contractors that would otherwise be exempt as a small business, and whether they could be improved
  • the interaction between the private sector provisions and the other provisions of the Act, and between the NPPs and Part IIIA of the Act and
  • how the identified issues could be addressed.

Finally, the issues paper addressed the issue of new developments in technology. This is addressed in Chapter 8.

Other law impacting on privacy

Other provisions of the Privacy Act

Public and private sector provisions integrated

The private sector provisions were enacted as an amendment to the existing Privacy Act 1988. It was intended that the NPPs would operate alongside the pre-existing provisions of the Act, including the IPPs, which apply to public sector agencies, and the provisions regulating credit reporting (largely contained in Part IIIA of the Act). Although the NPPs are similar to the IPPs, there are differences. Unlike the IPPs, the NPPs include specific provisions about the transfer of data overseas (NPP 9), and the NPPs provide more protection to defined types of ‘sensitive personal information’, including health information. The NPPs and the IPPs are included at Appendices 4 and 5 respectively.

Interaction of private sector provisions with other provisions

There are circumstances when an organisation might be subject to both the NPPs and the IPPs. An Australian Government contractor, for example, may be bound to comply with the NPPs, and will also be bound by contract to comply with the IPPs. Some government enterprises are, for the purposes of the Privacy Act, both an ‘agency’ (in relation to their non-commercial activities) and an ‘organisation’ (in relation to their commercial activities). Similarly, credit providers and credit reporting agencies will generally be an ‘organisation’ for the purposes of the private sector provisions and will be bound by the NPPs as well as the provisions of Part IIIA of the Act which impose specific obligations on them.

Other Commonwealth legislation

Overview

A number of pieces of Commonwealth legislation impose obligations on organisations that may have an impact on how those organisations comply with their obligations under the Privacy Act. This legislation is administered by various Australian Government agencies.

Misleading and deceptive conduct

Section 52 of the Trade Practices Act 1974, administered by the Australian Competition and Consumer Commission (ACCC), provides that a corporation shall not, in trade or commerce, engage in conduct that is misleading or deceptive, or is likely to mislead or deceive. This may influence the way in which an organisation complies with NPP obligations such as making people aware it has collected their personal information, openness, and giving reasons for denying access or refusing to correct personal information. A similar provision in the Australian Securities and Investments Commission Act 2001 (ASIC Act), administered by the Australian Securities and Investments Commission (ASIC), section 12D, applies to financial services.

Telecommunications

The Telecommunications Act 1997, administered by the Australian Communications Authority (ACA), includes provisions relating to privacy. The Telecommunications (Interception) Act 1979 makes it an offence to intercept communications and specifies the circumstances in which interception may lawfully take place. The Spam Act 2003 establishes a scheme for regulating commercial email and other types of commercial electronic messages. This is discussed in more detail later in this chapter at 2.3.

Other

Other relevant Commonwealth legislation includes the Corporations Act 2001, which limits use or disclosure of information on company shareholder registers (section 177), and the Commonwealth Electoral Act 1918, which regulates access to, and use and disclosure of, electoral roll information. The Australian Broadcasting Authority (ABA) may investigate complaints alleging a breach of broadcasting industry codes of practice, some of which include provisions intended to protect individual privacy[20].

State and territory legislation

New South Wales, Victoria, the Australian Capital Territory and the Northern Territory have privacy legislation that covers all or part of their own public sectors. In Tasmania, similar legislation commences on 1 July 2005. Other jurisdictions have administrative arrangements which seek to establish appropriate information handling practices. Queensland has established two standards for privacy regulation in its public sector on an administrative basis. In South Australia, an administrative instruction applies to government agencies and a Code of Fair Information Practice, based on the NPPs, applies to all personal information handled by the Department of Human Services and its agencies. The Western Australian public sector does not currently have a legislative privacy regime.

Each jurisdiction’s scheme is slightly different and so are the principles on which they are based. In addition, New South Wales and Victoria have health privacy legislation that regulates the handling of personal information in their public sectors and the private sector. They contain similar, though not identical, principles to the NPPs. The Australian Capital Territory has legislation, which predated the NPPs, covering health service providers in the public and private sector. The Australian Health Ministers’ Advisory Council (AHMAC) is currently working towards a National Health Privacy Code, which may be one way of achieving national consistency for the handling of personal health information.

Other law

Other obligations overlap with responsibilities imposed on organisations by the Privacy Act. They include:

  • legal obligations of confidence (for example, patient/doctor confidentiality and the banker’s duty of confidence) and
  • legal professional privilege.

Self regulatory mechanisms

A number of industry organisations developed their own codes.

Telecommunications. The Australian Communications Industry Forum (ACIF) has developed a number of industry codes and guidelines, some of which deal with matters relating to the handling of personal information.

Direct Marketing. The Australian Direct Marketing Association (ADMA) has developed a model code, which includes the NPPs and a reference to the NPP Guidelines. It enforces the code against its members.

E-marketing. Following passage of the Spam Act, the Australian eMarketing Code of Practice was registered under Part 6 of the Telecommunications Act.

Submissions favour national consistency

Submissions overwhelmingly support the goal of national consistency. Business generally, and the finance and retail industries in particular, think that national consistency is important.

Members of the Australian Finance Conference (63) support the Government’s object of achieving a single comprehensive scheme for handling personal information and it continues to remain important for them. It remains relevant and important to the Australian Bankers’ Association (70). It is ‘essential’ for the financial planning industry, says the Financial Planning Association (85). In the view of the Australian Association of Permanent Building Societies (91), it is ‘imperative’ for there to be a single nationally consistent scheme.

The charity sector agrees. Fundraising Institute Australia Ltd (52) argues that national consistency is important in ensuring compliance and reports that its members advise that consistency would improve their capacity to undertake their work as fundraisers.

Consumers also agree. The Consumers’ Federation of Australia (65), for example, says national consistency is essential for privacy protection for consumers in Australia. The Australian Consumers’ Association (15):

‘endorses the goal of a single, comprehensive, nationally consistent scheme for privacy protection in Australia. Such consistency makes the task of compliance by industry easier and cheaper. It facilitates education.’

On the other hand, in stakeholder forums, consumer groups made the point that they do not want national consistency at the cost of reducing privacy protection to the lowest common denominator.

The health sector, including the private hospital sector, professional organisations and public sector bodies like the Health Services Commissioner, Victoria (27), say there should be nationally consistent health standards. The Royal District Nursing Service (78) says national consistency is ‘vital’.

Objective has not been achieved

Despite the almost universal support for consistency, the objective has not been achieved in the view of very many submissions. Business and consumers agree that the objective has not been met. The Australian Consumers’ Association (15), the National Health and Medical Research Council (32), Promina (34), the Consumers’ Federation of Australia (65) and the Australian Health Insurance Association Ltd (76), for example, all agree the objective has not been achieved.

The Australian Chamber of Commerce and Industry (22) says there is a general trend towards ‘fragmentation’, which has ‘adverse consequences in terms of magnified compliance burdens, administrative duplication and overlap between the separate regimes’.

Submissions from business and consumer organisations describe an emergence of a ‘patchwork’ of federal and state and territory legislation, driven by, according to the Consumers Federation of Australia (65):

‘divisions by public and private sectors of the economy, state and federal levels of government, specific economic sectors (such as health), emerging technologies [and] gaps embodied in the federal legislation’.

Telstra (110) identifies state and territory legislation which contracted service providers must comply with and says that:

‘the proliferation of State-based legislation and inconsistency between State-based and Commonwealth legislation has the potential to add costs to conducting business with Government agencies’.

The Australian Retailers Association (111) describes recently introduced (or about to be introduced) state legislation as ‘designed to subvert the authority of the Federal Privacy Commissioner and create a complicated compliance regime for business.’

ANZ (40) is concerned that Australia will end up with differing laws among states that will confuse customers and increase compliance costs. The Insurance Council of Australia (59) describes privacy law as a ‘patchwork’, as does the Australian Bankers’ Association (70). The Australian Communications Authority (94) says there are gaps, overlap and jurisdictional confusion.

Coles Myer (60), concerned about the introduction of workplace surveillance legislation by the states, says that:

‘as with any other area of regulation (eg tax) any exemptions or possible inconsistencies provide an opportunity for the States and Territories to impose their own requirements’.

What submissions say - issues

State and territory laws are inconsistent with the Privacy Act

Overview

One of the consequences of the lack of national consistency in the wayprivacy is regulated is that organisations may be subject to inconsistent laws.There are inconsistencies between the Privacy Act and some state andterritory legislation. Submissions identify a number of examples of this.

Health services

Health services provided by the private sector are subject to the Privacy Act.They may also be subject to state and territory health records legislationwhich may not be consistent with the Privacy Act. This is discussed in detaillater in this chapter at 2.5.

Welfare organisations

Welfare organisations administer programs that are government funded. Theymay be funded by both the Australian Government and a state or territory. Acharitable organisation (11) points out that in administering its EmploymentServices and Community Services programs it may have to comply with theNPPs, the IPPs, department procedural requirements and state or territorylaw. Furthermore, as their Community Services contracts are often negotiatedon an individual program basis, the responsibility for interpreting thecontractual provisions will fall on local management. The issue is furthercomplicated by the fact that the organisation may need to collect healthinformation as well, which is subject to state or territory health recordslegislation.

Tenancy databases

The Real Estate Institute of Australia (13) identifies legislation relating totenancy databases as an example of lack of consistency between federal andstate and territory legislation. Its submission to the working group of theMinisterial Council of Consumer Affairs advocated that a nationally consistentframework should be developed for the operation of tenancy databases. Inthe meantime, Queensland and New South Wales have their own legislationand the Australian Capital Territory is considering it.

Occupational health and safety

St John Ambulance Australia (97) identifies an inconsistency between thePrivacy Act and occupational health and safety legislation in the context ofreporting casualties at events.

Commonwealth laws are complex

Telecommunications

Submissions have drawn attention to inconsistencies between the Privacy Actand other Commonwealth legislation, for example, between Part 13 of theTelecommunications Act and the Privacy Act in relation to disclosure ofcustomer information. Telecommunications companies may be subject toboth. This is discussed in detail later in this chapter at 2.3.

Credit unions

There are other difficulties in the relationship between the Privacy Act andother Commonwealth legislation. The Credit Union Services Corporation(CUSCAL) (64) is concerned that the Corporations Law provides that creditunions must give anyone access to their share register which containspersonal information about their shareholders who are also their customers.

Private health insurance

The Private Health Insurance Ombudsman (10) draws attention to difficultiescaused by the notion of ‘contributor’ and ‘dependents’ in relation to a privatehealth insurance contract in the National Health Act.

Inconsistency between the NPPs and IPPs

Organisation may be subject to both

There are inconsistencies between the NPPs and the IPPs. Some organisations may be subject to both. Australia Post (109) points out that the IPPs apply to its ‘non-commercial activities’ but the NPPs apply to its commercial activities. In addition, its employees must comply with further, and more specific, obligations of privacy and confidence in the Australian Postal Corporation Act 1989.

Commonwealth contractors

An organisation contracted by the Australian Government (or subcontracted by an Australian Government contractor) to perform outsourced functions for the Australian Government must comply with the IPPs and the NPPs. The contract will require the contractor to comply with the IPPs. Where there is no provision in the contract equivalent to one or more of the NPPs, the NPPs apply.

The Chamber of Commerce and Industry WA (Inc) (77) says that there are aspects of the IPPs which may be problematic or confusing. The Tenants’ Union of Queensland Inc (69), which is funded through the Community Legal Centres funding program, notes that having to comply with both the IPPs and the NPPs is unreasonably cumbersome on community sector organisations.

In the view of Telstra (110), the differences between the IPPs and the NPPs may lead to uncertainty about the obligations that apply when a contracted service provider collects (or otherwise handles) personal information on behalf of an Australian Government agency.

Finally, the Australian Government Department of Health and Ageing (99) identifies inconsistencies that have arisen in the context of Australian Government funded Aboriginal health services. It draws attention to circumstances when compliance with the NPPs alone would, in the appropriate circumstances, allow a doctor to discuss the care of a patient with a relative without the patient’s consent, but compliance with the IPPs would not.

An organisation may be subject to several privacy regimes

A number of submissions describe the difficulties they face complying with several privacy regimes at the same time. Promina (34), whose operations are national, is ‘subject to a complex matrix of federal and state legislation’. A confidential submission notes that each business activity is subject to different privacy legislation according to the state or territory the business operates in; the type of business; the type of personal information collected (personal information or health information); and whether the business unit is considered a government agency or a private sector organisation.

The Department of Health and Ageing (99) gives an example of the effect of several layers of privacy regulation. In giving advice to ACT pathologists who were changing their forms in a way that gave rise to privacy implications, the Department had to refer to the Privacy Act (the IPPs and NPPs), the Health Records (Privacy and Access) Act 1997 (ACT) and other ACT legislation applying to pathologists operating as a private sector organisation.

Single piece of information may be subject to different laws

A number of submissions, particularly those from financial services organisations, have pointed out that one consequence of the plethora of legislation is that a single item of personal information may have several pieces of legislation, possibly inconsistent, applying to it. Promina (34), a group of insurance and financial services companies that operates nationally, notes that:

‘a single piece of personal information may be subject to two or more . . . legislative regimes at one time, creating conflicting obligations, different obligations or more onerous obligations in respect of the whole or parts of that same piece of information.’

Suncorp-Metway Ltd (35), another banking, insurance, investment and superannuation conglomerate, notes that the:

‘same piece of personal information may have multiple pieces of legislation applying to it, some of these obligations may compete with others and we may have to quarantine particular parts of that information and apply federal or state laws as applicable.’

There are jurisdictional problems

The plethora of legislation gives rise to jurisdictional problems. This affects both organisations and consumers. Telecommunications companies, for example, are subject to multiple regulators, including the Privacy Commissioner, the Australian Communications Authority (ACA), and the Telecommunications Industry Ombudsman (TIO). However, Optus (98), which deals with the ACA, the Office and other government bodies on various aspects of privacy, says that dealing with different regulators has not caused it any difficulties. The ACA (94) says that even the regulator may not know if it has jurisdiction until the investigation has begun.

The Private Health Insurance Ombudsman (10) notes that there is no clear jurisdiction in relation to privacy complaints between the federal and New South Wales Privacy Commissioners. Consequently, a person in New South Wales may complain to both.

ANZ (40) notes that banking customers with a privacy complaint may choose to go to the Banking and Financial Services Ombudsman (BFSO) or to the Privacy Commissioner. In a recent case a customer took part of a complaint to the BFSO and the privacy aspect of it to the Privacy Commissioner. (The whole complaint was ultimately resolved at a conciliation conference between the customer, the bank and the BFSO.)

Telecommunications customers may also choose between the TIO and thePrivacy Commissioner.

Compliance is more difficult

The lack of a single, national and comprehensive regime increases the administrative and cost burden of compliance on organisations. Submissions from a number of industries have drawn attention to this.

Suncorp-Metway Ltd (35) notes that its staff need to deal with various pieces of legislation and with a number of regulators, ranging from the Privacy Commissioner to the Health Care Complaints Commissions of the states. It notes:

‘this makes the practice of providing information, adhering to the correct legislation and reference to a Regulator difficult for our staff and may result in the incorrect information being provided, incorrect principles or guidelines being applied or information not being fully provided.’

ANZ (40) is particularly concerned that if New South Wales or Victoria introduces its own workplace privacy legislation, which seems likely, the prospect of non-uniform laws throughout Australia would be opened again. Organisations that operate nationally would be subject to contradictory laws affecting the national workforce.

‘This would be likely to create significant additional compliance costs due to systems modifications, altered practices and staff training in order to manage the differences and ensure compliance.’

Comcare (12), which deals with health professionals, says that those professionals are often unsure as to which privacy regime they are subject to when dealing with information relating to people in the Commonwealth jurisdiction.

The Australian Compliance Institute (16) notes that many national health services comply with what they consider to be the more onerous Victorian and New South Wales provisions across all jurisdictions, so that they need deal with only one compliance system.[21]

Difficult to advise

The Australian Physiotherapy Association (37) notes that inconsistent legislation creates confusion for its members. Furthermore, it creates difficulties for the association itself in keeping abreast of the legislation and putting out a consistent message to its members about their privacy obligations.

Lack of consistency is getting worse

Many submissions say that the problem of inconsistency is getting worse. They cite, for example, the proliferation of state and territory health records Acts and the Australian Government’s recently enacted Spam Act. Financial institutions in particular express concern about the developments in workplace surveillance legislation at a state and territory level, and the Real Estate Institute of Australia (13) is concerned that legislation regulating tenancy databases is being introduced in a piecemeal fashion. The Credit Union Services Corporation (CUSCAL) (64) is concerned about proposed anti-money laundering laws that will force credit unions to collect more, not less, personal information about their members. CUSCAL:

‘is particularly concerned about the need to educate consumers about these obligations and the reasons why privacy rights must yield to security concerns.’

What submissions say – addressing the issues

Australian Government should exercise its constitutional power

Some submissions suggest that the Australian Government should exercise its constitutional power to ensure that Commonwealth law prevails. A charitable organisation (11) says that the Australian Government should enforce its overriding constitutional power to the extent that all formal complaints about privacy should go to the Privacy Commissioner. The Salvation Army Australia Southern Territory (74) argues that Commonwealth law should prevail over state and territory law to provide consistency.

Review and simplify

The complex nature of privacy law in Australia leads a charitable organisation (11) to suggest that the legal requirements imposed by privacy law should be reviewed and simplified. The National Health and Medical Research Council (32) says that there should be a single, simplified national health privacy regulatory scheme.

Greater co-operation among governments

Submissions from health services raise the lack of consistency between the Privacy Act and state and territory legislation regulating health records as a problem, and a problem that will become worse as electronic medical records become commonplace.

Banks and other financial institutions are concerned that at least two states are developing workplace surveillance legislation independently of each other.

A participant in a stakeholder forum hopes that at least the various bodies might consider a consistent interpretation of terms such as ‘related’ and ‘reasonable’, because currently they are interpreted differently across jurisdictions.

There clearly needs to be greater co-operation between the Australian and state and territory governments in developing legislation that has privacy implications if national consistency is to be achieved. In the view of the Australian Information Industry Association (43), the Australian Government needs to take the lead to ensure that disparate policies do not emerge. The Insurance Council of Australia (ICA) (59) recommends that

‘Federal and State Ministers should work together to ensure that privacy regulation is developed in a coherent and consistent manner. Health ministers should promote co-ordination between the States in the development of privacy legislation.’

Telstra (110) wants to see more co-operation between the Office and other regulators to ensure a national and consistent approach to enforcement.

There needs to be a process for ensuring ongoing Australian and state and territory government co-operation. This has already happened in the area of health privacy. A National Health Privacy Working Group of the Australian Health Ministers’ Advisory Council (AHMAC) is developing a national privacy code. Applauding the commitments of the health ministers, the ICA encourages AHMAC to finalise the health code.

Enhance the Privacy Commissioner’s role

Given the need for a national approach, it is appropriate that the Australian Government should take the lead in any process that is established to ensure consistency.

In the view of Telstra (110), the Australian Government should liaise with State and Territory governments to encourage a consistent approach. The Salvation Army Australia Southern Territory (74) urges the Office to take a role in ensuring consistency.

A number of possible mechanisms for doing this are identified in submissions. The Association of Market Research Organisations (AMRO) and the Australian Market and Social Research Society (AMSRS) (61) suggest that there should be a clearing house for ensuring that proposed legislation is consistent with the Privacy Act and that there should be a Privacy Impact Statement made for each new law. In the view of the Australian Bankers’ Association (70), the clearing house should be the Office.

‘The ABA would support the Privacy Commissioner taking a lead role in the oversight and co-ordination of developments in other legislation that have implications for privacy regulation acting as a clearing house to ensure national consistency with the Act wherever possible’.

Other submissions recommend an enhanced role for the Office. The Australian Direct Marketing Association (67) suggests that the Office should be given increased authority to ensure there are appropriate mechanisms to ensure legislation that is inconsistent with the private sector provisions is not passed.

The Australian Nursing Federation (127) suggests that the Office should initiate a process to consult with all stakeholders to develop a single piece of national health privacy legislation.

Coles Myer Ltd (60) suggests the Office should be adequately funded to be involved in proposed laws. In the view of the Credit Union Services Corporation (64), it should also be well enough funded to participate actively in the development of new anti-money laundering laws.

Combine the NPPs and the IPPs

A number of submissions recommend that the NPPs and IPPs be combined into a single set of privacy principles that would apply to both Australian Government agencies and private sector organisations. In the view of a charitable organisation (11), the NPPs should prevail. Electronic Frontiers (51) says that the harmonisation of the two sets of principles should be done so as to provide the highest level of privacy protection from each of them.

Remove exemptions from the Privacy Act

One of the ways to ensure greater national consistency could be to remove the existing exemptions from the Privacy Act. In the view of a number of participants in the stakeholder forums, the exemptions provide gaps in protection that states and territories need to fill with their own legislation. Among the drivers of the development of privacy law in other jurisdictions are the gaps in the protection provided by the federal law. The exemptions in the Privacy Act are undermining the goal of national consistency.

Options for reform

Clarify constitutional issue

The failure of the Privacy Act to achieve its object of establishing a ‘single comprehensive national scheme’ for the protection of personal information is an issue for the private sector. As submissions reveal, national consistency is important to business, to charities and to individuals. The lack of national consistency contributes significantly to the costs imposed on business. It is not clear whether section 3 of the Privacy Act, which provides that the operation of state and territory laws that are ‘capable of operating concurrently with’ the Act are not to be affected, covers the field or not. This provision determines whether or not a state or territory privacy law, or part of it, is or is not constitutional.

This lack of clarity leaves the way open to a state or territory to pass its own laws on the ground that there is no constitutional barrier to doing so. It certainly may be that state and territory legislation purporting to regulate health records is inconsistent at least to the extent that it imposes obligations on organisations covered by the Privacy Act. If so, it may be unconstitutional. Section 3 could be amended to make it clear that the Privacy Act was intended to cover the field.

Australian Government to promote national consistency

All stakeholders regard national consistency as very important and claim that it has not been achieved. Because of the exemptions in the Privacy Act, some hold the Australian Government at least partly responsible for not achieving the ‘single comprehensive national’ scheme it promoted. It is also a consequence of our federal system. It is clearly the role of the Australian Government, rather than the states and territories, to play the leadership role in promoting national consistency. To succeed, it has to be done at the highest level. The Australian Government could ask the Council of Australian Governments (COAG) to endorse national consistency in all privacy related legislation.

Consult Privacy Commissioner about all privacy related legislation

There would be more consistency in privacy related legislation if a centralised body had oversight of all proposed legislation. One possibility is that the Privacy Commissioner plays that role. The Privacy Commissioner is already consulted when Australian Government policy affecting privacy is being developed. Even if desirable, it may not be practical to nominate a federal body to play such a role in relation to the states and territories.

Examine IPPs and NPPs

The lack of consistency between the IPPs and the NPPs causes considerable compliance difficulties for public sector organisations that undertake commercial activities and for some private sector organisations, especially those that are funded by Australian Government agencies or are contracted to Australian Government agencies. Although both sets of principles draw on the 1980 Organisation for Economic Co-operation and Development (OECD) Guidelines for the Protection of Privacy and Transborder Flows of Personal Data, each set of principles reflects the time in which it was developed.

Similar functions are performed by both public and private sector bodies, and both public sector and private sector bodies may be characterised as both an agency and an organisation for the purposes of the Privacy Act. There seems no clear rationale for applying similar, but slightly different, privacy principles to public sector agencies and private sector organisations, and certainly no clear rationale for applying both to an organisation at the same time. There is no clear policy reason why they are not consistent. The time may have come for a systematic examination of both the IPPs and the NPPs with a view to developing a single set of principles that would apply to both Australian Government agencies and private sector organisations.

Consider Australian Government contractors

As part of the suggested examination of the IPPs and NPPs, the application of both the IPPs and the NPPs to Australian Government contractors could be considered.

Power to make a binding code

When state and territory governments pass legislation, regulating activities that businesses engage in on a national basis, that is not uniform, there is a negative impact on business.

Having to comply with similar but different legislation in the states and territories adds to the costs and complexity of compliance.

One way of overcoming the problems caused by inconsistent state and territory legislation regulating a particular activity is to provide for a power within the Privacy Act to develop binding codes. There are a number of ways in which this could be achieved. For example, the Attorney-General, after identifying the need for a code in a specific sector, could ask the Privacy Commissioner to commence a process to develop a code in consultation with key stakeholders. The Privacy Act would need to be amended to provide a power for the Privacy Commissioner to develop a code following a request from the Attorney-General.

A model that is worth considering is that set out in the Trade Practices Act 1974. The Act provides by regulation for the Minister to declare a code mandatory for the industry in question.

Alternatively, the Privacy Act could be amended to provide for the Privacy Commissioner, at his or her own initiative, to make a binding code in appropriate circumstances, again drawing on strong stakeholder consultation.

A model that may be worth considering is that set out in the Telecommunications Act. The Act provides for the telecommunications industry to develop self regulatory codes on a range of matters including privacy. Section 125 of the Act provides a mechanism for the regulator, the Australian Communications Authority, to issue a binding industry standard where a self regulatory code is failing or where no code has been developed. The process places strong emphasis on stakeholder consultation.

Change the name of the Office to the Australian Privacy Commission

Section 19 of the Privacy Act established the Office of the Privacy Commissioner, also known as the Office of the Federal Privacy Commissioner. The NSW Office is known as the Office of the NSW Privacy Commissioner or Privacy NSW; the Victorian Office is the Office of the Victorian Privacy Commissioner or Privacy Victoria.

The similarity of these names causes confusion, especially for consumers who are trying to work out to whom they should make a complaint. Changing the name of the Office would avoid unnecessary confusion. It would also be more consistent with other Australian Government regulatory bodies, such as the Australian Competition and Consumer Commission and the Australian Securities and Investments Commission.

2.2 Recommendations: National consistency

The Privacy Act has not achieved its object of establishing a ‘single comprehensive national scheme’ for the protection of personal information. As submissions reveal, national consistency is important to business, to charities and to individuals. The lack of national consistency contributes significantly to the costs imposed on business.

2. The Australian Government should consider amending section 3 of the Privacy Act to remove any ambiguity as to the regulatory intent of the private sector provisions.

3. The Australian Government should consider asking the Council of Australian Governments (COAG) to endorse national consistency in all privacy related legislation.

4. The Australian Government should consider setting in place mechanisms to address inconsistencies that have come about, or will come about, as a result of exemptions in the Privacy Act, for example, in the area of workplace surveillance.

5. The Australian Government should consider commissioning a systematic examination of both the IPPs and the NPPs with a view to developing a single set of principles that would apply to both Australian Government agencies and private sector organisations. This would address the issues surrounding Australian Government contractors.

6. The Australian Government should consider changing, by legislative amendment, the name of the Office of the Privacy Commissioner to the Australian Privacy Commission.

7. The Australian Government should consider amending the Privacy Act to provide for a power to make binding codes.

2.3 Consistency in telecommunications law and policy

Businesses in the telecommunications sector handle a large range of personal information, including customer details and telephone or internet service details, as well as carrying the contents of telecommunications such as voice calls, SMS and MMS messages, and emails.

Telecommunications carriers, as a group, collect personal information about all telephone and internet subscribers, amounting to a very large proportion of the population. There are 11.7 million fixed telephone lines in Australia, 16.5 million mobile phone services, and 5.2 million internet subscribers[22]. Some of this information is routinely transferred between telecommunications carriers as an integral part of the operation of the telecommunications network. Telecommunications carriers also hold information of interest to emergency services and law enforcement agencies.

In addition to information about subscription to telephone, internet and other telecommunications services (e.g. name, address, phone number etc.), the contents of voicemails, emails, SMS and MMS messages can include some of the most sensitive and personal information we have. Such messages are often stored, for varying lengths of time, by telecommunications companies.

The community’s interest in protecting the privacy of telephone calls and other telecommunications is reflected in a range of legislation that pre-dates the private sector provisions of the Privacy Act. The Office’s community attitude research shows that individuals are more reluctant to give organisations their home phone number than all other sorts of information, with the exception of bank account details and income. The Office’s research also shows that this sensitivity has increased over recent years[23].

The private sector provisions of the Privacy Act regulate organisations that operate within the telecommunications sector. These provisions do not, however, include specific references to the telecommunications sector. Telecommunications-related businesses with a turnover of less than $3 million may not be covered by the Privacy Act.

In the telecommunications sector, privacy is also regulated through the Telecommunications Act 1997 (Telecommunications Act), the Telecommunications (Interception) Act 1979 (Interception Act), and the Spam Act 2003 (Spam Act).

A number of submissions focused on the regulation of telecommunications privacy in considering the question of national consistency. Many of these submissions referred in particular to the operation of the Privacy Act with the Telecommunications Act, in some cases analysing in detail the interaction of specific provisions of both Acts.

Telecommunications Act

Part 13 of the Telecommunications Act provides for the confidentiality of personal information and the contents of communications, including restrictions on how telecommunications carriers and carriage service providers may use and disclose information that relates to the affairs of other persons, the contents of communications, and the services they provide. The Privacy Commissioner has the function of monitoring compliance with the record-keeping requirements in Division 5 of Part 13 of the Telecommunications Act.

Part 6 of the Telecommunications Act provides for industry to develop binding codes, for example codes developed by the Australian Communications Industry Forum, which are registered with the Australian Communications Authority. The private sector provisions of the Privacy Amendment (Private Sector) Act 2000 include amendments to Part 6 of the Telecommunications Act, and were intended to recognise and promote the pre-eminence of the Privacy Act and the role of the Privacy Commissioner within the telecommunications environment without diminishing the integrity of the telecommunications self-regulatory regime.

Industry codes provide a mechanism that permits the inclusion of privacy provisions beyond those in the Privacy Act, where the telecommunications industry considers that the NPPs do not readily address some specific industry or service related privacy concern. The Privacy Commissioner has a statutory role during the development phase of industry codes that relate to privacy, which involves the telecommunications sector consulting the Privacy Commissioner about such codes.

Telecommunications (Interception) Act

The Telecommunications (Interception) Act 1979 (Interception Act) has two key purposes. Its primary object is to protect the privacy of individuals who use the Australian telecommunications system by making it an offence to intercept communications. The second purpose of the Interception Act is to specify the circumstances in which it is lawful for interception to take place.

Following amendments to the Interception Act in 2004, stored communications such as emails, SMS and MMS messages are not protected by the prohibition on interception and the associated penalties in the Interception Act. Submissions made no substantial comment on the Interception Act or its interaction with the Privacy Act.

Spam Act

The Spam Act 2003 (Spam Act) sets up a scheme for regulating commercial email and other types of commercial electronic messages. Under the Spam Act, unsolicited commercial electronic messages must not be sent, and there are restrictions on the use of address-harvesting software.

Telecommunications regulators

There is more than one regulator with an interest in privacy in the telecommunications sector. The Australian Communications Authority (ACA) monitors the performance of telecommunications carriers and carriage service providers. The Telecommunications Industry Ombudsman (TIO), set up by the industry, investigates complaints about a range of telecommunications issues, including printed and electronic White Pages, privacy, breaches of the Customer Service Guarantee, and industry Codes of Practice.

Complaints and enquiries

During the review reporting period (21 December 2001 - 31 January 2005), approximately 9% of all NPP complaints received by the Office (223 complaints) related to the telecommunications sector, positioning it as the third most complained about sector behind the finance and health sectors. The Office also received 1725 telecommunications enquiries over the period, or approximately 4% of NPP enquiries.

The Telecommunications Industry Ombudsman, which also deals with some privacy-related complaints in the telecommunications sector, reports that in the 2003-2004 year it dealt with 1271 telecommunications complaints that related directly to issues concerning privacy. This suggests that the Office’s NPP complaints represent approximately 6% of the privacy complaints in the telecommunications industry.[24]

Compared to all NPP complaints received in the reporting period, complaints against telecommunications sector organisations were much more likely to concern use and disclosure issues and much less likely to concern access issues.[25]

The following graph shows the NPP complaints received by the Office against telecommunications sector organisations according to the issues raised in the complaint.[26]

NPP Complaints against Telecommunications Sector Organisations: by Issue Type

Complaints Received from 21 Dec 01 - 31 Jan 05

Collection – 51

Use and Disclosure – 125

Data security issues – 42

Data quality issues – 36

Refused access – 19

Other – 5

Disclosure of silent numbers

The disclosure of silent numbers by telecommunications carriers was possibly the most recurrent single issue in NPP complaints received against telecommunications sector organisations. Similarly, the disclosure of silent numbers was a recurrent issue in the ten own motion investigations into organisations in the telecommunications sector commenced by the Privacy Commissioner under section 40(2) of the Act during the reporting period. These figures reinforce the results in the Office’s community attitude survey about the sensitivity of telephone numbers in the community.

Some of the own motion investigations in the telecommunications sector related to the personal information of many hundreds, and even thousands, of individuals.

Complaints closed

A total of 181 NPP complaints against telecommunications sector organisations were closed in this period, of which 34 were closed as adequately dealt with under section 41(2)(a) of the Privacy Act following investigation or preliminary enquiries by the Office. An analysis of the number of complaints closed under this provision provides an indication of the number of complaints that were substantiated by the Office.

The following graph indicates the issues raised in NPP complaints against telecommunications sector organisations that were closed under section 41(2)(a)[27]. As with complaints received against this sector, over half of the 34 complaints closed under this provision concerned use and disclosure issues.

Complaints Resolved by Respondent following intervention by OPC

Complaints closed from 21 Dec 01 - 31 Jan 05

Collection – 2

Disclosure – 18

Data quality issues – 11

Data security issues – 8

Refused access – 3

The operation of other laws

Some use and disclosure complaints against telecommunications sector organisations may have been closed where it was assessed that the use or disclosure was required or authorised by or under another law. In addition, seven of the 181 NPP complaints against telecommunications organisations closed in the reporting period were declined, having been assessed as being more appropriately or currently dealt with under another law, including the Telecommunications Act.

Small business exemption

The Office recently contacted a wide range of Internet Service Providers (ISPs) in the course of its enquiries into an industry-wide practice. At least 25% of the ISPs that responded advised that they could claim the small business exemption. Between 10 and 15% of telecommunications sector respondents to NPP complaints received by the Office were ISPs.

What the submissions say - issues

Overlap of privacy and telecommunications legislation

Electronic Frontiers Australia (51) argues that the telecommunications sector has, of necessity, access to a great deal more information about individuals than do most private sector organisations. This information not only relates to customers, but also to the public in general, and includes the contents of their communications.

To illustrate the scope and importance of the personal information at issue in this sector, Electronic Frontiers Australia (51) quotes at length from an internet service provider executive who said, in 2000, that:

‘we have the username and password for every one of our users, we have their credit card details, we have a lot of information about their liquidity, we can know about every purchase they make online, with whom, when and for how much. We can know every site they visit on the web – every page, every newsgroup, every picture they look at. We could read all of their e-mail and know all about their romances and the jobs they’re applying for. The commercial opportunities arising from this are endless …’.

Telstra (110) says that there is an over-regulation of privacy and information-handling practices, causing regulatory uncertainty and additional compliance costs. Telstra also submits, however, that the private sector provisions of the Privacy Act are working well, and that industry-specific regulation such as Part 13 of the Telecommunications Act is working well.

Electronic Frontiers Australia (51) expresses concern that, in the online environment, individuals have almost no privacy rights, and the obligations that do exist may be difficult to have enforced. It argues that this arises from factors such as uncertainty regarding the definition of ‘personal information’, the ability of organisations to collect personal information without an individual’s consent, the use of ‘bundled’ consents, the small business exemption and technological developments.

Protections on use and disclosure

Sensis (84), the Australian Communications Authority (94), and Electronic Frontiers Australia (51) note that Part 13 of the Telecommunications Act contains different standards for the use and disclosure of personal information than does NPP 2.

Uses and disclosures permitted by the Telecommunications Act

Section 303B of the Telecommunications Act provides that uses and disclosures of personal information that are permitted by Divisions 3 and 4 of Part 13 of that Act are ‘authorised by law’ for the purposes of the Privacy Act. The Telecommunications Act also allows legal proceedings or administrative action to be taken under both the Telecommunications Act and the Privacy Act, in relation to uses and disclosures of personal information.[28]

Telstra (110) suggests that despite the provisions of section 303B of the Telecommunications Act, there may still be uncertainty regarding whether a disclosure of customer information that falls within one of the exceptions in Division 3 or 4 of Part 13 of the Telecommunications Act may nonetheless breach the NPPs or the credit reporting provisions in Part IIIA of the Privacy Act.

Uses and disclosures permitted by NPP 2

Electronic Frontiers Australia (51) raises a further question about the interaction between the Privacy Act and the Telecommunications Act, in that section 280(1)(b) of the Telecommunications Act provides that uses and disclosures that are required or authorised by another law are not prohibited by Part 13 of the Telecommunications Act. One possible interpretation of this provision is that the uses and disclosures permitted by the secondary purpose exceptions to NPP 2.1 (for example, for direct marketing) may be available to telecommunications companies, in addition to the exceptions in Part 13 of the Telecommunications Act.

Different standards of protection

Section 289 of the Telecommunications Act permits the use or disclosure of personal information if the person to whom the information relates is either reasonably likely to be aware of the use or disclosure, or has consented to it. Electronic Frontiers Australia (51) argues that section 289 of the Telecommunications Act offers greater privacy protection in relation to use or disclosure for the primary purpose of collection than does NPP 2. For secondary purposes, however, that section is significantly less protective. Unlike NPP 2, section 289 of the Telecommunications Act does not require the use or disclosure to be related to the purpose of collection. As a consequence, a disclosure for a secondary purpose may be permitted by section 289, but not by NPP 2.

Electronic Frontiers Australia (51) also argues that section 291 of the Telecommunications Act is less privacy protective than NPP 2, for example, allowing disclosures for the unrelated secondary purpose of direct marketing by other organisations. Electronic Frontiers Australia also identified section 290 as requiring attention in relation to the disclosure of personal information about third parties.

Section 285 of the Telecommunications Act relates to the use and disclosure of customer information to produce public number directories, and includes a prohibition on the use or disclosure of customer information in connection with a directory with a reverse search capability (that is, where searching on a number provides a person’s name and address). Sensis (84) suggests that the NPPs, rather than industry specific regulation, would be adequate regulation in relation to reverse search functionality.

Small business exemption

A number of submissions noted that the small business exemption may leave unregulated some organisations operating in, or close to, the telecommunications sector.

The Australian Communications Authority (94) notes that Part 13 of the Telecommunications Act does not apply to producers of public number directories (including list brokers). Where a public number directory producer falls within the small business exemption of the Privacy Act, then there may be few or no privacy protections in place.

Electronic Frontiers Australia noted that a range of smaller businesses could fall under the small business exemption, including internet service providers (ISPs), resellers of carrier and/or ISP services, carriage service intermediaries and telecommunications contractors. This is confirmed by the Office’s experience, which suggests that approximately 25% of ISPs may claim the small business exemption.

After the private sector provisions of the Privacy Act commenced in December 2001, the Australian Communications Authority decided to de-register the code ACIF 523 - Protection of personal information of customers of telecommunications providers (October 2001) (CPI Code), to avoid a duplication in the telecommunications privacy jurisdiction[29].

The CPI Code applied to large telecommunications companies, as well as small businesses including ISPs, resellers of carrier and/or ISP services, carriage service intermediaries and telecommunications contractors.

Electronic Frontiers Australia (51) says that a net result of the introduction of the private sector provisions and the removal of the CPI Code may be that individuals currently have less protection, overall, in relation to the handling of their personal information by small businesses in the telecommunications sector, than they did prior to 2001. Given the nature and scope of the personal information that is collected, used and disclosed by the telecommunications sector, there would appear to be a notable gap in privacy regulation.

These considerations are also relevant to the broader consideration of the small business exemption in Chapter 6.

Telecommunication regulators

Submissions generally do not indicate that regulatory overlap is a major problem in the telecommunications sector; however, there are issues deserving attention according to the Australian Communications Authority (94), Optus (98), and Telstra (110). For example, the Australian Communications Authority says that in the handling of complaints, while regulatory overlap may not have been a significant barrier to resolving complaints, it may have led to some delays, frustration and waste (94).

Spam

Submissions highlighted the recent Spam Act as an example of appropriately specific legislation to deal with a particular challenge posed by new technology.

What submissions say – addressing the issues

Overlap of privacy and telecommunications legislation

No change required

Telecommunications companies Virgin Mobile (26), Optus (98), Telstra (110) and Vodafone (112) are generally opposed to further regulation; however, some call for further clarification of specific issues (see below). Virgin Mobile (26) considers the current level of regulation applying to telecommunications companies to be very significant and that further regulation is not warranted, noting that the current set of legislative requirements impose significant compliance costs.

Protections on use and disclosure

Uses and disclosures permitted by the Telecommunications Act

Telstra submitted that Part 13 of the Telecommunications Act should be amended to clarify that a disclosure that fits an exception to Part 13 of the Telecommunications Act is not a breach of the Privacy Act, or that the Office should publish an information sheet outlining its views in relation to privacy complaints in the telecommunications sector.

Uses and disclosures permitted by NPP 2

Electronic Frontiers Australia (51) recommends that the law be clarified to ensure that NPP 2.1 does not authorise uses or disclosures that would otherwise be in breach of the Telecommunications Act.

Different standards of protection

A range of submissions from consumer and industry perspectives feel that the relationship between the Telecommunications Act and the Privacy Act could be further clarified, either through additional guidance or through legislative change[30]. Electronic Frontiers Australia (51) argues that privacy protections should be at least maintained, and in some cases strengthened, in the course of that clarification.

Optus (98), Telstra (110) and Electronic Frontiers Australia (51) saw merit in considering the appropriateness of the privacy protections in Part 13 of the Telecommunications Act. Optus argues that, notwithstanding the usefulness of Part 13 of the Telecommunications Act, it would be beneficial to review it with the aim of making it easier to interpret.

Small business exemption

Electronic Frontiers Australia (51) recommends that the small business exemption be deleted from the Privacy Act.

Telecommunications regulators

Telstra (110) suggests that in the first instance complaints should be investigated by the appropriate industry body, for example the TIO.

Spam

A range of submissions suggest that the relationship between the Spam Act and the Privacy Act could be further clarified, for example through guidance issued jointly by the Office and the Australian Communications Authority.[31] In particular, the different approach to ‘opting out’ between NPP 2.1(c) and the Spam Act was noted by both industry (for example, the Australian Bankers Association 70) and consumers (for example, Electronic Frontiers Australia 51). For more discussion on direct marketing see Chapter 4.

Options for reform

Overall it appears from the submissions that the combination of general privacy regulation through the Privacy Act, with technology and sector-specific regulation, is working reasonably well in many areas relating to the telecommunications sector.

Overlap of Privacy and Telecommunications legislation

Exclude telecommunications from the Privacy Act

While excluding telecommunications companies from the Privacy Act may simplify the regulatory arrangements for companies that operate solely in the telecommunications sector, the additional protections offered by the NPPs, particularly relating to collection, data quality, data security and access, would be foregone. There does not appear to be sufficient reason to support this option, particularly considering the special nature and broad scope of personal information handled in the telecommunications sector.

As telecommunications is the third most complained about sector under the NPPs, it appears that the Privacy Act provides an important contribution to protecting privacy in this sector.

Repeal Part 13 of the Telecommunications Act

While repealing Part 13 of the Telecommunications Act may simplify the regulatory arrangements for companies that operate in the telecommunications sector, the relatively strong protections on use and disclosure of telecommunications-related personal information offered by Part 13 of the Telecommunications Act would be foregone. There does not appear to be sufficient reason to support this option, particularly considering the special nature and broad scope of personal information handled in the telecommunications sector.

The relatively large number of privacy-related complaints handled by the Telecommunications Industry Ombudsman may suggest that the regulatory scheme provided by the Telecommunications Act is critically important to protecting privacy in this sector.

Transfer Part 13 of the Telecommunications Act to the Privacy Act

The intention of this option would be to retain the protections of both the NPPs and Part 13 of the Telecommunications Act, but to do so under the one Act. In doing so, careful consideration would have to be given to the relationship between the definition of ‘personal information’ in the Privacy Act, and ‘information’ as used in Part 13 of the Telecommunications Act. Similarly, careful consideration would have to be given to whether the requirement in section 16B of the Privacy Act that the Privacy Act applies only to the collection of personal information for inclusion in a record (or a generally available publication) would narrow the application of the provisions of Part 13 of the Telecommunications Act, were they to be transferred to the Privacy Act.

Guidance

Detailed guidance, issued jointly by the Office and the ACA, may assist in increasing understanding of the interaction of the Privacy Act and the Telecommunications Act. This guidance could concentrate on the issues raised in the submissions, such as the operation of section 303B of the Telecommunications Act. Detailed guidance could also assist to clarify that the exceptions to NPP 2 do not provide an ‘authorisation’ under law, for the purposes of other Acts such as the Telecommunications Act.

However, where there is genuine legal uncertainty about the joint operation of the two Acts, guidance would not assist.

Amendments to the Privacy Act and the Telecommunications Act

Changes to the Privacy Act alone are unlikely to resolve concerns about the potential for inadequate or inconsistent use and disclosure protections. The overall standard of protection for personal information, set by the combination of Part 13 of the Telecommunications Act and the Privacy Act, could be addressed through coordinated amendments to those Acts which clarify their relationship, particularly in terms of the respective provisions concerning what constitutes authorised uses and disclosures under the two Acts.

At a minimum, amendments could clearly specify that the Privacy Act cannot be used to lower the overall standard of privacy protection, so that an exception under NPP 2.1 cannot ‘authorise’ a use or disclosure under section 280(1)(b) of the Telecommunications Act. For example, it should be clear that a disclosure permitted by NPP 2.1(c), for a secondary purpose of direct marketing, would not, through appealing to NPP 2.1(c), also be permitted by section 280(1)(b) of the Telecommunications Act. Amendments should clarify that if a use or disclosure of personal information is not permitted by Part 13 of the Telecommunications Act considered in the absence of the Privacy Act, then it is not permitted even when considered in the context of the Privacy Act.

Amendments to ensure that the higher privacy standard always operates

Recognising the significant quantity, scope and sensitivity of the personal information that is held by, and that flows through, organisations in the telecommunications sector, a further step could be to amend both the Privacy Act and the Telecommunications Act to ensure that the higher privacy standard always operates. This would require amending or repealing section 303B of the Telecommunications Act to ensure that uses or disclosures prohibited by NPPs 2, 7 and 9 are not permitted by the Telecommunications Act, unless there is a clear, sector-specific requirement that meets the public policy goals of the private sector privacy regulatory scheme.

Small Business Exemption

Public number directory producers are authorised under the Telecommunications Act to access the Integrated Public Number Database (IPND). The IPND is a database of all listed and unlisted telephone numbers. It is a repository of personal information (including names and addresses) relating to the end-users of telephone numbers. According to the Australian Communications Authority:

‘In addition to the publication of public number directories, Public Number Directory Producers (PNDPs) are understood to use telecommunications customer information for a variety of other purposes. These uses are referred to by the industry as ‘database enhancement’, ‘data cleansing’, ‘data verification’, ‘list management’ services or ‘information management tools’[32].

Some of the significance of IPND data is that it provides a means for directly contacting a large proportion of the Australian population. The use of telephone numbers to direct market is discussed in Direct Marketing, Chapter 4, including evidence from submissions both that there is a level of irritation in the community about the intrusiveness of phone marketing, and that some customers like direct marketing. The option of establishing a ‘Do Not Contact’ register is also discussed there.

The Australian Communications Authority has decided to determine an industry standard to regulate the use of telecommunications customer information. The Office understands that this standard, in conjunction with the NPPs, will aim to regulate the appropriate use of IPND data.

Producers of public number directories clearly handle personal information, and typically in quantity. In the case of any public number directory producer that has an annual turnover of less than $3 million, there may then be some uncertainty about whether or not the small business exemption applies.

Subsections 6D(4)(c) and (d) provide that a business is not eligible for the small business exemption if it trades in personal information. Subsections 6D(7) and (8), however, permit a business that has an annual turnover of less than $3 million, and trades in personal information, to nonetheless benefit from the small business exemption if the trading in personal information is conducted with the consent of the individuals whose information is traded, or if another law requires or authorises the trading of the information.

Regulate-in small telecommunications businesses

The small business exemption could be removed for a nominated class of telecommunications-related small businesses and public number directory producers, by way of a regulation under section 6E of the Privacy Act. This option is less likely to lead to the kind of regulatory confusion that may arise under other options (outlined below). However, it has the disadvantage of further complicating the nature of the small business exemption.

Telecommunications businesses not eligible for the small business exemption

An alternative to regulation would be to amend the Privacy Act to provide that telecommunications businesses and public number directory producers are not eligible for the small business exemption. This may have the disadvantage of further complicating the structure of the small business exemption.

Self-regulatory privacy code registered with the ACA

Making use of the self-regulatory scheme for the telecommunications sector, under the Telecommunications Act, a new telecommunications industry privacy code could be registered with the Australian Communications Authority, so that all telecommunications organisations and public number directory producers will have NPP obligations through that means.

Disadvantages with this approach include the duplication of privacy regulation for the great majority of telecommunications companies who are already bound by the Privacy Act, and are also bound by registered industry codes, and the confusion and uncertainty that may arise as a result; and a further splintering of privacy regulation, because the Privacy Commissioner may not be the complaint handler for all privacy complaints in the sector.

Commissioner to issue mandatory code

If the Commissioner had a power to issue a mandatory code which covered a certain group of businesses (see recommendation 7), this power could be used to develop and issue a telecommunications sector privacy code.

Remove the consent provisions from the small business exception

This would ensure that all organisations that ‘trade’ in personal information (as described by subsections 6D(4)(c) and (d) of the Privacy Act) would be regulated by the Privacy Act. This would assist in ensuring that public number directory producers cannot make use of the small business operator exemption. This option is also discussed in Chapter 6, Small Business Exemption.

Overlapping regulators

See Chapter 5, Complaint Handling, for further discussion of options for minimising problems arising from overlapping regulators.

Spam

The issue of different standards for opting out of direct marketing is taken up in Chapter 4, Direct Marketing. Beyond the recommendations there, the Office and the Australian Communications Authority could work together to issue joint guidance on the operation of the Privacy Act and the Spam Act.

2.4 Recommendations:

Telecommunications consistency

8. The Australian Government should consider amending the Privacy Act and the Telecommunications Act to clarify what constitutes authorised uses and disclosures under the two Acts, and to ensure that the Privacy Act cannot be used to lower the standard of privacy protection in the Telecommunications Act.

9. The Australian Government should consider making regulations under section 6E of the Privacy Act to ensure that the Privacy Act applies to all small businesses in the telecommunications sector, including Internet Service Providers and Public Number Directory Producers.

10. The Office will discuss with the Australian Communications Authority the development of guidance to clarify the relationship between the private sector provisions of the Privacy Act and Part 13 of the Telecommunications Act.

11. The Office will discuss with the Australian Communications Authority the development of guidance to clarify the relationship between the private sector provisions of the Privacy Act and the Spam Act.

2.5 Consistency in protection of health information

Research on community attitudes towards privacy, conducted by the Office[33], shows the importance that Australians place on the protection of their health information. There are risks of serious harm arising from a failure to adequately protect an individual’s health information, for example when handling genetic information that indicates an individual’s susceptibility to a serious disease or information about an individual’s sexual health. Some individuals may be stigmatised or discriminated against if their health information is mishandled.

While a health service provider’s principal concern is for the health care of their patient, the individual’s right to have their health information protected, and to retain control over it, is also important.

Law and policy

Privacy regulation for health information across Australia consists of a set of overlapping, incomplete and sometimes inconsistent federal, state and territory legislation. The shared intent is to regulate the handling of this sensitive information, and to ensure its protection. However, the multiplicity of laws and provisions, many very similar but not the same, results in confusion and undue complexity.

Commonwealth, state and territory privacy legislation

At the Commonwealth level, the handling of health information is regulated in the private sector and Australian Government public sector through the Privacy Act by the National Privacy Principles (NPPs), the Information Privacy Principles (IPPs) and Public Interest Determinations[34].

Some state and territory jurisdictions[35] have developed privacy legislation for their public sectors. Others have administrative arrangements for this purpose. For example, Queensland has established two administrative standards for privacy in its public sector (one scheme for health sector agencies, and one scheme for other government agencies)[36]. Each jurisdiction’s scheme is slightly different, as are the principles on which they are based.

For privacy in the private sector, two states (in addition to the ACT, which in 2001 already had law covering health services in the private sector) have enacted law seeking to regulate the handling of health information in the private sector. Victoria has enacted the Health Records Act 2001 and in NSW, the Health Records Information Privacy Act 2002 came into force on 1 September 2004.[37] These Acts contain similar, though not identical, principles to the NPPs. For example, the Victorian legislation has certain provisions regarding access to ‘old’ personal health information; there are no equivalent provisions in the NPPs.[38]

Other forms of regulation

Additionally, there are other forms of protection for an individual’s health information. These include ethical and professional codes of conduct adhered to by health professionals, common law obligations of confidence that health professionals must abide by, as well as federal, state and territory statutes about matters such as public health. Also, the enabling legislation of many health agencies often contains secrecy provisions.

Proposed National Health Privacy Code

At the request of Health Ministers, the National Health Privacy Working Group of the Australian Health Ministers’ Advisory Council was set up in 2000 to develop a national framework for health privacy. This proposed framework has become known as the National Health Privacy Code.

After public consultation on the draft code in 2003, a revised version, as well as draft mandatory guidelines for research, and draft explanatory notes for the use or disclosure of genetic information, were developed.[39] These documents are yet to be considered by Health Ministers. The Department of Health & Ageing (99) states this will occur in 2005.

What the submissions say - issues

Problems for health privacy

Submissions overwhelmingly support the conclusion that the existing state of health privacy laws in Australia is unsatisfactory for health service providers and individuals.

Submissions from health services (and organisations representing them) and from insurers identify problems raised by this lack of consistency. A confidential submission says that health insurers, for example, have gone to the expense of setting up systems consistent with the private sector provisions and then have had to look at separate state and territory legislation, regulations and guidelines, involving them in more expense. The Investment and Financial Services Association Ltd (89) says that the inconsistencies cause a significant compliance burden, resulting in increased compliance costs for many of their member organisations. Furthermore, inconsistencies make it difficult for consumers to understand their rights.

The experience of the Office also indicates that this issue represents one of the biggest obstacles to effective and consistent national developments in the health sector, such as electronic health records systems.

The Australian Law Reform Commission (ALRC) and Australian Health Ethics Committee (AHEC) considered the need for harmonisation of privacy regulation in the context of protecting genetic information. Their report recommended ‘as a matter of high priority’ the development of nationally consistent rules for the handling of all health information[40]. This has also been acknowledged in regard to other national initiatives, such as HealthConnect[41].

Obstacles to national consistency

The obstacles to national consistency in health privacy protection are summarised by the Insurance Council of Australia (59):

  • Inconsistencies between state and territory legislation and the Privacy Act (federal)
  • Additional obligations imposed by state and territory legislation, over and above the Privacy Act
  • Differences between the various state and territory regimes.

Submissions identify a number of recurring issues which are discussed below.

Compliance issues

A number of submissions noted the additional compliance costs which are incurred by having multiple layers of privacy legislation.

The Australian Compliance Institute (16) submits, in regard to privacy regulation generally, that ‘as each State introduces new legislation, legal costs are incurred in understanding any potential impact’.

In regard to health privacy specifically, the Law Council of Australia (36) states that:

‘…increased compliance costs are incurred, particularly by organisations operating in more than one state or territory, which costs will be passed on to the consumer’.

The Pharmacy Guild of Australia’s (93) submission concurs with this view, noting also that many pharmacies may be small businesses (though they are still regulated by the Privacy Act because they handle health information and provide a health service).

A practical problem was identified in a stakeholder forum. A national medication service operating via a call centre must read different statements to obtain consent depending on the location of the individual (and the law that applies in that jurisdiction).

The Insurance Council of Australia (59) notes that these compliance costs may be incurred by any organisation which handles health information.

Forum shopping

A submission from a not-for-profit organisation (11) notes that ‘…potential complainants/plaintiffs [may] ‘shop around’, to select the most suitable legislation to further their case or grievance’.

This view is supported by the Mental Health Privacy Coalition (58) which states that:

‘…small differences also allow legal practitioners the avenue towards arguing different aspects of privacy law in different jurisdictional legal settings, thus creating unnecessary headaches for healthcare providers’.

Confusion about which law to apply

A number of submissions contend that multiple privacy regimes create confusion for providers and consumers. Comcare (12) submits that:

‘our assessment is that some health professionals are unsure as towhich privacy regime they are subject to when dealing with informationrelating to people in the Commonwealth jurisdiction’.

However, it also notes that ‘having said that, the incidence of this issue doesseem very low.’

The Mental Health Privacy Coalition (58) submits that ‘a plethora of differentlaws or guidelines tends to confuse the health sector’. The AMA (29) statesthat ‘the mish-mash of privacy and health specific privacy legislation isconfusing to both doctors and their patients’. A number of other submissionsconcur that the current arrangements create confusion[42].

Individuals uncertain about enforcing rights

The Insurance Council of Australia (59) notes that multiple privacy regimesaffect the ability of individuals to exercise their rights, as individuals need tobe aware of the range of bodies to which they may seek recourse.

The Law Council of Australia (36) has expressed the view that “consumersare less likely to be able to clearly understand their rights in any particularsituation and are likely to experience increased difficulty and frustration inenforcing those rights”.

The Australian Nursing Federation (ANF) (127) has submitted that there isconsumer uncertainty about their rights, at least partly due to the exemptionsin the Privacy Act, particularly the small business exemption, the employeerecords exemption and the journalism exemption.

In addition, the ANF (127) also holds that ‘general confusion exists regardingcomplaints processes’. Other submissions concluded also that multipleprivacy regimes contribute to consumer uncertainty, as consumers may beunsure which regulator to complain to, and which law applies to their matter[43].

A confidential submission refers to the ‘inequitable’ situation where individualsin some states can access their health information regardless of its collectiondate, but others can access only information collected after 21 December2001 (the commencement date of the private sector provisions).

The Royal District Nursing Service of Melbourne (78) submits that while thereappears to be adequate awareness of privacy rights in the generalcommunity, there ‘…is some difficulty in the awareness or understanding ofthe elderly’.

Options for reform

Adoption of the proposed National Health Privacy Code

Submissions support the work of the National Health Privacy Working Group in developing the proposed National Health Privacy Code. Adoption of the code by all jurisdictions would promote national consistency in the handling of health information.

The success of a national code will depend critically upon how it is implemented. Achieving consistency would involve all jurisdictions implementing the code unamended and in the same manner.

Therefore, one option is for each jurisdiction to incorporate the agreed code, as is, within its laws. The manner for legislatively enabling the code would also need to be the same in each jurisdiction.

Code to be adopted as a Schedule to the Privacy Act

For the Australian Government jurisdiction, the code could become a Schedule to the Privacy Act. The Schedule would apply the code to those bodies already within the jurisdiction of this legislation and that handle health information; that is, many Australian Government agencies and a range of private sector organisations.

This step could occur whether or not all jurisdictions adopt the proposed code. However, it is preferable that this step by the Australian Government is mirrored by each jurisdiction.

The need to ensure that the code is reflected in the Privacy Act is noted by the Victorian Health Services Commissioner (27). Similarly, the National Health and Medical Research Council (32) recommends that ‘a single, simplified national health privacy regulatory scheme’ (that is, the code) should replace and not supplement existing regulatory arrangements. The Australian Nursing Federation (127) highlights the importance of consistency between the Privacy Act and the code, and looks forward to a national regulatory framework that incorporates ‘a national process for [addressing] complaints and breaches’.

Once the code is adopted into the Privacy Act (particularly if as a schedule), the Australian Government could seek agreement from all jurisdictions for any subsequent regulatory measures in this area by them to be consistent with these provisions.

The code, as established through the Privacy Act, could become the de facto national standard for health privacy. If agreed, all other jurisdictions would be expected to adhere to this standard. Through this approach, the Australian Government would provide national leadership in this complex area. Success, however, again depends upon agreement by all jurisdictions.

Code to be adopted by amending the NPPs

Similar to the previous option, whether or not all jurisdictions adopt the code in the same way, the NPPs in the Privacy Act could be amended to ensure consistent privacy protection for Australian Government agencies and private sector organisations that handle health information. The NPPs would be amended to incorporate the provisions of the code.

This approach would entail one set of privacy principles to regulate the handling of health information. These principles would be based on the NPPs, and include the provisions of the code. This would go some way toward addressing broader national consistency issues identified in this report, such as the differences between the IPPs and the NPPs.

However, the resulting principles would be longer and more complex. This option would require the insertion of multiple sub-principles and exceptions to the NPPs to take account of the code.

This approach would run counter to the intent of delivering general, high-level principles for all business and government sectors. For instance, the approach would mean that non-health organisations and agencies would need to deal with a more complex set of privacy principles, where much of the content may not apply to them. This would not improve, and may even increase, regulatory complexity overall.

Stakeholder awareness and education

If national consistency is pursued by legislative or regulatory intervention, and whether or not it is fully achieved, substantial awareness and education programmes could be developed to explain how the various privacy regimes interact.

This approach would involve providing awareness and education for consumers, providers and other stakeholders about the roles of the various schemes, the differences between them, and how to assert rights or to comply with obligations. The approach could reduce perceived uncertainties surrounding which laws apply to various organisations and agencies, including which complaint handling arrangements would operate. It would seek to assist stakeholders to work their way through the multiple and interacting privacy schemes.

This is likely to be resource intensive, not only for the Office and those in the Australian Government jurisdiction, but for state and territory agencies with regulatory and education/awareness responsibilities, and for private sector professional entities. It would not resolve national consistency issues (or the lack thereof) at law, nor would it create assurances about how health privacy laws interact.

2.6 Recommendations: Health Consistency

12. The Office urges the National Health Ministers’ Council to finalise the National Health Privacy Code. This should include agreement by all jurisdictions on the contents of the code and on its consistent implementation in each jurisdiction.

13. The Australian Government should consider adopting the National Health Privacy Code as a schedule to the Privacy Act. This would recognise the Australian Government’s part in the consistent enabling of the Code. Should agreement not be reached by all jurisdictions about implementing the Code, the Australian Government should still consider adopting the code as a schedule to the Act to provide greater consistency of regulation for the handling of health information by Australian Government agencies and the private sector. (See also recommendations 29, 33 and 35.)

2.7 Residential tenancy databases

What are residential tenancy databases?

Residential tenancy databases are privately owned electronic databases that contain information on the tenancy history of tenants. Property managers and landlords use them to assist in assessing risk and identifying potential problem tenants during the rental application process. Most property managers and real estate agents routinely subscribe to at least one tenancy database to screen prospective tenants. There do not appear to be industry standards or codes of practice which apply to them.

Application of the Privacy Act

The Privacy Act applies to tenancy databases with an annual turnover of more than $3 million. It also applies to tenancy databases with a turnover of $3 million or less, despite the small business exemption, because they trade in personal information. If, however, a tenancy database that is a small business gains consent for the collection or disclosure of an individual’s personal information, then the Privacy Act does not apply.

Issues

There is a wide range of concerns about how tenancy databases operate. This section of the report is not concerned with the substantive issues. It is concerned only with the national consistency issues.

Tenancy databases are regulated by the Privacy Act and state and territory privacy legislation, including specific legislation regulating tenancy databases in some jurisdictions. Queensland and New South Wales have introduced legislation to prescribe listing and notification practices, and dispute resolution frameworks, and the ACT has foreshadowed similar legislation.

The Real Estate Institute Australia (13) draws attention to the lack of consistency in the various legislation, federal and state and territory, relating to tenancy databases. As this impacts negatively on consumers and business, the Institute suggests that a nationally consistent framework, with guidelines, should be developed for the operation of tenancy databases.

Options for reform

Australian Government could regulate tenancy databases

Tenancy databases operate nationally. The issues addressed by state and territory legislation are not confined to those states and territories, but are national. A patchwork of legislation is emerging and adding to the lack of national consistency in privacy protection. The Australian Government could regulate residential tenancy databases.

Commissioner could make a binding code

Earlier in this chapter, the Report recommends that the Australian Government should consider amending the Privacy Act to give the Privacy Commissioner a power to make binding codes. One of the policy reasons for doing so is that there may be some business activities that give rise to issues that demand a regulatory response on a national basis. In the absence of federal legislation or uniform, or at least consistent, state and territory legislation, and assuming that the Australian Government amends the Act in accordance with the recommendation, the Privacy Commissioner could make a binding code to apply to residential tenancy databases.

MCCA/SCAG process

In August 2003, the Ministerial Council on Consumer Affairs (MCCA) and the Standing Committee of Attorneys-General (SCAG) agreed to establish a joint working party to consider residential tenancy databases. The Office is represented on the working party, which is chaired by the Attorney-General’s Department of the Australian Government. The working party intends to report to MCCA and SCAG by the middle of 2005. The Australian Government could make this process a matter of high priority.

2.8 Recommendations: Residential tenancy databases

14. The Australian Government should advance as a high priority the work currently being undertaken by the Working Group on Residential Tenancy Databases of the Ministerial Council on Consumer Affairs/Standing Committee of Attorneys-General.

15. The Australian Government should consider, depending on the outcome of the Ministerial Council on Consumer Affairs/Standing Committee of Attorneys-General, making the Privacy Act apply to all residential tenancy databases. This could be done by using the existing power under section 6E to prescribe them by regulation, or by amending the consent provisions (section 6D(7) and section 6D(8)) that apply to the small business exemption. (See recommendation 53.)

16. If the Privacy Act is amended to provide for a power to make a binding code (see recommendation 7), and depending on the outcome of the Ministerial Council on Consumer Affairs/Standing Committee of Attorneys-General, the Privacy Commissioner could make a binding code that applies to tenancy databases.

3 International issues and obligations

3.1 EU Adequacy and APEC

Law and Policy

EU adequacy a driver of the legislation

An object of the private sector provisions was to ensure that Australia would be able to meet international obligations and not be disadvantaged in the global information market. The provisions aimed to provide adequate privacy safeguards to facilitate further trade with the European Union (EU). In the absence of the new provisions, the Explanatory Memorandum stated:

‘there are serious questions surrounding the ability of Australia to meet the requirements for continued trade with EU members under the European Union Directive on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data’[44].

Privacy Act is not yet EU ‘adequate’

Negotiations with the European Commission regarding the adequacy of the Privacy Act in meeting the EU Directive have been continuing. The amendments to the Privacy Act in April 2004 were a result of these discussions[45]. These amendments to the legislation make it clear that the protection provided by NPP 9, which regulates transborder data flows, applies equally to the personal information of individuals who are Australian and those who are not. They remove the nationality and residency limitations on the power of the Privacy Commissioner to investigate complaints relating to the correction of personal information. They also give businesses and industries greater flexibility in developing privacy codes by allowing the codes to cover otherwise exempt acts and practices where the authors of the code wish to do so. However, there are ongoing discussions with the European Commission regarding the small business and employee records exemptions from the Privacy Act.

The EU has not granted Australia ‘adequacy status’ regarding the EU Directive, nor has it stated that Australia’s privacy regime is inadequate. At this stage, the EU has declared Switzerland, Canada, Argentina, Guernsey, Isle of Man, the US Department of Commerce's Safe Harbour Privacy Principles, and the transfer of Air Passenger Name Record to the United States' Bureau of Customs and Border Protection as providing ‘adequate’ privacy protection.

Asia-Pacific Economic Cooperation (APEC) framework

The endorsement of the APEC Privacy Framework by APEC Ministers in November 2004 means that APEC countries, including Australia, need to make sure that their privacy regimes meet a new set of international obligations. The APEC privacy framework has a number of aims including promoting electronic commerce, providing guidance to APEC economies and helping to address common privacy issues for business and consumers in the region. The initiative has the potential to accelerate the development of information privacy schemes in the APEC region and to assist in the harmonisation of standards across national jurisdictions.

The APEC framework, like the NPPs, was designed to be consistent with the core values of the Organisation for Economic Cooperation and Development’s (OECD) 1980 Privacy Guidelines[46]. The APEC Principles cover areas such as notice, collection, use and disclosure, choice, integrity of personal information, security safeguards, access and correction and accountability. APEC will continue making decisions about the implementation of the APEC principles during 2005.

Issues

The issues paper noted that it was not clear whether organisations are finding that their commercial activities are impeded by the private sector provisions in their current form. It raised issues such as whether the private sector provisions are working for businesses in relation to their global operations, whether they will work in the future, and what strategies businesses are using to deal with any issues that are arising, for example, using contractual provisions.

What submissions say - issues

Lack of EU adequacy has not inhibited trade

One submission (confidential) says the Privacy Act does not seem to resolve the question of whether privacy laws meet the standards of international obligations. Nevertheless, only a very small proportion of the submissions that the Office received from stakeholders[47] and few of the comments made in consultation meetings indicate that the failure to achieve EU adequacy has impaired business and trade with European organisations. One confidential submission, for example, raised concerns that Australian organisations are unable to state that their privacy policies actually meet contractual obligations of international agreements. On the other hand, the Australian Direct Marketing Association (67) states:

‘it is clear that although Australia’s privacy regime has not been recognised as ‘adequate’ for the purposes of the EU this has not hindered organisations’ ability to conduct business with European counterparts’[48].

The Australian Bankers Association (70) and the Investment and Financial Services Association Ltd (89) call for the Privacy Commissioner to press for EU adequacy.

3.2 Recommendation: EU ‘adequacy’ and APEC

17. There is no evidence of a broad business push for ‘adequacy’. Given the increasing globalisation of information, however, there may be long term benefits for Australia in achieving EU ‘adequacy’. Certainly the globalisation of information makes the implementation of frameworks such as APEC important. The Australian Government should continue to work with the European Union on the ‘adequacy’ of the Privacy Act and to continue work within APEC to implement the APEC Privacy Framework.

3.3 NPP 9

Law and policy

The operation of NPP 9 is an important aspect of the global operation of the private sector provisions. NPP 9 outlines the circumstances in which an organisation can transfer personal information it holds to other countries. This principle is based on the restrictions on international transfers of personal information set out in the European Union Directive 95/46.

In its simplest terms, NPP 9 prevents an organisation from disclosing personal information to someone in a foreign country that is not subject to a comparable information privacy scheme, except where it has the individual's consent or some other circumstances apply, including where:

  • the transfer is for the benefit of the individual and the organisation can show grounds for a belief that if it were practicable to obtain consent the individual would be likely to give it or
  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the organisation and a third party.

NPP 9 does not prevent transfers of personal information outside Australia by an organisation to another part of the same organisation, or to the individual concerned. On the other hand, a company transferring personal information overseas to a related company must comply with NPP 9.

Issues

The issues paper noted that it is not clear how easy or otherwise organisations are finding it to work with the provisions of NPP 9 when transferring information, or the extent to which organisations are complying with NPP 9.

What submissions say – issues

Related companies

The Law Council of Australia (36) and the Investment and Financial Services Association Ltd (89) call for clarification in the way NPP 9 and section 13B(1) operate together. These submissions argue that it is not clear whether section 13B(1) enables a body corporate in Australia to transfer personal information to a related body corporate located outside of Australia without reference to NPP 9. One confidential submission states that transfer between related companies should not require additional consent.

Establishing that a law is substantially similar

Comments made during the consultation process indicate that there are a number of problems faced by organisations in respect to NPP 9. Many stakeholders express frustration at the fact that there is a lack of guidance regarding the countries whose regimes provide adequate protection equivalent to the NPPs[49]. In this situation the onus is on the organisation to assess the regime of the country in which their trading partner resides. Many stakeholders, especially small businesses, have criticised the efficiency of this system, arguing that they have neither the expertise nor the resources to assess a foreign country’s privacy laws.

Contract

From submissions and the comments received during stakeholder workshops, it appears that organisations are fulfilling their NPP 9 obligations of ensuring that personal information is protected when it is transferred to regions without privacy regimes through contractual arrangements with their trading partners[50]. While some submissions find this to be an effective solution[51], others are concerned about the costs associated with monitoring the compliance of their trading partners[52].

Other Issues

During stakeholder consultations, many consumers expressed concerns about overseas call centres[53]. The recent growth of international call centres has also attracted some attention in the media. The transfer of personal information overseas brings with it a perceived loss of privacy and control.

What submissions say – addressing the issues

Publish a list of countries with adequate privacy regimes

It has been suggested during consultations that the Privacy Commissioner should publish a list of countries found to have adequate privacy regimes[54]. Coles Myer Ltd (60) argues that publishing such a list would require the Commissioner to review and rate laws and governmental directives beyond privacy legislation, which would need to be constantly updated. Coles Myer Ltd (60) does not recommend the Commissioner’s resources be used on NPP 9.

Greater guidance

Some submissions suggest that the Office could provide greater guidance through publishing approved standard contracts to be signed by Australian companies and international trading partners which include provisions that protect information collected in Australia when it is transferred to organisations overseas[55]. The Australian Direct Marketing Association (67) states that an information sheet outlining the issues that should be addressed as part of a contractual agreement would also be beneficial.

Require notice that information is sent overseas

Electronic Frontiers Australia (51) argues that the NPPs should be amended to require organisations to give individuals notice that their information will be sent to a foreign country and that the individual will be required to deal with call centres located in a foreign country. Electronic Frontiers Australia (51) also supports requiring organisations to notify individuals of the means by which the Australian organisation has ensured their personal information will be adequately protected, unless the overseas organisation is subject to substantially similar privacy laws or the individual has consented to the transfer.

Options for reform

Exclude related companies from complying with NPP 9

Disclosure of personal information about an individual by a body corporate to a related body corporate is not ‘an interference with the privacy of an individual’ under section 13B(1)(b). Section 13B relates to the purposes for which information can be disclosed. NPP 9, on the other hand, relates to whether or not information can be sent overseas. Although section 13B(1)(b) permits the disclosure of the information, compliance with NPP 9 for transfers of information to a foreign country is still required.

If a company has an organisational link with Australia under section 5B, the extra-territorial provisions in the Privacy Act will apply. Therefore, if personal information is sent overseas to the same company, it will continue to be protected by the Privacy Act because the extra-territorial provisions apply. Section 5B does not appear to apply to related entities outside of Australia. As such, if information is sent to a related company, it may not be protected by the Privacy Act.

Where information is transferred outside of Australia and the extraterritorial provisions do not apply, it is in the public interest that NPP 9 applies. NPP 9 ensures that once the information is transferred, it will be treated in a way that is consistent with Australian privacy laws, or in a way to which the individual consents. The Office does not recommend excluding related corporations from NPP 9.

Publish a list of countries with substantially similar laws

Publishing a list of countries with substantially similar privacy laws would give organisations that transfer information overseas certainty about the countries to which they can safely transfer information. Establishing whether laws are substantially similar is, however, a very complex task. It would require considerable resources and would have implications for our relationships with other countries. It is not clear that this is an appropriate role for the Office.

Publish standard contractual provisions

The Office could provide greater guidance through publishing approved standard contractual provisions for use by Australian companies and international trading partners. These contractual provisions could provide for how the international company must protect information when the information collected in Australia is transferred to organisations overseas. The EU has issued contract provisions. Developing standard contractual provisions would have resource implications for the Office.

Provide greater guidance through information sheet

The Office could provide greater guidance through publishing an information sheet that outlines the types of issues that should be addressed as part of a contractual agreement and how to more easily assess whether a privacy regime is substantially similar. Although still resource intensive, this may be a more practical approach to take than issuing standard contractual provisions.

3.4 Recommendation: NPP 9

18. The Office will provide further guidance to assist organisations to comply with NPP 9 by issuing an information sheet outlining the issues that should be addressed as part of a contractual agreement and how to more easily assess whether a privacy regime is substantially similar.

4 Protecting individual’s right to privacy

4.1 Control over personal information

Law and policy

The NPPs reflect the policy that an individual should generally know what personal information an organisation has about him or her and how it intends to use it. The organisation must not collect information unless it is necessary for one or more of its functions or activities (NPP 1). Whether the information is collected directly from the individual or indirectly from a third party, the organisation should ‘take reasonable steps’ to tell the individual, among other things, the purposes for which the information was collected, to whom the organisation usually discloses such information and the consequences of not providing it (NPP 1.3 and NPP 1.5).

Generally speaking, the organisation cannot use or disclose the information for a purpose other than that for which it was collected (a secondary purpose) unless:

  • the purpose is related (or directly related if the information is sensitive information) to the primary purpose and the individual would reasonably expect the organisation to use it for such a purpose or
  • the individual has consented to the use or disclosure (NPP 2.1).

The NPPs apply to the collection of personal information for inclusion in a generally available publication, such as a telephone directory. They do not apply, however, once the information has been collected.

Issues

Possible topics for submissions

The issues paper suggested possible topics for submissions. They are:

  • extent to which organisations are adopting a bundled consent approach to their information handling practices
  • collection practices that limit an individual’s control over his or her personal information
  • extent to which current practices are essential to business efficiency that outweighs the impact on individual privacy interests
  • effectiveness of NPPs in ensuring consent to use and disclosure of personal information, where required, is real and voluntary, or if not possible, measures needed to compensate for not having a chance to give real consent
  • extent to which it should be possible for individuals to consent to unrelated secondary purposes
  • issues arising in relation to the private sector provisions and personal information that is publicly available and
  • ways of overcoming any issues that arise on this topic.

Information collected indirectly

The issues paper noted that it may be more difficult to ensure the individual is aware of the matters listed in NPP 1.3 and NPP 1.5 when the organisation collects personal information indirectly. It acknowledged that in some cases it may be ‘reasonable’ to make less effort to give people NPP 1.3 information than it would otherwise be, or even to do nothing at all.

If the individual is not informed, however, he or she may have lost the control over personal information that the NPPs intended individuals should generally have. Information given to one organisation (compulsorily in the case of some publicly available information) may be used by another organisation for a completely different purpose without the individual’s knowledge.

Bundled consent

The issues paper noted that the NPPs do not specifically require organisations to get an individual’s consent to collect personal information (except sensitive information). An organisation can use and disclose personal information without consent as long as the use or disclosure is for the main purpose of collection, or a related (or directly related in the case of sensitive information) purpose and is within the individual’s reasonable expectations. Generally speaking, an organisation need only get an individual’s consent for uses and disclosures of personal information that are for unrelated secondary purposes[56].

The issues paper focussed on bundled consent, that is, the bundling together of consent to a wide range of uses and disclosures of personal information without giving the individual an opportunity to choose which uses and disclosures they agree to and which they do not, often sought as part of the terms and conditions of a service.

Community attitudes survey

The Office commissioned research into community attitudes towards privacy in 2001 and 2004[57]. Community Attitudes Towards Privacy 2004 reports that while the quality of a product or service was rated as the most important element of customer service by respondents, respect for and protection of personal information was rated almost as highly.

The survey also reports that privacy policies are not necessarily being read, partly due to the length and complexity of the information. Respondents were asked what aspects of privacy policy are most important to be included in a short privacy notice. The order of importance is:

  • how the information will be used (47%)
  • if and when the organisation will pass on my information (15%)
  • what information will be kept (15%)
  • how to prevent being contacted for marketing purposes (12%)
  • how to access or change my information (6%)
  • can’t say (4%).

What submissions say - issues

Collection practices

Submissions raise a number of issues arising from the collection of personal information. In the view of the Australian Privacy Foundation (90), there is widespread non-compliance with the requirements of NPP 1.3 and NPP 1.5, which will not be likely to be exposed by complaints. Nevertheless, it is satisfied with the qualification that an organisation take ‘reasonable steps’ to ensure that the individual is aware of the matters listed in NPP 1.3.

An organisation’s functions or activities

NPP 1.1 limits the collection of personal information by an organisation to that necessary for its ‘functions or activities’. The organisation itself, however, determines what its functions and activities are, and the limitation on the collection of information may be seen to be illusory.

A number of participants in stakeholder forums raised the issue of the collection of unnecessary personal information. It was said, for example:

  • when real estate agents collect personal information from tenants, the tenant has little choice but to give the agent the information, otherwise the agent may not deal with them
  • there are problems with the extent of health information sought as part of pre-employment checks
  • insurers also sometimes seek more information than seems to be necessary and
  • a charity organisation said it could not afford to oppose a subpoena demanding access to its files.

Privacy notices

It was suggested that some NPP 1.3 and 1.5 notices are unhelpful and confusing and probably do more harm than good in terms of public awareness and understanding. The Law Council of Australia (36) notes that a practice has emerged of organisations providing lengthy privacy collection notices. It believes organisations are trying to address the criteria required by NPP 1.3 and to put individuals on notice as to what uses and disclosures they might reasonably expect. As a result, it says, consumers are confused.

Electronic Frontiers Australia Inc (51) expresses concern about the practice of including NPP 1.3 information in privacy policies that are subject to change without notice and often are not dated. It provides examples of such notices, including:

[Mobile phone company] reserves the right to change this Privacy Policy at any time and notify you by posting an updated version of the Policy on its web site. The amended Privacy Policy will apply between us whether or not we have given you specific notice of any change. We encourage you to review this Privacy Policy periodically because it may change from time to time.

Confusion about who should notify

Another issue is the question of who should be responsible for notifying theindividual when personal information is rented or sold by one organisation toanother: the organisation that collected the information in the first place, or theorganisation to whom it has been sold for use. Australia Post (109) and twoconfidential submissions address this issue.

Indirect collection

Finally, the Australian Consumers Association (15) raises the issue of indirect collection. It is concerned that an individual has no control when personal information is collected indirectly. The collector may collect the information for a primary purpose quite unrelated to the individual’s expectations when he or she handed over the information in the first place:

‘Many of the ‘protections’ in the Act revolve around the control of secondary uses of personal information. However indirect collection can have a primary purpose unrelated to the consumers’ expectations when the data was originally given up – and hence the data is magically transmuted into information the use and possession of which at best the consumer can expect to be informed in retrospect.’

Bundled consent – consumer viewpoint

Most submissions that address the issue of consent discuss bundled consent. The submissions fall into two categories. Submissions from consumer groups are highly critical of the practice of bundling consent. Submissions from business organisations say why it is necessary.

‘Bundled consent’ refers to the practice of bundling together consent to a wide range of uses and disclosures of personal information without giving individuals an opportunity to choose which uses and disclosures they agree to and which they do not. Many submissions address the issue. Submissions from consumer groups criticise the practice.

The Australian Consumers’ Association (15) describes it as ‘where consent is sought too broadly for the consent to have any real controlling influence on the relationship the consumer has with the business.’ Xamax Consultancy Pty Ltd (3) says that it totally undermines the requirement that consent be meaningful, informed and freely given.

In the view of Electronic Frontiers Australia Inc. (51), individuals cannot give free and informed consent when they are presented only with broad and/or vague statements concerning possible uses and disclosures, and/or told that services will not be provided if they do not ‘consent’ to the bundle.

The Consumer Credit Legal Centre’s (62) submission includes a case study highlighting a credit contract which included the statement:

‘I hereby authorise [Finance Corp] or their agents or employees to discuss any information about my account with anyone (emphasis added).’

Some insurers insist members sign a release form allowing the insurer to access any of their records at any time for any reason. The Australian Physiotherapy Association (37) says that this is inappropriate for sensitive health information. It also identifies another unacceptable practice, namely the use of bundled consent by third party insurers to obtain information, sometimes years after the treatment.

The Australian Communications Authority (94) is concerned that individuals are not given the opportunity to consent to some uses and not to others. It says that denial of service is common and that organisations also bundle the receipt of commercial electronic messages from the organisation itself or others with delivery of service or membership arrangements. It is not, in its view, good practice to make provision of a service or other benefits conditional on consent to receive commercial electronic messages.

The Australian Privacy Foundation (90) distinguishes between bundling consent to use or disclosure for a variety of purposes, which may be reasonable in some circumstances, and making consent for a non-essential secondary purpose a condition of doing business, which is not.

Bundled consent – business viewpoint

Many submissions from business, in particular the finance and telecommunications industries, outline the reasons why it is often necessary to bundle consent. Submissions from the health sector also address this issue.

Telecommunications

Both Virgin Mobile (Australia) Pty Ltd (26) and Vodafone Australia Ltd (112) state that obtaining consent for each specific use of an individual’s personal information would significantly increase the complexity and the costs of compliance. Virgin says that these costs would inevitably be passed on to consumers. Furthermore, says Vodafone, unbundling consent would result in an undesirable customer experience for both consumers and suppliers because of the increased volume and frequency of communications that would be necessary to achieve the same result that bundled consent achieves more efficiently.

Finance

Submissions from the finance industry explain why, in the industry’s view, bundling consent is necessary. The Australian Finance Conference (AFC) (63) states that bundled consents have arisen because the meaning of ‘primary purpose’ is uncertain. ‘Primary purpose’ can be interpreted narrowly or broadly. When a customer submits an application for finance, it asks, is the processing of the application the primary purpose of collection, or is it, more broadly, the provision of finance? If the latter, it would include, in addition to processing the application, managing the account, administering insurance claims, recovering money owed and maintaining the value of the asset. The Investment and Financial Services Association Ltd (89) makes a similar point. Both submissions state that to require individual consents for each process would be very costly. In the view of the AFC (63):

‘It was not Parliament’s intention that a financier should be obliged to separately identify each of these uses and provide the individual with the option of selecting which of them he or she consents to. While a computer program could be designed to implement this the cost would be prohibitive and the daily management of customer choices virtually impossible.’

The AFC (63), the Australian Bankers Association (70) and Suncorp-Metway Ltd (35) identify other reasons relevant to the issue of bundled consent in the finance industry. For example, the banker’s duty of confidentiality and motor vehicle licensing and registration may require a disclosure notification beyond that required by the Privacy Act. Banks outsource many of their functions to service providers, many of whom are offshore, and if a customer failed to consent to the disclosure of their information to the service provider it would be unlikely that the organisation could provide a service to the customer. Finally, they say customers have extensive freedom and choice of product and provider in the finance sector.

Doctors

The Australian Medical Association Ltd (29) states that doctors will continue to bundle consent as long as the primary purpose for collecting personal information in NPP 2 is taken to relate to an episode of care. If, on the other hand, the primary purpose were the health and well being of the patient, then there would be no need for doctors to bundle a series of consents. In addition, in the view of the Department of Health, South Australia (53), it is impractical not to have bundled consent in the context of existing electronic architecture and general medical practices, and it is impractical to make a decision in one sector (for example, the private health sector) because, given the interconnectedness of the public and private medical sectors, it will inevitably affect the other.

Residential tenancy databases

Residential tenancy databases are a particular case. Many real estate agents use tenancy databases to help them decide whether or not to let a property to a particular person. When applying to rent a property a prospective tenant will be expected to provide personal information for disclosure to a tenancy database. He or she has little choice but to consent. The Tenants’ Union of Queensland (69) says:

‘Through one signature, individuals’ consent is gained for a range of matters, and without this they will be denied the tenancy. By gaining this consent, the collecting organisation has a greater ability to use and disclose the information. The uneven bargaining power means consumers have little or no power to resist the invasion of privacy and are pressured to consent to a range of things they may not really agree with’.

The Tenants’ Union ACT (87) agrees. It believes that, because of this practice, a prospective tenant has no real choice about handing over their personal information, so the protection that would otherwise be provided by the NPPs is lost to them, that is, the NPPs do not work.

At recommendation 7, this report suggests that the Australian Government should consider amending the Privacy Act to provide for a power to make a binding code. It also recommends that, assuming the Act is amended, the Commissioner could make a binding code that applies to tenancy databases. (See recommendation 16 in the Residential Tenancy Databases section.)

Publicly available information

Many people are uncomfortable with the notion that publicly available information, including the electoral roll and the white pages, can be used for purposes other than those for which the information was collected. In the survey, Community Attitudes towards Privacy 2004, commissioned by the Office, for example, 77% of respondents thought that the electoral roll should not be used for direct marketing and 46% thought that the white pages should not be. The issue is more critical as technological developments make it easier to manipulate the material, for example, by reverse sorting it to identify a person’s address from their telephone number.

Submissions are divided as to whether or not publicly available personal information should be subject to the NPPs. Some, for example, Xamax (3) say that publicly available information should be used only for the purpose for which it was collected. The Australian Privacy Foundation (APF) (90) urges the reconsideration of the breadth of the exemption of publicly available information from the operation of the NPPs, other than the collection principles.

The Australian Communications Authority (94) states that the use of publicly available information should be conditional so that ‘it is not automatically assumed an individual agrees to it being used for a myriad of purposes simply as a result of it being readily available’.

Charities are of the opinion that access to generally available information is necessary in order to raise funds. According to the Cerebral Palsy League of Queensland (44), ‘access to publicly listed information is the key to the survival of many organisations’. Not having access would limit its ability to raise funds and to assist in providing services to people with cerebral palsy[58].

Some businesses use publicly available personal information to cleanse their data. Coles Myer (60) is concerned that access to public registers is diminishing as they are ‘a valuable tool to ensure data quality and accuracy obligations under the Privacy Act are met.’[59] In the view of the Australian Direct Marketing Association (ADMA) (67), the industry would struggle to maintain current levels of accuracy without publicly available information, which it regards as an ‘essential updating and validation tool’.

For members of the Australian Finance Conference (63), it is imperative to be able to continue to collect personal information from public sources to verify objectively the identity of an applicant for finance and his or her asset holdings, and to confirm capacity to repay. They believe also that access to public sources is essential to meet their obligations under NPP 3.

The Australian Institute of Private Detectives (38) and the Institute of Mercantile Agents, the Australian Collectors Association and the Australian Institute of Credit Management (115) argue in favour of the continued availability of publicly available information to enable them to carry out their investigative and debt collecting functions.

Finally, some submissions want no change to the existing law. Australia Post (109), for example, believes that any proposal to review the collection and use of publicly available personal information is unnecessary. Similarly, the Victorian Automobile Chamber of Commerce (113), whose members use publicly available personal information, among other sources, to identify potential customers, would oppose any proposal to prohibit or limit its use.

What submissions say – addressing the issues

Short form privacy notices

One of the consequences of the requirements of NPP 5 (Openness) and NPPs 1.3 and 1.5 is that privacy notices are often very long. In the view of Australia Post (109), the obligations imposed on organisations by NPP 5, particularly NPP 5.1, have had the positive effect of creating privacy awareness in the community.

The Law Council of Australia (36) supports the move by the Data Protection and Privacy Authorities internationally to develop a condensed or short privacy notice. Furthermore, it considers that organisations should not be required to include information which is obvious to the ordinary consumer in a privacy collection notice. The need for short privacy notices was also raised in consultations. On the other hand the Investment and Financial Services Association (89) says that although disclosure documents issued by its members may appear lengthy they contain detailed information assisting consumers to understand their rights.

Office should give more guidance

The Australian Privacy Foundation (90) suggests that further guidance from the Office as to what constitutes an acceptable NPP 1.3 or NPP 1.5 notice, or what does not, would be helpful. It also suggests the Office could play a role in improving the intelligibility and clarity of notices. It suggests the Office should become much more proactive in issuing template notices for different sectors and that these should be developed in consultation with industry bodies and relevant non-government organisations.

Stricter regulation of privacy notices

Electronic Frontiers (51) suggests that privacy policies containing NPP 1.3 and NPP 1.5 information should have to include the date of issue and changes made since the earlier version should have to be highlighted or noted. It also suggests that changes to NPP 1.3 and NPP 1.5 information involving new uses or disclosures should not be able to apply to previously collected information, unless the organisation has directly notified the individual concerned of the changes and provided an opportunity to opt-out of the new uses or disclosures, or to terminate the relationship with the organisation without detriment.

Finally, Electronic Frontiers (51) suggests an organisation should not be able to rely on NPP 2.1 to use or disclose an individual’s personal information, unless the information in the NPP 1.3 or NPP 1.5 notice is specific enough to enable the individual to give free and informed consent, or to make an informed choice about whether to provide the information. A confidential submission also states that the notification requirements should be strengthened in the context of the transfer of health information within multidisciplinary teams.

Onus should be on supplier of personal information

A confidential submission states that list brokers and telecommunications companies that supply lists to other organisations should be required to ensure that their list collection and generation processes are compliant with NPP 1.3 and NPP 1.5 to reduce complaints to the organisations using the lists.

Limit collection

The Australian Privacy Foundation (APF) (90) suggests that NPP 1.1 requires an objective test of what is necessary for an organisation’s functions or activities, that is, that the organisation cannot determine for itself whether or not information is necessary. It says NPP 1.1 should be amended to make it clear that compliance can legitimately be challenged by a third party, particularly by the person whose information is being collected.

APF (90) goes on to say that there should also be a proportionality requirement, that is, the type and amount of personal information collected should be no more than is required for the collector’s primary purpose. Consideration should also be given to including a provision that collection should be allowed ‘only for purposes that a reasonable person would consider are appropriate in the circumstances’[60].

The Australian Retailers’ Association (111) recommends that the collection of personal information for the purpose of making refunds should be explicitly allowed under the Act. This is because, it says, the ability to collect personal information when making a refund provides some degree of protection against a possible fraud where the goods have been stolen and exchanged for cash.

The Privacy Law Consulting Network (66) suggests that, in the light of the judgment in a case decided in 2004[61], it would be desirable to define the phrase ‘functions or activities’ to provide more certainty for business.

Publicly available personal information

The Australian Finance Conference (63) recommends that the definition of personal information be amended to exclude information obtained from public sources and unsolicited information.

Options for reform

Amend NPP 1.1

NPP 1.1 limits the collection of personal information to that necessary for an organisation’s ‘functions or activities’. This limitation could be strengthened by making the test of what is necessary for an organisation’s functions or activities an objective one. The organisation itself would not be the judge of what information is necessary. NPP 1.1 could be amended to make the test an objective one. This would make it possible for an individual to challenge the collection of particular information. However, in practice it would be difficult to implement. Furthermore, it is not likely that the benefits of doing so would outweigh the costs.

Amend NPP 5.1

NPP 5.1 requires an organisation to set out in a document clearly expressed policies on its management of personal information. It is, however, somewhat vague about what it requires organisations to do. Short form notices would improve the quality of an organisation’s communication with its customers. NPP 5.1 could be amended to clarify the openness obligation.

Privacy notices could be dated

Privacy notices are often not dated. This makes it difficult for consumers to establish exactly what they were told, or agreed to, at a particular time. Privacy notices could be dated as a matter of ‘best practice’, and the Office could publish an advice to that effect.

Develop short form privacy notices

Privacy notices have become very long. A long privacy notice may not fulfil its purpose of informing a consumer because the consumer may be overwhelmed and confused by its length. The Office’s Community Attitudes Survey reports international research that shows that people do not necessarily read privacy notices, partly because they are too long and complex[62].

Longer privacy notices have come about partly as a result of organisations’ uncertainty as to the distinction between the primary and secondary purposes of collection and their attempt to avoid ‘bundling’ consent to a number of purposes of collection. There are international moves to develop short form privacy notices. There could be provision for short form notices, followed by a longer notice that includes all the information required by NPPs 1.3 and 1.5. A consumer who is satisfied with the information provided in the short form notice need not read the longer notice, yet all the information is available to the consumer who wants it. This may also satisfy the Openness requirement in NPP 5.

Office could assist organisations with notices

The Office is currently working towards developing a short notice for its own personal information handling practices with a view to demonstrating how such a notice might work in a public sector agency. It acknowledges that getting notices right may be difficult for some organisations, especially smaller businesses that do not have access to extensive legal advice. Subject to the availability of resources, the Office could play a more active role in assisting businesses develop their notices by developing template notices for different sectors, in consultation with them, and by issuing examples of both satisfactory and unsatisfactory notices.

Office could publish guidance on bundled consent

Bundled consent is a practice that may confuse consumers and may derogate from their rights under the Act. It is also an issue that confuses a lot of organisations. The Office could play a role in working with stakeholders to clarify the issue. The Office could publish guidelines about bundled consent.

Publicly available personal information

It is clear that restricting the use of publicly available personal information further than has already occurred may inhibit the operations of some businesses and the fundraising activities of charities. However, as currently applied, it is consistent with the policy underlying the Privacy Act that information provided for a purpose should be used only in accordance with that purpose.

Office could play greater educative role to raise community awareness

Community awareness of individuals’ privacy rights and confidence in the protection of individuals’ rights is growing slowly but is not high. The greater the awareness an individual has about his or her rights, the more likely he or she will exercise control over what is done with the information. The Office could play a significant role in raising community awareness and confidence. Business and consumer groups alike agree that this should be so. An enhanced educative role would have resource implications for the Office. This is discussed in more detail later in this chapter.

4.2 Recommendations: Control over personal information

19. The Australian Government should consider amending NPP 5.1 to provide for short form privacy notices. This could also clarify the obligations on organisations to provide notice, and clarify the links between NPP 1.3 and NPP 5.1.

20. The Office will encourage the development of short form privacy notices. It will also play a more active role in assisting businesses develop their notices by developing template notices for different sectors, in consultation with them, and by issuing examples of both satisfactory and unsatisfactory notices.

21. The Office will develop guidance to the effect that privacy notices should be dated.

22. The Office will develop guidance on bundled consent, noting the possible tension between the desirability of short form privacy notices and the desirability of lessening the incidence of bundled consent.

4.3 Direct marketing

What is direct marketing?

Direct marketing refers to the promotion and sale of goods and services directly to the consumer. Direct marketers promote their goods and services by mail, telephone, email or SMS. They compile lists of consumers and their contact details from a wide variety of sources. These include public records, including the white pages, the electoral roll, registers of births, deaths and marriages and land titles registers. They also include membership lists of business, professional and trade organisations, survey returns, mail order purchase information and so on. Organisations that have their own database of consumers to whom they supply goods or services, for example, telephone companies and other utilities, may also use their database for direct marketing. Direct marketers may also acquire databases from other direct marketers.

Law and policy

When can personal information be used for direct marketing?

Direct marketing is directly addressed by NPP 2.1, which governs the use and disclosure of personal information. NPP 2.1 distinguishes between the primary and the secondary purposes of collecting personal information, and limits the use and disclosure of information for a purpose other than the primary purpose of collection.

Information collected for the purpose of direct marketing

An organisation that collects information for the primary purpose of direct marketing, whether directly from the individual who owns the information or from someone else, can use and disclose it for that purpose. The same applies if direct marketing is related to the purpose for which the information was collected (directly related in the case of sensitive information) and the person from whom it was collected would reasonably expect the organisation that collected it to use or disclose it for direct marketing.

Information not collected for the purpose of direct marketing

In some circumstances an organisation can use personal information for direct marketing even if direct marketing was not the primary purpose of collection and direct marketing is unrelated to the purpose of collection and not within the reasonable expectations of the person who owns the information. The organisation may use the information if:

  • the person from whom the information was collected has consented to the use or disclosure of the information for direct marketing or
  • (if the information is not sensitive information) it is impracticable to get consent before using the information and
    • the direct marketing organisation gives the individual the opportunity to opt-out of receiving material (at no cost)
    • the individual has not already asked the organisation not to send material
    • in every communication the organisation draws the individual’s attention to the fact, or prominently displays a notice, that he or she may opt-out of receiving further material and
    • each communication includes the relevant contact details of the organisation (including electronic contact details if the material was sent by electronic means)[63].

Individual may not know that information has been collected for the purpose of direct marketing

An individual whose information is collected by a direct marketing organisation for the purpose of direct marketing may not necessarily know that this has occurred. The organisation may, for example, purchase a list from another organisation. The purchasing organisation must then ‘take reasonable steps’ to ensure the individual has been made aware of, among other things, the purposes for which the information was collected[64].

Whether or not the individual is made aware hinges therefore on what constitutes reasonable steps to make him or her aware. It may be reasonable to do very little to ensure that all the people on the list are made aware that the list has been acquired for the purposes of direct marketing. Even when the information is collected from the individual directly he or she may not understand it is being collected for direct marketing purposes. For example, an organisation may run a competition for the primary purpose of collecting information; awarding prizes to successful entrants being a secondary purpose. The individual, on the other hand, may assume that the purpose of the competition is to provide an opportunity to consumers to win prizes. Even if he or she reads the fine print, an individual is unlikely to draw a distinction between a primary and a secondary purpose and to understand the consequences of the distinction.

Rationale

The provisions are intended to strike a balance between the business interests of organisations involved in direct marketing and the privacy interests of consumers affected by the activity. The legislation acknowledges the commercial practice of direct marketing and the related activity of acquiring personal information about individuals to enable organisations to market their products efficiently and effectively. It also recognises the privacy interests of individuals who may find themselves the unwilling recipients of direct marketing material.

Community attitudes survey

The Office commissioned research into community attitudes towards privacy in 2001 and 2004[65]. Community Attitudes Towards Privacy 2004 reports that concerns about unsolicited marketing material have dropped slightly since 2001. Nevertheless, 61% of respondents feel either ‘angry and annoyed’, or ‘concerned’ when they receive marketing material. While 77% of respondents are opposed to the use of the electoral roll for marketing purposes, respondents are roughly evenly divided about the use of the White Pages (44% in favour and 46% against)[66].

Issues

The issues paper drew attention to the fact that the NPPs require organisations to give individuals the opportunity to opt-out of receiving material when direct marketing is a secondary purpose of collection of personal information but do not do so when direct marketing is the primary purpose of collection. The issues paper suggested possible topics for submission, including:

  • the appropriateness of the opt-out provisions and NPP 2.1(c) generally
  • the different protection that applies to information used for direct marketing according to the purpose for which it was collected, and whether the inconsistency raises issues for individuals or business
  • evidence of the incidence of complaints about the application of NPP 2.1(c)
  • business practice in relation to opt-out and whether or not organisations are providing it even when not required to do so and
  • how to address issues that arise in relation to privacy and direct marketing for individuals or business.

What submissions say – the issues

Overview

Most submissions that address this issue focus on whether consumers should be able:

  • to opt-in to direct marketing by an organisation, that is, be given the opportunity to elect to receive material, or not, before it is sent or
  • to opt-out, that is, on receipt of the first (or a subsequent) communication, be given the opportunity to say they do not want to receive further material.

In general terms, consumer organisations favour opt-in and businesses, business organisations and charities favour opt-out.

Consumers

In the view of the Consumer Credit Legal Centre (NSW) Inc (62) and the Consumers’ Federation of Australia (65), the direct marketing provisions of the Privacy Act favour the interests of business over those of consumers. The provisions start with the assumption that personal information can be used for direct marketing. Their submissions favour opt-in because it gives consumers some control over the use or disclosure of their personal information.

The Australian Consumers’ Association (15) points out that the corollary of not needing to seek consent (when the personal information has been collected for the purpose of direct marketing, whether directly or from a third party) is that the consumer has no capacity to withdraw consent. It nominates as a useful guide to contemporary thinking the eMarketing Code of Practice[67]. It also suggests that it would be better to adopt the approach of the Spam Act and to refer to ‘commercial messaging’, which is wider than the traditional direct marketing and avoids boundary issues about what marketing is direct and what is not.

Electronic Frontiers Australia Inc (51) notes that the direct marketing provisions of the Privacy Act are inconsistent with the Spam Act, which requires consent. (The Spam Act on the other hand exempts some senders from the requirement to provide a means of opting out.)

Finally, the Australian Privacy Foundation (90) makes the point that if NPP 2 is working well, then NPP 2.1(c) adds nothing but confusion.

Business

Submissions from businesses and business organisations strongly favour opt-out, that is, that it is sufficient that organisations give consumers an opportunity to opt-out of any further communication. Compvice Pty Ltd (48), a small business providing voice broadcast services, says:

‘Most people do want to receive telemarketing and marketing material. I see this every day. I have developed a simple way for people to opt-out of our voice broadcast campaign pushing the number 9 on their phone. . . We have made 10 000s of calls using this system and found on average less than 5% of people opt-out’.

It goes on to say that the problem is that there is no simple and effective way for this 5% of people to opt-out of all marketing lists and that there is no ‘Do Not Contact’ list apart from ADMA’s, which is ‘too expensive for some small businesses to access.’

Opt-out works well for business

Submissions from business agree that opt-out works well. Suncorp-Metway Ltd (35), for example, provides its customers with an opportunity to opt-out from direct marketing when it collects personal information in the first place. It has had no complaints. ANZ (40) says opt-out is working well – 5% of its customers opt-out. The Australian Bankers Association (70) says there is a low opt-out rate across the industry (less than 10%) and that most customers want direct marketing material.

Coles Myer (60) also says that opt-out is working well. It maintains an opt-out register and regularly washes its direct marketing list against its own register and against the ADMA register. It has more complaints from people not receiving marketing material than it has complaints about junk mail. This is consistent with the experience of Optus (98). It accepts all opt-out requests, has very few complaints and reports that customers want its marketing material.

Economic considerations

A number of submissions address the economic implications of changing the law to require opt-in instead of opt-out. Telstra Corporation Ltd (110) says that amending NPP 2.1(c) would result in additional compliance costs that would be unwarranted and not required.

Other submissions look at the broader consequences of change. The Mailing House (79) points out that the direct marketing industry is a major contributor to the economic health of Australia. It says that any change impeding it:

‘would have a serious effect upon the health of this sector and accordingly the financial wellbeing of The Mailing House and the 50 or so families who rely on its financial strength and success to establish and provide their households, educate their children, and provide all the other essentials and luxuries that help make a strong Australian economy’.

Credit Union Services Corporation (CUSCAL) (64) considers the competition implications of any change which, it says, would favour its larger competitors, in particular the major banks.

Charitable organisations

Submissions from several charitable organisations express concern about the possibility of a change to opt-in. The Royal Institute for Deaf and Blind Children (24) says that direct marketing is the most effective way of communicating to the public.

The Cerebral Palsy League of Queensland (44) says that opt-in would result in a loss of income and a loss of employment.

The Fundraising Institute (52) does not support changes to NPP 2.1(c) because, in its view, the provision provides adequate and appropriate opt-out options for individuals.

A participant in one of the stakeholder forums said that to take away the ability of charitable organisations to market directly would impose a significant burden on the community as services provided by charities would be unable to continue.

ADMA submission

In its submission, which is supported by a number of organisations[68], the Australian Direct Marketing Association (ADMA) (67) states that the most important aspect for an individual when providing personal information to an organisation is to understand how the organisation is going to use it. This is based on ADMA’s own research.

It acknowledges that where an organisation indirectly collects data for the primary purpose of direct marketing the individual may, in some instances, lose control of their personal data. It would support a recommendation that organisations indirectly collecting information for unsolicited direct marketing purposes be obliged to ensure that at the time of collection or as soon as possible after collection (that is, at the first marketing approach) the individual is given an opportunity to opt-out of further direct marketing.

ADMA goes on to say that 80% of respondents to its research are comfortable with organisations collecting and using personal information for direct marketing purposes if, within the first marketing communications and at any time subsequently, they are given an opportunity to opt-out of future communications.

ADMA reports that 68% of respondents to its research would be comfortable with giving organisations their details for direct marketing purposes if they had a right, at any time, to ask the company to stop using it for direct marketing purposes. ADMA says it is standard practice for its member organisations to comply with any request received from an individual not to receive further marketing approaches, even when not required to do so by law.

What submissions say – addressing the issues

General right to opt-out

As discussed above, consumer groups favour opt-in as the general rule and businesses and charities opt-out. In its submission, ADMA states that it would support a recommendation that:

  • the individual should have a general right, at any time, to opt-out of future direct marketing approaches and
  • the organisation should be obliged to comply with the request within 45 days of receipt.

This is consistent with the Privacy Commissioner’s submission to the Senate Legal and Constitutional Legislation Committee Inquiry into the Provisions of the Privacy Amendment (Private Sector) Bill 2000. The submission argued that all organisations using personal information for direct marketing should be required to give the individual the express opportunity at the time of first contact to express a wish not to receive any further direct marketing communications. This could possibly be qualified where the use is within the reasonable expectations of the individual or consistent with the ongoing business relationship of the direct marketer and individual. It would overcome the current distinction in the NPPs between personal information collected from a third party for the primary purpose of direct marketing and personal information used for the secondary purpose of direct marketing. As long as the process for opting out was not difficult and the request acted on promptly, this would give individuals a degree of control.

On the other hand, the proposal does not go beyond what ADMA says is the current practice. In the view of the Australian Privacy Foundation (APF) (90), a simple across the board requirement to offer an opt-out with every communication is justified by the level of irritation with direct marketing and general lack of awareness and understanding of marketing methods. It goes on to say:

‘This should not be taken as surrendering our position in relation to a positive consent requirement (opt-in) for direct marketing which is outside the reasonable expectations of individuals when their information was collected’.

APF says opt-in should apply to direct marketing which is outside the reasonable expectations of individuals when their information was collected. In addition, the APF supports national ‘do not market’ registers.

Consent

In the view of Electronic Frontiers Australia Inc (51), a general right to opt-out of future communications is not enough. It says that the NPP 2.1(c) exception permitting secondary use of personal information for direct marketing without consent is inconsistent with the recently enacted Spam Act and is totally unacceptable and must be amended. It says personal information should only be used for marketing purposes with explicit consent, not by default.

Other submissions refer to the Spam Act, which requires an individual’s consent to the use of personal information for the purpose of direct marketing. The Australian Communications Authority (94) says that an opt-out regime was found to be unworkable in relation to the sending of commercial electronic messages. The Law Council of Australia (36) recommends that consideration be given to harmonising the direct marketing provisions of the NPPs with the Spam Act.

In Canada, a note to Principle 4.3 of the Personal Information Protection and Electronic Documents Act 2000, dealing with consent, acknowledges that seeking consent may be impractical for a charity or direct marketing firm that wants to buy a mailing list from another organisation. It says that, in such cases, the organisation providing the list would be expected to obtain consent before disclosing personal information.

More effective ‘Do Not Contact’ registers

Some submissions refer to ‘Do Not Contact’ registers. ADMA maintains such a register. Individuals may register their name on a Do Not Contact list in relation to mail, telephone, direct response television, the internet and mobile phones. ADMA members and other organisations can wash their lists against the ADMA list.

However, it is not an absolute and universal ‘Do Not Contact’ list as not all direct marketers are ADMA members, and likewise some businesses may not make the commercial decision to access the names on the list. In addition some small businesses may not be able to afford to use it. Compvice Pty Ltd (48) says there needs to be a cheaper way to access the register.

The Australian Privacy Foundation (90) and Sensis (84) favour ‘Do Not Contact’ registers. In Sensis’ view, the introduction of a national ‘Do Not Contact’ register could improve privacy protection for individuals.

Inform individuals where information came from

In its submission, ADMA says its experience is that informing individuals of the source of the data being used gives them more control over their personal information and reduces the number of repeat complaints about unsolicited marketing. It goes on to say:

‘Although ADMA would support a recommendation that NPP 5.2 be amended to require an organisation, on the request from an individual, to inform the individual where the data was sourced, there is a concern that many small organisations, in particular charities, do not currently have the technical capability to comply with such a requirement’.

That being said, ADMA believes the issue is of sufficient importance that organisations should be taking appropriate steps to ensure this requirement can be met. As it is clear that some organisations will need time to make necessary adjustments, ADMA recommends that the requirement to disclose the source of data on request be introduced initially as a best practice guideline with the understanding that, after a period of 18-24 months, the requirement will become mandatory through either a Code rule or legislative amendment.

Few written submissions address this issue. In stakeholder forums, there was considerable support for the idea. In Adelaide, for example, a number of people were in favour of introducing a requirement for direct marketers to tell people from whom they got an individual’s personal information. Participants representing charitable organisations argued that to do so would be too costly and difficult for many charities to implement.

Options for reform

General right to opt-out

It appears that most organisations give consumers a right to opt-out of future direct marketing approaches whether or not direct marketing is a secondary purpose of collection. This gives consumers a degree of control over the use of their personal information they would not otherwise have. It may not add unduly to compliance costs if organisations are required to give all consumers the right to opt-out of future direct marketing at any time and to comply with the request within a specified timeframe.

No direct marketing without consent

A more stringent requirement would be to require direct marketing organisations to acquire the individual’s consent before using his or her personal information for the purpose of direct marketing. The Spam Act provides a precedent for this. On the other hand, requiring consent would increase costs for business and for charities that are dependent on direct marketing to raise funds.

Require organisations to tell individuals where their personal information came from

One of the aspects of unsolicited direct marketing that appears particularly to irritate consumers is that the direct marketer has acquired his or her personal information without the individual’s knowledge or consent. The direct marketer is under no obligation to inform an individual where it acquired the personal information. If it were, the individual could then complain to the organisation that had released the information and, if appropriate, make a formal complaint to the Office. Organisations could be required to tell individuals, on request, the source of their personal information. The organisation would have to tell the individual only where it got the information from, not the original source.

Establish a ‘Do Not Contact’ register

ADMA maintains a ‘Do Not Contact’ register for the use of its members and other organisations. Its existence could be more widely known in the community. Membership of ADMA and the cost of accessing the register on a regular basis may be beyond the resources of some small businesses. A well publicised national register may reduce the level of unwelcome direct marketing. There are precedents in the United States (where 62 million phone numbers were registered in the first year of operation) and the United Kingdom. Different models exist which may exempt certain organisations.

4.4 Recommendations: Direct marketing

23. The Australian Government should consider amending the Privacy Act to provide that consumers have a general right to opt-out of direct marketing approaches at any time. Organisations should be required to comply with the request within a specified time after receiving the request.

24. The Australian Government should consider amending the Privacy Act to require organisations to take reasonable steps, on request, to advise an individual where it acquired the individual’s personal information.

25. The Australian Government should consider exploring options for establishing a national ‘Do Not Contact’ register.

4.5 Awareness of, confidence in and capacity to exercise rights

Law and policy

One of the objects of the private sector provisions is to establish a scheme for the handling of personal information that recognises individuals’ interests in protecting their privacy. The provisions recognise those interests by:

  • requiring organisations, where reasonable, to give an individual information about their information handling practices so he or she can make a decision about whether or not to give their personal information
  • requiring organisations to get an individual’s consent to collect or disclose in certain circumstances
  • giving individuals the right to access information a business holds about them and
  • enabling individuals to complain to the Office if a business does not comply with the NPPs.

The provisions aimed to ensure that ‘Australians can be confident that information held about them by private sector organisations will be stored, used and disclosed in a fair and appropriate way’[69].

Issues

The issues paper suggested a number of topics for submissions related to individuals’ capacity to exercise their right to privacy. It asked about:

  • evidence of levels of awareness and the impact of this on the operation of the private sector provisions
  • effectiveness of the information provision requirements in raising awareness, how to improve privacy notices and how to improve awareness generally
  • evidence of levels of community confidence that privacy rights are protected and ways to encourage confidence, in particular confidence that privacy is protected online and
  • information about the extent of individuals’ ability to exercise their rights and how to improve it, and the impact of the Office’s approach to handling complaints.

Role of the Office

The Office plays an active role in raising awareness about individuals’ privacy rights and in addressing their concerns about possible interference with their rights. It provides information by way of its information hotline and its web site. The web site contains all the Office’s publications, answers to Frequently Asked Questions, media comments, media releases, speeches, case notes, an online complaint checker, multi-lingual web pages, guidelines, information sheets, brochures and the annual report.

To the extent that the Office’s activities in raising awareness are successful, community confidence that individuals’ rights are protected is likely to be increased. If an individual’s privacy rights are interfered with and he or she cannot resolve the issue with the organisation concerned, the Office will investigate the complaint, conciliate it, if appropriate, or make a determination.

Role of organisations

Organisations also play a role in raising awareness and in addressing the concerns of individuals who fear their privacy may have been breached. Organisations collecting personal information are required to take reasonable steps to provide NPP 1.3 or 1.5 notices and must have a privacy policy available to anyone who asks for it (NPP 5). This kind of information may also increase confidence that individuals’ rights are protected. In the event of a breach of privacy, the individual’s first port of call to resolve it is the organisation.

Community awareness survey

Awareness of rights

Community awareness was one of the issues canvassed by the research into community attitudes towards privacy commissioned by the Office in 2001 and 2004.[70] In general terms, it showed levels of awareness were low, although higher in 2004 than in 2001. Only about one in four respondents claimed to know an adequate amount or more about privacy. The number of respondents who were aware that federal privacy laws existed, however, increased from 43% in 2001 to 60% in 2004.

The research showed that 53% of respondents know that government agencies are covered by privacy law; 56% know that banks, insurers and other financial institutions are covered; and 47% that there are some restrictions on charities, private schools and hospitals and other non-government organisations.

Confidence rights are protected

The research showed differing levels of confidence that rights are protected depending on the industry. Health service providers have the highest levels of trust (89%), followed by financial organisations (66%), government organisations (64%), charities (54%), retailers (39%), market research organisations (35%), real estate agents (26%) and mail order companies.

Only 9% of respondents trust internet companies, which were intended particularly to benefit from the introduction of the private sector provisions.

Individuals’ ability to exercise their rights

The research showed that 34% of respondents were aware that the Federal Privacy Commissioner existed. (In 2001, 36% were aware.) However, 29% of respondents said they did not know to whom they would report the misuse of their personal information. Of the rest, only 7% mentioned the Federal Privacy Commissioner, the others mentioning a number of different organisations.

Demographic information about complainants

As noted in the issues paper, the Office had not previously collected demographic information about complainants. To identify which sections of the community were making privacy complaints to the Office, the Office conducted a three month complainant demographic survey from December 2004 to February 2005.

The Office received a very small response to the survey – 36 responses from over 250 surveys sent. The response rate is too small to rely on as an accurate representation of total complainants; however, the Office was able to extract information from its complaint management software that suggests, at least in respect of gender, the survey results may be representational. The figures suggest that it could be the case that the demographic profile of complainants to the Office is not representative of the wider community.

The results of the survey are described in Appendix 13. The Office will continue to collect complainant demographic information.

Multicultural Tasmania (4), while commending the Office on having multilingual pages on its website, recommends the Office think about other ways to distribute privacy information to people from diverse language backgrounds.

What submissions say – issues

Awareness

Most submissions that address this issue believe that community awareness of individuals’ privacy rights is not high[71]. In the view of the Australian Direct Marketing Association (ADMA) (67), community awareness of rights is important and is fundamental to the effective operation of the private sector provisions and the NPPs.

Business SA (92) says there is a widespread lack of understanding of privacy provisions in the community and a significant burden on the private sector to educate the general community about their privacy rights and responsibilities. The Australian Medical Association (29), for example, says that patients still complain to it about possible breaches of privacy.

The Australian Consumers’ Association (15) narrows the issue. It argues that the critical issue is that the consumer is aware of his or her rights when it matters, that is, when he or she has a problem, not at the time of signing up to the service. Lack of awareness goes beyond awareness of consumer rights.

The Australian Compliance Institute (16) says that the obligations imposed on business by privacy laws may undermine consumer expectations. For example, a person may believe he or she is entitled to information about a spouse’s insurance or bank accounts and may not understand why the organisation will not give it to them.

In some areas, however, submissions express a belief that there is a satisfactory level of awareness. The Australian Finance Conference (63) says that in the finance sector, for example, customers are aware of their privacy rights but few exercise them. The Royal District Nursing Service (78) believes its clients are sufficiently aware, except perhaps for its elderly clients. Sensis Pty Ltd (84) believes there is a reasonable level of understanding in the community about its activities.

Participants in stakeholder forums had a lot to say about lack of awareness. One participant, for example, said that people are unaware of their rights and are ‘mystified by multiple jurisdictions.’ Further, they do not understand the differences between policies, procedures and legislation. Another said there must be more awareness raising for the NPPs to work and a better injection of the issues into the culture and that this has to be done by the federal government as the smaller states and territories do not have the money. Some participants asked if the Office was adequately resourced to do what it was supposed to do in raising awareness.

Confidence

Not many submissions address the issue of community confidence in the protection of rights. The Investment and Financial Services Association (IFSA) (89), a body representing the superannuation, investment management and life insurance industries, states that the low level of complaints received by its members, compared to the very large level of transactions, suggests that the community is satisfied with the level of protection provided by its members. The Australian Association of Permanent Building Societies (91) says that public confidence that privacy rights are protected has been substantially increased as a result of the implementation of the private sector provisions.

The Australian Consumers’ Association (15), however, links confidence that an individual’s rights will be protected with the speed and effectiveness of the remedy and expresses concern with the delays and queues that characterise the Office’s complaints handling. Electronic Frontiers Australia (51) goes further in relation to the protection of rights online. Referring to the finding of the Office’s community attitudes survey that individuals trust internet companies less than any other sector, it says that:

‘any attempt . . . to encourage the community to believe that their privacy “rights” are protected online would be highly misleading at best . . . Individuals have almost no privacy “rights” in the online environment and even the few rights they allegedly have are not protected adequately and are difficult, sometimes impossible, to have enforced’.

The submission then goes on to report some collection and disclosure practices of some internet companies. Optus (98), on the other hand, says that the community attitudes survey indicates that a significant proportion of people do not have confidence in companies that do business online, rather than companies that provide internet services.

What submissions say – addressing the issues

Public awareness campaigns

A number of submissions suggest that there should be a campaign to increase awareness about individual privacy rights. Business and consumers alike suggest the Office is the body best placed to conduct public awareness campaigns and that it should be adequately resourced to do so. Acxiom Australia (71) says that what is needed now is a far-reaching education program about rights and responsibilities under the existing law. More specifically, the Salvation Army (74) says that the Commissioner should give special attention to providing information and education and support to social welfare groups.

Telstra (110) suggests the Office should take steps to lift its profile and should offer regular community education about its own role and the steps individuals can take to protect their privacy. On the other hand, Optus (98) suggests the campaign should be targeted to sectors of the community who have not yet become aware of privacy regulations.

In the view of the Australian Compliance Institute (16), the campaign should focus not only on consumer rights but should also educate consumers about business responsibilities. In the context of health, says Australian Federation of AIDS Organisations Inc (54), plain English guides explaining all relevant legislation, not just the Privacy Act, are needed.

Change privacy notices

Some submissions link community awareness of rights and improved privacy notices. Australia Post (109), for example, notes that obligations imposed on it and other organisations by NPP 5 have had a positive effect of creating privacy awareness in the community. It suggests that the content, structure and placement of NPP 1.3 notices should be standardised. Privacy notices were discussed earlier in this chapter (4.1).

Office should improve community confidence

Submissions generally look to the Office to take action to improve community confidence that rights are protected. The Fundraising Institute (52) suggests a number of things the Office could do, including both promotional and compliance actions. The promotional actions include:

  • undertaking strategic marketing to raise community awareness
  • authorising the use of a logo indicating commitment on the part of the organisation to good practice and
  • encouraging organisations to develop and promote standards of practice.

ADMA (67) says that with its limited resources, the Office needs to develop strategies that seek partnerships with business to encourage community confidence that privacy rights are protected.

The Australian Consumers’ Association (15) says that one of the ways the Office can encourage community confidence that privacy rights are protected is by more vigorous and apparent enforcement action. The Consumers’ Federation of Australia (65) agrees. It also suggests ways in which organisations can encourage community confidence.

Encouraging individuals to exercise their rights

The AMA (29) suggests that it would be helpful if the Office kept statistics of complaints against doctors to identify where the medical profession is not complying (to assist in developing education programs for doctors) and where complaints are unfounded (to inform community awareness campaigns).

Resources and educative role

Some submissions explicitly suggest that the Office should be better resourced to fulfil its educative role. ADMA (67), for example, says that the education aspect of the Office’s role needs to be more adequately and suitably funded, and until this is so the effectiveness of the NPPs in protecting personal information will be compromised.

Baycorp Advantage (86) supports an increase in resources to the regulator to support its functions. Finally, the Association of Market Research Organisations and the Australian Market and Social Research Society (61) say that the Office should be resourced to assure the public that the law protects their privacy and that the Office should raise the public’s confidence in what is a good system that is in place to protect their privacy.

Options for reform

Community education and awareness programs could be developed

The scheme established by the private sector provisions of the Privacy Act is complaints based, that is, the Privacy Commissioner primarily acts only in response to a complaint made by an individual. Individuals’ awareness of their privacy rights and how to exercise them, and individuals’ confidence that their rights will be upheld, are critical to the integrity of the scheme. Consumer organisations and business alike acknowledge the importance of community awareness of privacy rights and confidence they are protected. Businesses around Australia have invested considerable resources into ensuring they are privacy compliant and are calling for improved community awareness. The Office could form partnerships with community organisations to develop education programs to raise community awareness about privacy, individual privacy rights and enforcement of rights.

The Office could undertake the program

The functions of the Privacy Commissioner include, among other things:

‘for the purpose of promoting the protection of individual privacy, to undertake educational programs on the Commissioner’s own behalf or in co-operation with other persons or authorities acting on behalf of the Commissioner’[72].

The Office of the Privacy Commissioner is best placed to undertake an education program to raise community awareness of privacy and privacy rights. Submissions support this view.

Specifically funded program

The Office would need specific funding to allow it to engage in such a program. Business and consumer organisations have both called for more resources for the Office for this purpose[73]. The Government could consider funding the Office to undertake a systematic and comprehensive education program to raise community awareness of privacy and privacy rights. This will benefit both consumers and business, which will no longer have to use its resources to explain to consumers why it cannot release personal information.

Office to develop promotional strategies

One way to promote awareness of privacy, and good privacy practice, would be to authorise the use of a logo to indicate an organisation’s commitment to good privacy practice. Submissions did not, however, reveal particular interest in it and there is as yet no demand from consumers. Any logo scheme would need to have mechanisms to handle potential breaches of the Privacy Act by logo users. This may have implications for the role of the Office in any logo scheme, particularly in the context of its statutory complaints handling function.

Remove barriers preventing the making of privacy complaints

The complainant demographic survey undertaken by the Office, although somewhat unreliable given the low response rate, suggests that there may be barriers that are preventing certain groups within the community from making privacy complaints to the Office. The Office could take steps to ascertain if there are barriers, for example language barriers, preventing individuals from knowing about and exercising their privacy rights. The Office could then seek to implement initiatives that would remove these barriers.

4.6 Recommendations: Consumer education

26. The Australian Government should consider specifically funding the Office to undertake a systematic and comprehensive education program to raise community awareness of privacy rights and obligations.

27. The Office will continue to collect demographic information about complainants. It will seek to identify and then remove any barriers that prevent sectors of the community from knowing about and exercising their privacy rights.

4.7 Access generally

Law and policy

Introducing the private sector provisions, the then Attorney-General said:

‘It is a fundamental principle of fair information handling that individuals be able to access and correct information about themselves’[74].

Subject to specified exceptions, an individual has a right to access personal information an organisation holds about him or her. If one of the exceptions applies, the organisation must, if reasonable, consider using mutually agreed intermediaries. If the individual establishes that the information is not accurate, complete and up-to-date, the organisation must take reasonable steps to correct the information so that it is. An organisation may charge for providing access (but not to lodge a request for access) but the charges must not be excessive (NPP 6).

NPP 6 applies to health information as well as other personal information, supporting ‘what is already good practice among many health professionals’[75].

An organisation may withhold access to health information when ‘providing access would pose a serious threat to the life or health of any individual’[76].

Issues

The Office receives a number of complaints about failure to provide access, especially in the health area[77]. The issues paper suggested possible topics for submissions:

  • individuals’ experiences in seeking access to personal information an organisation holds about them
  • business experiences in giving individuals access to personal information and
  • whether measures are needed to address any issues arising for individuals or business in giving or gaining access to personal information.

What submissions say - issues

Overview

Most of the submissions that discuss individuals’ access to their personal information are concerned with health information and/or the costs of access, either for individuals or for organisations providing it. Some submissions discuss access to personal information in the context of retail, tenancy, insurance and telecommunications.

Health information

Several submissions express concern that giving patients access to their medical records, especially when there are mental health issues involved, may cause harm. The Australian Medical Association Ltd (AMA) (29), for example, supports a person’s right to access information held about them but states that there are occasions when that access can cause harm to the patient or interfere with the therapeutic relationship. The exception in NPP 6.1(b), that providing access would pose a serious threat to the life or health of any individual, sets too high a threshold to overcome the harm that might occur to a doctor-patient relationship or the patient.

Furthermore, says the AMA, NPP 6 does not protect a doctor’s private or preliminary views in the thinking processes required for assessment, diagnosis and formulation of a treatment program. This is of particular concern for psychiatrists who take down facts as described, which may or may not be true, and record their own reactions, which may include an adverse reaction to the patient. In the AMA’s view, it is not appropriate that a patient have access to such notes; even if not life threatening, it can cause disruption to the therapeutic relationship.

Other submissions agree with the AMA’s views. The Mental Health Privacy Coalition (58) would want to ‘white out’ the practitioner’s private thoughts if a patient sought access. Similarly, members of the Australian Psychological Society (103) believe clients may misinterpret what is written.

Life insurance providers have a particular concern. They assess an applicant’s risk on the basis of medical reports but have no knowledge of what the health professional who wrote the report has told the client or whether the client’s life, health or safety might be at risk if they receive the information directly from the insurer[78].

On the other hand, the AMA (29) says there is not enough account taken of the need of a carer to know information about the person for whom they are responsible.

Finally, a confidential submission says consumers are often confused about access when there is an Advanced Health Directive or a Power of Attorney in place, or when seeking access to the records of a deceased person.

Health information – use of intermediaries

Some submissions state that the obligation in NPP 6.3 to ‘consider’ the use of an intermediary is not strong enough. Privacy Law Consulting Australia (66), for example, says:

‘this principle is effectively meaningless as the requirement to ‘consider’ the use of a mutually agreed intermediary does not place any obligation on an organisation other than to ‘turn its mind’ to providing access through an intermediary’[79].

Furthermore, the principle does not state what should happen if the parties cannot agree on an intermediary.

Health information – fees

Submissions show a variety of views about the level of fees charged for access to health information.

The Private Health Insurance Ombudsman (10) has received complaints about unreasonable fees charged by a medical practice for access. On the other hand, the Royal District Nursing Service (78) is often left out of pocket when responding to a request for access to information, particularly when the records are no longer on site. In its view the maximum fee allowed under the Victorian Health Records Act is too low. Because the Privacy Act does not include a schedule of fees, a confidential submission says a wide variety of fees are charged, giving rise to enquiries from consumers.

Finally, the Australian Physiotherapy Association (APA) (37) says that lawyers often ask for records for use in legal proceedings even though, written for the express purpose of providing treatment, they are unsuitable for use in court. The APA speculates that, as some state legislation caps the amount a practice can charge, ‘some lawyers request records in order to avoid paying reasonable costs for a medico-legal report’. Further, it contends that:

‘some legal firms in Victoria and the ACT are abusing this loop-hole and requesting records under privacy legislation so as to shift expenses to the physiotherapist’.

Access to other records

The experience of the Tenants’ Union (ACT) (87) is that it remains very difficult for private housing tenants to access tenant files held by real estate agents, unlike public housing tenants who can use freedom of information legislation. On the other hand, a large retailer, Coles Myer Ltd (60), has had very few requests for access, fewer than 10 since the Act commenced.

Similarly, member organisations of the Australian Direct Marketing Association (ADMA) (67) have received very few requests for access to personal information. Some submissions, including, for example, Clubs Australia and New Zealand (75), express concern about the costs of providing access. Vodafone Australia Ltd (112) states that it is important to be able to implement cost recovery mechanisms for access to personal information.

What submissions say – addressing the issues

Considering the therapeutic relationship

Submissions suggest a number of ways to address these issues. Some submissions from health care organisations consider circumstances when access should not be given. The Australian Medical Association Ltd (AMA) (29) expresses concern that, in the health care context, there are occasions when access to records could cause harm to the patient or interfere with the therapeutic relationship. The Mental Health Privacy Coalition (58) also suggests that the Privacy Act should be clarified to indicate that the threat of destruction to a therapeutic relationship is a serious risk.

Other aspects of access to medical records

Submissions address other aspects of access to medical records. The AMA (29) says that it is necessary to disclose information about the patient’s ongoing care when he or she is discharged from hospital to the patient’s carer, whether or not the patient consents.

The Investment and Financial Services Association (89) says that insurers want to be able to give information to a patient not directly but via the health professional who supplied the information in the first place, or to the patient’s GP, without having to rely on the NPP 6.1 exception, as is possible under the Health Records and Privacy Information Act 2002 (NSW).

Finally, a confidential submission says the Office should issue a fact sheet about access to patients’ health records when there is an Advanced Health Directive or an Enduring Power of Attorney in place.

Use of intermediaries

In the view of Privacy Law Consulting Australia (66), NPP 6.3, which provides for consideration of the use of an intermediary when access is denied, should be removed altogether or else amended to impose obligations on both the organisation and the individual.

Fees for access

As discussed above, a number of submissions consider the fees payable for access to health information. A confidential submission says that the Privacy Act should set a maximum fee for access that is realistic.

The Australian Privacy Foundation (APF) (90), on the other hand, is happy with the NPP 6.4 provision that charges for access must not be excessive. Its concern is that the Office considers reasonable what the APF considers manifestly excessive, and it recommends that the provision be amended to make access free or to set a reasonable cap.

Consumer perspective

The Australian Privacy Foundation (90) makes a number of suggestions for change from the point of view of consumers. These suggestions are:

  • NPP 6 should expressly require organisations to give access to as much information as possible even when an exception applies to some information.
  • An organisation that denies access on the basis of one of the exemptions should be required to provide intermediary access (not merely be required to consider it). NPP 6 should provide for the Privacy Commissioner to inspect a record on a person’s behalf where access is denied under an exception, and to seek corrections.
  • There should be a requirement to consult with third party individuals whose information would be disclosed in response to an access request.
  • There should be a prohibition on an organisation requiring an individual to exercise their access rights with a second organisation and then providing the first organisation with the information.
  • An individual should not have to ‘establish’ that personal information is not accurate, complete and up-to-date under NPP 6.5; it should be enough for them to have reasonable grounds to believe there is a potential inaccuracy.
  • Finally, where personal information is corrected in response to a request under NPP 6.5, there should be an obligation to notify any third parties who are known to have received the information that was not accurate, complete or up-to-date, as exists, ‘where appropriate’ or ‘where practicable’, in legislation in other jurisdictions.

Options for reform

Address concerns about access and the threat to the therapeutic relationship

There are a number of possible ways of addressing these concerns, including further limiting the circumstances in which access might be granted and providing guidance on the existing law. There is no doubt that there are circumstances when access to records may cause a breakdown in a therapeutic relationship and that the breakdown in the therapeutic relationship may constitute a serious risk to the patient’s health. However, this does not justify changing the law. Rather, it indicates that there are good reasons for addressing the uncertainties through guidance.

Similarly, the issue of the privacy of the therapist’s personal views may be best addressed through guidance. The NPPs allow an organisation to deny access where it would have an unreasonable impact on the privacy of someone else[80]. This could include a therapist’s views.

Notify others of corrections made to personal information

When inaccurate information has been passed on to others, it is of little comfort that it has been corrected at source but not elsewhere. When an individual’s personal information is corrected in response to a request from the individual, the organisation, where practicable, could be obliged to notify third parties that they have received the inaccurate information.

Use of intermediaries

NPP 6.3 provides that an organisation must, ‘if reasonable, consider’ the use of an intermediary where it has refused access on the grounds of one of the exceptions to access in NPP 6.1. The right is a very limited one. There is a stronger right to the use of an intermediary under the proposed National Health Privacy Code. An intermediary, a nominated health service provider, may, among other things, consider the validity of the refusal and, if he or she thinks it appropriate to do so, discuss the content of the health information with the individual. The relevant provisions are prescriptive and detailed and are not suitable for inclusion in the NPPs. The NPPs could, however, include a similar right. Alternatively, if the AHMAC code becomes a schedule to the Privacy Act[81], the matter will be dealt with by that means.

Set fees for access

There is a significant difference in the cost of providing access to records, depending on a number of variables, including whether the records are on site or not, the number of pages involved and the amount of scrutiny necessary. It is not therefore appropriate to set a single fee for access. What may be suitable in one case may be wildly unsuitable in another.

It may be appropriate for the Office to offer some guidance as to what it thinks is appropriate. Alternatively, the Australian Government could introduce a table of recommended fees in a schedule to the Privacy Act. And, if the AHMAC code becomes a schedule to the Privacy Act[82], the matter may be dealt with by that means.

Office could give guidance re ‘able to establish’ in NPP 6.5

NPP 6.5 requires that an individual ‘establish’ that information is not accurate before the organisation needs to take reasonable steps to correct it. This may be an unduly high standard. It is also unclear. The Office should provide guidance about ‘able to establish’ in NPP 6.5.

4.8 Recommendations: Access generally

28. The Australian Government should consider amending NPP 6 to provide that when an individual’s personal information is corrected in response to a request from the individual, the organisation should be obliged to notify third parties, where practicable, that they have received the inaccurate information.

29. The Australian Government should consider adopting the Australian Health Ministers’ Advisory Council (AHMAC) Code as a schedule to the Privacy Act (see also recommendations 13, 33 and 35). This will address the issue of intermediaries, and the issue of fees for access.

30. The Office will develop further guidance on the operation of NPP 6.1 on ‘serious threat to life or health’, explaining that a serious threat to a therapeutic relationship could be a serious threat to a person’s health. This will go some way towards addressing what appears to be a too narrow interpretation of NPP 6.1(b) by some practitioners.

31. The Office will develop guidance on fees for access to personal information.

32. The Office will develop guidance on the meaning of NPP 6.5, which requires that an individual ‘establish’ that information is not accurate before the organisation needs to take reasonable steps to correct it.

4.9 Transfer of health records to another health service provider

Law and policy

The NPPs do not create specific obligations regarding the transfer of medical records in circumstances where an individual changes from one health service provider to another. In some circumstances, individuals and their providers will simply agree for the records (or copies of them) to be transferred to the new provider. If necessary, an individual may exercise their general access right (under NPP 6) to their health information. If they obtain a copy of their record they can take this to their new provider. However, there is no specific obligation in the Privacy Act requiring a provider to transfer a medical record in full to another provider.

Other regulation may require health providers to do certain things. For example, the Victorian Health Records Act 2001 requires that if an individual asks, then a health service provider must provide ‘a copy or written summary of the individual’s health information’ to another provider. Furthermore, some professional bodies have noted that in line with good clinical practice and relevant codes of ethics, health service providers should ensure that an individual’s new provider receives adequate information to provide treatment.

What submissions say

This issue did not figure prominently in submissions. However, during consultations it was suggested that while this issue is significant, it may be better addressed at the state and territory level, rather than at the Australian Government level. A reason for taking this approach is that health service providers are registered at the state or territory level, usually by registration boards or similar bodies created under state legislation.

Moreover, the management and handling of patient records generally forms part of a health service provider’s professional responsibilities for which they are registered. This could be a more appropriate mechanism for setting out, and addressing as necessary, health service providers’ obligations in this area.

Options for reform

Amend the NPPs – add additional principle

The NPPs could be amended to add a principle (for example, NPP 11) similar to the relevant principles in the Victorian Health Records Act (HPP 10) and draft National Health Privacy Code (NHPP 11).

This principle would state that health service providers would have express obligations to transfer medical records, or copies of them, to a different provider at the request of the individual concerned.

However, this approach introduces a greater degree of prescription to the NPPs than is currently the case. This may not sit comfortably with the high-level, cross-sectoral intent of the NPPs. It should be noted that if the AHMAC code becomes a schedule to the Privacy Act, the matter will be dealt with by that means[83].

No amendment to the Privacy Act – encourage responses by states and territories

Accepting the view that the transfer of medical records between health service providers is a predominantly professional practice issue, the states and territories (for example, through their medical registration boards) could be asked to set out providers’ obligations in this area.

Jurisdictions could determine whether to set out these obligations in statute or through other professional practice rules and mechanisms connected with provider registration. There would be a need to consider how to ensure national consistency for providers and their obligations across Australia, particularly for those operating (and sharing personal information) across jurisdictions regularly.

Adopt AHMAC code

It is anticipated that the draft AHMAC code will be considered by all Australian health ministers in 2005. Following this, the Australian Government could adopt the AHMAC code. If so, the matter will be dealt with by that means.

No change

As this was not a high-profile issue in submissions, it may be appropriate to make no regulatory change. Those responsible for health policy across all jurisdictions, as well as the Office, could monitor any emerging issues.

4.10 Recommendations: Transfer of health records

33. The Australian Government should consider adopting the Australian Health Ministers’ Advisory Council (AHMAC) code as a schedule to the Privacy Act. This will address the issue of the transfer of health records to another health service provider. (See also recommendations 13, 29 and 35.)

34. The Australian Government should consider, if the AHMAC Code is not adopted into the Privacy Act, amending the NPPs to include a new principle along the lines of National Health Privacy Principle 11 in the AHMAC Code.

4.11 Access to health records when health service ceases to operate

Law and policy

When introducing the private sector provisions, the Australian Government recognised that ‘Australians consider their personal health information to be particularly sensitive and that they expect that it will be handled fairly and appropriately by those who come into contact with it.’[84]

One element of fair and appropriate handling of health information is that individuals have a right to access information that a health service provider holds about them. Also, individuals ought to have some control over how their information is handled and by whom.

These choices can be difficult to exercise when a health service provider ceases to operate. Under common law, a provider generally retains ownership of the medical records they create.[85] However, this should not reduce an individual’s right to access their health information should they wish to do so in the context of NPP 6, including the prescribed exceptions to granting access.

Health services ceasing to operate

The Office has become aware of a number of cases where individuals have not been able to gain access to their health information because their health service provider has ceased to operate. For example, a practitioner may have retired, they may have died, or their practice may have closed. Records may be left with other providers, or family members or executors of the previous practitioner, for ‘safe-keeping’. In such cases, an individual’s right of access to their health record can be difficult to guarantee.

In some jurisdictions, specific legislative provision is made for ‘abandoned’ records to be retained by a central body, such as a medical registration board. For example, in Queensland, section 260 of the Medical Practitioners Regulation Act 2001 says the Board may take possession of records it considers abandoned.[86] In NSW, the Medical Practice Regulations 2003 impose obligations on how medical practitioners should handle health records in the event of the disposal of a practice.[87]

In Victoria, the Health Records Act 2001, through Health Privacy Principle (HPP) 10, sets out obligations for health service providers when they cease to operate. These obligations include advertising the fact of ceasing operations in local newspapers.[88]

When a health service ceases to operate, this also brings into question a provider’s data security obligations under NPP 4. There is a risk that ‘abandoned’ records may not be afforded adequate levels of storage and security.

What submissions say

Similar to the transfer of medical records, this issue did not figure prominently in submissions. During consultations, however, it was suggested that this matter also could be addressed at the state and territory level. Again, a reason for taking this approach is the registration of health service providers at the state or territory level, usually by registration boards or similar bodies created under state legislation.

The Investment and Financial Services Association (89) says that:

‘occasionally, our members encounter the situation where medical records are not available because the GP has retired, died or moved. From an underwriting perspective we would strongly support a national policy whereby an individual’s medical records are retained in a central body when this situation arises’.

The inability for an individual to get access to their medical record because a health service has ceased to operate can affect not only their health care needs, but also their ability to gain other services such as insurance.

Options for reform

Amend the NPPs – add additional principle

The Privacy Act could be amended in a manner similar to the Victorian HPP 10 and the proposed National Health Privacy Code’s NHPP 10, by adding a similar principle into the NPPs. Such a principle could require providers to do certain things to ensure access arrangements are in place upon the cessation of service, as well as to make individuals aware of how they can seek access to their records.

No amendment to the Privacy Act - encourage responses by states and territories

Similar to the approach suggested with the transfer of medical records, it may be reasonable to take the view that the obligations upon providers for handling health records generally is a predominantly professional practice issue. States and territories (for example, through their medical registration boards) could be asked to set out providers’ obligations for securing records upon cessation of a service, and to ensure that access arrangements are maintained.

Jurisdictions could be asked to create central registers for securing and managing ‘abandoned’ records, in a manner similar to that created under the Queensland Medical Registration Board Act.

Adopt AHMAC code

It is anticipated that the draft AHMAC code will be considered by all Australian health ministers in 2005. Following this, the Australian Government could adopt the AHMAC code. If so, the matter will be dealt with by that means.

No change

As this was not a high-profile issue in submissions, it may be appropriate to make no regulatory change. Those responsible for health policy across all jurisdictions, as well as the Office, could monitor any emerging issues.

4.12 Recommendations: Health service ceases to operate

35. The Australian Government should consider adopting the AHMAC code as a schedule to the Privacy Act. This will address the issue of access to health records when a health service ceases to operate. (See also recommendations 13, 29 and 33.)

36. The Australian Government should consider, if the AHMAC Code is not adopted into the Privacy Act, amending the NPPs to include a new principle along the lines of National Health Privacy Principle 10 in the AHMAC Code.

5 Enforcing individual rights and ensuring compliance

5.1 Introduction

For the private sector provisions to be most effective in protecting individuals’ privacy and in promoting the public interest in privacy, organisations subject to the private sector provisions should be complying with them.

The private sector provisions include a complaints process to enable individuals to complain to the Privacy Commissioner if they believe their privacy has been breached. The Act also gives the Office a power to investigate, on its own initiative, if it thinks an organisation may have breached the private sector provisions.

The scheme does not provide for strict black letter penalties or fines; nor can the Commissioner specify how a particular organisation should comply with the NPPs[89].

The Office also has a role in providing information and advice to organisations to help them to comply. This issue is discussed in Chapter 6.

5.2 Law and policy

Approach to compliance

The Office takes the approach that compliance will be best achieved by helping organisations to comply rather than seeking out and punishing the few organisations that do not. It assumes that most Australian organisations in the private sector wish to comply with their legal obligations. The Office’s emphasis is therefore on providing advice, assistance and information.

This approach is set out in Information Sheet 13 – The Federal Privacy Commissioner’s Approach to Promoting Compliance with the Privacy Act, which is in Appendix 7.

However, the Office actively pursues cases when it identifies breaches of the Privacy Act. It seeks to ensure that organisations remedy breaches and address complainants’ concerns, including by compensating them where that is warranted.

To date the Office has made limited or no use of the more formal enforcement powers, such as making complaint determinations or seeking injunctions from the court, or publicly ‘naming’ and ‘shaming’[90]. This is in part due to:

  • the Office’s strong focus on conciliation and alternative dispute resolution as a means of resolving individual complaints
  • the fact that injunctions are more likely to be relevant in situations where there has been no individual complaint, there is significant and immediate harm and where the respondent is recalcitrant and
  • the generally good level of cooperation the Office has received when it pursues issues.

Complaints process

Process

The complaint handling framework set out in the Privacy Act, and reflected in the Office’s approach, emphasises:

  • resolution between the organisation and the individual if possible[91] and
  • investigation and conciliation where complaints are taken to the Privacy Commissioner or a code adjudicator.

If a complaint cannot be resolved by these processes the Privacy Act gives the Commissioner a range of powers including the power to make determinations.

The Office currently receives approximately 1250 complaints per year. Approximately 66% of these are complaints under the private sector provisions.

Typical outcomes following conciliation include:

  • apologies
  • access provided and/or records amended
  • change in practice or procedure
  • staff training and
  • monetary or other compensation to redress actual loss or damage.

See Appendix 8 for information about the Commissioner’s powers of investigation and Appendix 9, which includes statistics on how complaints are finalised.

Where the Commissioner formally determines that an organisation has interfered with the privacy of a person, there are a number of options available to address the issue[92]. The options include:

  • making a declaration that the organisation should not repeat or continue the offending conduct
  • requiring the performance of any reasonable act or course of conduct to redress the loss or damage suffered by the person concerned and/or
  • requiring the payment of a specified amount by way of compensation for any loss or damage suffered by the person concerned.

Loss or damage can include injury to the person's feelings or humiliation suffered by that individual.

If the organisation does not comply with a determination it may be enforced by the Federal Court or Federal Magistrates Court[93].

Information about complaints

The Office publishes de-identified[94] case notes of some of its finalised complaints that are considered to be of interest to the general public. They illustrate the types of cases resolved by the Office and usually involve a new interpretation of legislation, illustrate systemic issues, or illustrate the application of the law to a particular industry. The case notes do not identify the parties to the complaint. The Office has published 39 case notes since the practice commenced in December 2002.

The Office publishes Commissioner’s determinations in full but suppresses the name of the complainant. It also publishes a variety of complaint statistics and case studies on its website, and in its annual reports.

Powers supporting complaints process

The Privacy Act provides a range of powers and functions to support the complaint handling process and to encourage compliance with the provisions. These include the power to:

  • seek to enforce decisions made by code adjudicators or the Commissioner
  • make inquiries of third parties
  • enter premises (with consent or a search warrant) and
  • require the production of information or documents[95]
  • initiate investigations without a complaint where there may be an interference with privacy (own motion investigations)[96].

The Commissioner also has functions to provide advice and to undertake education and awareness programs[97].

In addition, the Privacy Act also provides for the Commissioner or others to seek an injunction from the Federal Court or Magistrates Court to stop acts or practices that may be an interference with privacy or to require action to prevent an interference with privacy[98].

This enforcement framework is essentially the same as that applying to the Australian public sector since 1989, although with some variations, to reflect the intention that these provisions be ‘light touch’. For example, the Privacy Commissioner’s power to audit agencies, credit providers, credit reporting agencies and tax file number recipients is not replicated in the private sector provisions. Further, the Commissioner cannot report to Parliament the failure of an organisation to respond to any recommendations following an investigation under section 40(2) of the Privacy Act (own motion investigations).

Survey of complainants and respondents

The Office recently surveyed complainants and respondents seeking feedback on the Office’s complaint handling process and suggestions for improvements. The Office is now considering the responses and will feed this information into the review of its complaint handling processes. An overview of the survey responses is at Appendix 14. While to some extent responses were coloured by the outcome of the complaint (that is, whether or not it was upheld), many complainants were dissatisfied with the timeliness of the process.

Review rights

Commonwealth Ombudsman

The Office is subject to review by the Commonwealth Ombudsman with respect to 'a matter of administration'. The Ombudsman will often resolve a complaint through a process of conciliation, but when this is not possible, the Ombudsman has the capacity, through a report to the agency concerned, to request remedies, for example, where the action:

  • appears to be contrary to law
  • was unreasonable, unjust, oppressive or improperly discriminatory
  • was in accordance with a rule of law but the rule is unreasonable, unjust, oppressive or improperly discriminatory
  • was based either wholly or partly on a mistake of law or of fact
  • was otherwise, in all the circumstances, wrong or
  • in the course of taking the action, a discretionary power had been exercised for an improper purpose or on irrelevant grounds[99].

Administrative Decisions (Judicial Review) Act 1977

Complainants and respondents may apply to the Federal Court or the Federal Magistrates Court for a review of ‘administrative decisions’ made about a privacy complaint under the Administrative Decisions (Judicial Review) Act 1977 (ADJR Act). The ADJR Act provides quite a broad right of review. However, it is important to note that the ADJR Act reviews the process followed to make the decision, not the substance of the decision. The Court cannot hear the matter afresh or substitute its own decision for that of the Commissioner. Grounds for review include a breach of the rules of natural justice, excess of power, or error of law. If the court finds, for example, that there has been a misuse of power or an error of law, the matter will be remitted to the Commissioner for reconsideration according to law.

Matters that could be the subject of an ADJR application include:

  • a decision that a privacy complaint will not be investigated, or investigated further, under section 41(1)(a)-(f)
  • a decision not to make a determination under section 52 and
  • failure to give to a person who is adversely affected by a decision the reasons for that decision.

Administrative Appeals Tribunal

There is no right of appeal to the Administrative Appeals Tribunal (AAT) in respect of determinations about private sector organisations. The Privacy Act does provide a limited right of appeal to the AAT for a merits-based review of the Commissioner’s decisions where the respondent is a federal or ACT agency, and only in relation to whether or not to make a determination that a complainant is or is not entitled to compensation[100].

Review/enforcement by Federal Court or Federal Magistrates Court

In addition to the above rights of review, where the Commissioner makes a determination following an investigation of a complaint and the organisation does not comply with the determination, the Commissioner, code adjudicator or complainant may apply to the Federal Court or Federal Magistrates Court to have the determination enforced[101]. The court will hear the matter afresh and make its own decision.

However, there is no recourse to the courts if the Commissioner does not make a determination or the respondent organisation has complied with a determination (although, as noted above, the ADJR Act is available if the process by which the Commissioner made these decisions is considered unfair or unlawful).

5.3 Issues

The issues paper suggested a number of topics for submissions related to enforcement and compliance. These included whether:

  • the Office’s overall approach to compliance/enforcement has been appropriate and effective
  • the Office’s approach to complaint handling has been sufficiently transparent and accountable
  • the Privacy Act provides appropriate rights for individuals as to how their complaint will be handled and the rights of review or appeal available and
  • the powers in the Privacy Act are sufficient, in particular to enforce complaint resolutions and/or deal with systemic issues, for example should there be a power to make binding codes, or audit private sector organisations[102].

5.4 What submissions say – issues

Approach to compliance

Support for approach

Many of the submissions from organisations and business or industry bodies, including Restaurant and Catering Australia (5), Promina (34), Insurance Council of Australia (59), Coles Myer Ltd (60), Australian Bankers’ Association (70) and Optus (98), support the Office’s approach to compliance and argue that it should continue. These submissions say that the Office’s approach has enabled organisations to implement flexible policies to protect the privacy of individuals without hindering business development. They generally consider that the right balance has been achieved.

In particular, Restaurant and Catering Australia (5) commends the Privacy Commissioner’s limited use of formal enforcement powers and the focus on the cooperative resolution of issues. The Insurance Council of Australia (59) also supports the Office’s educative approach to complaint handling.

The Investment and Financial Services Association Ltd (IFSA) (89) suggests that:

‘the effectiveness of the current dispute resolution mechanism has resulted in few judicial decisions on the application and the private sector provisions… [It] strongly supports the continued resolution of complaints by negotiation’.

A number of submissions say that the approach should extend to complaint handling, where the focus should emphasise information/advice and conciliation over legalistic determinations[103]. One confidential business submission thought that existing enforcement powers, including in relation to determinations, were a ‘powerful enough incentive for organisations to comply’.

Approach ineffective

Submissions from the consumer and privacy advocacy groups, including the Consumers’ Federation of Australia (65), the Australian Consumers’ Association (15), Electronic Frontiers Australia (51) and the Australian Privacy Foundation (90), also note the low number of complaints. While the business sector sees this as a positive indicator (see discussion below), these submissions conclude that the educative approach deters individuals from complaining. They say this is because individuals see no strong action or consequences resulting from an organisation’s poor privacy performance.

Level of compliance

Level is about right

Many submissions from organisations and business groups argue that they or their members have taken significant steps to comply with the Privacy Act. They say that the overall level of compliance is good and that the Office’s approach is working well.

A number of these submissions outline the compliance steps they have taken and note the expenditure involved[104]. These submissions argue for the current approach to be maintained. Some also sought more emphasis on education and/or guidance for consumers and organisations.

Many of these submissions argue that the overall low level of privacy complaints they or their members have experienced is positive evidence of a satisfactory level of privacy compliance. They say this is particularly so taking into account the number of transactions processed. Submissions noting low complaint levels include Coles Myer (60), Optus (98), Sensis (84), ABA (70), SuncorpMetway (35), the Financial Planning Association (85), Australian Association of Permanent Building Societies (91), Australian Finance Conference (63), the ANZ Bank (40) and the Insurance Council of Australia (59). Some submissions put forward statistics supporting this view. For example:

  • SuncorpMetway (35) advises that for the period November 2003 to October 2004 it received 9930 complaints, of which 149 or 1.5% were privacy related
  • the Private Health Insurance Ombudsman (PHIO) (10) observes that in 2003/04 it received 3000 complaints, of which only 14 complaints were about privacy
  • the Australian Bankers’ Association (70) notes that one of its members ‘reports its analysis of privacy complaints over the past 12 months as representing just 0.0035% of its total customer base’
  • Credit Union Services Corporation (Australia) Ltd (64) notes that of 347 cases closed by the credit union dispute resolution centre only 9 related to privacy issues.

Coles Myer (60) says that given the low level of complaints it considers the current compliance approach (and powers) to be sufficient.

‘The best protection for a customer…is the organisation’s desire to maintain its reputation and competitive advantage in the market’.

On the other hand, the Salvation Army Australia Southern Territory (74) suggests that low levels of complaints can be attributed to lack of awareness of complaints procedures.

Level may not be adequate

In contrast, submissions from the consumer and advocacy groups, including those from the Australian Consumers’ Association (15) and the Consumers’ Federation of Australia (65), express some strong concerns about the Office’s approach to compliance.

It was also a theme in the Office’s public consultations that while many organisations are trying to comply, some are not worried about the implications of a breach. Some saw this as a possible indication that compliance may not be as widespread and ‘deep’ as it could be. A participant at the Adelaide consultation suggested that if the Office was to ‘out’ poor privacy performance this would then be a point of difference between businesses for consumers to consider; privacy would matter more to business[105]. Another participant stated that it is difficult to talk some company boards into being privacy compliant when no schedule of penalties attaches to the NPPs and commented that ‘if you had audit powers, we might be able to convince our boards to comply’[106].

In a similar vein, the Consumers’ Federation of Australia (65) and the Australian Consumers’ Association (15) assert that the Office’s approach to compliance and the lack of visible enforcement of privacy rights mean that organisations are lax about compliance with privacy obligations.

Others support the view that there is no incentive to correct system flaws and that it is easier to simply respond when (the very few) complaints come in rather than comply in a systemic way[107].

Comments from some submissions suggest that for smaller businesses, privacy may not be a high priority in the midst of other regulations. For example, submission (83) observes that:

‘All business in Queensland currently negotiates a raft of government (local/state/federal) regulations. For smaller enterprises these regulations are often seen as annoying diversions to the primary purpose of the business: at times they can be very daunting and costly’.

The Australian Chamber of Commerce and Industry (22) makes a similar point (in arguing against the removal of the small business exemption):

‘that privacy compliance costs would be additional to the myriad of other compliance burdens stemming from legislative or regulatory requirements, be they in relation to occupational health and safety, industrial relations or, in particular, taxation’.

In general, the perceived lack of enforcement mechanisms in the Privacy Act, especially in relation to determination enforcement, is a matter of strong concern amongst the advocacy and consumer groups[108].

Office does not use existing powers

Submissions from Professor Graham Greenleaf (47) and some consumer organisations note the very limited use the Office makes of the Commissioner’s power to make determinations. As discussed elsewhere, submissions focus on the perceived lack of procedural fairness and transparency flowing from the lack of determinations.

Professor Graham Greenleaf argues that the limited use of determinations equates to a failure to visibly enforce the law, with consequent impact on the culture of compliance, compliance risk assessment and so on.

Systemic issues not being addressed

Incidence of systemic issues

Some submissions say that the Office has not paid enough attention to fixing systemic issues, which are causing a large number of complaints. These submissions suggest that the Office needs to consult more regularly with consumer groups to identify systemic issues and to formulate ways of addressing these issues with foresight, instead of merely dealing with complaints once they have arrived at the Office's door[109].

On the other hand, a few business submissions are sceptical about the incidence of systemic issues. The Australian Bankers’ Association (70), in referring to a member bank’s analysis of privacy complaints, states that privacy complaints represented 0.0035% of its total customer base and that the complaints had no real pattern, indicating that there were no systemic problems. It states that many of the complaints involved ‘isolated instances of human error’.

Systemic issues and complaints process

A number of submissions are concerned that the Commissioner has limited ability to address broader systemic issues as a result of the Privacy Act’s strong focus upon individual complaints.

The Consumer Credit Legal Centre (62) and the Consumers’ Federation of Australia (65) state that reliance on individual or even representative complaints is ‘inefficient’. The Australian Consumers’ Association (15) raises concerns that the complaints focus disconnects the Office from systemic issues. It argues that the Commissioner should have the power to address systemic problems outside the context of resolving an individual complaint.

The Consumer Credit Legal Centre (62) and the Consumers’ Federation of Australia (65) state that there is no incentive to correct systemic flaws:

‘In most cases, the worst outcome for a respondent is to amend the records. With respect to credit reporting, the cost of dealing with a small number of complaints is apparently less than the cost of ensuring the data is accurate in the first place’.

The Australian Privacy Foundation (90) argues this as well.

While not specifically relating to the NPPs, the Consumer Credit Legal Centre (NSW) (62) raises particular concerns that the Commissioner is not effectively using powers to deal with systemic issues in the credit reporting sector.

The Australian Consumers’ Association (15) argues that over time more enforcement of systemic issues may lower the number of complaints.

More information when systemic issues raised

A number of submissions[110] raise concerns about the lack of information provided when systemic issues are raised with the Office. The Consumer Credit Legal Centre states:

‘we are concerned about the lack of information provided to us when we raise issues of what we believe may be a repeated or systemic problem. While our client’s problem may be resolved, we are rarely advised whether there has been any response to what might be a broader problem with a particular credit provider’.

Some also suggest that there is some failure on the part of the Commissioner to recognise the seriousness of broader systemic issues raised by consumer groups and NGOs, accompanied by the suggestion that these groups want closer interaction with the Commissioner.

Not enough powers to ensure compliance

A number of submissions put the view that at present the Privacy Act does not provide sufficient powers to ensure that businesses are aware of their obligations to protect privacy, know how to implement them in practice and carry through on implementation. They note the lack of audit powers in the private sector provisions, and they comment on what they see as the fact that the Office cannot require organisations to act on the outcome of the ‘own motion investigations’ the Office undertakes[111].

Ineffectiveness of determinations for compliance and systemic issues

A number of consumer and privacy advocacy groups comment on the effectiveness of determinations in addressing systemic issues in the light of the Commissioner’s determinations in April 2004 following representative complaints about a series of issues arising from the operation of tenancy databases.

The Tenants Union of Victoria (23) claims that evidence suggests the determinations have failed to achieve compliance. It notes that in order to achieve compliance an application must be made to the Federal Court, which is both time and resource intensive.

In addition, it claims that determinations are unlikely to be effective in the awarding of small compensation payments and, most importantly, determinations are only applicable to the individual complaint, not to industry-wide practice.

Submissions from advocacy groups and representatives[112] are concerned about the implications of the Privacy Commissioner’s view[113] that a determination under section 52 cannot require a respondent to do something or refrain from doing something unless the activity relates to matters raised by the complainant.

They are concerned that this view means that the Office cannot address systemic issues raised by a complaint. For example, the Tenants Union of Queensland (69) states that:

‘this can, and has in our view, result in a ‘cat and mouse’ game whereby the respondent makes changes, but not those recommended, but still fails to meet the requirements of the NPPs. Aggrieved parties and their advocates are left to raise new complaints and the process is perpetuated [114].’

Professor Graham Greenleaf (47) makes similar points. He notes that respondents are free to ignore recommendations and the only remedy for individuals is then to make a further complaint, and that:

‘this could end up in a continuing charade whereby the respondent is told what he cannot do, but cannot be given binding directions as to what they must do’[115].

The overall view from consumer/privacy advocate submissions is that representative complaints, whilst useful in raising systemic issues, are not effective in addressing broader systemic issues because the Privacy Act does not provide the Commissioner with a power to enforce systemic remedies.

However, the Investment and Financial Services Association Ltd (89) opposes any proposal to implement systemic remedies as it sees that the current approach is working effectively. Telstra (110) approves of the focus of the NPPs being on interference with the privacy of individuals and submits that the current powers of the Commissioner are sufficient.

Complaints process

Process is not transparent

Lack of transparency in the complaints process was a major focus of many submissions[116].

People don’t understand the process

Professor Graham Greenleaf (47), the Consumers' Federation of Australia (65) and the Australian Privacy Foundation (90) argue that the Office’s complaints process lacks transparency because the Office does not publish a manual which outlines the Office’s policies and procedures when it investigates and resolves complaints. They say that, as a result, the parties to complaints can only infer these procedures and policies from the piecemeal information that is publicly available.

People don’t know what decisions are made or why

A number of submissions say that people do not know enough about the outcomes of complaints. They say the consequences of this are:

  • complainants and respondents do not know how the Office interprets the Privacy Act or what remedies are attainable. Therefore, individuals do not know what arguments to raise or whether their complaint is worth pursuing through the Office
  • it is difficult to monitor the adequacy and fairness of the Office’s decisions and remedies; and any mistakes made in the Office’s decision making processes are not exposed
  • legal jurisprudence is not developed in this area of the law, and any deficiencies in the law which may require law reform do not become apparent and therefore do not get addressed.

Professor Graham Greenleaf (47) observes that there are no publicly available criteria reflecting how the Office selects complaints for publication.

Submissions from privacy advocates and consumers[117] observe that the lack of reported statistics on some aspects of the complaint process means that the nature of remedies that complainants achieve is not widely known, nor is it possible to assess the Office’s overall performance in complaint handling. The Fundraising Institute Australia Ltd (52) makes a similar observation.

Some submissions observe that while the published statistics in the 2003-2004 Annual Report show the number of complaints received and closed and the basis for closing the complaint, there is no indication of the nature of resolutions achieved.

Fairness of process

No review power

Submissions from consumer and advocacy groups, for example Professor Graham Greenleaf (47), Consumer Credit Legal Centre (NSW) Inc (62) and the Australian Privacy Foundation (90), note the lack of a right of review for complainants or respondents in relation to section 52 determinations made by the Commissioner.

This issue is set out in detail by Professor Graham Greenleaf (47). The submission includes the following observations.

‘In my submissions to the Government and to Parliament on the Bill leading to the private sector provisions I stressed (as did other commentators) that the lack of any right of appeal against section 52 determinations (to the Federal Court, Federal Magistrates Court, or at least to the AAT), was extremely unfair to complainants.’

The submission goes on to say that, as is noted by the Office’s issues paper, one of the reasons for this unfairness is that:

‘Respondents have the possibility of having a case heard afresh by refusing to comply with a determination and waiting for the Commissioner to seek to have the case enforced in court. However, this strategy is not available to an aggrieved complainant. Quite apart from the inherent bias towards respondents in the Act as it stands, it is unfair and is unnecessary that there should be no appeal from determinations by the Privacy Commissioner.’

Another common concern in the submissions is the Privacy Act’s lack of a merits-based review process for decisions made under section 41. Submissions say this is particularly a concern, for example, where the Commissioner chooses not to investigate, or investigate further, a complaint on the basis that the Commissioner considers that the respondent has adequately dealt with the complaint, regardless of whether the complainant is satisfied with the respondent’s response.

A few submissions, for example from the Chamber of Commerce and Industry, Western Australia (77), argue that the lack of appeal rights is not unique to the Privacy Act and that it is not clear that it is problematic.

Ending partially complete investigations

Professor Greenleaf (47) submits that there is a lack of procedural fairness in the complaints handling procedure in that the Office may complete partial investigations and then decline to investigate a matter further. In his view procedural fairness can only be ensured if the proper process is in place for the Commissioner to make a formal determination in such cases. Indeed, the submission asserts that individuals should be able to insist on the Office making a final determination on a complaint.

Process is too bureaucratic

The Consumers' Federation of Australia (65) and Australian Privacy Foundation (90) say that the Office is overly bureaucratic in requiring individuals to first raise the specific issues with the respondent before the Office will handle the complaint[118]. The submissions report that, in some cases, this involved writing to the respondent or respondents several times[119].

People are confused about who to complain to

Some submissions from business, government and consumer organisations, and from individuals in the health and telecommunications sectors, outline the difficulties experienced because a complaint could be pursued in a number of forums.

In particular, Telstra (110) notes that its customers could complain to the Telecommunications Industry Ombudsman (TIO), the Australian Communications Authority or the Privacy Commissioner. In its view the number of possible complaint bodies causes confusion and additional costs. Its preferred view is that the Privacy Commissioner should be the body of last resort and should only get involved after the TIO has considered the matter.

The Department of Health and Ageing (99) puts a similar view in relation to complaints in the health sector, noting that there is a lack of clarity and definition relating to recourse when consumers feel privacy has been breached. It seeks a more consumer friendly approach for dealing with privacy complaints; for example, it encourages the Office to develop a Memorandum of Understanding with Health Complaints Commissioners.

However, submissions from regulators with overlapping jurisdiction were more comfortable with the operation of the current arrangements. For example, the Australian Competition and Consumer Commission (ACCC) (128) comments that although some complaints may fall within both jurisdictions, this has not been a barrier to resolution. It notes that the Office and the ACCC generally refer complaints to one another and that the Memorandum of Understanding has assisted in this.

The Australian Communications Authority (94) says that the lack of clarity about jurisdictional responsibility has not been a barrier to resolution of complaints, as parties generally liaise closely and adopt a co-operative approach. However, it notes:

‘from a consumer’s point of view, some confusion may arise over which agency a person should make their initial complaint to. Additionally, this lack of jurisdictional clarity has the potential to significantly delay or complicate investigation of complaints and is potentially wasteful of agency resources’.

Delays in handling complaints

A number of submissions, including ANZ (40), Coles Myer (60), Australian Finance Conference (63), Australian Bankers’ Association (70) and Baycorp Advantage (86), question whether the Office is adequately resourced to undertake its key functions, including complaint handling. For example, Coles Myer says:

‘We are aware of consumer advocate criticism of the long delays of matters raised with the Commissioner. We share these concerns. . . . we would recommend the Commissioner be sufficiently resourced to:

  • Ensure complaints are allocated in an expedient way and
  • To educate individuals that direct contact with the privacy manager at the company involved is the preferred way to resolve an issue.’

Likewise the Australian Finance Conference (63) says:

‘…on the more specific level of complaint handling involving our members individually, there has been concern expressed about the delay in raising the complaint with the member. . . . we recognise that the limitation on the resources of the OFPC may have impacted.’

Other submissions are also concerned about delays in complaint handling[120].

A confidential submission from an individual highlights the frustration they felt whilst waiting for their complaint to be investigated. The Australian Consumers’ Association (ACA) (15) notes it is:

‘aware of and concerned by the delays and queues that have characterised complaints handling by the Office over the term of the review. These in turn may well have fed back into a public perception of the Office as being incapable of delivering a satisfactory outcome’. Further, the ACA states a belief that ‘the OFPC has a high rate of discouraged complainants, abandoned complaints and unhappy consumers’.

Tenants’ Union of Queensland (69) says that the ‘resource issue needs to be addressed to allow the Office to discharge its complaint handling function and embed a ‘real respect’ for individual privacy into Australian businesses.’

Respondent organisations are also aware of the problems that have arisen due to the underperformance of the complaint handling function. The ANZ (40) says that in one case there was a period of 12 months between the time the Office had told an organisation that the complainant had written to the Commissioner and when the complaint was finally forwarded to the respondent.

In its submission, the ANZ Bank (40) highlights two problems caused by delay, in particular:

  • delays can have the unintended impact of undermining trust in the regime and lead to calls for a stronger legislative approach, when all that is needed is full use of existing powers and processes and
  • delays can also impact the bank’s relationship with its customer, especially where we are unaware a complaint has been made.

Respondents emphasise that swift resolution of complaints is essential to ensure confidence in the Office and the law.

A number of submissions highlight the fact that prolonged delays in complaint handling reduce the success of complaint resolution and make it difficult to ‘mend’ the relationship with the complainant[121].

5.5 What submissions say – addressing issues

Transparency

Publish complaints manual

A number of submissions, including Professor Graham Greenleaf (47), the Australian Privacy Foundation (90), the Consumers’ Federation of Australia (65) and the Consumer Credit Legal Centre (62), say that in order to cast more light on the way that the Office handles complaints the Office should publish online a comprehensive manual of its complaint resolution policies and procedures, and keep it up to date.

Publish more about complaints outcomes

Submissions concerned about lack of transparency call for better reporting of the Office’s processes and complaint outcomes, in terms of statistical information and more detailed real life examples of closed complaints and how they were resolved.

A number of submissions state that while there has been a marked increase in the number of case notes published on the Office’s website, there is still a need for more examples of real life cases which represent the range of complaints which the Office receives. In addition, these submissions seek detailed information about how complaints are resolved to assist readers to understand the legal issues involved and the Commissioner’s reasoning leading to a resolution[122].

Submissions acknowledge that publication of case notes detailing a conciliated outcome may adversely affect the conciliation of a complaint. However, they argue this may be overcome by de-identifying complaints or, where that is not possible, by considering publication on a case by case basis.

To achieve a more systematic approach to the publication of case notes, Professor Graham Greenleaf (47), the Australian Privacy Foundation (90), Consumer Credit Legal Centre (62) and the Consumers’ Federation of Australia (65) recommend that the Office adopt ‘Criteria of Seriousness’ and confirm its adherence to these criteria in the Office’s Annual Report. Professor Greenleaf (47) also recommends that the Office:

  • continues to publish statistics on provisions used to dispose of complaints and publishes additional information, such as listing the laws relied upon under section 41(1)(f) and
  • publishes statistics of the remedies obtained, including the number of cases in which compensation was paid and the amount.

Greater use of existing powers

More proactive

The Consumer Credit Legal Centre (62) states the Office should be more proactive in addressing systemic issues. The Consumer Credit Legal Centre (62) and the Consumers’ Federation of Australia (65) state that reliance on individual or even representative complaints is ‘inefficient’.

More determinations

Professor Greenleaf (47) says that there would be more transparency in the complaints process if the Office made greater use of its power to make determinations.

More own motion investigations

Many advocacy and consumer groups submit that the Commissioner should make greater use of available powers, including the own motion investigation powers, to address systemic issues. The Australian Privacy Foundation (90) states that:

‘Problems that we see constantly repeated over many years are not being adequately addressed. It should not be necessary to keep bringing individual or even representative complaints, which are a very inefficient way of addressing systemic problems. Instead, the OFPC should be more pro-active in addressing systemic issues using her own-motion investigation powers’.

Fairness

More review

Professor Greenleaf (47) says that both the complainant and the respondent to a privacy complaint should have a right of appeal against any section 52 determination, in the form of merits review. This could be either to the Federal Court, the Federal Magistrates Court or the Administrative Appeals Tribunal. Other submissions also support this, for example the Consumer Credit Legal Centre (62), the Australian Privacy Foundation (90) and Electronic Frontiers Australia (51).

Right to ask for complaint to go to a determination

Professor Graham Greenleaf (47) argues that if the Commissioner dismisses a complaint under section 41(2)(a) of the Privacy Act on the grounds that the Commissioner is satisfied that the respondent has dealt adequately with the complaint, the complainant should be able to insist that the Commissioner make a determination under section 52 of the Privacy Act. A number of other submissions also support this.[123]

Professor Greenleaf says that if compensation was involved, this would give the complainant a right to appeal the amount to the Administrative Appeals Tribunal.[124] If the respondent was found in breach of the Privacy Act the complainant would have the satisfaction of having the breach publicly acknowledged, even if other remedies were not awarded. He says that the Privacy Act should be amended to clarify that the complainant has this right.

Mixed views about whether the Office should make more use of the determinations power were evident at the Darwin stakeholder forum and included that:

  • the fact that few determinations have been issued suggests that no more powers are needed
  • more powers are not needed
  • the occasional ‘fright’ is needed to keep organisations in line.

More help to complainants – streamline process

The Australian Privacy Foundation (90) says there should be an express power for the Office to ‘sort out’ what principles have been breached and who is the appropriate respondent. The submission argues the onus should not be on the complainant as responsibilities for handling personal information can be confusing.

Improving levels of compliance

Powers to enforce own motion investigations

The Australian Consumers’ Association (15) says that the Commissioner should ‘be able to enforce any directions given in relation to findings after an own motion investigation’ which ensures that ‘light handed’ interventions by the Commissioner have the ‘weight of possible further action attached to them’.

Power to audit private sector

The Australian Consumers’ Association (15), the Consumers’ Federation of Australia (65), the Tenants’ Union of Queensland (69), the Australian Privacy Foundation (90), and Xamax Consultancy Pty Ltd (3) see an extended audit power as one of a number of necessary strands to a greater level of compliance. Others also argue that an audit power is a necessary response to what they perceive as a current lack of confidence in the community in the Commissioner to protect privacy.

Power to issue binding codes

The Australian Consumers’ Association (15) says that in order to be able to address systemic issues the Office should have the power to issue a standard or binding code.

The Australian Bankers’ Association (70) is opposed to this idea. It states that it ‘would not support the Privacy Commissioner having an “own motion” power to initiate a Privacy Code affecting banks.’ It argues that ‘from the ABA’s perspective the NPPs are working well and this issue is perhaps a matter for other industry sectors to address’.

Other powers to deal with systemic issues

The Australian Consumers’ Association (15) says that the Office should:

  • have the capacity to address systemic privacy problems outside the context of resolving an individual complaint
  • be able to find an organisation that breaches privacy provisions
  • be able to seek court enforceable undertakings.

Review of resources

A number of submissions[125] identify that funding to the Office should be reviewed by the government and increased to a level that allows the Office to carry out its functions in an expedient and efficient manner.

The Australian Consumers’ Association (15) suggests the establishment of a resource stream:

‘to the dispute resolution activities…that is commensurate with and scales to meet the volume of complaints coming to the Office. Preferably this funding would be provided by a scheme whereby organisations complained against bear the cost’.

Are levels of compliance adequate?

Level of compliance

There are grounds for arguing that there is a satisfactory level of compliance with the private sector provisions among organisations. For example, there is evidence that many organisations have taken substantial steps to ensure that they comply. There is also evidence that businesses have made some steps towards compliance. For example, many organisations provide their customers with privacy notices.

Submissions also indicate that the organisations making them receive very few complaints relative to the number of transactions they process. It may also be argued that the Office receives few complaints considering the number of transactions taking place in the private sector.

The Office accepts these points. In particular, it acknowledges that the number of privacy complaints received is very small given the millions of transactions involving personal information each day. It also acknowledges that many organisations are taking significant steps to comply. However, it cannot be assumed that, as a result of these factors, the level of compliance in the private sector is at an optimum level.

Complaints as an indicator of compliance

It may not be appropriate to draw definitive conclusions from the current low level of privacy complaints. There are complex reasons why people do not complain, and low complaint numbers are not necessarily indicative of high levels of compliance. Reasons why individuals may not complain may include:

  • individuals are not motivated to complain for a range of reasons, including that they have not suffered significant loss or damage
  • individuals are not aware of the breach
  • although the submissions report low complaint numbers, the Office is not in a position to know if this applies across the board and, more specifically, how many complaints are made direct to organisations and are resolved at that level
  • difficulty in lodging a complaint with the organisation (that is, no privacy contact officer).

Some commentators’ views on this area indicate that most dissatisfied consumers never complain[126]. A United States program, the Technical Assistance Research Program (TARP), has also suggested that as many as 95% of dissatisfied customers do not complain to the company concerned[127]. While companies may assume that a small number of complaints means that consumers are satisfied and that there are no systematic problems, TARP refers to this as the ‘tip of the iceberg’ phenomenon[128]. In addition, according to Hyman et al:

‘only a portion of the problems/defects that exist are actually perceived; only a portion of those perceived are voiced; only a portion of those voiced gain access to a complaint-resolving party; and only a portion at each stage are resolved successfully’[129].

Research shows that while some dissatisfied consumers will voice their complaints to the company concerned, others complain by word of mouth to friends, family members, neighbours and their community[130]. Others, instead of complaining, will simply change providers[131]. In that case, it could be argued that the provisions and ‘the market’ are working.

Factors such as the effort required to confront the organisation and to articulate the problems, as well as anxiety over what may happen when the organisation is confronted, have been raised as reasons why individuals would not make a formal complaint to management[132].

Compliance may be uneven

It is clear that the banking and insurance sectors have paid considerable attention to privacy compliance. However, there is anecdotal evidence from other submissions, the consultations and the Office’s own experience that suggests that the depth of privacy compliance is not uniform and that some organisations may not be following up initial compliance efforts or may not have implemented privacy requirements at all. The Office notes here the comments in some submissions about the overall compliance environment. These include the lack of incentive in the Privacy Act and the Office’s approach to compliance for many organisations to implement privacy in a systemic way, and the complexity of the regulating environment in general.

As some submissions pointed out earlier, smaller businesses often see the raft of government, local and federal regulations, including occupational health and safety and particularly taxation, as annoying, costly and expensive diversions from the primary purpose of business.[133] Complying with privacy requirements, particularly if regarded as a low risk issue, is likely to be a lower priority than such matters as taxation or other more immediate regulatory concerns.

Monitoring compliance

The Office has limited ability to objectively assess current levels of compliance. This is in part because the Commissioner’s monitoring powers are limited. The Office does not have the power to do random checks on organisations to see if they are complying. The currently available investigative options are the own motion power, which can be triggered where there may be an interference with privacy and the Commissioner considers it desirable to investigate, or undertaking an audit by invitation[134]. The Office could also rely on its educative functions to seek information via surveys, consultations and the like.

Also, in line with the ‘light touch’ approach of the private sector provisions, organisations do not have any obligation to report to the Office on their compliance.

Is change needed?

Concerns raised in submissions and from the Office’s own experience suggest that there is room for improving compliance and its complaints process. This can be done in a way that increases the incentive for businesses to comply while having little impact on organisations that are actively and fully complying. Measures could include greater guidance, education and awareness programs and improving existing processes, as well as strengthening enforcement powers.

Enforcement powers

The House of Representatives Standing Committee on Legal and Constitutional Affairs[135] noted, without making a formal recommendation, that there appeared to be some limits to the enforcement regime in the Privacy Act.

This is supported by the Office’s experience that more directive powers may be desirable, particularly where systemic issues arise, either in the course of a complaint or in the context of an own motion investigation.

The Office’s experience also indicates that while the vast majority of organisations comply with the Office’s directions when it finds a breach, there are some that do not. Although this occurs in few cases, the failure to comply devalues the privacy scheme and reduces the incentives for others to comply, and also means that organisations that do comply do not receive the full benefit of their conscientious behaviour in terms of a level playing field. Apparent lack of enforcement also discourages individuals from complaining.

A more active and transparent approach

The benefits that are likely to flow from a more transparent and active approach to compliance could include:

  • increase in public confidence in the Privacy Act because serious issues or recalcitrant organisations are seen to be dealt with
  • businesses making serious efforts to comply would not be disadvantaged, that is, the playing field would be more level
  • there would be more published information about how the Office applies the Privacy Act.

Systemic issues

The Office has a strong focus on individual complaints, although it does also respond to systemic issues raised in complaints or identified by other means to the extent possible. The focus on individual complaints is in part because complaint investigation is a non-discretionary function.[136]

There is some evidence that the Office’s limited focus on systemic issues and its lack of power to deal with systemic issues is out of step with best practice for complaint handlers. For example, Louise Sylvan (then of the Australian Consumers’ Association), in a presentation to the 2003 National Dispute Resolution Advisory Council Conference[137] identifying good practice in complaint handling, noted that:

‘A scheme must be underpinned by a comprehensive and efficient complaints handling mechanism. Systemic analysis is required which seeks to eliminate systemic recurrence of issues and to achieve resolution with finality… the addressing of systemic issues to preventing recurrence, and public reporting (or name and shame)’.

A greater focus on analysing complaints, following up leads, conducting more own motion investigations to identify systemic issues and so on could also feed into education and guidance activities.

The Office has had some notable successes in encouraging organisations to make systemic changes to systems and practices[138]. However, the Office has experienced difficulties in dealing with systemic issues in particular cases. For example, there have been a number of cases involving the handling of old medical records, both in terms of security and in ensuring that individuals can continue to access their records.

The Office has also encountered difficulty in dealing with privacy issues arising from the operation of tenancy databases. For example, the Commissioner cannot require tenancy database operators to take a particular set of compliance actions, either in the course of a determination or following an own motion investigation.

5.6 Options for reform

More education and awareness

As outlined in Chapters 4 and 6 of this report, there is considerable room for greater education and awareness among organisations and consumers. Better informed consumers are likely to ask that organisations comply with their obligations. Also, if consumers demand this, businesses are more likely to see the business advantage in practising good privacy. Also, it may be that some smaller organisations are still unaware of their need to comply with the private sector provisions, or even if aware, unsure how to go about complying. The recommendations in Chapters 4 and 6 relating to a new consumer and business awareness program are likely to have some impact on the level of business compliance.

Increase transparency in complaints process

Publishing more information

Good reasons for publishing more information

The submissions seeking greater transparency made a number of suggestions for reform. In general, the objective of greater transparency, short of routinely naming both parties, in complaint handling processes and outcomes is likely to benefit both complainants and respondents. Individuals and organisations will be negotiating with greater knowledge of likely outcomes. Organisations and their advisors will have more detailed information about how to comply. The Office’s decisions would be more open to scrutiny. However, it does not appear to be common practice for regulators to publish manuals which set out in great detail their complaints processes.

Publishing Outcomes of Conciliation/Complaints in other jurisdictions

Many complaints bodies publish de-identified case notes or similar. However, these vary in length and number. Australian complaint-handling bodies that publish a select number of de-identified case notes include the Office of the Victorian Privacy Commissioner and the Anti-Discrimination Commission Queensland. The Office of the New South Wales Privacy Commissioner does not publish any case notes or report on conciliated complaints. The full texts of cases that have gone through the New South Wales Administrative Decisions Tribunal are publicly available.

Decisions made by the Human Rights and Equal Opportunity Commission (HREOC) between 1985 and 1999 are available on the Australian Legal Information Institute website. From 2000, the public hearing and determination process was passed to the Federal Court of Australia. These decisions are available online through the Federal Court of Australia’s website and the Federal Magistrates Service website. HREOC also maintains a de-identified register on its website of all conciliated cases[139]. The complaint summaries in this register provide information about the terms of settlement, including the amount of compensation awarded, if any.

The New Zealand Privacy Commission and the Office of the Privacy Commissioner for Personal Data, Hong Kong publish a number of de-identified case notes on their websites. The Office of the Privacy Commissioner of Canada publishes de-identified case notes for both settled and early resolution cases. The Canadian Commissioner has also published an incident summary. This is a summary of a case which is not the subject of a complaint but has been brought to the attention of the Commissioner (similar to an own-motion investigation under the Privacy Act).

It would appear from this survey that publishing more information would bring the Office more closely into line with other complaints handling agencies. However, it does not appear to be common practice to publish in a way that includes identified information.

The Office could maintain a de-identified register of the outcomes of all the complaints it conciliates. It could provide more information about the outcome of all complaints or it could continue to produce case notes.

Review use of determination power

Making more determinations would address a number of concerns about the transparency and fairness of the current approach to complaint handling. It could particularly address concerns expressed about situations where the complaint does not seem amenable to resolution by conciliation or where there is a public interest in proceeding to a determination. This approach could also provide a solution to the expressed concern of some consumers and advocates that the enforcement of the Privacy Act is ‘soft’.

In addition to promoting confidence for consumers, there would be clear benefits for organisations in terms of certainty. There would be more published decisions on how the Privacy Act applies.

The possibility of finalising more complaints by determination could have resource implications for organisations and the Office. Determinations, particularly where they involve oral hearings, are potentially more costly for the Office to administer. The Office could focus more directly on monitoring compliance with determinations and, if organisations do not comply, on seeking enforcement through the Courts.

More external review

Providing additional appeal rights may create a fairer process for individual complainants in areas where currently there is no review. It could create greater transparency and scrutiny for the Office’s decisions on the private sector provisions. Although industry based complaint handlers do not have review rights, the lack of merits review for the Office’s key decisions, particularly determinations, appears to be out of step with other government based authorities.

For example, the Privacy Act, when compared to other statutes providing for a right of complaint, is unusual both in terms of containing a power to make final determinations about a complaint and in providing limited avenues of appeal to judicial decision. Appendix 12 sets out the position in relation to a number of similar statutes. The role of positions similar to the Commissioner’s is more often to attempt to resolve a complaint by conciliation. Where conciliation fails or is not possible, the more usual process is a court hearing with accompanying rights of appeal.

On the other hand, it might be said that creating appeal rights might result in a more legalistic and burdensome process which is not consistent with a ‘light touch’ scheme. It could be argued that the rights of appeal that do exist have not been very much used, and so creating additional ones is unnecessary. Also, the Commissioner is in effect a body of appeal (from decisions made by the organisation), and it would be unnecessary to provide additional levels of appeal, particularly given that the process the Commissioner uses is separately subject to ADJR Act review. In this regard it is worth noting that the Parliament provided for determinations by code adjudicators to be reviewable by the Commissioner[140].

The question of appeal rights was considered by the House of Representatives Standing Committee on Legal and Constitutional Affairs, which inquired into the Privacy Amendment (Private Sector) Bill 2000[141]. The Committee mentioned a number of issues, including concerns about a perceived lack of appeal rights in respect of the enforcement regime in the Privacy Act. It also noted that some witnesses expressed concerns about the appeal framework as framed in the Bill, including that there would be higher compliance costs for business compared to an industry scheme with no appeal rights and that the threat of judicial review would make complaint handling bodies more formal and legalistic.

The Committee noted both sets of concerns. While its report did not make a recommendation, and consequently the Government response to the report did not consider the issue, it did note that the enforcement and appeal provisions in the Bill appeared to need further attention[142].

As discussed in this report, the Commissioner is reviewing the Office’s complaint handling process, including the circumstances in which complaints will be finalised by determination. These circumstances could include where the complainant and respondent cannot agree on a resolution by conciliation. This change in approach would not require changes to the Privacy Act, and may meet one stream of concern in the submissions about lack of review rights.

Fairer process

Some submissions identify areas where the Office’s complaint handling processes seem overly bureaucratic, for example where the complainant has not identified the correct respondent and is told they need to take this step before the Office will respond.

There would be clear value in looking at the process to ensure that it meets external standards for complaint handling and alternative dispute resolution (ADR) and to make it more user friendly for both parties where the law and resources allow.

Make better use of existing powers

Greater use of own motion powers

Existing practice

The Office undertakes own motion investigations in a range of circumstances. Typically, the Office becomes aware of these matters through reports by individuals or the organisation concerned, or through the media. In some cases, the Office also follows up matters that have been identified through complaints.

The table below shows the total number of own motion investigations logged on the Office’s complaint handling system over the past five years. Not all incidents logged are investigated. The Office applies risk management criteria that include the seriousness of the incident and the number of people affected (see Appendix 10 for more details about the Office’s use of the own motion power).

Table: Number of own motion investigations and complaints registered

Time period                    No of OMIs    Complaints (not including OMIs)
1 July 2000 – 30 June 2001     10            194
1 July 2001 – 30 June 2002     48            611
1 July 2002 – 30 June 2003     64            1090
1 July 2003 – 30 June 2004     69            1276
1 July 2004 – 1 Feb 2005       59            724

Value in more own motion investigations

Undertaking more own motion investigations would be a practical way of addressing systemic issues independently of complaints. However, doing this would have an impact on the Office’s resources. In addition, for the investigations to be of greater benefit, the Office would need to have the power to direct organisations to address any issues found and then to enforce those directions.

It may be that if the Office carried out more own motion investigations with enforceable directions, this would be sufficient to enable it to address systemic issues.

Power to enforce own motion investigations

Problems caused by lack of enforcement power

The Office has experienced some difficulties in dealing[143] with potential privacy breaches where there is no individual complainant and where the respondent is not cooperative, or where there is a need to respond quickly to systemic poor privacy practices, for example in relation to tenancy databases. In this respect it would appear that the Office’s powers may be out of step with other similar regulators.

Other regulatory regimes

A number of similar regulatory regimes include more directive enforcement powers. For example, under section 48 of the Information Privacy Act 2000 (Vic), an organisation must comply with a compliance notice served on it.

Under section 44(1) of the Information Privacy Act 2000 (Vic), the Victorian Privacy Commissioner may serve a compliance notice on an organisation if the organisation has done an act or engaged in a practice in contravention of an IPP or applicable code of practice and the act or practice:

  • constitutes a serious or flagrant contravention, or
  • is of a kind that has been done or engaged in by the organisation on at least 5 separate occasions within the previous 2 years.

Section 44(5) enables the Victorian Privacy Commissioner to act on his or her own initiative. It is an offence under section 48 not to comply with a compliance notice. Section 66(1) of the Health Records Act 2001 (Vic) enables the Health Services Commissioner to serve a compliance notice on an organisation in the same way as the Information Privacy Act 2000. Section 66(5) enables the Health Services Commissioner to act on his or her own initiative. Failure to comply with a compliance notice is an offence under section 71 of the Health Records Act 2001 (Vic).

Under the Trade Practices Act 1974, the Australian Competition and Consumer Commission (ACCC) has the power to accept court-enforceable undertakings[144]. It may use this power to resolve a possible contravention of the Act by deciding to accept formal administrative settlements or undertakings from businesses, in addition to or in lieu of taking legal proceedings. The ACCC advises that it does not accept offers of such undertakings unless the undertakings are to be made public and do not contain a denial of contravention of the Act. The ACCC may enforce such undertakings in court if they are not honoured.

Under section 155(2) of the Anti-Discrimination Act 1991 (Qld), the Queensland Commissioner may initiate an investigation if

(a) during the course of carrying out the commission's functions, a possible case of a contravention of the Act against a group or class of people is discovered, the matter is of public concern and the Minister agrees; or

(b) an allegation is made that an offence against the Act has been committed; or

(c) during the course of carrying out the commission's functions, a possible offence against the Act is discovered.

Under subsection 155(4), if the Queensland Commissioner investigates under subsection 155(2) and the matter cannot be resolved by conciliation, the Queensland Commissioner may refer the matter to the tribunal as if it were a complaint. In such an instance, the Queensland Commissioner acts as if they were the complainant (section 155(5)).

Power to audit private sector

Existing power

In general, the Commissioner does not have an audit power in relation to the private sector provisions[145]. The Commissioner can audit an organisation if invited by the organisation to do so; however, to date there have been no audits under this function[146].

Benefits of audit power for private sector

Having a private sector audit power may increase community confidence in the efficacy of the Privacy Act and give the Office an additional power to identify systemic issues and to monitor responses.

However, if the Office were to have the power to audit the private sector, this would have resource implications. It currently carries out limited audits in those areas in which it has the power. In addition, it could be argued that this is a role that a number of private sector consultancy firms carry out, and should not be one taken on by the Office.

A more appropriate role may be for the Office to provide information on the value of auditing to organisations as evidence of compliance in the event of complaints. The Office could also develop and provide privacy audit training for organisations. Another option could be for the Office to provide privacy audit resources, including auditors who have privacy expertise. In the latter case the Office could consider whether some form of privacy auditor accreditation would be useful or necessary.

Other power to address systemic problems in complaints

Extend section 52 powers

The Privacy Act could be amended to extend the Commissioner’s powers under section 52 to apply specific systemic remedies to individual and representative complaints. This would enable the Commissioner to prescribe a specific course of action to eliminate acts and practices in a systemic way as part of its complaints system. This would be an efficient and effective way of addressing systemic issues that it comes across in the course of handling complaints. This is important as complaints are the main way that the Office becomes aware of privacy practices.

Power to issue binding guidelines

The Privacy Act could be amended to give the Commissioner the power to issue binding guidelines. This could be a useful tool in contexts where the Office becomes aware of systemic issues and wishes to issue general, but binding, guidance to ensure that all organisations comply with them. This creates a more level playing field among organisations, and ensures that conscientious organisations are not commercially disadvantaged.

Such guidelines could address aspects of the NPPs as they are applied in specific contexts, for example, steps to be taken in a particular industry sector to ensure personal information is accurate, complete and up to date. They could overcome uncertainty in the application of NPPs in particular situations. It would also benefit consumers to have a more specific idea of their rights.

Binding guidelines would be developed following consultation with affected stakeholders and may need to be disallowable instruments. The Commissioner could also take into account any potential negative impact in deciding whether to issue binding guidelines. Factors to consider here could include whether binding guidelines would add to the complexity of the privacy regime and whether this was warranted in the circumstances.

Power to issue binding codes

An alternative or addition to the options discussed above could be a power under the Act to issue a binding code. Various options for this are discussed in Chapter 2. This may be the best solution in a narrow range of cases such as, for example, the operation of tenancy databases. While, in general, it is preferable and appropriate that organisations are able to make their own judgments about the steps needed to comply with the NPPs, it may not be the best outcome for some sectors.

The possible value in a mechanism such as a binding code can be illustrated by looking at issues that were considered in the four determinations made in 2004[147] following representative complaints about a tenancy database operator, and in the general context for these complaints. The determinations considered questions such as:

  • whether the charges for providing access were excessive – NPP 6.4
  • what steps are reasonable to ensure personal information is ‘accurate, complete and up-to-date’ – NPP 3
  • the nature and timing of notice to individuals that they may be listed with a tenancy database and
  • the length of time a tenancy default listing could be retained on a tenancy database.

The Commissioner found breaches on a number of these issues and made a number of recommendations to prevent the problem recurring in the future. However, the Commissioner stated, for example, in Determination No. 2 of 2004 that:

‘The complainants have asked me to make a declaration requiring TICA to develop new forms to meet its obligations under NPP 1.5. I am not satisfied that I should do so. While I have declared that TICA should not repeat or continue conduct which constitutes an interference with the privacy of an individual, I do not, in my view, have the power under section 52(1)(b)(i)(B) to otherwise generally prescribe how TICA should act.’

In practice, the impact of the Commissioner’s determinations on the tenancy industry appears to have been limited. The Office continues to receive complaints from individuals about tenancy database operators, and these complaints raise many of the same issues that were dealt with in the determinations as well as new issues.

A number of database operators have called for the Commissioner to ‘rule’ on a number of aspects of the NPPs, including, for example, the timeframe for keeping listings and fees for access. The interest here seems to be in seeking certainty and to some extent a level playing field.

A binding code could set specific direction in relation to the accurate content of listings (NPP 3) or time limits for removal of listings from a tenancy database (NPP 2.1 and NPP 4.2). It could also address matters such as appropriate mechanisms for dispute resolution.

Improve liaison with overlapping complaint handlers

The Office could liaise closely with these bodies to ensure that privacy complaints are handled efficiently and to minimise confusion and costs for both individuals and organisations. It could have a memorandum of understanding to ensure that the most appropriate regulator is considering each complaint and to improve overall complaint-handling.

Care would be needed to ensure that any memorandum of understanding did not limit individuals’ rights under the Privacy Act. However, this is a matter that could be addressed, for example, by agreement that bodies would provide information about rights under the Privacy Act in their publications. That said, where individuals come to the Privacy Commissioner after their complaint has been considered by another body, the Office’s approach generally would be to take account of investigations by other bodies in deciding whether it should investigate a matter, and it has done so in a number of cases.

The Office has had discussions with other bodies that handle privacy or privacy-related complaints, including the Telecommunications Industry Ombudsman and the Banking and Financial Services Ombudsman. There is a common interest in ensuring that, as far as possible, a complaint is handled by the appropriate body. This avoids the complaint ‘merry-go-round’ and ‘double-dipping’ (where consumers approach consecutive bodies seeking a better outcome).

Advice about complaint rights

Many organisations already tell people in their privacy notices how to complain to the organisation and also to the Office. However, the NPPs do not currently require this.

Requiring this could complement other measures to ensure individuals are aware of their rights and how to pursue them.

A partial model is found in paragraph 3.7 of the Credit Reporting Code of Conduct, which requires credit reporting agencies to immediately inform individuals that they have recourse to the Privacy Commissioner if the credit reporting agency establishes that it is unable to resolve the dispute.

This could be a useful tool in the overall strategy to raise awareness and to identify and remedy systemic issues. It could be achieved by amending the NPPs or by the Office issuing an information sheet or other guidance.

Address delay in handling complaints

The issues paper highlighted that individuals who complain to the Office generally face a considerable delay (currently between 10 and 12 months) before the Office can handle their complaint. This is primarily due to the volume of complaints the Office has received since the private sector provisions came into effect.

The Office has given priority to its complaint handling function so as to minimise delay in complaint investigations for complainants and respondents. It has diverted resources from other areas of responsibility, including auditing of Commonwealth agencies, towards complaint handling on the rationale that increasing complaint backlogs had the potential to undermine the operation of the Privacy Act.

Submissions from all quarters express dissatisfaction with the length of time it currently takes the Office to handle complaints. It complicates business relationships, and consumers want outcomes.

Review practices

The Office is keen to ensure that complaints are dealt with in a timely manner and that the parties are not disadvantaged by any delay. To this end, since 2001 the Office has reviewed and modified its practices by employing a number of strategies to deal with the complaint numbers. These include:

  • introducing a new complaints management system
  • implementing a more rigorous system to triage complaints received
  • improving workload management
  • more standardisation of correspondence
  • a system for referring certain queued complaints back to the respondent and
  • employing a web-based tool that allows potential complainants to test if the Commissioner is likely to be able to investigate their complaint.

The following statistics give a brief overview of the extent of total complaints and enquiries to the Commissioner[148].

                              2000-2001  2001-2002  2002-2003  2003-2004  2004-2005
Enquiries to Hotline               8177      21033      21290      20208      13541
Written Enquiries                   884       2700       2382       2206       1301
Complaints under section 36         194        632       1090       1276        839

The Office is concerned that the complaint resolution process is impaired if complainants wait a long period before their matter is investigated. As time passes the quality of evidence deteriorates. The Office is also concerned that the delay may allow poor privacy practices to continue unchecked and that systemic problems remain undiscovered.

Further review complaints practices

The Office could consider further streamlining its processes, but it would need to consider the extent to which it could do so without undermining principles of natural justice.

Cost recovery

The Office could consider charging respondents to handle complaints about them. It could also consider charging complainants. However, the Office notes that it is not aware that other complaints handlers, apart from courts, charge applicants to handle disputes.

Power to decline to investigate and other strategies

Other options for responding to the delay could include giving the Commissioner stronger powers to decline to investigate complaints where there appears to be little public interest (for example, where there is minimal apparent harm, or the matter has been considered before and the organisation has changed practice).

As discussed above, the Office could give greater emphasis to complaints or investigation into systemic issues with a view to preventing future harm (and privacy complaints). However, in the short term the latter strategy may mean that the backlog of individual complaints gets larger.

5.7 Recommendations: Complaints handling and compliance

Approach to compliance

37. The Office will maintain its current approach to compliance, including the focus on attempting to conciliate complaints in the first instance as set out in Information Sheet 13. However, the Office will consider whether it might be appropriate in some circumstances to use its other powers earlier, such as the determination-making power.

38. The Office will consider options for providing more feedback on systemic issues, either in advice or guidance or in some form of regular update to stakeholders.

39. The Office will consider promoting privacy audits by private sector organisations, including by providing information on the value of auditing as evidence of compliance in the event of complaints and by developing and providing privacy audit training for organisations.

Review rights for complaint decisions

40. The Australian Government should consider amending the Privacy Act to give complainants and respondents a right to have the merits of complaints decisions made by the Privacy Commissioner reviewed.

Fair and transparent complaint processes and resolution

41. The Australian Government should consider amending National Privacy Principle 1.3 to require organisations to tell individuals how they can complain to the organisation and that, if the complaint is not resolved, they can also complain to the Privacy Commissioner or (where relevant) the code adjudicator.

42. The Office will review its complaints handling processes and will consider the circumstances in which it might be appropriate to make greater use of the Commissioner’s power to make determinations under section 52 of the Privacy Act.

43. The Office will also consider measures to increase the transparency of its complaints processes and complaint outcomes.

Additional powers

44. The Australian Government should consider amending the Privacy Act to:

  • expand the remedies available following a determination under section 52 to include giving the Privacy Commissioner power to require a respondent to take steps to prevent future harm arising from systemic issues
  • provide for enforceable remedies following own motion investigations where the Commissioner finds a breach of the NPPs
  • provide a power for the development of binding codes and/or binding guidelines in cases where there is a strong public interest, where more detailed guidance is warranted or where complaints reveal recurrent breaches (see recommendation 7).

Resourcing implications and complaint handling

45. The Australian Government should consider the strong calls by a wide range of stakeholders for the Office to be adequately resourced to meet its complaint handling functions.

46. The Australian Government should consider amending the Privacy Act to give the Commissioner a further discretion not to investigate complaints where the harm to individuals is minimal and there is no public interest in pursuing the matter.

6 Balancing individual privacy interests with business efficiency

6.1 Introduction

Law and policy

The private sector provisions of the Privacy Act introduced what the then Attorney-General called a ‘light touch’ approach to privacy protection. They established a co-regulatory regime which was intended to be responsive to both business and consumer needs[149]. This was to be achieved by using high level principles rather than prescriptive rules and by encouraging organisations and industries to develop their own privacy codes.

The legislation also included a number of exemptions, including an exemption for employee records, on the ground that this was better dealt with under workplace relations legislation, and an exemption for small business.

Issues

The issues paper considered the balance struck by the private sector provisions between individual privacy interests and business efficiency. It discussed, among other things, the high level principles approach, the costs of compliance, the level of compliance, industry and organisation codes and the small business exemption.

Striking the balance

Submissions are divided on the question of whether or not the private sector provisions strike the right balance between individual privacy and business efficiency. Electronic Frontiers Australia (51) and Xamax Consultancy Pty Ltd (3) suggest that the existing provisions are so inadequate that a new Act that makes a genuine attempt to protect individuals’ privacy is the only solution.

On the specific issue of balance, the Communications Law Centre (72) says there is an overwhelming imbalance between the competing interests of organisations and individuals, where organisations’ interests such as business efficiency clearly outweigh the privacy rights of individuals.

On the other hand, submissions from business are more likely to support the existing regime. Promina Group (34), an insurance and financial services corporation, for example, supports the regime and the approach taken by the Privacy Commissioner and says that this approach creates the right balance between commercial or business interests and the protection of an individual’s privacy rights.

Similarly, Telstra Australia Ltd (110) states that the Act contains an effective balance between rights of the individual. In its view, this balance could be enhanced by the Office lifting its profile and providing more information about privacy issues to the community.

Principles or rules

Submissions generally support principles based approach

The submissions that address the issue generally support the principles based approach of the private sector provisions. It is the approach that best allows Australian businesses to adopt practices that are tailored to individual businesses while providing consumers with an assured level of protection[150].

It allows each business the opportunity to identify its own business practices and to apply the principles to them[151]. It provides adequate levels of privacy protection without imposing unnecessary compliance costs on business[152].

High level non-prescriptive principles, adequately supported by guidelines and information sheets, are the most appropriate way to meet the needs of individuals and businesses. A more prescriptive approach would increase compliance costs without necessarily delivering an improvement to the protection of individuals’ privacy[153]. The dangers of a more prescriptive system are that the system may be inefficient and/or unworkable in the many business circumstances in which it would apply and, needing ongoing amendment to keep up with technological change, would add to the confusion and compliance costs faced by business[154].

Some submissions offer qualified support for the principles. The Australian Chamber of Commerce and Industry (22), for example, agrees with the approach but says that the NPPs themselves are reasonably prescriptive, and that their content and the obligations they impose are onerous.

Principles may need some illumination

A few submissions want more than high level principles. They are concerned with what else is in place to illuminate the principles, or to support their operation in practice.

The Tenants’ Union of Queensland (69), for example, believes that more specific regulation of tenancy databases is required[155].

The members of a charitable organisation, St Vincent de Paul (117), experience a lack of certainty and need practical guidance on what is permitted and what is not.

6.2 Approved Privacy Codes

Law and policy

Codes, both industry and organisation, were intended to be a key feature of the privacy regime established by the private sector provisions. The aim of the legislation was, in the words of the then Attorney-General:

‘to encourage private sector organisations and industries which handle personal information to develop privacy codes of practice’ [156].

The Privacy Commissioner may approve a code if, and only if, the Commissioner is satisfied of specific matters listed in the Privacy Act. In deciding whether to approve a privacy code, the Commissioner may consider matters specified in guidelines issued by the Commissioner, if any[157]. Among the matters the Commissioner must be satisfied of is the requirement that the code incorporates all the NPPs or sets out obligations that, ‘overall are at least the equivalent’ of all the NPPs[158].

The Guidelines to the National Privacy Principles, developed by the Office, say that a code has to be reviewed every three years.

Codes are now legislative instruments under the Legislative Instruments Act 2003. They are not disallowable by the Parliament. As a legislative instrument, the decision to approve a code is not reviewable under the Administrative Decisions (Judicial Review) Act 1977. The decision not to approve one may be reviewable.

Issues

The issues paper noted that, despite the expectations at the time the legislation was passed, there have been very few applications for code approval. Only three codes have been approved, and three more are in the pipeline[159]. The issues paper listed possible reasons for the apparent lack of interest in developing codes and reasons why an industry or organisation might want to develop one. It also noted perceived inadequacies in the approval process. These include a lack of transparency and the failure of the Privacy Commissioner to publish reasons for approving a code. It suggested a number of possible topics for submission, including:

  • the value of codes
  • why there have been so few applications
  • the effectiveness of the code approval process and
  • ways of overcoming problems related to codes.

What submissions say - issues

Overview

Submissions from the three industry groups that have a code throw some light on the code development and approval process. Submissions from other industry groups and organisations, which generally support codes, consider the reasons why there are so few of them. Finally, two submissions from consumer groups consider them from the point of view of consumers.

Insurance Council of Australia

The Insurance Council of Australia (59) supports co-regulation through industry codes because it provides a desirable level of flexibility for business. It looks forward to undertaking its three yearly review of its code in 2005. However, it found the code approval process complex and highly prescriptive. This made it an expensive process, involving costs such as staff time, external legal costs for drafting, extensive consultation with industry, costs of reviewing versions of the Code, implementing compliance systems specific to the Code and, if applicable, fees to an independent code adjudicator.

Clubs Queensland

Clubs Queensland (96) sees its code as an important service to its members. It noted, however, that the code development process was extremely complex and costly because of the generic nature of the Code Development Guidelines issued by the Office. These required Clubs Queensland to consult not only members of clubs but the public generally. It fears that the review of its code will require a substantial administrative and financial commitment because of the complexity of the process and, if the cost is prohibitive, may tell its members to revert to the NPPs.

Association of Market Research Organisations and the Australian Market and Social Research Society

The Association of Market Research Organisations and the Australian Market and Social Research Society (61) state that most major research organisations operate within the framework of the approved industry code. They believe that, on the whole, the Privacy Act works well, providing research participants with appropriate privacy safeguards and helping the industry to differentiate itself from industries with less stringent protection practices.

Reasons why there are few codes

Business perspective

Most submissions from business support codes in principle. The Real Estate Institute of Australia (13), however, is ambivalent. It expresses concern about the multiplicity of government bodies seeking to use codes to regulate business, thereby shifting a heavy cost burden from government to industry. On the other hand, it believes there are benefits in industry playing a role in developing a code of conduct.

Other submissions from business suggest a variety of reasons why there are only three codes. The Australian Chamber of Commerce and Industry (22) states that the benefits to consumers of an organisation adopting a code, which it sees as a higher standard, do not outweigh the costs to the organisation. In any case, the NPPs are adequate and codes take some time to develop. Coles Myer (60) believes there are few codes because the NPPs work.

A number of submissions focus on the cost and complexity of developing a code. The Australian Direct Marketing Association (67) gives three reasons:

  • the approval process is more complex than had been anticipated
  • the requirement that codes embody a higher standard than the legislation discouraged organisations from developing and submitting codes and
  • advice from law firms favoured the ‘default option’ as less expensive and more resource efficient.

Several submissions say there is little point in developing a code. Privacy Law Consulting Australia (66) sees little benefit in developing and maintaining a code for the majority of organisations and industries. The Royal District Nursing Service (78) agrees, stating that:

‘It is of little or no benefit for an organisation to seek to prepare at its own significant cost and impose on itself a Code that must be of a standard of no less than that imposed under the current legislation.’

In the view of Telstra Corporation Ltd (110), codes will generally only be attractive to industries with specific requirements.

Consumer perspective

The Australian Privacy Foundation (90), whose submission is endorsed by the Consumers’ Federation of Australia (65), is not surprised there has been relatively little take up of the codes option by the private sector. In its view, there is little advantage to businesses in developing or adopting a code. The development and approval process is long and onerous, and the inclusion of a complaints handling process effectively privatises costs that would otherwise be borne by government. It is concerned that a proliferation of codes would further confuse the public and detract from privacy awareness building.

The Australian Consumers’ Association (ACA) (15) is also ‘not unhappy with’ the lack of enthusiasm of business for developing and adopting codes, having feared that a proliferation of poorly co-ordinated codes could fragment the regulatory landscape to an unacceptable degree. In its view, it would be far better to address the needs of the Office than to create a hothouse atmosphere to artificially encourage industry codes. The ACA also addresses the potential brand argument for codes. It does not see it as the role of regulation and regulatory processes to confer competitive advantage.

What submissions say – addressing the issues

Although codes have not proved as popular as might have been expected before the implementation of the private sector provisions, submissions show there is support for the concept. Certainly no-one suggests they should be abolished.

Most submissions that make recommendations focus on simplifying the process. The Insurance Council of Australia (59), for example, recommends that the capacity for co-regulation provided by codes should be retained; the approval process, however, should be made less complex and prescriptive. The Australian Direct Marketing Association (67) agrees that there is a continued role for codes in the privacy scheme and that the approval process should be simplified. Clubs Queensland (96) recommends that the requirements in relation to the operation and review of a privacy code be simplified.

Telstra (110) suggests, among other things, that the development of codes would be encouraged if the Privacy Act were amended to give the Commissioner a discretion to approve codes with privacy protections not equivalent to those under the NPPs where it was in the public interest to do so.

There was some support for the proposition that the Office should have the power to initiate the development of a code. The Australian Privacy Foundation (APF) (90) says that the Privacy Commissioner should be able to initiate a code. The Australian Bankers’ Association (70), on the other hand, specifically rejects this. The Investment and Financial Services Association Ltd (89) agrees, saying that it should rest with individual companies or the respective industry body[160].

The APF also makes a number of other suggestions:

  • codes should be disallowable instruments
  • the Privacy Commissioner should be required to make public a code proponent’s submission dealing with its public consultation process
  • the courts should be deemed to have notice of codes in the register kept by the Privacy Commissioner
  • the Privacy Commissioner should be able to review any decision of a code adjudicator.

Options for reform

Repeal code provisions

Since the implementation of the private sector provisions, there have been very few applications for approval of an industry or organisation code. This suggests that it may be appropriate to repeal the code provisions. On the other hand, as the value consumers place on their privacy increases and as industry bodies and organisations become more familiar with the notion of privacy, codes may come into their own.

Simplify the approval and review process

The legislation gives the Privacy Commissioner the power to approve a code. The processes for developing, approving and reviewing codes are in Office Guidelines. The Office has now had the experience of three years of the operation of the private sector provisions and is in a favourable position to review the Guidelines with a view to simplifying the processes without reducing code standards. Ensuring a code meets the equivalence test can be time consuming and costly both for the code proponent and the Office.

Modify equivalence requirement

The law could be amended to allow an industry or organisation, in developing its code, to provide for a lower level of protection in one area and maintain ‘equivalence’ by providing for a higher standard in another. This would give more flexibility in developing a code that met the needs of the industry or organisation while at the same time protecting the interests of consumers. On the other hand, it would make the Office’s oversight role more difficult and may be confusing for consumers. It could also add to the problems arising out of national consistency and undermine the technological neutrality of the NPPs.

Commissioner could give reasons for approving a code

The Privacy Commissioner’s discretion to approve a code is circumscribed by the legislation. There is a broad discretion, however, not to approve one. The legislation does not impose on the Privacy Commissioner an obligation to give reasons for a decision to approve a code, or not to approve one, although the Guidelines state that the Commissioner will give reasons for deciding not to. Improved accountability and transparency may require reconsideration of the issue. On the other hand, the scope of the Privacy Commissioner’s discretion is limited, and giving reasons for approval may well have resource implications for the Office.

6.3 Recommendation: Approved Privacy Codes

47. The Office will review the Code Development Guidelines dealing with the processes relating to code approval with a view to simplifying them.

6.4 Compliance costs

Law and policy

Compliance with the legislation involves a cost burden on organisations. There was the cost of implementing the legislation in the first place, including developing and reordering systems, developing policies and procedures and training staff. There are also ongoing costs. These include the costs of continuous training and the costs of complying with obligations, for example, informing individuals from whom personal information has been collected, seeking consent for use and disclosure of the information for secondary purposes and providing individuals access to their personal information.

Issues paper

The issues paper suggested possible topics for submissions, including:

  • impact on business of compliance with the provisions
  • whether the benefits of having a privacy law outweigh the costs to business and
  • ways of reducing any unreasonable costs imposed.

What submissions say

Costs are important

Not surprisingly, most submissions on the issue of costs come from business. The Australian Chamber of Commerce and Industry (22) says compliance costs are critically important to the business community and should be of concern to everyone because they are ultimately borne by the broader community. It goes on to say that there has been no significant research on the costs involved in complying with the private sector provisions and, as a result, policy formulation is done in a vacuum. It suggests that an in-depth study should be commissioned.

The Investment and Financial Services Association Ltd (89) says that its members report significant disruption and cost with the original implementation but relatively small ongoing compliance costs.

The Australian Consumers’ Association (15) has little sympathy for complaints about compliance costs. It goes on to say that it is difficult to conjure a vision of a more bare-bones privacy framework:

‘There is no required reporting and no mandatory recording. The [Office] has scant investigative powers and none of audit in the private sector . . . [The Act] sets out little more than reasonably sensible data management practice. The [Office] has no power to seek anything other than restitution and so has little capacity to impose direct cost on industry.’

Actual costs

Some submissions outline the steps taken by organisations to comply with the private sector provisions initially and on an ongoing basis, and the costs involved in compliance. The Insurance Council of Australia (59) lists the initial compliance steps:

  • developing privacy policies
  • incorporating the privacy policy into telephone sales scripts and e-commerce sales facilities
  • developing staff training modules and training existing staff
  • incorporating privacy laws into systems for administering contracts and managing claims
  • developing roles for staff allocated to privacy and developing the position of privacy officer
  • developing procedures for handling complaints and
  • developing procedures for handling requests for access.

The most costly aspect of implementation was the systems changes, estimated to cost $10-15 million for its members.

The steps involved in continuous compliance are:

  • annual printing of privacy policies
  • privacy disclosure in telephone sales (that is, the extra time spent on the telephone)
  • training new staff and refreshing existing staff
  • continuous improvement of systems
  • continuous employee costs of staff allocated to dealing with privacy
  • handling complaints and
  • handling access requests.

Costs include $1-2 million per annum for telephone sales, $300 000 to $500 000 per annum for staff training and between $5 000 and $50 000 for the handling of each dispute, depending on the complexity of the dispute.

One member of the Investment and Financial Services Association Ltd (IFSA) (89) spent $430 000 on initial implementation and spends $50 000 per annum on ongoing compliance costs. The company has had eight privacy complaints in the last 3 years. Another member of IFSA (89) spent $2.248 million on initial implementation costs.

At Coles Myer Ltd (60), more than 80 people were directly involved in the implementation program across the Coles Myer group. Coles Myer says a conservative estimate of costs in the lead up to the commencement of the provisions would be more than $300 000 in resource costs and systems development.

For the Suncorp Group (35), the set up and implementation cost was approximately $1.2 million.

Commerce Queensland (83) reports that for the National (National Australia Bank and MLC) the changes, which over a three year period cost about $28 million, included:

  • training
  • development and publication of notifications
  • numerous consultants
  • external legal advice
  • establishment of project team
  • technology changes and
  • establishment of the Australian Privacy Office (3 permanent full time staff).

State and territory legislation increases costs

A number of submissions focus on the additional compliance costs borne by national organisations that are subject to new and inconsistent state and territory health legislation.

The Australian Compliance Institute (16) and a confidential submission both say that the introduction of legislation by the states and territories has increased the compliance burden on business. As each state or territory introduces new legislation there is a new round of costs for businesses.

In the view of the Investment and Financial Services Association Ltd (89), State and Territory health records legislation, with its inconsistencies, results in increased compliance costs for its member organisations. The ANZ (40) says differing state and territory (workplace surveillance) laws add to compliance costs and complexity.

Costs and benefits

Most submissions from business focus on the costs of compliance rather thanthe benefits; some, however, acknowledge that there are benefits. Aconfidential submission says that the benefits are not commercial, butintangible, for example, increased standing with customers who becomeconfident that the business will deal ethically with their personal information.In a similar vein, Fundraising Institute Australia Ltd (52), states that thebenefits, community confidence and trust in the industry, outweigh the costs.Telstra (110) agrees:

‘The significant financial cost to Telstra in taking steps to comply with the Privacy Act has been offset by the value to Telstra of the improved systems and processes and from a brand perspective.’

Coles Myer Ltd (60) says that the costs outweigh the benefits to customers, while acknowledging that a simple cost benefit analysis fails to recognise the value of brand equity or public reputation, in which major companies invest heavily.

Change will involve more costs

A number of submissions note that even minor changes at this stage would involve significant costs. A confidential submission says that there is no justification for increasing the cost of compliance for business in this area. Virgin Mobile (Australia) Pty Ltd (26) wants the costs of changes to be weighed up against any perceived benefits. For Optus (98), it is important that the privacy regime is not changed lightly. Even seemingly minor changes can result in significant additional compliance costs for industry. Finally, Telstra (110) says that any significant changes to the NPPs are likely to increase the cost of compliance and that any changes resulting from the review should be kept to a minimum. Rather, the focus of the review should be on improving the operation of the existing regime.

6.5 Business awareness

Issues

The issues paper acknowledged that high level principles are less amenable to specific direction than a more prescriptive, rule based regime would have been. It noted that the Office has not made many determinations and that there had been few judicial decisions about the private sector provisions. It identified the Office’s role in promoting awareness as an issue to be considered. It suggested, among other things, as possible topics for submissions:

  • evidence about current levels of awareness
  • strategies for increasing awareness and
  • effectiveness or otherwise of the information prepared by the Office.

What submissions say

Overview

Most submissions that address the issue report a relatively high level of awareness of the private sector provisions and of compliance with them. Nevertheless, a number of submissions suggest ways of improving awareness and compliance. Some submissions identify particular contexts in which problems are caused by a misunderstanding of the provisions on the part of business.

Industry generally familiar with provisions

In the experience of Privacy Law Consulting Australia (66) there is a high level of compliance among large organisations as they have allocated resources and implemented policies, procedures and systems to ensure they meet requirements under the Act. There is a significantly lower level of compliance, however, among mid to small size organisations that are covered by the Act. Reasons for this include lack of awareness.

The Credit Union Services Corporation (64) is of the view that industry generally has become familiar with the NPPs and has developed relevant policies. Optus (98) states that Australian industry is committed to addressing privacy issues positively.

On the other hand, the Victorian Automobile Chamber of Commerce (113) found, in a survey of its members in 2002, that knowledge and understanding of information privacy laws was not as thorough as it would have liked. There was confusion as to which law (Commonwealth or State) applied to the business and whether privacy laws conflicted with other obligations, for example, occupational health and safety obligations.

Some problem areas

Bankruptcy

Submissions identify particular areas where a lack of knowledge of the provisions or a misunderstanding of the obligations they impose gives rise to problems. The Insolvency and Trustee Service Australia (25) says that a review of Part X of the Bankruptcy Act conducted in 2003 revealed a substantial level of misunderstanding about privacy obligations.

Some creditors suggested that the Privacy Act prevented them from giving information to the Trustee in Bankruptcy even though it might assist the Trustee’s administration of the estate. The Insolvency and Trustee Service recommends that more should be done to educate the private sector about appropriately using and disclosing personal information. In addition, public confidence in the personal insolvency system should be recognised as an important social interest to be balanced against an individual’s right to privacy.

Medical research

The National Health and Medical Research Council (32) also identifies misunderstanding of the provisions, rather than the provisions themselves, as a cause of confusion in the complex regulatory framework of medical research. It suggests that the Office should design and implement a structured education and communication campaign with the objective of improving stakeholder understanding.

Dealing with people with a disability

The experience of the Australian Guardianship and Administration Committee (114) is that there is significant room for improvement in how service providers interpret and apply privacy legislation, especially in relation to people with a disability and their families. It believes that frontline staff implement inflexible policies as to how the provisions should be interpreted and applied and that this gives rise to nonsensical and frustrating situations where common sense solutions should apply. The committee recommends that the Office should divert a significantly greater resource commitment to education and training and that it should publish an information sheet or good practice guide that emphasises the need for a common sense approach, particularly in situations that involve relatively minor issues.

Other

The Police Association (Victoria) (116) states that organisations are not fully conversant with the exemptions to the Act, in particular the law enforcement exemption[161].

How the Office could assist business

Some submissions suggest ways the Office could assist business in complying with its obligations. The Australian Direct Marketing Association (67), for example, suggests that the Office should review its communications strategies, particularly with key stakeholder organisations. Business would like to see, it says, effective and comprehensive reporting of rulings complete with the reasoning behind decisions[162].

The St Vincent de Paul Society (117) says that charities need clear, practicalguidelines.

The Australian Privacy Foundation (90) takes a different approach. It says consideration should be given to requiring:

  • significant personal data users to maintain a publicly available management plan
  • larger organisations at least to nominate a designated privacy contact officer for contact by the regulator and to publicise contact details and
  • larger or significant organisations to have to conduct and report on periodic audits.

Options for reform

Office should conduct a community awareness campaign about business obligations

There is no doubt that there is a degree of misunderstanding and confusion about the private sector provisions among some business sectors, especially small business. It is not only businesses that are covered by the Privacy Act, but businesses that are not, that are uncertain of their obligations. Many businesses, including those that are not covered by the Privacy Act, err on the side of caution in not disclosing personal information in circumstances where it is appropriate that it should be, for example, the amount owing on a utility bill to a carer who wants to pay the bill. The Office could address this gap in awareness.

Review Office information sheets

The Office has published a series of information sheets on a range of topics including codes, privacy obligations for Australian Government contractors and the application of the NPPs to due diligence and completion when buying and selling a business. The consultation process has identified ways in which some of them could be made more useful. There could be a thorough review of the Office’s information sheets with a view to amending them.

Review strategies for communication with stakeholders

The Commissioner takes advice from the Privacy Advisory Committee[163]. The Commissioner also invites people to participate in ad hoc consultative bodies for particular purposes. There is, for example, a reference group for this review. There are, however, other measures the Office could take to ensure it communicates effectively with stakeholders. One such measure could be to establish a privacy contact officer network for the private sector along the lines of the privacy contact officer network in the public sector.

Impose obligations on organisations to keep records and report

One way to ensure that organisations continue to fulfil their obligations under the NPPs is to impose obligations on them to appoint a contact officer for contact by the Office, to keep records and to report on their compliance. This could ensure more effective oversight of organisations by the Office. On the other hand, it is not consistent with the principles based approach of the private sector provisions.

6.6 Recommendations: Business awareness

48. The Australian Government should consider the benefits of greater business and community awareness of privacy and specifically fund the Office to undertake a systematic and comprehensive education program to raise business awareness.

49. The Office will review existing information sheets and develop information sheets on key issues identified in submissions.

50. The Office will develop strategies for communication with stakeholders, including establishing a privacy contact officer network for private sector organisations.

6.7 Small business exemption

Law and policy

Current law

Generally speaking, a ‘small business operator’, that is, a business that has an annual turnover of $3 million or less, is exempt from the operation of the private sector provisions. Some small businesses, however, must comply with the provisions. They are small businesses that:

  • are related to a business that has an annual turnover of more than $3 million
  • provide health services to people and hold health information about them
  • trade in personal information, for example, by buying or selling names and addresses for inclusion on a database, unless they do so with the person’s consent or
  • are contracted to provide services to the Australian Government.

In addition, a small business may voluntarily opt in to be covered by the provisions. Currently 130 small businesses have opted in to coverage.

Finally, the Government may prescribe small business operators, or acts or practices of small business operators, bringing them within the operation of the Act. To date this provision has not been used.

Rationale for the exemption

There are two main reasons for the small business exemption. First, many small businesses do not have significant holdings of personal information. They may have customer records used for their own business purposes; however, they do not sell or otherwise deal with customer information in a way that poses a high risk to the privacy interests of those customers[164].

Secondly, it is necessary to balance privacy protection against the need to avoid imposing unnecessary cost on small business[165].

Issues

The issues paper considered the operation of the small business exemption and suggested possible topics for submissions:

  • whether the exemption reduces the compliance burden on small business
  • whether the benefits of the exemption outweigh the disadvantages for business and for individuals
  • whether the provisions are clear about to whom the exemption applies
  • whether the $3 million or less threshold is still appropriate and
  • any other issues raised by the exemption and ways of overcoming them.

What submissions say

Overview

Submissions are roughly evenly divided between retention of the small business exemption and repeal. Submissions favouring retention generally come from businesses and business organisations. Submissions favouring repeal come from consumer groups and also from some businesses and a charity organisation. Some submissions that favour retention suggest that the definition should be changed.

Repeal the exemption

A number of submissions that favour repealing the exemption focus on the potential for confusing consumers. The Australian Consumers’ Association (15) says it raises serious practical difficulties for consumers who do not usually know what the annual turnover of a business is and therefore whether they can make a complaint or not. Electronic Frontiers Australia (51) notes that individuals are rarely in a position to know whether or not the business they are dealing with is a small business for the purposes of the Privacy Act since annual turnover is not usually published. As the Australian Privacy Foundation (90) says, there is no easy way for consumers to know the turnover of a business and therefore whether or not it is subject to the Privacy Act.

Fundraising Institute Australia Ltd (52) notes that not only is the exemption confusing, it has the potential to undermine public confidence about the protection of personal information. The Australian Direct Marketing Association (67) opposes exemptions that cause confusion in the minds of consumers and undermine confidence in the effectiveness of privacy protection.

Some submissions claim that some of the most privacy intrusive activities are performed by small businesses, even sole traders, including private detectives, debt collectors, internet service providers and dating agencies[166]. They also claim some, for example internet service providers, may hold significant personal information, including sensitive information[167].

Fundraising Institute Australia Ltd (52) says the costs argument is not enough to justify retention; and, in any case, says the Australian Consumers’ Association (15), the cost burden of compliance is not significant.

At the very least, in the view of the Australian Privacy Foundation (APF) (90), the core requirements should apply to all businesses, large and small:

‘The core requirements of the NPPs - being open about the use of personal information, handling it in accordance with reasonable expectations, and keeping it secure, should apply to all organisations. It would however be reasonable to exempt many smaller businesses from any formal requirements to take particular actions, in advance of enquiries’.

In the APF’s view, small businesses that collect and handle personal information for a purpose that is or should be obvious should not have to give specific notices under NPPs 1.3 and 1.5. They should, however, be required to answer enquiries (NPP 5) and give access and make corrections on request (NPP 6). They should be able to be held accountable after the event for their collection and use of personal information and for any data quality or security breaches.

Finally, the exemption costs the members of at least one industry organisation. The Australian Collectors Association, Institute of Mercantile Agents and Australian Institute of Credit Management (115) say that debt collectors who are contractually bound by their clients not to outsource to non-compliant companies must send city based staff to service regional areas. In their view, this forces up their costs to unreasonably high levels.

Retain the exemption

Most submissions that favour retaining the exemption do so on the basis of the costs argument, that is, that the costs of compliance would be too great for small business to bear.

Regulatory ‘red tape’ and compliance costs have a major detrimental effect on the viability of small businesses in Australia, according to the Real Estate Institute of Australia (13). The Victorian Automobile Chamber of Commerce (113) says that small businesses would be greatly disadvantaged if they had to comply with the private sector provisions as their competitiveness and profitability would be reduced. The Housing Industry Association Ltd (106) says that removing or diluting the exemption would impose unnecessary significant costs on small businesses in the housing sector, including the more than 350 000 independent contractors that work in the residential building sector.

Certainly there should be no change in the absence of a substantial body of evidence suggesting there is a problem, in the view of the Chamber of Commerce and Industry of WA (Inc) (77).

The Australian Chamber of Commerce and Industry (22) estimates that there are about one million businesses in Australia currently exempt and that the bare minimum costs of their establishing a simple privacy regime would amount to a total of $2.4 billion, or about 0.3 per cent of gross domestic product.

Change the definition of small business

Some submissions suggest changing the definition of small business for the purpose of the exemption. The Australian Information Industry Association (43) suggests changing it to that used by all governments to describe small and medium enterprises. The Association of Market Research Organisations and the Australian Market and Social Research Society (61) note that the current definition is at odds with that used by the Australian Bureau of Statistics and the Australian Taxation Office.

A number of submissions favour retaining turnover as the basis of the definition but say it should be increased to $5 million[168].

Other submissions consider focussing on the level of risk. The Communications Law Centre (72) suggests including within the operation of the Act industries that pose a particular risk. It identifies the internet/e-commerce sector as one where small internet businesses are able, through the use of privacy invasive technologies, to collect efficiently and easily a large amount of personal information about many individuals.

The Consumer Credit Legal Centre (NSW) Inc (62) and the Consumers’ Federation of Australia (65) nominate telecommunications and finance as industries once dominated by large companies but now including many small businesses.

In the view of Electronic Frontiers Australia Inc (51), at the very least, all small businesses involved in the telecommunications and internet services sector must be required to comply with the NPPs. It says there are two reasons for this. First, the limited privacy protection provisions of the Telecommunications Act do not cover the collection of personal information at all. Secondly, individuals have less control and fewer rights in relation to the collection, use and disclosure of their personal information by small businesses in the telecommunications sector than they did before December 2001, when the ACIF industry code, containing substantially the same provisions as the NPPs and enforceable by the Australian Communications Authority, was deregistered by the Authority. That code did not contain a small business exemption.

Other issues

Some submissions raise other issues relating to the small business exemption. The Consumer Credit Legal Centre (NSW) Inc (62) points out that a debtor who borrows money from a large financial institution that is covered by the private sector provisions may find himself or herself dealing with a debt collector who, being a small business, is not. The privacy protection he or she may have expected when entering the loan may no longer exist.

Privacy Law Consulting Australia (66) fears that it is possible that small businesses that are not bound by the Act may give the impression that they are by having a privacy statement, perhaps on their website, to the effect that: ‘We comply with the Privacy Act’. To avoid confusion, it may be desirable to require such a business to state that it is not bound by the Act, but that it chooses to comply with it.

In the view of Telstra Australia Ltd (110), which ensures compliance on the part of its small business contractors by contract, the voluntary opt-in for small business should be better promoted.

Options for reform

Retain the exemption as is

The main argument in favour of retaining the exemption is that the cost of compliance for small business would be too great if the exemption were abolished. It could also be argued that any change is likely to result in increased compliance costs. There does not appear to be evidence of large scale misuse of personal information by small businesses as a whole such as would warrant the removal of the exemption.

Abolish the exemption

The main reasons for abolishing the exemption are its capacity to confuse consumers and the fact that it does not differentiate adequately between those businesses that hold significant personal information and those that do not. On the other hand, as many small businesses do not hold much personal information, it would in fact make little difference to them. Nevertheless, small business may find the costs of implementation and the additional red tape unduly burdensome. Finally, the exemption is a barrier to EU adequacy.

Retain the exemption and change the threshold

There is no apparent reason why the threshold should be a turnover of $3 million. Similarly, there are no compelling policy reasons why it should be increased or decreased. The turnover criterion has been criticised as being meaningless for consumers and as an irrational indicator of size. It is not commonly used as a way to define small business.

Retain the exemption and change the definition

A business’s annual turnover is not generally known. The Australian Bureau of Statistics (ABS) defines small business (excluding agricultural businesses) as businesses with fewer than 20 employees. Although arbitrary, a definition of small business in terms of the number of employees rather than annual turnover may be more easily understood by consumers and other interested parties. If the definition is expressed not as a particular number of employees but by reference to the definitions used by the ABS from time to time, the need to amend the Act each time the ABS definition is changed is avoided.

Impose core requirements of NPPs on small businesses

A small business holding very little personal information is still able to use or disclose it in a way that causes significant damage to an individual. The exemption could be modified to impose the core requirements of the NPPs on all businesses and to exempt small businesses from the others. They would be accountable for their actions only in the event of a complaint. This would add to the compliance burden of small businesses, but it would not be as onerous as if the exemption were removed completely.

Retain the exemption and include high risk sectors within the operation of the Act

It is sensible and consistent with the policy underlying the Act to include within the operation of the private sector provisions small businesses that belong to high risk sectors, in that they handle a lot of personal information, including sensitive information, and give rise to a lot of complaints. To date, the evidence suggests telecommunication service providers and tenancy databases are such sectors.

There are two means by which small businesses that are in a high risk sector could be included: by amending section 6D(4), or by the Attorney-General using the power to prescribe the sectors under section 6E.

The use of the power to prescribe by regulation avoids amending the Act and sets a precedent for the inclusion of other sectors that may become high risk. The power has always existed. It has not yet been used but it was envisaged that the Attorney-General would use it in appropriate circumstances to bring into coverage under the Act industries and organisations that collect and use a lot of personal information.

Remove the consent provision

Small businesses that trade in personal information are not exempt from the operation of the Privacy Act. If, however, the individual consents to the collection or disclosure of the personal information, then the business remains a small business and is exempt[169]. This is clumsy and complicated. There is a considerable lack of certainty for small businesses that trade in personal information because it is not clear whether only a single failure to gain consent would change the status of the organisation. The provision could be removed.

6.8 Recommendations: Small business exemption

51. The Australian Government should consider retaining but modifying the small business exemption by amending the Privacy Act so that the definition of small business is expressed in terms of the ABS definition, currently 20 employees or fewer, rather than annual turnover.

52. The Attorney-General should consider using the power to prescribe under section 6E of the Privacy Act the tenancy databases and telecommunications sectors, including Internet Service Providers and Public Number Directory Producers, as businesses to be covered by the Act. (See recommendations 9 and 15.)

53. The Australian Government should consider amending the Privacy Act to remove the consent provisions (sections 6D(7) and 6D(8)).

6.9 Private sector contracting

Law and policy

Many organisations outsource some of their functions or activities. Some of these may involve handling personal information, including sensitive information, collected by the organisation. It might, for example, include health information. There is no clear obligation in the NPPs (unlike the IPPs) that would require the organisation to ensure that the contractor uses the personal information only for the purposes for which it is given and keeps it secure.

The contractor may not itself be bound, for example, if it is a small business. It may not be clear to consumers that they are dealing with a contractor because organisations often prefer the contractor to identify itself under the organisation’s corporate name. The Privacy Act does not make any specific provision for a contractor to be regarded as acting as an agent for the organisation it is providing services for. It is generally regarded as a separate entity. This means the contractor collects personal information from the organisation, which discloses it to the contractor.

Issues

The issues paper noted that as the Privacy Act does not provide for the existence of an agency relationship between an organisation and a contractor, the contractor needs the consent of each individual to collect sensitive information, for example, health information, from the organisation. Similarly, a contractor that is collecting information for an organisation to which it has contracted its services may need to identify itself under NPP 1.3 as being a separate organisation, and may need to get the consent of the individual from whom it is collecting sensitive information to disclose the information to the organisation on whose behalf it is collecting it. The issues paper suggested possible topics for submissions:

  • adequacy of the private sector provisions in protecting individual privacy where organisations contract out their functions or activities
  • impact of the provisions on businesses when they contract out functions or activities that involve handling personal information, particularly sensitive information and
  • ways that issues that arise might be resolved.

What submissions say

Existing regime is working

Some submissions say that the existing regime is working and that no amendment is needed. Telstra Corporation Ltd (110), for example, says that any uncertainty has been addressed through guidelines and information sheets. Vodafone Australia Ltd (112) says that potential problems are dealt with by using contracts to bind service providers to comply with privacy law. It does not want this way of ensuring privacy obligations are complied with restricted in any way.

Distinction between data controllers and data processors

A number of submissions outline the ways they use contractors. The Australian Direct Marketing Association (ADMA) (67) says, for example, that it is extremely commonplace in nearly all industry sectors for organisations to engage a third party service provider or outsource agency to conduct a business operation on their behalf. It is also commonplace for a third party contractor or outsource agency to require access to an organisation’s customer records and other personal information in order to perform such operations. The outsourced activities may include:

  • engaging a mailing house, call centre or email/SMS service provider to distribute communications
  • engaging data quality, data enhancement or analytical services and
  • contracting a company to undertake data storage functions.

In ADMA’s view, it is unduly onerous to impose the collection and disclosure requirements on both the organisation and the service provider. It is also unnecessary because one is merely performing an operation or processing data on behalf of the other. They should not continue to be regarded as two separate entities for the purposes of the NPPs. Instead, the European Union approach, which recognises the distinction between an organisation, a ‘data controller’, and a third party service provider, a ‘data processor’, should be adopted.

This distinction is made by a number of submissions, including the Law Council of Australia (36) and the Australian Information Industry Association (43). A confidential submission notes that there is confusion as to whether each contractor, as well as the principal organisation, should disclose its name and function to an individual who is providing personal information. All three submissions recommend that the distinction should be recognised to allow business to achieve its objectives efficiently.

Relationship of principal and agent

Some submissions approach the issue from an agency law perspective. These include the Australian Finance Conference (63) and Optus (98). The Australian Finance Conference, for example, takes the view that the law of agency makes unjustifiable the conclusion that when an organisation discloses information to a third party contractor it is ‘disclosing’ to a separate ‘organisation’. In its view the reference in the Office’s Information Sheet 8 - Contractors to a ‘particularly close relationship’ encompasses the principal/agent relationship. In any case, its members have established their compliance programs on this basis and would oppose moves to change this accepted understanding. On that basis, it recommends that there be no change to Information Sheet 8.

Promina (34) takes a narrow view of Information Sheet 8 – Contractors. It describes the circumstance where an insurer paying claims may decide to outsource its cheque printing process to a third party. Strict contractual provisions prohibit the contractor from using the personal information for any purpose other than to produce the cheques. In Promina’s view, Information Sheet 8 – Contractors should be amended to support the position that there need be no further privacy disclosure in such a case.

Options for reform

Amend NPP 4

NPP 4 requires an organisation to take reasonable steps to protect personal information it holds. It does not deal specifically with what should happen when information is given to a contractor. IPP 4 does. It requires the organisation to ensure ‘everything reasonably within the power of the record-keeper is done to prevent unauthorised use or disclosure’. NPP 4 could be amended to strengthen it in line with IPP 4. This would place on the disclosing organisation the obligation to ensure that the contractor protects the information. It addresses the problems that arise when a contractor subcontracts to a small business that is not covered by the Act.

Business should ensure contract imposes relevant obligations on contractors

One way an organisation can ensure that a contractor protects the personal information the organisation has given it for the purposes of performing an operation on behalf of the organisation is to impose the obligations by contract. The Office could amend its Guidelines to this effect.

Amend Information Sheet 8

There seems to be some confusion as to what exactly Information Sheet 8 – Contractors means. The Office should amend it to clarify issues relating to private sector contracting.

Distinguish data controller and data processor

The private sector provisions could be amended to distinguish between data controllers and data processors and to amend the NPPs accordingly. This would overcome the particular issue but would have an impact on the operation of the Privacy Act.

6.10 Recommendations: Private sector contracting

54. The Australian Government should consider amending NPP 4 to impose an obligation on an organisation to ensure personal information it discloses to a contractor is protected.

55. The Australian Government should consider, in the context of the wider review of the Privacy Act (see recommendation 1), whether there should be a distinction between data controllers and data operators.

56. The Office will amend the Guidelines to the National Privacy Principles to clarify that businesses that give personal information to contractors for the purpose of performing a function on their behalf should impose contractual obligations on the contractor to take reasonable steps to protect the information.

6.11 Due diligence on sale or purchase of business

What is due diligence?

‘Due diligence’ is the term used to describe the process that a prospective purchaser of a business undertakes to assess the value of a business’ assets and liabilities. The due diligence process may involve the disclosure and collection of a number of different types of personal information including:

  • employee information
  • customer information
  • information about trading partners and business associates and
  • marketing files.

Information Sheet 16

As a result of inquiries from organisations buying and selling businesses and engaging in due diligence processes, the Office published Information Sheet 16 Application of key NPPs to due diligence and completion when buying and selling a business. Information Sheet 16 advises buyers and sellers about complying with their obligations under the Privacy Act.

A vendor organisation:

  • cannot disclose personal information unless the disclosure is permitted under NPP 2 and
  • must consider the requirements of NPP 4 (data security) when personal information is disclosed and conduct the sale in a way that reasonably protects the privacy of the individuals whose personal information has been disclosed.

A prospective purchaser organisation:

  • must consider its obligations in relation to the collection of personal and sensitive information (NPP 1 and NPP 10) and
  • must be aware that there may be limitations on how it can use and disclose that information (NPP 2) and that it may need to comply with reasonable restrictions imposed by the vendor organisation.

Issues

The issues paper suggested that it may be difficult to determine how the NPPs apply to the disclosure of personal information during the course of due diligence.

‘Depending upon the nature of the business being sold, due diligence may involve disclosure of personal information about key employees or even sensitive information, for example, health information, about employees or clients’.

What submissions say

Few submissions address the issue of due diligence in the buying and selling of a business. There have been no complaints to the Office about a breach of privacy during a due diligence process. Two submissions address the content of Information Sheet 16. The Insurance Council of Australia (ICA) (59) notes that the relationship between the vendor and the purchaser in the Information Sheet is somewhat artificial and that, in reality, business practice requires extensive amounts of information, including personal information, to be divulged between the parties.

The ICA suggests that Information Sheet 16 consider and address the following issues:

  • the requirements for the transfer of personal information which are required or authorised by law during a sale and purchase of a business and
  • the disclosure of large amounts of personal information is vital for a purchaser to make a decision on price and financial viability.

A confidential submission suggests that Information Sheet 16 should consider the issues one would consider when transferring (as opposed to buying) a portfolio of business, such as when a portfolio of insurance business is transferred from one insurer to another.

Options for reform

Amend NPPs to take account of due diligence

Businesses are bought and sold. Businesses that hold sensitive personal information are bought and sold. Due diligence occurs. It may be technically a breach of the NPPs. The key NPPs are NPPs 1, 2 and 10. The buying and selling of medical practices or insurance companies, for instance, which requires the transfer of sensitive health information, would require consent under NPP 10, unless one of the other exceptions in NPP 10.1 applied, for example, the transfer is required by law. It is not practical, and may not be possible, to require an organisation in the process of due diligence to gain the consent of everyone whose personal information is transferred. The relevant NPPs could be amended to take into account the practical realities of due diligence.

Amend Information Sheet 16

Some submissions have made suggestions as to how Information Sheet 16 might be clarified. The issue is complex and the information published by the Office should be as clear and as comprehensive as possible.

6.12 Recommendation: Due diligence

57. The Australian Government should consider amending the NPPs to take into account the practice of due diligence.

7 Balancing individual rights and other social interests

7.1 Media exemption

Introduction

One of the competing social interests identified in the private sector provisions is the free flow of information. One of the ways the legislation promotes the free flow of information is to exempt the acts and practices of media organisations in the course of journalism from the application of the provisions[170]. This exemption applies where such a media organisation is publicly committed to observing published standards that deal with privacy in the context of the activities of a media organisation.

Law and policy

Privacy Act

‘Media organisation’ is defined under section 6(1) of the Privacy Act. The term refers generally to organisations whose activities consist of or include the collection, preparation for dissemination or dissemination of news, current affairs, information or documentaries.

The media exemption is outlined in section 7B(4) of the Privacy Act:

(4) An act done, or practice engaged in, by a media organisation is exempt for the purposes of paragraph 7(1)(ee) if the act is done, or the practice is engaged in:

(a) by the organisation in the course of journalism; and

(b) at a time when the organisation is publicly committed to observe standards that:

(i) deal with privacy in the context of the activities of a media organisation (whether or not the standards also deal with other matters); and

(ii) have been published in writing by the organisation or a person or body representing a class of media organisations.

Although it is not strictly part of the media exemption, it is worth noting that journalists are also exempt from revealing their confidential sources. Section 66(1A) states:

For the purposes of subsection (1B), a journalist has a reasonable excuse if giving the information, answering the question or producing the document or record would tend to reveal the identity of a person who gave information or a document or record to the journalist in confidence.

Broadcast Media

Under the Broadcasting Services Act 1992, the industry group representing licensees in each section of the broadcasting industry is responsible for developing a code of practice applicable to that section. Privacy provisions are included in these codes of practice[171]. The Australian Broadcasting Authority (ABA) (19) submits:

‘while the privacy provisions vary somewhat across the various broadcasting codes, all reflect the core principle which underlays media regulation in Australia and internationally, i.e. that use of private material in broadcasts has to be warranted in the public interest’.

The industry codes are developed in consultation with the Australian Broadcasting Authority (ABA) and, once approved, are included on the ABA’s Register of Codes. The ABA includes on this Register codes that are endorsed by a majority of industry, provide adequate community safeguards and provide adequate opportunity for public comment.

The ABA has created a draft set of guidelines dealing with privacy issues. A number of other privacy related laws which broadcast media organisations must adhere to are set out in Attachment A Appendix 1 to the Australian Broadcasting Authority submission (19).

Enforcement

The ABA may impose a licence condition requiring a broadcaster to comply with a code of practice[172]. Failure to comply with a licence condition is an offence under section 139 of the Broadcasting Services Act 1992. In addition to this, the ABA can impose program standards that apply to all broadcasters in a sector where the code of practice has failed to provide appropriate community safeguards[173].

Print media

Print media in Australia is regulated by the Australian Press Council. The Australian Press Council is a self-regulatory body that deals with print media, including all commercially available newspapers and magazines and the internet sites of its publisher members within Australia. It was established in 1976 with two main aims:

  • to preserve the traditional freedom of speech, and of the press, within Australia by keeping a watch on developments which could threaten such freedoms and
  • to ensure that the free press acts responsibly and ethically, by providing a forum to which anyone may take a complaint concerning the press.

The Australian Press Council consists of 21 members, representing the publishers, journalists and members of the public, and is chaired by an independent Chairman.

Principle number three of the Australian Press Council principles deals with privacy. It states:

‘Readers of publications are entitled to have news and comment presented to them honestly and fairly, and with respect for the privacy and sensibilities of individuals. However, the right to privacy should not prevent publication of matters of public record or obvious or significant public interest’[174].

Enforcement

The Secretariat of the Australian Press Council takes a mediative approach to dealing with complaints with a focus on non-legalistic, accessible and informal processes. If asked to adjudicate, the Australian Press Council holds a hearing of its Complaints Committee, which always has a majority of Public Members, and which makes a recommendation to the Council. The Australian Press Council has no punitive power beyond that of announcing its findings. Its authority stems from the willingness of publications to admit mistakes publicly by printing all adjudications arising from complaints against them. The Australian Press Council’s website states:

‘The industry takes the Council seriously. The proprietors voluntarily finance the Council’s operations and co-operate with it in mediating and processing complaints. An overwhelming majority of adjudications is published prominently’[175].

Issues

The issues paper noted that the wording of the media exemption is broad and undefined, is unspecific in relation to the level of standards to which a media organisation must commit itself, and has no requirement that there be a means of enforcing such standards. Another concern raised was that the terms ‘in the course of journalism’ and ‘media organisation’ are yet to be the subject of judicial consideration. The issues paper noted, however, that the Office has received few enquiries or complaints involving media organisations or journalistic activities and suggested that the current exemption may therefore strike an appropriate balance between privacy and the desirable free flow of information.

In particular, the issues paper asked:

  • whether the operation of the media exemption is striking the appropriate balance between the free flow of information and individual privacy
  • whether the current formulation of the media exemption covers the right organisations and the right activities and
  • measures to address any issues that are arising in relation to the media exemption.

What submissions say – issues

A small number of submissions comment on the media exemption. Of these about half report that they either support the exemption or are comfortable with it[176]. The majority of submissions that raise concerns about the media exemption are from health organisations.

Inappropriate reporting of health information

The Australian Medical Association (AMA) (29) argues that the media has a significant capacity to violate privacy and cause harm to patients and should be regulated in a stronger way. It cites a real example of a privacy violation caused by a media organisation reporting on the admission of a person to hospital for psychiatric care:

‘The media invasion of a particular (psychiatric) facility in Sydney severely disrupted the delivery of clinical care and resulted in other patients avoiding admission because they were concerned about the risk of being photographed by reporters covering the story’.

The AMA argues that an appropriate balance is not met by the current exemption. It argues that at present, public curiosity is afforded greater protection than an individual’s right to privacy.

The Mental Health Privacy Coalition (58) echoes the concerns raised by the AMA and requests that media be able to report only limited information about an individual’s healthcare. The Mental Health Privacy Coalition argues that if an individual’s information is of importance to the public interest, the media should apply for permission from the Privacy Commissioner to report on such matters.

St John’s Ambulance Service Australia (97), while acknowledging the balance between informing the public and respecting privacy is difficult to achieve, expresses its concerns with the media’s access to, and reporting of, information from coronial hearings. It states that occasionally inaccurate reporting causes unnecessary distress to people involved in coronial hearings as well as raising ‘undue alarm amongst the public’.

Inadequate enforcement

The ABA (19) submission states that it lacks appropriate sanctions (what it calls middle range sanctions) that would allow it to actively enforce the privacy provisions in broadcasting codes of practice. When a breach occurs, the ABA is limited to informing the media organisation and extracting commitments from broadcasters about code training and disseminating the ABA’s breach findings amongst staff. The ABA (19) also states it has found a pattern of repeat offending privacy related breaches in commercial television (though no pattern existed in radio).

The Australian Privacy Foundation (90) criticises the Australian Press Council and Broadcast Media codes. The Australian Privacy Foundation (90) argues that the codes only pay ‘lip service’ to privacy and are ‘widely regarded as ineffectual’.

FreeTV Australia (46) argues that the industry codes of practice are specifically designed to balance the media’s role of informing the public about matters of public interest and protecting individual privacy. FreeTV Australia (46) actively argues in favour of maintaining the media exemption. It states:

‘the Australian media are subject to a wide range of Federal and State laws which provide protection against inappropriate or unfair means of gathering or disclosing personal information and images. These include the laws of trespass, nuisance, breach of confidence, defamation, malicious falsehood, contempt, the use of listening devices and the myriad of laws restricting reporting of specific matters such as national security, adoption, juries, and particular court proceedings’.

Exemption is too broad

The Australian Privacy Foundation (APF) (90) argues that the media exemption is too broad and could effectively be claimed in relation to any information that is ‘published’. While the activity must be ‘in the course of journalism’ to qualify for the exemption, the fact that ‘journalism’ is not defined adds to this criticism. It goes on to argue that the exemption should be narrowed to focus on the public interest role of news and current affairs and that the media exemption should only apply when:

(a) the privacy standard is ‘a bona fide attempt to protect privacy from media intrusions (assessed as such by an independent arbiter)

(b) is enforced in some effective way and

(c) is generally observed by the media organisation’.

Criticism is also levelled at the requirement in the exemption for a media organisation to commit to a published media code of practice. The APF (90) expresses dissatisfaction with this provision arguing:

‘As there are no criteria for these standards, or provision for review of them, the condition is effectively worthless… Current industry self-regulation – including the Press Council and broadcast media codes of practice, only pay lip service to privacy and are widely regarded as ineffectual’.

The APF (90) disputes the fact that the low level of complaints and enquiries received by the Office indicates a general satisfaction with the media exemption, suggesting instead that the low level of complaints and enquiries is better explained by:

‘a widespread and correct view that media are effectively above the law in relation to privacy – unless individuals have the resources to pursue defamation or other common law actions’.

Other issues

The exemption applies if a media organisation is publicly committed to observe standards that deal with privacy (section 7B(4)(b)(i)). In interpreting this provision, it is uncertain whether the Privacy Act enables the Commissioner to determine whether a code provides adequate protection or not.

Options for reform

Remove exemption

Although there are concerns that the media can be intrusive, there is a general recognition that sometimes these intrusions may be justified in the public interest. All submissions recognise that the media has an important role to play in informing the public. The Office also notes that it receives very few enquiries and complaints about media organisations. There is a strong public interest in having a free flow of information. Given there is no strong evidence that there are major concerns about the way the exemption is operating, removing the exemption would appear to be unnecessary.

Clarify whether the Privacy Commissioner can decide whether or not a standard deals adequately with privacy

The media exemption applies when a media organisation ‘is publicly committed to observe standards that deal with privacy in the context of the activities of a media organisation’[177]. It is not clear if this section enables the Commissioner to decide whether or not the standard deals with privacy in an adequate way in the course of establishing whether or not a media organisation is publicly committed to a standard.

This provision could be amended to establish criteria by which the Privacy Commissioner could measure whether the standards adequately ‘deal with’ privacy.

Define the meaning of ‘in the course of journalism’, and clarify the meaning of ‘media organisation’

The media exemption applies ‘if the act is done, or the practice is engaged in by the organisation in the course of journalism’[178]. The Privacy Act does not define the meaning of the term ‘in the course of journalism’. In order to ensure the exemption focuses on news and current affairs, as is in the public interest, the term ‘in the course of journalism’ could be defined and the broadly defined term ‘media organisation’ could be clarified.

Greater guidance

The Office could work with the ABA and media bodies to provide more definitive guidance to media organisations on appropriate levels of privacy protection in privacy standards for media organisations, and how to implement such standards. Greater guidance could be given to ensure that the media sector is aware that the media exemption is not a blanket exemption. Rather, the exemption applies only if the media organisation is publicly committed to observing a privacy code that is published in writing by the organisation.

Require media bodies to consult with Privacy Commissioner when developing codes

Currently, it is not clear that the privacy standards developed for the media are adequate or whether the standards are being implemented. Concerns have also been raised in relation to how health information and especially mental health information is reported. There is particular concern that patients will avoid seeking mental health treatment for fear of the media attention they may attract. It is far less likely that the public interest in having a free flow of information will outweigh a person’s right to privacy when it comes to the reporting of health information.

The Privacy Act (and/or the Broadcasting Services Act) could be amended to require the ABA and media bodies to consult with the Privacy Commissioner when developing a code or guidelines dealing with privacy. Requiring media regulators such as the ABA, and media bodies, to work with the Office when developing codes would ensure that media organisations are committed to standards that adequately deal with privacy. Such codes could provide guidance on how media organisations report on matters such as health information.

7.2 Recommendations: Media exemption

58. The Australian Government should consider amending the Privacy Act so that:

  • the Australian Broadcasting Authority (ABA) and media bodies must consult with the Privacy Commissioner when developing codes that deal with privacy and
  • the term ‘in the course of journalism’ is defined and the term ‘media organisation’ is clarified.

59. The Office will, in conjunction with the ABA, provide greater guidance to media organisations as to appropriate levels of privacy protection, especially in relation to health issues, and make organisations aware that the media exemption is not a blanket exemption.

7.3 Medical research

Law and Policy

There is a social interest in enabling medical researchers to have access to health information in certain circumstances. The Privacy Act is not intended to restrict important medical research. While health information, being sensitive information, is generally afforded extra protection under NPPs 2 and 10, the NPPs recognise the desirability of medical research by enabling health information to be collected, used and disclosed in certain circumstances without consent. Where health information is being collected, used and disclosed for the purpose of research, provided certain criteria are met, the NPPs enable such research to proceed.

NPPs

The relevant NPPs in this context are NPP 2.1(d), NPP 10.3 and NPP 10.4. In limited circumstances, NPP 2.1(d) allows uses or disclosures of health information for research purposes, or for the compilation or analysis of statistics, without consent, where these activities are relevant to public health or public safety. That is, the research must be about, or the statistics related to, public health or safety. Health information may be used or disclosed without consent for these purposes, only if:

  • the activities cannot be undertaken with de-identified information and they are relevant to public health and safety
  • seeking consent is impracticable
  • the activities are carried out in accordance with guidelines that are developed by the National Health and Medical Research Council (or a prescribed authority) and are approved by the Privacy Commissioner, and
  • for disclosure - the health service provider reasonably believes that the organisation to which they disclose will not further disclose the health information or any personal information derived from it.

Under NPP 10.3, an organisation may collect health information about an individual if the collection is necessary for:

  • research relevant to public health and safety or
  • the compilation or analysis of statistics relevant to public health or safety
  • the management, funding or monitoring of a health service and
  • where collection of information that does not identify the individual cannot be obtained.

In such instances, the information must be collected:

  • as required by law or
  • in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation or
  • in accordance with guidelines approved by the Commissioner under section 95A.

If an organisation collects information under NPP 10.3, then it must take reasonable steps to permanently de-identify the information before it discloses it (NPP 10.4).

The Office has an information sheet on handling health information for research and management[179].

Section 95A guidelines

Guidelines approved by the Privacy Commissioner under s 95A of the Privacy Act 1988 have been developed by the National Health and Medical Research Council (NHMRC)[180]. In approving the guidelines the Commissioner must apply a public interest test[181].

The guidelines provide a framework to ensure privacy protection of health information that is collected (under NPP 10.3), or used or disclosed (under NPP 2.1(d)) in the conduct of research and the compilation or analysis of statistics, relevant to public health or public safety, and in the conduct of health service management activities. Under the guidelines, Human Research Ethics Committees (HRECs) are required to approve research or statistical activities that involve the collection, use or disclosure of identifying health information, and health service management activities that involve the collection of identifying health information.

In line with NPP 10.3, the guidelines only require HREC approval where the activity is to be conducted without consent from the individual concerned. A HREC may only approve such research where it determines that the public interest in the proposed research, statistical or health service management activity substantially outweighs the public interest in the protection of privacy.

The NHMRC has also developed a National Statement on Ethical Conduct in Research Involving Humans (1999) which it is currently reviewing.

What submissions say - issues

Complexity of privacy regime

Submissions, including the Australian Department of Health and Ageing (99), the National Health and Medical Research Council (NHMRC) (32), the Australian Academy of Science (119) and University of Adelaide (28), point to the complexity of the privacy regime in Australia, including both within the Privacy Act and between Commonwealth and state legislation, and the impact this is having on health and medical research. They say, for example, that the co-existence of the NHMRC’s section 95 (public sector) and section 95A (private sector) guidelines and the interaction between the IPPs and the NPPs has created some confusion for researchers and consumers. They also say that interpretation and implementation of Commonwealth and state privacy legislation is compromising individually and publicly beneficial research and health care. Problems include that private sector organisations are making incorrect decisions and adopting a highly conservative approach to privacy compliance[182]. The NHMRC (32) says:

‘There is evidence that legitimate and ethical activities (which in some cases are vital to the quality provision of health care or the conduct of important health and medical research) are being delayed or proscribed because some key decision-making bodies are unable to determine, with sufficient confidence, whether specific collections, uses and/or disclosures of information accord with legislative requirements. The adoption of a highly conservative approach is resulting in excessive administrative effort and a reluctance to approve the legitimate use and disclosure of health information for the purposes of health care, as well as health and medical research.’

The Australian Nursing Federation (127) says that collection of data for health data registries, including the national asbestosis registry, is being impeded by individual organisations’ interpretation of the Privacy Act.

On the issue of the interaction between section 95 and section 95A guidelines, the NHMRC (32) says:

‘In particular, the differing requirements of Sections 95 and 95A are inconsistent and confusing. Their application to similar projects in different settings can result in different outcomes, without any apparent policy rationale’.

Inconsistencies between the two sets of guidelines include that while section 95 guidelines apply to proposals by an agency to collect, use and disclose for ‘medical research’, the section 95A guidelines, which apply to private sector organisations, refer to:

  • proposals by an organisation for the collection, use and disclosure of health information for the purposes of research or the compilation or analysis of statistics, relevant to public health or public safety and
  • proposals for collection by an organisation of health information for the purposes of management, funding or monitoring of a health service.

The NHMRC (32) says that there is no obvious rationale for these differences to exclude non-medical research by agencies from consideration under section 95 guidelines and medical research that is not relevant to public health or public safety from consideration under the section 95A guidelines.

The Department of Health WA (101) raises another inconsistency in relation to quality assurance and audit activities. It says that NPP 10.3(a)(iii) provides for collection, but not disclosure, for management, funding or monitoring activities and that it should allow for disclosure for this purpose as well.

University of Adelaide (28) comments on the need to involve up to 10 national, state and other ethics research committees in national research proposals.

When consent needed

The NHMRC (32) points to the inconsistency between the NHMRC National Statement on Ethical Conduct of Research Involving Humans (the Statement) and the Privacy Act, particularly in relation to when it might be appropriate to dispense with consent. The NPPs appear to be narrower in that they confine the circumstances in which consent can be dispensed with to when it is ‘impractical’ to obtain it. The Statement permits epidemiological research in broader circumstances, including where getting consent would cause ‘unnecessary anxiety’ or where the scientific value of the research would be prejudiced.

A number of other submissions also say that the circumstances where consent can be dispensed with are too narrow[183].

Gaps and problems within NPPs

Slow up research

A number of submissions, for example, University of Adelaide (28) and theAustralian Psychological Society (103) say that the private sector provisionshave made the process of undertaking research more difficult. They say thatthey slow down the approval process and have an impact on gaining accessto, and collecting, data.

General research

The AMA (29) and the South Australian Department of Health (95) point to theneed to broaden the kind of research the NPPs cover. For example, theSouth Australian Department of Health says the NPPs do not cover non-healthinformation. As a consequence, the Australian Compliance Institute(16) says that research that can have considerable public benefit has beenhampered by the Privacy Act. It says that, on the basis that it may bepossible to re-identify consumption data, organisations cannot provide thisinformation (to universities, or government agencies, for example) without anindividual’s consent.

Data linkage and registries

The South Australian Department of Health (95) and the Department of Health Western Australia (101) say that the NPPs do not seem to provide for data linkage and there is a need to revamp NPP 10 to provide for this. Issues they raise include that the NPPs do not explicitly allow for the flow of information for the development of Australia’s National Minimum Data Sets. The Department of Health Western Australia (101) says that while the information for these is nominally de-identified, it does include date of birth, sex and postcode.

The NHMRC (32) is concerned that the Privacy Act directly impairs the establishment of registries. It says that use or disclosure of health information for this purpose is unlikely to be a directly related secondary purpose within the reasonable expectations of individuals under NPP 2 and so would appear to require approval by a HREC. However, the NHMRC (32) considers that such activities may be regarded as preliminary to research, rather than actual research, for the purposes of the NPP 2 exceptions to the need to get consent.

On the question of data linkage, the NHMRC (32) reports that some researchers have advised it that some HRECs appear to have discounted completely the potential to conduct research projects involving data linkage of health information without consent, and have rejected such applications out of hand, apparently in the ‘mistaken belief that such linkage is not ethically or legally acceptable’. It cites research it carried out which indicates that there was considerable support among the general public (66%) and health consumers (64%) for approved researchers to match information from different databases.

Likewise, it reports that there was an even higher level of support for approved researchers to access health information from databases where records are identified by a unique number rather than a name (general public 82%; health consumers 86%). It says its research also showed that nearly all health providers, data custodians, HREC members and peak body representatives who participated in its stakeholder surveys acknowledged the importance of data linkage in improving the effectiveness of treatment and consequently of public health.

On the other hand, in some stakeholder forums it was said that many people do not know that their health information is, or might be, used for research without their consent, or understand the value of such research.

Complexity of reporting obligations

Submissions, for example the University of Western Australia Human Research Ethics Committee (1) and the NHMRC (32), say that the reporting obligations under the section 95A Guidelines are onerous and detailed. In particular, they are concerned that the requirement to list the NPPs and the sub-sections referred to in reaching decisions is difficult to complete.

HREC decision making

An epidemiologist from the University of Adelaide (28) is concerned that what is in the public interest is being resolved by ethics committees which do not necessarily determine this issue on the basis of ethics considerations. The Australasian Epidemiology Association (30) is concerned about decision making on what is in the public interest being subject to the opinions of individuals on HRECs. For example, it says that legal liability may override ethical or public interest matters in an ethics committee’s decision about whether or not to approve a research proposal that involves collection, use or disclosure of personal medical information without consent.

The University of Adelaide (28) considers that the current approach to community representation on HRECs may not be appropriate. Other submissions, for example the South Australian Department of Health (95), say there are inconsistencies in the way HRECs are weighing up the benefit of a research proposal against the threat to individual privacy.

De-identification and medical research

The Australian Consumers Association (15) says that the whole issue of de-identified data needs to be re-examined. The Australian Institute of Health and Welfare (100) also points to problems with determining what is de-identified data and says there is a need for more guidance. The Australian Consumers Association (15) is concerned that:

‘as soon as something is deemed to be de-identified it no longer falls under the Privacy Act or the NPPs, but there is a vagueness surrounding the term. . . Indeed it seems that once a record is defined as ‘de-identified’ it is open slather, there is no need for consumer consent or ethics committee approval even though we have no good working definition of what de-identification means’.

The NHMRC (32) also says that stakeholders are experiencing difficulty in determining whether a person’s identity is ‘apparent or can be reasonably ascertained’. The Australian Nursing Federation (127) agrees that greater clarity is needed around the de-identification of electronic data and the point at which it is de-identified, as well as the definition of de-identification itself.

There are mixed views among submissions about what people think about the use of de-identified health information by third parties. The Australian Consumers’ Association (15) says that when people go to the doctor, they are giving information on the basis that it will be used only in their clinical care. They do not expect that third parties will be trawling through their health records, even if in de-identified form. It says that in this sense third party access to data without the consumers’ knowledge is something of a breach of trust.

On the other hand, the Australian Department of Health and Ageing (99) says that consumers have very definite opinions about health information. On the basis of research it has carried out, it says that consumers express strong reservations about identified personal information being made available for purposes other than their own clinical care, but are generally very accepting of the notion of sharing de-identified personal health information amongst health planners and researchers[184].

What submissions say – addressing the issues

Consistency within the Privacy Act

The NHMRC (32) suggests combining the IPPs and NPPs into a single set of National Privacy Principles that apply to all relevant public sector and private sector agencies. It also recommends having a single set of research guidelines that apply to the collection, use and disclosure of health information without consent, to apply to all health and medical research to which the Privacy Act applies. It says consistency could also be achieved by making the definition of ‘research’ consistent across all provisions of the Privacy Act and encompassing all health and medical research. The Australian Academy of Science (119) supports these kinds of measures.

National consistency

A number of submissions say that a single, simplified, national health privacy regulatory regime to replace, rather than supplement, the existing regulation should be pursued[185]. The University of Adelaide (28) and the Australian Epidemiological Association (30) suggest that the states could refer matters to the Commonwealth.

Broadening research provisions to non-medical research

The Australian Compliance Institute (16) says that the Privacy Commissioner should agree to the need to expand the research category to meet government, environmental and community benefits. The Commissioner should have powers to exempt research projects from Privacy Act provisions and principles, based on set criteria, where there are government, community or environmental benefits.

Broadening circumstances in which consent not needed

The AMA (29) suggests that all medical research should be regarded as relevant to ‘public health and public safety’. Further, it suggests that there should be a broader construction of what is ‘public health and public safety’.

Submissions also suggest a number of ways that the provisions providing for when consent is not needed could be broadened. The AMA (29) says that the exemption from the need to get consent for collection or disclosure of health information for research purposes should be extended from when it is ‘impracticable’ to include when it is so inconvenient or unprofitable that the research would be hindered.

The NHMRC (32) says that the NPPs should be brought into line with its Standards to allow consent to be dispensed with where it would cause ‘unnecessary anxiety’ or where the scientific value of the research would be prejudiced. However, in line with contemporary legal approaches to the concept of therapeutic privilege, it says the concept should be further defined to only encompass circumstances in which the procedures necessary to gain consent ‘are likely to seriously and adversely affect the well being (which includes the psychological health) of the person from whom consent would be sought’.

The University of Adelaide (28) suggests that consent might be dispensed with in cases where inclusion in the research causes no physical or psychological harm to the individual. The Australian Epidemiological Association (30) says that most people think that consent should not be needed for access to ‘medical records for non-commercial medical research that has no effect on the individuals being studied and has been approved by an accredited research ethics committee’.

The Australian Compliance Institute (16) suggests that, as for health and medical research, there should be special provisions to allow organisations to disclose personal information for research that will benefit government, the environment and the community. Further, it says that the Privacy Commissioner should develop criteria for exempting, and have the power to exempt, such research from the Privacy Act.

Further work to clarify when consent is needed

The Australian Consumers’ Association (15) recommends that the Office do further work on the sort of data usage that requires consumer consent or ethics committee approval in the public and private spheres. It also says that the Office should do further work on the challenges involved in protecting consumer privacy in the face of numerous databases that could be used to re-identify records.

Ensure NPPs allow data linkage

A number of submissions suggest that the NPPs need to be either clarified or revamped to ensure that the great public benefit that can be achieved from data linkage and data registries is realised. The Department of Health Western Australia (101) says that NPP 10.4 needs to be revamped as it does not permit the approach to data linkage in Western Australia, which allows a data custodian to retain data in identifiable form to enable the custodian to check the data. The Telethon Institute for Child Health Research (55) says that it is important that the privacy legislation recognises the public good which results from the epidemiological analysis of existing data collected on the population which has been linked together.

Clarify meaning of de-identification

The NHMRC (32) recommends that the Office clarify the meaning of ‘de-identified’, to make it clearer what information is and is not subject to the Privacy Act and ethics approval processes. The Australian Consumers’ Association (15) says that the Office should provide guidelines that set out a clear working definition of ‘de-identified’ data.

Simplify HREC approval process

A number of submissions agree that the procedure for gaining ethics approval to undertake linkage or record assessment research should be straightforward and streamlined[186].

HREC reporting requirements

Submissions, including a Human Research Ethics Committee (1), the NHMRC (32) and the Australian Academy of Science (119), support measures to streamline the reporting requirements of Health Research Ethics Committees.

Legal protection for HRECS

The University of Adelaide (28) and the Australian Epidemiological Association (30) say the law should be changed to protect ethics committees when they make reasonable decisions.

Raising awareness and acceptance

Submissions suggest a number of measures to increase public awareness and acceptance of the use of health information for research, and in particular epidemiological research. These include the careful publishing of research findings and public health outcomes in the popular media and holding forums that highlight the need for this kind of research[187]. In some of the stakeholder forums it was said that there should be public debate and raising of community awareness on the issue of the use of health information without individual consent.

The Health Consumers’ Council, Perth[188] says there needs to be greater regard for consent when health information is used for research, or at a minimum there should be notice of what information is being collected, how it is to be used and/or disclosed, and whether the use, disclosure or collection is required or authorised by or under law.

Options for reform

Consistency in approach to research between private sector and Commonwealth public sector

It has been recommended (see recommendation 1) that there be a wider review of the Privacy Act. This wider review could include how to make the IPPs and the NPPs consistent. This would include considering the question of what guidelines were needed. The same guidelines could apply to the same kind of research, regardless of whether it involves the private sector or the public sector. However, the wider review would need to consider whether separate guidelines might be needed for non-medical research that does not involve health information. It could also include reaching a definition of ‘research’ that applies across both sectors.

Broaden NPPs to include research on humans, not just medical research

For non-health information this would involve amending NPP 2, which currently only has provision to allow for disclosure of health information for specified research purposes without consent. To ensure there is appropriate protection, there would need to be a process that would include a HREC approval process appropriate to non-medical research.

A possible reference is Information Privacy Principles 10(f) and 11(h) of the Privacy Act 1993 (NZ), which allow personal information to be used or disclosed if the agency believes on reasonable grounds that the information is to be used for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual concerned. This principle currently applies unmodified to non-health information. However, New Zealand has a health information privacy code which regulates the handling of health information, including for research purposes[189].

It may not necessarily be appropriate to adopt the New Zealand approach to research involving non-health information without examining further whether the environment has changed sufficiently (for example, the increased ability to link data) to require a more strict approach, such as requiring a HREC approval process for research involving non-health information.

National consistency in approach to protecting privacy in research, including health and medical research

This report has made recommendations in Chapter 1 on how greater national consistency could be pursued. Having a national health privacy code which includes provisions for research could help in this respect. There would have to be consideration of how the IPPs fit into this scheme. However, this would not help to achieve consistency in the case of research that does not involve health information.

Clarify disclosure for the purpose of the management, funding or monitoring of a health service without consent

This could be done by:

  • amending NPP 2.1(d) to include that organisations can disclose information for the purpose of the management, funding or monitoring of a health service without consent. (This would require them to go through a section 95A process.)
  • adding an additional exception to NPP 2.1 that allows organisations to disclose information for the purpose of the management, funding or monitoring of a health service without consent. (This means they can do it without having to go through the section 95A process.)
  • conducting an education campaign with HRECs and other key bodies, and private sector organisations generally, to ensure that they know that the Office’s guidelines say that disclosure for management, funding and monitoring is related to the primary purpose of collection and within people’s reasonable expectations and so does not require consent.

Inquiry into use of personal information for research

There could be an inquiry to determine, with appropriate consultation and public debate:

  • the appropriate balance between facilitating research for public benefit and individual privacy and the right of consent
  • whether special protections are needed for research for commercial purposes
  • the privacy protections necessary if the balance is shifted towards data linking and more access without consent
  • what public education is needed to ensure the community is aware of the uses made of their personal information and the protections in place to protect it when it is collected without consent

There is considerable evidence that key researchers, especially epidemiological researchers, consider that the current balance between privacy and the public benefit of research is too heavily weighted in favour of individual privacy to the detriment of research. By gaining access to population data and data linkage, research might considerably benefit disadvantaged groups that are currently under-researched.

There is evidence that taking an opt-in approach to participation in research significantly reduces the participation rate and therefore the scientific integrity of research. In a study conducted by the University of Sydney[190], it was found that:

‘opt-in requirements significantly reduce the proportion of people ultimately recruited into a trial compared with an opt-out approach that was once commonplace. It has also shown that by increasing the number of eligible people approached to opt-in, a demographically similar study sample can be obtained. Furthermore, a study sample recruited by opt-in is more likely to include active, p