Privacy Law and Policy Reporter
Increasing technological advancements, the power of information as a valuable asset and resource, and the speed and cost efficiency with which computers nowadays process, sort, transfer and record information have increased the privacy awareness of the Australian public.
One of the growing privacy concerns in Australia is about the protection of confidential information in the hands of non-government entities. This has culminated in the Australian Government's 'Innovate Australia' statement (6 December 1995) on its intention to develop a comprehensive scheme to protect personal privacy. Presumably, this means extending Australia's privacy laws, in some shape or form, into the private sector.
That is a most significant development given the adjustments that will be required and the implications of extending personal privacy laws to cover the private sector. Initial concerns will no doubt focus on the possible increase in the costs of administration and the fear that more bureaucracy will impede the efficiencies being achieved by all organisations, including business.
In NZ, we have a privacy law (the Privacy Act 1993) which covers all sectors: the state sector, local government, public registries and, of course, all of the private sector. The NZ experience and adjustment over the past two years has been fascinating to watch. My work in this area, across a wide variety of industries and sectors, has led to the observation that there are definitely some 'do's' and 'don'ts' when it comes to implementing privacy laws for non-government agencies.
For example, most organisations should be able to continue their activities without having to make significant adverse changes to their business practices. For those that have an exposure under the law due to the amount of personal information being processed, privacy compliance programmes are a must. There are many practical steps and tasks which can be undertaken to ensure a smooth transition to coverage in the private sector.
It is to be expected that there will be a fair degree of 'hype' and over-reaction to the proposal that the collection, use and disclosure of personal information by the Australian private sector should be regulated. On the positive side, quite apart from any civil libertarian responsibilities, the privacy principles merely reinforce good personnel and records-management practices; for example, by allowing individuals to access their personal files, and by ensuring the accuracy and confidentiality of personal information.
One of the concerns in NZ over extending the privacy legislation into the private sector was the lack of precision and uncertainty created by the application of generic privacy principles to very specific industry conditions, histories and business practices. The trade-off was to develop a mechanism which would protect personal information privacy and yet not unduly burden the private sector with inflexible and inappropriate rules. It had to allow for the many differences existing across the diverse range of activities in the private sector, including commercial, charitable and cultural activities. The extension of the information privacy principles into the private sector established overriding guidelines for data protection. In NZ, this now provides some consistency to the different information management policies which may have existed in the private sector.
A key feature of the NZ privacy law was the introduction of statutory privacy codes of practice. This is a form of self-regulation but comes with a 'sting in its tail'. It is unique to the NZ environment: an industry or class of agencies can work together with the Office of the Privacy Commissioner to develop a set of principles tailored to their requirements which are enforceable at law. These statutory codes may modify the application of the information privacy principles in the legislation. Therefore, this mechanism achieves a large measure of flexibility and industry input into information privacy issues. The statutory code becomes a substitute for the principles in the Privacy Act, to the extent that a failure to comply with a privacy code will be treated as a breach of an information privacy principle. This then triggers the complaints and enforcement procedures in the NZ legislation.
In NZ, there was no need for a 'national privacy code' or 'charter' because this function is fulfilled by the principles in the Act. Instead, if approved by the Privacy Commissioner, sectors, industries, associations or classes of activities may apply for a code, which will only be applicable to their particular industry, sector or activity. The Commissioner's Office insists on a consistent style and structure, to reflect the 'legal' status of our privacy codes.
The NZ legislation has detailed procedures for issuing a privacy code. These include the approvals process of the Privacy Commissioner, who must issue the code, and extensive consultation among interested parties. The role of the Privacy Commissioner in this process is most significant. That office ensures that there are no inconsistencies (other than deliberate modifications) with the privacy principles, or as between codes, and that the scope of the code is wide enough to cover the activities which are at issue. The NZ Privacy Commissioner may play an active role in terms of recommending a code of practice for organisations or industries which demonstrate that they need to develop better information management practices. The Commissioner may issue a code on his own initiative or on the application of any person representing a group.
Voluntary codes of practice may be effective provided there are meaningful sanctions or remedies for any breach of the code. Self-regulation, in the form of a voluntary code of practice, leaves room to escalate the response to problem areas, depending on the way these areas develop and the effectiveness of any consumer awareness campaign. In NZ, one of the examples of an industry operating by a code of practice (but not a statutory privacy code) is the banking industry. It provides an enforcement regime with its own Banking Ombudsman.
One of the key reasons that voluntary codes of practice fall into disrepute is that there may be some individuals or organisations in the industry who are not willing to subject themselves to self-regulation, and there are no sanctions or remedies provided under that regime. Therefore, an essential component of an effective code of practice is that it must be enforceable. This should apply whether the controls for privacy are internal (such as operational procedures within an organisation) or external (such as industry or sectoral codes).
Although there may be potential for inconsistencies between the way in which different organisations or industries approach the issue of data protection, a national standard (such as in the form of the Privacy Charter or based on the information privacy principles in the Federal law) could provide the base for a set of consistent principles designed to protect the individual's privacy. The aim of most privacy laws is not to dictate a rigid and inflexible approach to privacy protection. Instead, one of the reasons for the broadly-worded information privacy principles (originating with the OECD guidelines) is that the drafters recognised the need to accommodate the different national (and in NZ, private sector) approaches to complying with the law.
Australian initiatives
The European Union Directive on Privacy and Free Flow of Personal Data prohibits the transfer of personal data from European Union countries to countries which do not have 'adequate' data protection laws. This will place significant pressure for increased data protection in the private sector. The directive defines 'adequate level of protection' as including the rules of law - both general and sectoral - in force in the country in question and the professional rules and security measures which are applied within the country. Therefore, the application of a code of practice may be most significant when dealing with a European Union country.
The Office of the Privacy Commissioner issued the Health Information Privacy Code in 1994 after extensive consultation with the various members in the health sector. It recognises the sensitivity of health information and the different agencies which need access to that information. The Health Code is also significant for addressing Maori and other cultural concerns in operating procedures established by these agencies in order to promote a more effective and direct response to those concerns. This code is currently functioning smoothly, although there has been a tendency for health privacy issues (in particular what is and is not allowed under the Health Code) to become confused with the political agenda of those opponents of the NZ health restructuring.
The GCS Code
The GCS Code is another code issued by the Office of the Privacy Commissioner. This code deals with personal information that used to be held by a government computer bureau which was then sold into the private sector. It supplies computer processing services to a number of important departments of state. These include the Department of Social Welfare, the Justice Department, the Inland Revenue Department and the NZ Police. This code applies to certain personal information that is supplied to GCS and its related companies by public sector agencies which were clients at the commencement date of the code. There is a very limited application of the code to those public sector agencies to ensure that a remedy will be available to individuals whose data is now being processed in the private sector.
The Superannuation Scheme Code
The Superannuation Scheme Code was developed in conjunction with the Association of Superannuation Funds of NZ. This involved a minor issue in respect of a principle which is unique to the NZ legislation. This principle constrains the assignment of unique identifiers to an individual. This was the NZ response to the Australian identity card debate. One of the constraints is that the principle prohibits the assignment of the same unique identifier unless the agencies are associated persons as defined under NZ tax law. In this case, the employer and the super scheme were not associated persons. Therefore, the Privacy Commissioner was asked to clarify that issue and also to consider any other issues arising under super schemes.
Draft codes
There are a number of other codes under development such as the draft Telecommunications Privacy Code, Credit Reporting and Debt Collection, and Law Enforcement. In keeping with the deregulated flavour of the NZ marketplace, there is little enthusiasm for a heavily prescriptive approach to code content. The Office of the Privacy Commissioner is actively involved in the development of these codes with the various parties.
The Commissioner plays a sort of 'devil's advocate' game, as his office insists on maintaining a high standard of privacy protection within these codes. That is the 'sting' in the tail of self-regulation. It also ensures that these legally-binding documents can sit beneath the umbrella of the Act as offspring out of the same privacy mould as the parent Act. But it is also the means to ensure a meaningful law (and its acceptance), and uniform standards, when trying to apply general principles to the multitude of uses for personal information by private sector companies. There are other benefits of the code development process. The consultation and lengthy development phase ensure that the agencies requesting the codes are well-versed in their privacy obligations and responsibilities by the time the applicable standard has been reflected within their code.
As well as offering the mechanism of codes of practice, the drafters of the NZ law offered another 'trade off' when implementing the Privacy Act. This was the provision of a three-year 'period of grace' before the full force of the enforcement remedies could apply to a privacy infringement. This transitional period has allowed the private sector time to consider the need for a tailored privacy code within each industry or for various activities.
The following points are practical issues to consider and address in the development of a privacy code or charter:
The following observations may be pertinent to the present privacy debate in Australia:
Privacy will not be taken seriously, nor will the obligation to comply be 'owned' by the agency or company, unless all levels affected by the new laws can appreciate the need for personal privacy protection and recognise the beneficial spin-offs for those organisations that know how to approach its implementation proactively and capitalise on this need. This is the point at which you will start to 'win hearts and minds' on extending the coverage of your privacy laws.
Elizabeth Longworth, Principal, Longworth Associates, Auckland. ph: (+64 9) 356-2640
Based on a paper presented at Recent Developments in Information Privacy (IIR Conferences), Sydney, 7 December 1995.