Home | Databases | WorldLII | Search | Feedback Privacy Law and Policy Reporter

Williams, Daryl --- "Privacy and the private sector" [1996] PrivLawPRpr 46; (1996) 3(5) Privacy Law & Policy Reporter 81

Privacy and the private sector

Daryl Williams, Commonwealth Attorney-General, outlines the Federal Government's new proposals to extend the Privacy Act.

It is a pleasure to outline the direction of the Government's reform agenda for privacy in the private sector. The issues that I will raise will, in many ways, form the basis of a blueprint for privacy protection into the next century. This is a much needed step and one that has been called for by many Australian companies and consumers.

The reform agenda has also been driven by the demands of an increasingly complex technological world. While it is certain that developments in technology bring with them many benefits -- and we have seen this with the introduction of the Internet and smart cards -- they also have their problems and raise issues that need modern day solutions.

While the community is rapidly embracing new technologies and incorporating them into their every day lives, they need reassurance that information held about them is not being misused.

They are rightly concerned about the centralised storage of information. Personal information is now routinely being used and re-used, often for purposes than for which it was originally supplied.

I have no doubts that the upgrade of technology has led to significant improvements in service delivery. However, individual privacy must not be traded off to maximise administrative and business efficiencies.

This area of concern was strongly debated in the Commonwealth Government arena in the 1980s and led to the introduction of the Privacy Act in 1988. In 1990, the Act was then extended to cover the credit reporting industry.

As the Government explores the viability of contracting services out to the private sector, privacy concerns are one of the paramount issues which need to be addressed.

I must stress that we are committed to providing real protection for personal freedoms such as an individual's right to privacy. However, it also must be acknowledged that privacy, while a major issue, is not the sole issue of public concern.

Any privacy regime must also take into account other competing public interests. And as with all Government responses, striking the right balance is vital. The relevant balance is between, on the one hand, community demands for guarantees that individual privacy rights will be protected and, on the other, community interest in efficient provision of goods and services and the protection of other public interests such as law enforcement.

As we set about to examine privacy in the private sector, wide ranging consultations will be fundamental to this process.

I believe that government and business share a common goal in ensuring that there is appropriate privacy protections in place. Many companies already have taken the lead and introduced privacy guidelines in their work practices.

A recent survey conducted by Price Waterhouse of 120 large businesses showed that two-thirds of respondents favoured the introduction of comprehensive national privacy legislation.

I would like to begin an extensive consultation process to develop an effective and workable privacy regime in the private sector. And your input is critical to its success. Through the consultation process, we will come up with a blueprint that strikes the right balance between ensuring adequate privacy protection and advancing the competitive interests of Australian companies.

As a first step, my Department has prepared a discussion paper as a basis for consultations. It suggests a co-regulatory approach to privacy protection in the private sector.

While acknowledging the role and work of my state colleagues in addressing privacy concerns in the private sector, the Government believes that a unified and national approach is needed.

Clearly, a patchwork of different regulatory regimes could considerably impede the effective operations of business. I understand that this has been a concern for members of the business community in recent times.

The discussion paper does not address the issue of privacy protections in relation to the activities of the media. This issue raises special considerations. The media has the important task of keeping the public informed of local, national and international affairs as well as ensuring that important issues are subject to public scrutiny. A balance needs to be struck between the public interest in freedom of expression and the protection of privacy. Separate consideration will therefore be given to privacy issues in relation to the media.

Before I go into greater detail on the discussion paper today, I would like to outline how other countries have tackled privacy issues.

International situation

In 1993, NZ enacted privacy legislation for the public and private sectors which sets down a broad set of Information Privacy Principles. The legislation also provides for Codes of Practice to be developed for specific industries, professions, organisations, activities or types of information.

In Asia, Hong Kong introduced similar legislation in July last year. Taiwan also introduced privacy legislation in mid-1995 with information privacy principles for the public and private sectors.

Further, in October 1995 the European Union passed a Directive on data protection. The Directive has received considerable coverage in the Australian financial press. The terms of the Directive restrict transborder flows of personal data to non-European Community nations without an adequate level of data protection, with some exceptions.

Australia is fortunate in being able to reflect upon the approach taken to privacy issues by our trading partners as a starting point for developing our response to these complex issues. However, I am not advocating for one moment that it is appropriate or acceptable to simply import a privacy regime from overseas.

The challenge ahead is to develop a regime which is appropriate for Australian conditions while at the same time remaining comparable with best international practice.

Discussion paper -- general approach

Overall, there is widespread international acceptance of these standards. They are reflected in the 1980 OECD Guidelines governing the protection of privacy and the recent European Union Directive on data protection.

The standards are also reflected in the national privacy legislation of other countries such as in NZ and Hong Kong. The standards relate to each stage of the collection and use of personal information.

Broadly, they state that --

• information should only be collected by lawful and fair means, and that people should be informed of the purpose for which the information is being collected;
• only relevant information should be collected and it should be up-to-date and complete; and
• the manner of collection should not unreasonably intrude upon the person's personal affairs.

Once the information has been collected --

• reasonable security safeguards should be provided to protect against loss and unauthorised access, use, modification and disclosure; and
• people should be able to access their own records and obtain correction where they contain information which is irrelevant, inaccurate, out-of-date or incomplete. The right to know what information is held about oneself and to ensure that such information is correct is a fundamental privacy principle.

To use information, the following principles apply --

• reasonable steps should be taken before using information to ensure that it is accurate, up-to-date and complete;
• information should only be used for purposes for which it is relevant; and
• information should only be used for the purposes for which it was collected, unless the person concerned consented to another use.

• a person's information should not be disclosed to other parties without the consent of the person concerned.

Regarding the use and disclosure of information, some exceptions to these general principles are necessary to protect other community interests. Thus other uses and disclosures which are required or authorised by law are permitted, as are uses and disclosures for enforcement of the criminal law, or to respond to serious or imminent threats on life or health.

These principles all reflect a general principle of openness about personal information practices. Apart from being good privacy principles, they would also appear to be good management principles.

Codes of practice

A code could be developed to elaborate upon the principles and provide concrete details on issues of relevance to a particular part of the private sector. A code would also be able to tailor the principles to the particular circumstances of the sector. I believe that this type of approach has the advantage of providing the level of flexibility required to apply to the private sector.

Codes of practice would be issued by the Privacy Commissioner. They would be subject to tabling in and disallowance by Parliament. While codes could be developed on the Commissioner's own initiative, they would usually be developed at the initiative of a particular part of the private sector. Irrespective of the impetus for the development of a code, the development process would include public consultation. Where a code was not issued the principles would apply.

This approach would provide a consistent framework for the entire private sector while at the same time providing flexibility to the private sector.

Transborder data flows

Scope of regime

Any regime may also need to include transitional arrangements and possibly a delayed enforcement mechanism. This is so as to distinguish between information collected before and after the commencement of the regime, and then to allow time where necessary, for codes of practice to be developed.

Role of the Privacy Commissioner

The functions and powers of the office of Privacy Commissioner would be adapted to cover the regime for privacy protection in the private sector generally. As in the current regime regarding the Commonwealth public sector and the credit reporting industry, I would envisage that the Commissioner would have an important function in promoting an understanding and acceptance of the objects of the privacy regime.

A broad educative function would be essential to the establishment of a privacy culture in the private sector and more particularly, the establishment of good systems and work practices.

This process would be assisted by the Commissioner also having an audit function, so that where necessary, the Commissioner could ascertain compliance with any regime. Auditing enables such assistance to be provided before problems arise.

In particular, I believe that part of the reason for the success of the Privacy Commissioner's role in the public sector and the credit reporting industry has been the pragmatic approach adopted in assisting agencies to comply with their obligations under the regime.

I believe that a similar approach would be an important part of the development of a privacy culture in the private sector.

Complaints mechanism

Procedures would need to be flexible and informal. An individual could make a complaint to the Privacy Commissioner about an act or practice that might be a breach of the principles or a code of practice.

The individual or organisation complained about would be informed by the Privacy Commissioner of any investigation and able to put their case to the Privacy Commissioner. Where the Privacy Commissioner considered that a complaint had substance, he or she would endeavour to secure a settlement between the parties concerned.

I would anticipate that as part of this process, the Commissioner would make constructive suggestions with a view to resolving complaints. For example, in some cases it may be possible to resolve the matter by recommending systemic improvements to organisation information practices.

It might be appropriate to seek an assurance against repetition of any act or practice that was the subject matter of the complaint or the doing of further acts or practices of a similar kind by the individual or organisation concerned.

Settlements might include an agreement to pay compensation. Where the Privacy Commissioner had been unable to secure a settlement, or he or she considered that the matter raised public interest concerns, or was not suitable for settlement, the complainant would be able to commence proceedings in the Federal Court.

Any Federal Court action would not involve a review of the Commissioner's assessment or enforce any settlement agreed to, but would consider the matter afresh. The Federal Court would be able to order individuals and organisations to pay compensation or to refrain from acts which would constitute a breach of the information privacy principles or a code of practice.

There would also be provision for significant civil penalties where there had been unauthorised disclosure of personal information for profit or where personal information had been obtained by false pretenses.

Other privacy intrusions

Physical intrusion is also of concern. Optical surveillance, for example, has attracted considerable attention, as has the intrusiveness of some telemarketing practices.

To address these concerns, in addition to the protections afforded to personal information under this regime, the Privacy Commissioner would have the power to prepare and publish guidelines for the avoidance of acts and practices that might have other adverse effects on the privacy of individuals. This would mean that the Privacy Commissioner would be able to issue guidelines regarding matters such as telemarketing and optical surveillance, even where no record of personal information was involved.

I would envisage that the Privacy Commissioner would be able to receive complaints about breaches of these guidelines, investigate them and, where appropriate make recommendations to resolve the complaints. A complainant would not, however, be able to bring proceedings in the Federal Court regarding these matters.

The non-binding nature of the guidelines would reflect their potential scope as going beyond the basic information privacy principles.

Conclusion

I have drawn key elements in the discussion paper to your attention. It is a detailed document, which sets out as far as possible, all the possible elements of a private sector privacy regime. However, it should not be taken as an indication that the Government has taken a firm view on how these matters should be dealt with. Rather, it is a basis for discussion.

The paper is available.¹ Your comments are sought on all of the issues raised in the Discussion paper, or for that matter, any issues that you believe should be considered as part of this process.

Comments should be submitted to the International Civil and Privacy Branch of my Department by the 29 November.²

I believe that through this consultative process, the Government will be better placed to understand the wide range of community issues that need to be resolved, so that a workable and effective privacy regime can be established.

With this input, I hope to be in a position to develop legislation for introduction next year which provides a privacy regime for all Australians which is comparable, if not better, than international best practice.

Daryl Williams, Commonwealth Attorney-General.

1. The discussion paper, `Privacy Protection in the Private Sector', is inserted in this issue.

2. The mailing address for submissions is detailed in the discussion paper.