Privacy Law and Policy Reporter
Commonwealth Attorney-General, Daryl Williams, has received over 100 submissions on the Discussion Paper Privacy Protection in the Private Sector (September 1996), proposing the extension of the Privacy Act 1988 (Cth) to the Australian private sector (outlined by the Attorney-General in < 3 PLPR 81>). A full list of non-confidential submissions received is included in this issue.
This is the first of two special issues consisting of extracts from submissions on the Discussion Paper. The submissions, which often go beyond what is proposed in the Discussion Paper, represent the most extensive and considered debate to date concerning the future, limits and effectiveness of Australia's Privacy Act, and therefore deserve general publication. The submissions extracted in these two issues are intended to provide a cross-section of views from key industry organisations (direct marketing, finance and credit reporting, insurance), administrators (the Privacy Commissioner, NSW Privacy Committee), and privacy advocates. Other submissions will be extracted in later issues as debate on the future of the legislation proceeds.
There is also a high degree of support for what the Discussion Paper describes as a `co-regulatory approach', which here just means a capacity to modify the IPPs through industry-based or subject-specific Codes of Practice issued by the Privacy Commissioner and disallowable by Parliament. This approach, most successfully implemented in NZ's Privacy Act 1993, is seen as providing consultation, cooperation and flexibility (see CRAA's submission). Some private sector submissions are nervous about the amount of discretion this Code-making power gives to the Privacy Commissioner and want a lot of industry-specific content in the legislation (see extracts from the insurance industry submission in this issue).
The Discussion Paper does not propose any changes to the 11 existing Information Privacy Principles (except for proposing exceptions for the private sector to access under IPP 6), although it does propose a new `destruction principle'. It says the current IPPs would be `the basis' of the standards for the private sector. However, many submissions do propose extensive changes and additions to the IPPs.
The Privacy Commissioner proposes extensive changes (see extract in this issue), including: requirements for more specific definition by organisations of the purposes for which they collect information; a requirement to inform people what happens if they do not disclose personal information; ending the ability of organisations to disclose information to anyone provided they simply give notice when collecting the information; and narrowing the law enforcement exemptions for disclosure. The Commissioner also proposes new IPPs concerning controls on `reference databases' (`bureaus' for exchange of insurance, rental or other information), data matching, public registers and unique identifiers. The former Privacy Commissioner's last significant public document is certainly one of his strongest!
The Communications Law Centre (see extracts this issue) and privacy advocates like the Australian Privacy Charter Council take a similar approach to proposing new IPPs, usually basing them on the Australian Privacy Charter.
There is strong disagreement about aspects of the IPPs which impose substantive limits on the surveillance capacities of organisations, such as more specific purposes at time of collection, limitation on within-organisation uses, public registers, and limitations of collections and disclosures despite consent. As noted in < 3 PLPR 154> in relation to positive reporting, these issues will be among the main litmus tests of whether the government intends to protect privacy or provide a mechanism for legitimising extended surveillance by the private sector.
Graham Greenleaf, General Editor.