Privacy Law and Policy Reporter

O'Connor, Kevin --- "Commissioner supports flexible implementation" [1997] PrivLawPRpr 11; (1997) 3(10) Privacy Law & Policy Reporter 184

Commissioner supports flexible implementation

Extracts from the submission of the Australian Privacy Commissioner

The Commissioner's arguments for changes to the IPPs were included in (1997) 3 PLPR 163. The following extracts from the Commissioner's submission address implementation issues. Some headings have been edited (General Editor).

Individuals, wherever they live in Australia, and business, wherever it operates in Australia, both benefit from consistency in privacy regulation between the different Australian jurisdictions and, so far as possible, between Australian jurisdictions and those of our major trading partners. I agree with the paper that a primary objective must be to establish an effective and consistent national approach.

...

Jurisdictional boundaries

Residual private sector coverage

Whichever heads of [Commonwealth] power are applied, there is still likely to be an element of private sector activity that would lie outside the scope of the new law and would remain the responsibility of the States. It is essential that any system of privacy protection covering that element is entirely consistent with the main system. Inconsistent systems of privacy protection are likely to be costly and ineffective, invite criticism of the new law and bring it into disrepute.

Coverage of state, territory and local government

The information handling practices of State, Territory and local government agencies will remain the responsibility of individual State and Territory Governments.

...

The increasingly extensive interface between the public and private sectors -- a consequence of trends such as the contracting out of public services and the privatisation or corporatisation of public trading enterprises -- supports consistency of regulation between the private sector and the public sectors of the various Australian jurisdictions. The greater the differences, the more complicated, costly and inaccessible will privacy protection be.

Handling complaints

States and Territories will need to provide for the handling of complaints within their public sectors. The institutional arrangements for this function are, of course, a matter for each State and Territory Government. Existing State functionaries that could possibly handle this responsibility include Ombudsmen's offices and Equal Opportunity Commissions or, in the case of NSW and SA, the relevant Privacy Committees.

In line with the approach taken in the discussion paper, the Federal Commonwealth Privacy Commissioner should be responsible for all complaints under the proposed extended Privacy Act and also for complaints under corresponding State and Territory legislation applying to residual private sector activity.

...

Staged implementation

In relation to IPPs 1 to 3 and 8 to 11, the discussion paper proposes that there be a phase-in period during which a complainant would not be able to take an unresolved complaint to the Federal Court unless a code of practice was already in place. I broadly support this staged proposal. Such a period should give organisations a chance to review their personal information handling practices before they face the prospect of financial loss arising from breaches of the IPPs. As well, it will allow the Privacy Commissioner and his or her office to develop administrative expertise in relation to new sectors as early as possible.

The discussion paper does not make a suggestion about how long the phase-in period should be. I note that the NZ Privacy Act had a three-year phase-in period. But there are a number of considerations that argue for a shorter period in the Australian context:

I consider that a one-year phase-in after assent would give sufficient time for organisations intent on complying with the law to review their handling of personal information while not unduly delaying the introduction of enforceable remedies for individuals whose personal information has been mishandled. If the likely date of commencement of an extended Act were announced at the time of introduction of the Bill, a year or more would effectively be added to the one year to which I have referred. This is because it is likely that it will take two sittings for the Bill to be dealt with.

Codes of practice

Codes appear to provide a flexible, but accountable, means of filling the gap between the general statements of principle in the IPPs and the nuts and bolts of day-to-day decision making in particular organisations.

...

I note that the NZ experience suggests that it will be necessary for the Privacy Commissioner to issue only a few codes of practice.

...

Existing guidelines and codes

The Privacy Act currently provides for the issue of special codes or guidelines with legal effect for some particular activities: [the s 95 NH&MRC guidelines re medical research, the s 17 tax file number guidelines, and the Medicare and Pharmaceutical Benefits Programs Privacy Guidelines under s 135AA of the National Health Act 1953 are then listed].

These appear to be the sort of matters that could be dealt with through the codes ... Nevertheless, I take the view that the amendments ... should not interfere with these established arrangements, which are in the main working effectively. If the coverage of the Act is extended, the first priority must be to implement successfully the application of the IPPs to the private sector ...

In the longer term it may be appropriate to consider whether some or all of these arrangements should be replaced by codes of practice of the type proposed in the discussion paper.

Credit reporting -- Pt IIIA

Part IIIA of the Privacy Act and the Credit Reporting Code of Conduct made under s 18A of the Act, regulate the conduct of consumer credit reporting. This specific legislation, dealing with a particular type of predominantly private sector activity, covers an area that could perhaps be addressed by a code issued by the Privacy Commissioner under the proposed regime.

However, since the introduction of Pt IIIA in 1990, considerable effort has gone into implementation. Systems have been established across the industry, which appear to be operating smoothly. The level of compliance by the industry is generally good. Further change in the credit reporting requirements would be likely to cause considerable inconvenience and divert the resources of the Privacy Commissioner from more urgent tasks.

Part IIIA should be retained in its present form.

Access -- exemptions

I strongly support the institution of an access and correction regime along the lines of that outlined in the discussion paper. My reservations about the discussion paper model relate largely to the exemptions from the obligation to give people access to personal information about them.

All but one of the exemptions set out in the discussion paper have a counterpart in the Commonwealth Freedom of Information Act. The exemption that does not is that for 'evaluative material' and it is this -- judged unnecessary in the FOI context -- about which I am most concerned.

Assuming that the meaning of 'evaluative material' in the NZ Privacy Act is intended, this refers to evaluative or opinion material compiled solely for determining suitability for: employment; promotion; continuation in employment; termination of employment; the granting, continuation or termination of awards, scholarships etc; or the provision or continuation of insurance cover.

This is a broad class of material and, in practice, it will be exactly this sort of material that individuals will be most concerned to gain access to. I doubt that in most cases it would be justified for an organisation to withhold personal information from a person solely on the grounds that it evaluates that person in some way. There may be instances where giving access to the information could adversely affect the commercial position of the firm, the supplier of the information, or the progress of a decision-making process that is still going on. In such circumstances it may be justified for access to be withheld, either temporarily or permanently. But in the main, I see no reason why people should not be able to access personal information used to make important decisions about them whether or not that information is 'evaluative' in character.

In the NZ legislation on which the discussion paper is largely based, the exception for evaluative material applies only where making the material available would breach an express or implied promise made to the person who supplied the information that the information or the identity of the person who supplied it would be held in confidence. If an 'evaluative material' exemption is incorporated, such a limitation is essential. Otherwise the value of the access right will be negated in situations where it is most needed.

Access -- procedures, charges

Questions may also be raised about the appropriateness of the procedural requirements proposed by the discussion paper for a request for access to personal information. Given the prevalence of electronic communications -- such as fax and e-mail -- it may not be necessary to restrict valid requests to those transmitted by post.

The discussion paper proposes that organisations would be able to charge fees for making available information pursuant to IPP 5, as well as for access and correction under IPPs 6 and 7. Charging has been a controversial topic over many years in the FOI area. Care needs to be taken to avoid developing a charging policy which effectively curtails the value of the right of access. Organisations and individuals should be encouraged to provide access and correction without charge but it should not be impossible to impose a charge which seeks to recover direct costs for more complex requests.

I oppose charging for information under IPP 5, that is, for access to the record required to be kept by IPP 5.3 that sets out information on the classes of records containing personal information that the organisation holds. Since access to this record will in many cases be sought as the first step in making a request for access to specific records under IPP 6, allowing charges for access to the IPP 5.3 record will in some cases be tantamount to charging for making an access request, which the discussion paper proposes not be permitted. (See under The existing Information Privacy Principles for my comments on the suitability of IPP 5 for application to the private sector in general.)

Transborder data flow

I support the thrust of the discussion paper's proposals in relation to transborder data flows. The transfer of information overseas for processing of various sorts is increasingly cheap and easy to accomplish. Like many overseas information privacy laws, Australian law should seek to ensure that protections equivalent to those an Australian enjoys in Australia apply to overseas use of the data.

The only point I wish to make at this time is that the assessment by regulation that a country has adequate levels of privacy protection should not be too permissive. The discussion paper suggests that such an assessment could be 'where it was believed that there was in force in that country a law which was substantially similar to, or served the same purpose as, the Australian privacy regime'.

Merely having in place a law that serves the same purpose as the Australian regime may not be sufficient to ensure that personal information transferred to that country receives in practice an adequate level of privacy protection.

Kevin O'Connor, Privacy Commissioner, December 1996.


URL: http://www.austlii.edu.au/au/journals/PrivLawPRpr/1997/11.html