Privacy Law and Policy Reporter
The Commissioner's arguments for changes to the IPPs were included in (1997) 3 PLPR 163. The following extracts from the Commissioner's submission address implementation issues. Some headings have been edited (General Editor).
Individuals, wherever they live in Australia, and business, wherever it operates in Australia, both benefit from consistency in privacy regulation between the different Australian jurisdictions and, so far as possible, between Australian jurisdictions and those of our major trading partners. I agree with the paper that a primary objective must be to establish an effective and consistent national approach.
Whichever heads of [Commonwealth] power are applied, there is still likely to be an element of private sector activity that would lie outside the scope of the new law and would remain the responsibility of the States. It is essential that any system of privacy protection covering that element is entirely consistent with the main system. Inconsistent systems of privacy protection are likely to be costly and ineffective, invite criticism of the new law and bring it into disrepute.
The increasingly extensive interface between the public and private sectors -- a consequence of trends such as the contracting out of public services and the privatisation or corporatisation of public trading enterprises -- supports consistency of regulation between the private sector and the public sectors of the various Australian jurisdictions. The greater the differences, the more complicated, costly and inaccessible will privacy protection be.
States and Territories will need to provide for the handling of complaints within their public sectors. The institutional arrangements for this function are, of course, a matter for each State and Territory Government. Existing State functionaries that could possibly handle this responsibility include Ombudsmen's offices and Equal Opportunity Commissions or, in the case of NSW and SA, the relevant Privacy Committees.
In line with the approach taken in the discussion paper, the Federal Commonwealth Privacy Commissioner should be responsible for all complaints under the proposed extended Privacy Act and also for complaints under corresponding State and Territory legislation applying to residual private sector activity.
The discussion paper does not make a suggestion about how long the phase-in period should be. I note that the NZ Privacy Act had a three-year phase-in period. But there are a number of considerations that argue for a shorter period in the Australian context:
I consider that a one-year phase-in after assent would give sufficient time for organisations intent on complying with the law to review their handling of personal information while not unduly delaying the introduction of enforceable remedies for individuals whose personal information has been mishandled. If the likely date of commencement of an extended Act were announced at the time of introduction of the Bill, a year or more would effectively be added to the one year to which I have referred. This is because it is likely that it will take two sittings for the Bill to be dealt with.
I note that the NZ experience suggests that it will be necessary for the Privacy Commissioner to issue only a few codes of practice.
These appear to be the sort of matters that could be dealt with through the codes ... Nevertheless, I take the view that the amendments ... should not interfere with these established arrangements, which are in the main working effectively. If the coverage of the Act is extended, the first priority must be to implement successfully the application of the IPPs to the private sector ...
In the longer term it may be appropriate to consider whether some or all of these arrangements should be replaced by codes of practice of the type proposed in the discussion paper.
However, since the introduction of Pt IIIA in 1990, considerable effort has gone into implementation. Systems have been established across the industry, which appear to be operating smoothly. The level of compliance by the industry is generally good. Further change in the credit reporting requirements would be likely to cause considerable inconvenience and divert the resources of the Privacy Commissioner from more urgent tasks.
Part IIIA should be retained in its present form.
All but one of the exemptions set out in the discussion paper have a counterpart in the Commonwealth Freedom of Information Act. The exemption that does not is that for `evaluative material' and it is this -- judged unnecessary in the FOI context -- about which I am most concerned.
Assuming that the meaning of `evaluative material' in the NZ Privacy Act is intended, this refers to evaluative or opinion material compiled solely for determining suitability for: employment; promotion; continuation in employment; termination of employment; the granting, continuation or termination of awards, scholarships etc; or the provision or continuation of insurance cover.
This is a broad class of material and, in practice, it will be exactly this sort of material that individuals will be most concerned to gain access to. I doubt that in most cases it would be justified for an organisation to withhold personal information from a person solely on the grounds that it evaluates that person in some way. There may be instances where giving access to the information could adversely affect the commercial position of the firm, the supplier of the information, or the progress of a decision-making process that is still going on. In such circumstances it may be justified for access to be withheld, either temporarily or permanently. But in the main, I see no reason why people should not be able to access personal information used to make important decisions about them whether or not that information is `evaluative' in character.
In the NZ legislation on which the discussion paper is largely based, the exception for evaluative material applies only where making the material available would breach an express or implied promise made to the person who supplied the information that the information or the identity of the person who supplied it would be held in confidence. If an `evaluative material' exemption is incorporated, such a limitation is essential. Otherwise the value of the access right will be negated in situations where it is most needed.
The discussion paper proposes that organisations would be able to charge fees for making available information pursuant to IPP 5, as well as for access and correction under IPPs 6 and 7. Charging has been a controversial topic over many years in the FOI area. Care needs to be taken to avoid developing a charging policy which effectively curtails the value of the right of access. Organisations and individuals should be encouraged to provide access and correction without charge but it should not be impossible to impose a charge which seeks to recover direct costs for more complex requests.
I oppose charging for information under IPP 5, that is, for access to the record required to be kept by IPP 5.3 that sets out information on the classes of records containing personal information that the organisation holds. Since access to this record will in many cases be sought as the first step in making a request for access to specific records under IPP 6, allowing charges for access to the IPP 5.3 record will in some cases be tantamount to charging for making an access request, which the discussion paper proposes not be permitted. (See under The existing Information Privacy Principles for my comments on the suitability of IPP 5 for application to the private sector in general.)
The only point I wish to make at this time is that the assessment by regulation that a country has adequate levels of privacy protection should not be too permissive. The discussion paper suggests that such an assessment could be `where it was believed that there was in force in that country a law which was substantially similar to, or served the same purpose as, the Australian privacy regime'.
Merely having in place a law that serves the same purpose as the Australian regime may not be sufficient to ensure that personal information transferred to that country receives in practice an adequate level of privacy protection.
Kevin O'Connor, Privacy Commissioner, December 1996.