Privacy Law and Policy Reporter
Sub-headings have been altered in this extract (General Editor).
The Australian Direct Marketing Association (ADMA) is an association with 400 corporate members including all of the major banks, financial institutions, insurance companies, airlines, motor vehicle manufacturers, oil companies, the hospitality industry, traditional direct marketers such as Reader's Digest and Time Life as well as the wide range of companies and agencies which supply the direct marketing sector. Every ADMA member has a significant interest in the ongoing use of their marketing databases, a core issue in any future private sector privacy regime.
... Regulation relating to data protection and privacy in Australia was heading towards duplication and inconsistency. The enactment of uniform national privacy legislation applying to the private sector will be an important part but not the only part of an appropriate regulatory regime for direct marketing in the 21st century.
Notwithstanding a position in favour of uniform national privacy legislation, ADMA has a number of comments to make in relation to the discussion paper ...
ADMA asserts that the balanced approach taken in the above reflects the broad nature of its authorship by a working group on which government, consumers and industry are represented. ADMA's recommends a regulatory structure which incorporates the same approach.
In its review of official reports it omits the March 1995 report to the Federal Minister for Finance by the Information Technology Review Group, Client first: the challenge for government information technology, which suggested that rather than extending the standards of privacy protection reflected in the Privacy Act to the wider community, they should be reduced.
The discussion paper also fails to mention that the level of complaint is very low.
In the 7th annual report of the Privacy Commissioner 1994-95, 793 written inquires were received ranging from general privacy concerns to specific Privacy Act complaints -- `These are very similar figures to those of the previous year and indicate that the level of complaints and inquiries has now stabilised'.
In the Commissioner's 8th annual report, it was stated `During the year (1995-1996) 516 written inquiries were received ...' This represents a drop in inquires of more than 20 per cent.
Similarly the Telecommunications Industry Ombudsman reported a decrease of three per cent in privacy-related cases between 1994-1995 and 1995-1996. Austel's 1996 annual report lists `a steady flow' of 328 privacy complaints or inquires, 24 of these related to telemarketing complaints, which is hardly significant given the millions of telemarketing calls made each year.
ADMA in no way wishes to downplay the importance of the privacy issue. However ADMA strongly recommends that in all future public statements the Attorney-General, the Attorney-General's Department and the Privacy Commissioner adopt a more balanced approach than that of the discussion paper.
ADMA's comments are also based on the definition of consent in the Privacy Act 1988: `consent' means express consent or implied consent. This definition underpins ADMA's assertion that `opt out' or the right to object is the Australian standard for direct marketing practice and must remain so if Australia is to achieve an approach `comparable with the best international practice', the stated aim in the discussion paper.
Principle 1 -- Manner and purpose of collection of personal information
ADMA believes the wording `directly related' is too narrow, and recommends the NZ version `connected with'.
Principle 2 -- Solicitation of personal information from individual concerned
ADMA believes that business-to-business communication should be specifically excluded from this Principle. In communication between businesses, the name of the person concerned is merely an aid to identifying the required function. For instance, the aim of a communication to `the marketing manager' may or may not include the name of the person concerned; the use of the actual name and its collection are secondary and not `personal information' in the usual sense. Implied inclusion of business-to-business communication could unnecessarily impede normal commercial activity.
Principle 3 -- Solicitation of personal information generally
3(a): ADMA recommends the deletion of the words `or in a generally available publication'. This would then have the same affect as 2(a) of NZ Principle 2 to exclude `publicly available information'.
Principle 10 -- Limits on use of personal information
ADMA recommends two amendments drawn from NZ.
The inclusion of a new 1(a) in line with NZ Principle 2 (2)(a): `That the information is publicly available information'.
In 1(e) ADMA recommends the replacement of `directly related' to the NZ `connected with'.
While ADMA believes the phase in period should be three years, it recommends that what is contained in discussion paper Principles 1 to 8 should apply from the commencement of the regime.
In relation to what is contained in discussion paper Principles 9 to 11, however, implementation should be delayed to allow businesses and other enterprises sufficient time to contact all data subjects and change stationery and other relevant documentation and advertising material.
Of particular concern is the proposal that the Privacy Commissioner would be able to issue Guidelines in relation to any action which amounted to an intrusion of privacy even though personal information was not involved. While this may cover matters such as optical surveillance, it would give the Privacy Commissioner enormous powers beyond the scope of the intent of this legislation.
The Privacy Commissioner could issue guidelines on his own initiative without application from any other party. There is no intrusion input into the guidelines or any period for public discussion. An infringement of the guidelines will not lead to a Federal Court action. However, it can be investigated by the Privacy Commissioner. The Privacy Commissioner would have extensive powers in relation to the conduct of investigations including the power to obtain any relevant information and documents and to examine witnesses. The Privacy Commissioner would also be able to make recommendations with regard to any remedy the Commissioner felt was appropriate including payment of compensation.
This is of particular concern to ADMA members because the discussion paper specifically foreshadows the issue of guidelines on telemarketing which the industry would not be able to change or control in any substantial manner and may be in conflict with the Codes that have been developed elsewhere and adopted by industry.
In ADMA's view the role of the privacy administration should be to investigate abuses, prosecute breaches, educate and advise rather than proactively seek to examine proposals that `could' involve an interference with the privacy of individuals.
Codes of practice
The Privacy Commissioner's power to issue codes of practice under the Privacy Act would also be very wide. The Commissioner would be able to issue codes on the application of any person as well as on the Commissioner's own initiative.
The mechanism for issuing codes of practice has the potential to be either too short for proper consultation or too long to represent a quick response to perceived problems. There are three periods of public notice and it is at the discretion of the Commissioner how quickly or slowly the process happens.
The codes will also need to be considered by both Houses of Parliament as they will be considered disallowable instruments under the Acts Interpretation Act and either House of Parliament will have the power to disallow the code.
The procedure to amend the codes is the same as for issuing a code and has the potential to be equally as cumbersome.
Urgent codes of practice
Also of concern is the fact that the Privacy Commissioner could issue a new code or amend or revoke an existing code without public notice or public consultation. This can be done if the Privacy Commissioner considered that the issue, amendment or revocation of the code was urgent. Codes issued under this process would remain in force for up to a year and during that time the Privacy Commissioner may, but is not obliged to, consult with interest groups. There is no appeal process available to force the Privacy Commissioner to revoke codes issued in a perceived case of urgency within less than a year.
Transborder data flows
Many ADMA members are either international companies or large Australian corporations which transfer data across international borders as a normal course of their business. ADMA believes that whatever provisions relate to transborder data flows should be incorporated into the principles themselves and there should be no requirements for separate codes or additional requirements.
The Privacy Commissioner is given a number of functions under the new Act. These include the Commissioner's power to:
Investigate an act or practice of any individual or organisation that, while not involving a breach of an IPP or a Code Practice, could have an adverse affect on the privacy of an individual and, where the Commissioner considered it appropriate to do so, to endeavour to effect a settlement of the matters that gave rise to the investigation.This gives the Commissioner power to investigate perceived intrusions into the privacy of an individual where no personal information was concerned and no guideline has been issued. Presumably, the Commissioner's wide powers to make recommendations regarding any remedy including a monetary sum which was appropriate in the opinion of the Commissioner will apply here.
The Commissioner also has the power to examine proposals for data matching or data linkage that could `involve an interference with the privacy of individuals'. This will be of concern for all companies who collect and cross match several categories of data about their customers or who buy data from other companies and match it against their own.
ADMA is suggesting a model along the lines of recently established regulatory bodies such as the National Registration Authority and the National Food Authority. The NRA has a seven-member part-time board and is administered by a CEO who is not a board member. The NFA has a five-member board with a full-time chair who is also CEO. ADMA prefers the NRA model which allows for more outside representation on the board.
A larger board would also enable the establishment of a private sector board sub-committee to approve matters such as codes of practice to eliminate the necessity for formal gazettal. One of the advantages of codes is flexibility. This will be lost with a formal process involving the Governor-General-in-Council. An additional problem will be the Legislative Instruments Bill when it becomes law next year. This legislation provides an additional six months for `legislative instruments' to be disallowed by either House of Parliament which would introduce an unacceptable level of uncertainty in relation to codes of practice.
The NPA's focus and strategic direction would be determined by a board of directors provided for under the Privacy Act. The board would comprise one part-time chair and six part-time Directors who could be selected for their experience in privacy matters relating to health, financial services, marketing, consumer affairs, State/Territory administration and the academic sector.
This need not add unduly to the cost of the Authority. In the case of the National Registration Authority, directors fees amount to only $101,000 out of a total budget of more than $13 million in 1995-1996.
ADMA recommends that State and Territory Governments undertake to introduce complementary privacy legislation to come into affect at the same time as the extension of the Commonwealth Privacy Act in relation to the private sector.