
Privacy Law and Policy Reporter


Clarke, Roger --- "Dangers in exceptions, modifications" [1997] PrivLawPRpr 14; (1997) 3(10) Privacy Law & Policy Reporter 191

Dangers in exceptions, modifications

Extracts from Roger Clarke's comments

The full text of Roger Clarke's comments, which were made on 17 September 1996 just after the discussion paper was released, can be found at people/Roger.Clarke/DV. The comments here emphasise his concerns, but his approach is generally `highly favourable' (General Editor).

IPPs a bad place to start

The manifold deficiencies of the Information Privacy Principles (IPPs) contained within the Privacy Act 1988[1] ... are yet more problematical when read in the context of the private sector. The areas of weakness include: their shortfalls in reference to the OECD's 1980s Guidelines (although one of the many elements of the problem, failure to cater for retention and destruction of data, is to be addressed); their shortfalls in reference to more modern documents such as the Australian Privacy Charter (1994) and the EU Directive (1995); their legalistic nature and lengthiness ... which conflict with the need for a clear and simple set of Principles that can be easily explained to corporate executives and managers; the inclusion of elements that are specific to the public sector; the bureaucracy and costs inherent in IPP 5(3) regarding the establishment, maintenance and periodic reporting by each organisation of a record of personal data records.

Delays in implementation

In addition to the delays foreseen as being appropriate for some Principles, I believe that enforcement of the Access and the Storage and Security Principles may also need to be subject to some delay or some other form of mitigation; otherwise there is a risk of undue costs and difficulties for companies and professionals to adapt their existing procedures, software, files and databases to comply with the requirements.

Advisers and software providers need time to learn their way into the new scheme, and user-organisations need time to implement changes in their procedures and to install new, compliant versions of software and file-layouts.

This matter needs to be juxtaposed against the mooted exemptions to access and correction rights discussed ... below. The public interest is much better served by having a long lead-in period than by implementing a scheme that risks being seen as unnecessarily expensive, or which embodies unnecessary loopholes.

Modification by codes

It is mooted that a code would be able to modify the Principles, as distinct from merely expressing the manner of their implementation in a particular context. This is a highly dangerous provision. The powerful lobbyists are organisations, not individuals; and hence such modifications will inevitably result in the undermining of the Principles and hence of the whole privacy-protective regime.

My strong preference is that no such mechanism be permitted. The means are available to industry associations to lobby for legislation to provide express statutory authority for particular exceptions if they believe they are justified. The Privacy Commissioner has the power to submit to the Minister and to publish reports which recommend such measures, if he or she sees fit.

If such a loophole were to be embodied in the legislation, then it would need to be subject to very significant controls, much more than the limited requirements of consultation that apply to normal Code development activities.


Access exemptions

A long list of exemptions is mooted to the access and correction rights under IPPs 6 and 7. These represent a most serious compromise to the stated intention of providing Australians with privacy protections, because public confidence in the fairness of personal data systems is entirely dependent on the preparedness of institutions and professionals to be honest about the data they hold.

The following observations are made:


Access procedures, costs

The requirement that all requests be in writing is bureaucratic, expensive, and, particularly in the case of simple matters, impractical and unnecessary. Mitigation of the responsibility to respond to requests could be provided relating to `requests that the data subject unreasonably declines to express in writing'.

The provisions relating to charges are not reasonable: like environmental standards and occupational health and safety, subject access is a cost of doing business, and should be gratis to the data subject. Mitigation of the responsibility could be provided relating to `unreasonably frequent accesses by a data subject', along the lines of the p 17 proposal. Generally, second and subsequent accesses per year would probably be `unreasonably frequent'; but not where, for example, the data subject had grounds for suspecting errors in the handling of subsequent transactions.

No provision appears to be made at present for failure by the data-holder to make a decision whether or not to grant access, or whether or not to agree to correct data. Such failure should be interpreted as a denial, thereby enabling the provisions relating to complaints to be invoked.


Law enforcement exemptions


Even if these gross exemptions were appropriate in their existing context, they are entirely inappropriate in this one. Non-governmental organisations have no business making decisions of this nature, and Parliaments should not impose such responsibilities on them. Appropriate mechanisms such as judicially-issued search warrants are available, or should be made available by the Parliament, to address such needs.

Personal Information Digest

The existing Personal Information Digest is a huge, unnecessary and wasteful exercise. To extend it to more than 100,000 non-governmental ... would risk discrediting the entire initiative. ... IPP 5 (3) provides little value in return for high costs, and should be dispensed with.

The phrasing of the Public Access Principle (currently approximated by IPP 5 (1)) needs to be such that organisations have a clear responsibility to provide the kinds of data needed to enable a member of the public to understand the nature of the organisation's personal data holdings; but whether the information is maintained on a permanent basis is a decision for the organisation itself.



Clarke R, (1996) `Privacy and Dataveillance, and Organisational Strategy', Proc EDPAC'96, Perth, May 1996, at:

1. Clarke R, (1989) `The Privacy Act 1988 as an Implementation of the OECD Data Protection Guidelines', Working Paper, Department of Commerce, Australian National University, 25 June 1989, Abstract at
