Privacy Law and Policy Reporter
A wide-ranging review of the need for reform of Queensland laws concerning privacy in both the public and private sectors has been commenced by the Legal, Constitutional and Administrative Review Committee (LCARC) of Queensland’s Legislative Assembly.
The Committee’s Issues Paper No. 2 Privacy In Queensland, released in May 1997 (available at http://www.parliament.qld.gov.au/committees/legalrev_issues_paper_2.html) requests submissions on 22 privacy issues (see the accompanying full list), with submissions due by 1 August. However, the Committee has decided ‘not to precisely define the scope of its inquiry until after submissions have been received’, and says it ‘may well decide to stagger its inquiry and consider and report in stages on the various issues raised by this paper and those identified by submissions’.
The Committee comprises the following Members of the Legislative Assembly (MLAs): Judy Gamin (Burleigh), Chairman; Darryl Briskey (Cleveland), Deputy Chairman; Frank Carroll (Mansfield); Ken McElligott (Thuringowa); Glen Milliner (Ferny Grove); and Fiona Simpson (Maroochydore).
The Committee’s Research Staff is Neil Laurie (Research Director), Kerryn Newton (Principal Research Officer), David Thannhauser (Senior Research Officer) and Maree Lane (Executive Assistant).
Section 4 of the Parliamentary Committees Act 1995 establishes the LCARC as a statutory committee of the Legislative Assembly, with broad areas of responsibility including administrative review reform, constitutional reform, electoral reform and legal reform (s 9). Within this scope it is for the committee to determine which issues it will consider. In December 1996 it resolved to conduct an inquiry into the protection of privacy in Queensland.
The Issues Paper contains a useful review of privacy laws throughout Australia and overseas. In discussing international developments it notes that ‘the predominant view is that Australia’s current privacy laws are ‘inadequate’ for the purposes of the European Directive’ and that ‘this has given rise to many commercial concerns’. It also notes, in relation to the OECD’s Cryptography Policy Guidelines released earlier this year, that the OECD recommended that ‘governments should not use restrictive cryptography policies to impede the free flow of data across borders’, and that ‘if adopted this could have ramifications for law enforcement agencies in their control of the level of encryption used on data transmitted through Australia’. The OECD recommendation that users of cryptography should be free, subject to applicable law, to select and implement a key management system that suits their needs, ‘if adopted ... may restrict government control of key management systems whereby it holds in escrow copies of keys used to scramble and unscramble data’.
Further, it was recommended that governments should encourage and co-operate with businesses and the research community in the development of cryptographic methods and that development of technical standards for cryptography should be ‘market driven’.
The Committee reviews what it considers to be the four main options for privacy protection.
It says a statutory tort of privacy has been introduced in British Columbia and Manitoba although there are few reported decisions as to the use of those rights. It notes quite a few reasons not to introduce such a tort, and none in favour:
On the establishment of a privacy committee or privacy commissioner, it notes that:
... the advantages of a privacy committee as opposed to a privacy commissioner would be that, to ensure a balanced approach, members could be drawn from both the public and private sectors. Members could also be selected for their expertise in information technology, an area in which an increasing number of privacy concerns are arising.
Queensland had a Privacy Committee from 1984-1990 when it ceased to exist under a sunset clause in the Privacy Committee Act 1984 (Qld). Although the Committee does not say this, no one ever noticed its existence or demise.
Information privacy principles (IPPs) such as in the Commonwealth Privacy Act 1988 have advantages, according to the Committee:
... their ability to be continually reviewed and, if necessary, updated to meet privacy issues as they emerge; their potential to be drafted broadly to extend beyond solely information privacy issues; and the possibility of adaptation to cover specific activities, industries or professions.
While IPPs could be implemented administratively (in which case they would only cover the public sector), ‘the disadvantage ... lies in the fact that they are unenforceable’. The Committee says that ‘administrative costs would also be a consideration including costs associated with implementing new systems and practices, and possibly the appointment of privacy officers in all agencies and/or organisations’.
Concerning self-regulation by industry codes, the Committee notes that:
Whilst the advantages of self-regulated industry or sector-specific codes include flexibility, opportunity for community consultation, government involvement and constant review, again the major disadvantage lies in their ability to be enforced.
After noting that implementation of the proposals in the Commonwealth’s Discussion Paper would have meant that ‘state privacy legislation covering the private sector would not be necessary’, but that the Prime Minister had reversed the Commonwealth’s approach, the Committee states that ‘it will now be a question for each state to determine the manner in which it will regulate privacy protection in the private sector’. The Prime Minister’s call to the States not to so legislate, and his claim that Queensland had acceded to his request, are not mentioned in the Issues Paper.
While noting that ‘a number of industries have themselves introduced privacy codes of practice’, the Committee concludes:
Consistency in requirements and standards between the states has been argued as highly desirable. This is because a state-by-state approach is not only potentially administratively cumbersome and expensive, but could be to the detriment of interstate trade and, given the 1995 European Directive, also to international transactions. Additionally, claims of discrimination and/or competitive disadvantage could be made by businesses if their home state introduced privacy legislation whilst their competitors’ home states did not.
The Committee summarises the current privacy policies of the Queensland parties as follows:
The former Goss government had apparently also directed in June 1995 that an interdepartmental working group be formed to give consideration to certain privacy matters. Whilst it is understood that that group forwarded its report to the then Attorney-General in December 1995, the change in state government occurred before that report was considered. Since that time there has not been any publicly released policy in relation to privacy by the Opposition.
While the Committee is investigating the whole range of privacy issues, it singles out the following as matters of special concern: visual and aural surveillance, both in public and private places (and ‘the limited protection’ of the Invasion of Privacy Act 1971 (Qld)); telemarketing and direct marketing; the workplace including surveillance, privacy of employment records and requirements for employees to undergo drug, medical and genetic testing; medical records and rights of access to them; and genetics including the use of genetic tests for purposes such as health care, medical research, insurance, determination of paternity and identity, employment and law enforcement.
The Committee also devotes considerable attention to smart cards and the NSW Privacy Committee’s report Smart Cards: Big Brother’s Little Helpers (1995). It notes that:
Since the release of that report there have been a number of efforts by private industry sectors and groups to implement codes of practice with respect to the use of smart cards. However, there have been comments that these self-regulatory codes will not be effective without legislative backing such as that initially proposed for the private sector at the commonwealth level.
No doubt it will be a challenge to develop policies or legislation which can accommodate the entire spectrum of smart card applications. As noted by the NSW Privacy Committee, the ‘borderless’ nature of smart cards would also make it desirable that there is a measure of uniformity across the states.
Consideration must also be given to other electronic payment schemes. At least one such scheme concerning electronic funds transfer is currently regulated by a voluntary code of practice which was first implemented in 1989. It has been suggested that this should be extended to incorporate smart cards with similar applications. Suggestions have also been made that in order to regulate the use of other forms of electronic cash, a similar but suitably adapted code of practice may be appropriate.
If the serious nature of this Queensland enquiry is any indication, there is little chance that State legislators will simply vacate the field of privacy regulation in relation to the private sector, and leave it to voluntary codes of conduct.
Further, as indicated in the ‘Twenty two questions from Queensland’ attached, business and consumer organisations are starting to face the prospect that most say they dread: serious and complex privacy enquiries in various States and Territories which are potentially leading toward a plethora of regional or subject-specific privacy laws.
Graham Greenleaf, General Editor.
Submissions should be forwarded to The Research Director, Legal, Constitutional and Administrative Review Committee, Parliament House, Brisbane, Qld 4000; tel: (07) 3406 7167; fax: (07) 3406 7691; email: email@example.com. The closing date for submissions is 1 August 1997. Submissions may be tabled by the committee in the Legislative Assembly or otherwise be publicly released. Therefore, all requests for confidentiality should be clearly marked. All submissions to the committee become the property of the committee and cannot be released without the committee’s authorisation.