Privacy Law and Policy Reporter
The Privacy Commissioner's submission opens with the statement that `I very much welcome this initiative which will, when implemented, bring Australia into line with the position in most modern democratic states. I agree with the broad outline of the regulatory regime proposed in the discussion paper. Information privacy protection should be based on a set of general principles supplemented as necessary with binding codes. This approach is likely to provide a relatively simple but adequately flexible framework.'
Although the Commissioner's submission generally follows the order of the Discussion Paper, the edited extract below deals with reforms to the IPPs. The next issue of PLPR will include extracts from the submission dealing with other next issue of PLPR will include extracts from the submission dealing with other aspects of the Discussion Paper. Some headings have been edited for publication purposes (General Editor).
In the main, the existing IPPs in the Privacy Act could be effectively applied with little amendment to the private sector. I do not support two sets of privacy principles, one for the private sector and one for the public sector. There is an increasingly strong case for a universal approach because:
There may be some areas where the way the IPPs would apply to the private sector requires a distinction to be drawn. In these places some measures will need to be taken to clarify the application of the principles, either by way of legislative amendment or by administrative interpretation.
The requirement in IPP 1.1(a) that the purpose of collection be directly related to a function or activity of the collector provides more of a discipline in the public sector than in the private sector. The functions and activities of government agencies are often limited by legislation, which often sets them out in considerable detail. But since private sector collectors of personal information are able to decide for themselves what their functions and activities are, this requirement will be satisfied almost as a matter of tautology. It is difficult to imagine that a private sector organisation could ever be found to have collected information for a purpose not directly related to one of its activities, however undesirable that collection might be.
Moreover, it needs to be considered what `lawful purpose' means in relation to a private sector organisation. `Lawful purpose' can mean little more than `a purpose not prohibited by law'. IPP 1.1(a) is therefore unlikely to constrain the purposes for which private firms may collect personal information, unless further guidance is given as to how specifically purpose must be defined.
IPPs 1.1(b) and 1.2 can be applied satisfactorily to the private sector. IPP 1.1(b) appropriately requires a strong link between the collection and its purpose. The meaning of `unfair' in IPP 1.2 will require interpretation. In guidelines to IPPs 1 to 3, I have referred to deceptive or intimidatory collection practices. This has proved to be a workable interpretation aimed at clear abuses.2
The thinking behind this principle is made clear in the Law Reform Commission's 1983 report Privacy, which notes:
In general, the person from whom information is collected should be given enough information about the consequences of providing the information to the collector to allow him to make a considered judgment on whether or not to provide the information.3IPP 2(c) and 2(e) together make it likely that a person will have a fairly good appreciation of what may happen if he or she does provide the information requested. But a considered judgment about whether or not to provide the information also requires that the person knows what may happen if he or she does not provide the information. This is not a requirement of IPP 2 in its current form. By contrast, the corresponding principle in the NZ Privacy Act requires a collector to take reasonable steps to ensure that the person is aware of `the consequences (if any) for that individual if all or any part of the requested information is not provided'.4
The absence of such a provision is a significant gap in the existing IPPs. I support inclusion of such a provision, to apply both to the private sector and to government agencies.
If someone wants to find out what categories of records of personal information a business holds, they should be able to do so but, depending on the scale and type of the business, this may not always require the maintenance of a documentary description. For many businesses, especially the 800,000 small businesses in Australia, such a requirement would constitute an additional compliance task which is likely to be of limited if any benefit. Only rarely would someone wish to see a description of the records of personal information held by a motor repair business or a hairdressing salon.
Options that could be considered include:
The effects of extending IPP 5.4 to the private sector should also be carefully considered before the Act is extended. The underlying objective of IPP 5.4(a) -- that a member of the public should be able, on request, to find out in general terms what sort of personal information is held by an organisation -- is satisfied by IPP 5.1. To the extent that a private sector organisation is required to keep a record under IPP 5.3, that record should be available for inspection, and IPP 5.4(a) should be retained. But I do not believe that it would be appropriate to retain in their present form --
For the Privacy Commissioner to collect each year and store records from each organisation covered by an extended Privacy Act, or even a small subset of such organisations, would be an unrealistically large administrative task. It is unlikely that any achievable level of resources would be sufficient for its accomplishment. Similarly, publishing a compilation of such records would be an impractically large task. Even if sufficient resources were available, it is very doubtful whether fulfilling these requirements would be an effective allocation of resources.
There will be need for corresponding provisions for the private sector and other detailed provisions to deal with other aspects of the application of the principle to the private sector. It is important that IPP 6 be expressed in broad, simple terms with a separate part of the Privacy Act dealing with detailed law in relation to the private sector.
Comments on the exceptions and procedures proposed are in the next part of this article (General Editor).
A record-keeper ... shall not disclose ... information ... unless ... the individual concerned is reasonably likely to have been aware, or made aware under Principle 2, that information of that kind is usually passed to that person, body or agency.The effect of this exception is that, currently, agencies can make disclosures of personal information that are unrelated to the purpose for which the information is held, and which may go well beyond the reasonable expectation of the individuals concerned, simply by telling them that disclosures of that type are `usual'. An agency could also seek to argue that even without specific notice, individuals could be assumed to be `reasonably likely to be aware'.
The availability of this exception represents a significant qualification to the idea that informed consent (exception (b)) should normally be obtained for secondary disclosures, other than where the other specific public interest exceptions ((c)-(e)) apply. In making this observation, I should indicate that there have been complaints against federal agencies which I have resolved in favour of the agency relying on this ground.6
In practice, I have had some success in encouraging agencies not to rely on the notice element of exception (a) as a the sole basis for disclosure. Where I have not succeeded, it has proved difficult to explain or justify why simply notifying individuals offers any meaningful privacy protection, particularly where they have no choice but to give their information to an agency.
If the notice facility provided by exception (a) to IPP 11.1 becomes available to the private sector, a Commissioner would find it difficult to prevent its widespread use as a basis for disclosure practices which went beyond the reasonable expectations of individuals, for such activities as building reference databases and direct marketing. Although in theory, individual consumers should be able to decline to do business with an organisation that offered them no real choice, this is unlikely to be an option in reality, particularly if all the main service providers in a market followed similar practices.
My suggestion would be to remove the notice element, at least, of the current exception (a). It would then remain open for organisations to justify the inclusion of a `notice only' exception in a code of practice for a particular sector or activity.
IPP 11.1(e) reads:
1. A record-keeper who has possession or control of a record that contains personal information shall not disclose the information to a person, body or agency (other than the individual concerned) unless: ...First, responsibility for abiding by this principle currently rests with the agency disclosing the information. If the Privacy Act is extended to cover the private sector and a similar arrangement holds, it will be left up to the judgment of each organisation, when approached by law enforcement bodies seeking personal information under these exceptions, to judge whether it is `reasonably necessary' to disclose the information. In most cases the information an organisation needs to make this judgement will simply not be available and a likely default response is to disclose the personal information on an assurance from a law enforcement agency that the disclosure is indeed `reasonably necessary'.
(e) the disclosure is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue.
Second, I have long been concerned about the use of IPP 11.1(e) to legitimate bulk disclosures of personal information for use in data-matching exercises, as was the House of Representatives Standing Committee on Legislative and Constitutional Affairs when it recommended in its report In Confidence that -- uniform controls for data-matching carried out by Commonwealth Government agencies should be made a legal obligation and be incorporated into the Privacy Act 1988.7
Such data-matching involves the disclosure and automated scrutiny of the personal information of many thousands of people whose activities are entirely legitimate. I am strongly of the view that disclosure of personal information for such exercises should take place only as required or specifically authorised by law and I support amendment of the IPPs to reflect this view.
The discussion paper proposes the adoption of an additional IPP to ensure that an organisation does not retain personal information for longer than necessary for purposes for which the information may lawfully be used.
A principle that explicitly addresses the question of how long personal information may be retained would make it much clearer that appropriate disposal of records is an integral part of responsible information management. It would also add to the coherence of the IPPs by explicitly including the last stage of the information life cycle -- collection, retention (including access, use and disclosure) and destruction.
I support the inclusion of a principle along the lines suggested in the discussion paper.
Such databases raise a number of important privacy issues.
First, personal information is compiled, not from the individual directly, but from an organisation with which the person has had dealings, and usually involves the compilation of personal information negative to the individual.
Second, people often do not know that the database exists. There is no obligation -- on the keeper of the database, the suppliers of the information or its users -- to inform the subjects of the information that the database exists. The extension of the existing IPPs to the private sector will not alter this situation -- IPP 2 requires agencies to provide the subjects of a collection of personal information with certain information, but only when the information is solicited directly from the subject. Access and correction rights are worthless if there is no way for a person to find out that his or her personal information has been collected in the first place.
Third, people currently have no access and correction rights. This would change if the Privacy Act were extended to cover the private sector.
Fourth, data quality is often poor. Information appears to be entered on some databases without checks of its accuracy. It is not certain that the existing IPPs will adequately redress this problem. IPP 8 reads:
A record-keeper who has possession or control of a record that contains personal information shall not use that information without taking such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate, up to date and complete.But this provision may not apply to a business that accesses a reference database and makes a decision about service provision based on the information it finds there. If no copy of the information were made, such a business could be regarded as not being in `possession or control' of the record.
Fifth, comments of a subjective nature are often recorded, such as opinions about a person's behaviour or character. Irrelevant information can easily be recorded, leading to unfair or discriminatory outcomes. IPP 3(c) imposes an obligation to collect only relevant information, but this applies only where an organisation is collecting directly from the information subject which is not the case with reference databases. The relevance requirement in IPP 8 is subject to the same doubts as the accuracy requirement.
Sixth, decisions may be made about people without them having any opportunity to know the basis of the decision.
While I acknowledge that there is often an industry need served by reference databases, there is a clear need for privacy issues to be addressed.
I believe that an extended Privacy Act should contain a principle aimed at the regulation of all such databases. An alternative would be specific controls -- of the same nature as those in the existing Pt IIIA of the Privacy Act, though not in such detail -- applying to all reference databases. If the Act is extended to cover the private sector without either of these options being taken up, I would suggest that reference databases be addressed by the Privacy Commissioner in a code of practice as a matter of some urgency.
It is, therefore, an inherently privacy-intrusive practice. This has been recognised:
There are a number of principles that could serve to minimise the risk to personal privacy posed by data-matching activities, including:
In line with the NZ model, I would support a proposal explicitly to address data-matching in the Commonwealth Privacy Act.
If the Act is extended to cover the private sector without this being done, I consider that it would be appropriate for the Privacy Commissioner to address data-matching issues in a code of practice.
There are a number of privacy issues raised by the keeping of public registers.
Information from a public register may be accessed in bulk and combined with information from other public registers or other sources to develop a more detailed `dossier' on a particular person or set of people. Individuals are often surprised and alarmed to find that information about them obtained from public registers is used for purposes far removed from the original objective of the register. Examples include:
Sensitive information may be inappropriately made publicly available on a public register, for instance, name and address information in relation to jury members, judges, lawyers, public figures and victims or potential victims of domestic violence.
The main challenge is to restrict the use of the register information to that necessary to achieving its public purpose.
The number of inquiries, most of them out of jurisdiction, received by the office of the Privacy Commissioner about the use of public register information suggests that it would be appropriate to consider a response to the issues set out above. The House of Representatives Standing Committee on Legislative and Constitutional Affairs report, In Confidence, also recommended that the Privacy Commissioner co-ordinate a review of the reasons for allowing access to public registers, particularly where technology permits the information contained on public registers to be used for purposes in addition to that for which it was collected. The review should also consider whether any limits need to be imposed on access to public register information or on the purpose for which such information can be used.13
Appropriate limitations on the re-use of public register information, such as are already contained in some statutes, would have the effect of prescribing the purposes for which private organisations or individuals could lawfully collect the information under IPP 1, and thus flow through into the operation of the other IPPs.
I take the view that the possibility of introducing public register principles should be considered in the process of developing an extended Privacy Act. If the Act is extended without public register issues being addressed, I consider that it would be appropriate for the Privacy Commissioner to address [public register] issues in a code of practice (provided that it is possible for a code to apply to personal information contained in a generally available publication).
Unique identifiers are perhaps the single most potent tool for bringing together information about a single individual from a number of different sources. As such they represent a major privacy concern, as the Australia card debate vividly demonstrated only ten years ago. Of course, organisations must be able to use unique identifiers to manage their affairs and identify their clients. But there is no reason why unrelated organisations should be able to use a consistent person-numbering system, and a powerful privacy reason why they should not. I believe that the second and fourth of the NZ principles are the most important and I would support the inclusion of principles along those lines in an extended Australian Privacy Act.
Kevin O'Connor, (then) Commonwealth Privacy Commissioner.
1. Law Reform Commission, Privacy (Report number 22), Canberra, 1983, vol 2, pp 265-266.
2. Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 1 to 3, Sydney, 1994., pp 9-10.
3. Law Reform Commission, Privacy (Report No. 22), Canberra, 1983, para 1210.
4. Privacy Act (NZ), s 6, Information Privacy Principle 3(1)(f).
5. Retained on p 22 of the discussion paper.
6. One related to a complaint about on-forwarding of a personnel file (containing some negative material) when an officer changed agencies. Another related to the making of public comments by a Minister after a complainant had gone public with certain aspects of the complaint.
7. Recommendation 23.
8. Privacy Commissioner, Eighth Annual Report on the Operation of the Privacy Act, Sydney, 1996, pp 34-35.
9. Privacy Commissioner, Guidelines for the Use of Data-matching in Commonwealth Administration, 1995.
10. House of Representatives Standing Committee on Legal and Constitutional Affairs, In Confidence: a report of the inquiry into the protection of confidential personal and commercial information held by the Commonwealth, Canberra, June 1995.
11. Part X of the Privacy Act 1993.
12. Section 59.
13. House of Representatives Standing Committee on Legal and Constitutional Affairs, In Confidence: a report of the inquiry into the protection of confidential personal and commercial information held by the Commonwealth, Canberra, June 1995. Recommendation 34.
14. Information Privacy Principle 12.