Privacy Law and Policy Reporter
This speech by the Commonwealth Privacy Commissioner was delivered to the Commonwealth Heads of Agencies Meeting in the NT on 21 May 1997, adapted from a presentation to the IIR ‘Privacy and Data Protection’ Conference in Sydney on 13 May.
Some sub-headings have been added to and amended from the original text (General Editor).
On the night of 13 May the Treasurer announced in the Budget that [funding for] the Human Rights and Equal Opportunity Commission is to be cut by about 40 per cent. There will need to be a complete review of all of the Commission’s functions to assess where the cuts will fall. I imagine that no area will be immune from some level of cuts.
The speech that follows will need to be seen in the light of those cuts. The extra tasks which the Government has given me will now be even more problematic. When we had thought the Privacy Act would be extended to cover the private sector, we were expecting extra resources. Rather, we are now faced with significant cuts. Further to the review of our functions, I will be announcing which of the following tasks I will no longer be doing.
I have been Privacy Commissioner for 14 weeks now and I would say it has been a bit of a roller coaster ride. I have experienced:
The ride hasn’t always been smooth and I didn’t expect it to be. But neither did I expect when I took up the job that my idea of what lay ahead in my role as Privacy Commissioner — and just about everyone else’s idea as well — should change so quickly and significantly.
Nonetheless, it’s only the expectations that have changed. The role itself is pretty much the same. I will talk about that role and how I am approaching it generally. But as I am now operating with different expectations to those of the conference organisers when they put together this program, I think I should focus in particular on my priorities and tasks following the shift in the Government’s policy on protecting privacy.
The functions of the Privacy Commissioner are set out in the Privacy Act in a four-page list that ranges from the very specific to the remarkably general. Having studied that list carefully, I can assure you that you are lucky that the subtitle of this talk is ‘in her own words’. So, in my own words, I would summarise the functions as essentially covering six areas of responsibility:
In many respects, I intend to build on the good work of my predecessor, Kevin O’Connor, in undertaking these functions. My approach can probably best be described as having a ‘people focus’. If you handle people, relationship, involvement and consultation issues, you can’t go far wrong.
So what are my particular priorities as they relate to the functions I am appointed to perform?
So, when it comes to dealing with complaints, for example, I’m building on the consultative approach that has worked so well in the past. I think it’s appropriate that all but a couple of complaints under the Privacy Act have been handled by conciliation rather than needing the parties to go through the expense and delay of court proceedings.
As far as I’m aware, the main down-side of handling complaints in this way is that there have not been regular reports to the wider community about how the law is being interpreted by my office. A similar observation could be made about the policy advice that my office provides. I know that Kevin O’Connor’s annual reports aimed to provide a full account of developments in this regard and I will be looking at ways to build on this.
When it comes to my role in auditing how well organisations comply with the requirements of the Privacy Act, I intend to continue the practice of using the audit process as primarily an educative tool. It may be of interest to you that last year I was the member of the Management Improvement Advisory Committee who spoke at the launch of a publication called the Guidelines for managing risk in the APS produced by the Committee and the Management Advisory Board. I was on the speaking platform with Max Moore Wilton (Secretary of Prime Minister and Cabinet) and Pat Barratt (Federal Auditor-General). Just so you don’t think I have the fervour of the newly converted, I will tell you what I said back then.
I was commenting that:
A ‘gotcha’ approach to audits of taxpayers is not appropriate ... an ideal in the tax system would be for us to work with taxpayers so that audits are either unnecessary or at least there are no surprises.
I also congratulated the approach of the Australian National Audit Office in recent times. I argued that using audits as an educative tool would assist agencies to become ‘learning organisations’.
Similarly, now, in the privacy context, if agencies or businesses can be encouraged to incorporate privacy principles and the associated work practices as part of their system of corporate governance, it just makes good business sense. I would like one day to be able to publish what could be called ‘best practice’ reports as guides on how to be privacy sensitive and efficient as well.
In the short term, a major challenge for my office is in meeting the auditing responsibilities conferred by the new telecommunications laws that come into effect on 1 July. From that date, a new arrangement will be set in place for the disclosure of information by telecommunications carriers and service providers to law enforcement agencies and revenue protection authorities. Essentially, if those authorities certify that it is reasonably necessary for them to gain access to the information, they can get it, but the carriers and the carriage service providers have to keep a record. I have been given the task of monitoring those records and reporting to the Minister as necessary. This could be quite a responsibility — I have been told that Telstra gets about 150,000 requests a year from law enforcement agencies for information about its customers.
Perhaps the biggest challenge for me will be in promoting the development and implementation of good privacy practices in the wider community without the certainty and consistency of standards that a national privacy law could have provided. The reasons why so many people have been calling for the introduction of a nationally consistent and enforceable privacy regime are still valid. I remain of the view that a legislatively based ‘co-regulatory’ approach would best meet the needs of both business and consumers.
This is not to say that I was in complete agreement with everything in the discussion paper prepared by the Attorney-General’s Department, even though it proposed a co-regulatory approach. I, like my predecessor (and probably like everyone else who responded to that paper) felt that it is not appropriate to apply the Information Privacy Principles, as they currently appear in the Privacy Act, holus bolus to the private sector. But I believe it should be possible to devise a statutory regime that can achieve best international practice in protecting privacy while being neither onerous nor costly.
While the Government has decided against what we might call ‘omnibus’ legislation to cover the private sector, I still see a possibility of moving forward on privacy protection which is more tailored to different needs in different sectors. I have not ruled out the prospect that there will ultimately be legislation, because people generally will want it, at least for some segments. This is to some extent already happening.
For example, while it is one thing to not extend privacy law to the private sector, it is another thing completely for there to be a watering down of the existing system of protection of information held by the Government. A major issue for the Government, therefore, has been to ensure that privacy protections are not watered down as a result of the contracting out of government services.
This has gained media attention in recent weeks, but the last Government faced a similar challenge. In December 1994, private sector and community organisations began providing case management services on behalf of the Commonwealth to the long-term unemployed. A variety of mechanisms were put in place to ensure that privacy continued to be protected. Contractors have to comply with detailed agreements under the Employment Services Act, and with information management rules issued by the Employment Services Regulatory Authority. In addition, the Privacy Act was amended to require them to comply with the Information Privacy Principles in respect of their work for the Commonwealth.
The current Government is taking a similar approach in this area. As part of its labour market reform initiatives, the existing case management system is to be replaced with one designed to establish a fully competitive market for employment assistance. It will be built on elements of the previous arrangements, and the role of the contracted case managers under the old scheme will be performed by ‘employment placement enterprises’ which will also be subject to the Privacy Act.
In addition, the Parliament also currently has before it the Hearing Services and AGHS Reform Bill 1997. This proposed legislation brings both the new company replacing the Australian Government Health Service, and the accredited hearing service providers engaged under the Hearing Services Administration Act, within the ambit of the Privacy Act in a similar way to the employment case managers.
Also, it appears that the coverage of the Privacy Act is likely to be extended again following the government’s decision to outsource information technology services. The Minister for Finance has announced that privacy would be protected using contractual guarantees and through an amendment to existing privacy legislation. I am uncertain about whether this decision is about outsourcing generally, or only the outsourcing of information technology services. I am seeking clarification on this issue, though I have had no signal from the Government that it wishes to weaken the existing privacy system.
You may be aware that two separate reviews of the administrative law implications of the contracting out of government services are currently underway. One is by the Administrative Review Council, which has issued a discussion paper on the subject, and the other is by the Senate Finance and Public Administration Committee. I contributed to both reviews and you are welcome to contact my office if you would like a copy of my comments.
A quite different approach to protecting privacy was taken by the Government when devising the Private Health Insurance Incentive Scheme. In legislation that was passed by Parliament last month, the Health Minister now has the power to specify principles that the health funds must comply with regarding the acquisition, storage, security, use and disclosure of personal information for the purposes of the Private Health Insurance Incentive Scheme Act. We will be involved in discussions about how this might work.
However, concerning medical records generally, the Government has proposed developing a voluntary code that embraces privacy principles similar to those in the Privacy Act. I have put the view that a legislative solution is necessary. Health is special. I won’t go into the arguments here, but if you are interested, my office can give you a copy of a submission I made on the subject to the Senate Community Affairs Committee last month. (The US sees the priorities in privacy protection as being in the health area and in the targeting of children through, for example, the Internet.)
In the new telecommunications regime, privacy will be protected through a combination of voluntary codes and black letter rules. The rules apply to the use and disclosure of personal information by carriers and carriage service providers. They are an expanded and somewhat modified version of the rules in the old Telecommunications Act. In addition, there are provisions for codes which address both personal information privacy and intrusion issues. These codes are voluntary in the first instance, which means it is up to the industry to come forward with them. But if a code is not developed in an area where the Australian Communications Authority, as the new regulator, thinks there should be one, or if the code is considered deficient, the Authority can issue legally-binding standards. The Privacy Commissioner has to be consulted in the development of privacy codes under this regime. The industry sees the development of privacy codes as a priority — particularly in the absence of a comprehensive privacy law — and discussions to this end have already begun.
As far as my ongoing work with the private sector is concerned, the most constructive way forward is to work with business and others in the community. Over the years, my office has devoted considerable effort to assisting business and industry sectors which have taken steps to introduce good privacy practices on a voluntary basis. There have been some successes, which I would like to build on. While there are concerns about compliance costs for business, I would like to explore this issue further. There are already companies implementing good privacy practices, both here and overseas, for whom benefits are seen to outweigh any costs incurred.
However, there have been cases in which the results have fallen short of the standards which individuals should be able to expect. The process has been piecemeal, slow, and resource-intensive, as for each case there is a need to identify appropriate standards, training requirements and dispute resolution mechanisms. Concerns also remain about whether it is possible to achieve industry-wide compliance with a voluntary code.
While I am happy to continue to assist in the development of voluntary privacy practices, I am acutely aware of the concern within the private sector about the need for consistency. I must also be realistic about what resources I can allocate to this activity. Accordingly, I have been considering the desirability of framing some privacy principles that could be applicable across the private sector.
The Attorney-General’s Department’s discussion paper generated a lot of discussion and thought about what these principles could look like and it would be a shame to start again from scratch. So, I have asked my staff to have a look at the responses to that paper to identify the points of agreement and disagreement. Depending on the level of support for the exercise, I would be prepared to work with stakeholders to formulate some agreed principles.
I am confident we could develop a scheme which both achieves adequate privacy standards and minimises red tape for business. We will be reliant on goodwill on all sides to achieve this. While the scheme would be developed for voluntary application and self regulation in the first instance, it must, in my view, be of a standard equivalent to international best practice (including being able to meet the terms of the European Union’s Directive), and be able to be given statutory effect if, and when, the Government decides to pursue this route. This approach would also ensure a level of national consistency which has been requested by business and which is clearly desirable for consumers.
Of course, it is one thing to get agreement on a set of principles, and I think we could do that without too much angst. But what will be the mechanisms for complaints and enforcement? This is the most problematic part with voluntary codes. In a self-regulatory regime, it is possible for, say, industry associations to set up complaint mechanisms that do have bite. They can also set up processes for independent audits of compliance. But how do you control the mavericks, the ones who stay outside the system? And how does it work in areas not covered by such associations?
The Attorney-General’s discussion paper suggested a legislated approach in which I would have had the role of handling complaints and audits. Alternative models could provide for maximum levels of self regulation, with only a last resort being to an independent person such as myself, or to an industry body (including consumer representatives) which fulfils this role. Canada appears to be suggesting a very light handed legislative approach of this kind.
Or there’s the Government’s approach of total self-regulation, without any legislated mechanisms, for the private sector generally, though some from industry have warned that if they are to comply with voluntary codes, they will want those who don’t comply to be brought into line in some way. This will require considerable discussion to find a way through.
As a starting point, in the development of voluntary codes or standards, I have initiated a series of meetings with both business and consumer groups. I have found these meetings to be very informative, interesting and productive and I would like to keep the lines of communication open.
I also recently attended a meeting of a committee set up under the auspices of the International Standards Association (ISO) to look into the desirability and practicality of the ISO developing international standards relevant to the protection of personal information. The Committee is interested in particular in the Model Privacy Code issued by the Canadian Standards Association.
I do not yet have a settled view on this. On the one hand, the existence of international standards could provide some certainty for companies involved in international trade. On the other hand, internationally agreed privacy standards have existed since 1980 in the form of the OECD guidelines on the protection of privacy and transborder flows of personal data. I also feel that it is desirable to promote consistency within Australia. For example, if companies working under contract to the Commonwealth have to comply with the principles under the Privacy Act in respect of the services they are delivering pursuant to those contracts, it makes sense to ensure that the privacy protections they have in place for the rest of their operations are of a similar standard.
In any case, I want to keep consulting with industry, consumers, privacy advocates and the Government on improving privacy protection and maybe together we can find a way to make all the pieces of the jigsaw fit.
In the meantime, as far as my role in advising Government on the privacy implications of proposed policies and legislation, in many respects it’s back to business as usual. In effect, this involves taking a case-by-case approach and monitoring incremental changes. I will be doing my best to encourage consistency in the way that privacy issues are addressed but at the end of the day there is a risk that the results will be a collection of the different outcomes of different negotiations with different stakeholders at different points in time.
The Privacy Branch has always been able to find resources to conduct research into a range of privacy related issues in order to assist the process of public education and public debate. Research papers, or research done to be delivered as speeches, have been produced on topics as diverse as genetic testing, smart cards, access to medical records and video surveillance.
It is certainly my hope that this effort will continue — though resource pressures are likely to impact on this essential area of activity.
The publishing of guidelines is also an area where there is essential work to be done, such as the data matching guidelines, and there is voluntary work to be done. The creation of guidelines is of course an effective way of bringing practical application to the law.
So you can see that, despite the fact that my role as Privacy Commissioner is not as I thought it would be at the time I was appointed, it still is a challenging and interesting area of work. It is, in fact, more of a challenge that, rather than simply implementing a new piece of legislation, I am having to call on a range of consultation and negotiation skills. The way forward is to bring people together, listen to different people’s perspectives, address perceived or real problems and design for Australia a privacy system which is as good as international best practice.
Recently the people in my Privacy Office worked on a vision for privacy in Australia. This was after the Government’s decision not to legislate for the private sector at this time.
Though the exercise is not yet completed, we were generally of the view that the following elements of the vision were important:
It is my hope and my aim that through the activities I have described above, we will work our way towards that vision for privacy protection in Australia.
Moira Scollay, Commonwealth Privacy Commissioner.