Privacy Law and Policy Reporter
A national scheme for fair information practices in the private sector
There is increasing awareness, both in Australia and overseas, of the privacy implications of new information technologies. This has led to mounting pressure to ensure that those technologies are introduced in ways which respect the expectations of individuals in relation to the handling of their personal information.
Consumers want to know how the information they give to business will be used, and they want to be confident that their personal information will be protected against misuse. Businesses want to build loyalty and trust with their customers by assuring them that their information will be handled fairly. They also want to be certain that their competitors will not either undermine the image of their industry, or put them at a commercial disadvantage, by misusing personal information.
Australian businesses also want to be sure that there can be a free flow of information in the international trade setting, which requires that our trading partners have confidence that Australia has adequate practices for handling personal information. Businesses and governments wanting to encourage their customers to use electronic commerce and electronic service delivery need to assure them that their information privacy will be protected.
There is now a broad consensus that this issue needs to be resolved urgently as part of the essential enabling framework for the new information economy.
Over the past 25 years, many countries have introduced privacy and data protection laws. In Australia, the Privacy Act already covers some private sector activities, with special rules in relation to credit reporting and tax file numbers. The Act also applies to Commonwealth and ACT Government agencies and some private contractors handling personal information on behalf of government. It is soon to be extended to all contractors.
In September 1996, the Attorney-General’s Department released a discussion paper on a possible approach to privacy protection in the private sector more generally. Over a hundred submissions were received, many making valuable suggestions about how the existing Privacy Act could be adapted to apply to the private sector.
In March 1997, the Federal Government announced that it preferred voluntary self-regulation to address this issue because of concerns about the costs of compliance with a legislatively based scheme.
The scheme presented in this consultation paper attempts to provide a viable self-regulatory option, but it is designed to be compatible with existing Commonwealth privacy laws and any further legislation which might be considered necessary in particular sectors, States or Territories. There is a national interest in resolving the uncertainty over what standards will be required as soon as possible, and it is essential for our future as an advanced information based economy that these standards are as consistent as possible across all sectors, and throughout Australia. Therefore, a central aim is for this scheme to be the Australian scheme for the private sector, to avoid a patchwork of approaches which would add unnecessary uncertainty, complexity and cost.
The Scheme deals with the fair and responsible handling of personal information. Put simply, this means:
The National Scheme for Fair Information Practices in the Private Sector put forward in this paper is about giving individuals more control over the way in which their personal information is handled, and ensuring they are treated fairly. It also sets out the opportunities for businesses and the responsibilities they carry and addresses a possible role for government in setting the necessary enabling policy framework.
The scheme consists of three components:
The paper actively confronts and addresses the issue of costs to business. The scheme aims to ensure adequate protection for individuals with minimal red tape.
The scheme seeks to use existing self-regulatory codes and complaint mechanisms where they exist. Where business sectors already have ways of ensuring compliance with codes of behaviour, they are to be used. In sectors where no complaint or compliance mechanisms currently exist, the paper suggests some choices for how to proceed. The choices involve either purely business based solutions, or some involvement for government. These choices require further debate.
The paper draws on an analysis of the many valuable responses to the discussion paper Privacy Protection in the Private Sector, issued by the Federal Attorney-General’s Department in September 1996, and on subsequent consultations with many different businesses and peak organisations, as well as consumer and privacy groups.
The paper recognises, and attempts to deal with, the legitimate concerns and criticisms that have been raised about the practical application of information privacy principles to commercial activities and business administration. But it also seeks to reassure and remind business that all of these concerns have already been adequately addressed elsewhere in the world, and within government administration in Australia. Some of the concerns raised have been based on a misunderstanding of information privacy principles and how they work in practice.
Agreement on a National Scheme for Fair Information Practices will build consumer confidence and release a significant brake on the adoption of new technologies.
The Overview may well be sufficient for some readers, as it provides a summary of what the scheme is trying to achieve and the essence of how it will work.
For readers who ask the question ‘Why do we need a fair information practices scheme?’, Part 1 What is Information Privacy and How can We Protect It? has been included. It explains the background to the current state of privacy law and policy in Australia, and makes the case for fair information practices to apply in the private sector. It explains why there is a general consensus that market processes require some assistance to deal adequately with business and consumer concerns.
Part 1 also explains how compliance costs can be minimised, by a sensible timetable for phasing in any new requirements, and by piggy-backing on other communications with customers, existing staff training etc. At the same time, it must be recognised that there will be some initial compliance costs associated with the scheme, and modest continuing costs. But these will be proportional to the scale of information handling — only major information intensive businesses could face significant costs, and only if they have neglected security and other standards in the past. For many businesses, compliance with the standards will often yield direct benefits and savings to compensate. For most small and medium sized enterprises, overseas experience shows that the compliance cost is minimal.
Those who have already been part of the debate about private sector information privacy protection and are familiar with the background to the issues may wish to go straight to Part 2 How Would a National Scheme for Fair Information Practices Work?, and Part 3 What Should the Scheme Contain? Parts 2 and 3 draw on the responses to the discussion paper, Privacy Protection in the Private Sector, released by the Attorney-General’s Department in September 1996 and address many of the comments made about the co-regulatory scheme it proposed. They also include input from the consultations that have taken place since March 1997, and draw on the significant body of experience and debate about self-regulation and codes of practice more generally.
Part 2 explains how a National Scheme for Fair Information Practices could work — how it would cover all relevant areas of information handling; how to ensure compliance with best practice standards; and the relationship to other existing and proposed self-regulatory and statutory schemes. It sets out minimum specifications for scheme administration; complaint handling and dispute resolution; and compliance monitoring. Without these elements, a scheme would not be credible, either within Australia or to our international trading partners.
Part 3 discusses the principles and standards of fair information handling which would be needed as the foundation of the scheme. Following a general consensus, the Information Privacy Principles of the Privacy Act are used as the starting point, but criticisms of their relevance to the private sector have been heeded, and revised principles are put forward as a basis for discussion. It is acknowledged that the principles, and exceptions to them, will need to be thoroughly debated and tested against a wide range of practical situations, to ensure that they are workable in a business environment. Some suggestions are made about how some of the key issues might be resolved. These include:
Use of information for related purposes — business concerns about unrealistic constraints are acknowledged and balanced against the objective of meeting consumers’ reasonable expectations.
Giving individuals a right of access — this is a key principle, but business fears about unfettered access to evaluative material and opinions, and unreasonable demands by individuals, are addressed. There are many precedents for how a reasonable balance can be struck, and the volume of access requests under similar schemes elsewhere is generally very modest.
Retrospectivity — it is explained that the principles will only be applied to information already collected where it is sensible and easy to do so — for instance reasonable security measures should apply to all personal information.
All the features of the scheme canvassed in this paper are open for discussion; it is offered simply as a starting point for further work by a representative working group. How such a group might be constituted and operate, and on what timetable, is discussed in Part 4 Developing the Scheme — a Proposed Consultation Process.
Part 4 explains how it is proposed to progress the development of the Scheme, with a timetable for consultation over the next few months. The timetable beyond the end of 1997 is deliberately left open, in recognition of the volatile policy environment. State or Territory legislation, sectoral regulation in areas such as health and telecommunications or electronic commerce, and other self-regulatory initiatives may necessitate a modification of the current approach. The international context is also changeable, with the European Union likely to firm up its position on the ‘adequacy’ of privacy protection in other countries, and the US Government considering information privacy issues, especially in the electronic environment.
Further explanation and discussion of the case for a scheme is included as Appendix A, and more detailed discussion of some of the proposed principles in Appendix B. Appendices are not included in this issue of PLPR. (Editor)
Some of Part 1 has been omitted (Editor)
Some argue that, in the private sector, people can choose an organisation that provides a level of privacy protection they find acceptable; so competition between businesses will provide the right level of protection without regulation. Good privacy protection for customer and employee information often makes good business sense. It is useful in building trust and loyalty between customer and firm and in minimising complaints. These commercial incentives have already convinced some firms to pay close attention to information privacy.
However, in order to choose an organisation that will protect their information privacy, consumers need good information about what will be done with the personal information they provide. If they do not have it, they cannot make informed decisions about this aspect of the transaction. There are other factors which suggest that the right conditions need to be established for market forces to be able to deliver satisfactory outcomes in relation to information privacy.
First, for some businesses, the commercial advantage to be gained from unconstrained collection, use or disclosure of personal information seems to be greater than the customer relations benefits of good privacy protection. For example, a direct selling campaign may be prepared to irritate thousands of people approached by mail or phone, provided just a few sales are made.
Second, while many markets in Australia approximate the competitive model, many do not. In some industries, businesses dominate particular geographical areas. In others, information handling practices are common across an industry, offering consumers no real choice.
There is an emerging consensus, in relation to the new information economy in general, that government needs to foster a policy management framework, and promote markets for consumer control, confidence and choice. A recent report to the Clinton administration in the US suggests, as a principle for international discussion and agreement, that:
where governmental involvement is needed, its aim should be to support and enforce a predictable, minimalist, consistent and simple legal environment for commerce.
Fair information practices would seem to be an area where business would benefit from government involvement to facilitate the establishment of a consistent and predictable framework, even if there is no need for actual legislative action.
The level of compliance costs that attach to a scheme of privacy protection will depend on the way the scheme is formulated. Low cost schemes have been designed elsewhere. However, if Australia is to adopt a scheme which delivers best practice in information privacy, there will be some costs.
Information privacy principles require organisations to provide people with information about how their personal information will be handled. Some firms may need to redesign forms or change the way they collect personal information over the telephone. Provided there is an adequate phase-in period, the costs should be small.
Another principle is that people should have access to their own personal information. Experience in the public sector and overseas indicates that most requests will be simple and easily met. This paper suggests that businesses should be able to charge reasonable fees to cover the location and copying of personal information, and to decline unreasonable requests.
The principles in this paper would put some limits on how an organisation can use personal information. If a business currently relies on uses that are inconsistent with privacy principles, compliance could mean a loss of revenue. It is hard to estimate the size of this effect. The use limitations in this paper do not aim to deny business reasonable latitude. Revenue loss should be limited to firms engaged in plainly unacceptable practices.
If organisations need to change their practices there may be extra training costs. If there is an adequate phase-in period, training in fair information practices should be able to be included in standard training for customer relations and other functions at little additional cost. If a single set of principles is widely agreed to, generic training materials should also reduce costs.
Any scheme will involve costs to cover the development of specific industry standards, the monitoring of complaints, education activities etc. If the scheme is well designed and accepted, costs should not be high and no single organisation should have to bear a heavy burden. It would be expected in a self-regulatory scheme that the organisations covered would contribute to these costs. The extent to which governments may contribute is a matter for further discussion.
For a small business with uncomplicated holdings of personal information, compliance costs would be practically nil. Very rarely someone might ask to see payroll or invoice records that relate to them. Apart from that there would be no impact. Responsible businesses in personal information intensive industries already pay attention to privacy issues and, provided there is an adequate phase-in period, compliance costs should be quite manageable; for example, no business would be obliged to reprint millions of forms. The only businesses likely to feel a significant impact are the small minority that are currently handling large amounts of personal information in an irresponsible way, without regard for individuals’ wishes or expectations.
In some cases the adoption of information privacy principles will improve business performance. There are numerous examples of organisations making significant cost savings by addressing issues of data quality and security, and reviewing the need for personal information, for the first time as a result of having to comply with fair information practices. Neglect of information privacy can also mean lost revenue — a 1996 survey indicates that 45 per cent of Australians have been asked, in connection with purchase of a good or service, for personal information that they regard as excessive; of these 61 per cent discontinued the transaction.
It is desirable that public policy in relation to the new information economy is clearly informed by an international perspective, and linked to positions adopted by international forums. A recent US Federal Government paper outlines a range of options for the protection of information privacy in the electronic environment.
In 1995 the European Parliament adopted a policy that European Union countries should not allow personal data to be transferred to a non-EU country that does not ensure an adequate level of privacy protection. Transfers may be allowed to countries without an adequate overall level of protection, provided other conditions (like detailed clauses in contracts) are met. The recent US Government paper acknowledges:
No discussion of [on-line] privacy can be complete without appropriate consideration of the EU Directive and its implications for international trade in the Information Age.
The Hong Kong data protection law of 1995 also restricts the transfer of personal information to jurisdictions without a comparable degree of protection.
Adoption of a robust information privacy scheme by Australian businesses would make it easier to convince overseas authorities that personal information will be protected in Australia.
The Australian common law recognises no general right to privacy. Defamation law and actions for breach of a duty of confidence can apply in a limited range of circumstances, but litigation is slow and expensive and not a realistic option for most people affected by privacy intrusions.
Some statute law offers limited privacy protection: Part IIIA of the Privacy Act protects personal information used by credit reporting agencies; there are prohibitions on telecommunications interception; listening devices laws limit the use of ‘bugs’; telecommunications laws provide for binding codes of practice regarding privacy. But the coverage is patchy and many of the laws focus on the security of personal information, which is only one part of the information privacy package.
There are already many industry codes of practice in Australia, some containing an information privacy element. None deals with the full range of information privacy issues. This is not to say that the information privacy parts of existing codes are not useful or that they should be abandoned in favour of specialised privacy codes, but it does suggest that more consistent protection could be achieved if benchmark standards were accepted in all sectors. These standards could then be picked up in existing sectoral codes or guidelines. Other sectors where information privacy is clearly an issue operate without agreed guidelines, for example, mercantile agents and private investigators have rules of thumb for acceptable practice but these are nowhere written down. This does not mean that these sectors are privacy black spots, but it suggests that a more proactive approach is needed to satisfy concerns and provide remedies for abuses.
There is a general domestic and international consensus that information privacy concerns must be addressed urgently as part of a framework to facilitate the growth of the new information economy and to ensure consumer confidence in electronic commerce and electronic service delivery.
There are a variety of views about the most appropriate response, but no-one is arguing that nothing needs to be done, and there are clear demands for consistency and the avoidance of a patchwork of different requirements. The Federal Government has invited the Privacy Commissioner to assist business in the development of voluntary codes of conduct to meet privacy standards. The remainder of this paper sets out a proposal for a National Scheme for Fair Information Practices in the private sector.
Concerns have been raised both by business organisations and by consumer groups that any self-regulatory information privacy scheme may be fraught with difficulties. These concerns are not, however, unique to an information privacy scheme, but are frequently raised in relation to all self-regulatory schemes.
Both Federal and State Government fair trading and consumer protection organisations have examined these concerns and have responded with detailed guidelines that attempt to build into self-regulatory schemes various checks and balances to ensure that such schemes are workable and effective.
It is not the purpose of this Part to re-visit all these general concerns, but rather to make use of previous experience and discussion in designing a self-regulatory National Scheme for Fair Information Practices. We have drawn in particular on the guide prepared by Commonwealth, State and Territory Consumer Affairs Agencies in October 1996 entitled Fair Trading — Codes of Conduct and a Department of Industry Science and Tourism symposium on codes held in November 1996 entitled Industry Codes of Conduct — The Way Forward.
The process of developing the scheme — including who should be involved directly and who else consulted and when — is dealt with in Part 4 of this paper. This part deals with an appropriate structure for the scheme, what organisations would be covered by the scheme, what would be the relationship between the scheme and other regulatory regimes and what commitments would be sought from participants to the scheme.
It can be argued that some types of activity are much more likely to infringe on people’s information privacy than others.
Some industries are by nature ‘personal information intensive’. For example, direct marketing depends for its effectiveness on being able to send marketing material to people likely to be interested in it; in order to identify such people, companies must have relevant information about particular individuals. Another example is business reference databases — like credit bureaus (already regulated by the Privacy Act); tenant databases or video hire databases — which make available to other businesses information about potential customers that is used to assess commercial risk. Such databases clearly depend for their effectiveness on comprehensive and accurate personal information.
By contrast, many businesses hold very little personal information. For example, a clothes shop might hold payroll records containing personal information about its employees (who it employed, how much it paid them and when) and invoice records about some of its customers (who it billed for what, how much, when and whether they paid). Most such businesses use that personal information only for internal accounting and management purposes, which would clearly be within the expectations of the subjects of the information.
Any scheme should be sensitive to the different levels of information privacy risk posed by different industries or activities. A clothes shop will very rarely be in a position to handle personal information in a way likely to raise privacy concerns. But that does not mean that it is inappropriate for any self-regulatory information privacy scheme to apply to businesses that handle comparatively little personal information. First, any firm can be in the personal information business. For example, today’s information technology means that any firm can analyse, use and rent out its customer database to other organisations. Second, although some categories of business handle much less personal information than others, every business may be in a position where it has to make delicate judgments about the personal information it holds. For example, a man might approach a retailer trying to find out his ex-wife’s expenditure. It may not happen often, but it will happen sometimes.
This suggests that it would be best to have a scheme that can be applied to any organisation, even though in practice some businesses would be very little affected. Provided there is no onerous requirement for businesses to spend time or money simply because they subscribe to the scheme, there is no reason to exclude any particular sector or individual business. There are many advantages of an all-inclusive scheme, particularly in terms of consistency and certainty for businesses and consumers. Having different schemes for different industries is also clumsy and difficult when so many businesses are operating across traditional industry boundaries.
Some business peak organisations are in any case opposed to the idea of general ‘small business’ exemptions, partly because of the difficulty and arbitrary nature of any size threshold, and partly because it unfairly penalises businesses just above the threshold, to the extent that they have to bear any compliance cost or administrative burden.
It is sometimes suggested that charities and other not-for-profit organisations are a special case and should not be subject to rules or regulations applying to commercial businesses. It is hard to see a reason to exclude not-for-profit organisations — charities, religious organisations, political parties, public advocacy groups and the like — from the coverage of a self-regulatory fair information practices scheme. Such organisations hold and use large amounts of personal information. Indeed charities are some of the biggest and most sophisticated users of direct marketing, using personal information gathered from a variety of sources to identify potential supporters. Many are closely involved in providing support to the disadvantaged or people in crisis and in that role collect and exchange sensitive personal information about their clients.
There may be a case for providing special assistance to some not-for-profit organisations to help them understand and comply with the scheme, but small businesses and others will also need guidance and support. An important part of any scheme would be the production and dissemination of easy to read guidance material.
An important question is whether fair information handling principles should apply to individual legal entities. In legal terms, many large organisations are structured as a set of separate companies, even though they share a common ownership and operate under a single brand name. As the Australian Bankers Association said in its submission in response to the Attorney-General’s Department’s discussion paper:
Another important distinction between public and private sector bodies is that in the vast majority of cases, public sector bodies are single entity structures. This is not the case in the private sector where extensive group corporate structures are developed on holding company and subsidiary company relationships.
It would seem artificial to treat related companies as separate entities where customers regard them as the one organisation. On the other hand, a highly diversified conglomerate could include in one corporate structure companies operating in different markets and under different brands. Treating such a group as a single entity could lead to handling of personal information well outside the expectations or control of the customer.
On balance it would appear that a strict ‘legal entity’ basis for applying fair information handling principles would not be best but that the grounds for aggregating different legal entities should take account of the reasonable expectations of the customer. These will be influenced by the trading names under which different legal entities operate, whether they are related entities, and by the markets in which they compete.
One of the difficulties in a flexible approach to related entities is the issue of liability — even in a self-regulatory scheme, there will need to be some degree of certainty about who it is that accepts responsibility for compliance with the terms of the scheme, and with the rulings of any complaint determination process. It would not be acceptable for businesses to use a generous and flexible definition to avoid or frustrate the exercise by individuals of their rights under the scheme.
It may be that this issue can be dealt with by a self-identification approach — related groups of companies could declare themselves as a single entity for the purposes of applying the principles, on condition that they also undertook to provide a single point of contact for individuals and the scheme administrator, and to accept collective responsibility for any compliance issues or breaches of the code. It would however follow from a self-identification approach that the relationships involved would need to be clearly communicated to information subjects such as customers or employees, so that they know who they are dealing with. In many cases, brand or trading names which are widely recognised and understood may serve this purpose.
There is a need to ensure that any scheme adopts a unified national approach with minimal inconsistency between sectors or industries. It was very clear from the responses to the September 1996 discussion paper from the Attorney-General’s Department that all of the interested parties wanted to ensure that there is a consistent national framework. For example, Optus commented:
Electronic storage of information within centralised or interconnected databases by companies operating national businesses makes compliance with eight sets of State or Territory laws difficult and expensive.
In order to provide consistency, it will be necessary to ensure that any national privacy standards and principles prevail over privacy related provisions in any existing codes of practice. On the other hand, the administrative, monitoring and dispute resolution mechanisms required by a national privacy scheme can potentially be provided by existing self-regulatory or statutory mechanisms.
Examples of existing schemes which include some privacy protection provisions are:
It is anticipated that these provisions, already discussed in Part 1 of this paper, would be reviewed against any agreed set of information privacy principles emerging as part of the national privacy scheme. They would either be updated to be consistent with the national principles, or deleted and replaced in their entirety by a commitment to meet the national principles. Similarly, the mechanisms of the existing schemes would need to be reviewed, although these may be found to be sufficient once the national principles have been adopted.
Another major variable is the possibility of State and Territory regulatory initiatives, which may include privacy legislation. The Victorian and NSW Governments have already indicated they may bring forward data protection legislation which could have some coverage of the private sector, and the ACT Government has committed itself to statutory privacy protection for health records.
The development of a National Fair Information Practices Scheme, as proposed in this paper, can and should be compatible with State and Territory legislative initiatives. Any such laws are likely to take as their starting point commonly accepted principles such as those in the OECD Guidelines, which will then need to be customised to fit the circumstances of public and/or private sectors.
In customising information privacy principles for the private sector, States or Territories would have to undertake the same work as is envisaged in the national scheme process, and the outcome is likely to be similar, if only because the parties involved in those development processes would likely be the same parties involved in the development of a National Fair Information Practices Scheme. The main differences, if any, will lie in the monitoring, enforcement and complaint handling mechanisms, which can be considered separately from the actual information privacy standards.
Depending on the timing of any State or Territory initiatives, it may be that the work on a National Scheme for Fair Information Practices would be completed in time for its content to be incorporated in any sub-national or sectoral legislation, thereby avoiding the problem of inconsistency.
The boundaries between private and public sectors in Australia are increasingly blurred. Partnerships between government and business, contracting out by government agencies, corporatisation and privatisation of government business enterprises, all bring the public and private sectors into a close and interdependent relationship. Some of the functions that used to be performed directly by the Commonwealth Government are now performed by private sector organisations and in some of these cases (such as employment services case managers), the organisations have been made subject to the Commonwealth Privacy Act in order to ensure that the information privacy of clients is not jeopardised.
The Government has indicated that the Privacy Act is to be amended to cover contractors supplying services to the Commonwealth in relation to personal information held by them on behalf of the Commonwealth. This means that many private sector organisations will be required to comply with the Privacy Act, in relation to some of their business activities, irrespective of any voluntary National Scheme for Fair Information Practices. A case can be made for differential standards, in that with public sector functions, issues of compulsory powers and public accountability come into play. It may also be that contractors could readily quarantine their handling of personal information for government and apply the different, and in some cases higher, standards that would be required by the Privacy Act without undue difficulty.
Consistency should not be an end in itself, and should not be used to justify the imposition of a ‘government’ standard on business where it is not applicable. On the other hand, consumers and citizens are likely to be confused if standards they can expect vary too much without obvious justification. In order to ensure national fair information handling standards that are consistent where that is appropriate, and bearing in mind the possibility of State, Territory or sectoral legislation, it will be desirable to draft standards that are, as far as is possible, compatible with the existing Information Privacy Principles. Part 3 of this paper makes a start on this task.
Any scheme for Fair Information Practices will need to include a set of recommendations directed to organisations about how they should handle the information they hold about individual, identifiable people.
In a self-regulatory scheme, there are a number of ways of trying to ensure the implementation of such recommendations. Some options are:
A. The development and publication of guidelines on an advisory basis only, with commitment by individual organisations or peak bodies on a ‘self-declaration’ basis.
B. Guidelines or standards, but with reporting to or monitoring by an independent scheme administrator, possibly including formal accreditation, but no provision for remedies for breaches.
C. A voluntary scheme, including agreed standards, monitoring by an independent scheme administrator, and possibly including accreditation; but also provisions for binding directions to comply, including remedies, in the event of breaches of the standards.
Options A and B risk a lack of support from the various stakeholders. Consumer and privacy advocacy groups would be concerned if there was no way to ensure that the scheme or guidelines would be effective, and business would argue that there was little incentive to ensure sufficient support to make the scheme viable. There seems little point in establishing rules or principles for privacy protection if there is no way of ensuring that they are followed in practice and that there are adequate mechanisms for supervision and sanctions. The aim of any scheme is to improve or maintain high standards of fair information handling, and it must therefore encourage and reward good practice and penalise poor practice.
It is significant that the European Data Protection Commissioners, in their preliminary thoughts on implementing the data transfer provisions of the EU Directive, have identified procedural mechanisms, and ‘means for ensuring the effective implementation (of rules)’ as essential components of any ‘adequate protection’.
From feedback to date, Option C would be problematic for most consumer and privacy groups which have reservations about the independence and effectiveness of similar existing schemes of this type. However, if Option C is accepted by most businesses and they actively take up the self-regulatory role defined within it, then this could provide confidence to consumers that their information was being handled fairly.
Option C is clearly the best option of the three, although its prospects for success will depend on overcoming the reservations of consumer groups as well as gaining commitment from business. The scheme outlined in this paper has therefore been designed for implementation in accordance with Option C.
Pursuit of Option C will also require recognition of the substantial areas of the private sector which will already be covered by a statutorily backed scheme. Many businesses, such as retailers and financial institutions, in their capacity as service providers, will be subject to the privacy codes to be developed under the Telecommunications Act. Private companies undertaking work for government which involves handling personal information will be subject to the existing Privacy Act. Clearly, any general fair information practices scheme should seek to complement these statutorily backed regimes, and it will be desirable to ensure maximum consistency to avoid a patchwork of different requirements.
It is generally recognised that a self-regulatory scheme is unlikely to be effective without an independent administrator to undertake administrative, coordination and monitoring functions. The administrator would, for example, monitor whether the objectives of the scheme are being met, whether it is cost effective, whether the members are complying with all aspects of the code and whether the scheme is sufficiently adaptable to meet the ongoing needs of its members.
The administrator would also be responsible for the collection of data such as complaint statistics: how many complaints were received, what percentage were upheld, how the complaints were resolved and whether they were processed in a timely manner.
To be effective, a privacy scheme would need to be transparent, so that interested parties could gain access to much of the data and material collected or produced by the administrator. It is suggested that the administrator should print and distribute material about the scheme, including pamphlets relating to the complaint process and benchmarking standards. As well, the administrator should be required to produce (at least) an annual report on the operation of the scheme.
On the assumption that good privacy practices will give private sector organisations a market advantage, it should follow that there will be a high take-up rate of the national privacy scheme by industry organisations and their members. In recognition of industry concern that the take-up rate may not be significant, it is suggested that the scheme administrator, or some other body, should monitor the rate of adoption of the scheme.
One of the main weaknesses of many voluntary schemes concerns the inability of the scheme to deal effectively with ‘free riders’, that is, organisations which choose not to commit themselves to either the standards or the mechanisms, but which gain a benefit from the public perception that a scheme is in place. In some cases, organisations may follow some or all of the standards, but not subject themselves to the monitoring or dispute resolution processes, and may not contribute financially to the cost of the scheme.
One role for an independent scheme administrator would be to apply, or recommend the application of, sanctions or penalties against any ‘free rider’. Sanctions and penalties could include, for example, adverse publicity or recommendations that members of the scheme, and consumers, do not trade with the non-member.
A more formalised process would involve accreditation of organisations which commit themselves to the scheme, and this could also involve some form of symbol or logo that could be actively promoted as indicating that commitment. There is considerable experience of various forms of accreditation and quality marks which can be drawn on in the design of a national privacy scheme. Some form of independent monitoring or auditing would probably need to form part of any such accreditation. The scheme administrator could be expected to supervise both accreditation and auditing, although both processes could potentially be ‘sub-contracted’ to a range of other organisations.
There are two issues that need to be addressed in relation to sanctions and penalties in a self-regulatory scheme. First, a non-member which is the subject of adverse publicity could possibly bring an action for defamation against the scheme administrator unless the published material was very carefully worded. Second, any action against the offending organisation may be seen to be anti-competitive and may breach the Trade Practices Act. (This is discussed later in this Part.)
An independent scheme administrator is a significant step in ensuring that the scheme is robust and effective and does not become a token process controlled by the organisations it covers. In the case of industry codes, the administrator is usually funded, but not directly controlled, by the members of the industry association. Apart from the appointment of an independent chair, such scheme administrators usually have industry and consumer representatives, and may include a government regulator. Examples of such independent industry administrators include the Council of the Telecommunications Industry Ombudsman and the Council of the Banking Industry Ombudsman.
In the case of a national privacy scheme, the scheme administrator would need to represent a diverse range of interests. It is envisaged that if an independent administrator were to be created, it would hopefully evolve from the working group of interested parties that would develop the initial scheme (see Part 4).
Consideration would need to be given to appropriate cost-sharing arrangements not only for the actual operation of the scheme administrator, but also for participation in the governing body — particularly the funding of consumer representation.
Consideration will also need to be given to the relationship between the scheme administrator and the Privacy Commissioner. The Privacy Commissioner is initiating and facilitating the development of a national privacy scheme. It is expected that the Commissioner, and her staff, would be involved in some way in the ongoing administration of a national privacy code, and at the very least would expect to be represented on the governing body of any privacy scheme administrator. This is a matter that will require further consideration.
As the scheme would not be confined to any one specific industry, it may be a complex and difficult task to raise sufficient funding for the administration of the scheme. This is also a matter that will require further consideration.
The credibility of any voluntary self-regulatory scheme depends significantly on the provision of accessible, low cost and effective complaint and dispute resolution procedures. In the first instance, the individual organisation should be given an opportunity to deal with complaints and disputes. Responses to complaints should be fair, equitable, timely and objective. In order to achieve these objectives, complaint benchmarks should be established, and to this end, the Australian Standard for complaint handling (AS 4269) could be used for guidance.
Where a complaint is not upheld, reasons should be provided in writing so that the complainant can pursue any appeal mechanisms. Normally, an appeal mechanism should be provided by the organisation itself, although care needs to be taken to ensure that such a mechanism constitutes a swift unbiased review of the complaint and not just an endorsement of the decision of a subordinate employee. Too many layers of internal appeal can act as a deterrent, and contribute to ‘appeal fatigue’.
If the organisation is not able to resolve a complaint, consideration will need to be given to providing an appeal mechanism through an independent body. The scheme administrator could be used for this function, but this may give rise to conflicts of interest, for instance if the administrator was required to report on the efficacy of its own complaint handling procedures. Most self-regulatory schemes of any size have found it appropriate to separate the functions of scheme administration and dispute resolution.
It is envisaged that the existing industry complaint mechanisms could be used as appeal mechanisms, provided that they are sufficiently independent and adhere to the minimum dispute resolution benchmarks set by the national privacy scheme. The various statutory and industry ombudsmen already have arrangements for referring complaints to the most appropriate point, and this helps to prevent unnecessary forum-shopping. These arrangements would apply to privacy complaints, and could be extended to any new complaint handling bodies for other sectors. There would of course be agreements between dispute resolution schemes to prevent complainants seeking and receiving multiple remedies for the same complaint.
Where no independent industry complaint mechanism exists, consideration will need to be given to identifying or establishing a body that can independently investigate privacy complaints and has the necessary authority to enforce any adverse decisions. As the Privacy Commissioner already has a complaint handling function in relation to federal government agencies and credit providers, it may be appropriate to give her that function under the scheme.
The dispute resolution body would need to be able to apply sanctions such as:
Compensation would mean just that — it is not proposed that punitive financial damages would form part of a privacy scheme. But harm or damage should not be confined to demonstrated financial loss, and should include distress (as it does under the Privacy Act), where this can be clearly established.
In determining liability for financial compensation, it has been suggested that a due diligence defence should be recognised — such that an organisation would not be vicariously liable for actions of employees provided it had taken all reasonable steps to make staff aware of the principles and put in place systems and practices to comply. It is argued that this defence would provide an incentive for organisations, particularly small and medium sized enterprises, to be proactive about compliance and training.
The contrary argument is that individuals should not miss out on remedies simply because their privacy was breached by the rogue actions of individual employees. Organisations should accept liability for the actions of employees whether or not they are acting within authority. Otherwise, it is argued, less scrupulous organisations could routinely hide behind a defence of due diligence, particularly where there is no prospect of criminal or other sanctions against individual employees.
In considering this issue further, it should be recognised that the number of cases where financial compensation for privacy breaches is likely to come into play would be very limited, if domestic and overseas experience is anything to go by — most privacy complaints do not involve financial claims.
It may be necessary to apply to have compliance with the scheme authorised by the Australian Competition and Consumer Commission. If authorisation is granted by the Commission, the scheme participants would have immunity from action under the competition provisions of the Trade Practices Act, on grounds of anti-competitive arrangements contained in the scheme. For such an application to be successful, it would need to be argued that the scheme produces benefits for the public that justify its impact on competition. This should not be difficult given the weight of arguments in favour of fair information practices and the international precedents.
Many businesses are concerned about the issue of how any scheme would apply to personal information already collected and held. It is easier to discuss this in relation to specific information privacy principles, and this is done at the end of Part 3. The general approach, however, will be a common sense one — only those principles which can be readily and fairly applied to existing information should be applied to it.
There are around one million businesses in Australia, as well as thousands of non-profit organisations, and, depending on the definitions used, several hundred different industries or sectors. The information privacy issues that arise are naturally very diverse. Nevertheless, experience overseas suggests that it should be possible to devise principles that can be followed in most sectors without modification. They could be supplemented by more specific standards, where necessary, for particular sectors or activities.
The Information Privacy Principles (IPPs) in the existing Federal Privacy Act are the only set of privacy principles currently in any Australian law (see Appendix D). They were the centrepiece of the legislative option discussed in the September 1996 discussion paper from the Attorney-General’s Department and, although the Government has announced that it does not intend to develop a legislatively based scheme for the private sector, they still constitute a natural starting point for discussion.
A constant theme in the responses to the September 1996 discussion paper from the Attorney-General’s Department was that the language of the Information Privacy Principles in the Australian Privacy Act is complex, legalistic and too detailed. Two particular issues are the use of technical terms — ‘collector’, ‘record keeper’, ‘generally available publication’, ‘record’, ‘solicit’ etc — and attempts in the IPPs to list obligations in detail, where a more general formulation might be preferable, for example, IPPs 2(c)-(e), 5.1(b), 5.3(a)-(f) and 7.1. This paper aims for clearer and simpler, but still effective, standards which can be easily understood and applied by businesses.
In broad terms the aim is to ensure that an organisation collects personal information only where doing so serves a legitimate purpose and that an organisation uses the information only for that purpose, unless one of a number of exceptions — such as consent, related purpose, imminent harm, legal authorisation — applies. These exceptions are discussed below.
The primary difficulty is defining what is meant by the purpose of collection. It is easier to do this in the public sector where the purposes for which most agencies hold information are relatively well defined by legislation. Private sector organisations may have many different purposes for collecting information.
Even so, it should still be possible to identify an original purpose of collection. Where the information is collected direct from the individual, we can refer to the context: when people provide information to a private sector organisation, they almost always do so for a particular purpose — to buy a particular product or enter a competition or make a donation or get a discount. This is the original purpose of collecting the information. Where the information is not collected from the subject, the organisation usually uses the information soon after it collects it and it seems reasonable to take this as a guide to the original purpose of collection. For example, if a business asks a previous employer about a job applicant and then decides to hire them, it seems clear that it collected the information to make a hiring decision.
There can be more than one original purpose for collecting personal information, even if they are unrelated. If a person provides information on the understanding that it will be used for two different purposes, it is reasonable to say that both of these are purposes of collection.
A legitimate purpose must be lawful, and should be openly acknowledged by the organisation, although that does not mean that the organisation has to state its purpose every time it collects information (see below, ‘What should organisations tell the people they are collecting information about?’). Organisations must be able to collect the information they need to run their business, but people’s privacy is put at risk if information about them is stockpiled on the off-chance that it may be useful in future. Requiring organisations to collect information only where that is ‘necessary’ may be too restrictive: it is often reasonable to collect information which is relevant but not strictly necessary.
A possible form of words for this principle is:
An organisation should only collect personal information that makes a direct contribution to one of its legitimate purposes.
If people are to have any control over what happens to information about them in the hands of others, there must be some limits on what organisations can do with the information.
The present Privacy Act distinguishes between ‘use’ (primarily internal) and ‘disclosure’ (primarily external release). There is some advantage in this — people are usually more concerned about disclosure to third parties than they are about internal uses. But it also causes some difficulties in the application of the principles. The exceptions in the IPPs are very similar for use and disclosure — where they differ it is not easy to see why. The distinction is not a critical part of a privacy scheme — internationally, some privacy principles treat disclosures as just another ‘use’. In the interests of a simple and easily understood set of rules, it is suggested that the starting point for discussion should be a single ‘use limitation’ principle, which would apply to all uses of personal information, including publication and disclosure outside the organisation, and which would be subject to a single set of exceptions.
A possible form of words for the use limitation principle is:
An organisation should only use personal information: for the purpose for which it was collected [or ...]
Other acceptable uses are discussed below.
The IPPs in the Australian Privacy Act allow other uses where:
the purpose for which the information is used is directly related to the purpose for which the information was obtained.
Some secondary uses of personal information are clearly within people’s reasonable expectations. For example, if a company collects information for the original purpose of selling a product, most people would expect that it could also use the information to judge the profitability of that product, or to offer them a related product (unless they had asked not to receive offers).
In assessing whether a secondary use is within people’s reasonable expectations, the sensitivity of the information will also be relevant. For example, banks are diversifying into areas such as health insurance. It is doubtful if people would expect that information about their medical treatment would be used to offer (or refuse) them life insurance.
A related use may be within most people’s reasonable expectations even though it is made without the consent of the individual in the particular case. As long as most reasonable people would regard the purpose of the use as related to the original purpose, it will pass the test.
There needs to be some reasonably clear link between the use of the information and the original purpose of collection. Otherwise, the principle would achieve nothing — a person who provides personal information would be leaving its use entirely to the discretion of the organisation.
A possible form of words is:
An organisation should only use personal information: ... [or] if the purpose of that use is reasonably related to the original purpose of collection.
Since the aim of information privacy is to give people some control over the handling of their information by others, there should be no objection to the use of personal information with the free and informed consent of the information subject.
Many of the responses to the September 1996 discussion paper from the Attorney-General’s Department argued that a person should be regarded as having consented when they have been given a chance to deny their consent and have not taken it; in other words, if they have not ‘opted out’ of a particular use. This would often be enough to satisfy a consent test, provided the option has been clearly presented and the person has been given enough information to make an informed decision and a reasonable time to respond. But there will be circumstances, where sensitive information or uses are involved, where explicit opt-in consent would be preferable. Exactly which contexts demand an opt-in approach is a matter for further consultation, though uses of detailed medical records would be an obvious possibility.
A possible form of words for this sort of use is:
An organisation should only use personal information: ... [or] if the subject of the information has consented to the use.
While it will not happen very often, it is sometimes necessary for private sector organisations to use personal information about their customers in emergency situations. For example, an airline might be asked to release information about passengers on a flight which carried a person infected with cholera. The present IPPs limit emergency uses to cases where there is a ‘serious and imminent’ threat to the life or health of any person, not just the subject of the information. It may be that this is too strict a test, and that a broader discretion should be allowed, provided organisations are able to justify the use of this exception after the event.
A possible form of words for this sort of use is:
An organisation should only use personal information: ... if the organisation has reasonable grounds for believing that the use will reduce a threat to the life or health of any person.
The existing Australian IPPs say that personal information may be used for a purpose other than the purpose of collection or disclosed where that ‘is required or authorised by or under law’. Private sector organisations will often be required to compile certain records, for passing on to authorities; for example, employers and financial institutions are obliged to report individuals’ income to the Tax Office. They are also subject to statutory and common law demands on a case by case basis, for instance where police produce a search warrant or subpoena, or through the discovery process in civil litigation. There is no suggestion that privacy principles should interfere with the operation of these important processes.
Few private sector organisations will be authorised by statute law to use information in particular ways. Some professional associations may be authorised to publish details about their registered members. Common law obligations like a duty of care may sometimes authorise a particular use of personal information.
A possible form of words for this sort of use is:
An organisation should only use personal information: ... [or] if the use is required or authorised by law.
The Privacy Act provides that government agencies can use personal information for a purpose other than that for which it was collected and can disclose personal information, where that is reasonably necessary for the enforcement of the criminal law or the protection of the public revenue. Such an exception makes little sense in the private sector context: private organisations are rarely going to be in a position to judge what is ‘reasonably necessary’.
It is sometimes appropriate for organisations to assist law enforcement investigations by providing personal information, even if there is no formal legal obligation and the subject of the information has not consented. But the 1992 revelations by the New South Wales Independent Commission against Corruption about an extensive unauthorised trade in personal information — an informal ‘mates club’ — illustrate the risks of an overly casual attitude to official requests.
A possible form of words for this sort of use is:
An organisation should only use personal information: ... [or]
if a person or body involved in the investigation of criminal offences asks the organisation to use personal information; the organisation has reasonable grounds for believing that the person or body is making the request in connection with a legitimate investigation of criminal offences; and the personal information is provided by a statement recorded in writing; or
if the organisation has reasonable grounds for believing that an offence has been committed and the organisation uses the personal information to report the offence to the relevant authorities.
There are two additional reasons why some further discussion of this exception may be desirable. First, the privatisation or contracting out of government functions is now reaching into areas such as prisons and security. Second, private businesses also have interests in fraud control and security, with the police and other government authorities increasingly unable to pursue minor crimes for lack of resources. The principles should be able to accommodate reasonable use of personal information in this context.
The answer to these two trends may not lie in a general law enforcement exception to the ‘purpose limitation’ principle. A sensible interpretation of the ‘related purpose’ exception, together with appropriate extension of statutory powers and safeguards to contractors, may suffice.
Information Privacy Principle 1.2 in the Commonwealth Privacy Act requires that ‘personal information shall not be collected by a collector by ... unfair means’. It is almost a tautology to say that the collection of personal information should be fair. The problem is to determine what ‘unfair’ means. In a public sector context, the Privacy Commissioner has generally taken this to mean collection by deception or intimidation.
One area where ‘unfair’ will need fleshing out in practical terms is the use of inherently intrusive practices like covert video surveillance. Such collection of information is not unlawful, but is it fair? For example, if an employer suspects that an employee is stealing goods, is it fair to install hidden video cameras in the workplace? It seems likely that many people would accept that it is, on certain conditions: for example, if the thefts are serious, if other methods have been tried and failed, if the tapes are used only to identify the culprit, and if those covered by the surveillance are told what has been done. The circumstances in which covert collection is fair will need to be further discussed.
Information privacy principles generally contain a requirement that personal information be collected by lawful means. It is hard to see an argument against such a requirement — responsible information handling must be within the law.
Even if collection is lawful and fair it may still significantly intrude on a person’s privacy, for example, asking probing questions of someone whose relative has just died, making repeated requests for the same information or making phone calls to collect information late at night. All these may be justified in some circumstances but their intrusiveness suggests there should be a high standard of justification for their use. The IPPs in the Privacy Act say that when a government agency is collecting personal information directly from the individual it should take reasonable steps to make sure that:
the collection of the information does not intrude to an unreasonable extent upon the personal affairs of the individual concerned.
There are two problems with this wording. First, it introduces the concept of ‘personal affairs’, which is hard to define. Second, the organisation will not always be able to know whether collection intrudes unreasonably — it may not have enough information about the individual’s circumstances to know that the collection is unreasonably intrusive. One way of dealing with these problems would be to eliminate ‘personal affairs’ from the wording and to confine the reach of the principle to the means of collection.
A possible form of words would be:
An organisation should not collect personal information by unlawful, unfair or unreasonably intrusive means.
The fundamental idea behind information privacy is that people should be able to exercise some control over the way that information about them is collected, stored, used, disclosed and so on. They cannot do this if they have no way of finding out how their information is used. The Australian IPPs express this idea by requiring that individuals are made aware of certain matters, including the purpose for which the information is being collected; if the collection of the information is authorised or required by or under law; and any person, body or agency to whom the information is usually disclosed.
The matters listed go some way to providing the person with the information they need to make an informed choice about whether or not to provide personal information about themselves, but not the whole way. In particular, they do not require the person to be told the consequences of choosing to provide or not to provide the information; this is clearly important to people’s decisions and could reasonably be added to the requirement.
Often the organisation will not know exactly which organisations it will be disclosing personal information to. In providing individuals with this sort of information, organisations should be able to describe a range of possible disclosures in generic terms; for example, referring to ‘State compensation authorities’ or ‘debt collectors’ rather than naming all the possibilities. This is the approach the Privacy Commissioner has taken to the principle in a public sector context.
There must be some exceptions to this principle. First, the context in which the individual provides the information may make it clear that some particular disclosure may be made. For example, if a company offers to pass on a person’s details to other firms which it recommends, the person automatically knows that their personal information will be disclosed to a range of other organisations. Second, when the person has recently had a reasonable opportunity to acquaint themselves with these matters, it may be reasonable to excuse the organisation from going through the same process again. Third, there may be other situations where giving detailed information is inappropriate. For example, where a company that suspects an employee of theft asks the person where they were at a certain time; to tell the person ‘we are asking you this for the purpose of finding out whether or not you have been stealing’ would defeat the whole purpose of the exercise.
These exceptions would all be covered by an appropriate interpretation of ‘reasonable steps’ and it may not be necessary to list them in the principle itself.
A possible form of words for this principle would be:
When collecting personal information from the subject of the information, an organisation should take reasonable steps to let the person know how it will use the information and the consequences for the person of providing and of not providing the information.
Most private sector organisations readily accept that they should protect any personal information they hold against unauthorised access. This principle appears in almost all information privacy schemes internationally. The Australian IPPs say:
A record-keeper ... shall ensure: (a) that the record is protected, by such security safeguards as it is reasonable in the circumstances to take, against loss, against unauthorised access, use, modification or disclosure, and against other misuse; ...
Not all personal information is equally sensitive. Some personal information — like psychiatric reports or a person’s HIV status — is very sensitive and unauthorised access to that information nearly always brings a risk of harm to the person. Other personal information, like address, is not sensitive for most people, though it can be sensitive for judges or police officers or victims of domestic violence.
It may be appropriate to associate with the principle some factors that should be taken into account in assessing what steps are reasonable, for example, the sensitivity of the information; special consideration for information about such things as race, sexual life, political affiliations, religious beliefs and medical history; the consequences for the individual and the organisation if the information is mishandled; and the likelihood of deliberate attempts to breach security safeguards.
A possible form of words for the security principle would be:
An organisation should take reasonable steps to protect the personal information it holds from unauthorised access.
Related to the collection limitation principle is the principle that personal information should not be retained unless it is reasonable to do so. Such a principle should not prevent organisations from keeping personal information when it still has a legitimate use. For example, it should allow organisations to keep information long enough to be sure that it will not be necessary for legal proceedings. And they should be able to comply with genuine archival requirements.
One possible form of words would be:
An organisation should take reasonable steps to destroy personal information if:
the information is no longer used for the purpose for which it was collected or any related purpose, and
there is no legal reason to retain it.
Since the use of low quality personal information can impose serious disadvantage on the subject of the information, organisations have a responsibility to take reasonable measures to ensure the quality of the personal information that they hold. This idea appears in a number of places in the existing Australian IPPs: IPPs 3(c), 7.1, 8 and 9. There is really only a single obligation here: an organisation should take reasonable measures to ensure that the personal information it handles is of good quality, given what it is to be used for. This should apply when the organisation is collecting information, while it holds the information (including when it is challenged by the subject of the information — see Allowing individuals to correct their own personal information below) and when it uses the information.
Any scheme must recognise that the costs of checking must be weighed against the risk of the information being of low quality and the likely consequences if it is. The inclusion of the ‘reasonable steps’ qualification may accommodate these concerns.
A possible form of words would be:
An organisation should take reasonable steps to make sure that the personal information it collects, holds or uses is of good quality.
A precondition for giving people some control over personal information about them is to let them know that it is there in the first place. The Australian IPPs express this idea in IPP 5.1 and 5.3 (see Appendix D). Appendices are not included in this issue of PLPR (Editor).
‘Reasonable steps’ to satisfy an openness principle could include making brochures available, providing general information online, mailing information to customers, or establishing a well publicised telephone enquiry number. In most cases, this obligation would really be no more than normal good customer service practice.
A possible form of words would be:
An organisation should take reasonable steps to let people find out what sort of personal information it holds and how it uses the information.
Two further provisions of the existing Australian IPP 5 that would not appear to fit comfortably in a self-regulatory privacy scheme for the private sector are:
Neither of these requirements would achieve much if applied to the private sector. It is suggested that they could be dropped.
Allowing individuals to gain access to their personal information
Allowing people access to their personal information, subject to appropriate exemptions, is a fundamental principle of fair information handling. It is also a good way of making sure that the information is accurate. In the responses to the Attorney-General’s Department’s discussion paper, an access principle received strong support from consumer and privacy groups. Many businesses and business groups also supported the principle, though with a range of concerns about the circumstances in which it would be legitimate to deny access.
A possible form of words for the general principle is:
An organisation should take reasonable steps to provide a person with the personal information it holds about them.
The terms of reasonable exceptions to the access principle will need to be developed in consultation with stakeholders.
There are clearly a number of situations in which it is not reasonable to expect an organisation to provide an individual access to personal information that it holds about them. The Attorney-General’s Department’s 1996 discussion paper identified a number of areas where exceptions might be appropriate:
Debate about exceptions to the access principle will be vigorous, but acceptable compromises have been struck both in public sector FOI laws and in information privacy laws overseas. The following section discusses one particularly contentious possible exception. Others are discussed in Appendix B.
In the responses to the September 1996 discussion paper from the Attorney-General’s Department, a number of business groups proposed an exemption for ‘opinion or evaluative material’. Some argue that there is a much stronger case for access to this sort of information in the public sector, where statutory powers are being exercised, consequences for individuals are often serious, and principles of natural justice are required by law. It is suggested that it is inappropriate to import an administrative law approach to ‘reasons’ for decisions into a commercial environment where individuals are contracting voluntarily for goods or services.
There are some difficulties with these arguments. First, opinion or evaluative material is exactly the sort of information that has the greatest impact on individuals. To exclude it from an access provision would greatly reduce the ability of individuals to challenge inaccurate or incomplete information the use of which may have an important impact on their lives, even in commercial transactions. For example, business reference databases may include opinion about the reliability of customers and employment records may include subjective assessments of character or competence. If people cannot gain access to such information they have no way of disputing its accuracy. Second, it is not always easy to say when fact shades into opinion; a blanket exemption for ‘opinion’ would require a delicate line-drawing exercise.
Business concerns about access to evaluative material also appear partly based on a belief that it would apply to personal notes, and make many of the day to day practices of most people in the workplace impossible. Any access principle should be drafted in such a way as to make a clear distinction between personal working documents and notes, which would be exempt (as they are in Freedom of Information laws) and information on organisational records which, subject to other exemptions, would be accessible. The objective of an access principle is to give individuals rights in relation mainly to information which forms part of a permanent record which may be accessed by many people, and used over a period of time. It is not to give access to personal notes or jottings of a transient nature made in the course of people’s work.
The NZ Privacy Act has a narrower exemption for evaluative material from the obligation to give access:
[if] the disclosure of the information or of information identifying the person who supplied it, being evaluative material, would breach an express or implied promise —
(i) which was made to the person who supplied the information; and
(ii) which was to the effect that the information or the identity of the person who supplied it or both would be held in confidence.
Such an exception would allow employment references and other performance reports to be provided to organisations in confidence.
There should be considerable flexibility in both the form in which requests for access may be made and the form in which access to information may be given.
Most Freedom of Information legislation (which applies to all public sectors in Australia except in the NT) requires requests to be made in writing, but given that there is now widespread access to telephones, faxes and emails, this may not be necessary for the private sector.
There are a number of ways of providing access to information. Photocopying relevant documents is the most obvious but sometimes it will be easier to provide access by inspection, on a screen or even over the phone. The important point is that an organisation should not be able to avoid its responsibilities by imposing an inconvenient form of access that acts as a barrier to people who want access to the information the organisation holds about them.
Giving people access to personal information that an organisation holds about them imposes some costs on the organisation. It involves, at least, locating the information and making it accessible, in one way or another.
In many cases, these costs will be very low. If all the organisation has to do is look up a file in alphabetical order and photocopy a sheet of paper, access could be provided free of charge. If meeting an access request involves considerable effort the organisation should be able to charge reasonable fees. But no organisation should be able to impose artificially high charges as a way of avoiding its obligations under the scheme. One option would be to put a cap on access charges.
To charge people just for making a request would undermine the access principle and act as a deterrent. Those on low incomes in particular could be prevented from exercising their rights.
If an individual can establish that the personal information an organisation holds about them is of low quality, they should be able to have it corrected. IPP 7 in the Privacy Act expresses the principle this way:
A record-keeper who has possession or control of a record that contains personal information shall take such steps (if any), by way of making appropriate corrections, deletions and additions as are, in the circumstances, reasonable to ensure that the record: (a) is accurate; and (b) is, having regard to the purpose for which the information was collected or is to be used and to any purpose that is directly related to that purpose, relevant, up to date, complete and not misleading.
Most organisations regard this as good practice in any case — it is not in the organisation’s interest to be making decisions on the basis of poor quality information. But there are some practical issues. ‘Accuracy’ is not the only dimension of information quality that needs to be addressed. The use of incomplete information can also have serious effects. For example, a person may be denied a job because the employer finds out that they have been convicted of an offence; if the employer does not also find out that the conviction was quashed and the police involved convicted of perjury, an injustice may be done. Similarly, irrelevant and out of date information can have harmful effects. For these reasons, individuals should be able to mount reasonable challenges to the overall quality of personal information about them, as well as to the accuracy of any factual details.
This right must however be balanced against organisations’ freedom to make judgments and assessments, and to record information received in good faith. If the organisation is convinced the information is of sufficient quality for the intended purposes and the individual disagrees, the compromise that appears in Freedom of Information legislation is for the organisation to attach to its records a statement from the person disputing the quality of the information. Such cases are rare and a similar approach may work in the private sector.
A possible form of words for the correction right would be:
If an organisation holds personal information about a person and the person is able to establish that the information is not of good quality, the organisation should take reasonable steps to amend the information so that it is of good quality.
If the person and the organisation disagree about the quality of the information and the person asks the organisation to associate with the information a statement disputing its quality, the organisation should take reasonable steps to do so.
A number of the responses to the discussion paper from the Attorney-General’s Department expressed concern that it would be impractical to try to apply the principles to information that organisations already hold. The scheme will have to take a common sense approach to this question. The guiding idea should be that the principles apply as far as possible to all personal information except where that is clearly impractical or unfair to the organisation.
The collection limitation and notification principles clearly cannot operate retrospectively. The use limitation principle should apply as far as it can to existing information although this may not always be feasible, for example, where an organisation collected information in the expectation of using it for a secondary purpose but did not need at that time to seek people’s consent. The security and openness principles could probably apply to all personal information. The destruction and quality principles could apply to all personal information but organisations obviously cannot be expected immediately to review all the personal information they hold. The access and correction principles could apply to all factual information but there would need to be some exceptions to cover opinion or evaluative material collected on the assumption that it would not be accessible to the individual.
The discussion in this paper is based on the IPPs in the Federal Privacy Act but a number of other privacy principles have been proposed, partly in response to technological changes. They include principles about the use of publicly available information, the ability to conduct transactions anonymously, charging for the exercise of privacy rights, the primacy of individual consent, the matching of data from different sources and the use of identification numbers. These proposed principles are discussed in the final section of Appendix B. Appendices are not included in this issue of PLPR (Editor).
Ideally, the scheme should be developed by a group that is representative of all types of organisations that handle personal information, and of consumers, employees and the general public. The extent to which representatives of government agencies (Federal, State and Territory) should be involved is less clear. Most of these interested parties could perhaps be included in a larger circle of organisations to which periodic reports of progress and drafts can be sent.
The Canadian Standards Association process which developed a Model Privacy Code released in 1996 was based on a committee with around 40 members from industry, academia, consumer and employee groups, and government agencies. Sticking points were resolved by dividing into small but representative sub-committees. The intention in Australia is to be as inclusive as possible by seeking input from all interested parties, but there will need to be some way of confining the membership of the scheme development committee to a manageable size.
One issue is whether members of any scheme development committee should participate as delegates of particular organisations, with responsibilities to consult with their constituencies as work proceeds. It is suggested that this would not be desirable, and could lead to the exercise losing momentum. Peak organisations and groups could be asked to nominate suitable members, but on the clear understanding that they would participate as individuals. It should be recognised that some peak organisations may have difficulty with this approach.
At appropriate stages in the process, drafts could be circulated to interested organisations for the normal process of consultation with their membership or governing bodies, although it would be preferable to limit the number of such stages, given the delays inherent in many internal processes.
The private sector organisations that participate in the development of the scheme may not be the same as those that ultimately agree to be bound by the scheme, although it is expected that there would be a significant overlap.
To initiate the process, the Privacy Commissioner could invite nominations for membership of a scheme development committee, and could, perhaps together with one or two others, sift through the nominations and propose an initial composition — perhaps with alternates and a second list of people who could be called on to participate in specific sub-committees if and when they become necessary. Where no nominees were forthcoming spontaneously from an important sector or group, the Privacy Commissioner would undertake to approach relevant organisations to find a suitable member.
The Privacy Commissioner has had extensive consultations, since April, with a range of organisations about the general approach now brought together and presented in this paper. It is necessary to recognise that some groups have had significant reservations about becoming involved in a process designed to bring about a national privacy scheme on a self-regulatory basis. Consumer groups and privacy advocates have generally felt that participation could relieve the pressure for the legislation which they consider necessary. Some of them have taken the view to date that they would prefer to remain outside the process, and concentrate their limited resources on lobbying for statutory protection and on other priorities.
Some business groups and individual businesses are also non-committal. They fear that participation will lock them into a process which may lead to unacceptable standards or mechanisms, and while they need not sign up to a self-regulatory scheme they feel that they could be setting themselves up for public criticism if they withdrew at any stage, without any obvious compensatory benefits. Some business groups have also stated that they see little point in participating unless consumer groups are also involved.
All of these reactions have simply confirmed that gaining commitment to the process, even before the attempt to build a consensus, will not be easy. However, it is hoped that the arguments put forward in this paper, and the way in which it addresses previous criticisms, may help to persuade key interests to become involved.
The Commissioner also hopes that, whatever their reservations, interested parties will think seriously about the consequences if there is no general commitment to proceed with the process. The alternative is continuing uncertainty, the almost certain imposition of a variety of different standards in different sectors or jurisdictions, and a continued growth of public concern and pressure for government action. In this environment, electronic commerce and electronic service delivery initiatives are likely to be held up, either by public resistance to adoption, or by an unwillingness on the part of business to make significant investment decisions without greater certainty about the information handling rules that will apply.
The Privacy Commissioner would be able to provide the secretariat for the scheme development committee, but could not be expected to pay expenses. Representatives of commercial sectors and professional bodies could reasonably be expected to meet their own expenses. Consumer organisations may find this difficult, given their limited funding, and the fact that many consumer and privacy advocates are unpaid volunteers. Case-by-case negotiation of financial support for particular nominees would seem appropriate.
It is assumed that, in accordance with the Prime Minister’s request, the Privacy Commissioner will continue to lead the process of developing a national privacy scheme.
It will be important for participants to agree on some ground rules, for instance about the balance between publicity and confidentiality in the work of the scheme development committee, responsibility for media comment if any, implications of withdrawal from participation (hopefully not needed), etc. Views on these issues are invited at any time, but will also be appropriate for discussion at the first formal meeting.
Initial comments on this paper are requested, either in writing, by electronic mail, or orally, by 15 September 1997.
In the meantime, the Commissioner will convene two further meetings, one with consumer and privacy advocates, and one with business/professional interests, in early September. These will provide an opportunity to assess the level of support for the suggested process, and to receive preliminary feedback on the suggested principles and mechanisms.
The Commissioner would then convene a series of forums, to be held in each State/Territory capital in October, to explain the proposal to a much broader range of potentially interested parties, and to invite nominations for membership of the scheme development committee. The Privacy Commissioner would consult widely about nominations and, where necessary, recruit additional members; and would seek agreement from all interested parties on an initial composition.
The Privacy Commissioner will then convene the first meeting of a provisional scheme development committee later in the year, to commence work on the detailed development of the scheme, according to a process and timetable to be set by the committee.
It would be important for there to be a clear timetable and deadline, and milestones for the development of the scheme. While it would be premature to set these in advance of the early meetings, there is a clear sense of urgency about this task, and the Commissioner sees a need for substantial progress during the first half of 1998.
Moira Scollay, Privacy Commissioner.