Privacy Law and Policy Reporter
An earlier version of this paper was presented by the Privacy Commissioner under the title ‘The Future Of Privacy And Data Protection In The Private Sector: Now Who’s Got A Crystal Ball?’ to the 1997 Australian Privacy Summit, hosted by IBC Conferences on 21 & 22 October 1997 in Sydney. It has been expanded slightly by the Commissioner, and edited for publication, including the insertion of some sub-headings and cross-references. This is the most comprehensive statement to date by the Commissioner on progress in her consultation process concerning private sector self-regulation. (General Editor)
By now you will have already heard that I am embarking on a process of consultation about a national privacy scheme for Australia. I issued a discussion paper in August, after the Prime Minister announced in March that the Federal Government would not be proceeding with legislation to cover the private sector. The document is called Information Privacy in Australia: A National Scheme for Fair Information Practices in the Private Sector (see (1997) 4 PLPR 41).
Before I go into that document, what it is trying to achieve, and the consultation process I have embarked upon, let me give you some more context and let me draw together for you some of the developments you may already know are happening.
When the Federal Privacy Act was passed in 1988, it was in the context of the Australia Card debate. The major fear which was being addressed at that time concerned the notion of ‘big brother’ — a Government knowing everything about you. While the Act broadly picked up the OECD guidelines in its 11 IPPs, the Act did not at that time pick up the private sector.
Certainly, the private sector was not at the centre of the debate, but the arguments that existed then for privacy in the private sector are of course still relevant today. If nothing else had changed, I would still have been arguing for a legislated right to privacy for Australians. It seems to me irrelevant where information about a person is held. We all want some measure of control over that information. We want information about ourselves collected in a fair way; it should be securely held and should not be used for other purposes without our knowledge and consent. We should be able to see it and correct it if it is wrong. It should not matter whether that information is held by our doctor, our bank or the Tax Office.
But in addition, things have not stayed the same. First, developments in new technology now mean that it is cheap and easy to develop ‘cradle-to-grave’ databases about people. Many independent surveys (both in Australia and overseas) demonstrate heightened concern. People sense a significant loss in knowledge and control of personal information about themselves. There is a sense of a shift of power away from the consumer. Some companies such as AAMI are doing it well. They have privacy codes and monitoring and dispute resolution mechanisms. But most do not.
The second way in which the situation has changed in the nearly ten years since the Privacy Act, is through the creation of the online economy. New areas of economic and social activity such as the Internet, electronic commerce and electronic service delivery are providing new economic arguments to strengthen the case for privacy protection. If Australia is to be part of the global information economy, it must act quickly to put in place the necessary frameworks or infrastructure to enable swift take up by both business and consumers. Lack of a privacy protection framework does not make good business sense in this fledgling industry.
Australia is quickly becoming a single economy. Many enterprises now operate nationally. Many operate internationally. State and even national borders are becoming irrelevant. Many are asking, are national laws becoming irrelevant? The unprecedented growth in information and communications technology is allowing businesses of any size to market their goods and services directly to customers around the world — and vice versa.
These technologies offer great promise for Australia. We are a small nation, geographically isolated. New technology offers great promise across our own tyranny of distance (telemedicine in the bush) and internationally, if we as a community are prepared to bear the investment cost of the appropriate infrastructure.
Australians have a high take up rate for new technologies. Videos, home computers, mobile phones, answering machines. Until now most of these technologies have allowed us to operate anonymously. This is not so with the Internet and electronic commerce. And this is where people seem to have real concerns. How can businesses convince their customers that their information will be safe in this brave new world?
Concerns about privacy and security cannot easily be addressed by individual firms. Lack of confidence in the information economy needs broader intervention. It will need some form of united action. For the fledgling information economy the need for enabling protection is not a sign of market failure. New technology is generating a need for a new piece of institutional infrastructure to allow people and businesses to conduct their affairs with confidence. This framework can be provided by Government, by businesses, by technology, by court systems or a combination of all of these.
Robust and enforceable Information Privacy Standards fulfil just this sort of function. They give businesses and consumers certainty in their day to day activities. Whether they are enforced by Government or the private sector is coming to the fore as the central matter for ongoing discussion.
As the Prime Minister said last month:
The Government is committed to bringing all Australians together in this new information age, to offer security as well as choice for families and overcome disparities between the bush and the cities. The challenge for the national Government is to improve the co-ordination and management of policies which will encourage the community and business to embrace technological improvements and take maximum advantage of new opportunities.
My view is that privacy protection is one such challenge.
In September last year, the Attorney-General launched a discussion paper suggesting a legislative approach to cover privacy in the private sector (see (1996) 3 PLPR 81). There were over 100 responses, and while many important issues were raised and discussed, all agreed and strongly argued for a nationally consistent approach to setting standards for information privacy (see (1997) 3 PLPR 161).
In March this year, the Prime Minister announced that the Government no longer intended to legislate for privacy for the private sector. He gave compliance costs to business as the reason and called on the States and Territories not to separately legislate for the private sector because of concerns about a patchwork of responses. He also said that the Privacy Commissioner would be available to assist business with voluntary codes and standards.
Despite this announcement by the Prime Minister, there has in fact been considerable activity around privacy protection in the private sector.
In April this year, the Government announced its intention to outsource all its IT activity. In this context it announced it would extend the existing Privacy Act to cover contractors who were handling personal information on behalf of Government. Later the Government clarified that this would apply to all contractors, not just those in the IT outsourcing context. The Government has recognised that this would be the means by which the new Employment Placement Enterprises (EPEs) would be covered, now that the Government has decided to establish the EPEs by administrative action, not legislation.
On 1 July the new telecommunications legislation came into force. Under that legislation there is the capacity for the development of industry codes of practice which can take on the force of binding codes. The first such code which is being developed by the Australian Communications Industry Forum (ACIF) is a privacy code. Given that the new telecommunications industry is rapidly expanding across different industry sectors, it is imperative that any code in the telecommunications sector is harmonised with other sectors. I would argue that it should be the same.
The Victorian Government has foreshadowed that it will be legislating for privacy for the public and private sectors shortly and ACT has foreshadowed that it will introduce legislation this year to cover the private and public sectors in respect of health records.
Clearly, achieving national consistency for privacy standards will be no easy task, despite the fact that it is what everybody wants. Consistency too has many different dimensions.
Privacy standards applying to different firms will never all be the same, nor should they be. There is a need to articulate a minimum standard of privacy protection for the consumer and then I would expect competitive advantage issues to dictate which way different firms chose to operate above those minimum standards.
There is a need for caution also in how to handle issues of privacy protection between industry sectors. The Wallis inquiry pointed to the need to understand the changes taking place in the banking, finance and insurance industries as traditional boundaries melt. Wallis wanted to encourage the sharing of data within corporate conglomerates. This issue is not so simple and is addressed in some detail in our paper. But we are very alert to the need not to create boundaries between industry sectors. NZ provides an interesting model for us, with only two codes having been seen as necessary to this time.
There is also a need to guard against creating barriers between different sorts of activity (direct marketing, video surveillance). Retailers, banks, service industries — all use direct marketing. Pubs, casinos, warehouses, insurance companies, retailers — all use video surveillance. We do not want the standards applying to particular industries to clash with those applying to activities.
In any exercise looking at the need for consistency, there is a need to look at the links between privacy standards and other regulatory standards — these might be standards spelled out in retailing, industrial law, banking law or codes etc.
Another need for consistency is between the private and public sectors. While some have argued strongly that the private sector is not like the public sector and needs different rules, others have argued that the pace of outsourcing makes any distinction redundant. The Government’s outsourcing legislation will apply the existing public sector standards to the private sector and I have welcomed this move by the Government. I certainly did not want to see any watering down of existing standards. However, in the longer term I would like to see more generic legislation which is better adapted to the whole private sector, with perhaps a code for specific public sector activities. This would imply a review of the existing Act, with the possibility at that time of bringing the credit reporting provisions more into line with the rest of the private sector. However, while there is no legislation for the private sector more generally, I would not be wanting to embark on any review of the Act.
Some have argued that there need to be distinctions drawn between personal information which covers different levels of sensitivity. I think this is probably a good idea. I have particular concerns about the urgent need for Federal legislation in the health sector. However, others argue that the sensitivity of data depends more on its context than on the nature of the information itself. Names and addresses could be publicly available information in any telephone directory, or could be highly sensitive data in the context of domestic violence.
There must be no distinction drawn between paper-based and electronic records. A few people are arguing that there is a need for action in relation to the electronic environment, but trying to draw technological distinctions would be madness.
The most obvious area of concern about lack of consistency exists between State and Territory jurisdictions. Many argue that if States are going to legislate separately, then the Federal Government must act to avoid the patchwork approach. States of course must take care of their own jurisdictions, at both State and Local Government level. Local Governments are also renowned for their selling of lists of local residents for pool or pet ownership or housing renovations.
For the private sector which is potentially trying to operate nationally or internationally, different State and Territory laws would be an administrative nightmare. However, as I understand it, the initiative in Victoria is designed to achieve both legislative backing and national consistency. Alan Stockdale, the Victorian Minister for Multimedia, has foreshadowed that he wishes to work on national privacy principles which could be enshrined in legislation in Victoria, thus meeting the objective of national consistency of privacy standards.
So protection of information privacy is not a Commonwealth issue. It is a national issue.
It is interesting to note that Alan Stockdale, the Victorian Minister for Multimedia, was party to the 12 Sept Online Council statement which said: ‘Ministers recognise the desirability of a national approach to privacy and agreed, as a priority, to the establishment of an Online Council working party, working in conjunction with the Federal Privacy Commissioner, to develop the underlying principles of a data protection regime for the online economy.’
On 16 September the Prime Minister also announced that Senator Alston would be the Minister for Communications, the Information Economy and the Arts. He announced the establishment of the National Office of the Information Economy (NOIE) and a Ministerial Council with the view to coordination of the development of the online economy in Australia. Of course, Government also has before it the Mortimer, Goldsworthy and IPAC reports which all address the online economy.
The Standing Committee of Attorneys General (SCAG) also has privacy on its agenda.
So we need consistency and flexibility. One national scheme while avoiding the criticism of a ‘one size fits all’ approach. How do we achieve both things? NZ provides an interesting case study here. After the NZ principles were enacted, it was expected that a whole range of industry codes would also be an outcome. At this stage, there are only two sectoral codes (telecommunications and health) with most industries now finding that they can work comfortably within the existing principles and would find specific industry codes too restricting. A similar approach is open to us here. From my consultations to date, I have not heard that any industry wants its own codes except in the health area, and that pressure is coming from the consumer side.
What about international pressures? Where are we on the EU Directive? Debate is raging between the US and the EU. Both sides are taking this issue very seriously. Europe, the UK, Korea, Taiwan, Hong Kong and NZ already have privacy laws covering the private sector. In addition, Canada and Malaysia have foreshadowed legislation.
The US wants self-regulation (but they do already have significant coverage by some specific Federal privacy law and through State laws, though there is no omnibus law). The EU wants ‘Evidence of effective privacy schemes.’ That is:
An independent body seems to be an essential point for them.
In the paper we issued in August for a ‘self-regulatory’ scheme we tried to include all the criteria outlined by the EU. It may well be that if industry were to seize this challenge and implement the suggestions in a robust way — they may meet the test of adequacy. The debate still rages on this. Law would be simpler, and in my view cheaper, for companies operating in this EU context. But I have never made my position a secret. My position is for a light-handed co-regulatory approach.
The International Standards Organisation is also looking at whether or not there should be an international standard for privacy much like the ISO9000 series on quality.
Where are we with the process I am running? The paper was issued in August. I have been conducting forums Australia-wide throughout October and early November. Written submissions are being accepted until 7 November.
The paper consists of three components:
What is coming out of the forums and the submissions? At most of the sessions we have tried to have a business person make a few remarks and have a consumer or privacy advocate also make a few remarks. Not surprisingly, there are issues which have arisen at every forum. They arose also in response to the Attorney-General’s discussion paper and they are contained in written submissions in response to my paper.
What are the common issues? I have tried to highlight some, but it is not an exhaustive list. The issues are as follows: At each of the forums I have tried to provoke discussion by saying that the principles are not in contention — except at the margins. This is probably correct; however, there will need to be some negotiations around some issues:
However, I have the view that if a reasonably representative group of us were to lock ourselves away for a week — and we looked at the solutions that have already been found internationally for these problems (NZ, Hong Kong, Canada, EU) we could actually find some ground on which all the players were close enough to be able to live with the outcome.
From my perspective it has to be international best practice both for privacy and for business. As I understand it, most business people are saying that they are in agreement with a large proportion of what is being proposed here. Many business people have queried whether the privacy interests of business and the consumer are as divergent as they are made out to be. Some argue that there needs to be work done to find where the divergences occur — and we need to sit down and resolve them.
There is a range of transitional issues, such as retrospectivity, what to do about existing records and whether IT systems need to be redesigned, which again, I believe, can be dealt with through a dose of common sense.
The main area of contention is of course with the ‘mechanisms’. To legislate or not to legislate — that is the question. In response to the Government’s position — my paper faces the question: ‘OK, if we are to have voluntary codes and standards, how could they really work?’ This is where the real debate is going on.
In a self-regulatory process many questions arise, and are arising, in the forums. How to ensure that companies are abiding by the agreed standards? Who will monitor? Who will audit? What kinds of redress will be available to consumers? What incentives will there be for companies to buy in? How much of an industry has to sign up to the code or standards for it to work? How many industries need to sign up before we can say we have a ‘robust, effective national scheme’ for privacy protection in Australia? How do we bring in the free riders? How can those companies that sign up ensure that there is a level playing field and rogues are not undermining the system? What redress will there be for companies doing the right thing if others make profits from playing fast and loose with our personal data?
Certainly business does not want the cost of compliance with a voluntary code only to have to comply with legislation at a later time, or in a specific State. They argue that there is a need for certainty about the longer term future of any privacy scheme. These issues are being raised by both business and advocacy groups.
These problems are not just specific to privacy. They apply to any self-regulatory regime and these are problems which are difficult to address. We have tried to address them in our paper.
Flowing from all these questions is the question of costs to business, which was the reason given by the Prime Minister for no legislation. There is the question of the cost of the principles and there is the question of the cost of the mechanisms. When discussing costs I think it is sensible to distinguish between these.
In terms of implementing privacy principles, some argue great benefits, both in terms of improved customer relations and in better management of personal data. Others are concerned about compliance costs. The cost of access comes up at every session, though public sector and international experience indicates these fears are not real. There were, initially, also fears about the existing IPPs in relation to ‘the Digest’, which requires Commonwealth agencies to report on what records they hold. This was perceived to be very bureaucratic for businesses, and I agree with that view.
In addition, in my view, most small businesses would be untouched by privacy law. They may hold some employee records and some customer information, but they would be minimally impacted unless they wished to sell their lists on to someone else. If they were to sell their lists then at that time the privacy law would impact, but that would be necessary if all businesses were to get the ‘level playing field’ they desire.
There will be costs associated with printing of new notices. These can be addressed by sensible phasing in. New words can be used when forms are due for reprinting. There are concerns about training costs. These are real, though again, the training in privacy is a cultural issue which could be integrated into existing training schemes. There are also concerns about the need for systems changes. Industry argues that all their resources are tied up with the millennium problem. Sensible phasing in could also address this issue. This has been the experience in NZ and Hong Kong and in the Commonwealth Government sector.
I think the bigger question is, what will be the costs to business of setting up and administering the necessary framework for making this self-regulatory system work?
Is there the will to do it? There are many who are arguing that this is a very expensive way forward.
Do we have any choice? Perhaps our choices starkly painted are:
Doing nothing is of course a real possibility out of this whole process, but if that is the outcome it is my view that Australian consumers will be treated with contempt — but just as importantly, Australian businesses will be major losers in terms of lost opportunity — and we will get the chaos we deserve.
Many of the advocacy and consumer groups are boycotting the consultation process around the paper. I understand where they are coming from. They want law — they don’t want self-regulation. To participate in any consultation process around self-regulation is, as they have articulated it, a ‘no win’ situation for them. Advocacy groups see themselves as better spending their limited resources attending to serious proposals for legislation. In this context, State initiatives are to be encouraged by consumer groups, both because of the protection provided to data subjects, and to maximise pressure on the Federal Government to legislate. I do, however, regret that I will not have the benefit of their input, except in Victoria, where some groups are suggesting that because Victoria is discussing law, they can be part of that process.
I finished my consultations in Brisbane on 5 November. I have accepted written submissions up to 7 November. I am now undertaking an evaluation of where we have got to.
At each of the forums, and in some of the submissions, people, companies, industries have said they want to be part of further consultation. Some are keen to push the process forward. I need to work out who is out and who is in — and on the basis of this, whether it is viable to go forward. Of those who are in, can we agree on principles? To do this quickly would provide the necessary urgent response to some of the issues of patchwork.
The nature of the enforcement can then be tackled — perhaps State by State, industry by industry — or nationally.
I will be meeting almost immediately with the Online Council working party — which also wants to know about reactions to my proposals. I will be staying in close touch with the States, especially through this Online Council process, and also through SCAG.
My intention is to have something to report back to everyone, including Government, before Christmas. It may be a progress report, it may be an agreed position. I may also be providing confidential advice to Government.
I am concerned to move fast — because I don’t want my process to be used as an excuse for no action on other fronts. ‘Let’s wait and see what comes out of Moira’s process’ cannot be allowed to go on past this round of consultations.
My own position, at this stage, is that if we are to achieve one national approach we will have to move fast. I still hold the view that we need light-handed back-stop legislation to support and enable self-regulation. Where self-regulation is working it can be allowed to work except for some umbrella monitoring and reporting. Where self-regulation does not exist, or is failing, there need to be backstop provisions to protect both data subjects and businesses who are doing the right thing. Enabling framework legislation for the information economy is an essential and integral part of that.
Ultimately we will need to use all of the mechanisms at our disposal — law, self-regulation, codes of conduct, model contracts, contracts, privacy enhancing technologies (PETs) and laws around PETs. All of these can take many different forms — we have lots of choices.
The best outcome would be for the players to be able to reach consensus about how to balance all these different approaches. We shall see what we shall see.
Moira Scollay, Federal Privacy Commissioner.