Privacy Law and Policy Reporter
The Australian Bankers’ Association has welcomed the release of the National Principles for the Fair Handling of Personal Information by the Privacy Commissioner and the Commonwealth Attorney-General, Daryl Williams, on 20 February 1998. ABA actively participated in the Privacy Commissioner’s working party, which was set up to produce a set of national principles acceptable to all stakeholders. ABA sees the principles as a valuable guide for all businesses in balancing the legitimate and responsible use of personal information about their customers with the reasonable expectations of those customers.
The guiding nature of the principles was reinforced by the Attorney-General when he described them as not ‘legalistic rules’ but rather as intended to provide ‘practical assistance to business’. If they were otherwise, there would be some concerns about their application to financial services.
The principal consideration shaping ABA’s approach to the development of the principles was the change dynamic currently at work in the financial services sector. The Wallis Report made a whole range of recommendations for reform of the financial services sector based on the changing nature and face of the industry. The underlying trends in the development of the financial system identified by Wallis are leading to the formation of financial conglomerates, where products and services are not necessarily identified with their traditionally recognised suppliers. The range of products and services is broadening, and the packaging or bundling of products and services is common.
Therefore, as the principles were being debated and developed we tested them against this backdrop of change. The principle dealing with the use and disclosure of personal information caused us some concern because of its potential limitation on the ability of a financial conglomerate to effectively share and then use personal information across the group. Wallis recommended (Recommendation 100) that sharing of information among entities within a group should be specifically allowed unless the customer signifies that he or she does not consent. Also, Wallis recommended that in developing codes of practice they should apply to the function of financial service provision rather than to financial institutions themselves (Recommendation 101).
While the meaning of ‘organisation’ under the principles includes a group of related companies, the notion of a ‘primary purpose’ and a ‘secondary purpose’ under use and disclosure principle 2.1 coupled with the requirement that the secondary purpose must be consistent with the reasonable expectation of the customer is difficult to fit into the Wallis approach. ABA submitted that the use and disclosure of personal information under 2.1(a) need only be consistent with the reasonable expectation of the individual concerned. ‘Secondary purpose’ connotes a purpose which is a derivative of the primary purpose and, if read that way, it limits the ability of an organisation to use and disclose personal information even where the individual concerned expects it. Arguments that the consent of the individual could reasonably be implied in these circumstances are tenuous. Even if those arguments hold good, why then is it necessary to distinguish between primary and secondary purposes? If the individual could be taken to reasonably expect that a particular use or disclosure of his or her personal information will occur and this is tantamount to implied consent then para 2.1(a) is unnecessary. At present, the way the principle is drafted, the concept of implied consent would seem to be something different from the tacit expectation of the individual concerned.
This type of difficulty in interpreting the principles demonstrates the significance of the Attorney-General’s statement at the launch of the principles that they are not intended to be legalistic rules.
Another issue which concerned ABA arose under principle 6.1 which deals with the access and correction arrangements for the customer. Unlike public sector bodies which are creatures of statute and have their powers, functions and obligations to the community set by statute, private sector bodies compete and do not administer public entitlements. If a customer of a private sector body is dissatisfied, the customer has the choice to deal with a competitor organisation.
ABA agrees that an individual should be able to access and, where appropriate, correct personal information about that individual. Exceptions to the access and correction arrangements should provide for commercially sensitive and proprietary material. In their current state, paras 6.2 and 6.3 do not effectively exclude all commercially sensitive and proprietary material from the access regime. In Canada, under the Model Code for the Protection of Personal Information, commercially proprietary information is exempt. Under the proposed UK Data Protection Bill (14 January 1998), personal data processed for the purposes of management forecasting or management planning to assist the organisation in the conduct of any business or other activity are exempt where access would be likely to prejudice the conduct of that business or other activity. Of course, the UK is bound by the European Directive 95/46/EC and the Bill is to give effect to the requirements of the Directive.
ABA would have preferred to see all evaluative and opinion material exempt from access because that sort of information is commercially proprietary to the organisation. The principles go some way towards this position by exempting material which could reveal the intentions of the organisation before it engages in negotiations with the customer and by providing for an explanation for a decision to be given instead of giving access which could reveal evaluative information in connection with a commercially sensitive decision making process.
The Privacy Commissioner is to review the principles after six to 12 months, which should give organisations time to test where changes are required, including the matters mentioned above.
Member banks are presently looking at the principles to determine the extent to which their current practices and procedures are consistent or otherwise with the principles. This is the first step in a process by banks to bring their data collection and management arrangements into conformity with the principles.
ABA is looking forward to the next round of consultations with the Privacy Commissioner on implementation issues, which presumably will involve a similar process with representatives of sectional interests debating the issues in a working group format. This process was successful in developing the principles and fostered a better appreciation by those involved of other representatives’ positions. ABA congratulates the Privacy Commissioner on bringing together a range of views into a single document in a short space of time.
The issues presented by implementation of the principles are complex. ABA is strongly opposed to the principles applying retrospectively to existing data. If an organisation has to ascertain what data it holds, what the primary purposes and the reasonable expectations of customers were when it was collected, and whether to make fresh contact with customers because consent may be necessary, it is inevitably going to be a time-consuming and costly exercise.
Over time, the governments of Victoria and NSW have expressed the intention to introduce privacy legislation covering the private sector. ABA and all other private sector associations which got behind the national principles project did so because there was a need to ensure that, to use the Privacy Commissioner’s words, ‘a patchwork of different standards applying across industries, technologies and State and Territory boundaries’ is avoided. Now that the principles have been launched with the strong encouragement of the Attorney-General and the Privacy Commissioner for the private sector to take them up, not as legalistic rules but as a practical guide to business to self-regulate, it would be quite inconsistent and unnecessary if a government were to legislate. ABA and other key industry associations would be strongly opposed to their doing so.
In concluding, it is timely to mention the business compliance cost assessment carried out by the UK Home Office as part of the regulatory impact assessment for the Data Protection Bill. The Explanatory and Financial Memorandum to the Bill states ‘This Bill has cost implications for the private and voluntary sectors. The start-up costs for business are estimated at (Stg) 836m and the recurring costs at (Stg) 630m. For the voluntary sector the estimated costs are (Stg) 120m for start-up and (Stg) 37m recurring.’
In the implementation work ahead, proper attention has to be paid to the compliance cost perspective.
Ian Gilbert, Director, Legal, Australian Bankers’ Association. Ian represented the ABA in the Privacy Commissioner’s consultation process.