Privacy Law and Policy Reporter


Clarke, Roger --- "Serious flaws in the National Privacy Principles" [1998] PrivLawPRpr 24; (1998) 4(9) Privacy Law & Policy Reporter 176

Serious flaws in the National Privacy Principles

Roger Clarke

On 20 February 1998, the Australian Privacy Commissioner released a document entitled ‘National Principles for the Fair Handling of Personal Information’ (hereafter NPP).

The Principles are, at least at this stage, no more than that. It is entirely unclear to what extent they will be even nominally adopted by companies, and to what extent even the loosest of industry association complaints and compliance mechanisms will be established. The government’s present policy is to not provide any form of legally enforceable complaints or compliance mechanism. On the evidence of other ‘self-regulatory’ arrangements, the most reasonable assumption is that the Principles will be honoured only in the breach. This paper accordingly views the NPP as an empty statement.

It is, nonetheless, worth analysing. This is because it joins only a small number of such statements that are directly relevant to the Australian debate, namely the OECD Guidelines, the Privacy Act IPPs, the Australian Privacy Charter, and the EU Directive.

This paper commences with specific criticisms of particular aspects of the NPP’s contents. Further observations are made about the political process that led to its publication. Finally, it is silhouetted against the broad sweep of change in the privacy protection arena.

Defects in the content

At present, the private sector in Australia is subject to only very limited privacy regulation, much of it accidental, or incidental to other purposes. Many aspects of the NPP could represent a significant improvement on the present parlous situation, if only there were grounds for believing that the principles will actually be effectively applied.

The NPP contains, however, some flaws so serious as to demand active opposition from the privacy advocacy lobby. This paper focuses exclusively on the NPP's key weaknesses, without reference to its many positive elements.

Privacy of personal data is only part of the need

Focus on data protection to the exclusion of the other dimensions of privacy is too limited (Clarke 1997-). The Australian Privacy Charter expressly set out to address that deficiency (Dixon 1995). It has provided a valuable framework for discussions since its publication in 1994 (see, for example, (1997) 3 PLPR 171). It is therefore a great pity that the NPP failed to apply, or even refer to, the Charter.

As a result, the NPP fails to address the questions of:

Missing personal data principles

The NPP does adopt one of the additional principles identified in the Charter, namely that which relates to anonymity (NPP 8). Unfortunately it fails to even mention pseudonymity as an option, that is, the ability to deal with an organisation under a persistent identifier that is not linked to the person's real identity. Doing so would have been entirely feasible in the Guidance Notes, if not in the Principle itself (see Clarke 1996d).

NPP entirely fails, however, to address two other very important needs:

Workplace privacy

The Introduction leaves entirely open the question as to whether employment data is within the NPP’s scope. This is a serious weakness. In the 1970s, it was excusable to tread carefully in this area, because of the substantial amount of existing law, policy and practice, and the sensitivities involved. A quarter-century later, the framework, the policies and the practices in this area are much better understood (see Nolan 1995). They should be codified, and they should be codified within the context of (an appropriate set of) national principles.

Use and disclosure

The Use and Disclosure Principle (NPP 2) is a rabbit's warren of special pleadings accepted and promulgated.

The direct marketing industry

Direct Marketing has been a battlefield for years. It is currently a battlefield, with so-called ‘outbound tele-marketing’ reaching epidemic proportions, and Calling Number Display (CND) (see Whittle 1996) recently imposed by Telstra using its market power, with the connivance of a Government intent on reaping a rich dividend from the sale of the corporation (see (1997) 4 PLPR Special Issue 6 and (1997) 4 PLPR 128). Moreover, it will be a battlefield for years to come, with marketer privacy intrusions on the Internet already a very serious problem (Clarke 1997b). Privacy aspects of Direct Marketing are examined in Clarke (1998), which was in preparation at the same time as NPP was being written.

It is astonishing to find that NPP 2.1(c) purports to legitimise the direct marketing industry's existing, hitherto unauthorised practices. This represents not just de facto, but arguably de jure, approval, not just for unsolicited mail, but also for unsolicited telephone calls, and even for unsolicited Internet communications. The Privacy Commissioner and staff received a bid for special treatment put to them by a special interest group, failed to undertake appropriate research, and aligned themselves with the big battalions.

Evidencing the hurried manner in which the clause was drafted, NPP 2.1(c) does not even go so far as to require organisations to actually take any notice of a person's request to have their details placed on the envisaged opt-out list. Such detailed matters were to have been the subject of detailed industry codes negotiated among all parties, not deals done between an industry association and the Privacy Commissioner.

The credit reporting industry was subject to lengthy investigation over a period of 15 years (1975-1989). Once the nature of the business was understood, it was authorised to do much of what it had been doing, but subject to regulatory measures under Pt IIIA of the Privacy Act 1988 (Cth). Much the same must happen in respect of the direct marketing industry, except that the urgency of regulation is much greater, and the evidence supporting many of the practices is much less strong than was the case with credit reporting.

Law enforcement exemption

The Principles attempt to enshrine criminal law, pecuniary penalty and public revenue exceptions (NPP 2.1(g)). These would authorise every organisation to provide almost any personal data to any law enforcement officer under virtually any circumstances, without any formal power having been exercised.

This represents the legitimisation of practices that are uncontrolled, and demand justification. The Guidance Notes recognise that there is no obligation ‘to release information without the exercise of a formal power’, and that the matter is contentious; yet the Privacy Commissioner has legitimated voluntary provision, in an uncontrolled manner, without regard to prior research and complaints experience, and without consultation concerning the impacts such a measure would have.

National security exemption

The Principles also seek to enshrine a national security exemption (NPP 2.1(h); see also 6.1(j)). The Privacy Act provides absolutely no controls over the national security agencies, because they are entirely exempt from it. In the post-Cold War era, it is appalling to discover that the Privacy Commissioner remains in the thrall of the national security sacred cow.

The appropriate position for the Privacy Commissioner to take is to demand measures to bring the national security and law enforcement communities within the privacy regulatory regime. It is clear that some special provisions are needed, because high levels of security are involved. It is impossible to believe, however, that some appropriate balancing of powers cannot be constructed involving interaction between the Privacy Commissioner and other statutory appointees and agencies such as the Inspector-General of Intelligence and Security.

Logging of disclosures

The Principles fail to require conformance with the standard expectation that disclosures made under exigencies, such as emergencies involving a threat to human life, should be logged, so that a trace of the activities of those who abuse the exceptions is retained and can later be audited (NPP 2.1(d), 2.2).

Multiple use of identifiers

A great deal of research has been conducted into the risks involved in multiple use of identifiers, and a substantial literature exists. The preclusion of multiple use of identifiers is a fundamental protection against widespread data surveillance and the emergence of a 'dossier society' (Clarke 1994). Reflecting this, there is an express statutory prohibition on unauthorised uses of the Tax File Number.

It is very pleasing that the Privacy Commissioner has included requirements that would limit the use of government identifiers in the private sector (NPP 7).

Unfortunately, this Principle incorporates serious loopholes created in the Use and Disclosure Principle (NPP 2). In any case, it falls far short of the real need, which is the freedom to adopt multiple, uncorrelated identities to reflect multiple roles (Clarke 1997c).

Defects in the political process

In their platforms for the March 1996 election, both the Labor Party and the Coalition committed to legislate privacy protective regulation for the private sector. The Coalition's promise, which was sensibly described as 'co-regulatory' in nature, was enlarged upon in a Discussion Paper of September 1996 (see Clarke 1996b and Clarke 1996c). Public submissions arising from that Discussion Paper were published in (1996) 3 PLPR issues 9 and 10.

It transpired, however, that the undertaking was a ‘non-core promise’, and it was duly reneged on in March 1997, by Prime Ministerial fiat (see (1997) 4 PLPR 1).

Instead, the Privacy Commissioner, who is a statutory appointee under s 19 of the Privacy Act 1988, was told by the Prime Minister to offer her services to help Australian businesses to develop voluntary codes of conduct to meet privacy standards. This instruction followed a 40 per cent reduction in the budget for her Office, and was not accompanied by any offer of targeted funding.

I may be readily charged with political naiveté, but I do not believe that the Privacy Commissioner should have accepted the proposition, at least in the form in which it was addressed to her. The Privacy Commissioner’s functions include ‘to undertake educational programs’ (s 27(m)), and ‘to encourage corporations to develop programs for the handling of records of personal information that are consistent with the [OECD Guidelines]’ (s 27(n)). They do not extend to diverting a substantial segment of a substantially reduced budget to work of this nature.

Nonetheless, the Privacy Commissioner commenced a consultative process. The privacy advocacy lobby at first declined to participate, on the grounds that voluntary guidelines are not an adequate mechanism, and the promised ‘co-regulatory’ model, including legislative backing, was what was needed and wanted by the private sector and the public alike.

After representations from the Privacy Commissioner, advocates agreed to take part in the development of a set of principles, provided that they were designed in such a manner that they were capable of being supported by legislation at the earliest opportunity. The Privacy Commissioner has failed to reflect in the document that important aspect of the consultative process that preceded her promulgation of the Principles. Moreover, the document is structured in such a manner that there is absolutely no momentum provided towards a mechanism that will have regulatory teeth behind such corporation and industry-association layers as may come into existence.

A further concern is that the consultative process was characterised by imbalance between the weight given to submissions from government agencies and industry associations, in comparison to those from representatives of the public interest. Exceptions that were embodied in the final version reflected a series of special pleadings from vested interests, including some submitted behind closed doors, and some submitted after the mainstream consultative processes had been completed.

The Privacy Commissioner's capitulation is all the more disappointing in view of the significant momentum that exists towards legislation, including large numbers of corporations and associations that recognise the benefits of an appropriate statutory framework for privacy protections, and the Government's own acknowledgement that the outsourcing of government data processing requires the imposition of regulation on contractors, which it has embodied in a Government Bill introduced in April 1998.

The long term view

In 1967, American academic Alan Westin proposed that a limited official response was sufficient to address privacy concerns. Administrative convenience and efficiency were the paramount concerns. The legislation of the 1970s, and its codification in the OECD’s 1980 Guidelines, reflected the Westin model, which has come to be known as the ‘Fair Information Practices’ approach.

The Privacy Act 1988 was a late addition to the pool of such laws. Its great weaknesses were catalogued in Clarke (1997a). Technology and administrative practices have both greatly developed during the last 30 years. A near-future paper will argue the urgency of moving well beyond the Fair Information Practices model.

The Australian Privacy Commissioner's 1998 'National Principles' document is merely a very late addition to the substantial pool of 1970s documents. A document based on 30-year-old precepts, and which contains additional exemptions based on special pleading, is utterly inadequate as a means of addressing the ever-growing public concerns about the privacy invasiveness of business practices.


The result of a flawed process is a flawed document. The ‘National Principles’ have many mainstream and worthwhile features, but contain carefully crafted loopholes that seriously undermine some of its most important features. In particular, the exceptions to the use and disclosure principle essentially gut the critical protections that this principle is supposed to provide. They attempt to legitimise practices that demand public justification.

Far from being greeted with any kind of celebration, the document should be regarded as an attempt by the federal government, exploiting the Privacy Commissioner’s limited resources, to divert attention away from its failure to deliver what the country demands, which is effective privacy protections. It is merely a stage in a process, not an outcome.

State governments are seeking to ensure public confidence in the use of electronic commerce and electronic services delivery. If the federal government persists in its failure to act, those governments will be forced to enact legislation binding corporations operating within their States.

Moreover, the private sector recognises the harbingers of change, and the public demand for effective privacy protections (Clarke 1996a). The ‘National Privacy Principles’ document is not what the private sector needs if it is to gain public confidence in the manner in which it handles personal data.

Roger Clarke, Principal, Xamax Consultancy Pty Ltd, Canberra, and Visiting Fellow, Department of Computer Science, Australian National University.
