Privacy Law and Policy Reporter
Nigel Waters & Graham Greenleaf
In the last few months Australia has moved to within sight of binding laws applying to the bulk of personal information handling in the country in both the public and private sectors.
In this special issue, we focus on the three major legislative initiatives — in New South Wales, Victoria and the Commonwealth. The general welcome we give these initiatives is tempered with some serious reservations. We also report on amendments to the Privacy Commissioner’s ‘National Principles’, and on the voluntary General Insurance Industry scheme which is the first serious implementation of those Principles.
The NSW Privacy and Personal Information Protection Act 1998 has major flaws and omissions which make it a poor model for public sector privacy laws in other jurisdictions. It is privacy legislation for the less important (that is, non-exempt) parts of what remains of the NSW public sector after corporatisation and privatisation. However, it does have provisions which are worth emulating, including some of its privacy principles (which are not based on the Privacy Commissioner’s ‘National Principles’), and its strong remedies.
The Victorian government’s draft Data Protection Bill offers a flexible method of balancing legislative privacy principles with more tailored industry-specific codes of practice, while maintaining high privacy standards in codes and providing for non-reducible remedies and a strong Privacy Commissioner. It is the best and fairest legislative benchmark for privacy protection yet set in Australia, and should be the starting point for negotiations about the shape of any national legislation. The draft Bill has room for improvement on some technical issues, but its main weaknesses are simply those of the the Privacy Commissioner’s Principles around which it is based. If enacted without major changes or exemptions, it will be a better model for State public sector laws than the NSW Act.
The Commonwealth’s new-found commitment to legislate for the private sector is still vague and sketchy, and the much needed extension of the Privacy Act to outsourcing of government activities is still in abeyance. It is not clear whether the Commonwealth proposes to replace the whole of the existing Privacy Act with a new Act, or to add a new Part (including the Commissioner’s Principles) to the existing Act so that it can apply to the private sector. The Commonwealth Attorney-General’s Department is proposing to start discussions with business and consumer organisations in March, but with no legislative timetable yet suggested.
If the Commonwealth drags its feet or advocates a lesser standard, Victoria should stick to its promise and apply its legislation to the private sector. It may still come to that.
The other States and the Northern Territory remain without any serious privacy protection, despite some good official recommendations and valuable initiatives by specific government departments. Which model each chooses for public sector privacy protection (Victoria, NSW, Commonwealth or a hybrid), will be an important question.
There is a long way to go before we can be confident that this somewhat optimistic view of privacy with which we start 1999 is not just another mirage, and that the landscape really has changed for the better.
One significant stimulus for the new initiatives has been the desire to avoid any restrictions on international data transfers, and all three legislative initiatives address this issue in a way that could make Australia the leading country outside Europe to deal with the problem of international harmonisation of privacy laws. However, the way in which each jurisdiction is handling data exports has sufficient loopholes for it still to be quite uncertain.
Chris Puplick has been appointed as the new NSW Privacy Commissioner. The former Chairman of the NSW Privacy Committee will combine the office of Commissioner with his position as President of the Anti-Discrimination Board. The Victorian Bill also provides for a State Privacy Commissioner. A new Commonwealth Commissioner has not yet been appointed.
The NSW Act and the Victorian Bill each provide for the State’s Privacy Commissioner to act as a ‘privacy ombudsman’ to investigate and conciliate complaints of interference with privacy where those complaints go beyond ‘information privacy’ in such areas as surveillance and intrusion. This may become part of the ‘Australian model’ for privacy protection, and would be an important and desirable development.
On her last day in office — 11 January — Privacy Commissioner Moira Scollay issued a revised version of her National Principles for the Fair Handling of Personal Information. This follows extensive consultation with both industry, consumer and government representatives over the last six months. The main changes are to the law enforcement exceptions to the use and disclosure, and access and correction principles (Principles 2 and 6 respectively), with some other minor changes to clarify the meaning of particular provisions, particularly in light of informal comments from the European Commission. The revised Principles are at http://www.privacy.gov.au, and the revisions will be included in a later issue of PLPR.
The Commissioner did not make the more substantial changes requested by privacy and consumer organisations (see (1998) 5 PLPR 41), and whether they will give any limited endorsement to her Principles or reject them in toto remains to be seen. She rejected changing Principle 2 concerning direct marketing other than some minor clarification. The ‘onward transfer’ (data export) principle (Principle 9) has been changed to apply to all onward transfers, including within Australia and not just those to foreign jurisdictions.
Given that the Commissioner’s Principles are intended by both the Victorian and Commonwealth governments to form the basis of legislation for the private sector (and in Victoria also for the public sector), this latest attempt by the Privacy Commissioner to satisfy a range of different interests is very significant. While Ms Scollay clearly hoped that the January 1999 version will be accepted unchanged, this seems unlikely as legislation passes through the Victorian and Commonwealth parliaments. Industry groups, consumer and privacy advocates and government agencies can all be expected to lobby for what they see as necessary or desirable improvements. These Principles are not yet a matter of consensus.
Following Moira Scollay’s departure on 11 January, Deputy Privacy Commissioner Timothy Pilgrim has been appointed Acting Commissioner by the Attorney-General for the period until a new Commissioner is appointed or 11 July, whichever is the earlier.
The federal government has appointed new members to the Privacy Advisory Committee (PAC), established under s 82 of the Privacy Act 1988 to advise the Privacy Commissioner on a range of matters. The new members, announced on 29 January, are Mara Bun, Policy & Public Affairs Manager of the Australian Consumers Association (ACA); Peter Upton, Executive Director of the Australian Information Industries Association (AIIA); John Martin, Executive Director of the Australian Chamber of Commerce and Industry (ACCI) and Richard Moss, Deputy Secretary of the Attorney-General’s Department. They join existing member John Godwin, from the Kingsford Legal Centre in Sydney.
The four positions that have just been filled have been vacant for more than a year, after the terms of previous members expired and other members left because of changes in their employment. The irony is that after so long with a Commissioner but no fully functioning PAC, there is now a complete Advisory Committee but no Commissioner! It will be interesting to see what attitude a new Commissioner takes to the PAC, which has been grossly underused in the past, leading to some frustration amongst the past members.
On 9 December, the Attorney General introduced the Privacy Amendment (Office of the Privacy Commissioner) Bill 1998 into the House of Representatives. This Bill implements the government’s decision, announced in 1997, to establish an Office of the Privacy Commissioner separate from the Human Rights and Equal Opportunity Commission (HREOC). This clarification of an ambiguous, and at times difficult, relationship had been recommended by the first Commissioner Kevin O’Connor, and by the joint HREOC-Attorney General’s Department-Finance Department Review of HREOC which reported in 1996. The amendments were originally introduced in April 1998 as a Schedule to the Human Rights Legislation Amendment Bill (No. 2) 1998, but due to lack of progress with that Bill were split off into the new Bill in December.
The amendments create a separate statutory office comprising the Privacy Commissioner and his or her staff, established as a department under the Public Service Act 1922 (which itself is subject to amendments currently in Parliament). It is expected that the Privacy Commissioner will in future receive a separate appropriation in the Commonwealth budget, although at least in the short term the office will continue to be co-located, and share overheads, with HREOC.
In the second reading speech the Attorney-General suggested that one reason for the change was to give the Privacy Commissioner a higher profile and therefore effectiveness, and bring the office in line with the situation in other countries.