Privacy Law and Policy Reporter
The Commonwealth Attorney-General’s Department has issued a consultation paper, The Government’s proposed legislation for the protection of privacy in the private sector (September 1999). Extracts from the paper are reproduced below. The full paper is available from the Department’s web site at <http://law.gov.au> or from (02) 6250 6211 or by emailing <email@example.com>. Submissions are invited by 30 September.
The only excisions from the text are the contents list, an introduction, a brief history/background section and details of the public consultation meetings to be held in September — Editor.
Briefly, the legislation will allow for the recognition of self-regulatory privacy codes backed by default legislative principles and a complaint handling regime that will apply where there is no applicable privacy code. The self-regulatory codes and the default legislative regime will provide alternatives that are intended to provide equivalent standards of protection for individuals in their dealings with the private sector. This will provide an essentially level playing field for private sector organisations and individuals, irrespective of whether an organisation is covered by a code or by the default legislative provisions.
The Privacy Commissioner will have a major role in the scheme. He or she will have an overall promotion and oversight role in relation to the private sector, whether covered by a code or not. The Privacy Commissioner will be responsible for approving privacy codes, providing assistance and advice to organisations, handling some complaints, and generally promoting an awareness and understanding of the scheme.
The legislation will contain standards for handling personal information and will require privacy codes also to contain such standards. Breach of those standards will constitute an interference with an individual’s privacy. An individual who considers that an organisation has breached the privacy standards in relation to their personal information will have the right to make a complaint that their privacy has been breached.
The legislation will also allow for privacy codes to set up their own complaint handling scheme with its own code complaint body. The Privacy Commissioner will be responsible for handling complaints about breaches of the legislative regime where there is no applicable privacy code or where there is a privacy code but that code does not provide a complaint handling scheme with a code complaint body. Where a privacy code establishes a complaint handling scheme with a code complaint body that body will be able to determine a complaint. As is currently the case in the Privacy Commissioner’s limited private sector coverage, a determination of a complaint by the Privacy Commissioner or by a code complaint body will be enforceable in the Federal Court of Australia.
No. The amendments will be introduced in the Privacy (Private Sector) Bill 1999, which will amend the Privacy Act. When enacted the private sector amendments will form a new separate Part of the Privacy Act.
Appropriate transitional arrangements will be built into the legislation to allow organisations sufficient time to make any adjustments to their practices and procedures.
In summary, it is proposed that the obligation to comply with the standards for handling personal information should arise on 1 July 2001 or 12 months after initial commencement of some provisions, whichever is the later.
Effectively the legislation will come into effect in two stages:
The only provisions that will commence in this initial stage will be some of those dealing with extending the Privacy Commissioner’s functions, such as providing education, guidance and advice, and approval of codes, together with any necessary mechanical provisions.
During this phase-in period, the standards for handling personal information will not have any legislative effect. All of the standards for handling personal information will apply to the acts and practices of organisations in relation to personal information collected from the end of the phase-in period.
During this time, codes can be developed and approved by the Privacy Commissioner, but will not have any effect under the legislation. Similarly, Public Interest Determinations for the private sector can be made, but will not have any effect.
The Privacy Commissioner will not be able to investigate possible breaches of the standards for handling personal information during this time.
The balance of the provisions, including the application of the standards for handling personal information, and the legislative backing for codes of conduct, will commence after a further 12 months or on 1 July 2001, whichever is the later.
This timeframe allows sufficient lead time for any implementation issues to be addressed before the provisions are binding. It also provides time for the Privacy Commissioner to conduct the education programs for which he or she has been resourced, targeting particularly small business, and to develop guidelines to assist business with implementation.
The Privacy Amendment Bill 1998 was introduced in 1998 to extend privacy protection where the delivery of services by the Commonwealth is outsourced. That Bill lapsed when the Parliament was dissolved prior to the last federal election. This legislation will now provide appropriate privacy protection across the private sector, including organisations providing outsourced services, and so supersedes the previous Bill.
The legislation will apply broadly across the private sector to bodies corporate or unincorporated and to individuals, such as sole traders or consultants, operating in their business capacity.
The legislation will also apply to Commonwealth bodies and government business enterprises that are not, because of their commercial nature, covered by the existing public sector application of the Privacy Act. This is consistent with the Government’s general position that such bodies should operate within the commercial environment.
In developing the legislative scheme, the question of compliance costs for small business will be closely considered. The Government is committed to ensuring that unnecessary costs are not imposed on small business, while at the same time providing a nationally consistent and effective framework for privacy protection in the private sector.
The Privacy Act currently applies to bodies such as agencies and credit providers, rather than to individuals. The National Privacy Principles (NPPs) to be set out in the legislation will similarly apply to the acts and practices of organisations.
Thus it will be the private sector entity that will be subject to the legislation (or a privacy code with which it agrees to be bound). For example, this may include an incorporated body, a partnership, an unincorporated body, a charitable organisation or a community organisation. Individuals may be covered if they are sole traders.
Yes. Section 8(1) of the Privacy Act currently provides that, for the purposes of the Act, anything done by a person employed by or in the service of an agency, a tax file number recipient, a credit reporting agency or a credit provider in the performance of the duties of the person’s employment is treated as if done by the employer. Similar provision will be made for the acts and practices of employees and people in the service of organisations.
No. The Government has identified a number of areas that will not be covered by the legislation. These include:
The Government is aware that there are particular sensitivities surrounding personal health information. That is why the Attorney-General asked the federal Privacy Commissioner to consult widely and advise him on the application of the National Principles to personal health information.
The Privacy Commissioner has recently advised the Attorney-General that the National Principles can appropriately apply to personal health information, with some modifications. The Attorney-General is currently considering the modifications recommended by the Privacy Commissioner, and therefore this paper does not discuss the application of the National Principles to personal health information.
Employee records are records collected or held by an employer about an individual employee which pertain to or arise out of their employment relationship.
They include the following: letters, resumes, referee reports and other material relating to engagement, variation of the terms of engagement, disciplinary matters, termination or resignation; personal and financial details; performance or conduct notes; time and wage records; payslip information; tax records; and leave records.
The Government has decided that employee records will be exempted from the coverage of the legislation. The Government considers that employee records should be dealt with as part of workplace relations arrangements. This exemption will also help to address the regulatory impact on small business. An organisation would not be required to comply with the NPPs, or Code Privacy Principles (CPPs), in relation to its acts and practices with respect to employee records.
No. This legislation will not apply to State or Territory public sector agencies (including local government bodies). How each State or Territory deals with protection of personal information in their own public sectors is a matter for them. It is not intended that the federal legislation would override specific provisions in State legislation where the State legislation is capable of operating concurrently. In relation to privacy protection in the private sector, there is general support by the States and Territories for a national approach.
Some States have taken steps to introduce privacy legislation within their own jurisdictions.
New South Wales: In NSW the Privacy and Personal Information Protection Act 1998 regulates privacy and protection of personal information in the NSW public sector. This legislation does not apply to the private sector in NSW.
Australian Capital Territory: The Privacy Act (as modified by the Australian Capital Territory Government Service (Consequential Provisions) Act 1994) has applied to the ACT public sector since 1 July 1994. The ACT also has separate legislation dealing with privacy and confidentiality of all personal health information held by public or private sector bodies in the ACT. This legislation is the Health Records (Privacy and Access) Act 1997.
Victoria: The Data Protection Bill 1999 was introduced into the Victorian Parliament by Victoria’s Minister for Multimedia, Mr Alan Stockdale, on 26 May 1999. The Bill is based on the federal Privacy Commissioner’s National Principles and addresses both public and private sector privacy. The Bill has yet to be debated. The Victorian Government has stated that it supports a national approach to private sector privacy and the Victorian Bill has been drafted to include a clearly separable division relating to the private sector in order to allow Victoria to take account of developments at the national level.
Northern Territory: On 22 April 1999 the NT Chief Minister issued a Ministerial Statement to the NT Legislative Assembly on Access to Information and Privacy. In that Statement, he said that in view of the Commonwealth Government’s decision to introduce light touch privacy legislation for the private sector he intended to introduce legislation to cover the NT public sector and thereby ‘complement the Commonwealth legislation and create a seamless framework of privacy protection’.
Yes. The legislation will set out NPPs specifically for the private sector in the same way that s 14 of the Privacy Act sets out the IPPs for the Commonwealth public sector. The NPPs will be based on the Privacy Commissioner’s National Principles.
In addition the legislation will allow a privacy code to include its own CPPs which must replace or incorporate all the NPPs, and provide at least the same level of protection. The CPPs will apply to private sector organisations that agree to be bound by a particular approved code.
The legislation will specify that an organisation that is bound by a privacy code should not do an act or engage in a practice that breaches a CPP in that code and, in the event that it does so, that act or practice will be an interference with privacy. It will also provide that an organisation not covered by an approved code should not do an act or engage in a practice that breaches an NPP and, in the event that it does so, that act or practice will be an interference with privacy.
Yes, essentially they will be the same, subject to any modification that may apply to personal health information as a result of the Commissioner’s advice to the Attorney-General on this question.
[The paper here includes a summary of the National Principles — which can be found in full on either the Attorney-General’s web site or the Privacy Commissioner’s site at <http://www.privacy.gov.au/>.]
The Privacy Commissioner will have a major role in relation to the NPPs. This role will include:
Some matters covered in the guidance notes may need to be included in the legislation. In general, though, they provide an explanation of the Commissioner’s approach to implementing the National Principles. As such they would best be issued by the Privacy Commissioner, as guidelines to assist in understanding or applying NPPs.
‘Existing information’ is information collected by the organisation before the end of the phase-in period of the legislation. The legislation will specify whether the NPPs (and equivalents in privacy codes) apply to existing information. How existing information will be treated under each NPP is set out below:
NPP 1 — Collection
This principle is inapplicable to collections that have occurred prior to commencement.
NPP 2 — Use and Disclosure
The restrictions on use and disclosure of personal information will not apply to existing information.
NPP 3 — Data Quality, NPP 4 — Data Security and NPP 5 — Openness
These principles will apply to existing information. It is expected that this should have little or no effect on compliance costs for business, as the NPPs have an inbuilt reference to reasonableness in the circumstances.
NPP 6 — Access and Correction
This principle will not apply to existing information as it is considered unlikely that the benefits of providing access to existing information would justify the additional compliance costs.
NPP 7 — Unique Identifiers
This principle will apply to existing information. The principle does not prevent organisations recording a government assigned identifier, but rather prevents them adopting such an identifier as their own. Accordingly, it is unlikely to impact widely on current information holdings.
NPP 8 — Anonymity
This principle is also inapplicable to existing information, as it relates to the provision of an opportunity to interact with an organisation anonymously. It is proposed that it should not apply to existing information.
NPP 9 — Transborder Data Flows
As the operation of the principle is not directly related to collection practices, this principle will apply to existing information.
NPP 10 — Sensitive Information
This Principle limits collection of sensitive information and has no equivalent in the IPPs. As with Principle 1, it is inapplicable to existing information.
act or engage in a practice that would breach an NPP?
The Privacy Act currently provides a mechanism that has the effect in certain circumstances of permitting an agency to do an act or engage in a practice that would otherwise be in breach of an IPP. Under s 72 of the Privacy Act, the Privacy Commissioner is able to take account of the public interest in an agency doing an act or engaging in a practice that breaches or may breach an IPP. If that public interest outweighs to a substantial degree the public interest in adhering to the IPP, the Privacy Commissioner may make a determination that effectively allows that act or practice. These are called Public Interest Determinations (PIDs) and are disallowable instruments. This means that they are subject to the scrutiny of Parliament.
The Privacy Commissioner has formulated guidelines in relation to the procedures for applying for a PID.
To date the Privacy Commissioner has issued seven PIDs. All concern IPP 11 and authorise disclosure of personal information by a particular government agency in specific circumstances or to specified bodies.
The proposed legislation will include a similar mechanism in relation to the NPPs and CPPs. The Privacy Commissioner will be able to make PIDs to permit an act or practice that would otherwise breach the NPPs or an approved code. The public interest test will apply, together with consultation requirements, depending on the breadth of application of the proposed determination. As with the existing PIDs, the determinations would be disallowable, as they could vary the standard set by Parliament in the legislation.
The proposed legislation will also include the availability of a simpler, speedier process for the making of PIDs to deal with urgent situations. To ensure proper public scrutiny, such determinations will only be temporary, providing holding cover until the full process can be completed.
A privacy code may be developed by:
Where an industry already has a code that covers various aspects of that industry, the privacy code may be made part of that wider code providing that the part forming the privacy code is clearly identifiable. Only that part of the wider code approved as a privacy code would have effect for the purposes of this legislation.
A privacy code may be developed to apply to:
The approved code will apply to the activities of an organisation so as to override the default legislative NPPs (and if the code provides for complaint handling, the legislative complaint mechanisms) from the time at which the organisation is bound by the approved code (as provided for by the code). Where an organisation is bound by a code before the code is approved, the code will only override the default legislative provisions from the time of approval.
In some cases it may depend on the contents of the relevant code. For example, a code may provide that an individual has the option of having a complaint about something that occurred before the organisation was bound by the approved code handled either under the code, or under the default legislation. If so, an individual must be informed of this option by the organisation or the body to whom it complains, at the time they become aware of a complaint by the individual. The Privacy Commissioner must not investigate a complaint where the individual has opted to have it dealt with by a code complaint body.
The Privacy Commissioner will have responsibility for approving privacy codes. He or she will also have responsibility for approving variations to approved privacy codes, and in appropriate circumstances, for revoking approval of a privacy code.
The legislation will provide that, in considering whether to approve a privacy code or a variation of a code, the Privacy Commissioner may consult any person or body that he or she considers it appropriate to consult, and must be satisfied that members of the public have been given adequate opportunity to comment on the code or variation. This will allow the Privacy Commissioner and the organisation developing a code to agree on appropriate consultation requirements to suit the particular circumstances.
Similar provision will be made so that, before deciding whether or not to revoke an approval, the Privacy Commissioner must consult the organisation or body that sought approval of the code, may consult any person or body that he or she considers it appropriate to consult, and must be satisfied that members of the public have been given adequate opportunity to comment on the proposed revocation.
The approval of a code by the Privacy Commissioner will be a disallowable instrument and therefore subject to the scrutiny of the Parliament. In effect, approval of a code replaces the legislative provisions and renders the code enforceable. It alters rights and obligations.
The legislation will require the Privacy Commissioner to maintain and make publicly available a register of approved codes. The Privacy Commissioner will determine the form of the register.
Who is covered by the code
A privacy code must include provisions regarding which organisations it binds, and must not purport to bind an organisation that has not consented to be bound. A code could provide alternatively:
Where compliance with a code is a condition of membership of an industry body, membership of that body would be taken to be consent.
A privacy code should set out the period for which it will operate, or the circumstances in which it will expire.
A code must include CPPs that are consistent as a whole with the NPPs. The CPPs may provide additional protection and/or elaborate on how one or more of the CPPs are to be applied or complied with.
A code may include a complaint handling process. If a complaint handling process is included, that process and in particular the standards set in relation to that process must embody an equivalent standard of dispute resolution to that provided by the Privacy Commissioner. The following criteria are relevant to that standard:
A complaint handling process approved as part of a privacy code must include a code complaint body. Complaints about breaches of the code’s Privacy Principles must be able to be made to the relevant code complaint body.
A privacy code may establish a new complaint body and set out procedures for handling and resolving complaints. Alternatively, where there is an existing industry complaint body, that body may be designated as able to handle privacy complaints under existing procedures providing that the existing scheme meets the criteria for approval by the Privacy Commissioner.
A privacy code may be part of a wider code but those parts forming the privacy code would need to be identifiable and only those parts approved as a privacy code would have effect for the purposes of the legislation.
Consistency will be assured through the role of the Privacy Commissioner who will be able to approve and revoke codes. Also, the Commissioner’s approval of a code will be a disallowable instrument and as such subject to scrutiny by the federal Parliament.
The criteria for approval are aimed at ensuring a consistent standard for privacy protection across organisations, whether covered by a code or by the NPPs.
Most complaint handling schemes encourage the parties to resolve the complaint themselves in the first instance. The Privacy Commissioner’s current practice is to refer individuals to the body about which they have a complaint in the first instance. The same approach will apply under the new provisions.
Whether an organisation has committed an act that breaches an individual’s privacy will be determined by reference to the Privacy Principles embodied in a privacy code, or, where the organisation is not bound by a code, by reference to the NPPs.
Where an organisation is bound by an approved privacy code an act or practice by that organisation that breaches the relevant CPP will be an interference with privacy.
Where an organisation is not bound by an approved code, an act or practice by that organisation that breaches an NPP will be an interference with privacy.
The individual will be able to make a complaint as follows:
Notwithstanding the above, a code complaint body will be able to refer a complaint to the Privacy Commissioner if it considers that the complaint would be more appropriately handled by the Commissioner. In this case the complaint would be dealt with by the Privacy Commissioner under the legislative provisions but applying the relevant CPPs. The ability to refer such a complaint in this way will be subject to the Privacy Commissioner’s agreement.
This referral power will also address concerns about circumstances where there may be overlaps between codes, or a code complaint body is unable to deal with the entire complaint, because it also deals with matters not covered by the code.
Industry based dispute resolution schemes are funded by industry in a range of ways. The legislation will allow for the development by the Privacy Commissioner of a charging system for handling complaints that takes into account both the desirability of complaints being resolved by conciliation, rather than determination, and the appropriate balance between the Government, organisations, and individuals in bearing costs.
The Privacy Commissioner handles complaints in a conciliatory manner, seeking to reach a settlement between the parties. To date, all complaints regarding private sector coverage have been settled, and only a small number of public sector complaints have required determination by the Privacy Commissioner.
This conciliatory approach will also apply in respect of complaints about a private sector organisation regardless of whether the complaint is handled by the Privacy Commissioner or a code complaint body.
Under the Privacy Act the Privacy Commissioner has a range of powers available in the conduct of investigations, though they are rarely used. These include the power to obtain information and documents, the power to examine witnesses under oath or affirmation, the power to direct a person (including a person not a party to the complaint) to attend a conference and the power to seek to enter premises and inspect documents. These powers are accompanied by penalty provisions if there is a refusal to comply.
It is intended that privacy codes should require participants to co-operate with and provide requested information to code complaint bodies. However, this will not fully substitute for the Privacy Commissioner’s statutory powers, particularly in relation to obtaining information from third parties.
Yes. The Privacy Commissioner may make determinations under s 52 of the Privacy Act. A code complaint body set up under a privacy code must have the same ability as the Privacy Commissioner to make determinations. This includes the ability to make a declaration that the respondent has interfered with privacy and should not repeat or continue conduct, that the respondent should perform any reasonable act to redress loss or damage, that the complainant is entitled to a specified amount as compensation for loss or damage (which includes injury to feelings or humiliation), or that it is inappropriate to take further action.
A code complaint body will be required to provide the Privacy Commissioner with a copy of an annual report that includes a report on the operation of the code, including the volume, nature and resolution of complaints.
The current ‘enforcement’ provisions in the Privacy Act will apply to a determination by the Privacy Commissioner of a complaint under the new provisions, or by a code complaint body under a privacy code.
That is, ‘enforceability’ will be through the Federal Court. This approach provides a parallel system of ‘enforceability’, so that a complainant has access to the same remedies and ability to ‘enforce’ a decision irrespective of whether it is made by the Privacy Commissioner or a code complaint body.
Application for enforcement will be able to be made by the complainant, or by whichever body made the determination — the Privacy Commissioner or the code complaint body.
As is currently the case under s 55 of the Privacy Act, any enforcement proceedings in the Federal Court will be by way of a hearing de novo (anew).
A determination will be prima facie evidence of the facts upon which the determination is based. It will be possible, however, for those facts to be challenged. This is similar to the approach under Pt 9 of the Telecommunications Act 1997 in relation to certain findings of the Telecommunications Industry Ombudsman.
Decisions of the Privacy Commissioner under the Privacy Act are reviewable under the federal Administrative Decisions (Judicial Review) Act 1977 (ADJR Act). Under the legislation, decisions of code complaint bodies will be similarly reviewable. This will be effected by deeming decisions of code complaint bodies to be decisions under an enactment for the purposes of the ADJR Act.
Yes. In addition to the approval mechanisms, the functions of the Privacy Commissioner, set out in s 27 of the Privacy Act, will be relevant to oversight of the private sector privacy codes.
The Commissioner will be required to include in his or her annual report a report on the operation of the private sector provisions, including the operation of approved codes. This will include a report on the action taken by code bodies to monitor compliance, and the volume, nature and resolution of complaints.
Yes. The current provisions regarding investigation without complaint will apply to organisations in the same way that they apply to the Commissioner’s current jurisdiction. They will apply regardless of whether an organisation is subject to a privacy code or the default legislation. The current jurisdiction is explained below.
Section 40(2) of the Privacy Act currently allows the Privacy Commissioner to investigate an act or practice that may be an interference with privacy if the Commissioner thinks it is desirable to do so, without a complaint having been lodged. This covers breaches of the IPPs, Tax File Number Guidelines and Credit Reporting Provisions and Credit Reporting Code of Conduct. Currently, there is no differentiation made between the public and private sectors in this regard.
While the wording of s 40(2) is quite open as to when the power can be exercised, the practice has been that this power is rarely used. It has been used in circumstances where a matter has raised significant public attention and concern, but no formal complaint has been lodged. It is also an efficient way of dealing with some matters where an act or practice affects a large number of individuals without significant loss or damage to them, and a representative complaint is not pursued.
The Privacy Commissioner’s powers under the Privacy Act to obtain information and documents, to enter premises and to require a person to attend and answer questions apply to such an investigation. In the case of premises occupied by a private sector organisation such as a credit provider, this power may be exercised only with the consent of the occupier, or under a warrant issued by a magistrate on the basis that he or she is satisfied that entry to the premises is reasonably necessary for the performance of the Commissioner’s functions under the Act.
Section 30 of the Privacy Act permits the Privacy Commissioner to report to the Minister following an own motion investigation, and requires him or her to do so if the Minister requests or if the Commissioner thinks that an act or practice is an interference with privacy, and a settlement of the matter (for example by agreeing on remedial action to be taken, or changes to be made to practices) has not been achieved. In the latter case, the Commissioner’s report must set out findings and reasons for them and may include any recommendations by the Commissioner, including for the payment of compensation or other action to remedy or reduce loss or damage suffered as a result of the act or practice. A copy must be served on the relevant agency or body, and the Minister responsible (if any). If after 60 days the Commissioner is not satisfied that reasonable steps have been taken to prevent the interference with privacy recurring, the Commissioner may make a further report to the Minister who must table it in Parliament.