Privacy Law and Policy Reporter
Judge Kevin O’Connor
The Commonwealth initiative dealing with protecting privacy in relation to personal data occurred in the highly charged atmosphere of the Australia Card debate. While the Australia Card proposal failed, the element of the package relating to privacy survived, ultimately in the form of the Privacy Act 1988 (Cth). That Act came into operation on 1 January 1989 and I had the honour of being the first federal Privacy Commissioner, a position I occupied until 31 December 1996.
In the early days there was a considerable focus on the tax file number system. The proposition that there should be a high integrity unique tax file number was one to survive from the Australia Card debate. The contexts in which that number could be demanded or quoted were strictly limited, essentially to the tax setting and some government payment settings. There was some expansion in these categories later. The number was not issued in the form of a card, necessarily there was no photograph, and there were no periodic renewal points. Consequently there was no practical ability for other parts of the community to turn the tax file number into a de facto national identifier. The offence provisions surrounding the tax file number are strong, and I am not aware of any trend towards it becoming a de facto national identifier.
I regard that situation as a victory for the privacy of Australians, as compared to the position that prevails in many countries. The opportunities for the wider government sector and the private sector to link data, and build up profiles about us, have been constrained to that extent.
But that is not to say that there are not many other opportunities open for the building up of behaviour, lifestyle or historical profiles. Privacy rights are often traded away by people when entering competitions or signing up to loyalty programs offering rewards (such as shop discounts or frequent flyer points). The activities that people engage in to get the benefit of these programs can be tracked. They can have their names and addresses made available to mailing houses or direct marketers.
Profiling in government is most efficiently achieved by data matching techniques. Early in the life of the federal Privacy Act I gave close attention to that practice in federal government. The use of the Australia Card for that purpose had been referred to during the Australia Card debate, and both major parties went to the 1990 federal election with platform commitments to increased data matching to detect social security overpayments and tax underpayments. The rhetoric was in terms of identifying social security and tax cheats, though experience later showed (as was known at that time to be the case overseas where the technique had been used) that a significant percentage of errors were due to administrative factors rather than fraud or deceit.
The Data Matching Program Act (Assistance and Tax) 1990 (Cth) was an important milestone in privacy protection. It introduced strict procedural standards about how Commonwealth data matching programs were to be conducted when they relied on the tax file number as a common identifier. They had important procedural fairness rules, designed to ensure that persons identified as possibly being in receipt of more than one payment or not declaring social security income for tax purposes were given an opportunity to respond before having their payments cut off.
My advocacy of the need for procedural protections of this kind led the Attorney General’s Department to examine whether I was exceeding my powers as Privacy Commissioner. An advice was obtained as to whether I had the power to make public statements, and the question was also raised with me as to whether it was open to me to canvass the adoption of rules (as to data matching protocols, fair procedures and the like) which lay outside the strict scope of the Information Privacy Principles set down in the Privacy Act. That inquiry led me to advise policymakers in other jurisdictions developing privacy laws to address the point squarely, and explains the presence in the New Zealand privacy legislation of an express provision to the effect that the Privacy Commissioner in that country can make public statements, one I notice is now also found in the Privacy and Personal Information Act 1998 (NSW) and the Victorian Bill of 1999, both discussed in more detail later.
The Department’s view was that the federal Privacy Commissioner’s advocacy role was restricted to that necessary to perform the function related to educational programs and did not extend to discussion of matters of current controversy. I ignored the advice and continued to seek to articulate (in a measured way) the case for appropriate privacy protections in relation to the management of personal data in Commonwealth administration, especially where the existing Information Privacy Principles might not provide a good fit.
But those events show something of the difficulty Commonwealth administration had with the case for privacy being articulated beyond the formal parameters of the Privacy Act. Now data matching standards in broadly similar terms to those contained in the Act of 1990 are in place across the Commonwealth administration in relation to the many programs that do not depend on the tax file number as a unique identifier.
Later a major issue was the need to maintain separation between the Medicare database and the Pharmaceutical Benefits database, leading to statutorily based guidelines on that subject.
Increasingly I turned my attention to emerging issues. One was the outsourcing of Commonwealth data management and data processing functions. The Privacy Act was inadequate at that time in ensuring that the privacy protections given by the Act continued to apply if processing functions were outsourced. Citizens were left to whatever protections could be procured by contract between the agency and the service provider under the outsourcing arrangement. In 1994 my office issued a document entitled Advice for Commonwealth Agencies considering Contracting Out (Outsourcing) Information Technology and Other Functions, being guidelines prepared by the Privacy Advisory Committee which included draft provisions for incorporation into contracts. Despite promises to act, amendments have yet to be made to the Privacy Act to cover outsourcing.
The other area to which I turned my attention was telecommunications privacy. The Privacy Commissioner’s office was significantly involved in policy development relating to Calling Number Display (or Caller ID). That product is now being rolled out, with the option being given to consumers to block ID being transmitted by their telephones or to use selective suppression of Caller ID through a special number sequence. But when I changed addresses a year ago and took my old number to the new address, I found that my Caller ID block had been lifted without my knowledge. I discovered that one had to request its retention if the number followed you to new premises. I complained strongly, and received a small amount by way of compensation under the Service Guarantee!
Later in my term as Privacy Commissioner my priority was to advocate extension of the Information Privacy Principles to the private sector. By the time of the 1996 federal election both major parties were committed to the extension of privacy principles to the private sector and strict enforcement requirements.
The new Coalition Government proceeded with the initiative, with a discussion paper issued in September 1996 outlining detailed proposals. While there was widespread private sector support for an extension, there were some key opponents, in particular the Australian Bankers’ Association, and this opposition led to a major reversal of policy in March 1997, announced in a statement by the Prime Minister.
Since that time, the Privacy Commissioner’s office has been engaged in the formulation and encouragement of the adoption of voluntary principles for the private sector known as the National Principles for the Fair Handling of Personal Information. The National Principles were issued in February 1998 for discussion. They were re-issued in revised form in January 1999. The Principles contained a number of departures from the Information Privacy Principles. These are most apparent in relation to the treatment of direct marketing uses of information, the relationship with law enforcement agencies, and in the complexity of the provisions surrounding access and correction. One positive inclusion is the attention given to placing limits on the collection of sensitive information.
The proposals do not recommend or specify any implementation mechanism. The introduction states:
The way these principles will work in practice depends on a number of issues that this document does not address such as: which organisations adopt the principles; what mechanisms are put in place for dealing with complaints, compliance and disputes; whether the principles are applied to personal information about employees; and whether they are applied, in part or in whole, to information collected before they are adopted ... The Federal Government’s December 1998 decision to put in place a light-touch legislative regime for information privacy protection in the Australian private sector will impact on these implementation issues.
As mentioned in those comments, on 16 December 1998 the Federal Government announced that it intended to legislate to support and strengthen self-regulatory privacy protection in the private sector, and that a ‘light touch’ legislative regime would be introduced, based on the National Principles. Within this framework, the federal Privacy Commissioner’s office has continued to be active in promoting private sector adoption of good privacy practice, calling for comment on 25 May 1999 on the application of the National Principles to health information.
The Principles are likely to be incorporated as a new Part of the federal Privacy Act, leading to a situation where the Privacy Act will have three separate sets of legislative principles on privacy — the original Information Privacy Principles binding the Commonwealth public sector, the new National Principles for use by the private sector, and the detailed rules based on the Information Privacy Principles and contained in Pt 3A which bind credit reference services, banks, financial institutions and others who are permitted to collect and use consumer credit history information.
Pending such a development, other compliance vehicles are emerging. For example, on 20 August 1999 the Australian Competition and Consumer Commission announced that it has conditionally authorised the Australian Direct Marketing Association’s Direct Marketing Code of Practice. Part E of the Code contains the Privacy Commissioner’s National Principles. The Code contains a complaint handling process, provision for an independent decision-making body, enforcement provisions and remedies.
The complexities in Australia’s privacy regulation so far discussed are those governed by federal law.
There are also important developments occurring at State level. New South Wales has become the first State to pass a comprehensive State personal data privacy law, in the form of the Privacy and Personal Information Act 1998, No 133. Its core is a series of Information Protection Principles. It applies the Principles by law to the public sector, and gives the private sector the right to enter into privacy codes. An office of Privacy Commissioner is created. Government agencies are required to have privacy management plans. If they wish, they can seek to have the application of the Principles to their operations varied, following consultation and agreement with the Privacy Commissioner, and adopt an approved code of practice. This is a strong scheme in outline, with the requirements of a privacy management plan and the option of a privacy code being important advances on the federal model.
But it is evident on scrutinising the Act closely that it contains numerous exclusions and modifications in relation to adherence to the Information Protection Principles. For example, the police force, the Independent Commission Against Corruption, the Police Integrity Commission and the Crime Commission are not required to comply with the Principles except in relation to their administrative and educative functions — so adherence is a voluntary option for most of the law enforcement community. In relation to the impact of the specific Principles on the law enforcement activities of agencies which are otherwise bound, frequently they are affected by an exception stating that they do not apply to collection and use of data for law enforcement purposes.
The issue of the interaction of the access and amendment rights given by the new Act with those found under the Freedom of Information Act 1989 (FOI Act) is addressed. The omission of a clear reference to this issue in the federal Privacy Act was a source of possible difficulty. I took the view from the beginning as federal Privacy Commissioner that my office should defer to the regime established under the FOI Act in relation to access and amendment applications and disputes. But as there were Information Privacy Principles going to this subject, some argued that it was appropriate for access applicants to use that regime, especially as no fees attached to privacy applications at agency level and there was the possibility, in the event of someone being successful in proving a contravention, that monetary compensation might be available, a remedy not available under the FOI Act. I administered the Privacy Act on the basis that access and amendment issues should first be dealt with under FOI machinery, without preventing an applicant bringing a complaint to me if the matter remained unresolved or monetary compensation was sought. I do not recall any case where this second step was ever taken.
In the NSW Act there are clear provisions indicating that the relevant Principles do not override the FOI Act.
The Information Protection Principles are also at several points disapplied in relation to the activities of several complaints investigation agencies in the NSW government. These include the office of Ombudsman, the Health Care Complaints Commission, the Anti-Discrimination Board, the Guardianship Board and the Community Services Commissioner.
Several of the Information Privacy Principles are also declared to be inapplicable if non-compliance is lawful. This will mean that careful attention will have to be given to other legislation, especially the primary legislation under which agencies operate, to ascertain whether the non-compliant conduct has been declared to be lawful.
The exclusions and modifications to which I have referred are not contained in the Principles themselves, and it is necessary to explore other parts of the Act to discover them.
Complaints of an interference with privacy may be made to the Privacy Commissioner. But equally, an individual can seek review by the agency of a privacy complaint. The Privacy Commissioner may make a submission to the agency in that regard. Any such application must be made known by the agency to the Privacy Commissioner, to enable that office to maintain a watching brief. If the review is not completed within 60 days the individual can make an application to the Administrative Decisions Tribunal for a review of the conduct concerned.
Any application to the Tribunal may go to the findings of the agency review or to the action proposed to be taken by the agency. The Tribunal may decide not to take any action following review. If it considers that action is warranted it may make one or more of the following orders:
The complaint can relate to the contravention of an Information Protection Principle by a public sector agency, the contravention of a privacy code of practice by such an agency or the disclosure by such an agency of personal information kept in a public register.
The Data Protection Bill 1999 received its Second Reading in the Victorian Parliament on 28 May 1999. The indication at the time was that it would lie over for the Winter Recess and be passed in the Spring Session. An earlier Exposure Draft of the Bill, released in November 1998, was the subject of a detailed discussion paper prepared by Multimedia Victoria in the Department of State Development. More explicitly than has been the case in NSW, the development of data protection legislation has been seen as part of the State’s excellence-in-IT and multimedia strategy.
This resonates with a government motive often seen in relation to information privacy initiatives. In the UK the Thatcher Government proceeded with data protection legislation when it sensed a risk to the ability of UK businesses to compete for major data processing jobs due to concerns on the part of data processors that laws in the UK were not of a sufficient standard to meet their requirements in relation to the protection of individual rights. Similarly, I understand that Australia’s signature to the OECD Guidelines on Protection of the Privacy of Personal Information and Transborder Data Flows was given by the Government in 1984 after direct representations from banks desirous of participating in an international cheque payments system (SWIFT) where Australia’s non-adoption of the OECD Guidelines had been raised as a concern.
The Victorian Bill has the following features. There is a series of Information Privacy Principles with many differences in their text from those applicable under the federal and NSW laws. They are based broadly on the federal Privacy Commissioner’s National Principles. Notably, both public and private sector organisations are bound by the Principles, although they can seek to vary the application of the Principles by developing a code of practice in consultation with the Privacy Commissioner. Codes may apply to an industry or a class of information or activity.
In relation to the office of Privacy Commissioner, the legislation makes provision for the possibility that the role might be performed under agreement by the federal Privacy Commissioner. This is a sensible approach, recognising the desirability of avoiding the unnecessary duplication of similar services in the Australian regulatory framework. Complaints concerning contravention of the Principles or of a code of practice may be made to the Privacy Commissioner.
The legislation has a strong emphasis on the desirability of the Commissioner seeking to conciliate complaints. If that fails then the matter can be referred to an external tribunal, the Victorian Civil and Administrative Tribunal (VCAT). VCAT’s powers are similar to those exercisable by the NSW Tribunal, but compensation orders may be made up to $100,000.
One of the enforcement powers vested in the Privacy Commissioner enables him or her to serve a compliance notice on an organisation directing it to comply with a Principle or Principles. Such a notice may only be issued where the criteria specified in the Act are met; namely, the act or practice in issue constitutes a serious and flagrant contravention and has been engaged in by the organisation on at least five separate occasions in the last two years. Non-compliance with such a notice is a serious criminal offence, being indictable with a maximum penalty (in the case of bodies corporate) of 3000 penalty units.
While there are significant qualifications of the Principles in relation to law enforcement, those qualifications are expressed in functional terms rather than in the terms of agency-wide exclusions. While I have not done a close analysis, the result would appear to be that the law enforcement exceptions are significantly narrower than the NSW equivalents. A similarly narrower approach to exceptions seems to apply in other areas. The position in relation to FOI is again clearly dealt with, with the FOI Act being given primacy in relation to access and amendment applications and disputes in its area of application — the public sector, as defined by the Act. In practice that will mean that the Information Privacy Principles in Victoria as they relate to access to and amendment of personal information will have a major impact on private sector information systems and practices.
While the Victorian Bill has been drafted to apply to both the private and public sectors, the Explanatory Memorandum makes it clear that the commencement provision has been structured so as to allow for staggered proclamation. It makes it clear that Victoria would not proceed to commence the provisions applying to the private sector if adequate data protection legislation for the private sector is introduced nationally in the near future. That condition would presumably be met if the Commonwealth does act to incorporate the voluntary principles issued by the federal Privacy Commissioner into the federal Privacy Act, and there are satisfactory constitutional arrangements made to extend the principles universally to the Australian private sector.
Commentators have praised the Victorian Bill for its coverage of both the public and private sectors, the relative narrowness of its exceptions and exclusions as compared to the NSW Act, and the clear way in which it addresses issues such as outsourcing. The main criticism has been the use of the federal Privacy Commissioner’s National Principles as the reference point for the core Information Privacy Principles. Greenleaf has said, referring at that time to the exposure draft:
In an effort to obtain national uniformity the Victorian Bill is therefore based on a set of Principles which are not the product of consensus, are more a product of horse-trading than considered reform, and which have been criticised very strongly by privacy and consumer organisations ... although welcomed by participating business representatives: (1999) PLPR 136.
International influences, as I noted in the comment relating to the adoption of data protection laws by the Thatcher Government in the UK in 1984, have often driven domestic laws. This is very true in Australia.
For more than 30 years many domestic parliaments have been driven to act by the work of the European Union and its predecessor organisations. The OECD, which has a number of non-European ‘first world’ nations as members, including Canada, New Zealand, the US and Australia, has also exerted influence. The early work of the European Union led to the Data Protection Convention of 1981 and now the Data Protection Directive of 1995, presently coming into force in Europe. Under the Directive, all member States are bound to pass laws which comply with minimum standards, and are applicable to the public and private sectors. Similarly, there are constraints placed on the transfer out of Europe of personal information for processing and use to countries that do not offer similar protections. The constraints are found in arts 25 and 26 of the Directive, and their application in practice has been the subject of considerable discussion and debate. The articles leave unaffected many categories of inter-governmental data flows, and no special laws or other arrangements are required. This is not the case with flows to the private sector. There are various ways in which a private sector organisation can satisfy the European Union that European citizens’ data is ‘adequately’ protected when under the control of a data processor or record keeper in a ‘third country’. One is by appropriate contractual arrangements, but another (and more attractive from both the efficiency and rights perspective) is by showing that the third country has an adequate legislative regime in place for protecting citizens’ privacy rights. That element of the EU Directive is an important contributing factor in the Australian debate.
An important study was released by the European Union in September 1998 on assessing the adequacy of third country arrangements: Application of Methodology designed to assess the Adequacy of the Level of Protection of Individuals with regard to Processing Personal Data: Test of the Method on Several Categories of Transfer, for the European Commission by the University of Edinburgh (Raab, Bennett, Gellman and Waters). This took the form of a study undertaken by a consortium of data protection specialists, designed to test an already developed methodology for the evaluation of levels of data protection afforded in non-EU countries. The methodology was tested by applying it to a series of test cases of specific data transfers to a selection of six third countries. The countries studied were Australia, Canada, China (Hong Kong SAR only), Japan, New Zealand and the US.
The five categories of transfer reviewed were human resources data, sensitive data in airline reservations, medical/epidemiological data, data in electronic commerce, and sub-contracted data processing. It lies beyond the scope of this paper to review the study in detail, but I recommend that data managers connected with these systems examine the observations made in the paper.
The broad conclusions of the study are replete with reservations as to the adequacy of third country laws in all the categories studied, consistently noting that where privacy laws do not apply strictly to the private sector, significant gaps in protection can exist. In such circumstances, the study notes that electronic commerce is virtually unregulated for data protection, and this situation is the same in the case of transfers of personal data between data controllers and data processors.
Since passage of the federal Privacy Act in 1988, we have seen dramatic developments in information technology, and data processing and data communication practices. At the beginning of this decade, the smart card had received no significant attention in Australia. The potentialities of the internet and the world wide web were only dimly appreciated. Email was beginning to be introduced into workplaces, but the huge take-up of computers and internet access in the home was as yet unanticipated. Some attention was being given to electronic commerce issues. In the public imagination intensive data processing applications were viewed in hierarchical terms, with subordinate computer linkages all ultimately joining to a single or sometimes a group of mainframes. Distributed data processing arrangements relying on the combined resources of networked personal computers were little developed.
All of these developments have implications for achieving reasonable levels of privacy protection in practice. Without care being taken in the design of systems, it may now be far more difficult to find all the communications and electronic documents that bear on a matter. Emails may contain vital communications but be expunged quickly. While file storage and file security issues appear to have become more difficult to address, some aspects of the new technology ought to assist in addressing privacy rights. It ought to be a relatively simple task to facilitate the exercise by individuals of their rights of access to data held about them. Similarly, it ought to be relatively simple to design systems so that data transfers and data inspections are monitored and logged.
While the technological advances have been great, it is important not to see them as rendering meaningless the case for protection of privacy. In the end, the case for privacy protection rests on an acceptance of the case’s human rights basis. In liberal democratic societies we recognise the uniqueness of all people and their right to have their individual dignity respected. We recognise a range of fundamental freedoms which should be accorded the status of human rights. One of those is the right to be free from unwarranted interference in relation to our private lives. Respect for privacy contributes to the intellectual, social and moral development of individuals and families. This in turn contributes to a better society. It is vital to continue to uphold these key attributes of a liberal democratic society whatever the present state of technology. The challenge is to give specific expression to the protection of the human right to privacy by way of principles, laws and methods of regulation which effectively uphold that right.
Judge Kevin O’Connor is President of the Administrative Decisions Tribunal of New South Wales; and was founding Federal Privacy Commissioner, 1989-1996.
This is an edited text of a paper delivered to the Records Management Association Conference in Darwin in August 1999.