Privacy Law and Policy Reporter
This information paper was issued by the Attorney General’s Department on 12 April to accompany the Bill.
The Privacy Amendment (Private Sector) Bill 2000 was introduced into Parliament by the Attorney General on 12 April 2000. The Bill proposes to amend the Privacy Act 1988 (Cth), which currently regulates the Commonwealth and ACT public sectors and private sector organisations that handle tax file numbers and credit information files. The Bill will come into effect on 1 July 2001 or 12 months after its commencement, whichever is the later.
The Government recognises the importance of privacy to the community and that many people are concerned about the way their personal information is used by the private sector.
In developing a system for the fair handling of personal information in the private sector the Government’s intention is to ensure that the scheme:
Creating a workable scheme required consideration of many issues and interests. The Government was committed to achieving the right balance — a balance between the protection of individual privacy interests and competing social interests such as the free flow of information to the public through the media; a balance between the interests of consumers and those of business.
The proposed legislation was developed in consultation with many sectors of the community. The Government is of the view that it does, as a result, strike the right balance. It will create the right environment for the growth of the information economy and will also provide Australian businesses with certainty when trading with European Union Member States. For the first time, Australians can be confident that information held about them by private sector organisations will be stored, used and disclosed in a fair and appropriate way. For the first time, Australians will have a right to gain access to that information and a right to correct it if it is wrong.
The Bill implements the National Principles for the Fair Handling of Personal Information (the National Principles) (http://www.privacy.gov.au/publications/index.html). These were developed by the Privacy Commissioner following extensive consultation with business and consumers.
The National Principles have been revised to accommodate legislative language and modified in their application to health information and transborder data flows. The modifications made to the National Principles in relation to health information are based on the Privacy Commissioner’s recommendations to the Government, following consultation with health stakeholders.
The National Principles in the Bill (called the National Privacy Principles or NPPs) (http://law.gov.au/privacy/npp.html) are intended to provide a basis for business to develop practices to ensure that the privacy of individuals is protected. They provide a default framework for the protection of personal information. Private sector organisations will be bound by them unless they have their own privacy code that has been approved by the Privacy Commissioner. A code will only be approved by the Privacy Commissioner if it provides at least the same standard of privacy protection as the NPPs.
Part IIIAA of the Bill sets out the matters that the Privacy Commissioner must take into account when deciding whether or not to approve a privacy code. Where a code sets out a procedure for making and dealing with complaints, the Privacy Commissioner must consider a range of matters, including whether the procedures meet prescribed standards. At this stage, the Government intends to prescribe the Benchmarks for Industry-Based Customer Dispute Resolution Schemes published by the Consumer Affairs Division of what was then known as the Department of Industry, Science and Tourism (August 1997) (http://www.treasury.gov.au).
The Bill will apply to the acts and practices of ‘organisations’. An ‘organisation’ is defined to mean a body corporate, an unincorporated association, a partnership, a trust or an individual.
A body corporate that is related to another body corporate will be permitted to share information. However, related bodies corporate will be required to comply with the NPPs in relation to using and handling the information (http://law.gov.au/privacy/bcfact.html).
A similar rule exists in relation to the collection and disclosure of personal information by partnerships. The rule will apply where one partnership dissolves and another partnership forms immediately afterwards which has at least one partner in common with the first partnership and carries on the same (or similar) business as the first partnership.
The Bill does not cover the State and Territory public sector or State and Territory government business enterprises (GBEs) that perform substantially core government functions.
The Bill will apply to certain acts and practices of organisations which occur outside Australia. This is to ensure that, as far as practicable, the legislation will apply in an environment where organisations operate across national boundaries and may move information overseas to use and process it. This is also intended to ensure that the provisions of the legislation are not avoided simply by moving personal information overseas (http://law.gov.au/privacy/otfact.html).
The Bill is intended to establish a comprehensive national scheme providing for the appropriate collection, holding, use, correction, disclosure and transfer of personal information by organisations in the private sector. State and Territory laws that make provision for the collection, holding, use, correction, disclosure or transfer of personal information will continue to operate to the extent that they are not inconsistent with the Commonwealth legislation.
The Government recognises the particular sensitivities of an individual’s health information and the Bill takes into account these sensitivities. In May 1999, the Attorney General asked the Privacy Commissioner to conduct public consultations on how the National Principles for the Fair Handling of Personal Information could be applied to personal health information in a sensible and workable way. The Privacy Commissioner’s report on those consultations was of great assistance in developing the relevant provisions.
The private sector legislation and subsequent development of guidelines represent a significant step forward in the development of a nationally consistent approach to privacy protection of health information.
The NPPs are designed to ensure an appropriate balance between privacy interests and other important public interests, such as the promotion of public health research and the effective planning and delivery of health services.
The balance between the interests of privacy and the need to facilitate medical research is an issue that was examined closely. The balance that has been reached will ensure that health information can only be used for the purposes of research where absolutely necessary and under strict controls.
The Government acknowledges that the health profession already has a strong respect for the confidentiality of health information about individuals and maintains sound privacy practices in that respect. The Bill is not intended to interfere with those professional values and standards.
The Bill does, however, attempt to strike a balance between health professionals and consumers in relation to access by individuals to their own health information. It is a fundamental principle of fair information handling for individuals to be able to access and correct information about themselves. The Bill provides for access to health information except where legitimate and justifiable grounds exist for refusing access. Such grounds include situations where providing an individual with access to their health information would pose a serious threat to the life or health of that or any other person. In providing this right to health consumers, the Bill supports what is already good practice among many health professionals (http://law.gov.au/privacy/healthfact.html).
The Bill includes an exemption for acts done and practices engaged in by media organisations ‘in the course of journalism’. This exemption seeks to balance the public interest in providing adequate safeguards for the handling of personal information and the public interest in allowing a free flow of information to the public through the media. The objects clause in the Bill also highlights this need for a balanced approach.
A range of other provisions recognise the important role of the media in facilitating the free flow of information to the Australian public. For example, as part of the process of approving a code the Privacy Commissioner will have to be satisfied that code adjudicators will be required to have due regard to such issues. This is consistent with the obligation imposed on the Privacy Commissioner under the existing s 29(a) of the Privacy Act 1988.
In addition, the Bill provides that a journalist is not required to give information, answer a question or produce a document or record where this would tend to reveal the identity of a person who gave information to the journalist in confidence (http://law.gov.au/privacy/mediafact.html).
The Government is of the view that the handling of employee records is a matter better dealt with under workplace relations legislation. An act or practice engaged in by a current or former employer of a person in relation to an employee record will be exempt from the legislation if the act or practice is directly related to the current or former employment relationship. The requirement of a direct link to the employment relationship has been included to ensure that employers cannot use employee records for commercial purposes unrelated to the employment context.
An employee record is defined broadly as a record relating to the employment of an employee and includes the types of records typically held by employers on personnel files (http://law.gov.au/privacy/empfact.html).
All small businesses will be exempt from the operation of the legislation for a period of 12 months after the commencement of the legislation. This delayed application is designed to allow small business extra time to ensure compliance with the legislation. After the initial period it is intended that small business be exempt from the legislation unless there is a privacy risk. This is in accordance with government policy to minimise compliance costs for small business.
A small business is defined as a business with an annual turnover of $3 million or less. The calculation of annual turnover relies on the mechanism in A New Tax System (Goods and Services Tax) Act 1999 (Cth) (the GST legislation).
A small business will be exempt from the operation of the legislation unless it:
Political parties registered under Pt XI of the Commonwealth Electoral Act 1918 will be exempt from the operation of the legislation. Acts and practices of political representatives such as members of parliament and local government councillors will also be exempt from the legislation provided their acts and practices relate to an election, a referendum or other participation in the political process. Freedom of political communication is vitally important to the democratic process in Australia. This exemption is designed to encourage that freedom and enhance the operation of the electoral and political process in Australia.
The acts and practices of contractors (and their subcontractors) of registered political parties and political representatives will be exempt provided that the acts done or practices engaged in relate to an election, a referendum, or the participation of a registered political party or a political representative in the political process.
Acts done or practices engaged in by volunteers on behalf of and with the authority of a registered political party will also be exempt from the operation of the legislation.
The Bill enables a contract between a Commonwealth agency and the contractor (and any subcontract) to be the primary source of a contracted service provider’s obligations in respect of the personal information collected or held for the purpose of performing the contract. Contractual clauses must be consistent with the privacy obligations that apply to the agency (generally, the Information Privacy Principles in the Privacy Act 1988). Contractors will be subject to the NPPs (or to an approved code) to the extent that they are not inconsistent with the Commonwealth contract.
A small business operator that is also a contracted service provider under a Commonwealth contract will be subject to the legislation in respect of the performance of the contract, but will be exempt in relation to its other acts and practices.
To ensure that people are able to find out what privacy standards apply, agencies and contractors will be required to release, on request, details of privacy clauses in their contracts.
As a safeguard, the Bill contains a provision explicitly prohibiting a contracted service provider from using or disclosing personal information collected under a Commonwealth contract for direct marketing purposes unless this is a necessary part of the contract itself.
Specific provisions will ensure that the complaints system works smoothly where the complaint is made about an act or practice of an organisation that is also a contracted service provider where that act or practice is in relation to a Commonwealth contract.
The Bill contains a provision to cover the situation where, for one of the reasons specified, a remedy cannot be obtained from a contracted service provider. It allows the Privacy Commissioner to substitute the agency for the contracted service provider and is intended to ensure that the agency remains ultimately responsible for the acts and practices of its contracted service providers (http://law.gov.au/privacy/gcfact.html).
A specific provision will exclude acts and practices of organisations performed in relation to a contract with a State or Territory instrumentality where that contract involves handling of personal information. Such acts and practices will not be covered by the Commonwealth’s privacy scheme but rather the State or Territory’s own privacy standards.
A number of fact sheets are available that provide more detail about how the Bill applies [these are reproduced in full elsewhere in this issue].
The Bill is available at http://www.aph.gov.au/legis.htm. The Explanatory Memorandum and Second Reading Speech delivered by the Attorney General on 12 April 2000 may be accessed through Hansard at the Parliament House website (http://www.aph.gov.au/hansard/hansrep.htm).
This information paper was prepared by the privacy law team in the Information Law Branch. The team includes Carolyn Adams, Helen Daniels, Richard Glenn, Gabrielle Mackey and Allison Wood. You can contact the privacy law team by:
Email: email@example.com
Mail: Ms Helen Daniels, Assistant Secretary, Information Law Branch, Attorney General’s Department, Robert Garran Offices, National Circuit, BARTON ACT 2600
Telephone: (02) 6250 6211
Facsimile: (02) 6250 5939