Privacy Law and Policy Reporter
This is the second part of a review of Australian privacy laws against the EU’s adequacy criteria first carried out in mid-2000 and updated as a paper for the UNSW Continuing Legal Education Seminar, The New Australian Privacy Landscape, held in Sydney on Wednesday 14 March 2001. It is reprinted here by kind permission of the UNSW LE Program. The first part, covering the public sector and consumer credit reporting, appeared in (2001) 8(1) PLPR 16.
The Telecommunications Act 1997 (Cth), which set up a more diverse and de-regulated telecommunications market, requires telecommunications providers to comply with use and disclosure rules modelled on those in the Privacy Act 1988 (Cth) (which used to apply to Telstra when it was State owned, but not to the private sector).
The Act provides for industry developed codes of practice to be given statutory force, and for two privacy codes — the Protection of Personal Information of Customers of Telecommunications Providers (PPIC Code), a general code including all of the information privacy principles, and a specific code for Calling Number Display (CND Code). In 2000, these codes were registered by the Australian Commun-ications Authority (ACA) and are now binding on all (carriers and service providers) in the industry.
Individual complaints about breaches of the codes are handled by an industry funded Telecommunications Industry Ombudsman (TIO), while complaints about breaches of a more systemic nature, or of the underlying law, can be taken to the Australian Communications Industry Forum (ACIF, which developed the codes) or to the ACA.
The provisions of the Telecommun-ications Act apply to carriers and carriage service providers. These are technical definitions which in practice pick up most of the main providers of telecom-munications services, including operators of fixed and mobile telephone networks, re-sellers, and internet service or access providers (ISPs or IAPs). However, dealers and agents (for instance those selling mobile telephone services on behalf of the service operators) and internet content providers are not covered.
Since 1997 the Telecommunications Act has incorporated use and disclosure limitations modelled on Information Privacy Principles (IPPs) 10 and 11 of the Privacy Act. However, there was no statutory equivalent of the ‘fair and lawful collection’ principle. Since May 2000, all telecommunications carriers and carriage service providers have been required to comply with a complete set of information privacy principles — the National Privacy Principles (NPPs) — which include ‘fair and lawful collection’ (rule 5 of the PPIC Code). They also support the use and disclosure limitations and conditions in the Act: rules 6 and 7 of the PPIC Code are hybrids of IPP 10, IPP 11, NPP 2 and the Telecommunications Act provisions. This negates some of the criticisms of NPP 2 (see the section on the general private sector amendments below) because the Rules mostly set a higher standard.
These Rules are consistent with arts 6 and 7 of the EU Directive.
However, unlike NPP 2, there are no special protections for health data in Rules 6 and 7 (see under ‘Sensitive data’ below) and the special conditions applying to direct marketing only apply to use, not disclosure (see under ‘Rights of access, rectification and opposition’ below).
Special provisions relating to collection, use and disclosure of calling number display information are contained in the CND Code which has also been registered by the ACA and is therefore binding on all telecommunications providers.
Rule 8 of the PPIC Code repeats NPP 3, which requires organisations to take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up to date. This is consistent with art 6(d) of the EU Directive.
Rule 10 of the PPIC Code repeats NPP 5 (openness) and requires telecommunications providers to be open about their management of personal information. Rule 5 is a version of NPP 1 and includes a requirement to give notice of various matters when collecting personal data. These rules are consistent with arts 10 and 11 of the EU Directive.
Rule 11 of the PPIC Code repeats NPP 6, with some minor variations to reflect the telecommunications environment and specific provisions in the Telecommun-ications Act. To all intents and purposes it provides the same access and correction rights, exemptions and processes as NPP 6.
These rules are consistent with art 12 of the EU Directive.
Rule 6 of the PPIC Code includes special conditions where personal information is intended for use for direct marketing, and provides for individuals to be offered an ‘opt out’ opportunity, but only where the intended use is not part of the original purpose of collection or directly related and within the reasonable expectation of the individual. There is no equivalent provision in rule 7 in relation to disclosure for direct marketing, which could take place without the individual’s consent, or any opportunity for them to opt out. These rules therefore only partly provide the protection envisaged by art 14 of the EU Directive.
Rule 9 of the PPIC Code repeats NPP 4 verbatim. This is consistent with arts 16 and 17 of the EU Directive.
Rule 15 of the PPIC Code is a simplified version of NPP 12 which only limits collection of the sensitive data categories. There are no special restrictions or conditions on the use or disclosure of sensitive data — even health data, as the special provisions of NPP 2 are not carried over into rules 6 and 7 (see above). There is therefore no equivalent in the telecommunications privacy regime to art 8 of the EU Directive.
Rule 14 of the PPIC Code repeats the provisions in NPP 9 regarding transborder data flow. This is discussed in the next section.
The telecommunications regulatory regime relies largely on self-regulation. Registration of the PPIC and CND Codes has, however, brought into effect the safety net enforcement provisions of the Telecommunications Act and allows the ACA to issue warnings and directions in the event of persistent or serious breaches of the codes. Failure to comply with a direction can result in civil penalties
Complaints about breaches of the codes will initially be investigated by the TIO, an industry appointed and funded body which meets most of the standards of independence and autonomy generally regarded as necessary for a credible self-regulatory complaints scheme. All telecommunications providers are required by law to join the TIO scheme and there are more than 850 members.
The TIO has, since its inception, been able to handle complaints about breaches of privacy — initially by reference to the Privacy Act IPPs which used to apply to the government owned Telstra corporation. The TIO will now use the new registered privacy codes as the standard against which complaints will be assessed. The TIO can make binding determinations including awards of compensation, where appropriate, of up to $10,000 and can recommend payments of up to $50,000.
Unauthorised uses or disclosures of personal data in breach of Pt 13 of the Telecommunications Act are criminal offences punishable by up to two years’ imprisonment.
The complaints handling and enforce-ment aspects of the telecommunications privacy regime meet many of the standards envisaged in arts 22-24 and 28 of the EU Directive, except that there is no provision for remedies to be enforced by a constitutionally independent judiciary, and the supervisory responsibilities are somewhat fragmented between ACIF, the ACA and the TIO.
It is, however, expected that the PPIC Code will be submitted for approval by the Privacy Commissioner under the new general private sector legislation. If this happens, then depending on what role for the Privacy Commissioner is envisaged, the complaints handling, enforcement and supervisory aspects of the telecommun-ications regime may come into line with those applying more generally (see below).
Until recently, the remainder of the private sector (that is, besides consumer credit reporting and telecommunications) has been statutorily subject only to some very specific privacy rules relating to the use of the Federal Government tax file number (under the Privacy Act 1988) and to the disclosure of old criminal convictions (under the Crimes Act 1914 (Cth)).
Private businesses providing services under contract to government agencies may have been subject to contractual provisions relating to privacy. The Federal Privacy Commissioner has taken the view that this is a requirement under the security principle of the 1988 Act and has issued model contractual clauses for use by Commonwealth agencies. The NSW Privacy Commissioner has issued similar advice.
Some sectors have taken the initiative and developed voluntary codes of practice incorporating some or all of the NPPs. These principles were developed by the Privacy Commissioner through a consult-ative process between 1997 and 1999 as a template for self-regulation (during this period the Federal Government’s position was to favour self-regulation over statutory controls). The main codes of practice are as follows.
This was developed by the Australian Direct Marketing Association (ADMA) and includes the full set of NPPs (1998 version). It also has a code administration committee and process for dealing with complaints from consumers about breaches of the Code. Although consumer and privacy groups have been critical of some aspects of the Code, it was approved in 1999 by the Australian Competition and Consumer Commission (ACCC) as being sufficiently in the public interest to outweigh its anticompetitive effect. Adoption of the Code of Practice is a condition of membership of ADMA.
This scheme, launched in 1998, incorporates all of the NPPs (1998 version) except for the anonymity principle. It has a supervisory and complaint handling mechanism through a privacy compliance committee of the existing insurance industry complaint body, Insurance Enquiries and Complaints Ltd. General insurers were invited to adopt the principles and implement them no later than August 2000, but to date only some 30 insurers, representing less than 10 per cent of general insurance business, have done so. Many insurers have taken the view that they will await the forthcoming legislation.
The Internet Industry Association (IIA) has developed a Code of Practice which contains both general privacy principles and specific rules relating to unsolicited email (spam). Although the privacy section, which incorporates the NPPs, has been settled since 1998, it is only recommended by IIA for voluntary adoption by members and there is as yet no supervisory or complaint handling machinery.
In December 1999 the Federal Government announced that it would legislate for private sector privacy. After another round of consultation, in April 2000 the Privacy Amendment (Private Sector) Bill was introduced into Parliament. It was referred to a House of Repre-sentatives Committee (HoR Committee) which reported in July 2000, recommending several significant changes. Two Senate Committees also examined the legislation and made suggestions for changes. The legislation was finally enacted in December 2000 with only relatively minor amendments.
The scheme of the new Act is expressly intended to meet international concerns and obligations. One specific way in which it seeks to meet this objective is by provision for extraterritorial effect. The Act provides for the law to apply to acts or practices engaged in outside Australia by organisations subject to Australian law, including non-resident organisations carrying on business in Australia in respect of personal information collected or held in Australia (Privacy Act 1988, as amended in 2000, s 5B). The same clause also provides for the Privacy Commissioner to take action overseas to investigate complaints. While this is a generally helpful provision, it is limited to information about Australian citizens or permanent residents. This means that the Act would not apply to data about foreigners transferred out of Australia, and significantly undermines the effectiveness of the onward transfer principle (NPP 9) discussed below.
The definitional problems which apply under the previously existing Privacy Act (discussed in Part 1 of this article, under ‘Public sector ‘Exemptions and restrictions — Commonwealth’ in PLPR 8(1)16) are extended by the amendments to the private sector. They include the concept of a record, the exclusion of ‘generally available publications’ (expressly extended by the new amendments by the addition of ‘however published’, which increases the risk of abuse) and the uncertain application of the Act to email addresses.
The amendments only apply some of the NPPs to information collected before the commencement of the legislation. Those principles dealing with collection (NPPs 1, 10 and part of 3) and use (NPP 2) and access (NPP 6); and the anonymity principle (NPP 8) apply only to information collected, or transactions, after commencement. The other principles apply to all information whenever it was collected (s 16C).
The legislation will commence on 21 December 2001 (12 months after receiving the Royal Assent). Small businesses are granted a further 12 months to comply with some principles (s 16D).
Exemptions from the new private sector regime under the Commonwealth Act are of two types — exemptions (mostly conditional) for specified organisations, and exemptions for specified activities.
There is an unconditional exemption for State owned government business enterprises (s 6C(1)(3) and (4)). Given the exemption for State owned corporations in the NSW Act, this leaves most State owned enterprises in the country without any statutory privacy controls (although the Victorian Act covers enterprises in that State).
There is a conditional exemption for small businesses defined as those with an annual turnover of less than $3 million (ss 6C(1) and 6D). According to the Government, this will have the effect of exempting over one million or 94 per cent of all businesses. The exemption is conditional on the business not holding health information other than as part of employee records, and not collecting or disclosing personal information for a consideration. All small businesses are given an extra 12 months to comply. As the HoR Committee Report noted, the exemption is quite complex and may be very difficult to apply in practice. The report recommended that otherwise exempt small businesses be allowed to opt in, but accept the Government’s arguments for a broad exemption. The Government accepted the opt in proposal (s 6EA).
There is a conditional exemption from the collection and disclosure principles for ‘related bodies corporate’ (s 13B). This would have the effect of allowing (non-sensitive) personal information to be transferred between different businesses entities that are related through ownership without the normal application of the notice requirements and use and disclosure limitations, provided such transfers did not exceed individuals’ reasonable expect-ations. Critics of the Bill suggested that this could be a major loophole through which corporate groups could evade the purpose limitation objective, and that the exemption could even act as an incentive, in combination with the small business exemption, for structuring business groups with the intent of weakening the effect of the privacy law.
There is a conditional exemption for employee records, broadly defined (s 7B(3)). The HoR Committee Report rejected the Government’s contention that sufficient protection was contained in workplace relations legislation and recommended a significant narrowing of the exemption. The Government refused to accept any changes to this exemption, but has established a working party to look at the issue of privacy protection for employee records.
There is a conditional exemption for media organisations in the course of journalism. Journalism is very broadly defined (essentially covering any activity with the aim of publication) and this exemption was the subject of critical submissions to the HoR Committee. The Committee’s report stopped short of recommending limits to the exemption but suggested it be made subject to a code and kept under review. The Government accepted this suggestion (s 7B(4)).
There is an exemption for political acts and practices (s 7C) which means that none of the NPPs will apply to political parties, their volunteers and contractors, or to elected representatives. The HoR Committee recommended that some conditions be placed on this exemption but this was not accepted by the Government and the exemption passed unaltered.
There is also an uncontroversial exemption for individuals undertaking activities ‘other than in the course of business’ designed to exempt processing for personal, family or household affairs (s 7B(1)).
Contractors to Commonwealth and State agencies are exempted from the private sector NPPs in relation to those records for which they are contractually bound to observe the public sector IPPs or State equivalents (s 7B(5)). A contractor to the Commonwealth which is a small business otherwise exempt from the NPPs remains covered by the Act in relation to the IPPs (s 7B(2)).
The discussion of the principles which follows takes the default NPPs as the standard with which all organisations will have to comply under the legislation. This is not strictly correct, as organisations can apply for approval of codes of practice. However, any code must either incorporate the NPPs or ‘set out obligations that, overall, are at least the equivalent of all the obligations set out in [the NPPs]’ (s 18BB). On the assumption that the Privacy Commissioner will not approve any code that set out lesser standards (as he or she could be judicially reviewed if he or she did so), it is safe to refer to the NPPs throughout the remainder of this article.
There is, however, provision in the legislation for ‘waivers’ from the application of the NPPs, going beyond any of the statutory exemptions already discussed above. As noted in the first section of this article (2001 8(1) PLPR 16), the existing Privacy Act contains a mechanism for the Privacy Commissioner to make a public interest determination allowing a derogation from the IPPs. Under the private sector amendments, this mechanism is extended to the NPPs, and a new facility is introduced for temporary determinations, pending consideration of a full determination (Pt VI Div 2). Full determinations are subject to an elaborate and public consultation process and both full and temporary determinations are subject to disallowance by Parliament.
The Act will require private sector organisations that are not exempt to comply with the NPPs from 21 December 2001. NPPs 1 and 2 cover the purpose limitation principle between them by requiring collection of personal information to be necessary and done by fair and lawful means (Sch 3, NPP 1.1 and 1.2), and by placing limits and conditions on use and disclosure (Sch 3, NPP 2).
These provisions are broadly consistent with arts 6 and 7 of the EU Directive, but with at least two significant differences.
NPP 2 arguably goes further than arts 6 and 7 in allowing unconditional processing (use and disclosure) for the ‘primary’ purpose of collection and ‘related purposes within the reasonable expectation of the individual’ (Sch 3, NPP 2.1 and 2.1(a)). The ‘exceptions’ in the rest of the principle only apply to ‘secondary’ purposes. The related purpose exception in particular appears much broader than the ‘not incompatible’ specification in art 6.1(b).
One of the secondary use/disclosure exceptions in NPP 2 is for use/disclosure ‘required or authorised by or under law’ — similar to that in IPPs 10 and 11 in the public sector regime. As already noted, this is a wider exception than the criteria in art 7 of the Directive (in particular, art 7(c) and (e)).
Both the banking and health sectors claim in debate that they are already subject to strict common law duties of confidentiality. While this duty provides useful support to a non-disclosure principle, it does not apply to internal uses, and even to some external transfers for the purposes of the organisation. The common law duty is also limited to information which is inherently confidential — and the courts have defined this much more narrowly than the scope of personal information with which privacy laws are concerned.
NPP 4 requires organisations to take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up to date. This is consistent with art 6(d) of the EU Directive, but omits the additional requirement in 6(c) for ‘adequate, relevant and not excessive’ collection. It could be argued that the requirement of ‘necessity’ for purpose in NPP 1 automatically ensures relevance, but it is interesting to note that relevance is included in the equivalent IPP for Commonwealth public sector agencies (s 14, IPP 3(c)) and in the NSW Act, which also includes ‘adequate’ and ‘not excessive’.
NPP 5 requires organisations to be open about their management of personal information. NPP 1 includes a requirement to give notice of various matters when collecting personal data. These provisions are consistent with arts 10 and 11 of the EU Directive, although there has been some criticism of the discretion to notify after collection where notification prior or at the time of collection is not practicable (Sch 3, NPP 1.3).
NPP 6 provides a right of access for individuals to personal information about themselves and a right of correction, subject to various exceptions. Both the rights and the exceptions are broadly consistent with the equivalent provisions in arts 12 and 13 of the EU Directive. However, the Act now expressly extends the limitation of the correction right to Australian citizens and permanent residents, referred to already in the public sector section, to NPP 6 (s 41(4)), thereby leaving citizens of other countries no opportunity for remedies for breaches of this Principle.
There is no express provision encouraging organisations to provide as much information as possible, even where an exception is claimed, by severing or selectively deleting the withheld information. Case law under Freedom of Information Acts, which has been the mechanism for delivering the access right in the public sector, has clearly established that this is required. It has been suggested that private sector organisations are more likely to use an exception as an excuse for total withholding, and that a statutory requirement to provide as much information as possible would have been desirable.
NPP 2.1(c) provides for a partial right of opposition to direct marketing by requiring organisations to offer individuals an ‘opt out’. However, this provision only applies where the use for direct marketing is not part of the primary purpose or ‘directly related and within the individual’s reasonable expectations’. This means that in practice, there will be many direct marketing activities where individuals do not have to be offered an opt out opportunity.
It remains unclear whether the omission of ‘disclosure’ from NPP 2.1(c) works to the advantage or disadvantage of individuals. To take one view, it means that disclosure for direct marketing (for example, sale of lists) has to satisfy one of the other exceptions in NPP 2, such as consent (NPP 2.1(b)). To take another view, which sees NPP 2.1(c) as an ‘extra’ condition, there is never a statutory requirement to offer an opt out from disclosure, and organisations are free to make it part of their primary purpose or try to influence their customers’ expectations so as to satisfy NPP 2.1(a).
The codes of practice which incorporate earlier versions of the NPPs (including the ADMA Direct Marketing Code mentioned above) and which are already being followed by some organisations, are subject to the same limitations and ambiguities in relation to NPP 2.1(c) as the Act itself. The best that can be said is that NPP 2.1(c), wherever it appears, only partially provides the protection envisaged by art 14 of the EU Directive.
NPP 4 is a comprehensive security principle which is consistent with arts 16 and 17 of the EU Directive.
NPP 12 only limits collection of the sensitive data categories. There are no special restrictions or conditions on the use or disclosure of sensitive data (other than health data, for which there are some modifications to NPP 2). The Act therefore allows most sensitive information which has been collected for a legitimate purpose to be used for other purposes subject only to the normal restrictions in NPP 2.
There is considerable debate about whether the special health information provisions actually provide a higher level of protection, or have the opposite effect of authorising a wider range of uses and disclosures than would otherwise be the case. Health consumer groups are generally opposed to the provisions for health privacy, and are campaigning for separate tougher legislation with more emphasis on patient consent — along the lines of the existing ACT and Victorian legislation.
The private sector privacy regime does not generally provide equivalent protection for sensitive data to that envisaged in art 8 of the EU Directive.
NPP 9 is a principle dedicated expressly to the regulation of transfers of personal information to foreign countries. The principle is modeled on arts 25 and 26 of the EU Directive and seeks to achieve the same objective — ensuring as far as possible continued and adequate privacy protection for ‘exported’ data.
Unlike the earlier versions of this principle, which dealt with ‘other jurisdictions’ rather than foreign countries, NPP 9 does not now provide any protection where personal information is transferred either to a State or Territory government which is not subject to a privacy law or to one of the large number of private sector organisations which will be exempt from the Commonwealth regime.
The principle itself, in its application to ‘foreign’ transfers, differs in some significant respects from the terms of arts 25 and 26.
Under the Commonwealth Privacy Act, consent for transfer does not have to be ‘unambiguous’ and organisations are allowed to make an assumption about the likelihood of consent where it is impracticable to obtain it (Sch 3, NPP 9(b) and (e)).
Organisations are allowed to make their own assessment of whether there is ‘adequate protection’ in the destination country (Sch 3, NPP 9(a)).
The exception where ‘the organisation has taken reasonable steps to ensure that the information ... will not be held, used or disclosed inconsistently with the NPPs’ (Sch 3, NPP 9(f)) is much weaker than the nearest equivalent in art 26(2) in that it addresses only standards and not safeguards and the exercise of rights.
There is no equivalent in NPP 9 to the public interest, legal claims, or vital interests derogations in art 26, although it is assumed that the Government intends to provide for these in some other way, otherwise a range of important cross-border transfers — including for law enforcement or major emergencies — would be prohibited.
While the intention of NPP 9 is to provide an equivalent to arts 25 and 26, it appears to fall short of those provisions in a number of key respects and in other respects is more restrictive.
Complaint handling and enforcement under the proposed general private sector privacy regime is complicated by the provision for these matters to be dealt with, at least partially, in codes of practice.
Private sector organisations can develop a code of practice and submit it to the Privacy Commissioner for approval. A code may contain a customised version of a NPP (provided they are at least equivalent) and may also contain procedures for making and dealing with complaints, (which have to meet prescribed standards — some set out in the Act (s 18BB(3)) and some in a Government benchmark. A code of practice could establish a code adjudicator body which would fulfil some of the functions of the Privacy Commissioner.
For organisations not subject to an approved code, the default provisions of the Act will apply. These include most of the complaint handling and enforcement provisions that apply to public sector agencies under the pre-existing Act. As already noted above, these appear at first sight to meet the standards envisaged in arts 22-24 and 28 of the EU Directive, in respect of judicial remedies, compensation, sanctions and supervision.
However, critics of the private sector amendments pointed out an inequity and defect in the enforcement provisions. The Act provides for determinations of code adjudicators to be enforced by the Federal Court or Magistrates Court (after a de novo hearing) in the same way as determinations of the Privacy Commissioner; code adjudicators, like the Commissioner, are also subject to judicial review on points of law. But there was no provision for complainants to appeal against an adverse decision by the Commissioner or a code adjudicator. This effectively meant that while a respondent organisation has a right of appeal on the merits of a complaint (by refusing to comply with a determination and having their case re-heard in court), a complainant can only appeal against a procedural defect.
While this flaw has also applied to the public sector regime which has been in operation for 12 years, critics suggest that it only becomes a serious matter with the extension of the law to the private sector. Public sector agencies are less likely to refuse to comply with determinations (it has not happened yet, although there have only been a handful of determinations), whereas experience in other tribunals suggests that many private sector respondents may resist. The Government accepted this argument and made a last minute change to the legislation to provide a right of appeal from decisions of code adjudicators to the Privacy Commissioner (s 18BI).
While code adjudicators will not have the same powers as the Privacy Commissioner — to investigate, call witnesses, require the provision of information and so on — their ability to refer complaints to the Commissioner (s 40(1B)) and, more importantly, the right of appeal should prevent this from being a major weakness.
It is not clear from the Act whether code adjudicators will be required to publish their determinations as the Commissioner is required to do. At least one critic has suggested that this is a serious lack of transparency and may hinder public scrutiny of the effectiveness of codes of practice.
Of the existing voluntary codes of practice that incorporate earlier versions of the NPPs, only the ADMA Direct Marketing Code and the General Insurance Industry Privacy Principles have established and theoretically functioning complaint bodies. However, the Insurance Privacy Compliance Committee has yet to receive any complaints, and there is no information publicly available about the operation of the ADMA scheme. Both have been criticised by consumer groups for not meeting all of the standards for independent complaint handling which are proposed as the minimum under the Act as amended. They certainly do not meet all of the EU Directive standards in relation to judicial remedies, compensation, sanctions and supervision (arts 22-24 and 28). v
Nigel Waters, Pacific Privacy Pty Ltd, Phone: 02 4981 0828 or 0407 230 342, <firstname.lastname@example.org>.
 Industry Code Protection of Personal Information of Customers of Telecommunications Providers, devel-oped by the Australian Communications Industry Forum and registered by the Australian Communications Authority on 1 May 2000.
 Industry Code Calling Number Display, developed by the Australian Communications Industry Forum and registered by the Australian Commun-ications Authority on 1 July 2000
 See <www.aca.gov.au>.
 Telecommunications Act 1997 (Cth) Pt 13.
 The same NPPs which now form the core of the proposed ‘private sector’ amendments to the Commonwealth Privacy Act 1988.
 Rule 6.1(c).
 See <www.tio.com.au>.
 See Explanatory Memorandum on the Privacy Amendment (Private Sector) Bill 2000, paras 383-385.
 House of Representatives Legal and Constitutional Affairs Committee Advisory Report on the Privacy Amendment (Private Sector) Bill 2000, July 2000 (HoR Report) — available online at <www.aph.gov.au/house/committee/laca/Privacybill/contents.htm>.
 Senate Standing Committee on Legal and Constitutional Affairs — report on the Privacy Amendment (Private Sector) Bill 2000 at <www.aph.gov.au/senate/committee/legcon_ctte/privacy/index.htm>; and Select Committee on Inform-ation Technologies inquiry into e-Privacy — no final report.
 Privacy Amendment (Private Sector) Act 2000 (Cth) s 3(b)(i).
 Privacy Amendment (Private Sector) Act 2000 Sch 1, cl 14.
 Privacy Amendment (Private Sector) Act 2000 s 2.
 HoR Report, p 11.
 HoR Report, Ch 9.
 HoR Report, Ch 3.
 Privacy and Personal Information Protection Act 1998 (NSW), s 11.
 That is, being alternative bases for use in NPP 2.1 and 2.1(a).
 HoR Report, Ch 6 and 7.
 Health Records (Access and Privacy) Act (ACT) 1997; Health Records Act 2001 (Vic).
 Benchmarks for Industry-Based Customer Dispute Resolution Schemes published by the Consumer Affairs Division of what was then known as the Department of Industry, Science and Tourism (August 1997).
 HoR Report, Ch 10.
 Submission to the HoR Committee by Professor Graham Greenleaf, University of New South Wales.
 Department of Industry, Science and Tourism above note 21 at footnote 85.