Home | Databases | WorldLII | Search | Feedback Privacy Law and Policy Reporter

Greenleaf, Graham; Waters, Nigel --- "Private parts" [2001] PrivLawPRpr 48; (2001) 8(5) Privacy Law and Policy Reporter 108

Private parts

Compiled by Graham Greenleaf and Nigel Waters

NT and Qld take different privacy paths

Over the past weeks, Australia’s two northernmost jurisdictions have announced very different paths to privacy protection, both somewhat at odds with what the rest of Australia is doing.

The new Northern Territory Labor Government has tabled a draft Freedom of Information Bill which also includes some elements of privacy protection, going beyond the correction of personal records which is found in all Australian FOI laws. The draft Bill was introduced by Attorney-General Peter Toyne on 24 October 2001. Comment on the draft will be accepted until 28 February 2002.

Announcing the draft Bill, Dr Toyne said:

The information scheme we propose also seeks to protect the community against improper use of personal and commercial information held by government. It will place constraints on the use of such information for commercial purposes and provide an opportunity for an independent review where someone believes that improper use has occurred.

Provisions limiting the use of personal information contained in public registers are included in both the NSW and Victorian public sector privacy laws.

‘The draft bill is unique in that it has been specifically written to cater for the new information based economy and is therefore more relevant than similar legislation in other jurisdictions,’ Dr Toyne claims. An Information Commissioner, as is found in Queensland and WA, will deal with FOI/privacy complaints under the legislation. The Department of Corporate and Information Services will be actively involved in implementing the information and privacy scheme.

In contrast to this legislative route, the Queensland Government implemented, in September, a new purely administrative privacy regime. Attorney-General and Minister for Justice, Rod Welford, said the Government’s new policy created strict rules about how personal information was collected, stored, used and disclosed by the public sector. He said that an Information Standard, approved by State Cabinet, is based on Information Privacy Principles (IPPs) that apply to the Commonwealth public sector under the Commonwealth Privacy Act 1988. Each Queensland agency is required to develop a Privacy Plan within the next six months, and to appoint a Privacy Officer. Local government is not part of the privacy regime, unlike in NSW and Victoria, States which have privacy laws. Unlike NSW and Victoria, it would seem that Queenslanders will have no enforceable remedies or compensation in the event of privacy breaches by government. v

Further information (Qld):<www.justice.qld.gov.au/dept/privacy.htm>.Further information (NT):<www.nt.gov.au/ntg/information/index.shtml>.

Privacy Commissioner’s approach to enforcement

In August, federal Commissioner Malcolm Crompton wrote to the Australian Chamber of Commerce and Industry (ACCI) which had been critical of the Commissioner’s perceived approach to enforcement of the new private sector Principles. The following extract is an important statement of the Comissioner’s position.

I refer to the reports that you say you are receiving about the approach this Office will take to promoting compliance with the new law after 21 December this year. As I understand it, you are concerned that I have stated in a number of public forums that we will be deliberately seeking early breaches of the law then making public examples of the organisations involved, as a warning to others.

Let me assure you that this is not an accurate account of what I have been saying. In every public speaking engagement where the question of our approach to compliance has been raised, I have clearly stated that publicising breaches of the Act would be a last resort where it has proved impossible to arrive at a conciliated outcome.

Let me outline to you the approach that I have repeatedly espoused. This approach is based on using the lowest cost, lowest profile approach that the complainant and respondent organisation will allow.

These arrangements are:

• When we receive a complaint, we first check if the parties have attempted to resolve their differences directly and if not, whether it would be appropriate for them to try.
• In the new legislation, this is mandated by s 40(1A). In other words, we encourage internal complaints handling as a first resort.
• If this fails, we enter a stage of conciliation based on accepted principles of alternative dispute resolution. In most cases, we rely on phone calls and letters to the parties. In a small proportion of more intractable matters, we may meet with the parties face to face.
• This process has been very successful in the existing jurisdiction and usually results in our Office closing the complaint under s 41(2)(a) on the grounds that the respondent has adequately dealt with the matter. Moreover, in the vast majority of complaints over the last five years, resolution has not involved monetary compensation. Less than 6 per cent of complaints have involved financial compensation. In all but a few serious matters, the amounts have been very modest ($500 - $2000).
• Only twice in the 12 year life of the Privacy Act has the Commissioner had to use the formal determination making powers under s 52 and one of these occasions was at the request of the respondent.
• If the parties do not comply with the terms of a Determination, s 55A of the Act allows us to approach the Federal Court or the Federal Magistrates Service to seek enforcement via a de novo hearing. So far, we have never had to resort to this step.
• We also have powers under s 98 of the Act to seek injunctions to ensure compliance with the Act. Again, we have never had to use these powers.

In making these points, I should point out that this includes our jurisdiction over credit reporting activities in the private sector. Against this background, in all of my public speaking, I have noted that while publicity is an obvious option, we will only use it as a last resort and I have pointed out that we would much rather celebrate success than condemn failure; and that we are here to help organisations find privacy solutions. This approach is explicitly stated in the Strategic Plan launched in March 2000 and has been reiterated ever since.

In the course of making these remarks, I have also pointed out that if an organisation does not do the right thing after a complaint has been resolved, for example continues to flout the law or is clearly and consciously a ‘repeat offender’, then and only then will we seek to put the matter in the public arena.

I hasten to add that this approach has had, and will have, an impact on the public standing of this Office in the eyes of some. For example, when I outlined this philosophy in a talk to the Melbourne Press Club last March, I was roundly criticised during debate for being soft. In another instance when we issued a media statement (on request only) that flatly described the terms of a settlement with Harts Financial Services, its clients were described as ‘outraged that the Federal Privacy Commission (sic) has chosen not to fine the finance company’.

Hong Kong changes Privacy Commissioners

Hong Kong’s widely respected Privacy Commissioner for Personal Data, Stephen Lau, has decided not to seek re-appointment at the expiry of his term as Commissioner and has rejoined the private sector as President, Asia Pacific North, of Electronic Data Systems Corporation (EDS). Mr Lau was with EDS before taking up the post of Commissioner. Among other things, Mr Lau will be remembered for hosting in 1999 the most open and stimulating International Data Protection and Privacy Commissioner’s Conference in its 25 year history. He also holds a special place in the internationalisation of privacy principles, as the first Privacy Commissioner in an Asian jurisdiction.

The new Commissioner Mr Raymond Tang took up his post on 1 November 2001. Mr Tang is a lawyer of 35 years experience and until appointment was a barrister in private practice. From 1996 to 1999 he was with Hong Kong’s Securities and Futures Commission, first as its Chief Counsel and then as Special Counsel to the Chairman.

Technical changes to privacy offences?

The Law and Justice Legislation Amendment (Application of Criminal Code) Act 2001 (Cth) makes generic changes to the Criminal Code which apply to Federal privacy law. Schedule 40 amends the Privacy Act 1988 (Cth), to replace ‘knowingly or recklessly’, with ‘intentionally’ in the offence provisions (all of which are in the credit reporting provisions, Pt IIIA).

Commonwealth agencies websites ‘disappointing’

‘The results of the websites audit are overall disappointing,’ said Federal Privacy Commissioner, Malcolm Crompton, in a letter to agency heads about the results of a recent privacy audit of Commonwealth Government websites. In May 1999, the Commissioner’s Office issued Guidelines for Federal and ACT Government websites. The Government adopted these guidelines as part of the Government’s Online Strategy for the delivery of Commonwealth Government services, and set 1 June 2000 as the deadline for implementing the guidelines.

The 2001 survey found that nearly one third of Commonwealth websites still fail to meet the baseline requirement of displaying a privacy statement. Less than one quarter (21.6 per cent) of all websites that collect personal information had an adequate Information Privacy Principle 2 (IPP 2) statement or a direct link to a privacy statement. Less than half (42 per cent) of all websites audited warn users of the risks of transmitting data across the internet. Only 2.8 per cent of sites audited used encryption methods to ensure secure transmission of personal information.

Source: <www.privacy.gov.au/news/01_09.html>.