Privacy Law and Policy Reporter
Graham Greenleaf and Nigel Waters
One of the key challenges for the new federal Privacy Commissioner, Karen Curtis, will be to counter the increasingly common perception that the consequences of breaching privacy laws only constitute a tolerable business risk and do not justify significant effort or cost to avoid.
What messages have been sent by the Commissioner’s office in the nearly three years that the private sector amendments to the Privacy Act 1988 have been in force?
Contrary to some recent media reports, the approach taken by the previous Commissioner, Malcolm Crompton, can hardly be characterised as one of heavy enforcement. Rather the emphasis throughout his term, particularly in relation to the private sector, was one of ‘building a culture of compliance’ largely through education and guidance. Commissioner Crompton continued the practice of his two predecessors in avoiding formal enforcement action wherever possible – meaning nearly always.
According to his 2002-03 Annual Report, 81.5% of complaints of breaches of the NPPs were discontinued without a finding of any breach of the NPPs. Breaches of the NPPs were found in 127 cases (18.5%) but in all cases the complaint was not investigated further because the Commissioner considered that the respondent had taken adequate steps to resolve the matter. No information is given about whether all 127 complainants were happy about this (but apparently they are not – see X v Commonwealth Agency PrivCmrA 4 at (2004) 11 PLPR 15), and no details are given about what ‘adequate steps’ were taken, except in a handful of self-selected case notes published on the Commissioner’s website.
The figures for IPP complaints against public sector agencies, and for complaints against credit reporting bodies under Part IIIA are much the same.
In only one complaint since the private sector amendments commenced has the Commissioner made determinations under s52 (the Tenants Union v TICA complaint, dealt with by the Commissioner as four separate complaints: see (2004) 11 PLPR 14), and those Determinations required only marginal or minor systemic changes to the practices of the tenancy blacklist run by TICA.
After 15 years of operation of the Privacy Act there have still been only four other formal determinations of complaints against public sector agencies. The first two (in 1993) did not result in any enforcement. The last two (in 2003 and 2004 by Commissioner Crompton) have been in relation to ACT agencies, with one resulting in a minor payment of compensation (against which the dissatisfied complainant is appealing to the AAT), and the other a dismissal of the complainant’s claim for compensation (see Cases + Complaints this issue).
In other words, there is absolutely nothing on the public record to make either companies or agencies believe that the Privacy Act is ever enforced. Maybe it is, but only through conciliation behind closed doors.
The result of this ‘softly softly’ approach pursued by all the Commissioners to date is that many organisations regard privacy compliance as optional. Privacy Act obligations cannot be totally ignored, at least where this would be visible. Most larger organisations feel obliged to comply with the ‘notice’ requirements, although many privacy statements are inadequate. Privacy is also often thrown in as a further justification for increased security measures required for other reasons. Access to a person’s own record is also now more likely to occur. But beyond these steps, few organisations have felt it necessary to seriously address issues of whether collection is necessary, proportionate and fair, whether uses and disclosures are in fact compliant with the relevant principles, or whether records are accurate and relevant.
Legal advisers and compliance officers make it clear in informal discussions that in risk management terms, privacy compliance rates very low. This is partly a matter of relative priorities, because other regulatory requirements such as the Financial Services Reform Act and the continuing rounds of CLERP reforms have absorbed most compliance resources in recent years. But it is also due to rational judgements about the low risk to a business of breaching the NPPs. As with any law, compliance behaviour results from a calculation based firstly on the chances of being caught and secondly on the seriousness of the consequences.
Here, both are low risks, due to factors including: low levels of awareness of individual rights; the delays in investigating complaints when made; the effective cessation of audits; and the very limited capacity to undertake own-motion investigations. What is known of completed complaint investigations and audits suggests that the risk of any significant consequences is even lower.
The other side of enforcement
While it is clear that the Privacy Commissioner needs to do much more to make the complaints function of her office a deterrent to privacy breaches, rather than just an easily managed business risk, we don’t suggest that this is the only or necessarily the most significant change needed for effective enforcement of the Act.
All Privacy Commissioners to date have succumbed to a self-defeating process whereby the limited available resources are increasingly consumed by handling large volumes of relatively insignificant complaints, with a corresponding reduction in pro-active pursuit of systemic compliance issues (through audit and own-motion investigations). Complaint investigation can reveal important issues, but it also involves passively accepting whatever curious selection of issues arises from the small minority of individuals who persist with the complaints process. Commissioners have overlooked the leverage that can be obtained by pro-active compliance activity.
One opportunity is the abundant evidence of systemic non-compliance in credit reporting brought forward by the consumer movement. More examples are needed like the Commissioner’s recent action in causing One.Tel in Liquidation to have 65,000 customer default listings dropped from credit records after finding that One.Tel did not have systems in place to update customer credit default listings once a debt had been paid. A missed opportunity to date has been the failure to take up the issue of truly anonymous options for use of toll roads, despite the superficially obvious breach of NPP 8 involved (raised repeatedly by privacy advocates for several years).
We urge Commissioner Curtis to re-appraise the balance in the performance of her functions between education (necessary but not sufficient) and enforcement (essential). Within enforcement, we urge her to find a better balance between complaints investigation and pro-active enforcement. Evidence about the real privacy issues facing the community should be used to pro-actively set the agenda – calling to account those organisations that are regularly pushing the boundaries of compliance. This change of emphasis need not be at the expense of individual complainants, who are of course entitled to seek enforcement of their rights, and whose successful complaints can provide a powerful deterrent against future breaches. But the Commissioner needs to be willing to enforce the Act, and to publicise that she does so, using complaints strategically in support of a more important agenda – securing compliance with both the letter and the spirit of the Privacy Act.