Home | Databases | WorldLII | Search | Feedback Privacy Law and Policy Reporter

Waters, Nigel --- "Privacy Act Reviews agree on changes needed" [2005] PrivLawPRpr 15; (2005) 11(7) Privacy Law and Policy Reporter 183

Privacy Act Reviews agree on changes needed

Nigel Waters

Case for change clear but environment not receptive

Two recent reviews of the federal Privacy Act are mutually supportive in reaching similar conclusions on many issues and in making plenty of suggestions for improvements, although there is little sign of a government appetite for changes, at least in the direction of stronger privacy protection.

The Privacy Commissioner’s report in March 2005 of her review of the private sector provisions of the Act [1] was followed in June by a report by a Senate Committee into the wider operation of the entire Act[2] . The credibility of both reports is enhanced by the numerous detailed submissions received – 136 to the Privacy Commissioner, and from 49 separate organisations to the Senate Committee.

The timing of the reports turns out to be unfortunate in that both reports are now likely to be viewed by the government, and others, through the prism of a renewed emphasis on national security, following the London bombings in July, as well as a new wave of initiatives on government efficiency[3] . It is to be hoped that any proposals motivated by either security or efficiency that involve greater intrusions into privacy are ‘road tested’ against the critiques in the two reports, and that the recommended safeguards are adopted. It would also be useful if the government could respond to the reports in a reasonable timeframe, although precedents are not encouraging[4] .

One common conclusion of both reports is that even the existing safeguards are in danger of being more apparent than real in the absence of adequate resources, both for the ombudsman and watchdog roles of the Privacy Commissioner and for attention within government agencies to privacy issues and compliance – for instance in the form of privacy impact assessments and internal audits.

Cross party agreement

The Senate Committee report can be seen partly as a ‘last stand’ from concerned opposition and minor party senators, before they lost the balance of power in the Upper House. In the case of committee chair Nick Bolkus and Democrat member Brian Greig, it was literally a parting shot, as both retired from the Senate in July after making significant contributions to the privacy debate during their time. Senator Bolkus had a somewhat mixed record as both a privacy invader and protector at various times - he will be particularly remembered for his very personal role as Minister in adding the credit reporting provisions to the Act in 1989.

But it is also significant that the report was unanimous and signals some concern by members of the coalition parties about the risks to privacy in the current political environment. It is particularly noteworthy that the Committee as a whole was unconvinced of the need for the current broad exemptions – specifically those for small businesses[5] , employee records[6] and political acts and practices[7] .

Commissioner suggest many changes

In contrast to the wide-ranging scope of the Senate Inquiry, the Privacy Commissioner’s review of the private sector provisions was necessarily constrained by the very limited terms of reference given to her by the government.

The Commissioner’s overall conclusion that the private sector provisions are ‘working well’ are disputed by the Senate Committee, although it generally supported most of the Commissioner’s detailed recommendations for improvements and calls for early implementation of them[8] . How the Commissioner reached her overall conclusion is something of a mystery, given that she acknowledges that the provisions have clearly failed to meet the objective of a single comprehensive national scheme, does not fully meet international concerns and obligations, and at least in the eyes of consumer and privacy advocates does not adequately provide for the privacy right of individuals. Furthermore both the number (85) of recommendations for action and the significance of some of them belie the conclusion.

The Commissioner has clearly felt constrained not to directly challenge the foundations of government policy on privacy – particularly the emphasis on light-touch co-regulation – despite considerable evidence that it is those foundations that are unsound. However, those who seek improvements in the level of privacy protection should look beneath the Commissioner’s choice of language – presumably designed not to upset the government and business interests – to the many useful changes which she has clearly identified as desirable.

These changes are generally either ones which consumer and privacy advocates have called for, or where there is common ground between them and businesses subject to the Act. The overall impression from business submissions, reflected in the report, is that compliance with the National Privacy Principles has not caused significant problems and that any burden stems from inconsistency, uncertainty and delays in complaint handling, all created by the exemptions and by the lack of resources for the Commissioner’s office.

Wider review desirable

The Senate Committee’s call for a wider review, by the Australian Law Reform Commission[9] , could be seen as a ‘buck-pass’ but should perhaps be viewed more positively. Like the similar recommendation from the Commissioner[10] , it reflects a recognition of the complexity of the issues involved, particularly in light of technological developments, and of the desirability of consistency both between jurisdictions and between sectors[11] . Neither of the two review processes could realistically have dealt with all of the issues, certainly within the timeframes available to them.

Scope of the Act

Because of the limitations of her terms of reference, the Privacy Commissioner’ only ventures into the area of scope is to recommend regulation of residential tenancy databases[12] and of all small telecommunications businesses[13] , and modification of the small business exemption to use the ABS’s 20 employee threshold rather than annual turnover[14] . As already noted, the Senate Committee, free of the same constraints, recommends that many of the current exemptions be removed.

Individuals’ control over personal information

Both reports discuss the differing viewpoints on the degree of control which individuals have over the way in which personal information is collected and used[15] . At the heart of this issue is the phenomenon of ‘bundled consent’ where individuals are asked to agree to a package of uses, not necessarily related or interdependent. The Commissioner can find no easy solutions to reconcile a range of common business practices which involve bundling with the reasonable expectations of individuals. She commits to working on further guidance[16] . However, her support for the concept of short form notices[17] can be seen as moving in the opposite direction, and this remains one of the most unsatisfactory aspects of the operation of the Act.

Application of the Act to new technologies – definition of personal information

Both reports acknowledge the uncertainty about the application of the Privacy Act arising from the definition of personal information. Technologies such as location dependent mobile phone services, and video surveillance (currently very much in vogue!) offer the potential for privacy intrusion without identification. The Senate Committee has made a useful recommendation to apply the law to information that allows individuals to be contacted even though they may not have first been identified[18] . Once again, the Senate Committee has been more robust than the Commissioner, who merely discusses the issue and flags it for a wider review without any recommendation[19] .

The Commissioner’s report does however discuss a number of emerging technology issues, including biometrics, electronic health records and voice over internet telephony, and suggests the use of binding codes as a way of addressing these and other new challenges for privacy[20] .

Outsourcing - Closing the loop on accountability

The Privacy Commissioner’s review identifies a weakness in the scheme of the Act which leads to a loss of accountability once handling of personal information is contracted out by an organisation which is covered by the Act. The Commissioner recommends amendment of National Privacy Principle 4 to expressly make the client agency responsible for ensuring protection of the information in the hands of the contractor (following the precedent in the equivalent public sector Information Privacy Principle). Pending any such amendment, the Commissioner will issue further guidance on the need to impose contractual obligations. She also invites the government to consider making a distinction between data controllers and data operators.[21]

Outsourcing highlights need for a single set of Principles

The Senate Committee noted the confusion and potential problems that arise where a private sector contractor which is subject to the NPPs takes on work from a Commonwealth agency which seeks to impose the IPP standards[22] . The Privacy Commissioner’s recommended solution to this is to move towards a single set of principles for both private and public sectors[23] .

Action needed on direct marketing

Both the Commissioner and the Senate Committee identify a need for greater control for individuals over direct marketing, the Commissioner limits herself to recommending a general opt-out right, and consideration of a national ‘Do-not-contact Register[24] , while the Senate Committee goes further in recommending a general opt-in right, consistent with the Spam Act 2003[25] .

Credit reporting – no change?

Attempts by the finance industry to question the current Privacy Act limits on credit reporting appear to have backfired (although their lobbying efforts continue unabated).

As Part IIIA of the Act was it outside her terms of reference, the Privacy Commissioner only mentions credit reporting where it comes up in the context of the other private sector provisions, and draws no conclusions. But the Senate Committee addressed the issue directly and could see no justification for the introduction of (so-called) ‘positive credit reporting’. The Committee also rejected ‘positive reporting’ on the basis that it could magnify problems associated with the current default reporting system[26] .

Health information in urgent need of consistent regulation

The Senate Committee supported the Privacy Commissioner’s recommendations aimed at achieving greater consistency and certainty about the rules applying to health information, and specifically acknowledged concerns about the effect of privacy laws on medical research[27] . The Commissioner’s proposed solution to the current ‘muddle’ is the early adoption by all jurisdictions of the Australian Health Ministers Council National Health Privacy Code[28] . This would also overcome undesirable constraints on the transfer of health information between health service providers and on cessation of health businesses[29] .

Confusion in privacy regulation of Media and Communications

The Privacy Commissioner acknowledges the unsatisfactory duplication and confusion in relation to telecommunications[30] , and recommends legislative amendments and other practical changes to address this problem[31] . She also recommends and mandatory consultation by the Broadcasting Regulator (now ACMA) and Media Bodies (such as the Press Council) in developing Codes that deal with privacy in relation to the media[32] . The Senate Committee acknowledges the variety of views on regulation of the media[33] but does not draw any conclusions.

International Adequacy

The Senate Committee notes the continuing unresolved issue of ‘adequacy’ in relation to the European Union’s Data Protection Directive (and potentially in relation to the laws of other jurisdictions which adopt a similar transborder data transfer standards). While neither the Committee nor the Privacy Commissioner found evidence of any significant detriment to Australian business, both call for measures to assist recognition of Australian Privacy Laws by the EU.[34] The Commissioner also offers support for the work of APEC privacy framework, which readers of PLPR will know remains controversial [see the update by the General Editor in this issue]. The Senate Committee noted the divergence of views on the APEC work but came to no conclusion[35] .

Law Enforcement gains some ground?

In one of its few concessions to greater intrusions, the Senate Committee invited the government to consider the Federal Police suggestion of a ‘notice to produce’ power for obtaining information from the private sector, presumably when they do not have grounds for a warrant[36] . This goes beyond the Privacy Commissioner’s recommended approach that further practical guidance should suffice[37] .

Misuse of Privacy law

The Senate Committee addressed the issue of the Privacy Act being used to avoid accountability and transparency – often through incorrect claims that release of information is not possible ‘ because of the Privacy Act (the BOTPA excuse). The Committee supported the suggestion from the Australian Privacy Foundation for the Privacy Commissioner to be able to issue corrective statements to be published at the expense of the organisation falsely claiming the BOTPA excuse[38] .

Complaint handling

While the Commissioner’s main excuse for complaint handling weaknesses is the lack of resources, she accepts some of the other criticisms that have been levied at the complaint handling provisions and processes, and undertakes to consider using the determination power earlier in cases which are not susceptible to conciliation[39] , and to give more feedback on systemic issues. She also recommends that the Act be amended to provide for merits review of the Commissioner’s decisions on complaints[40] – at present only judicial review is possible.

However, she also recommends that she be given a discretion to discontinue investigation of complaints where the harm to individuals is minimal and there is no public interest in pursuing the matter[41] . Given the track record of successive Commissioners in using the existing grounds for not investigating in a surprisingly large number of cases, many critics would be wary of making the Commissioner the sole arbiter of when a matter is in the public interest.

Support for Privacy Impact Assessment

One of the most encouraging recommendations from the Senate Committee is the call for a statutory privacy impact assessment (PIA) process for significant new proposals[42] . This recognises the limitation of the existing regime in addressing, early in the policy process, the threshold issue of how much monitoring surveillance is acceptable. The principles and complaint mechanisms in the Act operate largely as ‘downstream’ safeguards once decisions have been made on new systems and processes, but do not provide an opportunity for public debate about whether those systems and processes strike the right balance between privacy rights and other public policy objectives. The Senate Committee emphasises the importance of PIA processes being open and transparent[43] . While PIA has most relevance to public sector initiatives, it is interesting that the Senate Committee does not confine its discussion and recommendation to the public sector. The Privacy Commissioner briefly raises the possibility of PIA being relevant to the private sector, but makes no recommendation[44] .

Resources and Powers

The Privacy Commissioner’s recommendations for increased resources[45] , while well argued, can of course be readily dismissed by those opposed to effective regulation as self interested special pleading. Fortunately, the Senate Committee strongly supports the case for increased funding of the Office of the Privacy Commissioner[46] , particularly for strategic policy functions, and also urges the introduction of private sector auditing powers. The Commissioner specifically requests funding for consumer education[47] and complaint handling[48]

The Commissioner identifies a number of additional powers that would increase the effectiveness of the private sector provisions – these include the power to require remedial action on systemic issues both in complaint Determinations and after ‘own-motion’ investigations, and initiation of binding Codes or Guidelines[49] .

Valuable resources

While this article has focussed on the main recommendations of both reports, they also contain much useful discussion and analysis of a wide range of issues, including areas in which no firm findings or recommendations are made. The reports, and the many detailed submissions, provide a valuable resource for future debate.

Nigel Waters is Principal of Pacific Privacy Consulting and Associate Editor of PLPR

[1] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1998, March 2005

[2] Senate Legal and Constitutional References Committee, The real Big Brother: Inquiry into the Privacy Act 1988, June 2005

[3] Special Minister of State Senator Eric Abetz issued a statement on 6 June 2005 supporting the Privacy Commissioner’s call for a review of privacy laws, as a precursor to greater electronic service delivery, and the Minister for Human Services, Joe Hockey, has initiated a review of the case for a ‘whole of government’ smart card. (Sydney Morning Herald 16 June)

[4] The Senate Committee has had to call for a government response to the 2003 report of the Australian Law Reform Commission on Genetic Privacy: Essentially yours: Protection of Human Genetic Information in Australia, ALRC 96 (Senate Committee Recommendation 7), and for completion of the much delayed inter-departmental government review of the employee record exemption (Report para 7.35). The long-promised government review of childrens’ privacy has also yet to see the light of day.

[5] Senate Committee Recommendation 12 is for the removal of the small business exemption

[6] Senate Committee Recommendation 13 is for the Act to cover employee records, with the precise mechanism to be determined by the ALRC review (Recommendation 14)

[7] Senate Committee Recommendations 11 is for an overall review of the exemptions as part of the ALRC review, but with specific reference to the political acts and practices exemption. Democrat Senator Natasha Stott-Despoja made an additional principled criticism of the political exemption

[8] Senate Committee Recommendation 10

[9] Senate Committee Recommendations 1&2

[10] OPC Recommendation 1

[11] Senate Committee Recommendations 3,4 & 9

[12] OPC Recommendation 14-16

[13] OPC Recommendation 9

[14] OPC Recommendation 51

[15] Senate Committee paragraphs 4.140-4.148, OPC Section 4.1

[16] OPC Recommendation 22

[17] OPC Recommendations 19 &20

[18] Senate Committee Recommendation 6

[19] OPC pages 253-254

[20] OPC Chapter 8 and Recommendation 73

[21] OPC Recommendations 54-56

[22] Senate Committee paragraphs 5.77-5.80

[23] OPC Recommendation 5

[24] OPC Recommendations 23-25

[25] Senate Committee Recommendation 15

[26] Senate Committee Recommendation 17

[27] Senate Committee Recommendation 18

[28] OPC Recommendations 12-13

[29] OPC Recommendations 33-36

[30] OPC Section 2.3

[31] OPC Recommendations 8-11

[32] OPC Recommendation 58

[33] Senate Committee paragraphs 4.62-4.73

[34] Senate Committee Recommendation 16, Privacy Commissioner Recommendation 17. Negotiations between the Australian government and the EU are continuing. The EU has commissioned a further review by European and Australian privacy experts of the adequacy of Australia’s privacy laws, which is expected to report later this year.

[35] Senate Committee paragraphs 4.132-134

[36] Senate Committee paragraph 7.52

[37] OPC Recommendation 65

[38] Senate Committee paragraph 7.51

[39] OPC Recommendation 37

[40] [41] OPC Recommendation 40

[42] OPC Recommendation 46

[43] Senate Committee Recommendation 5

[44] Senate Committee paragraph 7.21

[45] OPC pages 255-256

[46] OPC Recommendations 26, 45 & 48

[47] Senate Committee Recommendation 19

[48] OPC Recommendation 26

[49] OPC Recommendation 45

[50] OPC Recommendations 7 & 44