Privacy Law and Policy Reporter
The Federal Privacy Commissioner, Karen Curtis, commenced her review of the private sector provisions of the Privacy Act 1988 in October 2004, with the publication of an Issues Paper and an invitation to interested parties to make submissions, by 22 December. The Commissioner intends to report to the Attorney-General by 31 March 2005.
Full information about the review, including submissions received, are available on the OFPC website at http://www.privacy.gov.au/act/review/index.html
Terms of reference
The terms of reference for the review were set by the Attorney-General in August 2004. They are limited to the private sector provisions introduced in 2000, thereby excluding the tax file number and credit reporting provisions that have been in the Act for much longer. The government has also excluded several topics which it claims are the subject of separate reviews. This is true of genetic information, on which the Australian Law Reform Commission reported in 2003, and employee records, which are under review by an interdepartmental working group. But nothing has emerged from the review of children’s privacy since late 2002, and there is no recent or current review of the political acts and practices exemption, so this exclusion can only be designed to avoid further scrutiny of the cynical self-serving way in which politicians have exempted themselves from the standards they expect from the rest of the community.
The terms of reference ask the Commissioner to review the degree to which the private sector provisions introduced in 2000 are meeting their objects, and the Commissioner has also taken the four objects specified as the framework for the Review. The Issues paper therefore deals in turn with:
• A single comprehensive and nationally consistent scheme
• International issues and obligations
• Recognising individual rights, and
• Balancing individual interests with business efficiency
The Commissioner has adopted an open and inclusive approach to the review. As well as inviting submissions from interested parties, the OFPC held a series of open meetings in major capital cities during November and December. These were well attended with the Sydney forum attracting more than 80 people. The Commissioner has also convened both a steering committee and a larger consultative group. These include representatives of business, professional and consumer interests and are meeting periodically during the Review to assist the Commissioner and her staff. The Review is also informed by the findings of survey research into community attitudes to privacy, carried out by Roy Morgan Research earlier in 2004.
In line with government best practice, the OFPC has assumed that submissions will be published unless confidentiality is specifically requested. As at 13 January, the OFPC had posted 114 submissions to its website, of which fifteen are confidential. Three of these are from private individuals, but it is disappointing that the others are mostly from large businesses or from industry bodies. Suppression of submissions from key industries is hardly conducive to the spirit of an open review and inevitably gives rise to suspicions about what changes these organisations are requesting. It is to be hoped that the Commissioner will find a way of ensuring that the substance of all confidential submissions is revealed in her report, without breaching the assurance of confidentiality.
Without having read the first batch of submissions, it is already possible to outline the likely range of views. The two meetings of the consultative group held so far, and the public forums, have made it clear that there are two broad perspectives.
The first view, shared by most of the business community, is that the private sector provisions are broadly satisfactory and that after the expense and effort of training and compliance programs in 2000-2002 the last thing that is needed is any major changes. There is however widespread dissatisfaction with the complexity and inconsistency of privacy regulation overall, with the states moving to fill perceived gaps in coverage – such as health privacy and surveillance – with customised laws. This is leading to precisely the patchwork of overlapping and inconsistent regulation that it was the federal government’s intention to avoid with the private sector amendments. It is not yet clear what the business community sees as the answer to this problem, although there are some indications that they would be prepared to sacrifice various exemptions and exceptions if this had the effect of deterring the states from adding to the complexity.
Some specific sectors of business are likely to take the opportunity to lobby for more significant changes, such as a relaxation of the credit reporting regime. While the operation of Part IIIA has been expressly excluded from the review, the Commissioner has left the door open by inviting submissions on how the 2000 amendments interact with other parts of the Act. Private detectives, debt collectors and fraud investigators in financial services companies are likely to press for greater access to information without consent – arguing that limited police resources necessitate better recognition of ‘private’ law enforcement. Charities appear generally concerned about the impact of the legislation but details of their concerns will only become clear from their submissions.
Organisations operating in the health sector are particularly concerned about the emerging patchwork of inconsistent heath privacy regulation and are hopeful that the slow process of developing a national health privacy code will lead to a rationalisation of the rules. Health care professionals and consumer advocates do however see significant dangers in the push for greater linkage of health data, and associated electronic health records which will require stronger rather than weaker privacy protection.
There would be firm resistance from most businesses and industry organisations to any tightening of the use and disclosure principle – for instance to prevent ‘bundling’ of purposes and reduce the flexibility that organisations enjoy through the allowance of ‘related’ secondary uses.
The other major strand of opinion is a widespread dissatisfaction, amongst consumer organisations, with the way the Act is working for ordinary people. This is as much a criticism of the way the Act is being enforced as of the National Privacy Principles themselves. The Privacy Commissioner is widely perceived as under-resourced but also ineffective – preferring expedient conciliation of individual complaints to assertive action to address systemic compliance issues. Long delays in processing individual complaints, followed by weak findings and remedies are serving as a deterrent to more individuals bringing complaints.
While business groups see the relatively low level of enquiries and complaints and access requests as an indication that the Act is working, consumer advocates are more inclined to attribute it to inadequate awareness and understanding of individuals rights.
Consumer and professional representatives (such as health care workers) share the concern of the business community about complexity, duplication and inconsistency, but would oppose any ‘levelling down’ of privacy protection standards.
Another area of consensus is a widely held scepticism about the value of lengthy privacy notices and statements, which are seen as ‘turn off’ for consumers and a compliance burden for business – particularly in telephone interactions. But consumer representatives would not want to see the overall provision of information reduced – rather it should be delivered closer to the time of use of information, with more choices for individuals at that stage. Business interests resist the costs of more targeted notification and consent, and argue that the provision of information is enough and that individuals are free to make choices as to whether to deal with an organisation on the basis of its privacy practices. Consumer groups are doubtful as to whether this is realistic – many individuals are not in a position to challenge privacy policies and for others it is not a salient enough issue to affect their choice of service provider – but that does not mean, in the view of consumer advocates, that individuals approve of common practices in secondary uses of information.
Consumer, business and professional interests all seem to recognise the limits of information privacy laws based on a civil remedy regime in dealing with the full range of privacy issues – such as surveillance and media intrusion - and accept that there will remain a role for the criminal law and some sector specific legislation such as the Telecommunications (Interception) Act. The role of common law, and the potential for a statutory tort of privacy invasion, have not been expressly canvassed in the Issues paper but may attract some comment, particularly in relation to the media exemption.
There is also a shared recognition of the challenge posed by identity management – and the tension between increasing ‘know your customer’ requirements in other legislation and the collection minimisation and anonymity principles in privacy laws. Again, the preferred solutions to these tensions and challenges will vary between business and consumer groups, and will only become clear from the detailed submissions.
The government appears puzzled by the low level of take up of the Code of Practice option – which they emphasised in the 2000 amendments as a major element of its ‘light touch’ approach to privacy regulation. It seems likely that there will be a consensus that there is limited value in the development of Codes, given that it involves considerable effort and expense, with little benefit other than a customisation of the principles in sector-specific language. Given that a Code cannot overall lessen the standards of the NPPs, and that decisions of a Code Adjudicator can be appealed to the Privacy Commissioner, there is no great advantage to be gained by business – and most seem content to comply with the default regime of the NPPs and OFPC as complaint handler.
Submissions will no doubt raise many other issues, and may favour some of the views outlined above more than others. It will be interesting to see what the Commissioner makes of all the input and what if any recommendations she makes to government for fine (or coarse!) tuning of the legislation. Then of course there is no guarantee that the government will take any notice of the Commissioner’s report, and it may well be that some interests will have judged that direct, and secret, lobbying may have more impact than declaring their hand in submissions. What changes if any are eventually made will reflect a wide range of considerations and influences over at least the next year. But it is to be hoped that the Commissioner’s review will at least lead to better informed and more considered decisions on any changes than would otherwise be made.
Nigel Waters is a member of the Commissioner’s Consultative Group for the Review, representing the Australian Privacy Foundation, and is also the principal author of the Foundation’s submission, which is available on its website at www.privacy.org.au .