The Overview may well be sufficient for some readers, as it provides a summary of what the scheme is trying to achieve and the essence of how it will work.
For readers who ask the question 'Why do we need a fair information practices scheme?', Part 1, 'What is Information Privacy and How can We Protect It?', has been included. It explains the background to the current state of privacy law and policy in Australia, and makes the case for fair information practices to apply in the private sector. It explains why there is a general consensus that market processes require some assistance to deal adequately with business and consumer concerns.
Part 1 also explains how compliance costs can be minimised, by a sensible timetable for phasing in any new requirements, and by piggy-backing on other communications with customers, existing staff training etc. At the same time, it must be recognised that there will be some initial compliance costs associated with the scheme, and modest continuing costs. But these will be proportional to the scale of information handling - only major information-intensive businesses could face significant costs, and only if they have neglected security and other standards in the past. For many businesses, compliance with the standards will often yield direct benefits and savings to compensate. For most small and medium-sized enterprises, overseas experience shows that the compliance cost is minimal.
Those who have already been part of the debate about private sector information privacy protection and are familiar with the background to the issues may wish to go straight to Part 2, 'How Would a National Scheme for Fair Information Practices Work?', and Part 3, 'What Should the Scheme Contain?'. Parts 2 and 3 draw on the responses to the discussion paper, Privacy Protection in the Private Sector, released by the Attorney-General's Department in September 1996 and address many of the comments made about the co-regulatory scheme it proposed. They also include input from the consultations that have taken place since March 1997, and draw on the significant body of experience and debate about self-regulation and codes of practice more generally.
Part 2 explains how a National Scheme for Fair Information Practices could work - how it would cover all relevant areas of information handling; how to ensure compliance with best practice standards; and the relationship to other existing and proposed self-regulatory and statutory schemes. It sets out minimum specifications for scheme administration; complaint handling and dispute resolution; and compliance monitoring. Without these elements, a scheme would not be credible, either within Australia or to our international trading partners.
Part 3 discusses the principles and standards of fair information handling which would be needed as the foundation of the scheme. Following a general consensus, the Information Privacy Principles of the Privacy Act are used as the starting point, but criticisms of their relevance to the private sector have been heeded, and revised principles are put forward as a basis for discussion. It is acknowledged that the principles, and exceptions to them, will need to be thoroughly debated and tested against a wide range of practical situations, to ensure that they are workable in a business environment. Some suggestions are made about how some of the key issues might be resolved. These include:
Use of information for related purposes - business concerns about unrealistic constraints are acknowledged and balanced against the objective of meeting consumers' reasonable expectations.
Giving individuals a right of access - this is a key principle, but business fears about unfettered access to evaluative material and opinions, and unreasonable demands by individuals, are addressed. There are many precedents for how a reasonable balance can be struck, and the volume of access requests under similar schemes elsewhere is generally very modest.
Retrospectivity - it is explained that the principles will only be applied to information already collected where it is sensible and easy to do so - for instance reasonable security measures should apply to all personal information.
All the features of the scheme canvassed in this paper are open for discussion; it is offered simply as a starting point for further work by a representative working group. How such a group might be constituted and operate, and on what timetable, is discussed in Part 4, 'Developing the Scheme - a Proposed Consultation Process'.
Part 4 explains how it is proposed to progress the development of the Scheme, with a timetable for consultation over the next few months. The timetable beyond the end of 1997 is deliberately left open, in recognition of the volatile policy environment. State or Territory legislation, sectoral regulation in areas such as health and telecommunications or electronic commerce, and other self-regulatory initiatives may necessitate a modification of the current approach. The international context is also changeable, with the European Union likely to firm up its position on the 'adequacy' of privacy protection in other countries, and the United States government considering information privacy issues, especially in the electronic environment.
Further explanation and discussion of the case for a scheme is included as Appendix A, and more detailed discussion of some of the proposed principles in Appendix B.