36 Concerns have been raised both by business organisations and by consumer groups that any self-regulatory information privacy scheme may be fraught with difficulties. These concerns are not, however, unique to an information privacy scheme, but are frequently raised in relation to all self-regulatory schemes.
37 Both federal and state government fair trading and consumer protection organisations have examined these concerns and have responded with detailed guidelines that attempt to build into self-regulatory schemes various checks and balances to ensure that such schemes are workable and effective.
38 It is not the purpose of this Part to re-visit all these general concerns, but rather to make use of previous experience and discussion in designing a self-regulatory National Scheme for Fair Information Practices. We have drawn in particular on the guide prepared by Commonwealth, State and Territory Consumer Affairs Agencies in October 1996 entitled Fair Trading - Codes of Conduct and a Department of Industry Science & Tourism symposium on codes held in November 1996 entitled Industry Codes of Conduct - The Way Forward.13
39 The process of developing the scheme - including who should be involved directly and who else consulted and when - is dealt with in Part 4 of this paper. This part deals with an appropriate structure for the scheme, what organisations would be covered by the scheme, what would be the relationship between the scheme and other regulatory regimes and what commitments would be sought from participants to the scheme.
What sort of organisations should a scheme cover?
'Personal information' industries and others
40 It can be argued that some types of activity are much more likely to infringe on people's information privacy than others.
41 Some industries are by nature 'personal information intensive'. For example, direct marketing depends for its effectiveness on being able to send marketing material to people likely to be interested in it; in order to identify such people, companies must have relevant information about particular individuals. Another example is business reference databases - like credit bureaus (already regulated by the Privacy Act); tenant databases or video hire databases - which make available to other businesses information about potential customers that is used to assess commercial risk. Such databases clearly depend for their effectiveness on comprehensive and accurate personal information.
42 By contrast, many businesses hold very little personal information. For example, a clothes shop might hold payroll records containing personal information about its employees (who it employed, how much it paid them and when) and invoice records about some of its customers (who it billed for what, how much, when and whether they paid). Most such businesses use that personal information only for internal accounting and management purposes, which would clearly be within the expectations of the subjects of the information.
43 Any scheme should be sensitive to the different levels of information privacy risk posed by different industries or activities. A clothes shop will very rarely be in a position to handle personal information in a way likely to raise privacy concerns. But that does not mean that it is inappropriate for any self-regulatory information privacy scheme to apply to businesses that handle comparatively little personal information. First, any firm can be in the personal information business. For example, today's information technology means that any firm can analyse, use and rent out its customer database to other organisations. Second, although some categories of business handle much less personal information than others, every business may be in a position where it has to make delicate judgements about the personal information it holds. For example, a man might approach a retailer trying to find out his ex-wife's expenditure. It may not happen often, but it will happen sometimes.
44 This suggests that it would be best to have a scheme that can be applied to any organisation, even though in practice some businesses would be very little affected. Provided there is no onerous requirement for businesses to spend time or money simply because they subscribe to the scheme, there is no reason to exclude any particular sector or individual business. There are many advantages of an all-inclusive scheme, particularly in terms of consistency and certainty for businesses and consumers. Having different schemes for different industries is also clumsy and difficult when so many businesses are operating across traditional industry boundaries.
45 Some business peak organisations are in any case opposed to the idea of general 'small business' exemptions, partly because of the difficulty and arbitrary nature of any size threshold, and partly because it unfairly penalises businesses just above the threshold, to the extent that they have to bear any compliance cost or administrative burden.
46 It is sometimes suggested that charities and other not-for-profit organisations are a special case and should not be subject to rules or regulations applying to commercial businesses. It is hard to see a reason to exclude not-for-profit organisations - charities, religious organisations, political parties, public advocacy groups and the like - from the coverage of a self-regulatory fair information practices scheme. Such organisations hold and use large amounts of personal information. Indeed charities are some of the biggest and most sophisticated users of direct marketing, using personal information gathered from a variety of sources to identify potential supporters. Many are closely involved in providing support to the disadvantaged or people in crisis and in that role collect and exchange sensitive personal information about their clients.
47 There may be a case for providing special assistance to some not-for-profit organisations to help them understand and comply with the scheme, but small businesses and others will also need guidance and support. An important part of any scheme would be the production and dissemination of easy to read guidance material.
Corporate groups or legal entities?
48 An important question is whether fair information handling principles should apply to individual legal entities. In legal terms many large organisations are structured as a set of separate companies, even though they share a common ownership and operate under a single brand name. As the Australian Bankers Association said in its submission in response to the Attorney-General's Department's discussion paper:
Another important distinction between public and private sector bodies is that in the vast majority of cases, public sector bodies are single entity structures. This is not the case in the private sector where extensive group corporate structures are developed on holding company and subsidiary company relationships.
49 It would seem artificial to treat related companies as separate entities where customers regard them as the one organisation. On the other hand, a highly diversified conglomerate could include in one corporate structure companies operating in different markets and under different brands. Treating such a group as a single entity could lead to handling of personal information well outside the expectations or control of the customer.
50 On balance it would appear that a strict 'legal entity' basis for applying fair information handling principles would not be best but that the grounds for aggregating different legal entities should take account of the reasonable expectations of the customer. These will be influenced by the trading names under which different legal entities operate, whether they are related entities, and by the markets in which they compete.
51 One of the difficulties in a flexible approach to related entities is the issue of liability - even in a self-regulatory scheme, there will need to be some degree of certainty about who it is that accepts responsibility for compliance with the terms of the scheme, and with the rulings of any complaint determination process. It would not be acceptable for businesses to use a generous and flexible definition to avoid or frustrate the exercise by individuals of their rights under the scheme.
52 It may be that this issue can be dealt with by a self-identification approach - related groups of companies could declare themselves as a single entity for the purposes of applying the principles, on condition that they also undertook to provide a single point of contact for individuals and the scheme administrator, and to accept collective responsibility for any compliance issues or breaches of the code. It would however follow from a self-identification approach that the relationships involved would need to be clearly communicated to information subjects such as customers or employees, so that they know who they are dealing with. In many cases, brand or trading names which are widely recognised and understood may serve this purpose.
Relationship with other regulatory schemes
53 There is a need to ensure that any scheme adopts a unified national approach with minimal inconsistency between sectors or industries. It was very clear from the responses to the September 1996 discussion paper from the Attorney-General's Department that all of the interested parties wanted to ensure that there is a consistent national framework. For example, Optus commented:
Electronic storage of information within centralised or interconnected databases by companies operating national businesses makes compliance with eight sets of State or Territory laws difficult and expensive.
54 In order to provide consistency, it will be necessary to ensure that any national privacy standards and principles prevail over privacy related provisions in any existing codes of practice. On the other hand, the administrative, monitoring and dispute resolution mechanisms required by a national privacy scheme can potentially be provided by existing self-regulatory or statutory mechanisms.
55 Examples of existing schemes which include some privacy protection provisions are:
the Code of Banking Practice;
the Telecommunications Industry Ombudsman Scheme - soon to be supplemented by codes of practice under the Telecommunications Act; and
codes of practice for the Life and General Insurance sectors.
56 It is anticipated that these provisions, already discussed in Part 1 of this paper, would be reviewed against any agreed set of information privacy principles emerging as part of the national privacy scheme. They would either be updated to be consistent with the national principles, or deleted and replaced in their entirety by a commitment to meet the national principles. Similarly, the mechanisms of the existing schemes would need to be reviewed, although these may be found to be sufficient once the national principles have been adopted.
57 For other sectors where there is no existing code of practice, it is expected that the principles in a national scheme could be applied directly, and this should be one of the objectives of the exercise. Experience in New Zealand under the Privacy Act 1993 is that most sectors have been able to comply with the principles set out in the Act, without needing to take up the option, available under the Act, of negotiating variations in a code of practice. Given the increasing trend towards diversification of commercial activities, it is desirable to keep the number of separate codes to a minimum, to avoid confusion about which rules apply to different activities of the same organisation.
State and Territory initiatives
58 Another major variable is the possibility of State and Territory regulatory initiatives, which may include privacy legislation. The Victorian and New South Wales governments have already indicated they may bring forward data protection legislation which could have some coverage of the private sector, and the ACT government has committed itself to statutory privacy protection for health records.
59 The development of a National Fair Information Practices Scheme, as proposed in this paper, can and should be compatible with State and Territory legislative initiatives. Any such laws are likely to take as their starting point commonly accepted principles such as those in the OECD Guidelines, which will then need to be customised to fit the circumstances of public and/or private sectors.
60 In customising information privacy principles for the private sector, States or Territories would have to undertake the same work as is envisaged in the national scheme process, and the outcome is likely to be similar, if only because the parties involved in those development processes would likely be the same parties involved in the development of a National Fair Information Practices Scheme. The main differences, if any, will lie in the monitoring, enforcement and complaint handling mechanisms, which can be considered separately from the actual information privacy standards.
61 Depending on the timing of any State or Territory initiatives, it may be that the work on a National Scheme for Fair Information Practices would be completed in time for its content to be incorporated in any sub-national or sectoral legislation, thereby avoiding the problem of inconsistency.
Consistency between public and private sectors
62 The boundaries between private and public sectors in Australia are increasingly blurred. Partnerships between government and business, contracting out by government agencies, corporatisation and privatisation of government business enterprises, all bring the public and private sectors into a close and interdependent relationship. Some of the functions that used to be performed directly by the Commonwealth government are now performed by private sector organisations and in some of these cases (such as employment services case managers), the organisations have been made subject to the Commonwealth Privacy Act in order to ensure that the information privacy of clients is not jeopardised.
63 The Government has indicated that the Privacy Act is to be amended to cover contractors supplying services to the Commonwealth in relation to personal information held by them on behalf of the Commonwealth. This means that many private sector organisations will be required to comply with the Privacy Act, in relation to some of their business activities, irrespective of any voluntary National Scheme for Fair Information Practices. A case can be made for differential standards, in that with public sector functions, issues of compulsory powers and public accountability come into play. It may also be that contractors could readily quarantine their handling of personal information for government and apply the different, and in some cases higher standards that would be required by the Privacy Act without undue difficulty.
64 Consistency should not be an end in itself, and should not be used to justify the imposition of a 'government' standard on business where it is not applicable. On the other hand, consumers and citizens are likely to be confused if standards they can expect vary too much without obvious justification. In order to ensure national fair information handling standards that are consistent where that is appropriate, and bearing in mind the possibility of State, Territory or sectoral legislation, it will be desirable to draft standards that are, as far as is possible, compatible with the existing Information Privacy Principles. Part Three of this paper makes a start on this task.
Ensuring compliance with a national scheme
65 Any scheme for Fair Information Practices will need to include a set of recommendations directed to organisations about how they should handle the information they hold about individual, identifiable people.
66 In a self-regulatory scheme, there are a number of ways of trying to ensure the implementation of such recommendations. Some options are:
A The development and publication of guidelines on an advisory basis only, with commitment by individual organisations or peak bodies on a "self-declaration" basis.
B Guidelines or standards, but with reporting to or monitoring by an independent scheme administrator, possibly including formal accreditation, but no provision for remedies for breaches.
C A voluntary scheme, including agreed standards, monitoring by an independent scheme administrator, and possibly including accreditation; but also provisions for binding directions to comply, including remedies, in the event of breaches of the standards.
67 Options A and B risk a lack of support from the various stakeholders. Consumer and privacy advocacy groups would be concerned if there was no way to ensure that the scheme or guidelines would be effective, and business would argue that there was little incentive to ensure sufficient support to make the scheme viable. There seems little point in establishing rules or principles for privacy protection if there is no way of ensuring that they are followed in practice and that there are adequate mechanisms for supervision and sanctions. The aim of any scheme is to improve or maintain high standards of fair information handling, and it must therefore encourage and reward good practice and penalise poor practice.
68 It is significant that the European Data Protection Commissioners, in their preliminary thoughts on implementing the data transfer provisions of the EU Directive, have identified procedural mechanisms, and 'means for ensuring the effective implementation (of rules)' as essential components of any 'adequate protection'.
69 From feedback to date, Option C would be problematic for most consumer and privacy groups which have reservations about the independence and effectiveness of similar existing schemes of this type. However, if Option C is accepted by most businesses and they actively take up the self-regulatory role defined within it, then this could provide confidence to consumers that their information was being handled fairly.
70 Option C is clearly the best option of the three, although its prospects for success will depend on overcoming the reservations of consumer groups as well as gaining commitment from business. The scheme outlined in this paper has therefore been designed for implementation in accordance with Option C.
71 Pursuit of Option C will also require recognition of the substantial areas of the private sector which will already be covered by a statutorily backed scheme. Many businesses, such as retailers and financial institutions, in their capacity as service providers, will be subject to the privacy codes to be developed under the Telecommunications Act. Private companies undertaking work for Government which involves handling personal information will be subject to the existing Privacy Act. Clearly, any general fair information practices scheme should seek to complement these statutorily backed regimes, and it will be desirable to ensure maximum consistency to avoid a patchwork of different requirements.
72 It is generally recognised that a self-regulatory scheme is unlikely to be effective without an independent administrator to undertake administrative, coordination and monitoring functions. The administrator would, for example, monitor whether the objectives of the scheme are being met, whether it is cost effective, whether the members are complying with all aspects of the code and whether the scheme is sufficiently adaptable to meet the ongoing needs of its members.
73 The administrator would also be responsible for the collection of data such as complaint statistics relating to how many complaints were received and what percentage were upheld, what was the nature of the resolution of the complaints and were complaints processed in a timely manner.
74 To be effective, a privacy scheme would need to be transparent, so that interested parties could gain access to much of the data and material collected or produced by the administrator. It is suggested that the administrator should print and distribute material about the scheme, including pamphlets on the complaint process and on benchmarking standards. As well, the administrator should be required to produce (at least) an annual report on the operation of the scheme.
75 On the assumption that good privacy practices will give private sector organisations a market advantage, it should follow that there will be a high take-up rate of the national privacy scheme by industry organisations and their members. In recognition of industry concern that the take-up rate may not be significant, it is suggested that the scheme administrator, or some other body, should monitor the rate of adoption of the scheme.
76 One of the main weaknesses of many voluntary schemes concerns the inability of the scheme to deal effectively with 'free riders', that is, organisations which choose not to commit themselves to either the standards or the mechanisms, but which gain a benefit from the public perception that a scheme is in place. In some cases, organisations may follow some or all of the standards, but not subject themselves to the monitoring or dispute resolution processes, and may not contribute financially to the cost of the scheme.
77 One role for an independent scheme administrator would be to apply, or recommend the application of, sanctions or penalties against any 'free rider'. Sanctions and penalties could include, for example, adverse publicity or recommendations that members of the scheme, and consumers, do not trade with the non-member.
78 A more formalised process would involve accreditation of organisations which commit themselves to the scheme, and this could also involve some form of symbol or logo that could be actively promoted as indicating that commitment. There is considerable experience of various forms of accreditation and quality marks which can be drawn on in the design of a national privacy scheme. Some form of independent monitoring or auditing would probably need to form part of any such accreditation. The scheme administrator could be expected to supervise both accreditation and auditing, although both processes could potentially be 'sub-contracted' to a range of other organisations.
79 There are two issues that need to be addressed in relation to sanctions and penalties in a self-regulatory scheme. First, a non-member which is the subject of adverse publicity could possibly bring an action for defamation against the scheme administrator unless the published material was very carefully worded. Second, any action against the offending organisation may be seen to be anti-competitive and may breach the Trade Practices Act. (This is discussed later in this Part.)
80 An independent scheme administrator is a significant step in ensuring that the scheme is robust and effective and does not become a token process controlled by the organisations it covers. In the case of industry codes, the administrator is usually funded, but not directly controlled, by the members of the industry association. Apart from the appointment of an independent chair, such scheme administrators usually have industry and consumer representatives, and may include a government regulator. Examples of such independent industry administrators include the Council of the Telecommunications Industry Ombudsman and the Council of the Banking Industry Ombudsman.
81 In the case of a national privacy scheme, the scheme administrator would need to represent a diverse range of interests. It is envisaged that if an independent administrator were to be created, it would hopefully evolve from the working group of interested parties that would develop the initial scheme (see Part 4).
82 Consideration would need to be given to appropriate cost-sharing arrangements not only for the actual operation of the scheme administrator, but also for participation in the governing body - particularly the funding of consumer representation.
83 Consideration will also need to be given to the relationship between the scheme administrator and the Privacy Commissioner. The Privacy Commissioner is initiating and facilitating the development of a national privacy scheme. It is expected that the Commissioner, and her staff, would be involved in some way in the ongoing administration of a national privacy code, and at the very least would expect to be represented on the governing body of any privacy scheme administrator. This is a matter that will require further consideration.
84 As the scheme would not be confined to any one specific industry, it may be a complex and difficult task to raise sufficient funding for the administration of the scheme. This is also a matter that will require further consideration.
Complaint and dispute resolution
85 The credibility of any voluntary self-regulatory scheme depends significantly on the provision of accessible, low cost and effective complaint and dispute resolution procedures. In the first instance, the individual organisation should be given an opportunity to deal with complaints and disputes. Responses to complaints should be fair, equitable, timely and objective. In order to achieve these objectives, complaint benchmarks should be established, and to this end, the Australian Standard for complaint handling (AS4269) could be used for guidance.
86 Where a complaint is not upheld, reasons should be provided in writing so that the complainant can pursue any appeal mechanisms. Normally, an appeal mechanism should be provided by the organisation itself, although care needs to be taken to ensure that such a mechanism constitutes a swift unbiased review of the complaint and not just an endorsement of the decision of a subordinate employee. Too many layers of internal appeal can act as a deterrent, and contribute to "appeal fatigue".
87 If the organisation is not able to resolve a complaint, consideration will need to be given to providing an appeal mechanism through an independent body. The scheme administrator could be used for this function, but this may give rise to conflicts of interest, for instance if the administrator was required to report on the efficacy of its own complaint handling procedures. Most self-regulatory schemes of any size have found it appropriate to separate the functions of scheme administration and dispute resolution.
88 It is envisaged that the existing industry complaint mechanisms could be used as appeal mechanisms, provided that they are sufficiently independent and adhere to the minimum dispute resolution benchmarks set by the national privacy scheme. The various statutory and industry ombudsmen already have arrangements for referring complaints to the most appropriate point, and this helps to prevent unnecessary forum-shopping. These arrangements would apply to privacy complaints, and could be extended to any new complaint handling bodies for other sectors. There would of course be agreements between dispute resolution schemes to prevent complainants seeking and receiving multiple remedies for the same complaint.
89 Where no independent industry complaint mechanism exists, consideration will need to be given to identifying or establishing a body that can independently investigate privacy complaints and has the necessary authority to enforce any adverse decisions. As the Privacy Commissioner already has a complaint handling function in relation to federal government agencies and credit providers, it may be appropriate to give her that function under the scheme.
90 The dispute resolution body would need to be able to apply sanctions such as:
requiring written undertakings or apologies;
requiring remedial action such as correction or deletion of records, better security, or improved practices for public notification;
requiring the organisation to re-train its staff or issue new internal procedures and guidelines;
where appropriate, awarding compensation for harm or damage directly resulting from a privacy breach.
91 Compensation would mean just that - it is not proposed that punitive financial damages would form part of a privacy scheme. But harm or damage should not be confined to demonstrated financial loss, and should include distress (as it does under the Privacy Act), where this can be clearly established.
92 In determining liability for financial compensation, it has been suggested that a due diligence defence should be recognised - such that an organisation would not be vicariously liable for actions of employees provided it had taken all reasonable steps to make staff aware of the principles and put in place systems and practices to comply. It is argued that this defence would provide an incentive for organisations, particularly small and medium sized enterprises, to be pro-active about compliance and training.
93 The contrary argument is that individuals should not miss out on remedies simply because their privacy was breached by the rogue actions of individual employees. Organisations should accept liability for the actions of employees whether or not they are acting within authority. Otherwise, it is argued, less scrupulous organisations could routinely hide behind a defence of due diligence, particularly where there is no prospect of criminal or other sanctions against individual employees.
94 In considering this issue further, it should be recognised that the number of cases where financial compensation for privacy breaches is likely to come into play would be very limited, if domestic and overseas experience is anything to go by - most privacy complaints do not involve financial claims.
Anti-competitive behaviours and the Trade Practices Act
95 It may be necessary to apply to have compliance with the scheme authorised by the Australian Competition and Consumer Commission. If authorisation is granted by the Commission, the scheme participants would have immunity from action under the competition provisions of the Trade Practices Act, on grounds of anti-competitive arrangements contained in the scheme. For such an application to be successful, it would need to be argued that the scheme produces benefits for the public that justify its impact on competition. This should not be difficult given the weight of arguments in favour of fair information practices and the international precedents.
96 Many businesses are concerned about the issue of how any scheme would apply to personal information already collected and held. It is easier to discuss this in relation to specific information privacy principles, and this is done at the end of Part 3. The general approach, however, will be a common sense one - only those principles which can be readily and fairly applied to existing information should do so.
13 Fair Trading - Codes of Conduct, Australian Government Publishing Service, October 1996. Department of Industry Science & Tourism, Industry Codes of Conduct - The Way Forward (symposium held on 22 November 1996 to discuss an issues paper entitled 'Codes of Conduct' dated November 1996).
 See for example the draft code of practice for Direct Selling being developed for Consumer Affairs Ministers by a working party chaired by the Australian Competition and Consumer Commission (ACCC).
This would not require the identification of a 'privacy officer' as discussed in the September 1996 discussion paper from the Attorney-General's Department.
 This does not mean multiple financial liability or "double jeopardy" - the idea is that relevant parties must agree between themselves who is responsible and liable for any remedial action and/or compensation.
 European Commission, Working Party on the Protection of Individuals with regard to the Processing of Personal Data, First Orientations on Transfers of Personal Data to Third Countries - Possible Ways Forward in Assessing Adequacy, XV D/5020/97-EN final, 26 June 1997.
In response to the September 1996 discussion paper from the Attorney-General's Department the AMP Society; Australian Direct Marketing Association; Life, Investment and Superannuation Association and MLC supported an independent privacy 'board' representing consumers, community groups and industry, although this was in the context of a statutory scheme.
 In their responses to the Attorney-General's September 1996 paper, the Australian Bankers Association; Life, Investment and Superannuation Association; MLC Society and Telstra emphasised this point.