[Previous] [No next] [Title]
17. History of Australian privacy legislation
Graham Greenleaf and Nigel Waters, 2001- ; last revised 12 March
2003 by Graham Greenleaf
The following is a snapshot of the current scope of statutory privacy
protection under Australian law, and how Australia arrived at that position.
Much of the material is expanded in other Reading Guides, but it is best
to read this outline now to gain an overall picture.
For more detail on some points than in our outline below, see
Roger Clarke A
History of Privacy in Australia [to 1998 in current revision, but to
2002 re private sector privacy only] - a valuable work in progress which
captures most (but not all) of the important events.
Margaret Jackson Hughes on data protection in Australia, Lawbook
Co., (2nd Ed) 2001 - A useful account of the formal history of development
of Australian privacy laws, particularly the details of many obscure Bills
and government reports, but it contains little of the politics behind the
G Greenleaf & N Waters (Eds) Privacy
Law & Policy Reporter (10 issues per year, 1994 -) Butterworths
LexisNexis - This monthly periodical contains accounts of much of the post-1993
history, often with details of the politics behind the legislation.
Olujoke Akindemowo Chapter 6 'The protection of data and privacy' in
Technology Law in Australia, LBC Information Services 1999 - a brief
account, useful as a formal introduction
17.1. Public sectors
Pre-history (before the Privacy Act 1988 (Cth))
From 1975 - 1999 the NSW Privacy Committee Act 1975 empowered the
Privacy Committee, a `privacy ombudsman', which could investigate any alleged
invasions of privacy (public or private sector), attempt to conciliate,
and make recommendations. The Act did not contain any definition of privacy,
or any IPPs, and did not create any enforceable rights.
The Freedom of Information Act 1982 (Cth) Pt V introduced rights not only
of access but also of correction, to Commonwealth agency records.
Law Reform Commission's Report 22 Privacy (1983) - The report took
almost a decade to produce (1975-83) but in the end only recommended non-binding
Information Privacy Principles (IPP), an approach which had already been
overtaken by enforceable privacy laws in most of Europe. However, a version
of these IPPs, made enforceable, became the core of the Privacy Act
1988, so the Report is still of some interest.
Australia 'adheres' to OECD privacy Guidelines (1984)
See Roger Clarke Pre-History
to Late 1980s
For innumerable State and Federal failed bills, see Jackson/Hughes.
Federal: the Australia Card, TFN, and the Privacy
The defeat of the Commonwealth (Hawke/Keating) Government's proposal for
a national ID Card, the `Australia Card' in 1987 (for detailed readings,
see RG 10.4.5 The
Australia Card - a defeated ID card scheme? ) resulted in a political
compromise: the passage of legislation for a strengthened Tax File Number
(TFN) surveillance system only to be used to stop tax evasion, `balanced'
Privacy Act 1988 (Cth) with enforceable information privacy
rights (the previous Privacy Bill 1986 had no enforcement).
Act 1988 (Cth) requires Commonwealth agencies to comply with a set
of 11 Information Privacy Principles (IPPs).
The Hawke/Keating Government soon (1990) reneged on its promises that the
TFN system would only be used for tax enforcement purposes, and instead
extended it to cross-matching with information about government benefit
recipients (pensioners, students etc), authorised and somewhat controlled
by the Data-matching
Program (Assistance And Tax) Act 1990 (Cth). (for detailed readings,
see RG 10.4.5 Data
matching and the Tax File Number: a story of function creep)
The Australian Privacy Commissioner is appointed under the Act; the Commissioners
have been Kevin O'Connor (1988-96), Moira Scollay (1996-99), and Malcolm
Crompton (1999- )
States and Territories
New South Wales
and Personal Information Protection Act 1998 (NSW) was the first State
legislation to provide enforceable privacy rights in relation to a State
The NSW Privacy Commissioner is appointed under the Act - see the Privacy
NSW web site. The first Commissioner is Chris Puplick (former Chair
of the Privacy Committee and also Anti-Discrimination Commissioner) (1998
The NSW Privacy Commissioner also now holds the 'privacy Ombudsman' functions
(in relation to both public and private sectors) previously held by the
NSW Privacy Committee. Note that the Privacy Commissioner can therefore
investigate breaches of privacy by government agencies which fall outside
the privacy principles in the Act.
See G Greenleaf A
new era for public sector privacy in NSW (1999) 5 PLPR 130. The article
"The Privacy and Personal Information Protection Act 1998
is a reasonably strong piece of 1980's-style information privacy legislation
for the less important (ie non-exempt) parts of what remains of the NSW
public sector after corporatisation and privatisation. "
"In the unnecessarily limited realm in which it applies, it
is likely to provide some individuals with an effective and inexpensive
means of obtaining redress for unjustifiable invasions of privacy. In many
other important areas where State-owned corporations and State investigative
agencies affect people's privacy, they will simply be told 'the Act does
not apply. "
"The other down-side of this Act (as with much other privacy
legislation) is that it will make it easier for successive governments
to use it as a justification for extending surveillance activities, by
stressing that 'it will all be done in accordance with the privacy Act'
and 'the Privacy Commissioner will be consulted'. Few people in the public
or in public affairs will appreciate just how limited the Act's protections
are, and it will serve to assist in the extension of surveillance activities."
In 2000 Victoria enacted Australia's strongest public sector privacy legislation:
The Northern Territory
Act 2002 covers the protection of personal information, and also record
keeping and archive management of information held in the public sector
. It will come into effect by 1 July 2003. The first Information Commissioner
is Peter Shoyer, a former Assistant Information Commissioner in Queensland.
Other States and Territories
South Australia , Tasmania and
have non-legislative, non-enforceable (and probably non-significant)
administrative instructions similar to IPPs in other legislation applying
to their public sectors. The Commonwealth Privacy Act 1988 applies to the
ACT public sector.
For details of developments in these and other States/territories, see
Federal Privacy Commissioner summary
of State Privacy Laws.
All state jurisdictions provide access and correction rights to personal
information held in government documents, as part of their Freedom of Information
legislation (as does the Commonwealth - to whose FOI Act 1982 the
Privacy Act defers in relation to access and correction).
17.2. Private sector
Until 2001, there has been no privacy legislation applying to the Australian
private sector as a whole. As a result of the Privacy Amendment (Private
Sector) Act 2000, the Privacy Act 1988 now applies to some parts
of the private sector since 2001. The history of how this position was
reached is somewhat tortuous. Prior to 2001, there was some piecemeal coverage
of the private sector.
As mentioned above, the NSW Privacy Committee had 'ombudsman' powers to
investigate complaints against the private sector as it affected NSW, since
From the start of the Privacy Act 1988, private sector businesses were
required to follow TFN Guidelines - initially schedule to the Privacy Act
1988, subsequently re-issued by Privacy Commissioner.
IIIA of the Privacy Act 1988 (Cth) has since 1990 regulated
consumer credit reporting, with a set of specific rules covering much the
same ground as the IPPs.
What have been described as
most restrictive credit reporting laws in the Western world' (Graham
Greenleaf (1992) 66 ALJ 672 -674) resulted from a very effective campaign
in 1989 by privacy advocates after the credit industry attempted to expand
into `positive reporting', which would have involved the collection of
entire lending histories, not just defaults.
The self-regulation dead end
Pressure grew through the early 1990s for further extensions, partly due
to growing appreciation of electronic privacy issues, and partly in the
context of the planned EU Directive. In 1996, the Commonwealth Attorney-General
issued a Discussion Paper which foreshadowed private sector privacy legislation.
However, in March 1997 the Prime Minister abandoned these proposals in
favour of voluntary self-regulation by the private sector due to pressure
from some sections of the business community and a general antipathy to
regulation. He also requested the States and Territories not to legislate
in relation to the private sector. Other States followed his 'advice',
but Victoria continued to plan to legislate (See below). Privacy and consumer
groups took the view that the Prime Minister's self-regulatory approach
was unsustainable and would be reversed - see G Greenleaf The
Commonwealth abandons privacy - for now (1997) 4 PLPR 1 for an assessment
of the factors which might lead to the Commonwealth government reversing
its position and legislating.
The government intended that the Privacy Act 1988 (Cth) would be extended
to all outsourced (private sector) providers of contracted out or `outsourced'
Commonwealth services, but the Bill to implement this has was referred
(May 1998) to a Senate Committee and did not proceed. It had already been
extended to the private sector providers of Commonwealth employment services
(the replacements for the old CES). These developments were part of the
piecemeal and inconsistent extensions of the Act that were taking place
up to 1999.
In response to the Prime Minister's offer of assistance for self-regulation,
the Commonwealth Privacy Commissioner released a Consultation Paper Information
Privacy for Australia: A National Scheme for Fair Information Practices
in the Private Sector in August 1997 proposing one national self-regulatory
code for privacy protection. Consumer/privacy groups boycotted any discussions
on voluntary self-regulation, and have instead continued their campaign
to obtain legislation. However, they agreed to participate with business
groups in discussion on the content of privacy principles, and at the end
of the process the Commissioner released a set of National
Principles for the Fair Handling of Personal Information (February
1998). The role and content of these `National Privacy Principles' ('NPPs')
was criticised by Greenleaf
and Waters (April 1998) and by Clarke
(April 1998), and privacy and consumer groups refused to endorse them.
(Note: These NPPs are still very important because they form the main content
of the privacy rights in the amended Privacy Act.)
The Commissioner then (May 1998) started a new round of discussions on
methods of enforcement of privacy principles, but privacy and consumer
advocates boycotted these discussions and even business organisations seemed
to have little interest in them. The self-regulatory process produced nothing
significant by way of an overall approach to enforcement. The NPPs were
however taken up by two industry sectors, being incorporated in Codes of
Practice developed by the Insurance Council of Australia (for the General
Insurance industry) and by the Australian Direct Marketing Association.
Both schemes included industry specific complaint handling mechanisms,
which have however been criticised for lack of independence and other flaws.
Meanwhile, international pressures on Australia to provide adequate privacy
protection continued to mount, particularly from the European Union's privacy
Directive, which could lead to data export restrictions from Europe to
Australia. The extent to which any self-regulation could satisfy these
requirements was (and is ) contentious. (See elsewhere in this Reading
Guide dealing with International Standards)
Victoria released a draft Data Protection Bill in December 1998 to
apply to both public and private sectors. It was innovative in providing
both co-regulatory approach allowing for industry codes of conduct to replace
the privacy principles in the legislation (the 'National Privacy Principles'),
but still allowing for rights of appeal against decisions under industry
codes, and strong enforcement provisions. See G Greenleaf Victoria's
draft Data Protection Bill - The new model Bill?' (1999) 5 PLPR 136.The
Victorian government intended this initiative to bring pressure to bear
on the Federal government, offering to drop the private sector coverage
if the Commonwealth enacted satisfactory general principles for the whole
The 2001 'private sector amendments' to the Privacy
Act 1988 (Cth)
In January 1999 the Federal Government abandoned its self-regulatory approach
and announced an intention to introduce 'light-handed' legislation including
provision for co-regulation via industry codes of conduct. The Privacy
Amendment (Private Sector) Bill 2000 has was introduced into Federal Parliament
in April 2000. It is covered in detail in these Guides.
At a public meeting concerning the Bill in April 2000 the Federal Attorney-General
stated that the reason the Government had changed its mind in March 1997
and opposed privacy legislation was because key business groups had decided
they no longer wanted legislation, but by December 19989 those key business
groups had changed their minds again. So the government had decided that
legislation was now desirable.
For a formal explanation of the Bill see the Bills Digest No 193 1999-2000
For the history of the passage of the Bill, see the following articles:
By the time the Commonwealth Bill emerged from the parliamentary committee
processes (unusually the Bill was considered by three separate committees),
the Victorian government had changed and the new state government had introduced
a public-sector-only Bill of its own. The removal of the `threat' of a
patchwork of inconsistent laws came too late to derail the federal initiative.
The European Union is not yet satisfied that Australia's private sector
privacy legislation is 'adequate' in European terms; See
'Big' business became subject to the Act in December 2001; 'small' business
are only subject to the Act since December 2002
For a sketch of how a comparable Federation has made an equally complex
mess of private sector privacy legislation, consider Canada:
[Previous] [No next] [Title]