9. Enforcement and implementation of IPPs

Graham Greenleaf and Nigel Waters; revised by GG 23/3/2002, Nigel Waters 14 May 2002 and 1/6/2003; GG 11/6/03

9.1. The range of remedies

What types of remedies for complainants, and powers of a privacy Commissioner, provide the most fair, effective, and cost-effective way by which to ensure compliance with IPPs by data users, public confidence, and redress for those whose privacy has been adversely affected?

Here are some of the things that it might be desirable for privacy legislation to achieve by way of enforcement and remedies:

9.2. Powers and functions of privacy Commissioners

Australian, Hong Kong and New Zealand privacy laws, like their European and Canadian counterparts (but unlike the USA and some other Asia-Pacific jurisdictions like Japan, Taiwan and Korea), are based to a large extent around the role of a privacy or data protection Commissioner.

9.2.1. General references on Commissioner's roles

9.2.2. Independence

Factors contributing to a Commissioner's independence include the method of appointment, grounds for dismissal, reporting lines, and control over budget.



The federal Commissioner is effectively appointed by the Attorney-General and remains under the AG's Department for budgeting and reporting. Separation of the Office of the Privacy Commissioner from the Human Rights Commission in the mid-1990s brought both advantages and disadvantages in terms of independence, but overall had little effect on the practical inability of the Commissioner to be too critical of the government of the day. A parliamentary committee suggested making the Commissioner an Officer of Parliament (like the Auditor General and Ombudsman) but without guaranteed funding the then Commissioner preferred to stay within the mainstream bureaucracy. The Commissioner can be dismissed for bankruptcy, physical or mental incapacity, outside employment or misbehaviour (undefined but precedents in other areas). The Commissioner does have a fairly high degree of independence in terms of his ability to report, including directly to Parliament, and to make public statements, but in practice this freedom is constrained by the necessity to keep on reasonable terms with the government of the day to protect the budget of the office.

The NSW and Victorian Commissioners are in a similar position - appointed by the government for fixed terms, but dependent on a government department for funding and other support. The Victorian Commissioner automatically ceases to hold office if declared bankrupt or convicted, but can otherwise only be suspended and dismissed with the approval of Parliament. Under the NSW PPIPA, the Commissioner, like his federal counterpart, can be removed by the government for undefined misbehaviour or incompetence. But the practical limits of independence may be illustrated by the resignation of the NSW Commissioner in May 2003. The superficial reason for this was a conflict of interest in the handling of a complaint in another jurisdiction, but the real reason is widely understood to have been repeated public falling out between the Commissioner and the government over both privacy and anti-discrimination issues, leading the Commissioner to find his position untenable without the confidence of the Premier.

Hong Kong

The Commissioner can only 'be removed from office by the Chief Executive with the approval by resolution of the Legislative Council on the ground of- (i) inability to perform the functions of his office; or (ii) misbehaviour.' (s5(5)(b))

See Berthold & Wacks p179

9.2.3. Powers and functions

Australian Federal Commissioner

Section 27 limits the Federal Commissioner's functions to those specified. Also, these functions do not of themselves carry enforcement powers (which are limited to selected functions discussed below). However, the general functions were always wide and have been extended - one of the successes of the political battles over the TFN matching extension and associated parliamentary inquiries. Note the following extended powers: The Commissioner's functions were further extended in 1993 in relation to National Health Act guidelines (s.27(1)(pa)) and in 2000 in relation to the added private sector jurisdiction - s.27 (1)(aa)-(ad) and (ea)

The effectiveness of all these functions and roles depends on the Commissioner's willingness to perform them, the resources available, and the methods he or she chooses to publicise the outcomes. Some of the functions expressly require or allow reporting to the Minister (see (c),(f) & (r)), and sections 30-34 deal expressly with the manner of reporting on some functions. Federal Commissioners to date have varied in their approach to public reporting of their various functions - sometimes issuing a specific report, at other times leaving comment to the Annual Report, and in some cases not publicly reporting at all.

NSW Commissioner

Contrast the Privacy Committee Act 1975 (NSW) (now repealed), where the Committee had general power to investigate and make recommendations concerning any interference with privacy (undefined) - but no powers of enforcement (s.36 - specifically (l)).

This general role is now largely retained by the Privacy Commissioner in the NSW PPIPA 1998.

The first NSW Commissioner made use of his power to make a special report to Parliament (s.65) on two occasions - one involving a local council which refused to act on the Commissioner's recommendation, and the second criticizing a Minister over his actions in relation to an alleged incident at a school (see (2002) 9(6) PLPR 109).

Victorian Commissioner

The Victorian Information Privacy Act 2000 s.58 gives the State Privacy Commissioner perhaps the most extensive and least constrained set of functions, including, like the NSW Act, an express role to make public statements.

Hong Kong Commissioner

s8 Functions and powers of Commissioner

In addition to powers to supervise the operation of the DPPs, the Commissioner has functions allowing him to:

See Berthold & Wacks p180-1

9.2.4. Statutory guidance on exercise of functions

Privacy legislation often requires Commissioners to have regard to certain matters when exercising their powers and functions.

Section 29 of the Privacy Act 1988 gives the Australian federal Commissioner a list of such matters, including government and business `efficiency'; the desirability of a free flow of information (all of which can compete with privacy) and international obligations (some of which can support privacy and others of which may compete). The Victorian Act (s.60) refers the Commissioner back to the objects clause (s.5) which contains a similar free flow of information interest to be balanced. The NSW Act appears to contain no such `constraints'.

9.3. Breaches of IPPs - the basis of remedies

Remedies in data protection legislation are usually available only as a result of a breach of IPPs, even though some legislation uses more general descriptions such as `interferences with privacy'.

9.3.1. Australia Federal - `Interferences with privacy'

The Privacy Act 1988 does not contain any sweeping prohibition on breaches of a person's privacy.

- s16 simply says agencies may not breach the IPPs.

Ss 18 & 18B impose similar obligations on TFN recipients and credit providers and agencies in respect of the relevant rules. Section 16A now imposes a similar obligation on `organisations' in relation to the National Privacy Principles or a relevant approved Code of Practice. These provisions are significant as they impose on agencies a legal duty not to breach the IPPs. Among other things, a breach of this section would be the basis on which to seek an injunction against an agency under s98 and on which complaints can be founded.

Note that the New Zealand Privacy Act 1993 introduces another element - an action is only an `interference with privacy' if it breaches an IPP (or Code etc) AND has caused a loss, damage, injury etc (s.66). The effect of this is to prevent the Commissioner from even investigating a complaint if the complainant cannot show some detriment at the outset. Under the Australian laws, detriment would have a bearing on the remedy awarded, but is not a test to be passed at such an early stage.

9.3.2 Basis of remedies - State Acts

The Victorian IPA similarly defines `interferences with privacy' as an act or practice contrary to an IPP (or applicable Code) - s.14(3). The NSW PPIPA takes a more direct approach - agencies are required to comply with the IPPs (s.21(1)) and a contravention is both reviewable conduct under Part V (s.21(2)) and grounds for complaint to the Privacy Commissioner (s.45(2)).

9.3.3. Hong Kong

s4 Data protection principles 'A data user shall not do an act, or engage in a practice, that contravenes a data protection principle unless the act or practice, as the case may be, is required or permitted under this Ordinance.'

The Hong Kong Commissioner does not have powers to investigate 'non-DPP' complaints (see s38 requiring reasonable grounds for believing there has been a contravention of the Ordinance).

9.4. Investigation of complaints

9.4.1. Australian federal Privacy Act 1988

Investigation of complaints

Complainants must be `affected' individuals, although there is a conditional provision for representative complaints by one of a class of similarly affected individuals (s38).

Preliminary Inquiries

On receipt of a complaint, the Commissioner can, and often does, initiate preliminary inquiries under s.42 to determine if he/she has the power to investigate further and if he/she wishes to exercise their discretion to do so.

Investigation on Commissioner's own motion

The Commissioner may investigate a possible `interference' on his own initiative (ie, without a complaint) (s.40(2)). This power has been exercised regularly by successive federal Commissioners in relation to matters that are brought to light by media reports or by public interest organizations, or referred by Ministers or other politicians.

This is a particularly valuable provision both because individuals will often not be aware that they have been affected (eg: by breaches of security), and because the actual damage to any one individual may not be significant enough for them to be prepared for the investment of time and effort required to pursue a complaint. Where a privacy breach has affected many people only slightly, the own-motion investigation is particularly useful.

There have been a number of high profile `own motion' investigations over the last decade, many of which have been published as `stand-alone' reports, although there is no comprehensive index of these available - details would have to be extracted from the successive annual reports. Some examples are:

Some `own motion' investigations are the subject of media releases from the Commissioner. One 2001 example is:

Differences in enforcement of the NPPs

If there is an industry code in existence, with a separate Code complaint handling machinery covering the organization complained about (eg the General Insurance Information Privacy Code), a complainant must take their complaint first to the code adjudicator, and cannot ask the Privacy Commissioner to investigate it initially. If no industry code applies (or if a Code has no complaint handling component - eg: the Queensland Clubs Code), then a complainant can go directly to the Privacy Commissioner to request an investigation. In this case, the Commissioner's investigative powers and remedies are essentially the same as in relation to Commonwealth agencies.

As a result of a last minute amendment, individuals can ask the Privacy Commissioner to review a decision of a Code adjudicator (s18BI).

See G Greenleaf 'Private sector privacy: Problems of interpretation' [2001] CyberLRes 3 for the following aspects of enforcement in relation to the NPPs: Ironically, Code Adjudicators are subject to a much more rigorous reporting requirement than the Commissioner. The Prescribed Standards require written `anonymised' reports of all determinations (naming neither complainant nor respondent) to be made publicly available, and the Guidelines require a very detailed annual report to be submitted to the Commissioner, who is required by the Act (s.97(2A)) to include details of the `number, nature and outcomes' of complaints made under Codes. This requirement may result in fuller reporting by the Commissioner of his own complaint handling activity - he has recently commenced a series of anonymised case reports on the OFPC Web site.

9.4.2. NSW PPIPA 1998

9.4.3. Victorian IPA 2000

9.4.4. Hong Kong Ordinance

See ss37 - 48

See Berthold & Wacks Chapter 11

9.4.5. Investigation of broader ('non-IPP') privacy complaints

Both the NSW and Victorian Privacy Commissioners have powers to investigate, conciliate and report on complaints concerning any aspect of an individual's privacy (but not to make determinations). The Victorian Commissioner only has this role in relation to the public sector, but the NSW Commissioner can exercise it in relation to both the public and private sectors (the most important survival of the powers of the previous NSW Privacy Committee).

The Commonwealth Commissioner does not have power to investigate complaints or make recommendations on individual complaints which are outside the scope of an 'interference with privacy', which means a breach of one of the sets of prescribed rules listed above.

9.5. Remedies available from Commissioners

9.5.1. Powers to award remedies

There is a great deal of variation in the powers of Commissioners to provide remedies to complainants.

Federal Commissioner - s52

s52 gives the Commissioner broad powers concerning determinations of complaints, including power to award damages. Note (b)(ii) allows him/her to order reasonable acts to redress complaint; and (b)(iii) provides for compensation (including (1A) injury to feelings); (3) expenses; and (3B) corrections and additions to records.

NSW Commissioner and ADT

The Commissioner can only conciliate complaints (s49), but agencies are required to make decisions about remedies (including the option of compensation) after conducting internal reviews of complaints (s53(7)).

An agency's decisions can be reviewed by the Administrative Decisions Tribunal, which has broad powers to award remedies, including compensation capped at $40,000 (s55).

G Greenleaf Complaint investigation and remedies in 'A new era for public sector privacy in NSW' (1999) 5 PLPR 130

Victorian Commissioner and VCAT

Under the Victorian IPA, the roles of the Commissioner (ss.25-37) and the Civil and Administrative Tribunal (ss.38-43) in relation to complaints are very similar to their counterparts in NSW, except that there is no statutory requirement for internal review, and the Tribunal can award compensation of up to $100,000 (s.43). See later concerning appeals.

The Victorian Commissioner can issue compliance notices (s.44) for serious and flagrant, or repeated, breaches of the IPPs (or a Code), and it is an offence not to comply with a compliance notice (s.48) although government agencies would attract only a modest fine.

Hong Kong

The Commissioner can issue s50 Enforcement notices 'directing the data user to take such steps as are specified in the notice to remedy the contravention'. Failure to comply is a criminal offence (s64(7)).

The Commissioner has power to issue enforcement notices in cases of urgency even before an investigation is completed (s50(8)).

The Commissioner has no power to award damages. The complainant must proceed before a Court under s66 for compensation from a data user for a breach of the Ordinance.

9.5.2. Method of resolution and reporting of complaints

Irrespective of what formal powers they have, there is variation in how Commissioners exercise them, particularly in relation to the extent to which they use their formal powers to make final 'determinations' (Aust) or 'final opinions' (NZ) as to whether there has been a breach of IPPs (or other provisions of the Acts).

The alternative is to resolve complaints informally, by mediation, without ever making a final finding. Questions then arise as to the extent to which such informal resolutions of complaints are publicised adequately.

Australian Federal Commissioner

'Tabula Rasa': Ten Reasons Why Australian Privacy Law Does Not Exist - [2001] UNSWLJ 4
No formal s52 determinations made
In contrast to NZ and HK, in 13 years (1988-2001) the Australian Federal Commissioner has only made two s52 determinations - both against Commonwealth agencies: In over a decade the Federal Privacy Commissioner has made only these two formal determinations of complaints concerning the IPPs, and none concerning the other jurisdictions including credit reporting under Part IIIA or the Tax File Number Guidelines.

Note: In 2000-2001 the Commissioner's office started the formal investigation of 194 complaints (61 in 99-2000, 131 in 98-99), and 'closed' (ie settled or dismissed) 133 complaints (103 in 99-00, 91 in 98-99) (none resulted in formal determinations under s52) (Annual Reports).

Why are there no s52 determinations?

Does the fact that no complainants insisted on a formal s52 determination mean that all sets of complainants and respondents in settled cases were satisfied with the result? At least in relation to complainants, there are reasons why it is not possible to conclude this. If the Commissioner suggests to a complainant that a matter might be settled on particular terms, then even if the complainant disagrees what would be the point in their insisting that the Commissioner proceed to a formal s52 determination if they cannot turn their disagreement into an appeal? They may as well agree and be done with it. As a result, there may be an unknown 'dark figure' of dissatisfied complainants due to the Act's structural defect in not allowing appeals against the Commissioner's decisions. If so, a side effect is that we see even fewer reasoned s52 determinations than we otherwise might expect, and the development of privacy law is thus reduced.

Settled complaints
Unfortunately, successive Commissioners have not systematically reported on complaint settlements. The summaries of settled complaints in the Commissioner's Annual Reports are very uninformative. In effect, there are few known interpretations / precedents to inform anyone what is possible.

Here are a few known examples of settled complaints from earlier years:

In 2000-2001 the Commissioner found no breach of the Act in 47% of cases (38% in 99-00) and closed another 23% on the basis that they had been adequately dealt with - 9 of these involving compensation payments amounting to $52,000 in total (in 99-00 44% adequately dealt with including 7 cases involving compensation totalling $7000 and in 98-99 7 cases totalling $18,000).

As a result of this limited reporting, potential complainants or respondents (or their advisers) have precious little information about how the Act is interpreted from prior complaints experience. The overall impression that is left by thirteen years operation of the Privacy Act is that, while Commissioners are interested in doing justice to individual complainants, the use of the complaints function of the Act to develop privacy law and to guide parties to future complaints is a matter which has the lowest possible priority.

However, in 2002, the Commissioner commenced a welcome series of anonymised case reports on the OFPC Website and these could progressively build up into a useful resource.

Australia - Reporting of private sector complaints

The Australian Federal Privacy Commissioner has decided that it is only in 'rare circumstances' that he will consider identifying a company that is the subject of a privacy complaint. Information Sheet 13 The Privacy Commissioner's Approach to Promoting Compliance with the Privacy Act states that the normal anonymised approach will be as follows:
"The Office includes in its annual report some cases studies on complaints it has handled and investigations it has carried out. These are reported in summary form and do not generally identify the complainant or respondent. With the new private sector provisions, the Office plans to add to this approach by publishing more frequent, de-identified case notes on complaints it has handled (see above). The aim of these will be to help organisations and the community understand the way the Office applies the provisions of the Act and, where relevant, the provisions of approved codes."
The circumstances where respondents (companies etc) will be named are as follows:
"On occasion there may be some merit in making public the circumstances of a particular complaint or investigation. This may be, for example, where there is already publicity around a particular matter before it reaches the Office or where, despite all the other approaches the Office has taken, an organisation continues to engage in behaviour that constitutes an interference with privacy. This would clearly be a serious step which could have commercial consequences for the organisation concerned. It would only be appropriate in rare circumstances. In the ordinary course of events, the Commissioner would not consider such a step unless:

* an organisation either repeatedly or very seriously breaches the Privacy Act;

* the organisation demonstrates by its actions that it does not intend to comply with its legal obligations; and

* all other measures have failed to change the organisation's behaviour."
This conjunction of requirements means that, no matter how repeatedly or seriously a company has breached the Act, if it demonstrates an intention to mend its ways it will not be named at the Privacy Commissioner's initiative. 'Name and shame' is not part of this Commissioner's armoury.

The only likely way that the identities of privacy-invading companies will be known is where complainants have the courage to go public and the media to report them, or the complainant pushes for a formal determination under s52. The two s52 determinations made by previous Commissioners in the past 13 years have been published, and have identified the respondent departments, but Information Sheet 13 is silent on that.

Even more restrictive, the reporting of identified complaints is completely eliminated if a complaint is dealt with under an industry Privacy Code (Part IIIA Privacy Act 1988). The Privacy (Private Sector) Regulations 2001 set out in Schedule 1 'Prescribed standards for procedures relating to complaints', which gives the Commissioner his instructions from the government as to what industry codes he can and cannot approve. Part 5 'Accountability' states under 'Principle' that 'Reports of determinations and information about complaints must be published...', but in fact only mentions determinations. In relation to determinations it includes the initially positive requirement in cl 5.2 that '(1) Written reports of determinations by an independent adjudicator must ... (b) be made available to any other interested person or body' but unfortunately then provides that '(4) A report must not: (a) name any complainant or respondent organisation'. The 'determinations' made by Code adjudicators are supposed to be the same as those made under s52 (s18BB(3)(d)), so there appears to be an inconsistency between previous practice and the Regulations. Part 5 says nothing about publication of details of other complaints which are resolved by mediation not by a determination, so there is no reason to assume that the Commissioner's approach to providing de-identified summaries will be followed.

NSW Commissioner

The formal complaints mechanism for complaints to the NSW Privacy Commissioner under the PPIPA 1998 (ss.45-51) has only been available since 1 July 2000. The first Annual Report on the new regime is not available on the web site, which only contains reports of two special investigations. The NSW Act also provides for complainants to follow an alternative route of internal review, with a right of appeal to the NSW Administrative Decisions Tribunal (ss.52-56) - see 9.6.2 below. The Commissioner has to be notified of internal reviews and will presumably publish statistics on them and their outcomes in future. The Privacy NSW website already provides links to ADT decisions.

Canada - British Columbia Commissioner

New Zealand Commissioner

In 2000-2001 the NZ Commissioner closed 654 complaints without reaching a final opinion, and closed 116 after reaching a final opinion (and found 49 of these of substance). (Annual Report 2000-2001).

There is extensive reporting of settled complaints by the New Zealand Privacy Commissioner, by summaries (http://www.knowledge-basket.co.nz/privacy/scompf.html) in his monthly 'Private Word' newsletter, and by periodic release of collections of complaint notes.

Hong Kong Commissioner

In 1999-2000, of 303 complaints formally completed, 137 (45%) were resolved through mediation, 13% found to be unsubstantiated on investigation, and 24% were withdrawn. Of the 56 (18%) formally resolved, 29 were found to involve contraventions of the Ordinance. These resulted in 21 warning notices, requiring written undertakings to implement remedies, with only 4 resulting in enforcement notices directing remedial actions.

The HKPCO reports anonymised summaries of both complaints and enquiries on its web site. However, there is no comprehensive reporting of cases which have gone to the stage of formal resolution.

s48 provides 'the Commissioner may, after completing an investigation and if he is of the opinion that it is in the public interest to do so, publish a report' detailing the results of the investigation, his recommendations and comments. However, it must 'prevent the identity of any individual being ascertained from it' (s48(3)), but this right of anonymity does not apply to data users (s48(4)(b)), only to complainants and other 3rd party individuals. (See Berthold & Wacks p205 for more discussion.)

9.5.3. Enforcement of final decisions of Commissioners

Australian Federal Commissioner

Commonwealth agencies are simply bound to comply with determinations when made (s58). See also s59 (obligations of principal officers of agencies), and s60 (compensation awarded to be an agency debt).

The problem of enforcement of Privacy Commissioner's decisions against other parties arises from Brandy v Human Rights and Equal Opportunity Commission (1995) High Court (see Casenote (1995) 2 PLPR 32) where it was held that, in relation to complaints against respondents other than the Commonwealth, the previous system for lodging HREOC determinations (including Privacy Act 1988 s52 determinations) in the Federal Court, whereupon they become binding, was an invalid exercise of the judicial power. The 'quick Brandy fix' was to revert to the old system of a de novo hearing in the Federal Court in order to enforce a determination by a HREOC Commissioner or the Privacy Commissioner. Unfortunately, one of the anomalies arising from that expedient is the unfair difference in de facto appeal rights outlined below.

9.6. Appeals from / review of Commissioner's decisions

In most jurisdictions where data protection laws are in force, there have been few if any significant decisions by Courts (or even by administrative appeals tribunals) interpreting the legislation and its enforcement. This pattern is also apparent in the Asia-Pacific region.

We should try to understand: (i) how significant this is; and (ii) why it occurs.

9.6.1. Australian Federal Privacy Act

There is no right of appeal against determinations by the Privacy Commissioner in relation to complaints against agencies (IPPs) or complaints against the private sector (NPPs). Either side can only appeal to the AAT concerning the amount of compensation or expenses awarded by the Commissioner (agencies only with A-G's permission) (s61).

Judicial review of the Commissioner's decisions is available, but not a right of appeal on the merits of the complaint.

Appeals against Code Adjudicators to the Privacy Commissioner

Due to a last minute amendment to the Privacy Act (Private Sector) Bill 2000 there is now a right of appeal to the Privacy Commissioner against any determination by a Code Adjudicator (s18BI), to include a review of 'any finding, declaration, order or direction that is included in the determination'.

This right of appeal will reduce the appeal of industry codes in some industry sectors.

9.6.2. NSW PPIPA

The NSW Act, although it appears to give complainants a right of appeal to the Administrative Appeals Tribunal, also has a defect which will frustrate complainants. Complainants may elect whether to have a complaint about a breach of the IPPs investigated and conciliated by the NSW Privacy Commissioner (s45), or subject to an internal review by the agency concerned (s53). However, the right of appeal is only against an internal review by an agency (s55), so if a complainant is dissatisfied with the Commissioner's conciliation, they will first have to seek an internal review before their right to appeal to the AAT arises.

The ADT has commenced publication of all decisions on review of internal reviews under the PPIPA by its General and Appeals Divisions.

9.6.3. Victorian IPA

The Victorian Act is the only one that appears to give dissatisfied complainants (or agencies) an unfettered right (s.37) to have the NPPs and other provisions interpreted by the Victorian Civil and Administrative Appeals Tribunal (VCAT) and ultimately by the Courts. There appear to be no published VCAT cases involving the IPA.

9.6.4. Hong Kong

There is a right of appeal against the Commissioner's decisions to the Administrative Appeals Board (AAB), by either the complainant or the data user: The AAB hears the matter ab initio.

To date (2002) there have been less than 20 such appeals (decisions not yet available online). Some of the decisions (in English) are:

There is no right of appeal to a Court against an AAB decision, on the merits of a decision.

However, either party to a complaint may seek judicial review of a decision by either (i) the Commissioner or (ii) the AAB. Such judicial review may be on the basis of either error of law or procedural deficiencies. For example, in Eastweek v Privacy Commissioner for Personal Data [2000] HKCA 137, Eastweek sought judicial review of the Commissioner's decision by the Court of First Instance because the decision 'was erroneous in law or unreasonable on Wednesbury principles and had been arrived at in breach of procedural fairness', and subsequently appealed to the Court of Appeal. The Court of Appeal found that there was an error of law in the Commissioner's interpretation of DPP1 (in relation to the meaning of 'personal data collection').

There are therefore two other avenues by which Courts may interpret the Ordinance:

* Kwan Chi On v. Hong Kong Baptist University and Another [1997] HKCFI 625 - DPP 3 raised in attempt to prevent disclosure of personal data by University to a third party. (Substantive issue not discussed by Court as decided on other grounds.)

9.7. Remedies

9.7.1. Award of damages - see 9.5 above

9.7.2. Injunctions

Australia - Federal

Although it is not possible for a complainant to appeal from a determination by the Commissioner to a Court in relation to a complaint about the Federal IPPs or the NPPs, an injunction can be sought to restrain a breach. Section 98 of the Privacy Act 1988 allows 'the Commissioner or any other person' (including, but not limited to, a complainant likely to be affected by the breach) to go direct to the Federal Court or the Federal Magistrates Court to seek an injunction to prevent a breach of the IPPs or NPPs. The injunction power, which has never been used, allows a litigant in an appropriate case to have an IPP or NPP interpreted by the Courts, and then pursue compensation or another remedy from the Commissioner.

It is important to note that the injunction power applies to the private sector.

Courts have not shown an adequate appreciation that s98 is included in the Act. For example, in Ibarcena v Templar [1999] FCA 900, Finn J seems to have proceeded on the mistaken assumption that 'Mr Ibarcena cannot simply allege a breach of an Information Privacy Principle of the Privacy Act for the purpose of enlivening this Court's jurisdiction and for the grant of relief'. With respect, he can by seeking an injunction, at least in relation to breaches or potential breaches where an injunction would be appropriate[1].

Similarly, in Goldie v Commonwealth of Australia [2000] FCA 1873 (Federal Court of Australia), French J gave an account of how complainants could come before a Court, but omitted any mention of s98 injunctions.

9.7.3. Compliance Notices


* Victorian IPA 2000 s44. 'Compliance notice' gives the Commissioner a power not found in other Australian Acts, but which is the basis of enforcement in the Hong Kong and UK Acts:

      s44 (1) The Privacy Commissioner may serve a compliance notice on an organisation, if it appears to him or her that--
          (a) the organisation has done an act or engaged in a practice in contravention of an Information Privacy Principle, including an act or practice that is in contravention of an applicable code of practice; and
          (b) the act or practice--
              (i) constitutes a serious or flagrant contravention; or
              (ii) is of a kind that has been done or engaged in by the organisation on at least 5 separate occasions within the previous 2 years.
      (2) A compliance notice requires the organisation to take specified action within a specified period for the purpose of ensuring compliance with the Information Privacy Principle or applicable code of practice.

Hong Kong

See above concerning the role of 'enforcement notices' in the Hong Kong Ordinance.


9.7.4. Criminal offences


Criminal offences are the exception rather than the rule in Australian privacy legislation. There are a few exceptions:

Hong Kong

See Berthold & Wacks pgs 235-6

9.7.5. Tortious actions based on breaches of IPPs / NPPs

9.7.6. Liability for breaches by other parties

Hong Kong


9.7. Co-regulation: codes of practice etc

Private sector

Since 1989, the Commonwealth Act has provided for a Credit Reporting Code of Conduct, issued by the Commissioner under Part IIIA, which supplements the prescribed standards for credit reporting in that Part, and which has statutory effect - the Code is a disallowable instrument.

The private sector amendments to the Commonwealth Act in 2000 provide a potentially major role for Codes of Practice, which can both vary the Principles and provide an alternative 'first tier' dispute resolution scheme (Part IIIAA). Any variation to the NPPs must provide, overall, at least the equivalent of the statutory obligations. A long list of criteria which Codes must meet to be approved by the Privacy Commissioner can be supplemented by additional requirements in Guidelines. Draft Code Development Guidelines issued by the Commissioner in May 2001 for comment suggest a very demanding standard of both content and process, and it remains to be seen how many sectors are prepared to go through the process. Given that the standards cannot be lower, and that a separate complaints mechanism will come at a direct cost to the sector concerned without avoiding the prospect of Privacy Commissioner decisions (an appeal right was inserted at the last moment), it is difficult to see what significant advantage a Code will bring.

Codes under Part IIIAA are not disallowable instruments.

Commonwealth public sector

Various Guidelines issued by the Commissioner (e.g. TFNs, data matching, Medicare and pharmaceutical benefits scheme) have statutory force and are effectively customized versions of the IPPs for specific sectors or activities. These guidelines are disallowable instruments.

Public Interest Determinations - 'One-off' public sector variations

The Commonwealth Act has provided since 1988 for the Commissioner to waive the application of one or more of the IPPs for one or more Commonwealth agencies, where other public or private interests are seen to outweigh the protection of privacy. Obtaining such a waiver, by means of a Public Interest Determination under Part VI, is a fairly complex and time-consuming process, involving community consultation, and only 6 have been issued since 1988.

The private sector amendments to the Commonwealth Act in 2000 extend the scope of Part VI to private sector businesses and also introduce a new instrument - the temporary public interest determination - which can be obtained more quickly and easily, but which is time-limited.

NSW public sector

The NSW Act provides for Codes of Practice which can weaken the statutory IPPs but must not impose a higher standard (PIPPA ss. 29-32). The NSW Act also allows the NSW Privacy Commissioner to issue Directions under s.41 which can exempt an agency from complying with one or more of the IPPs - this is equivalent to the Commonwealth Public Interest Determinations.

Victorian public sector

The Victorian Act provides for Codes of Practice which can vary the IPPs as long as they are "no less stringent" (IPA ss.18-24).

There is no equivalent in the Victorian Act to the public interest determination or direction provisions of the Commonwealth and NSW Acts.

9.8. Privacy audits and inspection

Federal Commissioner

The Privacy Act 1988 was one of the first privacy laws in the world to include provision for pro-active privacy auditing by the regulator. (There was some previous experience under the Canadian Federal Act). The Privacy Commissioner has the function of conducting audits of Commonwealth agencies' compliance with the IPPs (s.27(1)(h)), and has a similar function in relation to Tax File Numbers and, due to subsequent amendments, in relation to credit reporting and data-matching.

However, the Commissioner does not have an audit power in relation to the private sector generally. The government opposed this in the consultations concerning the private sector Bill.

The Privacy Commissioner has maintained a reasonably active audit program since 1989, varying in intensity and scope with resource availability. Details of audits conducted in both the public and private sectors are published in the Commissioner's Annual Reports and should, at least in theory, serve a valuable educational function in demonstrating to other agencies and organizations what practical steps are required to satisfy the relevant principles or standards. The Commissioner has also run seminars to disseminate audit findings more widely, and encourages the private sector to commission audits by private contractors independently of the Commissioner's own program, which can only ever inspect a small proportion of the total 'population'.

The Commissioner has published details of the audit process:

NSW and Victorian Commissioners

While the NSW Privacy Commissioner does not have an express audit or inspection function other than in relation to complaints, his functions and powers appear to be broad enough to allow him to conduct 'pro-active' inspections if he chose to do so. In practice, the NSW Commissioner is so poorly resourced that there is no realistic prospect of a proactive audit or inspection role other than in response to high profile incidents.

The Victorian Commissioner has been given a specific audit role (s.58(j) and (g)). It remains to be seen if the Victorian Commissioner is able to devote any resources to pro-active work - although it is understood that the office will be significantly better resourced than in NSW.

9.9. Privacy impact assessments

In most jurisdictions there have been a variety of studies and reviews aimed at assessing the privacy implications of new proposals, mainly in government but also in the private sector. Recently, there have been attempts to formalize and characterise Privacy Impact Assessment as a distinct tool or technique.

9.10. Privacy management plans

The NSW Act requires agencies to prepare formal Privacy Management Plans explaining how they intend to comply with the IPPs, and outlining procedural aspects such as processes for access requests and internal reviews (s.33 PIPPA). Agencies were required to submit initial Plans to the Privacy Commissioner by 1 July 2000 (the same date as compliance with the IPPs became 'actionable'). In reality, many agencies left the preparation of Plans very late and many agencies, including some major ones, did not make the deadline.

While there is no equivalent requirement in either the Commonwealth or Victorian Acts, many agencies in both jurisdictions carried out (Cwlth) or are undertaking (Vic) major reviews of their handling of personal information to prepare for compliance, although these are typically not as 'public' as the NSW Plans, which the Privacy Commissioner intends to make publicly available (only 14 Plans were online as at 3 May, although others are available on agencies' own sites). In NSW, agencies are also required to report annually on their implementation of their Plans. The federal Privacy Commissioner has encouraged Commonwealth agencies to do the same, along the lines of the statutory requirement in the FOI Act (s.8), but there has only been a limited take up of this valuable option.

9.11. Privacy 'seals' and other voluntary standards

The voluntary adoption of the National Privacy Principles by the Direct Marketing and Insurance Industries, already discussed above under Codes, is a form of 'seal' program, and both schemes have in fact developed logos which signatories can display as evidence of their commitment.

Privacy seal programs have been established for longer in other jurisdictions - notably the United States. For commentary on some of these programs, see:

Main criticisms are of 'self certification' - no independent assessment of compliance, and of inadequate or non-existent complaint and enforcement mechanisms.

A new privacy seal program, by the Australian Privacy Compliance Centre, was launched in Australia in April 2001, as a component of a wider trust in e-commerce initiative.

9.12. Privacy protection as a technical standard

Another possible model of privacy regulation, both at the national and international levels, is the development of consensus-based standards through the international standards-setting organisations (the International Standards Organisation, ISO, and its national equivalents) which normally set technical standards such as for food hygiene, accounting practices etc.

One important question about the development of such Standards (international or national) is whether their adoption by companies (or government departments) can satisfy the data export requirements of the European Union's privacy Directive. If adoption of this type of Standard can satisfy the EU requirements, then there is less pressure on governments (such as in Australia) to legislate for privacy protection.

The development of such standards emerged as a serious possibility in the mid to late 1990s but has now receded.

The Canadian Standard

Canada is the first country to develop a Standard for privacy. The principles in the Canadian 'Model Code' should be compared with the IPPs.

Canadian Standards Association Model Code for the Protection of Personal Information (unofficial copy on Roger Clarke's pages - note the useful additional links at the end).

The content, and some of the enforcement problems of the Canadian Standard, are criticised in Graham Greenleaf Stopping surveillance: Beyond 'efficiency' and the OECD 3 PLPR 148

Attempts to internationalise the 'Standards' approach

An attempt is currently underway to create an international privacy standard through the International Standards Organisation (ISO).

Colin Bennett Prospects for an International Standard for the Protection of Personal Information: A Report to the Standards Council of Canada (1997) - Bennett (who was very involved in the development of the Canadian Standard) provides a detailed assessment of the potential value of an international standards-based approach.

Bennett gives details of the following background to these developments:

The ISO's study group has not yet issued a report.

Chris Connolly 'An International Standard for privacy?' (1997) 4 Privacy Law & Policy Reporter 90 summarises the international developments up to late 1997. In it he says:

There have been several reports in the media suggesting that the International Standards Organisation (ISO) is writing a privacy standard. There have also been several reports suggesting that compliance with such a standard will ensure compliance with the European Union Directive on Data protection. These reports are inaccurate. The ISO has taken the first steps towards consideration of the need and practicality of a standard on the protection of personal information. That is all. The European Union has made no comment on the relationship between the Directive and any potential standard.

In late 1999 the work of the Group was put on hold. Delegates had failed to reach a consensus on whether the development of a Standard was worthwhile, and the entire process was overtaken by negotiations between the EU and the United States which eventually led to the development of the Safe Harbour provisions.


Standards Australia initially considered the development of an Australian Privacy Standard. However, since 1999 Standards Australia has instead concentrated on adding privacy requirements to specific technical standards. Examples include the Australian Standard on Intelligent Transport Systems and the Australian Standard on the Exchange of Client Data. The usual format is that developers will be required to take privacy issues into account when designing systems and the NPPs or IPPs will be provided as an appendix for 'guidance'.

The practical effect may be quite important, if the IPPs/NPPs are 'built in' at the design stages of systems, products and services.

[1] See Casenote by P Gunning (2001) 7 PLPR Issue 10 (forthcoming)
