Government tables new privacy legislation
Tim Dixon
Baker & McKenzie, Sydney
(for publication in Telemedia)
Legislation to extend the Privacy Act to the private sector is now before
the Australian Parliament, following the release of the Privacy Amendment
(Private Sector) Bill 2000 by the Attorney-General Daryl Williams.
The legislation is now being considered by a parliamentary committee and
while some distance still needs to be covered before the final shape of
the legislation is known, its general framework is unlikely to change.
Background to Current Privacy Legislation
The legislation is the latest stage in a long path towards national privacy
legislation since the election of the Howard Government:
- Initially, the Coalition's 1996 election manifesto included a commitment
  to "world best" privacy legislation covering the private sector, and was
  critical of the slow response of the previous Government to public concerns
  over the erosion of personal privacy.
- In September 1996 the Attorney-General, Daryl Williams, released a discussion
  paper on the proposed extension of the Privacy Act 1988 to the private
  sector. It involved extending the existing Information Privacy Principles
  to the private sector, with minimal changes to the overall regulatory regime.
  However, the proposal had several design flaws, and this prompted intensive
  private lobbying by key industry groups for its abandonment.
- In March 1997 the Prime Minister, Mr Howard, announced that the Government
  would not be extending privacy legislation to the private sector, citing
  the compliance burden that regulation would impose on small businesses.
  Instead, the Prime Minister indicated that privacy should be dealt with
  through self-regulatory processes.
- Over the course of 1997, the then Privacy Commissioner, Moira Scollay,
  initiated a consultation process in which industry groups, privacy experts,
  advocates and consumer organisations worked on the development of a set
  of privacy principles which could apply to businesses either through industry
  codes or national legislation.
- In February 1998, the Privacy Commissioner launched the National Principles
  for the Fair Handling of Personal Information (generally known as the National
  Privacy Principles). Industry groups such as the Insurance Council of Australia,
  the Australian Direct Marketing Association, the Australian Communications
  Industry Forum and the Internet Industry Association sought to insert these
  principles (sometimes with some modifications) into their industry codes.
  A revised set of Principles was released in January 1999 after further
  consultations over the issue of exemptions for law enforcement agencies.
- Between 1997 and 1998 the development of the internet and a growing number
  of well publicised privacy invasions gave increasing public profile to
  the privacy issue. A public campaign to extend privacy legislation to the
  private sector gained increasing support. By the second half of 1998, several
  industry groups were publicly and privately advocating the extension of
  the legislation to the private sector. The support of business groups was
  prompted by increasing concerns that in the absence of a consistent national
  scheme, a patchwork of different industry standards and legislation would
  emerge. This fear was heightened by the development of a Victorian Data
  Protection Bill which aimed to cover both the public and private sectors.
- In December 1998 Attorney-General Daryl Williams and the Minister for Communications,
  Information Technology and the Arts, Senator Richard Alston, jointly announced
  that the government would implement a "light touch" extension of the Act
  to the private sector, which would provide a default set of privacy
  standards in the absence of industry codes approved by the Privacy
  Commissioner. This legislative proposal was developed throughout 1999 through
  the Core Consultative Group, a similar group to that which was involved
  in the development of the National Privacy Principles.
- In December 1999 the Government released Key Provisions of its Privacy
  Amendment (Private Sector) Bill 2000. After further public consultations
  the Government tabled the Bill in Parliament in April 2000.
- The legislation went for review to the House of Representatives Committee
  on Legal and Constitutional Affairs during the May Budget sitting. The
  Committee will release its report on 19 June 2000 and it will still take
  some time before the Bill makes its way through the Senate, which is unlikely
  to complete its deliberations on the Bill until the spring session of Parliament.
  The amended legislation will then return to the House of Representatives,
  where its approval is uncertain.
Coverage
The amendments to the Privacy Act 1988 extend a set of National
Privacy Principles (NPPs) to the private sector. The NPPs were originally
developed by the Privacy Commissioner in 1997 through a process of consultation
with industry and consumer groups. In turning them into legislative provisions,
the detail of these principles has been substantially expanded. The NPPs
differ from the Information Privacy Principles (IPPs) which apply to Commonwealth
Government agencies.
The National Privacy Principles set out minimum standards for
the handling of personal information. These relate to:
- Collection of personal information: Collection must be necessary
  for an organisation's activities; information must be collected lawfully
  and fairly and, as a general principle, with the individual's consent.
- Use and disclosure of personal information: As a general
  principle, information can only be used or disclosed for the purpose for
  which it was collected unless the person has consented to its use or
  disclosure for another purpose. Exemptions apply to initial contact for
  direct marketing (if obtaining consent was not practicable at the time of
  collection) and to other situations such as law enforcement, public safety
  or protecting the organisation from fraud.
- Accuracy of personal information: Organisations must take
  reasonable steps to ensure that they keep personal information accurate,
  complete and up to date.
- Security of personal information: Organisations must take reasonable steps
  to protect the personal information which they hold from misuse, loss,
  unauthorised access, modification or disclosure.
- Openness in relation to the organisation's practices: Organisations
  which collect personal information must be able to document their practices
  and must make this information available on request.
- Access and correction rights: As a general principle, organisations
  must give individuals access to their personal information and must allow
  them to correct it or explain something with which they disagree, unless
  disclosing this would have an unreasonable impact on someone else's privacy.
  This principle is subject to exemptions such as if this disclosure would
  compromise a fraud investigation.
- Use of government identifiers: Organisations cannot use a
  government agency's identifier as their own identifier. This would cover items
  such as drivers' licence numbers, Medicare numbers, a Tax File Number (which
  in any case is covered by other legislation) or any future identity numbers
  assigned by a government agency.
- Anonymity: Organisations must give people the option of entering
  into transactions anonymously where it is lawful and practicable. For example,
  this would apply to travel on a bus but not to opening a bank account.
- Restrictions on transborder data flows: As a general principle,
  organisations can only transfer the personal information about an individual
  to a foreign country if they believe that the information will be protected
  by a law or a contract which upholds privacy principles similar to the
  NPPs.
- Special provision for sensitive personal information: A higher
  level of privacy protection applies to sensitive personal information,
  which includes information about a person's health, political or religious
  beliefs or affiliation, and sexual preference. This information must only
  be collected with the individual's consent.
The NPPs apply to all organisations (other than public sector organisations,
which are already covered by the Information Privacy Principles). This
includes a body corporate, an unincorporated association, a partnership,
a trust or an individual. However, exceptions are granted to the following
organisations:
- Small Businesses: A small business is defined as a business
  with an annual turnover of $3 million or less, which does not provide a
  health service or hold health information, which does not provide contractual
  services to the Commonwealth and does not transfer personal information
  about an individual to anyone else for any kind of benefit. In particular,
  a small business loses the exemption if it is involved in the sale of
  personal information.
- The Media: Acts or practices done by an organisation in the
  course of journalism will be exempt from the legislation. Journalism is
  defined broadly to mean the collection, preparation and dissemination of
  news, current affairs, documentaries and other information for the purpose
  of making the material available to the public. This provision explicitly
  aims to strike a balance between the public interest in providing adequate
  privacy safeguards and the public interest in allowing a free flow of
  information to the public through the media. The scope of this exemption
  is especially broad. An organisation can be classified as a media organisation
  if it is engaged in the provision of information to the public, and its
  "activities consist of ... dissemination of ... material having the
  character of news, current affairs, information or a documentary". This
  has attracted criticism because it would be open for the exemption to be
  claimed for privacy invasive practices.
- Political parties: Registered political parties will be exempt
  from the legislation for their activities in connection with an election,
  a referendum, or other participation in the political process. This was
  a surprise inclusion in the legislation, as it had never previously been
  raised during the extensive consultations over the legislation. The Government
  has argued that the exemption is necessary in order to give effect to the
  implied constitutional freedom of political speech; outside of government
  this argument does not appear to have been taken seriously. It is generally
  accepted that this exemption protects the sophisticated direct marketing
  strategies and little-known uses of databases by the major parties.
- Domestic use: This exemption applies to the use of personal information
  in connection with personal, family or household affairs.
Scope
The legislation will cover all types of personal information which are
not publicly available, but will exclude:
- Employee records: Employee records are defined as records
  relating to the employment of an employee, including engagement, training,
  disciplining, resignation, termination, terms and conditions, contact details,
  performance or conduct, remuneration, union membership, health information
  and financial affairs. The exemption extends to records of current and
  former employees.
- Personal information already in existence when the amendments
  come into operation.
- State government contractors: The acts and practices of contractors to
  state and territory governments and agencies in relation to handling personal
  information under contracts need only comply with the applicable standards
  of the state or territory and will otherwise be exempt from the Act.
- Transfers of personal information between "related bodies corporate",
  as defined under section 50 of the Corporations Law. Related bodies
  corporate are essentially businesses which have a shared controlling interest.
  Under section 50, where a body corporate is:
    (i) a holding company of another body corporate;
    (ii) a subsidiary of another body corporate; or
    (iii) a subsidiary of a holding company of another body corporate,
  the bodies are related to each other.
  Under section 46, a body corporate (in this section called the first body)
  is a subsidiary of another body corporate if, and only if:
    (i) the other body:
      (A) controls the composition of the first body's board;
      (B) controls more than one-half of the maximum number of possible votes at
          a general meeting of the first body; or
      (C) holds more than one-half of the issued share capital of the first body;
    or
    (ii) the first body is a subsidiary of a subsidiary of the other body.
  This might allow a large organisation with diverse businesses to pool
  its personal data collections without the knowledge of its customers. Restrictions
  still apply to the use and disclosure of this information, but an organisation
  which was able to conduct direct marketing to its customers could apparently
  conduct direct marketing in respect of all of the operations of its related
  bodies corporate.
The NPPs
The heart of the legislation is the National Privacy Principles. The NPPs
are broadly similar to privacy principles embodied in privacy laws introduced
throughout the industrialised world in recent years, broadly based on the
1980 OECD privacy principles. The principles impose restrictions on the
collection, use and disclosure of personal information. They impose requirements
relating to the quality and security of personal information as well as
requiring openness about information practices and where practicable, giving
individuals the option to remain anonymous in transactions. Individuals
are given rights to access personal information, subject to restrictions.
There are controls on the transfer of personal information to someone in
a foreign country which does not have similar privacy protection. A higher
standard of privacy protection is required for "sensitive information"
- defined to include information about an individual's racial or ethnic
origin, political opinions, membership of a political association, religious
beliefs or affiliations, philosophical beliefs, union membership, sexual
preference or practices, criminal records and health information.
Privacy Codes
By default, the NPPs apply to organisations - that is, unless the organisation
is a signatory to a voluntary code which has been approved by the Privacy
Commissioner. However, the legislation leaves open the option of industry
groups or individual firms developing their own codes of conduct in place
of the NPPs. Codes can be developed by any organisation or group, but cannot
impose a lower standard of privacy protection than the NPPs. Codes must
be approved by the Privacy Commissioner after a process of consultation.
The codes are intended to give the legislation maximum flexibility while
retaining a consistent standard of privacy protection.
Enforcement
Once the legislation is in place, an individual who believes that the NPPs
or an applicable code have been breached may make a complaint to the organisation
concerned. If it is not resolved satisfactorily, they may make a complaint
to the Privacy Commissioner or, if an independent adjudicator has been
appointed to administer the code, they must make the complaint to that body.
- If there is an approved code of conduct in place, the complaint will normally
  be handled by a code authority. In practical terms, this might be the Telecommunications
  Industry Ombudsman, the Banking Industry Ombudsman or the code authority
  for the Australian Direct Marketing Association code of conduct.
- If there is no approved code of conduct in place, the complaint is handled
  by the Privacy Commissioner.
Breach of the NPPs can result in an order from either a code authority
or the Privacy Commissioner to restrain an action, undertake an action,
or to give monetary compensation.
A decision to give an individual a remedy can be appealed in the Federal
Magistrates Court, and can be enforced through the Court if it is not
given effect. A decision against an individual cannot be appealed although
the decision itself is subject to the process of administrative review.
One of the key weaknesses in the enforcement mechanism is that while
Code authorities will be required to submit an annual report on their complaint
handling, there is no other mechanism for accountability in the decision
making process for handling complaints. There is, for example, no process
for the Privacy Commissioner to issue binding rulings or interpretations,
which may be needed because of the generality of many provisions of the
legislation. This is especially a problem since individuals will have no
general appeal right or recourse (other than a formal review under the
Administrative Decisions (Judicial Review) Act 1977) if a code authority rules
against a complainant. Under the ADJR Act, the review of the decision is
restricted to review for errors of law and does not extend to review of
the merits of a decision, such as the policy used in the decision making
by a code authority, and the weight given to primary evidence for the purpose
of inferring factual conclusions. The ADJR Act will nevertheless allow
individuals to obtain an explanation as to why an unfavourable decision
was reached.
Conclusions
While there are strengths in the general framework of the legislation -
a set of overarching principles which can be applied with some flexibility
- the Bill is flawed by exemptions which are, by international standards,
quite extraordinary. These exemptions create significant problems:
Given the complexity of the legislation and its broad exemptions, the Government
will have a difficult time arguing that consumer confidence in ecommerce
will be bolstered. For example, the overwhelming majority of Australian
businesses have a general exemption from the legislation (subject to limitations)
through the small business provision. Consumers will often not know whether
the organisation they are dealing with is covered by the legislation or
not. The complexity of the legislation is likely to add to confusion rather
than create clarity. This is especially the case in the online environment
when consumers have no pre-existing relationship or knowledge of companies
with whom they may be doing business. Forrester Research in the United
States has estimated that a lack of consumer confidence about the protection
of personal information online resulted in a loss of $2.8 billion in potential
ecommerce business last year. These concerns can be addressed directly
with a world-standard privacy regime; but a confusing, compromised proposal
such as this one will not overcome the lack of consumer confidence which
continues to retard the growth of ecommerce in Australia.
The implications of the small business exemption are not entirely clear. For example,
if a small business is involved in one transfer of information for some
kind of benefit, does this mean that it is covered by the privacy legislation
in respect of all of its holdings of personal information? Is it only covered
in respect of the handling of that particular record? If it makes available
a set of records for some kind of benefit to a third party at one point
in time, for how long is that set of information records covered by the
provisions of the Act? Likewise, does the fact that some information collected
by an organisation is made available to the public mean that the organisation
is exempted from the operation of the Act in respect of all other processes
of collecting, using, handling and disclosing this information? If political
parties are exempted from the legislation in relation to practices associated
with elections, referenda or the political process generally, does this
allow the political party to on-sell information to other organisations
without the individual's consent? By creating so many broad exemptions,
the legislation creates uncertainty in many
With such broad exemptions, Australia is unlikely to make it on to the
anticipated European Union "White List" of countries whose privacy protection
is "adequate", and with whom European businesses can confidently exchange
personal information. This undermines Australia's efforts to position itself
as the leading data processing centre in the Asia Pacific, especially as
Hong Kong and New Zealand both have privacy legislation which is likely
to meet the EU standards.
The decentralised nature of the complaint handling process may result in
the development of different interpretations and privacy standards. This
could be especially difficult for some companies which may belong to a
number of industry organisations and whose activities may extend across
several industry sectors.
These issues are likely to receive a hearing through the parliamentary
process as the legislation goes through the two Houses of Parliament.
There is strong public support for legal protection for privacy - according
to a 1999 Roy Morgan survey, 56% say that they are worried by invasion
of privacy through new technology, and surveys consistently show more than
four out of five people supporting privacy legislation for businesses.
As yet, that public concern has not been fully reflected in the Government's
legislative plans.
Tim Dixon is an associate at Baker & McKenzie in Sydney and is
Chairman of the Australian Privacy Foundation.