There is increasing awareness, both in Australia and overseas, of the privacy implications of new information technologies. This has led to mounting pressure to ensure that those technologies are introduced in ways which respect the expectations of individuals in relation to the handling of their personal information.
Consumers want to know how the information they give to business will be used, and they want to be confident that their personal information will be protected against misuse. Businesses want to build loyalty and trust with their customers by assuring them that their information will be handled fairly. They also want to be certain that their competitors will not either undermine the image of their industry, or put them at a commercial disadvantage, by misusing personal information.
Australian businesses also want to be sure that there can be a free flow of information in the international trade setting, which requires that our trading partners have confidence that Australia has adequate practices for handling personal information. Businesses and Governments wanting to encourage their customers to use electronic commerce and electronic service delivery need to assure them that their information privacy will be protected.
There is now a broad consensus that this issue needs to be resolved urgently as part of the essential enabling framework for the new information economy.
Over the past 25 years, many countries have introduced privacy and data protection laws. In Australia, the Privacy Act already covers some private sector activities, with special rules in relation to credit reporting and tax file numbers. The Act also applies to Commonwealth and ACT government agencies and some private contractors handling personal information on behalf of government. It is soon to be extended to all contractors.
In September 1996, the Attorney-General's Department released a discussion paper on a possible approach to privacy protection in the private sector more generally. Over a hundred submissions were received, many making valuable suggestions about how the existing Privacy Act could be adapted to apply to the private sector.
In March 1997 the Federal Government announced that it preferred voluntary self-regulation to address this issue because of concerns about the costs of compliance with a legislatively based scheme.
The scheme presented in this consultation paper attempts to provide a viable self-regulatory option, but it is designed to be compatible with existing Commonwealth privacy laws and any further legislation which might be considered necessary in particular sectors, States or Territories. There is a national interest in resolving the uncertainty over what standards will be required as soon as possible, and it is essential for our future as an advanced information-based economy that these standards are as consistent as possible across all sectors, and throughout Australia. Therefore, a central aim is for this scheme to be the Australian scheme for the private sector, to avoid a patchwork of approaches which would add unnecessary uncertainty, complexity and cost.
The Scheme deals with the fair and responsible handling of personal information. Put simply, this means:
informing people about why their personal information is being collected and what it is to be used for;
allowing people reasonable access to information about themselves and to correct it if it is wrong;
making sure that the information is securely held and cannot be tampered with, stolen or improperly used; and
limiting the use of personal information, for purposes other than the original purpose, without the consent of the person affected, or in certain other circumstances.
The National Scheme for Fair Information Practices in the Private Sector put forward in this paper is about giving individuals more control over the way in which their personal information is handled, and ensuring they are treated fairly. It also sets out the opportunities for businesses and the responsibilities they carry and addresses a possible role for Government in setting the necessary enabling policy framework.
The scheme consists of three components:
principles or standards for the handling of personal information;
processes for business to 'sign on' to the Scheme, and for promoting and monitoring compliance with the principles; and
mechanisms for handling complaints about breaches of the principles, and providing effective remedies for people affected.
The paper actively confronts and addresses the issue of costs to business. The scheme aims to ensure adequate protection for individuals with minimal red tape.
The scheme seeks to use existing self-regulatory codes and complaint mechanisms where they exist. Where business sectors already have ways of ensuring compliance with codes of behaviour, they are to be used. In sectors where no complaint or compliance mechanisms currently exist, the paper suggests some choices for how to proceed. The choices involve either purely business-based solutions, or some involvement for government. These choices require further debate.
The paper draws on an analysis of the many valuable responses to the discussion paper Privacy Protection in the Private Sector, issued by the federal Attorney-General's Department in September 1996, and on subsequent consultations with many different businesses and peak organisations, as well as consumer and privacy groups.
The paper recognises, and attempts to deal with, the legitimate concerns and criticisms that have been raised about the practical application of information privacy principles to commercial activities and business administration. But it also seeks to reassure and remind business that all of these concerns have already been adequately addressed elsewhere in the world, and within government administration in Australia. Some of the concerns raised have been based on a misunderstanding of information privacy principles and how they work in practice.
Agreement on a National Scheme for Fair Information Practices will build consumer confidence and release a significant brake on the adoption of new technologies.