General principles and specific standards
97. There are around one million businesses in Australia, as well as thousands of non-profit organisations, and, depending on the definitions used, several hundred different industries or sectors. The information privacy issues that arise are naturally very diverse. Nevertheless, experience overseas suggests that it should be possible to devise principles that can be followed in most sectors without modification.[20] They could be supplemented by more specific standards, where necessary, for particular sectors or activities.
Starting point principles[21]
98. The Information Privacy Principles (IPPs) in the existing federal Privacy Act are the only set of privacy principles currently in any Australian law (see Appendix D). They were the centrepiece of the legislative option discussed in the September 1996 discussion paper from the Attorney-General's Department and, although the Government has announced that it does not intend to develop a legislatively based scheme for the private sector, they still constitute a natural starting point for discussion.
Need for plain English principles
99. A constant theme in the responses to the September 1996 discussion paper from the Attorney-General's Department was that the language of the Information Privacy Principles in the Australian Privacy Act is complex, legalistic and too detailed. Two particular issues are the use of technical terms - `collector', `record keeper', `generally available publication', `record', `solicit' etc - and attempts in the IPPs to list obligations in detail, where a more general formulation might be preferable, for example, IPPs 2(c)-(e), 5.1(b), 5.3(a)-(f) and 7.1. This paper aims for clearer and simpler, but still effective, standards which can be easily understood and applied by businesses.
Limits to the collection and use of personal information
100. In broad terms the aim is to ensure that an organisation collects personal information only where doing so serves a legitimate purpose and that an organisation uses the information only for that purpose, unless one of a number of exceptions - such as consent, related purpose, imminent harm, legal authorisation - applies. These exceptions are discussed below.
Determining the purpose of collection
101. The primary difficulty is defining what is meant by the purpose of collection. It is easier to do this in the public sector where the purposes for which most agencies hold information are relatively well defined by legislation. Private sector organisations may have many different purposes for collecting information.
102. Even so, it should still be possible to identify an original purpose of collection. Where the information is collected direct from the individual, we can refer to the context: when people provide information to a private sector organisation, they almost always do so for a particular purpose - to buy a particular product or enter a competition or make a donation or get a discount. This is the original purpose of collecting the information. Where the information is not collected from the subject, the organisation usually uses the information soon after it collects it and it seems reasonable to take this as a guide to the original purpose of collection. For example, if a business asks a previous employer about a job applicant and then decides to hire them, it seems clear that it collected the information to make a hiring decision.
103. There can be more than one original purpose for collecting personal information, even if they are unrelated. If a person provides information on the understanding that it will be used for two different purposes, it is reasonable to say that both of these are purposes of collection.
Limiting collection to legitimate purposes
104. A legitimate purpose must be lawful, and should be openly acknowledged by the organisation, although that does not mean that the organisation has to state its purpose every time it collects information (see below What should organisations tell the people they are collecting information about?). Organisations must be able to collect the information they need to run their business but people's privacy is put at risk if information about them is stockpiled on the off-chance that it may be useful in future. Requiring organisations to collect information only where that is `necessary' may be too restrictive: it is often reasonable to collect information which is relevant but not strictly necessary.
105. A possible form of words for this principle is:
An organisation should only collect personal information that makes a direct contribution to one of its legitimate purposes.
Limiting the use of personal information
106. If people are to have any control over what happens to information about them in the hands of others, there must be some limits on what organisations can do with the information.
`Use' should include disclosing and publishing personal information
107. The present Privacy Act distinguishes between `use' (primarily internal) and `disclosure' (primarily external release). There is some advantage in this - people are usually more concerned about disclosure to third parties than they are about internal uses. But it also causes some difficulties in the application of the principles. The exceptions in the IPPs are very similar for use and disclosure - where they differ it is not easy to see why. The distinction is not a critical part of a privacy scheme - internationally, some privacy principles treat disclosures as just another `use'.[22] In the interests of a simple and easily understood set of rules, it is suggested that the starting point for discussion should be a single `use limitation' principle, which would apply to all uses of personal information, including publication and disclosure outside the organisation, and which would be subject to a single set of exceptions.
Use for the purpose of collection
108. A possible form of words for the use limitation principle is:
An organisation should only use personal information: for the purpose for which it was collected [or ...]
109. Other acceptable uses are discussed below.
Uses related to the original purpose of collection
110. The IPPs in the Australian Privacy Act allow other uses where:
the purpose for which the information is used is directly related to the purpose for which the information was obtained.[23]
111. Some secondary uses of personal information are clearly within people's reasonable expectations. For example, if a company collects information for the original purpose of selling a product, most people would expect that it could also use the information to judge the profitability of that product, or to offer them a related product (unless they had asked not to receive offers).
112. In assessing whether a secondary use is within people's reasonable expectations, the sensitivity of the information will also be relevant. For example, banks are diversifying into areas such as health insurance. It is doubtful if people would expect that information about their medical treatment would be used to offer (or refuse) them life insurance.
113. A related use may be within most people's reasonable expectations even though it is made without the consent of the individual in the particular case. As long as most reasonable people would regard the purpose of the use as related to the original purpose, it will pass the test.
114. There needs to be some reasonably clear link between the use of the information and the original purpose of collection. Otherwise, the principle would achieve nothing - a person who provides personal information would be leaving its use entirely to the discretion of the organisation.
115. A possible form of words is:
An organisation should only use personal information: ... [or] if the purpose of that use is reasonably related to the original purpose of collection.
Uses made with the consent of the subject of the information - opt out and opt in
116. Since the aim of information privacy is to give people some control over the handling of their information by others, there should be no objection to the use of personal information with the free and informed consent of the information subject.
117. Many of the responses to the September 1996 discussion paper from the Attorney-General's Department argued that a person should be regarded as having consented when they have been given a chance to deny their consent and have not taken it; in other words, if they have not `opted out' of a particular use.[24] This would often be enough to satisfy a consent test, provided the option has been clearly presented and the person has been given enough information to make an informed decision and a reasonable time to respond. But there will be circumstances, where sensitive information or uses are involved, where explicit opt-in consent would be preferable. Exactly which contexts demand an opt-in approach is a matter for further consultation, though uses of detailed medical records would be an obvious possibility.
118. A possible form of words for this sort of use is:
An organisation should only use personal information: ... [or] if the subject of the information has consented to the use.
Uses necessary to protect life or health
119. While it will not happen very often, it is sometimes necessary for private sector organisations to use personal information about their customers in emergency situations. For example, an airline might be asked to release information about passengers on a flight which carried a person infected with cholera. The present IPPs limit emergency uses to cases where there is a `serious and imminent' threat to the life or health of any person, not just the subject of the information. It may be that this is too strict a test, and that a broader discretion should be allowed, provided organisations are able to justify the use of this exception after the event.
120. A possible form of words for this sort of use is:
An organisation should only use personal information: ... if the organisation has reasonable grounds for believing that the use will reduce a threat to the life or health of any person.
Uses that are required by law
121. The existing Australian IPPs say that personal information may be used for a purpose other than the purpose of collection or disclosed where that `is required or authorised by or under law'.[25] Private sector organisations will often be required to compile certain records, for passing on to authorities; for example, employers and financial institutions are obliged to report individuals' income to the Tax Office. They are also subject to statutory and common law demands on a case by case basis, for instance where police produce a search warrant or subpoena, or through the discovery process in civil litigation. There is no suggestion that privacy principles should interfere with the operation of these important processes.
122. Few private sector organisations will be authorised by statute law to use information in particular ways. Some professional associations may be authorised to publish details about their registered members. Common law obligations like a duty of care may sometimes authorise a particular use of personal information.
123. A possible form of words for this sort of use is:
An organisation should only use personal information: ... [or]
if the use is required or authorised by law.
Uses related to law enforcement
124. The Privacy Act provides that government agencies can use personal information for a purpose other than that for which it was collected and can disclose personal information, where that is reasonably necessary for the enforcement of the criminal law or the protection of the public revenue.[26] Such an exception makes little sense in the private sector context: private organisations are rarely going to be in a position to judge what is `reasonably necessary'.
125. It is sometimes appropriate for organisations to assist law enforcement investigations by providing personal information, even if there is no formal legal obligation and the subject of the information has not consented. But the 1992 revelations by the New South Wales Independent Commission against Corruption about an extensive unauthorised trade in personal information - an informal `mates club' - illustrate the risks of an overly casual attitude to official requests.[27]
126. A possible form of words for this sort of use is:
An organisation should only use personal information: ... [or]
if a person or body involved in the investigation of criminal offences asks the organisation to use personal information; the organisation has reasonable grounds for believing that the person or body is making the request in connection with a legitimate investigation of criminal offences; and the personal information is provided by a statement recorded in writing; or
if the organisation has reasonable grounds for believing that an offence has been committed and the organisation uses the personal information to report the offence to the relevant authorities.
127. There are two additional reasons why some further discussion of this exception may be desirable. First, the privatisation or contracting out of government functions is now reaching into areas such as prisons and security. Second, private businesses also have interests in fraud control and security, with the police and other government authorities increasingly unable to pursue minor crimes for lack of resources. The principles should be able to accommodate reasonable use of personal information in this context.
128. The answer to these two trends may not lie in a general law enforcement exception to the `purpose limitation' principle. A sensible interpretation of the `related purpose' exception, together with appropriate extension of statutory powers and safeguards to contractors, may suffice.
Fair, lawful and non-intrusive collection
Fair means
129. Information Privacy Principle 1.2 in the Commonwealth Privacy Act requires that `personal information shall not be collected by a collector by ... unfair means'. It is almost a tautology to say that the collection of personal information should be fair. The problem is to determine what `unfair' means.[28] In a public sector context, the Privacy Commissioner has generally taken this to mean collection by deception or intimidation.
130. One area where `unfair' will need fleshing out in practical terms is the use of inherently intrusive practices like covert video surveillance. Such collection of information is not unlawful, but is it fair? For example, if an employer suspects that an employee is stealing goods, is it fair to install hidden video cameras in the workplace? It seems likely that many people would accept that it is, on certain conditions: for example, if the thefts are serious, if other methods have been tried and failed, if the tapes are used only to identify the culprit, and if those covered by the surveillance are told what has been done. The circumstances in which covert collection is fair will need to be further discussed.
Lawful means
131. Information privacy principles generally contain a requirement that personal information be collected by lawful means.[29] It is hard to see an argument against such a requirement - responsible information handling must be within the law.
Non-intrusive collection
132. Even if collection is lawful and fair it may still significantly intrude on a person's privacy, for example, asking probing questions of someone whose relative has just died, making repeated requests for the same information or making phone calls to collect information late at night. All these may be justified in some circumstances but their intrusiveness suggests there should be a high standard of justification for their use. The IPPs in the Privacy Act say that when a government agency is collecting personal information directly from the individual it should take reasonable steps to make sure that:
the collection of the information does not intrude to an unreasonable extent upon the personal affairs of the individual concerned.[30]
133. There are two problems with this wording. First, it introduces the concept of `personal affairs', which is hard to define. Second, the organisation will not always be able to know whether collection intrudes unreasonably - it may not have enough information about the individual's circumstances to know that the collection is unreasonably intrusive.[31] One way of dealing with these problems would be to eliminate `personal affairs' from the wording and to confine the reach of the principle to the means of collection.
134. A possible form of words would be:
An organisation should not collect personal information by unlawful, unfair or unreasonably intrusive means.
What should organisations tell the people they are collecting information about?
135. The fundamental idea behind information privacy is that people should be able to exercise some control over the way that information about them is collected, stored, used, disclosed and so on. They cannot do this if they have no way of finding out how their information is used. The Australian IPPs express this idea by requiring that individuals are made aware of certain matters, including the purpose for which the information is being collected; if the collection of the information is authorised or required by or under law; and any person, body or agency to whom the information is usually disclosed.[32]
136. The matters listed go some way to providing the person with the information they need to make an informed choice about whether or not to provide personal information about themselves, but not the whole way. In particular, they do not require the person to be told the consequences of choosing to provide or not to provide the information; this is clearly important to people's decisions and could reasonably be added to the requirement.
How specific should the information be?
137. Often the organisation will not know exactly which organisations it will be disclosing personal information to. In providing individuals with this sort of information, organisations should be able to describe a range of possible disclosures in generic terms; for example, referring to `State compensation authorities' or `debt collectors' rather than naming all the possibilities. This is the approach the Privacy Commissioner has taken to the principle in a public sector context.
Exceptions to the principle
138. There must be some exceptions to this principle. First, the context in which the individual provides the information may make it clear that some particular disclosure may be made. For example, if a company offers to pass on a person's details to other firms which it recommends, the person automatically knows that their personal information will be disclosed to a range of other organisations. Second, when the person has recently had a reasonable opportunity to acquaint themselves with these matters, it may be reasonable to excuse the organisation from going through the same process again. Third, there may be other situations where giving detailed information is inappropriate. For example, where a company that suspects an employee of theft asks the person where they were at a certain time; to tell the person `we are asking you this for the purpose of finding out whether or not you have been stealing' would defeat the whole purpose of the exercise.
139. These exceptions would all be covered by an appropriate interpretation of `reasonable steps' and it may not be necessary to list them in the principle itself.
140. A possible form of words for this principle would be:
When collecting personal information from the subject of the information, an organisation should take reasonable steps to let the person know how it will use the information and the consequences for the person of providing and of not providing the information.
Safeguarding personal information
141. Most private sector organisations readily accept that they should protect any personal information they hold against unauthorised access. This principle appears in almost all information privacy schemes internationally.[33] The Australian IPPs say:
A record-keeper ... shall ensure: (a) that the record is protected, by such security safeguards as it is reasonable in the circumstances to take, against loss, against unauthorised access, use, modification or disclosure, and against other misuse; ...[34]
142. Not all personal information is equally sensitive. Some personal information - like psychiatric reports or a person's HIV status - is very sensitive and unauthorised access to that information nearly always brings a risk of harm to the person. Other personal information, like address, is not sensitive for most people, though it can be sensitive for judges or police officers or victims of domestic violence.
143. It may be appropriate to associate with the principle some factors that should be taken into account in assessing what steps are reasonable, for example, the sensitivity of the information; special consideration for information about such things as race, sexual life, political affiliations, religious beliefs and medical history; the consequences for the individual and the organisation if the information is mishandled; and the likelihood of deliberate attempts to breach security safeguards.
144. A possible form of words for the security principle would be:
An organisation should take reasonable steps to protect the personal information it holds from unauthorised access.
Destroying personal information
145. Related to the collection limitation principle is the principle that personal information should not be retained unless it is reasonable to do so. Such a principle should not prevent organisations from keeping personal information when it still has a legitimate use. For example, it should allow organisations to keep information long enough to be sure that it will not be necessary for legal proceedings. And they should be able to comply with genuine archival requirements.
146. One possible form of words would be:
An organisation should take reasonable steps to destroy personal information if
the information is no longer used for the purpose for which it was collected or any related purpose, and
there is no legal reason to retain it.
Ensuring the quality of personal information
147. Since the use of low quality personal information can impose serious disadvantage on the subject of the information, organisations have a responsibility to take reasonable measures to ensure the quality of the personal information that they hold. This idea appears in a number of places in the existing Australian IPPs: IPPs 3(c), 7.1, 8 and 9. There is really only a single obligation here: an organisation should take reasonable measures to ensure that the personal information it handles is of good quality, given what it is to be used for. This should apply when the organisation is collecting information, while it holds the information (including when it is challenged by the subject of the information - see Allowing individuals to correct their own personal information below) and when it uses the information.
148. Any scheme must recognise that the costs of checking must be weighed against the risk of the information being of low quality and the likely consequences if it is. The inclusion of the `reasonable steps' qualification may accommodate these concerns.
149. A possible form of words would be:
An organisation should take reasonable steps to make sure that the personal information it collects, holds or uses is of good quality.
Letting people know what personal information an organisation holds
150. A precondition for giving people some control over personal information about them is to let them know that it is there in the first place. The Australian IPPs express this idea in IPP 5.1 and 5.3 (see Appendix D).
151. `Reasonable steps' to satisfy an openness principle could include making brochures available, providing general information online, mailing information to customers, or establishing a well publicised telephone enquiry number. In most cases, this obligation would really be no more than normal good customer service practice.
152. A possible form of words would be:
An organisation should take reasonable steps to let people find out what sort of personal information it holds and how it uses the information.
Keeping a written record of information held by an organisation
153. Two further provisions of the existing Australian IPP 5 that would not appear to fit comfortably in a self-regulatory privacy scheme for the private sector are:
the requirement at IPP 5.3 that an organisation shall maintain a document describing the different types of personal information it holds; and
the requirement at IPP 5.4 that the organisation shall provide this document to the Privacy Commissioner on an annual basis (for publication in a consolidated Digest).
154. Neither of these requirements would achieve much if applied to the private sector. It is suggested that they could be dropped.
Allowing individuals to gain access to their personal information
155. Allowing people access to their personal information, subject to appropriate exemptions, is a fundamental principle of fair information handling. It is also a good way of making sure that the information is accurate. In the responses to the Attorney-General's Department's discussion paper, an access principle received strong support from consumer and privacy groups. Many businesses and business groups also supported the principle, though with a range of concerns about the circumstances in which it would be legitimate to deny access.[35]
156. A possible form of words for the general principle is:
An organisation should take reasonable steps to provide a person with the personal information it holds about them.
157. The terms of reasonable exceptions to the access principle will need to be developed in consultation with stakeholders.
Exceptions to a right of access to personal information
158. There are clearly a number of situations in which it is not reasonable to expect an organisation to provide an individual access to personal information that it holds about them. The Attorney-General's Department's 1996 discussion paper identified a number of areas where exceptions might be appropriate:
where the information requested did not exist or could not be found;
where the information requested was not held by the organisation;
where giving access would endanger the safety or physical or mental health of any individual;
where giving access would involve the disclosure of commercial in confidence information;
where giving access would unreasonably impinge upon the privacy of other individuals;
where the information requested is evaluative or opinion material;
where giving access would prejudice the safe custody or rehabilitation of individuals;
where giving access would encroach on legal professional privilege;
where giving access would amount to contempt of court; and
where giving access would impose unreasonable costs on the organisation.
159. Debate about exceptions to the access principle will be vigorous, but acceptable compromises have been struck both in public sector FOI laws and in information privacy laws overseas. The following section discusses one particularly contentious possible exception. Others are discussed in Appendix B.
Opinion or evaluative information
160. In the responses to the September 1996 discussion paper from the Attorney-General's Department, a number of business groups proposed an exemption for `opinion or evaluative material'.[36] Some argue that there is a much stronger case for access to this sort of information in the public sector, where statutory powers are being exercised, consequences for individuals are often serious, and principles of natural justice are required by law. It is suggested that it is inappropriate to import an administrative law approach to `reasons' for decisions into a commercial environment where individuals are contracting voluntarily for goods or services.
161. There are some difficulties with these arguments. First, opinion or evaluative material is exactly the sort of information that has the greatest impact on individuals. To exclude it from an access provision would greatly reduce the ability of individuals to challenge inaccurate or incomplete information the use of which may have an important impact on their lives, even in commercial transactions. For example, business reference databases may include opinion about the reliability of customers and employment records may include subjective assessments of character or competence. If people cannot gain access to such information they have no way of disputing its accuracy. Second, it is not always easy to say when fact shades into opinion; a blanket exemption for `opinion' would require a delicate line-drawing exercise.
162. Business concerns about access to evaluative material also appear partly based on a belief that it would apply to personal notes, and make many of the day to day practices of most people in the workplace impossible. Any access principle should be drafted in such a way as to make a clear distinction between personal working documents and notes, which would be exempt (as they are in Freedom of Information laws) and information on organisational records which, subject to other exemptions, would be accessible. The objective of an access principle is to give individuals rights in relation mainly to information which forms part of a permanent record which may be accessed by many people, and used over a period of time. It is not to give access to personal notes or jottings of a transient nature made in the course of people's work.
163. The NZ Privacy Act has a narrower exemption for evaluative material from the obligation to give access:
[if] the disclosure of the information or of information identifying the person who supplied it, being evaluative material, would breach an express or implied promise -
(i) which was made to the person who supplied the information; and
(ii) which was to the effect that the information or the identity of the person who supplied it or both would be held in confidence.[37]
164. Such an exception would allow employment references and other performance reports to be provided to organisations in confidence.
Form of requests and access
165. There should be considerable flexibility in both the form in which requests for access may be made and the form in which access to information may be given.
166. Most Freedom of Information legislation (which applies to all public sectors in Australia except in the Northern Territory) requires requests to be made in writing, but given that there is now widespread access to telephones, faxes and emails, this may not be necessary for the private sector.
167. There are a number of ways of providing access to information. Photocopying relevant documents is the most obvious but sometimes it will be easier to provide access by inspection, on a screen or even over the phone. The important point is that an organisation should not be able to avoid its responsibilities by imposing an inconvenient form of access that acts as a barrier to people who want access to the information the organisation holds about them.
Charges
168. Giving people access to personal information that an organisation holds about them imposes some costs on the organisation. It involves, at least, locating the information and making it accessible, in one way or another.
169. In many cases, these costs will be very low. If all the organisation has to do is look up a file in alphabetical order and photocopy a sheet of paper, access could be provided free of charge. If meeting an access request involves considerable effort the organisation should be able to charge reasonable fees. But no organisation should be able to impose artificially high charges as a way of avoiding its obligations under the scheme. One option would be to put a cap on access charges.
170. To charge people just for making a request would undermine the access principle and act as a deterrent. Those on low incomes in particular could be prevented from exercising their rights.
Allowing individuals to correct their own personal information
171. If an individual can establish that the personal information an organisation holds about them is of low quality, they should be able to have it corrected. IPP 7 in the Privacy Act expresses the principle this way:
A record-keeper who has possession or control of a record that contains personal information shall take such steps (if any), by way of making appropriate corrections, deletions and additions as are, in the circumstances, reasonable to ensure that the record: (a) is accurate; and (b) is, having regard to the purpose for which the information was collected or is to be used and to any purpose that is directly related to that purpose, relevant, up to date, complete and not misleading.
172. Most organisations regard this as good practice in any case - it is not in the organisation's interest to be making decisions on the basis of poor quality information. But there are some practical issues. `Accuracy' is not the only dimension of information quality that needs to be addressed. The use of incomplete information can also have serious effects. For example, a person may be denied a job because the employer finds out that they have been convicted of an offence; if the employer does not also find out that the conviction was quashed and the police involved convicted of perjury, an injustice may be done. Similarly, irrelevant and out of date information can have harmful effects. For these reasons, individuals should be able to mount reasonable challenges to the overall quality of personal information about them, as well as to the accuracy of any factual details.
173. This right must however be balanced against organisations' freedom to make judgment and assessments, and to record information received in good faith. If the organisation is convinced the information is of sufficient quality for the intended purposes and the individual disagrees, the compromise that appears in Freedom of Information legislation is for the organisation to attach to its records a statement from the person disputing the quality of the information. Such cases are rare and a similar approach may work in the private sector.
174. A possible form of words for the correction right would be:
If an organisation holds personal information about a person and the person is able to establish that the information is not of good quality, the organisation should take reasonable steps to amend the information so that it is of good quality.
If the person and the organisation disagree about the quality of the information and the person asks the organisation to associate with the information a statement disputing its quality, the organisation should take reasonable steps to do so.
Should the principles apply `retrospectively'?
175. A number of the responses to the discussion paper from the Attorney-General's Department expressed concern that it would be impractical to try to apply the principles to information that organisations already hold.[38] The scheme will have to take a common sense approach to this question. The guiding idea should be that the principles apply as far as possible to all personal information except where that is clearly impractical or unfair to the organisation.
176. The collection limitation and notification principles[39] clearly cannot operate retrospectively. The use limitation principle[40] should apply as far as it can to existing information although this may not always be feasible, for example, where an organisation collected information in the expectation of using it for a secondary purpose but did not need at that time to seek people's consent. The security and openness principles[41] could probably apply to all personal information. The destruction and quality principles[42] could apply to all personal information but organisations obviously cannot be expected immediately to review all the personal information they hold. The access and correction principles[43] could apply to all factual information but there would need to be some exceptions to cover opinion or evaluative material information collected on the assumption that it would not be accessible to the individual.
Other principles
177. The discussion in this paper is based on the IPPs in the Federal Privacy Act but a number of other privacy principles have been proposed, partly in response to technological changes. They include principles about the use of publicly available information, the ability to conduct transactions anonymously, charging for the exercise of privacy rights, the primacy of individual consent, the matching of data from different sources and the use of identification numbers. These proposed principles are discussed in the final section of Appendix B.
[20]For example, the NZ Privacy Act provides that the Privacy Commissioner may issue `codes of practice' that modify the Act's information privacy principles in relation to a particular class of organisation or activity or occupation. When the Act was first introduced in 1993 many industries thought they would need the principles modified by way of a code of practice. In the end, most industries could live comfortably with the principles. The Privacy Commissioner has issued only three codes of practice to date.
[21]Further, more detailed discussion of some of the proposed principles is included in Appendix B.
[22]For example, the OECD's Guidelines on the Protection of Privacy and Transborder Flows of Personal Data; Directive 95/46 of the European Parliament on `the protection of individuals with regard to the processing of personal data and on the free movement of such data'; Germany's federal Law for Data Processing and Data Protection 1990; and Sweden's Data Act 1989.
[23]IPP 10.1(e).
[24]The Australian Direct Marketing Association, American Express, the Australian Retailers Association, International Masters Publishers, the Life, Investment and Superannuation Association, Readers Digest and others.
[25]IPP 10.1(c) and, for disclosure of personal information, IPP 11.1(d).
[26]IPP 10.1(d) and IPP 11.1(e).
[27]Independent Commission Against Corruption, Report on Unauthorised Release of Government Information, Sydney, 1992.
[28]A point made in a number of responses to the September 1996 discussion paper from the Attorney-General's Department, including those from the AMP Society, the Life, Investment and Superannuation Association and MLC.
[29]For example: Information Privacy Principle 1.2 in s.14 of the Privacy Act (Commonwealth); the Collection Limitation Principle at paragraph 7 of the OECD guidelines; Principle 4 of the Canadian Standard (CAN/CSA-Q830-96).
[30]IPP 3(d).
[31]Both these points emerged from the responses to the September 1996 discussion paper from the Attorney-General's Department. The first was made by the AMP Society and the second by the Australian Bankers' Association.
[32]IPP 2(c)-(e).
[33]For example, the Security Safeguards Principle at paragraph 11 of the OECD guidelines; Information Privacy Principle 5 in section 6 of the Privacy Act (NZ); article 17 of Directive 95/46 of the European Parliament on `the protection of individuals with regard to the processing of personal data and on the free movement of such data'; and article 5 of the Act for Protection of Computer Processed Personal Data held by Administrative Organs 1988 (Japan).
[34]IPP 4, Privacy Act 1988
[35]Consumers and advocates commenting on this issue include the Breast Implant Resource Service, the Central Coast Legal Centre, the Consumers' Health Forum, the Public Interest Advocacy Centre, the National Association of Tenant Organisations and the NSW Association for Mental Health. Businesses and business groups include the Real Estate Institute of Australia, Transax Equifax and Remington White.
[36]For example, the Australian Bankers Association and Credit Union Services Corporation Australia.
[37]Paragraph 29(1)(b).
[38]For example, the Australian Bankers Association, the Life, Investment and Superannuation Association, the Mt Eliza Plastic Surgery Centre and the Victorian Employers' Chamber of Commerce and Industry.
[39]See Limiting collection to legitimate purposes and What should organisations tell the people they are collecting information about?.
[40]See Limiting the use of personal information.
[41]See Safeguarding personal information and Letting people know what personal information an organisation holds.
[42]See Destroying personal information and Ensuring the quality of personal information.
[43]See Allowing individuals to gain access to their personal information and Allowing individuals to correct their own personal information.