	Home \| Databases \| WorldLII \| Search \| Feedback Privacy Law Resources

Home | Databases | WorldLII | Search | Feedback

Privacy Law Resources

You are here: WorldLII >> Databases >> Privacy Law Resources >> 2000 >> [2000] PrivLRes 4

Dixon, Tim --- "Government tables new privacy Bill" [2000] PrivLRes 4; [2000] CyberLRes 6 (1 January 2000)

	[Home] [Databases] [Search] [Feedback] [Help]
	Privacy Law Resources

You are here: WorldLII >> WorldLII Databases >> PrivLRes >> 2000 >> [2000] PrivLRes 4

[Global Search] [PrivLRes Search] [Help]

'Government tables new privacy Bill' ([2000] CyberLRes 6) - [2000] PrivLRes 4

Government tables new privacy legislation

Tim Dixon
Baker & McKenzie, Sydney
(for publication in Telemedia)

Background to Current Privacy Legislation
Coverage
Scope
The NPPs
Privacy Codes
Enforcement
Conclusions

Legislation to extend the Privacy Act to the private sector is now beforethe Australian Parliament, following the release of the Privacy Amendment(Private Sector) Bill 2000 by the Attorney-General Daryl Williams.The legislation is now being considered by a parliamentary committee andwhile some distance still needs to be covered before the final shape ofthe legislation is known, its general framework is unlikely to change.

Background to Current Privacy Legislation

The legislation is the latest stage in a long path towards national privacylegislation since the election of the Howard Government:

Initially, the Coalition's 1996 election manifesto included a commitmentto "world best" privacy legislation covering the private sector, and wascritical of the slow response of the previous Government to public concernsover the erosion of personal privacy.
In September 1996 the Attorney-General, Daryl Williams, released a discussionpaper on the proposed extension of the Privacy Act 1988 to the privatesector. It involved extending the existing Information Privacy Principlesto the private sector, with minimal changes to the overall regulatory regime.However, the Bill had several design flaws and this prompted intensiveprivate lobbying for its abandonment by key industry groups.
In March 1997 the Prime Minister, Mr Howard, announced that the Governmentwould not be extending privacy legislation to the private sector, citingthe problem of the regulatory imposition of compliance for small businesses.Instead, the Prime Minister indicated that privacy should be dealt withunder self-regulatory processes.
Over the course of 1997, the then Privacy Commissioner, Moira Scollay,initiated a consultation process in which industry groups, privacy experts,advocates and consumer organisations worked on the development of a setof privacy principles which could apply to businesses either through industrycodes or national legislation.
In February 1998, the Privacy Commissioner launched the National Principlesfor the Fair Handling of Personal Information (generally known as the NationalPrivacy Principles). Industry groups such as the Insurance Council of Australia,the Australian Direct Marketing Association, the Australian CommunicationsIndustry Forum and the Internet Industry Association sought to insert theseprinciples (sometimes with some modifications) into their industry codes.A revised set of Principles was released in January 1999 after furtherconsultations over the issue of exemptions for law enforcement agencies.
Between 1997 and 1998 the development of the internet and a growing numberof well publicised privacy invasions gave increasing public profile tothe privacy issue. A public campaign to extend privacy legislation to theprivate sector gained increasing support. By the second half of 1998, severalindustry groups were publicly and privately advocating the extension ofthe legislation to the private sector. The support of business groups wasprompted by increasing concerns that in the absence of a consistent nationalscheme, a patchwork of different industry standards and legislation wouldemerge. This fear was heightened by the development of a Victorian DataProtection Billfor privacy protection which aimed to cover the publicand private sector.
In December 1998 Attorney-General Daryl Williams and the Minister for Communications,Information Technology and the Arts Senator Richard Alston jointly announcedthat the government would implement a "light touch" extension of the Actto the private sector, which would provide for a default set of privacystandards in the absence of industry codes to be approved by the PrivacyCommissioner. This legislative proposal was developed throughout 1999 throughthe Core Consultative Group, a similar group to that which was involvedin the development of the National Privacy Principles.
In December 1999 the Government released Key Provisions of its PrivacyAmendment (Private Sector) Bill 2000. After further public consultationsthe Government tabled the Bill in Parliament in April 2000.
The legislation went for review to the House of Representatives Committeeon Legal and Constitutional Affairs during the May Budget sitting. TheCommittee will release its report on 19 June 2000 and it will still takesome time before the Bill makes its way through the Senate, which is unlikelyto complete its deliberations on the Bill until the spring session of Parliament.The amended legislation will then return to the House of Representatives,where its approval is uncertain.

Coverage

The amendments to the Privacy Act 1988 extend a set of NationalPrivacy Principles (NPPs) to the private sector. The NPPs were originallydeveloped by the Privacy Commissioner in 1997 through a process of consultationwith industry and consumer groups. In turning them into legislative provisions,the detail of these principles has been substantially expanded. The NPPsdiffer from the Information Privacy Principles (IPPs) which apply to CommonwealthGovernment agencies.

The National Privacy Principles set out minimum standards forthe handling of personal information. These relate to:

Collection of personal information: Collection must be necessaryfor an organisations activities, must be collected lawfully and fairlyand as a general principle with the individual's consent.
Use and disclosure of personal information: As a generalprinciple, information can only be used or disclosed for its original purposeunless the person has consented to its use or disclosure for another purpose.Exemptions apply to initial contact for direct marketing (if consent wasn'tpracticable originally) and other situations such as when there are issuesof law enforcement, public safety or protecting the company from fraud.
Accuracy of personal information: Organisations must takereasonable steps to ensure that they keep personal information accurate,complete and up to date.
Security of personal information: Organisations must take reasonable stepsto protect the personal information which they hold from misuse, loss unauthorisedaccess, modification or disclosure.
Openness in relation to the organisations practices: Organisationswhich collect personal information must be able to document their practicesand must make this information available on request.
Access and correction rights: As a general principle, organisationsmust give individuals access to their personal information and must allowthem to correct it or explain something with which they disagree, unlessdisclosing this would have an unreasonable impact on someone else's privacy.This principle is subject to exemptions such as if this disclosure wouldcompromise a fraud investigation.
Use of government identifiers: Organisations cannot use agovernment agency's identifier as its identifier. This would cover itemssuch as drivers' licence numbers, Medicare numbers, a Tax File Number (whichin my case is covered by other legislation) or any future identity numbersassigned by a government agency.
Anonymity: Organisations must give people the option of enteringinto transactions anonymously where it is lawful and practicable. For example,this would apply to travel on a bus but not to opening a bank account.
Restrictions on transborder data flows: As a general principle,organisations can only transfer the personal information about an individualto a foreign country if they believe that the information will be protectedby a law or a contract which upholds privacy principles similar to theNPPs.
Special provision for sensitive personal information: A higherlevel of privacy protection applies to sensitive personal information,which includes information about a person's health, political or religiousbeliefs or affiliation, and sexual preference. This information must onlybe collected with the individual's consent.

The NPPs apply to all organisations (other than public sector organisations,which are already covered by the Information Privacy Principles). Thisincludes a body corporate, an unincorporated association, a partnership,a trust or an individual. However, exceptions are granted to the followingorganisations:

Small Businesses: A small business is defined as a businesswith an annual turnover of $3 million or less, which does not provide ahealth service or hold health information, which does not provide contractualservices to the Commonwealth and does not transfer personal informationabout an individual to anyone else for any kind of benefit. In other words,small businesses are covered if they are involved in the sale of personalinformation.
The Media: Acts or practices done by an organisation in thecourse of journalism will be exempt from the legislation. Journalism isdefined broadly to mean the collection, preparation and dissemination ofnews, current affairs, documentaries and other information for the purposeof making the material available to the public. This provision explicitlyaims to strike a balance between the public interest in providing adequateprivacy safeguards with the public interest in allowing a free flow ofinformation to the public through the media. The scope of this exemptionis especially broad. An organisation can be classified as a media organisationif it is engaged in the provision of information to the public, and its"activities consist of ..... dissemination of ..... material having thecharacter of news, current affairs, information or a documentary". Thishas attracted criticism because it would be open for the exemption to beclaimed for privacy invasive practices.
Political parties: Registered political parties will be exemptfrom the legislation for their activities in connection with an election,a referendum, or other participation in the political process. This wasa surprise inclusion in the legislation, as it had never previously beenraised during the extensive consultations over the legislation. The Governmenthas argued that it is necessary to give this exemption in order to giveeffect to the implied constitutional freedom of political speech outsideof governments this argument does not appear to have been taken seriously.It is generally accepted that this exemption protects the sophisticateddirect marketing strategies and little-known uses of databases by the majorparties.
Domestic use: This exemption applies to use of personal informationrelated to personal, family or household affairs relating to personal information.

Scope

The legislation will cover all types of personal information which arenot publicly available but, will exclude:

Employee records: Employee records are defined as a recordrelating to the employment of an employee including engagement, training,disciplining, resignation, termination, terms and conditions, contact details,performance or conduct, remuneration, the union membership, health informationand financial affairs. It is extends to current and former employers.
Personal information already in existence when the amendmentscome into operation.
State government contractors: The acts and practices of contractors tostate and territory governments and agencies in relation to handling personalinformation under contracts need only to comply with the applicable standardsof the state or territory and will otherwise be exempt from the Act.
Transfers of personal information between "related bodies corporate",as defined under section 50 of the Corporations Law. Related bodiescorporate are essentially businesses which have a shared controlling interest.Under section 50, where a body corporate is:

(i) a holding company of another body corporate;
(ii) a subsidiary of another body corporate;
(iii) a subsidiary of a holding company of another body corporate,

the bodies are related to each other.Under section 46, a body corporate (in this section called the first body)is a subsidiary of another body corporate if, and only if:
(i) the other body:
(A) controls the composition of the first body's board;
(B) controls more than one-half of the maximum number of possible votes ata general meeting of the first body; or
(C) hold more than one-half of the issued share capital of the first body;
(ii) the first body is a subsidiary of a subsidiaryof the other body.

This might allow a large organisation with diverse businesses to poolits personal data collections without the knowledge of its customers. Restrictionsstill apply to the use and disclosure of this information, but an organisationwhich was able to conduct direct marketing to customers apparently conductdirect marketing in respect of all of the operations of its related bodiescorporate.

The NPPs

The heart of the legislation is the National Privacy Principles. The NPPsare broadly similar to privacy principles embodied in privacy laws introducedthroughout the industrialised world in recent years, broadly based on the1980 OECD privacy principles. The principles impose restrictions on thecollection, use and disclosure of personal information. They impose requirementsrelating to the quality and security of personal information as well asrequiring openness about information practices and where practicable, givingindividuals the option to remain anonymous in transactions. Individualsare given rights to access personal information, subject to restrictions.There are controls on the transfer of personal information to someone ina foreign country which does not have similar privacy protection. A higherstandard of privacy protection is required for "sensitive information"- defined to include information about an individual's racial or ethnicorigin, political opinions, membership of a political association, religiousbeliefs or affiliations, philosophical beliefs, union membership, sexualpreference or practices, criminal records and health information.

Privacy Codes

By default, the NPPs apply to organisations - that is, unless the organisationis a signatory to a voluntary code which has been approved by the PrivacyCommissioner. However, the legislation leaves open the option of industrygroups or individual firms developing their own codes of conduct in placeof the NPPs. Codes can be developed by any organisation or group, but cannotimpose a lower standard or privacy protection than the NPPs. Codes mustbe approved by the Privacy Commissioner after a process of consultation.The codes are intended to give the legislation maximum flexibility whileretaining a consistent standard of privacy protection.

Enforcement

Once in place, an individual who believes that the code has been breachedmay make a complaint to the organisation concerned. If it is not resolvedsatisfactorily, they may make a complaint to the Privacy Commissioner,or if an independent adjudicator has been appointed to administer the code,they must make the complaint to that body.

If there is an approved code of conduct in place, the complaint will normallybe handled by a code authority. In practical terms, this might be the TelecommunicationsIndustry Ombudsman, the Banking Industry Ombudsman or the code authorityfor the Australian Direct Marketing Association code of conduct.
If there is no approved code of conduct in place, the complaint is handledby the Privacy Commissioner.

Breach of the NPPs can result in an order from either a code authorityor the Privacy Commissioner to restrain an action, undertake an action,or to give monetary compensation.

A decision to give an individual a remedy can be appealed in the FederalMagistrate's Court, and can be enforced through the Court if it is notgiven effect. A decision against an individual cannot be appealed althoughthe decision itself is subject to the process of administrative review.
One of the key weaknesses in the enforcement mechanism is that whileCode authorities will be required to submit an annual report on their complainthandling, there is no other mechanism for accountability in the decisionmaking process for handling complaints. There is, for example, no processfor the Privacy Commissioner to issue binding rulings or interpretations,which may be needed because of the generality of many provisions of thelegislation. This is especially a problem since individuals will have nogeneral appeal right or recourse (other than a formal review under theAdministrative Division Judicial Review Act 1977) if a code authority rulesagainst a complainant. Under the ADJR Act, the review of the decision isrestricted to review for errors of law and does not extend to review ofthe merits of a decision, such as the policy used in the decision makingby a code authority, and the weight given to primary evidence for the purposeof inferring factual conclusions. The ADJR Act will nevertheless allowindividuals to obtain an explanation as to why an unfavourable decisionwas reached.

Conclusions

While there are strengths in the general framework of the legislation -a set of overarching principles which can be applied with some flexibility- the Bill is flawed by exemptions which are, by international standards,quite extraordinary. These exemptions create significant problems:

Given the complexity of the legislation and its broad exemptions, the Governmentwill have a difficult time arguing that consumer confidence in ecommercewill be bolstered. For example, the overwhelming majority of Australianbusinesses have a general exemption from the legislation (subject to limitations)through the small business provision. Consumers will often not know whetherthe organisation they are dealing with is covered by the legislation ornot. The complexity of the legislation is likely to add to confusion ratherthan create clarity. This is especially the case in the online environmentwhen consumers have no pre-existing relationship or knowledge of companieswith whom they may be doing business. Forrester Research in the UnitedStates has estimated that a lack of consumer confidence about the protectionof personal information online resulted in a loss of $2.8 billion in potentialecommerce business last year. These concerns can be addressed directlywith a world-standard privacy regime; but a confusing, compromised proposalsuch as this one will not overcome the lack of consumer confidence whichcontinues to retard the growth of ecommerce in Australia.
The implications of this exemption are not entirely clear. For example,if a small business is involved in one transfer of information for somekind of benefit, does this mean that it is covered by the privacy legislationin respect of all of its holdings of personal information? Is it only coveredin respect of the handling of that particular record? If it makes availablea set of records for some kind of benefit to a third party at one pointin time, for how long is that set of information records covered by theprovisions of the Act? Likewise, does the fact that some information collectedby an organisation is made available to the public mean that the organisationis exempted from the operation of the Act in respect of all other processesof collecting, using, handling and disclosing this information? If politicalparties are exempted from the legislation in relation to practices associatedwith elections, referenda or the political process generally, does thisallow the political party to on-sell information to other organisationswithout the individual's consent? By creating so many broad exemptions,the legislation creates uncertainty in many
With such broad exemptions, Australia is unlikely to make it on to theanticipated European Union "White List" of countries whose privacy protectionis "adequate", and with whom European businesses can confidently exchangepersonal information. This undermines Australian efforts to position itselfas the leading data processing in the Asia Pacific centre, especially asHong Kong and New Zealand both have privacy legislation which is likelyto meet the EU standards.
The decentralised nature of the complaint handling process may result inthe development of different interpretations and privacy standards. Thiscould be especially difficult for some companies which may belong to anumber of industry organisations and whose activities may extend acrossseveral industry sectors.

These issues are likely to receive a hearing through the parliamentaryprocess as the legislation gives through the two House of Representatives.There is strong public support for legal protection for privacy - accordingto a 1999 Roy Morgan survey, 56% say that they are worried by invasionof privacy through new technology, and consistently surveys show more thanfour out of five people supporting privacy legislation for businesses.As yet, that public concern has not been fully reflected in the Government'slegislative plans.

Tim Dixon is an associate at Baker & McKenzie in Sydney and isChairman of the Australian Privacy Foundation.

WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback
URL: http://www.worldlii.org/int/other/PrivLRes/2000/4.html