You are here:
Privacy Law Resources >>
 PrivLRes 4
| Name Search
| Recent Documents
Dixon, Tim --- "Government tables new privacy Bill"  PrivLRes 4;  CyberLRes 6 (1 January 2000)
You are here:
WorldLII Databases >>
 PrivLRes 4
'Government tables new privacy Bill' ( CyberLRes 6) -  PrivLRes 4
Government tables new privacy legislationTim Dixon
Baker & McKenzie, Sydney
(for publication in Telemedia)
Legislation to extend the Privacy Act to the private sector is now beforethe Australian Parliament, following the release of the Privacy Amendment(Private Sector) Bill 2000 by the Attorney-General Daryl Williams.The legislation is now being considered by a parliamentary committee andwhile some distance
still needs to be covered before the final shape ofthe legislation is known, its general framework is unlikely to change.
Background to Current Privacy LegislationThe legislation is the latest stage in a long path towards national privacylegislation since the election of the Howard Government:
- Initially, the Coalition's 1996 election manifesto included a commitmentto "world best" privacy legislation covering the private sector,
and wascritical of the slow response of the previous Government to public concernsover the erosion of personal privacy.
- In September 1996 the Attorney-General, Daryl Williams, released a discussionpaper on the proposed extension of the Privacy Act 1988 to the privatesector. It involved extending the existing Information Privacy Principlesto the private sector, with minimal changes
to the overall regulatory regime.However, the Bill had several design flaws and this prompted intensiveprivate lobbying for its abandonment
by key industry groups.
- In March 1997 the Prime Minister, Mr Howard, announced that the Governmentwould not be extending privacy legislation to the private
sector, citingthe problem of the regulatory imposition of compliance for small businesses.Instead, the Prime Minister indicated that
privacy should be dealt withunder self-regulatory processes.
- Over the course of 1997, the then Privacy Commissioner, Moira Scollay,initiated a consultation process in which industry groups, privacy
experts,advocates and consumer organisations worked on the development of a setof privacy principles which could apply to businesses
either through industrycodes or national legislation.
- In February 1998, the Privacy Commissioner launched the National Principlesfor the Fair Handling of Personal Information (generally
known as the NationalPrivacy Principles). Industry groups such as the Insurance Council of Australia,the Australian Direct Marketing
Association, the Australian CommunicationsIndustry Forum and the Internet Industry Association sought to insert theseprinciples (sometimes
with some modifications) into their industry codes.A revised set of Principles was released in January 1999 after furtherconsultations
over the issue of exemptions for law enforcement agencies.
- Between 1997 and 1998 the development of the internet and a growing numberof well publicised privacy invasions gave increasing public
profile tothe privacy issue. A public campaign to extend privacy legislation to theprivate sector gained increasing support. By the
second half of 1998, severalindustry groups were publicly and privately advocating the extension ofthe legislation to the private
sector. The support of business groups wasprompted by increasing concerns that in the absence of a consistent nationalscheme, a patchwork
of different industry standards and legislation wouldemerge. This fear was heightened by the development of a Victorian DataProtection Billfor privacy protection which aimed to cover the publicand private sector.
- In December 1998 Attorney-General Daryl Williams and the Minister for Communications,Information Technology and the Arts Senator Richard
Alston jointly announcedthat the government would implement a "light touch" extension of the Actto the private sector, which would
provide for a default set of privacystandards in the absence of industry codes to be approved by the PrivacyCommissioner. This legislative
proposal was developed throughout 1999 throughthe Core Consultative Group, a similar group to that which was involvedin the development
of the National Privacy Principles.
- In December 1999 the Government released Key Provisions of its PrivacyAmendment (Private Sector) Bill 2000. After further public consultationsthe Government tabled the Bill in Parliament in April 2000.
- The legislation went for review to the House of Representatives Committeeon Legal and Constitutional Affairs during the May Budget
sitting. TheCommittee will release its report on 19 June 2000 and it will still takesome time before the Bill makes its way through
the Senate, which is unlikelyto complete its deliberations on the Bill until the spring session of Parliament.The amended legislation
will then return to the House of Representatives,where its approval is uncertain.
CoverageThe amendments to the Privacy Act 1988 extend a set of NationalPrivacy Principles (NPPs) to the private sector. The NPPs were originallydeveloped by the Privacy Commissioner
in 1997 through a process of consultationwith industry and consumer groups. In turning them into legislative provisions,the detail
of these principles has been substantially expanded. The NPPsdiffer from the Information Privacy Principles (IPPs) which apply to
The National Privacy Principles set out minimum standards forthe handling of personal information. These relate to:
The NPPs apply to all organisations (other than public sector organisations,which are already covered by the Information Privacy Principles).
Thisincludes a body corporate, an unincorporated association, a partnership,a trust or an individual. However, exceptions are granted
to the followingorganisations:
- Collection of personal information: Collection must be necessaryfor an organisations activities, must be collected lawfully and fairlyand as a general principle with
the individual's consent.
- Use and disclosure of personal information: As a generalprinciple, information can only be used or disclosed for its original purposeunless the person has consented to its use
or disclosure for another purpose.Exemptions apply to initial contact for direct marketing (if consent wasn'tpracticable originally)
and other situations such as when there are issuesof law enforcement, public safety or protecting the company from fraud.
- Accuracy of personal information: Organisations must takereasonable steps to ensure that they keep personal information accurate,complete and up to date.
- Security of personal information: Organisations must take reasonable stepsto protect the personal information which they hold from
misuse, loss unauthorisedaccess, modification or disclosure.
- Openness in relation to the organisations practices: Organisationswhich collect personal information must be able to document their practicesand must make this information available
- Access and correction rights: As a general principle, organisationsmust give individuals access to their personal information and must allowthem to correct it
or explain something with which they disagree, unlessdisclosing this would have an unreasonable impact on someone else's privacy.This
principle is subject to exemptions such as if this disclosure wouldcompromise a fraud investigation.
- Use of government identifiers: Organisations cannot use agovernment agency's identifier as its identifier. This would cover itemssuch as drivers' licence numbers,
Medicare numbers, a Tax File Number (whichin my case is covered by other legislation) or any future identity numbersassigned by a
- Anonymity: Organisations must give people the option of enteringinto transactions anonymously where it is lawful and practicable. For example,this
would apply to travel on a bus but not to opening a bank account.
- Restrictions on transborder data flows: As a general principle,organisations can only transfer the personal information about an individualto a foreign country if they believe
that the information will be protectedby a law or a contract which upholds privacy principles similar to theNPPs.
- Special provision for sensitive personal information: A higherlevel of privacy protection applies to sensitive personal information,which includes information about a person's health,
political or religiousbeliefs or affiliation, and sexual preference. This information must onlybe collected with the individual's
- Small Businesses: A small business is defined as a businesswith an annual turnover of $3 million or less, which does not provide ahealth service or
hold health information, which does not provide contractualservices to the Commonwealth and does not transfer personal informationabout
an individual to anyone else for any kind of benefit. In other words,small businesses are covered if they are involved in the sale
- The Media: Acts or practices done by an organisation in thecourse of journalism will be exempt from the legislation. Journalism isdefined broadly
to mean the collection, preparation and dissemination ofnews, current affairs, documentaries and other information for the purposeof
making the material available to the public. This provision explicitlyaims to strike a balance between the public interest in providing
adequateprivacy safeguards with the public interest in allowing a free flow ofinformation to the public through the media. The scope
of this exemptionis especially broad. An organisation can be classified as a media organisationif it is engaged in the provision
of information to the public, and its"activities consist of ..... dissemination of ..... material having thecharacter of news, current
affairs, information or a documentary". Thishas attracted criticism because it would be open for the exemption to beclaimed for privacy
- Political parties: Registered political parties will be exemptfrom the legislation for their activities in connection with an election,a referendum,
or other participation in the political process. This wasa surprise inclusion in the legislation, as it had never previously beenraised
during the extensive consultations over the legislation. The Governmenthas argued that it is necessary to give this exemption in
order to giveeffect to the implied constitutional freedom of political speech outsideof governments this argument does not appear
to have been taken seriously.It is generally accepted that this exemption protects the sophisticateddirect marketing strategies and
little-known uses of databases by the majorparties.
- Domestic use: This exemption applies to use of personal informationrelated to personal, family or household affairs relating to personal information.
ScopeThe legislation will cover all types of personal information which arenot publicly available but, will exclude:
(i) a holding company of another body corporate;
- Employee records: Employee records are defined as a recordrelating to the employment of an employee including engagement, training,disciplining, resignation,
termination, terms and conditions, contact details,performance or conduct, remuneration, the union membership, health informationand
financial affairs. It is extends to current and former employers.
- Personal information already in existence when the amendmentscome into operation.
- State government contractors: The acts and practices of contractors tostate and territory governments and agencies in relation to
handling personalinformation under contracts need only to comply with the applicable standardsof the state or territory and will
otherwise be exempt from the Act.
- Transfers of personal information between "related bodies corporate",as defined under section 50 of the Corporations Law. Related bodiescorporate are essentially businesses which have a shared controlling interest.Under section 50, where a body corporate is:
(ii) a subsidiary of another body corporate;
(iii) a subsidiary of a holding company of another body corporate,
the bodies are related to each other.Under section 46, a body corporate (in this section called the first body)is a subsidiary of another body corporate if, and only if:
(i) the other body:
(A) controls the composition of the first body's board;
(B) controls more than one-half of the maximum number of possible votes ata general meeting of the first body; or
(C) hold more than one-half of the issued share capital of the first body;
(ii) the first body is a subsidiary of a subsidiaryof the other body.
This might allow a large organisation with diverse businesses to poolits personal data collections without the knowledge of its customers.
Restrictionsstill apply to the use and disclosure of this information, but an organisationwhich was able to conduct direct marketing
to customers apparently conductdirect marketing in respect of all of the operations of its related bodiescorporate.
The NPPsThe heart of the legislation is the National Privacy Principles. The NPPsare broadly similar to privacy principles embodied in privacy
laws introducedthroughout the industrialised world in recent years, broadly based on the1980 OECD privacy principles. The principles
impose restrictions on thecollection, use and disclosure of personal information. They impose requirementsrelating to the quality
and security of personal information as well asrequiring openness about information practices and where practicable, givingindividuals
the option to remain anonymous in transactions. Individualsare given rights to access personal information, subject to restrictions.There
are controls on the transfer of personal information to someone ina foreign country which does not have similar privacy protection.
A higherstandard of privacy protection is required for "sensitive information"- defined to include information about an individual's
racial or ethnicorigin, political opinions, membership of a political association, religiousbeliefs or affiliations, philosophical
beliefs, union membership, sexualpreference or practices, criminal records and health information.
Privacy CodesBy default, the NPPs apply to organisations - that is, unless the organisationis a signatory to a voluntary code which has been approved
by the PrivacyCommissioner. However, the legislation leaves open the option of industrygroups or individual firms developing their
own codes of conduct in placeof the NPPs. Codes can be developed by any organisation or group, but cannotimpose a lower standard
or privacy protection than the NPPs. Codes mustbe approved by the Privacy Commissioner after a process of consultation.The codes
are intended to give the legislation maximum flexibility whileretaining a consistent standard of privacy protection.
EnforcementOnce in place, an individual who believes that the code has been breachedmay make a complaint to the organisation concerned. If it
is not resolvedsatisfactorily, they may make a complaint to the Privacy Commissioner,or if an independent adjudicator has been appointed
to administer the code,they must make the complaint to that body.
Breach of the NPPs can result in an order from either a code authorityor the Privacy Commissioner to restrain an action, undertake
an action,or to give monetary compensation.
- If there is an approved code of conduct in place, the complaint will normallybe handled by a code authority. In practical terms, this
might be the TelecommunicationsIndustry Ombudsman, the Banking Industry Ombudsman or the code authorityfor the Australian Direct
Marketing Association code of conduct.
- If there is no approved code of conduct in place, the complaint is handledby the Privacy Commissioner.
A decision to give an individual a remedy can be appealed in the FederalMagistrate's Court, and can be enforced through the Court
if it is notgiven effect. A decision against an individual cannot be appealed althoughthe decision itself is subject to the process
of administrative review.
One of the key weaknesses in the enforcement mechanism is that whileCode authorities will be required to submit an annual report on
their complainthandling, there is no other mechanism for accountability in the decisionmaking process for handling complaints. There
is, for example, no processfor the Privacy Commissioner to issue binding rulings or interpretations,which may be needed because of
the generality of many provisions of thelegislation. This is especially a problem since individuals will have nogeneral appeal right
or recourse (other than a formal review under theAdministrative Division Judicial Review Act 1977) if a code authority rulesagainst
a complainant. Under the ADJR Act, the review of the decision isrestricted to review for errors of law and does not extend to review
ofthe merits of a decision, such as the policy used in the decision makingby a code authority, and the weight given to primary evidence
for the purposeof inferring factual conclusions. The ADJR Act will nevertheless allowindividuals to obtain an explanation as to why
an unfavourable decisionwas reached.
ConclusionsWhile there are strengths in the general framework of the legislation -a set of overarching principles which can be applied with some
flexibility- the Bill is flawed by exemptions which are, by international standards,quite extraordinary. These exemptions create
Given the complexity of the legislation and its broad exemptions, the Governmentwill have a difficult time arguing that consumer confidence
in ecommercewill be bolstered. For example, the overwhelming majority of Australianbusinesses have a general exemption from the legislation
(subject to limitations)through the small business provision. Consumers will often not know whetherthe organisation they are dealing
with is covered by the legislation ornot. The complexity of the legislation is likely to add to confusion ratherthan create clarity.
This is especially the case in the online environmentwhen consumers have no pre-existing relationship or knowledge of companieswith
whom they may be doing business. Forrester Research in the UnitedStates has estimated that a lack of consumer confidence about the
protectionof personal information online resulted in a loss of $2.8 billion in potentialecommerce business last year. These concerns
can be addressed directlywith a world-standard privacy regime; but a confusing, compromised proposalsuch as this one will not overcome
the lack of consumer confidence whichcontinues to retard the growth of ecommerce in Australia.The implications of this exemption are not entirely clear. For example,if a small business is involved in one transfer of information
for somekind of benefit, does this mean that it is covered by the privacy legislationin respect of all of its holdings of personal
information? Is it only coveredin respect of the handling of that particular record? If it makes availablea set of records for some
kind of benefit to a third party at one pointin time, for how long is that set of information records covered by theprovisions of
the Act? Likewise, does the fact that some information collectedby an organisation is made available to the public mean that the
organisationis exempted from the operation of the Act in respect of all other processesof collecting, using, handling and disclosing
this information? If politicalparties are exempted from the legislation in relation to practices associatedwith elections, referenda
or the political process generally, does thisallow the political party to on-sell information to other organisationswithout the individual's
consent? By creating so many broad exemptions,the legislation creates uncertainty in manyWith such broad exemptions, Australia is unlikely to make it on to theanticipated European Union "White List" of countries whose privacy
protectionis "adequate", and with whom European businesses can confidently exchangepersonal information. This undermines Australian
efforts to position itselfas the leading data processing in the Asia Pacific centre, especially asHong Kong and New Zealand both
have privacy legislation which is likelyto meet the EU standards.The decentralised nature of the complaint handling process may result inthe development of different interpretations and privacy standards.
Thiscould be especially difficult for some companies which may belong to anumber of industry organisations and whose activities may
extend acrossseveral industry sectors.These issues are likely to receive a hearing through the parliamentaryprocess as the legislation gives through the two House of Representatives.There
is strong public support for legal protection for privacy - accordingto a 1999 Roy Morgan survey, 56% say that they are worried by
invasionof privacy through new technology, and consistently surveys show more thanfour out of five people supporting privacy legislation
for businesses.As yet, that public concern has not been fully reflected in the Government'slegislative plans.
Tim Dixon is an associate at Baker & McKenzie in Sydney and isChairman of the Australian Privacy Foundation.