Waters, Nigel --- "The New Australian Privacy Landscape" [2001] PrivLRes 3; [2001] CyberLRes 9 (14 March 2001)


UNSW Continuing Legal Education Seminar

Wednesday 14 March 2001


Part 1: Introduction and Overview - new Australian privacy laws in an international context


Nigel Waters, Pacific Privacy Pty Ltd and Convenor, Australian Privacy Charter Council


With increasing globalisation of e-commerce, privacy protection is rapidly becoming a transnational issue. As we do more and more of our transactions on-line, and as organizations contract out more and more functions - often offshore - we can no longer protect our privacy with purely domestic laws. Also, even where privacy regulations address wholly domestic activities, the standards expected are drawn from comparative international experience.

Australian privacy laws have long been influenced by overseas jurisdictions and international agreements. The Commonwealth Privacy Act 1988 expressly references both the 1980 Guidelines of the Organisation for Economic Co-operation and Development (OECD) and the International Covenant on Civil and Political Rights (Article 17).

During the 1990s, much of the debate about extension of the Privacy Act to the private sector revolved around the perceived 'adequacy' of Australian law in the context of the European Union's data protection Directive. This Directive, developed in the early 1990s, enacted in 1995 and taking effect in 1998, requires all EU member states to have consistent privacy laws. Those laws must contain 'trans-border data flow' provisions which control the export of personal data to third countries outside the EU. The basic principle is that export will only be allowed if either the third country has adequate laws or if specific protection arrangements are put in place for the specific transfer, eg: by contract. The EU has issued successive waves of guidance about how these provisions will work in practice[1]. Also, in 2000, the EU Commission reached agreement with the US government about a so-called Safe Harbour arrangement for transfer of personal data from Europe to the US. This provided for a largely self-regulatory scheme of privacy protection to be considered adequate for the purposes of the Directive and EU laws. The Safe Harbour agreement has been widely criticized, not only by privacy advocates but also by the EU Parliament and the Article 29 Working Group of EU Data Protection Commissioners. It is seen as an essentially political compromise necessitated by American economic dominance, and cannot necessarily be taken as a model for application elsewhere in the world. New Zealand has already moved to amend its 1993 Privacy Act to include a trans-border data flow provision and to address other weaknesses that might otherwise lead to it being judged inadequate. Hong Kong's forward thinking in 1995 when enacting its Personal Data (Privacy) Ordinance means that it is already well placed to be found 'adequate' as the EU works its way through assessments of its trading partners.[2]

The debate over privacy laws in New South Wales and Victoria also referenced the EU Directive. Although the resulting laws in both States only apply to the public sector, and therefore have less need to meet international standards, consistency and avoidance of a patchwork of differential regulation were seen as important. The Victorian Information Privacy Act 2000 seeks to achieve this objective by adopting the Privacy Commissioner's National Privacy Principles, and its success will therefore depend on how adequate those principles are judged to be. The NSW government, by adopting its own version of the principles, must be judged separately.

How adequate will the new Australian privacy laws be in meeting the international standards? Part 2 of this paper attempts to answer this question with a detailed analysis.

Before doing so however, it should be noted that the long term future of privacy protection goes well beyond the relatively simple adoption of internationally recognized privacy principles. These principles are still a good foundation for 'good housekeeping' and for giving individuals remedies for deliberate or inadvertent breaches. But the principles alone do not address the more significant privacy issues facing modern society. These are the threshold issues about how much personal data we allow to be collected in the first place, including such highly sensitive data as our genetic makeup; and the extent to which we allow other public and private interests to override individuals' privacy preferences.

Traditional collection, use and disclosure principles only go so far in dealing with the private sector's assertions of a freedom to communicate as part of a competitive market economy. Neither do they in themselves provide the answers to a range of important public policy questions. These include:
  • How far do we allow individuals to opt out of uses of health care data which could both improve their own health and that of others, and reduce the cost of health care to the community?
  • What limits do we place on the powers of law enforcement agencies to access otherwise private data, including the content of our communications, when faced with evidence that such access can reduce crime and increase safety?
  • How much cross-matching of data do we allow for the purposes of administering welfare programs efficiently, when we know that there are disbenefits not only in terms of loss of privacy but also in erroneous suspicions, leading to unwarranted harassment and discrimination?

These and other questions require both new policy and analytical tools, such as privacy impact assessment of new initiatives; and in some cases new technological tools for privacy protection, such as software agents that allow for anonymous or pseudonymous transactions. The issues are the same worldwide, and we increasingly look to shared experience and shared solutions. Australia is belatedly catching up with Europe and nearer neighbours New Zealand and Hong Kong in respect of statutory information privacy protection. Can we be more pioneering in our approach to the wider and in some ways more significant issues of privacy policy?


Part 2: Adequacy of Australian Privacy Laws in relation to the European Union Directive



For the purposes of the analysis in this paper, it is convenient to consider four broad sectors, between which the level and type of privacy protection currently varies considerably:

  • The public sector - government departments and agencies and state owned businesses.
  • Consumer Credit reporting
  • Telecommunications
  • The rest of the private sector

Each of these sectors will be dealt with separately, applying the EU criteria to assess adequacy of protection. Some of the explanation of legal processes and mechanisms given in the first section (public sector) will be applicable to the others, and cross references will be made where appropriate to avoid repetition.

The Public Sector

Scope of Regulation and Overview


Until the new amendments take effect in December 2001, the Commonwealth Privacy Act 1988 primarily covers the activities of federal government departments and agencies, subjecting them to a set of Information Privacy Principles based on the OECD Guidelines, and the supervision of a Privacy Commissioner.[3] The Act was subsequently amended in 1989-1991 to add functions relating to special rules for data-matching and the national health identification number.

In the ACT, Territory government agencies are subject to the Commonwealth Privacy Act, and there is also a separate law covering the handling of health information in both the public and private sectors (Health Records (Access and Privacy) Act 1997).

While both New South Wales and Queensland have had statutory Privacy Committees with an Ombudsman complaint handling function, the only State to currently have a fully fledged data protection law is New South Wales (NSW), which passed the Privacy and Personal Information Protection Act in 1998. The NSW Act, which came fully into effect in most respects on 1 July 2000, applies to most government agencies, but not to state owned corporations and there are also major exemptions which will be discussed later. There is a NSW Privacy Commissioner[4] with powers of investigation, while complaints of alleged breaches of the Information Protection Principles are dealt with either by the Commissioner, who can attempt to conciliate, or by the Administrative Decisions Tribunal, which can make binding orders including for compensation of up to $40,000.

In Victoria, the Information Privacy Act was passed in late 2000 and commences in September 2001. The Victorian Act is more comprehensive than the NSW Act, having fewer exemptions, and covering state owned enterprises. There will be a Victorian Privacy Commissioner with strong powers including the issue of compliance notices, and complaints, if not conciliated, can be decided by the Victorian Civil and Administrative Tribunal which can make binding orders, including for compensation of up to $100,000. A separate Health Records Bill was introduced into the Victorian Parliament in 2000 and is expected to pass in 2001. It contains similar complaints and enforcement arrangements to the Information Privacy Act, with the Health Services Commissioner playing an equivalent role to that of the Privacy Commissioner.

South Australia, Tasmania and Western Australia have all adopted versions of Information Privacy Principles as administrative instructions to their departments and agencies, but these do not have the force of law and there are no supervisory or enforcement mechanisms (South Australia has a part time Privacy Committee with some advisory and ombudsman functions).

Exemptions and restrictions


Exemptions from the Commonwealth, NSW and Victorian Acts are of two types - complete exemptions for specified agencies, and exemptions for specified activities or types of data.

Commonwealth


Under the Commonwealth Privacy Act, there is a relatively short list of completely exempt agencies which includes intelligence agencies, parliamentary departments, and some government business enterprises.[5] The Courts are exempt for information relating to their judicial functions.

Contractors in general are not subject directly to the Act, although eligible employment agencies are. However, in order to comply with the security principle (see below), agencies need to bind contractors with contractual terms to observe the privacy principles.

The Commonwealth Act provides a mechanism for waivers from the application of one or more of the principles through a Public Interest Determination by the Privacy Commissioner. However the process involved is complex and transparent and any such Determinations are subject to disallowance by Parliament. As a result, only a handful of Determinations have been made in the eleven years of the Act's operation, mostly for specific and non-controversial matters.

The application of the Act is complicated by the fact that most of the principles apply to records containing personal information - not to the information itself. The definition of record confirms that documents, databases and photographs are all covered, but an important exemption is provided by the exclusion from the definition of "generally available publications"[6]. This means that the Act cannot address the serious privacy issues that arise from the secondary use of public registers. Some laws governing individual public registers already contain limited privacy protections such as restrictions on direct marketing uses and facilities for suppression for individuals at risk, and there is a growing debate at both Commonwealth and State level about the need for more general rules on use of public registers. The exemption also creates a risk of deliberate circumvention of privacy controls by a policy decision to publish personal information.

Another definitional problem is that "personal information" may not include data such as e-mail addresses or phone numbers which are typically used as surrogate identifiers and which can be used to interact with individuals even if the user is unaware of the holders true identity.[13]

A significant exemption is that only citizens and permanent residents have the right to seek correction (rectification) of personal information.[14] This contrasts with the application of all the other principles and all other rights under the Act to any individual, whatever their nationality or place of residence.

There is provision in the Act for 'waivers' from the application of the IPPs, going beyond any of the statutory exemptions already discussed above. The Privacy Act contains a mechanism for the Privacy Commissioner to make a Public Interest Determination allowing a derogation from the IPPs.[15] Determinations are subject to an elaborate and public consultation process and are subject to disallowance by Parliament.

New South Wales (NSW)


Under the Privacy and Personal Information Protection Act 1998, a number of major state government agencies are exempted from some or all of the principles. These include the Police and other law enforcement and investigative agencies (these are quite broadly defined) in respect of their operational functions. All state owned corporations are completely exempt, as are courts, tribunals and Royal Commissions in the exercise of their judicial functions.

Contractors providing data services are directly subject to the Act.

The NSW Act provides for agencies to receive further exemptions by means of either a Code of Practice or a Direction by the Privacy Commissioner (both of which have to be approved by the Minister, but not by Parliament). These can weaken (but not increase) the level of protection. Several Codes of Practice and Directions have already been approved, creating further exemptions[16].

The Act applies directly to personal information, but generally available publications are exempt.

Victoria

The Information Privacy Act applies to most public sector agencies and other bodies. Courts and tribunals are exempt in respect of their judicial functions, and law enforcement agencies are exempt from some of the principles but only where non-compliance is considered necessary on reasonable grounds.

Contractors to public sector agencies are directly subject to the Act.

The Act applies directly to personal information, but generally available publications are exempt. Health information (broadly defined) is excluded, but is covered by the separate Health Records Bill.

The provision in the Information Privacy Act for Codes of Practice expressly rules out Codes which set less stringent standards than the statutory principles, and there is no other mechanism in the Act for further waivers or exemptions other than provision for a government Order exempting an organization where it is covered by an alternative statutory scheme.

Purpose Limitation Principle


The Commonwealth, NSW and Victorian Acts include purpose limitation principles which are very similar, and which address the same objective as Articles 6(1)(b) and 7 of the EU Directive. They all adopt the approach of allowing collection only where lawful and necessary, and then separately restricting use and disclosure[17].

The basic principle in all three laws is that personal information should only be used or disclosed for the primary or original purpose of collection. Use and disclosure for secondary purposes is only permitted:
  • With the consent of the individual (similar to Article 7(a), although none of the laws require consent to be unambiguous, and this leaves considerable scope for interpretation);
  • For related purposes (arguably similar to Article 6(1)(b) (not incompatible) and 7(b), although the wording of the Australian provisions varies considerably both between jurisdictions and between use and disclosure, leaving considerable scope for generous interpretations of what is a related purpose);
  • To avoid serious and imminent harm (similar to Article 7(d) and Article 13(1)(g));
  • Where authorized or required by law (this is a wider exception than the criterion of legal obligation in Article 7(c) of the Directive);
  • In a range of public interest circumstances (broadly similar to those in Article 7(e) and Article 13(1)(a)-(f)).

The way in which Australian laws deal with purpose limitation in respect of sensitive data is considered separately below.

Data Quality Principle


The Commonwealth, NSW and Victorian Acts include one or more data quality principles[18]. These mostly impose the same requirements as Article 6(1)(c) & (d), although there are differences. The Commonwealth Act omits 'adequate and not excessive' and, somewhat confusingly, places 'accuracy' in the correction principle, although apparently applying it to all stages of information handling. The Victorian Act omits 'adequate, relevant and not excessive', while the NSW Act has the full set of criteria from Article 6.

All three laws also include, under the security principle, a principle of 'keeping no longer than necessary'[19] imposing a similar requirement to Article 6(1)(e).

Transparency Principle


The Commonwealth, NSW and Victorian Acts include transparency and openness under two separate principles. A notice principle[20] requires organizations to inform individuals when they are collecting information about certain matters, broadly similar to those in Articles 10 & 11. A separate openness principle[21] requires organisations to make publicly available general information about their handling of personal information.

There are some significant differences in the detail of these requirements. Unlike the NSW and Victorian Acts, the Commonwealth Act does not expressly require individuals to be notified of the identity of the collector; of access and correction rights, and of any consequences of not supplying information. Both the Commonwealth and NSW Acts only apply the notice requirement where an organization is collecting directly from an individual (the Article 10 situation), whereas the Victorian Act applies a similar obligation where information is collected indirectly (equivalent to Article 11).

The Commonwealth and NSW Acts provide for publication of a Personal Information Digest by the respective Privacy Commissioners giving general information about the personal information holdings of agencies[22]. Under the Commonwealth Act, publication is mandatory, but there has been relatively little use of the hard copy Digest published annually. Under the NSW Act, the Commissioner has a discretion to publish a Digest, but has no immediate plans to do so.

Rights of Access, Rectification and Opposition


Access & Correction

The Commonwealth, NSW and Victorian Acts include rights of access and correction. In all three cases, this principle is complicated by interaction with existing Freedom of Information laws which even before the enactment of privacy laws gave individuals a right of access and correction to information held by government agencies.

The approach taken by the privacy laws is to create separate rights[23] but to defer to the FoI laws for the implementation of those rights. The Commonwealth Privacy Act adds a further ground for correction (relevance), but limits the correction right to Australian citizens and permanent residents.[24] All three privacy laws provide additionally for individuals to add 'challenges' to their files where correction is inappropriate, and the NSW Act also provides for third party recipients of information to be notified of corrections or challenges, where practicable.

The FoI laws contain a number of exemptions or grounds for withholding access or refusing correction, which are either designed to protect the privacy of third parties or directed towards important public interests of the kind acknowledged in Articles 12 &13. (The Victorian Act includes a detailed list of exemptions, and access and correction mechanisms to apply to contracted service providers who are not already subject to FoI). There is a constant public debate about the exemptions, which many critics argue provide too many grounds for public servants and governments to withhold access, and is subject to abuse which undermines the objective of the access right.

Rights of Opposition

The right to object to particular types of processing, established by Article 14 of the EU Directive, is not provided in the Australian laws governing the public sector. None of the laws provides for the right to object generally as in Article 14(a), although it is likely that in most public sector contexts either an express legal authority, or one of the Article 13 exemptions would override any expectation of a right to object. The right of opposition to direct marketing (Article 14(b)) arguably has limited application to the public sector and is not provided in any of the three Acts. However, following a well publicized controversy in June 2000, the Commonwealth government has agreed to amend the legislation setting up an Australian Business Register to give individual registrants an 'opt-out' from direct marketing uses.

More generally, there is considerable debate about the direct marketing uses of personal information in public register information. The NSW Act has specific provisions relating to public registers[25] and these include a right for individuals to have details suppressed if their safety or well being is at risk (this right already exists in relation to some specific registers), but a desire to avoid direct marketing would not satisfy this test. The Victorian government is currently studying the public register issue.

Security Principle


The Commonwealth, NSW and Victorian Acts all include a security principle[26] which imposes the same general requirement as Articles 16 & 17.

Sensitive Data


The Commonwealth Act contains no special provisions in relation to sensitive data other than the government issued tax file number which is subject to a separate and restrictive regime. However, other Commonwealth laws contain specific privacy rules relating to old criminal convictions[27], and data held for the purposes of the Medicare and Pharmaceutical Benefits Schemes[28]. The Privacy Commissioner has a supervisory role in relation to these separate regimes.

The NSW Act includes a specific sensitive data principle[29] which imposes tighter conditions on the disclosure (but not collection or use) of certain categories of personal information, being:
  • ethnic or racial origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership;
  • health, and
  • sexual activities.

This list includes all of the categories in Article 8.

Disclosure is generally permitted only to prevent a serious or imminent threat to life or health, but a number of the exemptions apply, including express consent; where authorized or required by law; where reasonably necessary for law enforcement; and in certain circumstances for health care or treatment.

The Victorian Act also has a sensitive data principle which applies to collection (but not use or disclosure) of personal information about:
  • racial or ethnic origin;
  • political opinions;
  • membership of a political association;
  • religious beliefs or affiliations;
  • philosophical beliefs;
  • membership of a professional or trade association;
  • membership of a trade union;
  • sexual preferences or practices, and
  • criminal record.

This list includes all of the categories in Article 8 (except health which is covered separately - see below). However, because the principle only restricts collection, then provided an organization has bona fide grounds for collecting sensitive information, there are no additional constraints on what it can be used for or who it can be given to, beyond those applying generally under the use and disclosure principle[30].

The grounds under which sensitive information can be collected include: consent; required by law; serious and imminent threat to life or health; incapacity for consent; legal defence; and research.

Note: In Victoria, health information (which is broadly defined) is excluded from the definition of personal information and therefore from the scope of the Information Privacy Act, but is to be protected by a separate law - set out in the Health Records Bill 2000.

The Victorian Act also contains a specific principle concerning unique identifiers[31] designed to provide a safeguard against the creation of a single identifier that could be used to crossmatch data across all government departments.

Onward Transfers


The Commonwealth Act, which predates the EU Directive, contains no specific provisions relating to onward transfers to other jurisdictions, although advocates have argued that the security principle[32] might require a data 'exporter' to take reasonable steps to ensure that personal information was not misused in the hands of a recipient. The government does not appear to be proposing any amendments to accompany its private sector privacy Bill (see below) which would apply an onward transfer restriction to Commonwealth agencies. Any transfers of personal data to a Commonwealth agency will not therefore be able to meet the criteria expected in relation to the Directive's onward transfer provisions.

The NSW and Victorian Acts both expressly address the issue of onward transfer in an attempt to meet the requirements of the Directive.

Under the NSW Act, the 'Special restrictions' principle[33] which deals with sensitive data also prohibits public sector agencies from disclosing personal information outside the State unless either a relevant privacy law is in force, or the disclosure is permitted under a privacy Code of Practice. The Privacy Commissioner is required to develop a Code concerning onward transfers by 1 July 2001. He can also issue determinations as to which laws in other jurisdictions qualify as having a relevant privacy law in force.

The extent to which this provision meets the criteria expected in relation to the Directive's onward transfer provisions will depend on the content of the Code and/or basis of any determinations by the Commissioner.

Many of the general exemptions apply to this onward transfer principle - so that it does not restrict transfers which are reasonably necessary for law enforcement; authorized or required by law; or with the express consent of the individual, or made by specified investigative agencies[34].

The Victorian Act adopts the onward transfer principle[35] developed by the Privacy Commissioner to put limits on the flow of information outside Victoria. An organisation is only allowed to transfer personal information outside Victoria if it reasonably believes the recipient is subject to a law, or other binding obligation, which imposes restrictions on the use of that information that are substantially similar to the information privacy principles.

Personal information may also be transferred with the individual's consent or if the transfer is necessary for the performance of a contract. If consent of the individual cannot practically be obtained, the organisation can only transfer the information if it is for the benefit of the individual and if the individual would be likely to give the consent.

As there are few exemptions from any of the principles, this provision in the Victorian Act would seem to satisfy the criteria expected in relation to the Directive's onward transfer provisions, but only if there is some mechanism for giving rulings or guidance on what constitutes an adequate level of protection in other jurisdictions. The Act gives the Privacy Commissioner a function of publishing model terms for a contract or arrangement with a recipient of personal information being transferred by the organisation outside Victoria[36]. But there is no express provision for more general guidance on adequacy.

Independent investigation and adjudication of complaints


Under the Commonwealth, NSW and Victorian laws, complaints are investigated by the Privacy Commissioner.[37] All three Privacy Commissioners are appointed as statutory officers with a high degree of theoretical independence from government[38]. They are appointed for fixed terms and can only be removed from office on very serious grounds such as misbehaviour or incapacity. The Victorian Act follows the same model[39]. In all three jurisdictions, final adjudication of complaints is by courts or tribunals, which are even more independent.[40]

In all cases, the Commissioner's resources are provided through a sponsoring government department and they are subject to a range of budgetary and other pressures which have led at times to their effective independence being questioned. But this is no different from the situation in most countries, and Australian jurisdictions have not only a strong tradition of respect for the independence of statutory officers but also a highly developed system of administrative law which would allow any 'suspect' decisions to be challenged.

The remedies available to individuals whose privacy rights are infringed include, in all three jurisdictions, directions to perform specified actions, and the possibility of compensation for loss or damage (capped at $40,000 in NSW and $100,000 in Victoria). There is an emphasis in all three laws on conciliation and mediated settlements. Under the Commonwealth law there have been many such settlements, some including payment of compensation, but only a handful of formal determinations. The NSW and Victorian schemes are too new to have any 'case law'.

The complaints handling and enforcement aspects of the three statutory public sector privacy regimes generally appear to meet the standards envisaged in Articles 22-24 and 28 of the EU Directive, in respect of judicial remedies, compensation, sanctions and supervision. (But see comments below in relation to the recent private sector amendments to the federal law concerning defects in enforcement which may become more obvious with private sector application).

Consumer Credit Reporting

Scope of Regulation and Overview


The Commonwealth government legislated for privacy protection in consumer credit reporting in 1989, by means of an amendment to the Privacy Act 1988, introducing a new part (Part IIIA). The detailed statutory provisions are supplemented by a Code of Conduct and several Determinations issued by the Privacy Commissioner, which have the force of law as subordinate legislation endorsed by the Parliament.

The Credit Reporting regime relies on definitions of 'credit provider' and 'consumer credit' to apply to a business activity rather than to any specified organizations, although credit reporting agencies are also defined and subject to additional rules. Although Part IIIA and the Code of Conduct do not exactly follow the normal sequence of information privacy principles, they cover the same ground with rules on collection, storage, use and disclosure, and rights of access and correction. The credit reporting regime is subject to the same supervisory and enforcement mechanisms as the public sector principles, with the Privacy Commissioner able to audit, investigate complaints, and make orders which are enforceable through the Federal Court.

Exemptions and restrictions


Within the narrowly defined area of consumer credit reporting covered by the Privacy Act, there are few exemptions and restrictions on the operation of the law. Hire arrangements are considered as credit even where payment is made in advance, if the value of the goods is greater than the hire fee. Purely commercial credit reporting is not covered but there are complex rules about the interaction of information about personal creditworthiness and commercial lending practice. Some agents of credit providers, including both sales agents and legal advisers, are treated as though they were credit providers while handling personal information for their 'principal', but others - such as debt collectors, are not and can obtain access only to certain specified information even when recovering debts for a credit provider client.

The effect of the 'boundaries' of this jurisdiction depends on whether it is seen as imposing stricter privacy protection than applies elsewhere, or as permitting use of personal information which would otherwise be 'off-limits'. In the context of an otherwise unregulated private sector (the position for the last ten years), the former view is more accurate. Once privacy law applies to the rest of the private sector (see below) it may be more accurate to see the boundaries as conferring benefits - authorizing membership of an exclusive 'club' with privileged access to personal information without the express consent of individuals (although credit assessment would most likely be considered a related purpose under the normal application of privacy principles).

Purpose Limitation Principle


Part IIIA of the Privacy Act strictly limits access to personal credit information to businesses that are credit providers[41], and restricts both the use and further disclosure of that information to purposes associated directly with assessment of creditworthiness.[42]

Data Quality Principle


Credit reporting agencies and credit providers are required to take reasonable steps to ensure that personal information they hold is accurate, up-to-date, complete and not misleading.[43] The Code of Conduct specifies steps that must be taken to assist in meeting this requirement.[44]

Transparency Principle


The main means of implementing this principle in consumer credit reporting is an indirect requirement on credit providers to notify applicants for credit about disclosure to a credit reporting agency and subsequent implications.[45] Although the Act and Code of Conduct do not spell out notice requirements, they make it impossible for consumer credit reporting to operate unless individuals have been given quite detailed information. This is generally provided by means of versions of standard wording agreed between the Privacy Commissioner and industry representatives.[46]

Some of these notices take the form of 'consent for disclosure' to be signed by individuals when applying for credit, but as they are effectively a condition of credit, and applicants cannot decline to allow disclosure, they are more accurately described as providing notice rather than obtaining consent.

Credit providers are also required to give individuals additional information if they refuse them credit on the basis of a credit report. This information includes reference to the individual's right of access and rectification.

Rights of Access, Rectification and Opposition


Access & Correction

The Privacy Act provides individuals with a right of access to credit information files held by credit reporting agencies and to credit reports held by credit providers or reporting agencies[47]. The Act and Code of Conduct contain detailed provisions relating to correction of inaccurate data.

In relation to credit information files, the dominant reporting agency has a well established system for handling requests for access and correction which is periodically audited by the Privacy Commissioner and appears to work well, dealing with many thousands of requests each year.

Rights of Opposition

There are no specific rights of 'opposition' in Part IIIA or the Code but the issue of 'secondary' direct marketing does not arise as it is not a permitted use of credit information files or credit reports in the first place - although 'primary' direct marketing in relation to credit (eg other loans that might be of interest) is arguably permitted.[48]

Security Principle


The Act requires credit reporting agencies and credit providers to take reasonable steps to ensure that personal information they hold is protected by reasonable security safeguards.[49]

Sensitive Data


The Act expressly prohibits credit information files from containing information about
  • Political, social or religious beliefs or affiliations;
  • Criminal record;
  • Medical history or physical handicaps;
  • Race, ethnic origins or national origins;
  • Sexual preferences or practices; and
  • Lifestyle, character or reputation.[50]


Onward Transfers


The Act pre-dates express consideration of the onward transfer issue, but the security provision does require credit reporting agencies and credit providers to take reasonable steps to ensure that security standards are maintained when contracting out any service.[51]

Provided any disclosures are lawful under the general disclosure provisions of Part IIIA, it makes no difference currently whether they are to organizations within or outside Australia. However, under the proposed general private sector amendments to the Act, credit reporting agencies and credit providers will have to comply with the onward transfer principle (see below) as well as with all of the credit specific provisions.

Independent investigation and adjudication of complaints


The same processes and machinery apply to credit reporting as to the public sector jurisdiction (see above[52]). The only difference in terms of enforcement and remedies is that Part IIIA also contains some offence provisions. It is a criminal offence, for instance, to make an unauthorized use or disclosure[53] (fines of up to $150,000), to give a false or misleading credit report[54] (fine of up to $75,000), or to obtain unauthorized access[55] (fine of up to $30,000).

The complaints handling and enforcement aspects of the credit reporting privacy regime meet the standards envisaged in Articles 22-24 and 28 of the EU Directive, in respect of judicial remedies, compensation, sanctions and supervision.

Telecommunications

Scope of Regulation and Overview


The Telecommunications Act 1997, which set up a more diverse and de-regulated telecommunications market, requires telecommunications providers to comply with use and disclosure rules modelled on those in the Privacy Act (which used to apply to the state owned telco).

The Act also provides for industry developed Codes of Practice to be given statutory force, and two privacy codes, a general one including all of the information privacy principles and a specific code for calling number display have been developed. In 2000, these Codes were registered by the Australian Communications Authority (ACA)[56] and are now binding on all participants in the industry (carriers and service providers).

Individual complaints about breaches of the Code rules are handled by an industry funded Telecommunications Industry Ombudsman (TIO), while complaints about breaches of a more systemic nature, or of the underlying law, can be taken to the Australian Communications Industry Forum (ACIF - which developed the Codes) or to the ACA.

Exemptions and restrictions


The provisions of the Telecommunications Act apply to carriers and carriage service providers. These are technical definitions which in practice pick up most of the main providers of telecommunications services, including operators of fixed and mobile telephone networks, re-sellers, and Internet service or access providers (ISPs or IAPs). However, dealers and agents (for instance those selling mobile telephone services on behalf of the service operators) and Internet content providers are not covered.

Purpose Limitation Principle


The Telecommunications Act itself has since 1997 incorporated use and disclosure limitations modelled on Information Privacy Principles 10 & 11 of the Privacy Act.[57] However, there was no statutory equivalent of the 'fair and lawful collection' principle. Since May 2000, all telecommunications carriers and carriage service providers have been required to comply with a complete set of information privacy principles - the National Privacy Principles (NPPs)[58], which include 'fair and lawful collection' (Rule 5). They also support the use and disclosure limitations and conditions in the Act.[59] Rules 6 & 7 are a hybrid of IPPs 10 & 11, NPP 2 and the Telecommunications Act provisions, which, because they mostly set a higher standard, negate some of the criticisms of NPP 2 (see the section on the general private sector amendments below).

These rules are consistent with Articles 6 & 7 of the EU Directive.

However, unlike NPP 2, there are no special protections for health data in Rules 6 & 7 (see under sensitive data below in this section), and the special conditions applying to direct marketing only apply to use, not disclosure (see under rights of opposition below in this section).

Special provisions relating to collection, use and disclosure of Calling Number Display information are contained in a separate Industry Code which has also been registered by the ACA and is therefore now binding on all telecommunications providers.[60]

Data Quality Principle


Rule 8 of the binding Industry Code repeats National Privacy Principle 3, which requires organizations to take reasonable steps to make sure that the personal information they collect, use or disclose is accurate, complete and up-to-date. This is consistent with Article 6(d) of the EU Directive.

Transparency Principle


Rule 10 of the binding Industry Code repeats National Privacy Principle 5 (Openness) and requires telecommunications providers to be open about their management of personal information. Rule 5 is a version of NPP 1 and includes a requirement to give notice of various matters when collecting personal data. These rules are consistent with Articles 10 & 11 of the EU Directive.

Rights of Access, Rectification and Opposition


Access & Correction

Rule 11 of the binding Industry Code repeats National Privacy Principle 6, with some minor variations to reflect the telecommunications environment and specific provisions in the Telecommunications Act. To all intents and purposes it provides the same access and correction rights, exemptions and processes, as NPP6.

These rules are consistent with Article 12 of the EU Directive.

Rights of Opposition

Rule 6 includes special conditions where personal information is intended for use for direct marketing, and provides for individuals to be offered an 'opt-out' opportunity[61], but only where the intended use is not part of the original purpose of collection or directly related and within the reasonable expectation of the individual. There is no equivalent provision in Rule 7 in relation to disclosure for direct marketing, which could take place without the individual's consent, or any opportunity for them to opt-out. These rules therefore only partly provide the protection envisaged by Article 14 of the EU Directive.

Security Principle


Rule 9 of the binding Industry Code repeats National Privacy Principle 4 verbatim. This is consistent with Articles 16 & 17 of the EU Directive.

Sensitive Data


Rule 15 of the binding Industry Code is a simplified version of National Privacy Principle 12 which only limits collection of the sensitive data categories. There are no special restrictions or conditions on the use or disclosure of sensitive data - even health data, as the special provisions of NPP 2 are not carried over into Rules 6 & 7 (see above). There is therefore no equivalent in the telecommunications privacy regime to Article 8 of the EU Directive.

Onward Transfers


Rule 14 repeats the Transborder data flow National Principle (NPP 9) in its entirety. This is discussed in the next section.

Independent investigation and adjudication of complaints


The telecommunications regulatory regime relies largely on self-regulation. Registration of the Customer Personal Information (CPI) and Calling Number Display (CND) Codes has however brought into effect the safety net enforcement provisions of the Telecommunications Act and allows the ACA to issue warnings and directions in the event of persistent or serious breaches of the Codes. Failure to comply with a direction can incur civil penalties.

Complaints about breaches of the Code will however initially be investigated by the Telecommunications Industry Ombudsman (TIO), an industry appointed and funded body which nevertheless meets most of the standards of independence and autonomy generally regarded as necessary for a credible self-regulatory complaints scheme.[62] All telecommunications providers are required by law to join the TIO scheme and there are over 850 members.

The TIO has since its inception been able to handle complaints about breaches of privacy - initially by reference to the Privacy Act IPPs which used to apply to the government owned Telstra corporation. The TIO will now use the new registered privacy Codes as the standard against which complaints will be assessed. The TIO can make binding determinations including awards of compensation where appropriate of up to $10,000 and can recommend payments of up to $50,000.

Unauthorised uses or disclosures of personal data in breach of Part 13 are criminal offences punishable by up to 2 years imprisonment.

The complaints handling and enforcement aspects of the telecommunications privacy regime meet many of the standards envisaged in Articles 22-24 and 28 of the EU Directive, except that there is no provision for remedies to be enforced by a constitutionally independent judiciary, and the supervisory responsibilities are somewhat fragmented between ACIF, the ACA and the TIO.

It is however expected that the Code on Customer Personal Information will be submitted for approval by the Privacy Commissioner under the new general private sector legislation[63]. If this happens, then depending on what role for the Privacy Commissioner is envisaged, the complaints handling and enforcement and supervisory aspects of the telecommunications regime may come into line with those applying more generally (see below).

The rest of the Private Sector

Scope of Regulation and Overview


Until recently, the remainder of the private sector, outside consumer credit reporting and telecommunications, has been statutorily subject only to some very specific privacy rules relating to the use of the federal government tax file number (under the Privacy Act 1988) and to old criminal convictions (under the Crimes Act).

Private businesses providing services under contract to government agencies may have been subject to contractual provisions relating to privacy. The federal Privacy Commissioner has taken the view that this is a requirement under the security principle of the 1988 Act and has issued model contractual clauses for use by Commonwealth agencies. The NSW Privacy Commissioner has issued similar advice.

Some sectors have taken the initiative and developed voluntary codes of practice incorporating some or all of the National Privacy Principles (NPPs). These principles were developed by the Privacy Commissioner through a consultative process between 1997 and 1999 as a template for self-regulation (during this period the federal government's position was to favour self-regulation over statutory controls). The main Codes of Practice are as follows:

Direct Marketing Code of Practice


This was developed by the Australian Direct Marketing Association (ADMA) and includes the full set of National Privacy Principles (1998 version). It also has a code administration committee and process for dealing with complaints from consumers about breaches of the Code. Although consumer and privacy groups have been critical of some aspects of the Code, it was approved in 1999 by the Australian Competition and Consumer Commission (ACCC) as being sufficiently in the public interest to outweigh its anti-competitive effect. Adoption of the Code of Practice is a condition of membership of ADMA.

General Insurance Industry Information Privacy Principles

This scheme, launched in 1998, incorporates all of the National Privacy Principles (1998 version) except for the anonymity principle, and has a supervisory and complaint handling mechanism through a privacy compliance committee of the existing insurance industry complaint body, Insurance Enquiries and Complaints Ltd. General insurers have been invited to adopt the principles and implement them no later than August 2000, but to date only some 30 insurers, representing less than 10% of general insurance business, have done so. Many insurers have taken the view that they will await the forthcoming legislation.

Internet Industry Association Code of Practice

The Internet Industry Association (IIA) has developed a Code of Practice which contains both general privacy principles and specific rules relating to unsolicited e-mail (spam). Although the privacy section, which incorporates the National Privacy Principles, has been settled since 1998, it is only recommended by IIA for voluntary adoption by members, and there is as yet no supervisory or complaint handling machinery.

The new legislation

In December 1999 the federal government announced that it would now legislate for private sector privacy. After another round of consultation, in April 2000 a Privacy Amendment (Private Sector) Bill was introduced into Parliament. It was referred to a House of Representatives Committee (HoR Committee) which reported in July, recommending several significant changes[64]. Two Senate Committees also examined the legislation and also made suggestions for changes[65]. The legislation was finally enacted in December 2000 with only relatively minor amendments.

The scheme of the Act is expressly intended to meet international concerns and obligations.[66] One specific way in which it seeks to meet this objective is by provision for extra-territorial effect. The Act provides for the law to apply to acts or practices engaged in outside Australia by organizations subject to Australian law, including non-resident organizations carrying on business in Australia, in respect of personal information collected or held in Australia.[67] The same clause also provides for the Privacy Commissioner to take action overseas to investigate complaints. While this is a generally helpful provision, it is limited to information about Australian citizens or permanent residents. This means that the Act would not apply to data about foreigners transferred out of Australia, which significantly undermines the effectiveness of the onward transfer principle (NPP 9) discussed below.

The definitional problems which apply under the existing Privacy Act (discussed above under public sector - scope and overview) are extended by the amendments to the private sector. They include the concept of a record, the exclusion of generally available publications (expressly extended by the new amendments by the addition of 'however published'[68], which increases the risk of abuse) and the uncertain application of the Act to e-mail addresses.

The amendments only apply some of the National Principles to information collected before the commencement of the legislation. The principles dealing with collection (NPPs 1 and 10, and part of NPP 3), use (NPP 2), access (NPP 6) and anonymity (NPP 8) apply only to information collected, or transactions entered into, after commencement. The other principles apply to all information whenever it was collected.[69]

The legislation will commence on 22 December 2001 (12 months after receiving the Royal Assent)[70]. Small businesses are granted a further twelve months to comply with some principles.[71]

Exemptions and restrictions


Exemptions from the new private sector regime under the Commonwealth Act are of two types - exemptions (mostly conditional) for specified organizations, and exemptions for specified activities.

There is an unconditional exemption for state owned government business enterprises.[72] Given the exemption for state owned corporations in the NSW Act this leaves most state owned enterprises in the country without any statutory privacy controls (although the Victorian Act covers theirs).

There is a conditional exemption for small businesses, defined as those with an annual turnover of less than $3 million.[73] According to the government, this will have the effect of exempting over 1 million, or 94%, of all businesses.[74] The exemption is conditional on the business not holding health information other than as part of employee records, and not collecting or disclosing personal information for a consideration. All small businesses are given an extra 12 months to comply. As the HoR Committee Report noted, the exemption is quite complex and may be very difficult to apply in practice. The report recommended that otherwise exempt small businesses be allowed to opt in, but accepted the government's arguments for a broad exemption. The government accepted the opt-in proposal.[75]

There is a conditional exemption from the collection and disclosure principles for 'related bodies corporate'.[76] This would have the effect of allowing (non-sensitive) personal information to be transferred between different business entities that are related through ownership without the normal application of the notice requirements and use and disclosure limitations, provided it did not exceed individuals' reasonable expectations. Critics of the then Bill suggested that this could be a major loophole through which corporate groups could evade the purpose limitation objective, and could even act as an incentive, in combination with the small business exemption, for structuring of business groups expressly to weaken the effect of the privacy law.[77]

There is a conditional exemption for employee records, broadly defined[78]. The HoR Report rejected the government's contention that sufficient protection was contained in workplace relations legislation, and recommended a significant narrowing of the exemption.[79] The government refused to accept any changes to this exemption, but has established a working party to look at the issue of privacy protection for employee records.

There is a conditional exemption for media organizations in the course of journalism. Journalism is very broadly defined (essentially covering any activity with the aim of publication) and was the subject of critical submissions to the HoR Committee. The Committee's report stops short of recommending limits to the exemption but does suggest it be made subject to a code, and that it be kept under review. The government accepted this suggestion.[80]

There is an exemption for political acts and practices[81] which means that none of the Principles will apply to political parties, their volunteers and contractors, or to elected representatives. The HoR Committee recommended that some conditions be placed on this exemption but this was not accepted by the government and the exemption passed unaltered.

There is also an uncontroversial exemption for individuals undertaking activities 'other than in the course of business' designed to exempt processing for personal, family or household affairs.[82]

Contractors to Commonwealth and State agencies are exempted from the private sector National Privacy Principles (NPPs) in relation to those records for which they are contractually bound to observe the public sector IPPs or state equivalents (see above)[83]. A contractor to the Commonwealth which is a small business otherwise exempt from the NPPs remains covered by the Act in relation to the IPPs.[84]

The discussion of the principles which follows takes the default National Privacy Principles as the standard with which all organizations will have to comply under the legislation. This is not strictly correct, in that organisations can apply for approval of Codes of Practice. However, any Code must either incorporate the National Privacy Principles or 'set out obligations that, overall, are at least the equivalent of all the obligations set out in [the NPPs]'.[85] On the assumption that the Privacy Commissioner will not approve any Code that sets out lesser standards (he/she could be judicially reviewed if he/she did so), it is safe to refer to the NPPs throughout the remainder of this paper.

There is however provision in the legislation for 'waivers' from the application of the NPPs, going beyond any of the statutory exemptions already discussed above. As noted in the Public Sector section of this paper, the existing Privacy Act contains a mechanism for the Privacy Commissioner to make a Public Interest Determination allowing a derogation from the IPPs. Under the private sector amendments, this mechanism is extended to the NPPs, and a new facility is introduced for temporary determinations, pending consideration of a full Determination.[86] Full determinations are subject to an elaborate and public consultation process and both full and temporary determinations are subject to disallowance by Parliament.

Purpose Limitation Principle


The Act will require private sector organizations that are not exempt to comply with the National Privacy Principles (NPPs) (from December 2001). NPPs 1 & 2 between them cover the purpose limitation principle by requiring collection of personal information to be necessary and by fair and lawful means[87], and by placing limits and conditions on use and disclosure.[88]

These provisions are broadly consistent with Articles 6 & 7 of the Directive, but with at least two significant differences.

NPP 2 arguably goes further than Articles 6 & 7 in allowing unconditional processing (use and disclosure) for the 'primary' purpose of collection and 'related purposes within the reasonable expectation of the individual'.[89] The 'exceptions' in the rest of the principle only apply to 'secondary' purposes. The related purpose exception in particular appears much broader than the 'not incompatible' in Article 6.1(b).

One of the secondary use/disclosure exceptions in NPP 2 is where the use/disclosure is 'required or authorized by or under law' - similar to that in IPPs 10 & 11 in the public sector regime. As already noted, this is a wider exception than the criteria in Article 7 of the Directive.[90]

Both the banking and health sectors claimed in debate that they are already subject to strict common law duties of confidentiality. While this duty provides useful support to a non-disclosure principle, it does not apply to internal uses, nor even to some external transfers for the purposes of the organization. The common law duty is also limited to information which is inherently confidential - and the courts have defined this much more narrowly than the scope of personal information with which privacy laws are concerned.

Data Quality Principle


NPP 3 requires organizations to take reasonable steps to make sure that the personal information they collect, use or disclose is accurate, complete and up-to-date. This is consistent with Article 6(d) of the Directive, but omits the additional requirement in 6(c) for 'adequate, relevant and not excessive'. It could be argued that the requirement of 'necessity' for purpose in NPP 1 automatically ensures relevance, but it is interesting to note that relevance is included in the equivalent IPP for Commonwealth public sector agencies[91], and in the NSW Act, which also includes 'adequate' and 'not excessive'.[92]

Transparency Principle


National Privacy Principle 5 (Openness) requires organizations to be open about their management of personal information. NPP 1 includes a requirement to give notice of various matters when collecting personal data. These provisions are consistent with Articles 10 & 11 of the EU Directive, although there has been some criticism of the discretion to notify after collection where notification prior or at the time of collection is not practicable.[93]

Rights of Access, Rectification and Opposition


Access & Correction

NPP 6 provides a right of access for individuals to personal information about themselves and a right of correction, subject to various exceptions. Both the rights and the exceptions are broadly consistent with the equivalent provisions in Articles 12 & 13 of the EU Directive. However, the Act now expressly extends the limitation of the correction right to Australian citizens and permanent residents, referred to already in the public sector section, to NPP6[94], thereby leaving citizens of other countries no opportunity for remedies for breaches of this Principle.

There is no express provision encouraging organizations to provide as much information as possible, even where an exception is claimed, by severing or selectively deleting the withheld information. Case law under Freedom of Information Acts, which has been the mechanism for delivering the access right in the public sector, has clearly established that this is required. It has been suggested that private sector organizations are more likely to use an exception as an excuse for total withholding, and that a statutory requirement to provide as much information as possible would be desirable.

Rights of Opposition

NPP 2.1(c) provides for a partial right of opposition to direct marketing, by requiring organizations to offer individuals an opt-out. However, this provision only applies where the use for direct marketing is not part of the primary purpose or 'directly related and within the individual's reasonable expectations'.[95] This means that in practice, there will be many direct marketing activities where individuals do not have to be offered an opt-out opportunity.

It remains unclear whether the omission of 'disclosure' from NPP 2.1(c) works to the advantage or disadvantage of individuals. On one view, it means that disclosure for direct marketing (eg sale of lists) has to satisfy one of the other exceptions in NPP 2 - such as consent (NPP 2.1(b)). On another view, which sees 2.1(c) as an 'extra' condition, there is never a statutory requirement to offer an opt-out from disclosure, and organizations are free to make it part of their primary purpose or to try to influence their customers' expectations so as to satisfy 2.1(a).

The Codes of Practice which incorporate earlier versions of the NPPs (including the ADMA Direct Marketing Code mentioned above) and which are already being followed by some organizations, are subject to the same limitations and ambiguities in relation to NPP 2.1(c) as the Act itself. The best that can be said is that NPP 2.1(c) wherever it appears only partially provides the protection envisaged by Article 14 of the EU Directive.

Security Principle


NPP 4 is a comprehensive security principle which is consistent with Articles 16 & 17 of the EU Directive.

Sensitive Data


National Privacy Principle 10 only limits collection of the sensitive data categories. There are no special restrictions or conditions on the use or disclosure of sensitive data - other than health data, for which there are some modifications to NPP 2. The Act therefore allows most sensitive information which has been collected for a legitimate purpose to be used for other purposes subject only to the normal restrictions in NPP 2.

There is considerable debate about whether the special health information provisions actually provide a higher level of protection, or have the opposite effect of authorizing a wider range of uses and disclosures than would otherwise be the case.[96] Health consumer groups are generally opposed to the provisions for health privacy, and are campaigning for separate tougher legislation with more emphasis on patient consent - along the lines of the existing ACT legislation.[97] As already noted, the Victorian government has decided to legislate separately and has introduced a Health Records Bill to cover not only state agencies but any organizations funded by the State.

The proposed private sector privacy regime does not generally provide equivalent protection for sensitive data to that envisaged in Article 8 of the EU Directive.

Onward Transfers


NPP 9 is a principle dedicated expressly to the regulation of transfers of personal information to foreign countries. The principle is modelled on Articles 25 & 26 of the EU Directive and seeks to achieve the same objective - ensuring as far as possible continued and adequate privacy protection for 'exported' data.

Unlike the earlier versions of this principle, which dealt with 'other jurisdictions' rather than foreign countries, NPP9 does not now provide any protection where personal information is transferred either to a State or Territory government which is not subject to a privacy law or to one of the large number of private sector organizations which will be exempt from the Commonwealth regime (see above).

The principle itself, in its application to 'foreign' transfers, differs in some significant respects from the terms of Articles 25 and 26.
  • Under the Commonwealth Act, consent for transfer does not have to be 'unambiguous', and organizations are allowed to make an assumption about the likelihood of consent where it is impracticable to obtain it.[98]
  • Organisations are allowed to make their own assessment of whether there is 'adequate protection' in the destination country.[99]
  • The exception where 'the organization has taken reasonable steps to ensure that the information ...will not be held, used or disclosed inconsistently with the NPPs'[100] is much weaker than the nearest equivalent in Article 26(2) in that it addresses only standards and not safeguards and the exercise of rights.
  • There is no equivalent in NPP 9 to the public interest, legal claims, or vital interests derogations in Article 26, although it is assumed that the government intends to provide for these in some other way - otherwise a range of important cross-border transfers, including for law enforcement or major emergencies, would be prohibited.

While the intention of NPP 9 is to provide an equivalent to Articles 25 and 26, it appears to fall short of those provisions in a number of key respects, while in other respects being more restrictive.

Independent investigation and adjudication of complaints


Complaint handling and enforcement under the proposed general private sector privacy regime is complicated by the provision for these matters to be dealt with, at least partially, in Codes of Practice.

Private sector organizations can develop a Code of Practice and submit it to the Privacy Commissioner for approval. A Code may contain a customized version of the National Privacy Principles (provided they are at least equivalent) and may also contain procedures for making and dealing with complaints (which have to meet prescribed standards - some set out in the Act[101] and some in a government benchmark[102]). A Code of Practice could establish a Code Adjudicator body which would fulfil some of the functions of the Privacy Commissioner.

For organizations not subject to an approved Code, the default provisions of the Act will apply. These include most of the complaint handling and enforcement provisions that apply to public sector agencies under the pre-existing Act. As already noted above, these appear at first sight to meet the standards envisaged in Articles 22-24 and 28 of the EU Directive, in respect of judicial remedies, compensation, sanctions and supervision.

However, critics of the private sector amendments pointed out an inequity and defect in the enforcement provisions.[103] The Act provides for determinations of Code Adjudicators to be enforced by the Federal Court or Magistrates Court (after a de novo hearing) in the same way as determinations of the Privacy Commissioner; Code Adjudicators, like the Commissioner, are also subject to judicial review on points of law. But there was no provision for complainants to appeal against an adverse decision by the Commissioner or a Code Adjudicator. This effectively meant that while a respondent organization has a right of appeal on the merits of a complaint (by refusing to comply with a determination and having its case re-heard in court), a complainant can only appeal against a procedural defect.

While this flaw has also applied to the public sector regime which has been in operation for 12 years, critics suggest that it only becomes a serious matter with the extension of the law to the private sector. Public sector agencies are less likely to refuse to comply with determinations (it has not happened yet, although there have only been a handful of determinations), whereas experience in other rights tribunals suggests that many private sector respondents may resist. The government accepted this argument and made a last-minute change to the legislation to provide a right of appeal from decisions of Code Adjudicators to the Privacy Commissioner.[104]

While Code Adjudicators will not have the same powers as the Privacy Commissioner (to investigate, call witnesses, require the provision of information, etc.), their ability to refer complaints to the Commissioner[105], and more importantly the right of appeal, should prevent this from being a major weakness.

It is not clear from the Act whether Code Adjudicators will be required to publish their determinations, as the Commissioner is required to do. At least one critic has suggested that this is a serious lack of transparency and will hinder public scrutiny of the effectiveness of Codes of Practice.[106]

Of the existing voluntary Codes of Practice that incorporate earlier versions of the National Privacy Principles, only the ADMA Direct Marketing Code and the General Insurance Industry Privacy Principles have established and theoretically functioning complaint bodies. However, the Insurance Privacy Compliance Committee has yet to receive any complaints, and there is no information publicly available about the operation of the ADMA scheme. Both have been criticized by consumer groups for not meeting all of the standards for independent complaint handling which are proposed as the minimum under the Act as amended[107]. They certainly do not meet all of the EU Directive standards in relation to judicial remedies, compensation, sanctions and supervision.[108]


*************************************
Nigel Waters, Pacific Privacy Pty Ltd
02 4981 0828 or 0407 230 342
nigelwaters@primus.com.au
*************************************


[1] most recently Recommendation 1/2000 on the Implementation of Directive 95/46/EC and Opinion 1/2001 on the Draft Commission Decision on Standard Contractual Clauses for the transfer of Personal Data to third countries under Article 26(4) of Directive 95/46; for both see <http://www.europa.eu.int/comm/internal_market/en/media/dataprot/wpdocs/index.htm>
[2] The EU Commission has already issued adequacy assessments of Hungary, Switzerland and the US http://www.europa.eu.int/comm/internal_market/en/media/dataprot/news/safeharbor.htm , while the Article 29 Working Party has issued an opinion on Canada; see <http://www.europa.eu.int/comm/internal_market/en/media/dataprot/wpdocs/index.htm>
[3] See http://www.privacy.gov.au/
[4] See http://www.lawlink.nsw.gov.au/pc
[5] The exemptions are to be found partly in the definitions in s.6 and partly in Schedules to the Freedom of Information Act which are 'imported' by reference in s.7.
[6] Privacy Act 1988 (Cwth) s.41(4).
[7] Privacy Act 1988 (Cwth), s.14 - IPPs 1,10 & 11; Privacy and Personal Information Protection Act 1998 (NSW), ss.8,17 & 18; Information Privacy Act 2000 (Vic), Schedule 1, IPPs 1.1 and 2.
[8] Privacy Act 1988 (Cwth), s.14 - IPPs 3 & 8; Privacy and Personal Information Protection Act 1998 (NSW), ss.11 & 16; Information Privacy Act 2000 (Vic), Schedule 1, IPPs 3.
[9] Privacy Act 1988 (Cwth), s.14 - IPP 4; Privacy and Personal Information Protection Act 1998 (NSW), ss.12(a); Information Privacy Act 2000 (Vic), Schedule 1, IPP 4.2.
[10] Privacy Act 1988 (Cwth), s.14 - IPP 4; Privacy and Personal Information Protection Act 1998 (NSW), ss.12(a); Information Privacy Act 2000 (Vic), Schedule 1, IPP 4.2.
[11] Privacy Act 1988 (Cwth), s.14 - IPP 2; Privacy and Personal Information Protection Act 1998 (NSW), s.10; Information Privacy Act 2000 (Vic), Schedule 1, IPPs 1.3 & 1.5.
[12] Privacy Act 1988 (Cwth), s.6
[13] see Submission to House of Representatives Committee on the Privacy Amendment (Private Sector) Bill 2000, s.6.2.
[14] Privacy Act 1988 (Cwth) s.41(4).
[15] Privacy Act 1988 (Cwth) Pt VI.
[16] As at February 2001, the Minister had approved ten Codes, covering health, police, local government, housing, Legal Aid Commission, Dept of Fair Trading, Bureau of Crime statistics, workforce profiling, the DPP, and law enforcement and investigative agency access to public registers. A further eight codes were listed by Privacy NSW as submitted, proposed or released for consultation
[17] Privacy Act 1988 (Cwth), s.14 - IPPs 1,10 & 11; Privacy and Personal Information Protection Act 1998 (NSW), ss.8,17 & 18; Information Privacy Act 2000 (Vic), Schedule 1, IPPs 1.1 and 2.
[18] Privacy Act 1988 (Cwth), s.14 - IPPs 3 & 8; Privacy and Personal Information Protection Act 1998 (NSW), ss.11 & 16; Information Privacy Act 2000 (Vic), Schedule 1, IPPs 3.
[19] Privacy Act 1988 (Cwth), s.14 - IPP 4; Privacy and Personal Information Protection Act 1998 (NSW), ss.12(a); Information Privacy Act 2000 (Vic), Schedule 1, IPP 4.2.
[20] Privacy Act 1988 (Cwth), s.14 - IPP 4; Privacy and Personal Information Protection Act 1998 (NSW), ss.12(a); Information Privacy Act 2000 (Vic), Schedule 1, IPP 4.2.
[21] Privacy Act 1988 (Cwth), s.14 - IPP 2; Privacy and Personal Information Protection Act 1998 (NSW), s.10; Information Privacy Act 2000 (Vic), Schedule 1, IPPs 1.3 & 1.5.
[22] Privacy Act 1988 (Cwth), s.27(1)(g); Privacy and Personal Information Protection Act 1998 (NSW), s.40.
[23] Privacy Act 1988 (Cwth), s.14, IPPs 6 & 7; Privacy and Personal Information Protection Act 1998 (NSW), ss.14 & 15; Information Privacy Act 2000 (Vic), Schedule 1, IPP 6.
[24] Privacy Act 1988 (Cwth) s.41(4).
[25] Privacy and Personal Information Protection Act 1998 (NSW), ss 57-59
[26] Privacy Act 1988 (Cwth), s.14, IPP 4; Privacy and Personal Information Protection Act 1998 (NSW), s.12; Information Privacy Act 2000 (Vic), Schedule 1, IPP 4.
[27] Crimes Act 1914, Part VIIC.
[28] National Health Act 1953 s.135AA.
[29] Privacy and Personal Information Protection Act 1998 (NSW), s.19(1).
[30] IPP2
[31] Information Privacy Act 2000 (Vic), Schedule 1, IPP 7.
[32] Privacy Act 1988 (Cwth), s.14, IPP4
[33] Privacy and Personal Information Protection Act 1998 (NSW), s.19(2)-(5).
[34] Privacy and Personal Information Protection Act 1998 (NSW), ss.23-28.
[35] Information Privacy Act 2000 (Vic), Schedule 1, IPP 9.
[36] Information Privacy Act 2000 (Vic), s.58(f)
[37] Privacy Act 1988 (Cwth), Part V; Privacy and Personal Information Protection Act 1998 (NSW), Part 4 Division 3.
[38] Privacy Act 1988 (Cwth), Part IV Division 1; Privacy and Personal Information Protection Act 1998 (NSW), Schedule 1; Information Privacy Act 2000 (Vic), Part 7.
[39] Information Privacy Act 2000 (Vic), Part 7 and
[40] The Federal Court or Magistracy; the NSW Administrative Decisions Tribunal and the Victorian Civil and Administrative Tribunal.
[41] Privacy Act 1988 (Cwth), s.18K.
[42] Privacy Act 1988 (Cwth) ss.18L, 18N.
[43] Privacy Act 1988 (Cwth) s.18G.
[44] Credit Reporting Code of Conduct 1996, 1.3-1.5
[45] see Privacy Act 1988 (Cwth) s.18E(8)(c).
[46] see Credit Reporting Advice Summaries, Part 8.
[47] Privacy Act 1988 (Cwth) s.18H.
[48] Privacy Act 1988 (Cwth) s.18L(c).
[49] Privacy Act 1988 (Cwth) s.18G.
[50] Privacy Act 1988 (Cwth) s.18E(2).
[51] Privacy Act 1988 (Cwth) s.18G(c).
[52] see the section on public sector privacy, and the Privacy Commissioner's web site at http://www.privacy.gov.au/
[53] being a breach of ss.18J, 18L, 18N, 18P or 18Q of the Privacy Act 1988 (Cwth).
[54] Privacy Act 1988 (Cwth) s.18R.
[55] Privacy Act 1988 (Cwth) ss.18S and 18T.
[56] see http://www.aca.gov.au
[57] Telecommunications Act 1997 (Cwth), Part 13.
[58] The same NPPs which now form the core of the proposed 'private sector' amendments to the Commonwealth Privacy Act 1988.
[59] Industry Code Protection of Personal Information of Customers of Telecommunications Providers, developed by the Australian Communications Industry Forum and registered by the Australian Communications Authority on 1 May 2000.
[60] Industry Code Calling Number Display, developed by the Australian Communications Industry Forum and registered by the Australian Communications Authority on 1 July 2000
[61] Rule 6.1(c).
[62] see http://www.tio.com.au
[63] See Explanatory Memorandum on the Privacy Amendment (Private Sector) Bill 2000, paras 383-385.
[64] House of Representatives Legal & Constitutional Affairs Committee Advisory Report on the Privacy Amendment (Private Sector) Bill 2000, July 2000 (HoR Report) - available on line at http://www.aph.gov.au/house/committee/laca/Privacybill/contents.htm
[65] Senate Standing Committee on Legal & Constitutional Affairs - report on the Privacy Amendment (Private Sector) Bill 2000 at http://www.aph.gov.au/senate/committee/legcon_ctte/privacy/index.htm ; and Select Committee on Information Technologies inquiry into e-Privacy (no final report).
[66] Privacy Amendment (Private Sector) Act 2000, s.3(b)(i).
[67] Privacy Act 1988, as amended in 2000, s.5B.
[68] Privacy Amendment (Private Sector) Act 2000, Schedule 1, s.l.14 .
[69] Privacy Act 1988, as amended in 2000, s.16C.
[70] Privacy Amendment (Private Sector) Act 2000, s.2.
[71] Privacy Act 1988, as amended in 2000, s.16D.
[72] Privacy Act 1988, as amended in 2000, s.6C(1), (3) & (4).
[73] Privacy Act 1988, as amended in 2000 s.6C(1) and 6D.
[74] HoR Report, p11.
[75] Privacy Act 1988, as amended in 2000, new s.6EA.
[76] Privacy Act 1988, as amended in 2000, s.13B
[77] HoR Report, Chapter 9.
[78] Privacy Act 1988, as amended in 2000, s.7B(3).
[79] HoR Report, Chapter 3.
[80] Privacy Act 1988, as amended in 2000, s.7B(4)
[81] Privacy Act 1988, as amended in 2000, s.7C
[82] Privacy Act 1988, as amended in 2000, s.7B(1)
[83] Privacy Act 1988, as amended in 2000, s.7B(5)
[84] Privacy Act 1988, as amended in 2000, s.7B(2)
[85] Privacy Act 1988, as amended in 2000, s.18BB.
[86] Privacy Act 1988, as amended in 2000, Part VI Division 2.
[87] Privacy Act 1988, as amended in 2000, Schedule 3, NPP1.1 & 1.2
[88] Privacy Act 1988, as amended in 2000, Schedule 3, NPP2
[89] Privacy Act 1988, as amended in 2000, Schedule 3, NPP2.1 and 2.1(a).
[90] in particular, Article 7(c) and (e).
[91] Privacy Act 1988 (Cwth), s.14 - IPP3(c).
[92] Privacy and Personal Information Protection Act 1998 (NSW) s.11.
[93] Privacy Act 1988, as amended in 2000, Schedule 3, NPP1.3.
[94] Privacy Act 1988, as amended in 2000, s.41(4).
[95] being alternative bases for use in NPP 2.1 and 2.1(a).
[96] HoR Report, Chapters 6 & 7
[97] Health Records (Access and Privacy) Act (ACT) 1997
[98] Privacy Act 1988, as amended in 2000, Schedule 3, NPP9(b) and (e).
[99] Privacy Act 1988, as amended in 2000, Schedule 3, NPP9(a).
[100] Privacy Act 1988, as amended in 2000, Schedule 3, NPP9(f).
[101] Privacy Act 1988, as amended in 2000, s.18BB(3).
[102] Benchmarks for Industry-Based Customer Dispute Resolution Schemes published by the Consumer Affairs Division of what was then known as the Department of Industry, Science and Tourism (August 1997).
[103] HoR Report, Chapter 10.
[104] Privacy Act 1988, as amended in 2000, s.18BI
[105] Privacy Act 1988, as amended in 2000, s.40(1B).
[106] Submission to the HoR Committee by Professor Graham Greenleaf, University of New South Wales.
[107] Benchmarks for Industry-Based Customer Dispute Resolution Schemes; see footnote 102.
[108] Articles 22-24 and 28


URL: http://www.worldlii.org/int/other/PrivLRes/2001/3.html