WARNING:
This Digest was prepared for debate. It reflects the legislation as
introduced and does not canvass subsequent amendments. This Digest
does not have any official legal status. Other sources should be
consulted to determine the subsequent official status of the
Bill.
CONTENTS
Passage History
Purpose
Background
Main Provisions
Concluding Comments
Endnotes
Contact Officer & Copyright Details
Privacy Amendment Bill 1998
Date Introduced: 5 March 1998
House: Representatives
Portfolio: Attorney-General
Commencement: 28th day after Royal Assent
The purpose of
the Bill is to extend the Privacy Act 1988 to cover some
private sector organisations contracted to provide a service to the
Commonwealth.
The Privacy Act 1988 (the Principal
Act) deals with the gathering, processing and dissemination of
information about the individual. It sets down detailed Information
Privacy Principles regulating the handling of personal information
by Commonwealth Government agencies and ACT Government agencies.
The Information Privacy Principles are based on the Organisation
for Economic Co-operation and Development Guidelines of 1980 on the
protection of privacy, to which Australia is a signatory.
After a pre-election commitment to extend
privacy regulation to the private sector the Attorney-General
announced in September 1996 that the Government would be
legislating to extend the Privacy Act to the private sector.(1)
There were some enthusiastic responses to the proposal and a
discussion paper was issued.(2) There was also a range of
responses to the discussion paper.
In March 1997 the Prime Minister announced that
the Government would not legislate to extend the Privacy Act to the
private sector and that it had made efforts to dissuade State or
Territory Governments from introducing privacy legislation that
would impact on the private sector, citing concern for the
implications in compliance costs.(3) This announcement attracted
quite a degree of community and media attention and some strenuous
criticisms.(4) There was also a suggestion that trade with Europe
could be affected if Australia's privacy legislation was not
sufficiently strengthened.(5) The current Bill will cover some
private sector bodies, but only in so far as they are providing
services traditionally provided by the public sector.
It has been pointed out that, to the extent that
they are concerned with commercial factors, the private sector does
not need to be concerned with issues of privacy unless the approach
adopted has a significant impact on business.(6) In 1994 the
Privacy Commissioner issued Guidelines regarding the need to
include appropriate terms and conditions in contracts between
Commonwealth agencies and the private sector.(7) The outsourcing of
government functions has generally involved such conditions and
requirements being placed into contracts. However, this has not
necessarily meant that individuals affected have a right of redress
since they are not parties to the contract and the private sector
bodies have not previously been subject to the specific
requirements of the Principal Act. The difficulties of ensuring
that contracting bodies comply with the privacy requirements in the
contract are significant. The contract laws are a rather 'blunt
instrument' when dealing with breaches of the principles of
privacy.(8)
There are also questions raised by the Bill as
to how access should be provided to information. The
inter-relationship between the Principal Act and the Freedom of
Information Act 1982 was examined by the Australian Law Reform
Commission and Administrative Review Council in 1996.(9) There has
yet to be a government response to the Report, but the outsourcing
issue has forced a partial response.
The provisions of the Bill seek to ensure that
services can be included or excluded by regulation. (This occurs in
the proposed subsection 6(1) definition of 'excluded funded
service'.) The provisions allowing inclusion or exclusion by
regulation rather than legislation may be the source of some
controversy on the grounds that it detracts from the role of
Parliament in an important policy area.
Item 1 inserts into subsection
6(1) of the Principal Act an extension of the definition of agency
which will cover a 'contracted service provider'. Item
4 defines contracted service providers, to include any
person under contract to a Commonwealth agency, although there are
exceptions established in item 6 ('excluded funded
services'). The exceptions include the services specified in
Schedule 3 and a mechanism is provided which will
allow services to either be added to or subtracted from the list of
excluded funded services by regulation (item 6).
The services currently listed in Schedule 3 are
quite extensive and include a range of health service providers and
services provided to members of the public with regard to family
relationship by community-based or volunteer organisations. These
agencies are currently not subject to the Principal Act and,
according to the Explanatory Memorandum, should not be covered
because it would be a significant extension of the Act and
unrelated to preserving the existing protections it offers.
The definition of a 'contracted service
provider' extends to the use of sub-contractors and the provision
of services to third parties in connection with the Commonwealth
agency's functions (items 3 & 8). Under
proposed section 6A the definition of a contracted
service provider would also cover 'notional contracts' between
Commonwealth agencies.
This means that the Information Privacy
Principles will apply to contracted service providers - i.e. the
same protections will apply to information held by private sector
agencies entering into a contract with the Commonwealth as the
protections offered to personal information held by a Commonwealth
agency. The new definition of contracted service provider is more
expansive than previous itemised coverage and so it subsumes the
specific coverage of an eligible case manager, the nominated
Australian Government Health Services company and eligible hearing
service providers (there are numerous consequential amendments). By
using the past tense with respect to the contract the provisions of
item 4 ensure that complaints can be taken to the
Privacy Commissioner after the completion or termination of the
contract.
Item 7 inserts a definition of
'outsourcing agency' into section 6. An outsourcing agency is
defined as the Commonwealth agency to which the services are
provided under a Commonwealth contract. This definition is then
used to deal with the transfer of information between the
outsourcing agency and a contracted service provider (item
22) and is used in the sections dealing with the
regulation and handling of complaints involving contracted service
providers. Item 22 defines the transfer of
information between an outsourcing agency and a contracted service
provider as a 'use' rather than a disclosure. This means that
Information Privacy Principle 10, rather than Information Privacy
Principle 11 applies to the transfer and makes the process of
transfer less onerous.
Item 9 inserts proposed
subsections 6(4A) & 6(4B) to specify that the
contracted service provider is only covered in so far as they are
providing services under a Commonwealth contract. This ensures that
private sector bodies which hold personal information are not
generally required to comply with the Principal Act but only when
providing a service under a Commonwealth contract. It also means
that the personnel records of the service provider are not covered
by the Act. Proposed subsection 6(4C) excludes the
Australian Capital Territory from the Bill's proposed extension of
coverage.
Section 7 of the Act sets out the acts and
practices that are covered by the various provisions of the Act.
Items 11, 13 and 14 combine to create the new
definitions of the acts and practices of a contracted service
provider which are covered. There are exempt acts and practices
defined by item 18 which give the contracted
service provider the same exemptions as the outsourcing agency. A
proposed subsection 8(1A) ensures that the acts
and practices of someone acting on behalf of the contracted service
provider are also covered, even in the absence of an employee
relationship or contract.
Item 20 provides for a new
section 8A which would attribute the actions of a
contracted service provider who is not resident in Australia to the
responsible agency. The responsible agency is the body which last
made the personal information available to the non-Australian based
contracted service provider. This brings responsibility for actions
which may be taken overseas within the ambit of Australia's
Privacy Act.
Item 23 makes amendments to
section 15 which make provisions about when the various Information
Privacy Principles come into operation with respect to a contracted
service provider. Principles 1, 2 and 3, which deal with the
collection of information, apply after commencement of the
amendments. Principles 4, 8 and 9, which deal with storage,
accuracy and relevance to the use of records, apply to information
collected both before and after the amendments.
Principles 10 & 11, which deal with use and
disclosure, apply differently according to who collected the
information. In the case of information collected by a Commonwealth
agency the principles apply to information collected both before
and after the Bill, however in the case of information collected by
the contracted service provider they only apply to information
collected after the Bill. The extent to which Principles 10 &
11 can be complied with is affected by the process of collecting
the information, however it would still, on occasions, be possible
to apply these principles to information collected by the
contracted service provider when the process of collection had not
been governed by the requirements of the Act.
Principles 5, 6 and 7 are all related to the
rights to access information and have alterations made. The
Explanatory Memorandum foreshadows amendments to the Freedom of
Information Act 1982, which is given as the reason these
principles will come into force only once the date, to be
determined by these foreshadowed amendments, has been gazetted.
Principle 5 has various requirements regarding how the holder of
information makes it public what information they are holding.
Item 24 makes provisions that would enable the
outsourcing agency to take the actions necessary for Principle 5 to
be complied with, rather than the contracted service provider. It
also makes provisions for the outsourcing agency to be the body
which deals with freedom of information requests.
Proposed sections 30(3)(da) &
32(2) require the Privacy Commissioner to give reports
regarding a contracted service provider who may not be complying
with the Information Privacy Principles to the outsourcing agency
as well as the Minister. Similarly, notice must be given to the
outsourcing agency of the Commissioner's determinations in a case
involving a contracted service provider (proposed section
53A).
The proposed amendments to section 36 would
ensure that when handling a complaint the Privacy Commissioner can
allow the complainant to amend the complaint to specify the
contracted service provider as the respondent, instead of the
outsourcing agency. This will cater for situations where it might
be unclear whether it's the outsourcing agency or the contracted
service provider who may have violated the requirements of the Act.
The Commissioner is required to inform the outsourcing agency when
he or she is investigating a complaint against a contracted service
provider. There are also requirements for the outsourcing agency to
be informed regarding a discontinued investigation against a
contracted service provider.
Proposed sections 50A and 52A
would allow the Privacy Commissioner to substitute the outsourcing
agency for the contracted service provider if the contracted
service provider dies or ceases to exist (or becomes bankrupt or
insolvent etc.) and a complaint could not be dealt with
appropriately otherwise. These provisions would ensure that a
complainant was not left without remedy in the case of a breach of
the Privacy Principles and that the outsourcing agency retains a
degree of responsibility regarding the behaviour of the contracted
service provider.
Schedule 2 of the Bill provides
for amendments to be made to the Disability Discrimination Act
1992, Racial Discrimination Act 1975, and Sex
Discrimination Act 1984 which will prevent the extension being
made to the Principal Act from applying to these Acts. The
definition of an 'agency' in the discrimination acts is changed to
a 'Commonwealth agency'. If private sector bodies were covered by
the discrimination acts there would be difficulties with the
enforceability of determinations made under these Acts.
The Explanatory Memorandum to the Bill includes
the requisite 'Regulation Impact Statement' which considers the
costs and benefits of various options for reform to the Government,
business and the community. With respect to the costs to
Government, the statement only considers the costs to individual
Departments and agencies of the various options. It does not
consider the impact of any of the changes on the Privacy
Commissioner's office. The Bill will presumably affect the
activities of the Commissioner's office since the Bill will extend
the Act to cover previously uncovered organisations. Mr Nigel
Waters, a prominent privacy commentator (and former head of the
Privacy Branch of the Human Rights and Equal Opportunity
Commission), has commented:
Given that there will be an immediate addition
to the Commissioner's jurisdiction of a large number of contractors
providing a wide variety of services, with thousands more as and
when additional services and functions are outsourced, the
government's commitment to effective implementation of the
amendments must be in doubt....The new jurisdiction will place
additional strains on the Commissioner's already depleted staff,
following the major cutbacks in the 1997 Federal Budget.(10)
He goes on to point out that no resources appear
to have been earmarked for education, complaint investigation or
auditing of the many contractors that should be 'seriously facing
up to compliance for the first time.' These issues have yet to be
addressed by the Government. The Explanatory Memorandum highlights
the fact that the Bill is extending to cover bodies
previously unregulated by the Principal Act, rather than
information previously unregulated by the Principal Act.
Hence an argument could be made that the amendments will not
significantly increase the Privacy Commissioner's workload. Despite
the potential criticisms regarding lack of funding, the Bill, in
itself, is likely to be seen as unexceptionable and
uncontroversial.
(1) Press Release 'Privacy in the Private Sector' by Daryl
Williams, MP, 12 Sept 1996.
(2) 'Proposed legislation designed to extend Privacy Act to cover
the private sector is welcomed', ABC's P.M. Thursday, 12
Sept. 1996.
(3) Press Release 'Privacy Legislation' by John Howard,
MP, 21 March 1997.
(4) For instance the Australian Privacy Charter Council, the CPSU
and others (see 'Business, community and privacy groups raise
concerns over the Government's decision not to extend privacy
legislation into the private sector: CPSU raises concerns over a
plan to outsource information technology of government
departments': 7:30 Report, Thursday 3 April 1997).
(5) See: 'Analysts debate privacy legislation, focusing on an
ultimatum issued by the European Union that it will not trade with
countries which do not have strong privacy laws', Lateline,
Thursday 17 April 1997, and 'Privacy International threatens to
push for the European Union to impose economic sanctions on
Australia after Europe's privacy laws come into effect in October'
A.M., Thursday 17 April 1997.
(6) Nigel Waters, Address to Records Management Association
Seminar, Canberra, 11 March 1998.
(7) 'Outsourcing and Privacy - Advice for Commonwealth Agencies
considering contracting out (outsourcing) information technology
and other functions', Privacy Commissioner, August 1994.
(8) Waters, op cit.
(9) Australian Law Reform Commission/Administrative Review Council,
Open Government, A review of the Freedom of Information Act
1982, January 1996.
(10) Address to Records Management Association Seminar, Canberra, 11
March 1998.
Kirsty Magarey
24 March 1998
Bills Digest Service
Information and Research Services
This paper has been prepared for general distribution to
Senators and Members of the Australian Parliament. While great care
is taken to ensure that the paper is accurate and balanced, the
paper is written using information publicly available at the time
of production. The views expressed are those of the author and
should not be attributed to the Information and Research Services
(IRS). Advice on legislation or legal policy issues contained in
this paper is provided for use in parliamentary debate and for
related parliamentary purposes. This paper is not professional
legal opinion. Readers are reminded that the paper is not an
official parliamentary or Australian government document.
IRS staff are available to discuss the paper's contents with
Senators and Members
and their staff but not with members of the public.
ISSN 1328-8091
© Commonwealth of Australia 1997
Except to the extent of the uses permitted under the
Copyright Act 1968, no part of this publication may be
reproduced or transmitted in any form or by any means, including
information storage and retrieval systems, without the prior
written consent of the Parliamentary Library, other than by Members
of the Australian Parliament in the course of their official
duties.
Published by the Department of the Parliamentary Library,
1997.