Bills Digest No. 193 1999-2000

Privacy Amendment (Private Sector) Bill 2000



WARNING:
This Digest was prepared for debate. It reflects the legislation as introduced and does not canvass subsequent amendments. This Digest does not have any official legal status. Other sources should be consulted to determine the subsequent official status of the Bill.

CONTENTS

Passage History
Purpose
Background
Main Provisions
Concluding Comments
Endnotes
Contact Officer & Copyright Details

Passage History

Privacy Amendment (Private Sector) Bill 2000

Date Introduced: 12 April 2000

House: House of Representatives

Portfolio: Attorney-General

Commencement: 12 months after Royal Assent or 1 July 2001, whichever is the later. Schedule 3 commences on Royal Assent.

Purpose

To establish a national co-regulatory privacy scheme for the private sector.

Background

Privacy Act 1988 (Cth)

Privacy first became an issue of major national significance in the debate surrounding the proposed introduction of the Australia Card in the late 1980s. While the proposal for an identity card failed, the element of the package involving privacy protection survived. The main concern at that time focussed on the need to regulate the activities of government. Consequently the Privacy Act 1988 (Cth) (the Principal Act), was enacted to cover the activities of the Commonwealth public sector. It sets down detailed Information Privacy Principles regulating the handling of personal information by Commonwealth Government agencies and ACT Government agencies. The Information Privacy Principles (IPPs) are based on the Organisation for Economic Co-operation and Development (OECD) Guidelines of 1980 on the protection of privacy, to which Australia is a signatory. These IPPs cover methods used to collect personal information, storage and security of personal information, notice of existence of record systems, access of individuals to their own records, accuracy and completeness of personal information and use of personal information and disclosure to third parties. The Act does extend to the private sector to the extent that it includes provisions and guidelines governing the consumer credit industry and restricting the use of tax file number information.

Rationale for further regulation

Since the passage of the Privacy Act in 1988, there have been dramatic developments in information technology and data communication practices. Increasing sophistication of information technology, with its capacity to collect, analyse and disseminate information on individuals, has introduced a sense of urgency to the demand for legislation able to meet this advance. The development of potentially invasive techniques such as collecting and analysing 'electronic footprints', and devices such as 'cookies'(1) mean that there is a need to protect not only the content of information that is being transmitted across the Internet but also the footprints which are created by that traffic. For example on-line spending patterns will generate vast amounts of data which may be 'mined' for the purposes of consumer profiling and targeted marketing.

These developments create human rights issues. Privacy is increasingly accepted as being a human right or at least a precondition for the effective exercise of other more traditional human rights. Australia has international obligations arising under the International Covenant of Civil and Political Rights to ensure its adequate protection. In particular Article 17 of the ICCPR states that 'no one shall be subjected to arbitrary interference with his privacy' and requires that individuals should have 'the right to the protection of the law against such interference'.

Leaving aside the rights argument, these technological developments have also given rise to more pragmatic economic and trade pressures, which make privacy protection a matter of concern to businesses as well as consumers. While Australians have been world leaders in embracing Internet technology, surveys and research indicate Australian consumers are showing a clear reluctance to use electronic commerce because of a lack of confidence in the security and confidentiality of the Internet.(2) Another factor in the Australian debate is the European Union Data Protection Directive of 1995 now in force in Europe. Under the Directive, all member states are bound to pass privacy laws that comply with minimum standards, and are applicable to the public and private sectors. Similarly, the Directive places constraints on the transfer out of Europe of personal information for processing and use in countries that do not offer similar protections.

As a result of this Directive, if Australia does not extend its privacy regime to the private sector, then theoretically any business within the EC which wishes to send personal data to an Australian business would be required to ensure that it satisfies the criteria for exportation to countries which lack adequate privacy safeguards. In most cases this would require the imposition of contractual safeguards, a potentially costly exercise which is likely to place Australian businesses at a competitive disadvantage vis-a-vis those in countries such as New Zealand which already have private sector privacy laws.(3)

Commonwealth Government regulation of private sector privacy

The momentum for comprehensive private sector privacy protection in Australia has been building across the political spectrum over the last few years and is reflected in the recommendations of a number of public bodies including the Broadband Services Expert Group,(4) the House of Representatives Standing Committee on Legal and Constitutional Affairs,(5) the Senate Economic References Committee,(6) the Australian Law Reform Commission(7) and the Senate Legal and Constitutional Affairs References Committee.(8) At the same time a 1996 survey of Australian businesses conducted by Price Waterhouse revealed that 64 per cent favoured such a course.(9)

At the federal level regulation of privacy in the private sector has had a somewhat drawn out gestation period. It began in September 1996(10) when the Federal Government released a Discussion Paper which gave effect to its election commitment that it would ensure the implementation of a privacy law regime in Australia comparable with best international practice.(11) This contained detailed proposals for the introduction of a co-regulatory scheme for the private sector which was to be based on the existing structure of Information Privacy Principles together with provision for the development of binding codes of practice. Despite the generally positive reaction to the Discussion Paper, the Prime Minister announced in March 1997 that the Government would not legislate to extend the Privacy Act to the private sector and that it had made efforts to dissuade State and Territory Governments from introducing privacy legislation that would impact on the private sector, citing concern about compliance costs.(12) Instead the Government requested the Privacy Commissioner to liaise with industry with a view to establishing a voluntary self-regulatory scheme. It appears that the major lobby groups opposed to a legislative regime were the Australian Bankers' Association and the Australian Chamber of Commerce and Industry.(13)

A further development occurred in February 1998 when the Attorney-General issued a set of benchmark principles developed by the Privacy Commissioner known as the National Principles for the Fair Handling of Personal Information. When the National Principles were released the Attorney General said it was still to be determined as to how the scheme would be implemented but the approach was likely to be voluntary.(14) However, on 16 December 1998 the Federal Government announced that it intended to legislate to support and strengthen self-regulatory privacy protection in the private sector and that a 'light touch' regulatory regime would be introduced, based on these National Principles but with the opportunity for private sector codes to be developed. An information paper outlining the Commonwealth Government's proposed legislative approach was released in early September 1999, followed by a draft of the proposed legislation in December 1999. The Bill was tabled in the House of Representatives on 12 April 2000 and immediately referred to the House of Representatives Legal and Constitutional Affairs Committee for inquiry. The Committee is due to report on 26 June 2000. The Digest canvasses some of the submissions made to that inquiry.

Main Provisions

Objectives

Clause 3 sets out the policy objectives of the Bill. The Bill aims to establish a national privacy scheme for the private sector and to do so in a way which balances the various interests involved. These interests are:

  • Australia's international obligations and international concerns
  • the individual's interest in protecting privacy, and
  • human rights and social interests that compete with privacy including the right to a free flow of information and the right of business to achieve its objectives efficiently.

This clause appears to avoid couching privacy in terms of human rights. Further, it refers to the individual's interest in protecting privacy and the right of business to achieve its objectives efficiently.(15) Professor Graham Greenleaf suggests that this pro-business bias may affect the interpretation of the Principal Act by the Privacy Commissioner, code investigators and the courts.(16)

Schedule 1-Amendment of the Privacy Act 1988

Schedule 1 of the Bill amends the Principal Act. While the Bill relies on some of the definitions within the Act, it essentially provides a separate privacy scheme for the private sector and leaves intact the current arrangements relating to the Commonwealth public sector, credit reporting and tax file numbers.

Item 1 amends section 3 of the Principal Act to replace the words 'interferences with the privacy of persons' with the words 'the collection, holding, use, correction, disclosure or transfer of personal information'. Section 3 confirms that State and Territory laws that make provision for the collection, holding, use, correction, disclosure or transfer of personal information will continue to operate to the extent that they are not directly inconsistent with the terms of the Bill.(17)

Definitions

Items 4 to 35 insert into section 6 of the Principal Act definitions relevant to the provisions of the Bill. The Bill also relies on definitions already contained in the Principal Act including definitions of 'record', 'personal information' and 'generally available information'. Section 13(18) makes it clear that the Act applies to personal rather than commercial data. Personal information is defined in current section 6 to mean information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

The Bill makes a further distinction between the use of personal information and the use of sensitive information. Sensitive information is a new expression and defined to mean information or an opinion about an individual's racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices, criminal record, or health information (item 27).

Interferences with privacy by private sector organisations

Item 39 inserts proposed paragraph 7(1)(ee). Currently subsection 7(1) defines what is meant by a reference to 'an act or practice' that is an interference with the privacy of the individual. Proposed paragraph 7(1)(ee) adds an act done, or practice engaged in, by an organisation to the list of acts or practices to which the Act applies.

Central to the operation of the Bill is the definition of 'organisation'. An organisation is defined in proposed section 6C in item 36 to mean:

  • a body corporate
  • an unincorporated association
  • a partnership
  • a trust, or
  • an individual.

but does not include a small business operator, an agency,(19) a registered political party, a State or Territory authority,(20) or a prescribed instrumentality of a State or Territory.

A single legal entity may be several different 'organisations' when acting in different capacities. An example given in the Bill is a trustee. A person may be both an 'organisation' in their personal capacity and a different organisation in their capacity as trustee of a trust (proposed subsection 6C(2)).

Interferences with privacy

Item 52 inserts proposed sections 13A-13F. Proposed section 13A sets out the general rule relating to interferences with privacy by organisations.

An act or practice of an organisation is an interference with the privacy of an individual if:

  • it breaches an approved privacy code that binds the organisation, or
  • where the organisation is not bound by an approved code, the organisation breaches a National Privacy Principle (NPP).

A breach of an approved privacy code and a breach of a National Privacy Principle are determined according to proposed sections 6B and 6A respectively.

Where the organisation is a contracted service provider for a Commonwealth contract an act or practice of that organisation is an interference with the privacy of an individual if:

  • the act done or the practice engaged in is inconsistent with an approved code or the NPPs and is inconsistent with the relevant provision of the Commonwealth contract, or
  • the organisation uses or discloses the personal information obtained for the purpose of meeting an obligation under a Commonwealth contract for direct marketing.

The regulation of contract service providers is further clarified in proposed subsection 6A(2).(21)

Item 52, proposed subsection 13A(2), confirms that these obligations on private sector organisations co-exist with other obligations they may have under the Act as a credit reporting agency, a credit provider or a file number recipient.

Item 34 adds subparagraphs (c) - (f) to current subsection 6(7). As suggested above, the Bill essentially provides a separate privacy regime for the private sector and leaves intact the current arrangements relating to the Commonwealth public sector, credit reporting and tax file numbers. Amended subsection 6(7) confirms that complaints under the Act can therefore be more than one type of complaint. For example a complaint may be both a code complaint and a credit reporting complaint, or a tax file number complaint and an NPP complaint.

Exceptions to the general rule regarding interferences with privacy

Proposed sections 13B, 13C and 13D contain exceptions to the general rule regarding interferences with privacy by private sector organisations.

Related bodies corporate

Proposed section 13B identifies situations where acts and practices of related bodies corporate would not be interferences with privacy.

For the purposes of the Bill the Corporations Law test is applied to determine whether bodies corporate are related (proposed subsection 6(8) in item 35). According to section 50 of the Corporations Law one body corporate is related to a second body corporate when:

  • it is a holding company of the second body corporate
  • it is a subsidiary of the second body corporate, or
  • it is a subsidiary of a holding company of the second body corporate.

According to proposed section 13B related bodies corporate may share personal information without there being an interference with privacy. However in using or holding that information, the related body corporate must then comply with the NPPs or a binding privacy code. It does not have the freedom to use and handle that personal information however it wishes (proposed section 13B Note). This is further reinforced in NPP 2.3 (in item 139) which states that related bodies corporate that share personal information must use the information for the primary purpose for which it was initially collected. If it is to be used for any other purpose (ie a secondary purpose) then it must comply with the conditions set down in NPP 2.

Note the related body corporate exemption is limited to the collection and disclosure of personal information that is not "sensitive information". For example the provision does not allow the disclosure of health information between private hospitals or between co-located private hospitals and community held centres run by related bodies corporate.(22)

Partnerships

Proposed section 13C details acts and practices of partnerships that do not constitute an interference with privacy. Its purpose is to allow personal information to be shared when partnerships are dissolved and reformed.

Extraterritorial acts

Proposed section 13D stipulates that acts and practices of an organisation done outside Australia will not be an interference with privacy if the act or practice is required by an applicable law of a foreign country.

Proposed section 13E confirms that the exceptions in proposed sections 13B, 13C and 13D do not interfere with the current privacy regime relating to public sector agencies, credit reporting and tax file numbers.

Other Exemptions

Small business

The Bill contains special exemptions for small businesses. By virtue of the definition of 'organisation' at proposed section 6C small business operators are not organisations and therefore are exempt from the operation of the Bill. A small business is defined as one which has an annual turnover of $3 million or less as measured at a nominated test month (proposed subsection 6D(1)). Annual turnover is to be calculated according to the method used in the A New Tax System (Goods and Services) Act 1999 (proposed subsection 6D(2)).

A small business operator is an individual, body corporate, partnership, unincorporated association or trust that:

  • carries on one or more small businesses, and
  • does not carry on a business that is not a small business (proposed subsection 6D(3)).

All small business operators will be exempt from the legislation unless they:

  • provide a health service to another individual and hold health information except in an employee record (proposed paragraph 6D(4)(b))
  • disclose personal information about another individual to third parties for a benefit, service or advantage (proposed paragraph 6D(4)(c))
  • collect personal information about another individual from third parties by providing a benefit, service or advantage (proposed paragraph 6D(4)(d))
  • are contracted to provide a service to the Commonwealth (proposed paragraph 6D(4)(e)), or
  • are prescribed by regulation as being covered by the Bill (proposed section 6E).

In these situations where small businesses will come within the new regime they will be given an extra 12 months in which to comply (proposed section 16D in item 54).

In relation to proposed section 6E, before making regulations to bring a small business within the provisions of the Act, the Minister must consult the Privacy Commissioner and must be satisfied that it is in the public interest to regulate the small business operator in question (proposed sub-section 6E(4)).

The range of businesses exempted under the small business provision is much broader than under the exposure draft of the Bill, in two respects. First, the earlier definition of small business excluded organisations holding sensitive information, not just health information, which is a more limited term.(23) Second, the threshold definition of small business has been increased from a turnover of $1 million to a turnover of $3 million. According to a senior officer in the Dept of Employment, Workplace Relations and Small Business the figure of $3 million was considered more appropriate on the basis that it will cover 98.9% of businesses categorised as small businesses according to ABS data.(24)

The Government has stated the rationale for this exemption is to reduce the regulatory burden of compliance costs on small businesses. Evidence from jurisdictions which have recently enacted private sector privacy laws suggests, however, that cost has not been a substantial problem.(25) Further the complexity of calculating and determining whether an organisation falls below or above the $3 million threshold may be as great a burden on small businesses as compliance with the legislation might be.(26)

One of the stated objectives of the Bill is to give individuals the trust and confidence that they need to make use of electronic commerce. The small business exemption will however exclude many Internet based businesses from the Bill's operation.(27) It could be argued therefore that the complexity and the extent of the exemption works against individuals developing clear privacy expectations in their dealings with organisations. Further, small businesses that need or wish to display their privacy credentials will be excluded from doing so.(28)

Individuals

Proposed subsection 7B(1) in item 42 exempts acts done or practices engaged in by individuals where those acts are done, or practices are engaged in other than in the course of business. This is reiterated in proposed section 16E which states that the NPPs do not apply for the purposes of, or in connection with the individual's personal, family or household affairs.

Organisations acting under Commonwealth contract

The provisions regulating small businesses that act as contracted service providers to the Commonwealth appear complex. Proposed paragraph 6D(4)(e) excludes such entities from the definition of a small business operator, thereby excluding them from the small business exemption. However under proposed subsection 7B(2) an organisation that would be defined as a small business but for the fact that it is a contracted service provider for a Commonwealth contract need only comply with the Bill in relation to its activities that are for the purposes of a Commonwealth contract.(29) Effectively the organisation is entitled to the small business exemption in relation to its activities that are not for the purposes of a Commonwealth contract.

Employee records

Proposed subsection 7B(3) exempts certain acts or practices of an organisation that is or was an employer of an individual. To qualify for exemption, the act or practice must be directly related to:(30)

  • the employment relationship, and
  • an employee record held by the organisation.

An employee record is defined in proposed subsection 6(1) to mean a record of personal information relating to the employment of the employee. It may include other sensitive information, such as recruitment and termination information, employment terms and conditions, health and banking information (item 12).

In relation to this exemption the Government's view is that while employee records deserve privacy protection, such protection is more properly a matter for workplace relations legislation. Under the Workplace Relations Act 1996 privacy is not an 'allowable matter', that is, a matter for which the Industrial Relations Commission has jurisdiction to make an award. While privacy issues can be included in agreements made under that Act, arguably this could lead to inconsistent outcomes and significant gaps in protection. Workplace Relations Regulations do make some provision for employees' access to their records. Regulations 131K, 131L and 131M give employees rights of access to and correction of the records that must be kept about them. These are made under section 353A of the Workplace Relations Act 1996 which allows the Government to make regulations about making and keeping employee records and the inspection of these records.

It would appear therefore that there is a limited scope for protecting employee records under the Workplace Relations Act 1996, however to date the Government has not indicated what plans it might have to further regulate and protect the privacy of employee records.

It could be argued that the proposed employee record exemption also causes inconsistencies in the Principal Act in two ways. First, much of the information in an employee record is of a sensitive nature and may relate to health matters. Sensitive and health information is given more specific levels of protection in other parts of the Bill and the employee record exemption is arguably not consistent with this protection.

A second inconsistency is that employees of Federal Government agencies already covered by the Privacy Act will have privacy rights which private sector employees will not have under the new provisions.

Journalism

Proposed subsection 7B(4) exempts acts and practices of media organisations done in the course of journalism. According to the Explanatory Memorandum this exemption seeks to balance the public interest in providing adequate safeguards for the handling of personal information and the public interest in allowing a free flow of information to the public through the media.(31)

A media organisation is defined as an organisation that is engaged in or whose activities include journalism (proposed subsection 6(1)). Journalism is defined as the collection, preparation and dissemination of news, current affairs, documentaries and other information to the public. This also includes commentary and opinion on, or analysis of, this kind of material (proposed subsection 6(1)). According to the Attorney-General's Department Fact Sheet the definition is wide and recognises that journalists deal with a broad range of information, such as sports news, cultural events and the arts. The Fact Sheet cites the example of an issues-based community group that concentrates on fundraising and lobbying. While the Department suggests that such a body may also have a legitimate role to keep the public informed about its concerns, it fails to elaborate on why this should involve the use of personal information.(32) The Privacy Commissioner and other privacy advocates have suggested that these terms are so broadly defined that the exemption could arguably cover any organisation which collects and disseminates personal information over the Internet. According to the Privacy Commissioner the breadth of this exemption may leave an organisation such as the recently publicised CrimeNet unregulated.(33)

Other jurisdictions, including the EU and New Zealand, have also recognised the need to protect journalism, although the definitions used in those jurisdictions are much narrower in application. The Privacy Commissioner has noted that the word 'information' has not been used in equivalent definitions of 'news activity' or 'media organisation' in overseas jurisdictions.(34)

The Bill also protects journalists' sources of information. Item 106 inserts proposed subsection 66(1A) so that a journalist is permitted to refuse to give information, answer a question or produce a document or record which is sought under the Principal Act where this would tend to reveal the journalist's confidential source.

Organisations acting under State contract

Proposed subsection 7B(5) exempts acts or practices of an organisation acting under contract with a State or Territory authority, the rationale being that such activities should be regulated at State or Territory level.(35)

Political acts and practices

The Bill contains two distinct exemptions relating to the political process. One relates to political parties and the other to acts and practices of members of parliament.

Political parties are exempt from the operation of the Bill by virtue of defining organisations in proposed section 6C so as not to include political parties. The exemption relating to members of parliament found in proposed section 7C is a narrower exemption. It exempts acts and practices of members of parliament (Commonwealth, State and Territory) or local government representatives that are related to an election, a referendum, or participation by the political representative in the political process. Proposed subsections 7C(2)-7C(4) exempt similar political acts and practices of contractors, subcontractors and volunteers working for registered political parties or political representatives. It would appear that nominated candidates for election to political office are not included in this exemption. It could be argued that if the rationale for the exemption is the furtherance of democracy then it should cover people seeking election as well as those already in office.

Under the exemptions provided in the Bill, the elector information databases currently maintained by the major political parties would remain unregulated. The Commonwealth Electoral Act 1918 does prohibit the commercial or other unauthorised use of personal electoral information provided by the Australian Electoral Commission.(36) However that Act makes no provision to allow electors the right to access and correct that information. The consequence therefore of exempting political parties from the Bill is that electors would have no statutory right to check their own information on these political party databases to ensure accuracy and to avoid misrepresentation.

The Federal Privacy Commissioner has expressed concern about the proposed exemption for political parties and members of parliament stating:

If we are to have a community that fully respects the principles of privacy and the political institutions that support them, then these institutions themselves must adopt the principles and practices they seek to require of others. I believe that political organisations should follow the same practices and principles that are required in the wider community.(37)

The exemptions relating to members of Parliament and political parties do not exist in other jurisdictions such as New Zealand or Canada.

Existing databases

Proposed section 16C in item 54 provides a more limited privacy regime for personal information collected by an organisation before the commencement of the Bill. The Government's rationale for this partial exemption is that to apply all the principles to existing information would impose unjustifiably high compliance costs on business. NPPs 1, 2, 3 (so far as it relates to collection) 6, 8 and 10 will only apply to the collection of personal information that occurs after the commencement of the Bill. In effect this means that NPPs that deal with collection, use, disclosure, right of access and correction will not apply to information collected before the commencement of the Bill.

However the Attorney-General's Department suggests that after the legislation takes effect, organisations when updating existing databases of personal information will need to comply with all aspects of the Bill including those provisions relating to collection, access, use and disclosure.(38) The Department is of the view that any alteration to information held before the commencement of the Bill will cause that information to be newly collected for the purposes of the application of the Bill.

Electronic Frontiers Australia (EFA) argues that the principles of access and correction and use and disclosure are important privacy principles that apply irrespective of whether the data is in existence prior to commencement of the legislation. Rather than a blanket exemption EFA suggests a transition period of twelve months may be more appropriate.(39)

Public registers and generally available publications

The current Act and the Bill do not regulate the use of public registers. Under proposed subsection 16B(2) the Act applies to personal information that has been collected by an organisation only if the information is held in a record. A record is defined in section 6 to exclude generally available publications.(40) Public registers are a public resource and therefore arguably access and use should not be regulated by privacy legislation. However, as the Communications Law Centre has indicated, technology now provides the means by which third parties can re-configure and process this information in ways that exceed the purpose for which it was collected.(41) It is of note that legislation in other jurisdictions contains specific provisions regulating the use of public registers.(42)

Requirements for Commonwealth contracts

Protection of personal information held by most Commonwealth agencies is already provided for under the Principal Act. The Privacy Act sets out 11 Information Privacy Principles (IPPs) which govern the collection, storage, security, use and disclosure of personal information as well as access to and correction of such information held by public sector agencies.

The outsourcing of government functions in recent years has raised concerns about privacy regulation of personal information held by Commonwealth contracted service providers. The current situation is that agencies generally are required to include privacy protection clauses in their contracts. However, this has not necessarily meant that individuals affected have a right of redress since they are not parties to the contract and the private sector bodies have not previously been subject to the specific requirements of the Principal Act. The difficulties of ensuring that contracting bodies comply with the privacy requirements in the contract are significant. The law of contract is a rather 'blunt instrument' when dealing with breaches of the principles of privacy.(43)

The Government acknowledged in 1997 that legislation was needed to ensure that the protections offered by IPPs were not undermined by outsourcing of government functions. It introduced the Privacy Amendment Bill 1998 to achieve that end. The Bill lapsed when Parliament was prorogued for the 1998 election. The current Bill contains provisions to address this issue.

Under proposed section 95B in item 131 agencies entering into a Commonwealth contract that involves the collection and/or holding of personal information must take contractual measures to ensure that a contracted service provider for the contract does not breach the Information Privacy Principles. Under proposed subsections 95B(3) and 95B(4) the contract must also contain provisions to regulate subcontracts in the same way. Effectively this means an organisation when acting as contracted service provider to the Commonwealth must comply with the IPPs rather than with the NPPs which would otherwise apply to the contractor as a private sector organisation. The section applies to agencies entering into Commonwealth contracts in their own right as well as those entering a contract on behalf of the Commonwealth.

Item 11 inserts into subsection 6(1) of the Principal Act a definition of contracted service provider. When read with the definitions of 'government contract', 'Commonwealth contract' and 'subcontractor', the definition covers any person who under a contract with the Commonwealth or an agency either is or was responsible for the provision of services to a Commonwealth agency, either directly or as a subcontractor. Proposed section 16F in item 54 contains an extra safeguard to protect personal information held for the purposes of a contract with a Government agency from being used for direct marketing purposes.

National Privacy Principles

Item 139 inserts proposed Schedule 3 - National Privacy Principles into the Act. The NPPs set out rules relating to the collection, use, disclosure, quality and security of personal information and are based on the National Principles for the Fair Handling of Information developed by the Privacy Commissioner in 1998. Whereas the 1998 principles were issued in the form of guidelines the NPPs tend to be mandatory in their language. The earlier principles have also been modified to apply to health information and international data transfer. The NPPs are a variation on the Information Privacy Principles (IPPs) in Part III of the Act which generally apply to Commonwealth Government agencies. Both sets of principles (NPPs and IPPs) will operate concurrently under the proposed regime.

The NPPs contain a number of departures from the IPPs. These are most apparent in relation to the treatment of direct marketing uses of information, issues regarding anonymity, the use of common identifiers, transborder data flows and the use of sensitive and health information.

NPP 1 Collection

NPP 1 sets the standard for collection practices of organisations. Among other things an organisation must only collect personal information that is necessary for one or more of its functions. The information should only be collected by lawful and fair means and it must not be collected in an intrusive manner. At the time of collection the intended uses of the information should also be made clear.

NPP 2 Use and disclosure

NPP 2 deals with the use and disclosure of personal information. It is arguably the most complex of the principles due in part to the way it makes special arrangements for health information, sensitive information and direct marketing.

The general rule is that personal information must only be used or disclosed for the primary purpose for which it was collected. There is however a wide-ranging list of situations where such information may be used for some other purpose ie a secondary purpose. These situations include:

  • where the secondary purpose is related to the primary purpose and the individual would reasonably expect it to be used for that secondary purpose (note: in the case of sensitive information the secondary purpose must be 'directly related', although the difference between 'related' and 'directly related' is not defined in either the Bill or the explanatory materials)
  • where the individual has consented to the use or disclosure. As defined in the Principal Act consent may be either express or implied and according to the Explanatory Memorandum implied consent could legitimately be inferred from the individual's failure to object to a proposed use or disclosure, provided that the option to opt out was clearly and prominently presented and easy to take up
  • where the organisation reasonably believes the use or disclosure would lessen or prevent threats to life, health or safety
  • where the use or disclosure relates to an investigation or reporting of an unlawful activity
  • where the use or disclosure is required by law, or
  • where the organisation reasonably believes the use or disclosure is reasonably necessary for a range of activities carried out by an enforcement body. Note that enforcement body is defined in item 13 to include an extensive list of State and Commonwealth agencies.

It is of note that the 1980 OECD guidelines only permit usage for secondary purposes in cases of consent and legal authority.

Use and disclosure of health information

Health groups are concerned that some of these exceptions are not suitable for the health industry because they allow the passing on of information outside the therapeutic relationship. For example NPP 2 envisages that it is acceptable to provide information to law enforcement agencies. It is questionable whether it would be possible to run a drug treatment service if users thought that information about criminal acts might be passed on to law enforcement agencies.

NPP 2 also provides additional special conditions for the use of health information for some secondary purpose.

Health information may be used for the secondary purpose of research or the compilation of statistics, relevant to public health or public safety when:

  • it is impractical to seek the individual's consent
  • it is used and disclosed according to the Privacy Commissioner's guidelines, and
  • in the case of disclosure, the organisation reasonably believes that the recipient of the information will not disclose the health or personal information.

NPP 2 also regulates the disclosure of health information to persons responsible for an individual. Where an individual is unable to give consent to the disclosure of health information, doctors may provide the patient's family with information to help to provide care or treatment or for particular compassionate reasons.

Direct marketing

NPP 2 also deals with direct marketing. Personal information may only be used or disclosed for the secondary purpose of direct marketing where:

  • it is impracticable to seek the individual's consent, (although impracticable is not defined or explained in the Bill or the Explanatory Memorandum)
  • the organisation gives the individual an express opportunity to opt out of direct marketing communications at no charge, and
  • the individual has not already asked to be excluded from direct marketing.

In terms of direct marketing by e-mail this would appear to regulate organisations to the extent that they must give customers the option to opt out. It does not provide the higher standard of requiring customers to 'opt-in' which has been recommended by some privacy advocates(44) and adopted in the Internet Industry Association's voluntary code.

Sensitive information, which by definition includes health information, may not be used for the secondary purpose of direct marketing.

NPP 3 Data quality

NPP 3 requires an organisation to take reasonable steps to make sure that personal information is accurate, complete and up-to-date at the time the organisation collects, uses and discloses the information.

NPP 4 Data security

NPP 4 requires an organisation to take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure. Further an organisation must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed.

NPP 5 Openness

According to NPP 5 an organisation must have a clearly documented publicly available privacy policy. In practical terms this would require website operators to have clearly identified privacy statements.

NPP 6 Access and correction

According to NPP 6, if an organisation holds personal information about an individual, the organisation must provide the individual with access to that information. NPP 6.1 lists an extensive range of exceptions to this rule including if:

  • in the case of personal information other than health information - providing access would pose a serious and imminent threat to the life or health of any individual
  • in the case of health information - providing access would pose a serious threat to the life or health of any individual
  • providing access would have an unreasonable impact upon the privacy of other individuals
  • the request for access is frivolous or vexatious
  • providing access would be unlawful
  • denying access is required or authorised by or under law, and
  • providing access would be likely to prejudice an investigation of possible unlawful activity.

If an organisation holds personal information about an individual and the individual is able to establish that the information is not accurate, complete and up-to-date, the organisation must take reasonable steps to correct the information so that it is accurate, complete and up-to-date.

Access to and correction of health information

NPP 6 effectively grants patients a right of access to their own personal health information held in the private sector subject to those exceptions listed above. Consumer groups suggest that the large number of exceptions means the provision is considerably weaker than the right of access that is available to patients in the public sector.(45) It would also seem that the right of access to health records does not fit easily into NPP 6 which is drafted in more general terms and contains exceptions which are not applicable in the context of health. For example the exception relating to 'prejudicing an investigation into possible unlawful activity' should not be a consideration in giving patients access to their medical records.

The Bill and the explanatory materials make no reference to how this principle relates to or affects the High Court decision in Breen v Williams.(46) The High Court in Breen v Williams unanimously held that under the common law a patient does not have a right of access to inspect and/or obtain copies of his or her medical records in part on the grounds that copyright attaches to the notes made by medical practitioners in the course of their professional practice.

The AMA notes with concern that the Bill, through NPP 6, seeks to overturn the common law with respect to patient access to medical records.(47) An alternative point of view put by an officer of the Attorney-General's Department is that the Bill works on the basis that while the ownership of the records will still reside with the organisation that holds them it also recognises that there are different interests involved including the interest of the person whose information is contained in the records.(48)

NPP 7 Identifiers

NPP 7 prevents an organisation from using an identifier assigned by Commonwealth agencies or contracted service providers. Examples of identifiers include Medicare numbers and pension numbers. Note that a separate regime regulating the use of tax file numbers is already found in Part III of the Privacy Act.

There is some concern about this prohibition on the basis that the use of common unique identifiers in the health industry is regarded as a way of opening up opportunities for health services to share patient information in ways which can lead to safer, cheaper and more effective service. The Privacy Commissioner also notes that there are situations where the use of a Medicare number may be used in a beneficial way to identify individuals in circumstances where a false identification could have serious consequences.(49)

NPP 8 Anonymity

NPP 8 requires that where it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.

NPP 9 Transborder data flows

NPP 9 prohibits an organisation in Australia from transferring personal information to a recipient in a foreign country not subject to a comparable information privacy scheme unless certain conditions apply. Amongst other things these conditions relate to consent, and contractual obligations.

NPP 10 Sensitive and health information

NPP 10 contains a separate regime regulating the collection of sensitive information and health information. Sensitive information is defined in item 27 to include health information.

An organisation must not collect sensitive information about an individual unless a certain set of circumstances exists. These include:

  • where the individual has consented
  • where the collection is required by law
  • where the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual, and
  • where the individual is physically or legally incapable of giving consent to the collection.

NPP 10 details a set of additional situations in which health information can be collected about an individual. These include where the information is necessary to provide a health service to the individual. In this case the information must be collected as required by law or in accordance with rules relating to professional confidentiality.

Further, an organisation may collect health information about an individual if the collection is necessary for:

  • research or the compilation or analysis of statistics relevant to public health or public safety, or
  • the management, funding or monitoring of a health service.

In these situations certain safeguards must be satisfied. The information will not be made available if non-identified, aggregate data is sufficient for research purposes and furthermore, organisations will have to show that they cannot conduct this research without the information and that there is no reasonable way to get a person's consent.

The rationale for the research exemption is that medical research is often carried out with the approval of an ethics committee using identified data and without the consent of individuals whose information is being used. The Privacy Commissioner suggests the proposed arrangement is broadly similar to the current provisions in section 95 of the Act(50) which he argues have worked well in the last ten years.(51)

Privacy codes

An underlying principle of the Bill is that private sector organisations will be able to develop their own privacy codes to regulate the collection, storage, use and disclosure of personal information. This 'co-regulatory' arrangement is intended to allow for privacy principles to be tailored to meet the needs of a particular part of the private sector.

Item 54 inserts a new Division 3 headed 'Approved privacy codes and the National Privacy Principles' which comprises proposed sections 16A - 16F.

Proposed section 16A sets out the relationship between an approved privacy code and the NPPs. Essentially an organisation must either comply with an approved privacy code or if not bound by an approved code, then an organisation must comply with the NPPs. In addition proposed subsections 16A(3) and 16A(4) stipulate that these obligations in no way interfere with obligations already in force regarding tax file number recipients, consumer credit agencies, and credit reporting as set out in other parts of the Act.

Approval of privacy codes

Proposed Part IIIAA of the Act inserted by item 58 sets out the criteria and procedure for approval of privacy codes. By virtue of the definition of organisation, codes may be developed in respect of specific organisations, specific professions and specific information and in relation to specific classes of all of these (proposed subsection 18BB(7)).

Written applications to the Privacy Commissioner for the approval of a privacy code may be made by an organisation (proposed section 18BA). The Commissioner may consult appropriate persons before deciding whether to approve a code (proposed subsection 18BB(1)). In deciding whether to approve a privacy code the Commissioner must be satisfied that the code meets the requirements as specified in proposed subsection 18BB(2).

The code must:

  • set out obligations that are at least the equivalent of the obligations contained in the NPPs
  • specify the organisations bound by the code or a way of determining the organisations that are or will be bound by the code
  • only bind organisations that have consented to be bound by the code
  • contain procedures to enable an organisation to cease to be bound by the code, and
  • provide adequate opportunity for members of the public to comment on a draft of the code (proposed subsection 18BB(2)).

If the code contains procedures for making and dealing with complaints, the Commissioner must have regard to an additional set of factors. For example the code must:

  • meet prescribed standards and appropriate Commissioner guidelines
  • provide for the appointment of an independent adjudicator
  • ensure that the adjudicator will provide an appropriate balance between the various interests, and
  • ensure that the code adjudicator has the same powers as the Commissioner regarding the making of determinations, findings, declarations, orders and directions (proposed subsection 18BB(3)).

The role of the Privacy Commissioner

The Principal Act establishes an office of Privacy Commissioner with responsibility for oversight of the legislation and provides for a system of enforcement whereby the Commissioner can investigate complaints and make determinations, which are enforceable in the Federal Court.

The role of the Commissioner is considerably expanded under the Bill. In the current Act, subsection 27(1) lists the functions of the Commissioner in relation to interferences with privacy. Items 59-68 insert new provisions into section 27 to provide the Commissioner with additional functions and powers. Amongst other functions the Commissioner may:

  • approve privacy codes, approve variations of approved codes and revoke those approvals (item 59)
  • investigate an act or practice of an organisation that may be an interference with the privacy of an individual as set out in proposed section 13A and if appropriate settle by conciliation the matters that gave rise to the dispute (item 59)
  • perform the functions and exercise the powers of an adjudicator under an approved code where the Commissioner has been appointed as the adjudicator under that code (item 59)
  • promote an understanding and acceptance of the National Privacy Principles (item 61)
  • examine proposed legislation that would require or authorise acts or practices which, if done by organisations, might amount to interferences with privacy (item 60)
  • publish guidelines in relation to matters such as the development of privacy codes and privacy breaches and complaints (item 63), and
  • provide advice to a Minister, agency, organisation or an adjudicator for an approved privacy code on any matter relevant to the operation of the Act (item 64).

Public interest determinations

Part VI of the Principal Act gives the Privacy Commissioner the power to determine that an act or practice of an agency which might constitute a breach of the IPPs shall be disregarded for the purposes of the Act. The Commissioner can only make such a determination where satisfied that the public interest in the agency doing the act outweighs to a substantial degree the public interest in adhering to that IPP. Items 118-130 amend the Act to extend the Commissioner's power to make similar determinations in relation to NPPs and to give the Commissioner the power to make temporary public interest determinations.

Proposed subsection 72(2) in item 118 provides that the Commissioner may make a written determination that an act or practice of an organisation which breaches or may breach an approved privacy code or a NPP that binds the organisation is not to be regarded as a breach of the code or the NPP in situations where there is an overriding public interest in the organisation being able to perform the act or practice. Organisations may apply in accordance with the regulations for a public interest determination under section 72 about a particular act or practice (proposed subsection 73(1) in items 119-120).

The Commissioner may also make temporary public interest determinations for periods of up to twelve months according to the procedures of amended sections 72 and 73 in situations where the Commissioner is satisfied the circumstances require an urgent decision (proposed section 80A). A temporary determination made under proposed Division 2 will be a disallowable instrument (proposed section 80C).

Schedule 2 - Amendment of other Acts

Administrative Decisions (Judicial Review) Act 1977

Item 1 ensures that a decision by an adjudicator under an approved privacy code will be subject to judicial review.

Customs Act 1901

Item 3 authorises disclosure of personal information to a Customs officer when the information relates to actual or proposed travel of persons or goods. In dealing with the information, the Customs officer is subject to the Privacy Act 1988.

Telecommunications Act 1977 and the Telecommunications (Consumer Protection and Service Standards) Act 1999.

Items 4-20 involve amendments to the Telecommunications Act 1977 and the Telecommunications (Consumer Protection and Service Standards) Act 1999.

Part 6 of the Telecommunications Act contains provisions encouraging each telecommunications sector to develop codes dealing with privacy and consumer protection issues. The codes are to be developed within the industry regulatory framework and submitted for consideration by the Privacy Commissioner before registration. The codes are voluntary in the first instance, but breaches can be dealt with by the Australian Communications Authority.

The amendments clarify the relationship between the industry codes and standards which characterise the self-regulatory framework in the particular telecommunications industry and the Privacy Act 1988 (as amended by the Bill). The amendments do not disturb the basic self-regulatory framework set out in Part 6 of the Telecommunications Act, but item 4 clarifies that nothing in an industry code or standard can displace the obligations placed on the industry by the Privacy Act 1988 or an approved privacy code.

Schedule 3 - Disclosures to intelligence bodies

Section 93A of the Australian Security Intelligence Organisation Act 1979 prevents the Privacy Act 1988 from applying to an agency when it discloses personal information to ASIO. Item 1 repeals this provision. However item 3 inserts a similar provision, proposed subsection 7(1A), into the Privacy Act 1988. Proposed subsection 7(1A) would have the same effect and in addition it extends the exemption to personal information disclosed to ASIS. The exemption applies to all past acts as well as those which occur after commencement of the amendment.

Concluding Comments

A separate code for health information?

The Privacy Commissioner has strongly supported the inclusion of health information in the Bill on the basis that:

the health sector is a significant part of the Australian economy and personal health information is also held in a variety of other contexts, for example in insurance, superannuation and employment. A different approach to the protection of personal health information would make the objective of a nationally consistent framework difficult to achieve.(52)

The Commissioner has also undertaken to produce appropriate guidelines to clarify many of the unresolved issues that relate to health information.(53)

Against that it must be acknowledged that the Bill is made more complex by incorporating provisions that relate specifically to health information. Of more significance is that many consumer health groups and members of the health industry(54) have strongly argued that health information should be removed from coverage under this Bill and a regime be prepared which would cover privacy and access in both the public and private health sectors. They suggest the health industry more than other regimes requires a privacy regime which remains consistent when people move between public and private services.

The ACT Community and Health Services Complaints Commissioner in giving evidence to the Parliamentary inquiry into the Bill argued:

[While the focus of the Bill] is on industries where normally the organisations that collect information keep it and do not pass it on to anyone else, the health industry is quite different by its nature. It is one where it is necessary in the patient's interest to share information. The object of the exercise is not to prevent information passing around, but to control it and make sure that it goes to the people who should have it. We need to control the flow of information rather than stop it. We need to ensure that patients have some measure of control over the flow of information. We need to make sure that the quality of the information is high, that it is accurate, it is not misleading, it is up to date, it does not undermine the credibility of patients and so forth. And it needs to be consistent amongst all the agencies involved.(55)

Groups such as the Public Interest Advocacy Centre also point to other jurisdictions where privacy in personal health records is protected through a separate specialist health privacy framework.(56)

The 'Adequacy' of the Bill in relation to the European Union Data Protection Directive.

The Government has stated that one of the objectives of the Bill is to ensure compatibility with the European Union Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data thus removing any potential barriers to international trade.(57) While the Attorney-General has expressed confidence that the Bill will be considered 'adequate'(58) other interest groups are concerned that the Bill falls short of the EU requirements.(59) A detailed comparison of the two regimes is beyond the scope of this digest. However it can be noted briefly that they are different to the extent that the exemptions relating to employee records, small business, political parties and political representatives are not found in the EU Directive. Further it would seem that the EU restrictions on the use of public registers and secondary uses of information are tighter than those in the Bill. Whether these differences will affect the transfer of personal information between Australia and Europe is not clear. As Nigel Waters wrote in February 2000:

Nearly a year on from the EU Directive coming into force, other governments and interested parties can be forgiven for wondering if the Europeans are bluffing about restricting transborder transfers of personal information. At the time of writing, no transfers have to my knowledge been blocked by European supervisory authorities since the Directive came into force in October 1998, and no such challenges are pending... even where 'export prohibition' provisions are already in place, there has been little sign of enforcement action.(60)

A complex balance of interests

The regulation of privacy in Australia has been described as a ragbag and a patchwork of different standards, applying across industries, technologies and State and Territory boundaries. The passing of the Privacy Amendment (Private Sector) Bill 2000 with its myriad of standards and exemptions will not change this. Under the proposed regulatory arrangements, the rules relating to privacy will change depending on whether an organisation is big or small, whether it is public sector or private sector, and whether it is a matter relating to health, credit, or retail. Individuals wishing to pursue their rights will have to navigate their way around subtle technical differences according to whether they are dealing with a federal, state or non-government organisation.

At the same time it is acknowledged that privacy in a modern society is not an absolute. The rights of the individual must be balanced against the needs of the community. It could therefore be argued that this patchwork arrangement may be the most effective method of managing a cultural phenomenon which is found in a diverse range of circumstances each demanding specific, flexible attention. As NSW Privacy Commissioner, Chris Puplick, has commented, there is a growing appreciation that the purpose of privacy legislation is not so much to require strict compliance with black letter law but to create a climate where organisations are trusted with personal information. Under this model the legal provisions aim to create a working environment where employees and clients can feel comfortable that such trust is justified. This he claims puts a premium on openness and education.(61)

The detail of the legal framework however remains important and Commissioner Puplick's own judgement is that the model put forward in the Bill requires greater clarity and consistency.(62) The diversity of other opinions expressed in the submissions to the Parliamentary inquiry shows that Parliament has a complex task in assuring itself and the community that the Bill has struck or, as amended, will strike the right balance. In particular the Parliament might consider whether the broad exemptions found in the Bill that relate to employee records,(63) the media,(64) small business,(65) and existing databases(66) have tipped the balance in favour of business at the expense of the individual's right to privacy.

Endnotes

  1. A cookie is a unique number stored by the user's browser in the computer. It has given website operators unprecedented access to Internet users' habits and allowed them to target their advertising.
  2. 56% of Australians are worried about invasion of privacy issues created by new information technologies. (Roy Morgan Research Centre, August 1999). At February 2000 28% of all Australian households had home Internet access, but only approximately 5% of Australian adults used the Internet to purchase or order goods or services. See ABS website media release 13 June 2000. http://www.abs.gov.au/Ausstats/ABS%40.nsf/dddcf05472f88677ca2568b5007b8615/f28f14aa10c60cfbca2568fd000503a1!OpenDocument
  3. Privacy Act 1993 (NZ)
  4. Broadband Services Expert Group, Networking Australia's Future: Final report 1994. http://www.dcita.gov.au/cgi-bin/trap.pl?path=/pubs/network/toc.htm
  5. Report called In Confidence, 1995, recommendation 38.
  6. Telecommunications Toward the Year 2000, 1995, ch 5.
  7. See Australian Law Reform Commission and Administrative Review Council, Open Government: a review of the Federal Freedom of Information Act 1982, 1995, recommendation 103.
  8. Privacy in the Private Sector, 1998.
  9. Price Waterhouse, Privacy Survey, 1996.
  10. The ALP Government in 1995 also made a pre-election commitment to regulating privacy in the private sector. See: Attorney-General, Press Release, 10 December 1995.
  11. Attorney-General, the Hon Daryl Williams, Press Release, 21 March 1997.
  12. ibid.
  13. Kevin O'Connor, 'Why a national law to protect the privacy of Australians?', Telecommunication Journal of Australia, v 48, 1998, p. 22.
  14. Press Release, 20 February 1998.
  15. Although note that section 29 of the Act, regarding the Commissioner's need to balance the various interests, also describes business as a 'right'.
  16. Graham Greenleaf, Submission to the House of Representatives Legal and Constitutional Affairs Committee, Inquiry into the Privacy Amendment (Private Sector) Bill 2000, (subsequently referred to as Submission), p. 2.
  17. To date New South Wales and the Australian Capital Territory have privacy laws. The ACT has applied the Commonwealth Act to its own jurisdiction. The NSW Government has passed privacy legislation for its public sector jurisdiction, Privacy and Personal Information Protection Act 1998. The substantive provisions come into force on 1 July 2000. No State or Territory has privacy legislation affecting the private sector.
  18. Note that section 13 refers to 'interferences with privacy' which has been removed by item 1.
  19. An agency is defined in section 6 of the Principal Act and includes a range of Commonwealth public sector bodies. A separate regime based on the Information Privacy Principles will continue to regulate 'agencies'.
  20. Proposed section 6F sets out a procedure enabling the Governor-General to make regulations to enable State or Territory authorities to be brought within the privacy regime of the Bill. Note that proposed section 6E does the same with small business.
  21. Proposed subsection 6A(2) confirms that a privacy clause in a Commonwealth contract that is inconsistent with a NPP will prevail over that NPP. Further obligations on Commonwealth agencies contracting with organisations are described at p 13.
  22. Attorney-General's Department, Fact Sheet: Private Sector Privacy Bill and Related Bodies Corporate, 12 April 2000. http://www.law.gov.au/privacy/bcfact.html
  23. There is no explanation for this change in the explanatory materials to the Bill. According to an officer from Attorney-General's, this change was negotiated with the Department of Employment, Workplace Relations and Small Business and was considered the preferred method of protecting those who were at greatest risk of privacy invasion. House of Representatives, Legal and Constitutional Affairs Committee, Reference, Privacy Amendment Bill 2000, Transcript of Evidence of Ms Gabrielle Mackey, 24 May 2000, p. 6. http://www.aph.gov.au/house/committee/laca/Privacybill/24may.pdf
  24. ABS data is based on the publication, Survey of Small Businesses in Australia, 1999. The original figure of $1 million according to ABS data would have covered 93.8% of small businesses. Source: A senior officer of the Department of Employment, Workplace Relations and Small Business gave evidence at the Legal and Constitutional Affairs Hearing on Thursday 8 June 2000.
  25. There is no similar exemption in the Privacy Act 1993 (NZ), the Personal Information Protection and Electronic Documents Act 2000 (Canada) and the Data Protection Act 1998 (UK). The experience of New Zealand is of particular interest; the limited information available to date does not suggest that the cost of implementation has been a major problem. For example the New Zealand Real Estate Institute commented in 1994 that, while the passing of the Privacy Act 1993 (NZ) would have a considerable impact on the manner in which the industry might deal with personal information, it did not expect that there would be any significant cost of compliance, what was required was common sense and fair dealing. (Reported in Moira Paterson, 'Privacy Protection in Australia: the need for an effective private sector regime', Federal Law Review, v 26, Oct 1998, p 399.) Evidence from Quebec suggests that implementing data protection measures may more than pay for itself in terms of cost reduction or increased productivity that have resulted from improved information handling practices. (Reported in Moira Paterson, op cit, p. 383.)
  26. Federal Privacy Commissioner, Submission, pp. 9-10.
  27. An officer of the Attorney-General's Department agreed with this assertion when giving evidence at the Legal and Constitutional Affairs Hearing on 25 May, p. 6.
  28. As Graham Greenleaf suggests there is no provision for a business that comes within the definition of 'small business operator' to 'opt in' to be bound by the Act. (Source: Submission, p. 7.)
  29. These requirements are set out at p. 13.
  30. Explanatory Memorandum, p. 69.
  31. Ibid.
  32. Attorney-General's Department, Fact Sheet: Privacy and the Media, 12 April 2000.
  33. CrimeNet makes available for a fee, criminal histories collated from publicly available sources.
  34. For example section 2 of the Privacy Act 1993 (NZ) restricts the definition of 'news medium' to an agency 'whose business or part of whose business consists of a news activity'. A 'news activity' means the gathering of news, or the preparation or compiling of articles or programmes of or concerning news, observations on news, current affairs, for the purposes of dissemination to the public or any section of the public.
  35. In relation to New South Wales which does have public sector privacy legislation this exclusion will leave businesses performing contracted services for State authorities largely uncovered, given that in most instances they are not required to comply with the mandatory compliance provisions under the Privacy and Personal Information Protection Act 1999. Source: New South Wales Privacy Commissioner, Submission.
  36. Section 91B.
  37. Media Release, 12 April 2000. http://www.privacy.gov.au/news/00_05.html
  38. Attorney-General's Department, Fact Sheet: Privacy and Existing Databases, 12 April 2000. http://www.law.gov.au/privacy/Personalfact.html
  39. Electronic Frontiers Australia, Submission, para 5.
  40. A generally available publication is defined to mean a magazine, book, newspaper or other publication that is or will be generally available to members of the public.
  41. Communications Law Centre, Submission, p. 12.
  42. eg. Privacy and Personal Information Protection Act 1998 (NSW) Part 6 provides protection against disclosure for purposes unrelated to the purpose of the register; enables agencies to require information about the intended use of any information obtained from inspection; and enables individuals to request that their personal information be removed from or not placed on a publicly available register and not be disclosed to the public. The New Zealand provisions are discussed in Office of the Privacy Commissioner, Privacy Act Review 1998, Discussion Paper, No 5. http://www.privacy.org.nz/recept/discpr5.html
  43. Nigel Waters, Address to Records Management Association Seminar, Canberra, 11 March 1998.
  44. eg. Electronic Frontiers Australia, Submission, para 4.
  45. Consumers' Health Forum, Submission, p. 8.
  46. (1995) 186 CLR 71.
  47. AMA, Submission, p. 4.
  48. House of Representatives, Legal and Constitutional Affairs Committee, Reference, Privacy Amendment Bill 2000, Transcript of Evidence of Ms Gabrielle Mackey, 24 May 2000, p. 18. http://www.aph.gov.au/house/committee/laca/Privacybill/24may.pdf
  49. Federal Privacy Commissioner, Submission, p. 17.
  50. These allow the Commissioner to issue guidelines relating to the use of health information held in the public sector for research purposes.
  51. Federal Privacy Commissioner, Frequently Asked Questions: Personal Health Information and Access by Researchers under the Privacy Sector Scheme. http://www.privacy.gov.au/news/refaq.html
  52. Federal Privacy Commissioner, Submission, p. 14.
  53. ibid.
  54. Australian Consumers Association, Submission, p 2; Public Interest Advocacy Centre, Submission, no 79.
  55. House of Representatives, Legal and Constitutional Affairs Committee, Reference, Privacy Amendment Bill 2000, Transcript of Evidence of Mr Kenneth Patterson, 24 May 2000, p. 62. http://www.aph.gov.au/house/committee/laca/Privacybill/24may.pdf
  56. eg. The Health Information Privacy Code in New Zealand.
  57. Information paper on the Introduction of the Privacy Amendment (Private Sector) Bill 2000. http://www.law.gov.au/privacy/InformationPaper.html
  58. Second Reading Speech, Privacy Amendment (Private Sector) Bill 2000, Parliamentary Debates (Hansard), House of Representatives, 12 April 2000, p. 15075.
  59. eg. Graham Greenleaf, Submission, p. 10.
  60. Nigel Waters, 'Rethinking information privacy - a third way in data protection?', Privacy Law and Policy Reporter, v 6 no 8, February 2000, p. 121.
  61. Chris Puplick, 'Unravelling the complexities of state regulations and Commonwealth laws to understand their application to your business', Privacy Law Conference, April 2000.
  62. Privacy Commissioner of New South Wales, Submission, p. 4.
  63. See above at p. 9.
  64. See above at p. 10.
  65. See above at p. 7.
  66. See above at p. 12.

Contact Officer and Copyright Details

Mary Anne Neilsen
23 June 2000
Bills Digest Service
Information and Research Services

This paper has been prepared for general distribution to Senators and Members of the Australian Parliament. While great care is taken to ensure that the paper is accurate and balanced, the paper is written using information publicly available at the time of production. The views expressed are those of the author and should not be attributed to the Information and Research Services (IRS). Advice on legislation or legal policy issues contained in this paper is provided for use in parliamentary debate and for related parliamentary purposes. This paper is not professional legal opinion. Readers are reminded that the paper is not an official parliamentary or Australian government document.

IRS staff are available to discuss the paper's contents with Senators and Members and their staff but not with members of the public.

ISSN 1328-8091
© Commonwealth of Australia 2000

Except to the extent of the uses permitted under the Copyright Act 1968, no part of this publication may be reproduced or transmitted in any form or by any means, including information storage and retrieval systems, without the prior written consent of the Parliamentary Library, other than by Members of the Australian Parliament in the course of their official duties.

Published by the Department of the Parliamentary Library, 2000.
