The Australian Privacy Principles Exposure Draft is the first stage of the
Government's proposed reform of the privacy regime. The aim of the reform is to
implement a streamlined set of unified privacy principles that provide for
privacy rights and obligations so as to protect an individual from the risk of
harm through inappropriate sharing and handling of their personal information.
As stated in the Government's response to the Australian Law Reform
Commission's (ALRC) review, 'underpinning the enhanced protection of privacy is
a simple and clear framework' that is principles-based.
This chapter canvasses general issues raised by submitters to the
inquiry which principally go to concerns about the complexity and structure of
the APPs, the definition of some terms used, and exemptions from the Privacy
Act. Other matters discussed include the consultation process undertaken in
developing the exposure draft, implications for state and territory governments,
the need for a transition period, and the potential compliance and cost burden of
the proposed reforms.
Clarity of the Australian Privacy Principles
The objective of streamlined principles that are clear and easy to
understand is fundamental to the privacy regime and was the subject of much
comment by submitters. As a first step to this aim, the two existing sets of
privacy principles – the Information Privacy Principles and the National
Privacy Principles – have been replaced with a single set of unified
principles. Professor Rosalind Croucher, President, ALRC, commented on the
benefits of such an approach and noted that having one set of principles
applying to private sector organisations and one set applying to public sector
agencies may cause confusion and that:
...where there is confusion there is the possibility of an
imperfect protection and an imperfect respect for the fundamental protection of
personal information. In that context, the development of a unified set of
principles would only improve the ability for those governed by it to discharge
the responsibility under them.
Most submitters supported the unified principles approach. The
Australian Institute of Credit Management, for example, commented:
...this will result in a consistent approach to the management
of personal information irrespective of the nature of the entity that is
managing the personal information. Further it will facilitate an individual's
understanding of how their personal information is to be managed.
The committee received some positive comments about the drafting of the
APPs. The National Association for Information Destruction (NAID-Australasia)
for example, commented that the drafters of the APPs have achieved 'a balance
between providing clear guidance while not being over prescriptive' and
commended the use of 'reasonableness and technological neutrality to achieve
However, other submitters were of the view that the draft APPs are
overly complex and lack clarity and do not achieve the aims of high-level
principles-based law. Concern was expressed that this may work against
accessibility and compliance. The Office of the Privacy Commissioner (OPC)
commented that the following factors should be noted in assessing the APPs:
- the importance of clear and accessible language to ensure the overall effectiveness
- the need for accessibility for individuals to understand and navigate
the APPs, often without legal expertise;
- the benefits of simplicity and clarity for agencies and businesses to understand
and comply with their obligations (including those small businesses currently
covered by the Privacy Act).
It was also noted that the ALRC had recommended that the privacy
principles should be drafted to pursue, as much as practicable, the following:
(a) the obligations in the privacy principles generally
should be expressed as high-level principles;...
(c) the privacy principles should be simple, clear and easy
to understand and apply.
In its discussion of this objective, the ALRC expressed the view that
principles-based regulation should be the primary method used to regulate
privacy in Australia. The ALRC noted that a principles-based approach has the
advantages of greater flexibility, broader application, a greater degree of
'future-proofing' and has considerable stakeholder support.
The ALRC did not recommend the adoption of a pure form of principles-based
regulation; rather it acknowledged the benefits of allowing principles to be
supplemented by more specific rules in regulations or other legislative
instruments. In addition, the ALRC stated that 'a primarily principles-based
framework can itself adopt varying degrees of detail and prescription within
Professor Croucher, ALRC, also commented:
So the privacy principles stand as the high-level aspirations
and the embodiment of the things that are regarded as the necessary tools to
provide or facilitate the protection of personal information at that
The Government accepted the ALRC's recommendations for the drafting of
The Companion Guide commented that the APPs are 'not like other types of
legislation' and are principles-based law. It was noted that principles-based
law is 'the best regulatory model for information privacy protection in
Australia' and that:
By continuing to use high-level principles, the Privacy Act
regulates agencies and organisations in a flexible way. They can tailor
personal information handling practices to their diverse needs and business
models, and to the equally diverse needs of their clients.
The Privacy Act combines principles-based law with more
prescriptive rules where appropriate. This regulation is complemented by
guidance and oversight by the regulatory body, the Office of the Australian
This is comparable to international regulatory models in
Canada, New Zealand and the United Kingdom.
Submitters argued that the APPs achieve neither the objective of
high-level principles nor that of simplicity. The Office of the Victorian Privacy
Commissioner (Privacy Victoria) noted that while some of the APPs are
successfully expressed as high-level principles, 'in others the level of detail
and complexity work against this aim'. For example, a number of exceptions
included in various APPs are specific to Commonwealth agencies. Privacy
Victoria concluded that:
A better approach would be to draft high-level, simple, lucid
principles, which could equally apply to Commonwealth, State or Territory
public sector agencies, local councils or private sector organisations. Then,
where one or more of these entities needed modification to or exemption from
the specific APP, this could be done in a separate section of the Privacy
The OPC supported a high-level, principles-based, technology-neutral
approach 'that is capable of protecting and promoting individuals' privacy into
The OPC noted that one of the significant benefits of principles-based law is
that it is generally easier for the public, and entities with obligations, to
privacy law should enable entities to understand the policy underpinning the
law and to adapt their practices accordingly. The law should be clear, but also
sufficiently flexible, to enable entities to determine how best to pursue their
functions and activities in a way that complies with the Privacy Act.
The OPC went on to state that clear and easily understood obligations
make it easier for entities to comply, and thereby reduce the administrative
burden and cost of compliance and the frequency of privacy breaches and
Submitters provided specific examples of APPs which were not considered
to meet the aim of high-level principles. The Australian Finance Conference (AFC),
for example, commented that APP 8 (cross border disclosure) was
substantially different to what was recommended by the ALRC and from the
current NPP 9. AFC commented that:
...as a matter of policy and drafting it fails to achieve the
key objectives (e.g. high-level principles, simple, clear and easy to
understand and apply) of the reforms. It also shifts the risk balance heavily
to the entity and we query the individual interest justification to support
A significant concern raised by submitters was the complexity of some of
the APPs. The OPC noted that during its 2005 Private Sector Review stakeholders
called for greater simplicity in the drafting of privacy protections. The OPC
concluded that the extent to which the exposure draft and APPs achieve the
widely supported objectives of high-level principles that are simple and easy
to understand 'is an important yardstick for the success of the overall
However, submitters commented that some of the APPs are highly detailed,
lengthy, legalistic and complex, with some provisions having to be read in
conjunction with other sections to understand how they will apply. It was concluded
that the APPs are not clear or easy to understand and apply, contrary to the
The Victorian Privacy Commissioner commented:
...the current drafting of the APPs works against the
simplification and harmonisation which was the core recommendation of the ALRC.
The APPs should be redrafted in order to achieve this fundamental objective.
The Public Interest Advocacy Centre (PIAC) also provided similar
comments and argued that a clear and more accessible document should be the aim
of the reforms. PIAC stated that this has not been achieved. Rather 'the draft
document reads as highly legalistic, and is not designed for easy access by the
public'. PIAC noted that the ALRC's recommended principles were approximately 10
pages long, while the APP exposure draft is 41 pages long 'reading often like
the most complicated sections of the taxation law'. PIAC concluded:
Whilst it does appear that the Government has admirably adopted
many suggestions made in the consultation process, thereby making the document
more complex and qualified, the purpose of having clear privacy principles now
appears lost. A plain English redraft is clearly needed.
Qantas also commented on this matter and submitted:
Qantas is concerned that the simple language and structure
contained in the current National Privacy Principles (NPPs) has been abandoned
in favour of a more verbose and complex set of principles which are more
difficult to interpret and discern the intention and meaning of.
The concerns about the effect of the complex nature of the APPs were
highlighted by the Law Council of Australia (LCA), which commented that it is particularly
important for the APPs to be written in plain English, as 'the purpose of the
legislation is to give meaning to the privacy rights of individuals'. The LCA was of the view that those outside
of the legal profession will be discouraged from engaging with or even reading
the APPs. In addition, in their current form, entities are likely to find it
difficult to comply with privacy requirements. While it was acknowledged that
guidelines would be established by the Privacy Commissioner, the LCA concluded
that 'it is also important that the legislation itself is clear and not
In a supplementary submission, the LCA made additional comments in
relation to the complexity of the APPs and stated that the APPs should revert to
the simpler style of the NPPs which was based on the original OECD guidelines.
The LCA added that 'many of the distinctions in the proposed legislation appear
unnecessary, making the proposed new principles difficult to interpret, and
therefore less accessible to ordinary members of the public at large, to
privacy practitioners, regulated organisations and consumers'. The LCA gave
examples of the APPs that are more verbose and complex than the NPPs:
APP 2 replaces the shorter NPP 8, even though the meaning is
The Office of the Guardian for Children and Young People (South
Australia) supported the LCA's view and stated that many 'small to medium-sized
NGOs would be unable to allocate resources to develop organisational policies
and procedures that translate the Principles into operational instruction'.
Other submitters provided specific examples of where the complexity of
the APPs would pose issues with compliance. Privacy Law Consulting, for
example, stated that APP 7 (direct marketing) is complex with an equally
complex matrix of data types, circumstances and requirements. As a result:
...organisations will find it difficult to develop compliance
programs and systems that can distinguish between, and manage, the matrix of
data types, circumstances and requirements. This could result in, for example, organisations
simply adopting "the lowest common denominator" (e.g. providing opt‐out facilities and/or
obtaining consent) in relation to all direct marketing activities, which may be
unintended consequences of the principle.
The OPC provided examples of overly long terms used repeatedly; for example,
the use of 'such steps that are reasonable in the circumstances', rather than
the shorter, more concise 'reasonable steps'. In addition, the OPC commented
that requirements that are substantially similar are repeated, adding to the
complexity of the APPs; for example, the requirements relating to the
collection of sensitive information in APP 3(2) and (3).
The many suggestions for simplification of specific APPs are discussed
in the relevant chapters of this report. However, the OPC made the following general
suggestions to simplify the APPs and make them more readily understandable:
- format the principles in the simpler style used by the ALRC in
its Model Unified Privacy Principles (UPPs) or the existing NPPs;
- use more concise language to reduce length; for example,
'reasonable steps' rather than 'such steps are reasonable in the
- avoid repeating requirements that are substantively similar
(consider grouping them into one clause);
- consider the plain meaning of terms and use them consistently;
- keep principles high‐level
and generally applicable to all entities (rather than to a specific agency or
The OPC noted that there were a range of agency specific exceptions
throughout the APPs with the first appearing in APP 3. The OPC stated that
the APPs 'are intended to provide a broad framework for the appropriate
collection, use or disclosure of personal information by agencies and
organisations'. Provisions, including the 'required by or authorised by law'
provision, take into account the needs of agencies. Rather than agency specific
provisions being incorporated in the APPs, the OPC was of the view that it is
preferable that the specific activities are addressed in portfolio legislation
Keeping the Privacy Act's exceptions generally applicable
will maximise the APPs' coherence and relevance to all entities. This is
consistent with the recommended objectives that the principles should be 'high‐level', and should be
redrafted to achieve greater logical consistency, simplicity and clarity.
The OPC went on to argue that agencies should be aware of existing and
new exceptions (for example, the missing persons and the declared emergencies
and disasters exceptions) as a means of providing for flexibility for their
operations. The OPC also commented that the inclusion of broadly worded
exceptions to the general principles could lead to a reduction in
accountability of agency activity; for example, the term 'diplomatic or
consular functions or activities' could cover a very wide range of activities.
The OPC concluded that the inclusion of agency specific exceptions should be
limited to instances where there is no appropriate alternative. In addition, it
could be considered whether any such exceptions should be accompanied by rules
made by the Privacy Commissioner as is envisaged with the missing person
exception. The OPC concluded:
Overall, any such exceptions, or authorisations in other
legislation, should balance the agencies' needs to fulfil their functions, with
individuals' expectations of personal information protection and agency
The committee considers that the task faced in drafting a unified set of
privacy principles to achieve the Government's aim has been complex and
difficult. Drafters were required to consolidate privacy principles covering
both agencies and organisations and incorporate the ALRC's recommendations
accepted by the Government as well as a broader range of exceptions in some
APPs. This has, in some instances, resulted in longer principles. However, the
committee does not agree that longer principles are necessarily more complex as
has been argued by some submitters.
The committee supports the view that the APPs must be clear, simple and
accessible to all users, not just legal or privacy practitioners. Without an understandable
and accessible privacy regime, there is a danger that compliance issues may
arise, that effectiveness of the regime may be undermined and that individuals
will not adequately understand their privacy rights. The committee has noted
the views of the OPC in relation to the need to simplify some aspects of the
APPs. As the national privacy regulator, and given its role in investigating
complaints, providing advice on privacy rights and providing guidance to
agencies and organisations on their new obligations, the committee takes
particular note of the OPC's views.
The committee therefore considers that there are opportunities to refine
the APPs to improve clarity and simplicity, particularly in relation to the use
of more concise language to reduce the length of the APPs and avoid the
repetition of requirements that are substantially similar.
The committee recommends that the Department of the Prime Minister and
Cabinet re-assess the draft Australian Privacy Principles with a view to
improving clarity through the use of simpler and more concise terms and to
avoid the repetition of requirements that are substantially similar.
A further matter raised in relation to the complexity of the APPs was
the inclusion of agency specific provisions. In particular, submitters pointed
to the exceptions provided to agencies in some APPs, for example, APP 3
(collection of solicited personal information) and APP 8 (cross border
disclosure of personal information). The committee acknowledges that the
consolidation of the IPPs and NPPs has resulted in the inclusion of agency
specific provisions as the privacy regime must include flexibility for
particular agencies to carry out their functions. However, the committee notes
the comments of submitters that this may adversely affect the objective of
establishing high-level principles. The committee therefore believes that
reconsideration should be given to the inclusion of agency specific provisions in the
light of the OPC's suggestion that agency specific matters should, in the first
instance, be dealt with in portfolio legislation.
The committee recommends that reconsideration be given to the inclusion
of agency specific provisions in the Australian Privacy Principles in the light
of the Office of the Privacy Commissioner's suggestion that agency specific
matters should, in the first instance, be dealt with in portfolio legislation.
The Companion Guide notes that the order in which the APPs appear is
intended to reflect the cycle that occurs as entities 'collect, hold, use and
disclose personal information'.
This approach was supported by submitters.
The ALRC further commented:
The manner in which the structure reflects the information
cycle also provides great integrity to the structure of the proposed
However, Privacy NSW recommended that if the privacy principles are to
better reflect the information cycle, and how entities use personal
information, APP 10 (quality of personal information) and APP 11 (security
of personal information) should be situated after the notification principle
(APP 5) and before the use and disclosure principle (APP 6). Privacy
NSW commented that the processes of ensuring quality and security of personal
information should happen before decisions about use or disclosure of personal
Various submitters commented on the inclusion of the APPs within the
legislation with each APP forming a separate section of the Act. As a result of
this structure, it was noted that the numbering of the sections of the exposure
draft is confusing: the number of each APP does not correspond with the section
number of the APP. It was recommended that either each APP be numbered the same
as the section or clause number, or that the APPs be provided in a schedule to
the new Privacy Act.
Professor Graham Greenleaf and Mr Nigel Waters commented on both these
suggestions. They noted that difficulties have arisen in referring to the NPPs
as these are located in a schedule to the current Privacy Act. However, they
also observed that making each principle a separate section of the Act risks causing
confusion. This has occurred with NSW Privacy and Personal Information
Protection Act 1998 where references to the principles and the sections of
the NSW Act have been confused. Professor Greenleaf and Mr Waters came to the
conclusion that having each principle in a separate section means that 'the Act
will work better in online research systems', and that this probably outweighs
the difficulties of this approach.
The Department of the Prime Minister and Cabinet (the department) responded
that the numbering 'was a drafting issue' but that it should be remembered that
this is the first part of the drafting process and concluded:
...once the entire Privacy Act is rewritten it will flow and
you will see the flow better in terms of the section numbering et cetera.
The committee considers that the placement of the APPs properly reflects
the information cycle. The committee also notes that while the NPPs are listed
in a schedule to the Act, the IPPs are included in the Privacy Act. The committee
considers that there are advantages in having the APPs within the Act as it
places the APPs at the forefront of the legislation and underscores their
importance to the reforms envisaged by the Government.
The committee also notes that section 18 of the exposure draft has been
included to ensure that while the APPs are set out in sections, a reference in
the Act to an APP by number is a reference to the APP with that number and not
the section in which it appears.
This makes it clear that the APPs are to be referred to by their number and
part rather than by the sections of the Act within which they appear.
In addition, the committee acknowledges the department's comments that
the APP exposure draft is only the first stage of the drafting process.
As indicated in the Companion Guide, the Government agreed with the
ALRC's finding that the privacy of individuals will be best protected through a
technologically neutral privacy regime.
The ALRC welcomed the adoption of a technologically neutral approach
taken in the exposure draft.
Other submitters also agreed that the APPs should be written in such a way as
to apply regardless of the specific technology used in the collection, use and
management of personal information.
The Australian Direct Marketing Association (ADMA), for example, commented:
The rapid onset of technologies makes it vitally important
that the Australian privacy framework applies and protects personal information
regardless of the types of technologies that emerge in the future.
Privacy Victoria argued that, should a particularly privacy-intrusive technology
be developed in the future, specific legislation should be enacted to regulate
it effectively.
The department commented that the ALRC made particular recommendations
around keeping the principles and the Act technologically neutral. The department
considered that the APPs reflected the Government's agreement with those
recommendations, in particular, that the area of technology should be the
subject of guidance from the OPC. The department concluded:
Certainly the government accepted that that was the way to go
and not to try to legislate for technology developments because you really
cannot. As soon as you do them, you are 10 years out of date immediately.
The committee considers that the APPs meet the aim of technological
neutrality and notes that the Government supports a 'renewed role for the
Privacy Commissioner to conduct research, and to guide and educate Australians on
technologies that impact on or enhance privacy'.
Definitions and consistency
The committee received a range of comments in relation to definitions
and the consistent use of terms in the APP exposure draft.
Use of the term 'reasonably necessary'
It was noted that the term 'reasonably necessary' is used extensively in
the exposure draft. The OPC submitted that it had a number of 'significant
concerns' regarding the use of this term rather than the term 'necessary'. The
concerns related to:
- the introduction of 'reasonably necessary' in the new collection
test in APP 3(1) (APP 3–collection of solicited information);
- multiple interpretations of 'reasonably necessary' in different
- varied formulations of tests relating to necessity in the exposure
The OPC observed that while the Companion Guide states that 'reasonably
necessary' is intended to be interpreted objectively, the ALRC report suggested
that determining what is 'necessary' is already an objective test. In relation
to the use of 'reasonably necessary' in APP 3(1), for example, the OPC
considered that it could add a qualification to 'necessary' which
unintentionally broadened the scope for collection and thus lessened
protections provided in the current IPP and NPP requirements, both of which use
'necessary'. The OPC went on to state that it did not agree that 'reasonably
necessary' adds a further objective requirement to APP 3(1) or that such a
requirement is needed.
The second matter noted by the OPC was that there appeared to be
different meanings of the term 'reasonably necessary' in different APPs. While
the Companion Guide provides an explanation of the term in relation to
APP 3(1), the OPC argued that the Companion Guide does not provide
guidance about the use of the term in other APPs. For example, the use of
'reasonably necessary' in APP 6(2)(e), which relates to the disclosure of
personal information without consent for enforcement related activities, may
reflect a different meaning of 'reasonably necessary'. The OPC suggested that
'reasonably necessary' be removed from draft APP 3(1) to minimise
confusion and complexity.
The final matter in relation to the term 'reasonably necessary' raised
by the OPC concerned varied formulations of tests involving 'necessary'. The OPC
provided a table which shows that APP 3(3) contains three different tests
across seven provisions and stated that:
It may be unclear to an individual, business or agency
reading APP 3(3) what the various different formulations mean, which is
intended to be more restrictive, and which more permissive.
While supporting distinctions to add clarity, the OPC argued that the
tests could be streamlined so that inconsistent and confusing language is
The OPC concluded that, in order to improve clarity and simplicity, the term
'reasonably necessary' be replaced with 'necessary' throughout the APPs and
that, if further clarity is required, an objective test for 'necessary' be
included in the Explanatory Memorandum.
The committee raised this issue with the department which put the view
that while the word 'reasonably' qualifies the word 'necessary', it did not do
so in an inappropriate way. Rather, the department stated:
The elements of the test are cumulative. So, first, the
proposed activity must, from the perspective of a reasonable person, be
legitimate for the entity and the intent of purpose; and then, second, the
action has to be genuinely necessary for the entity to pursue the intended
function or activity. So you have to think of it in two stages.
The department went on to state that it saw the 'reasonably necessary'
test as enhancing the privacy aspects rather than diminishing privacy
protections as argued by some submitters.
Reasonable steps test
The OPC noted that many of the APPs use the term 'such steps as are
reasonable in the circumstances' and that this term is based on the older
language of the IPPs while the NPPs use the term 'reasonable steps'. The OPC
submitted that it is preferable to use the 'reasonable steps' term for the APPs
rather than the term 'take steps as are reasonable in the circumstance' as:
- it is shorter and simpler and would thus reduce complexity and
length of most of the APPs;
- it can be implied from a plain reading that 'reasonable steps'
has an equivalent meaning to 'such steps as are reasonable in the
circumstances', as well as being emphasised in explanatory material and the Office's
guidance (or if necessary, a note on first use in the APPs);
- organisations are already familiar with the concept of 'reasonable
steps', and agencies (currently regulated by the longer terminology) will not
need to adjust their practices in moving to 'reasonable steps'; and
- in some APPs, the words '(if any)' are added in cases where it
may be reasonable not to take any steps, depending on the circumstances.
In response to comments on the use of the term 'such steps as are
reasonable in the circumstances', the department stated that in its view, the
term used ensures that the specific circumstances of each case have to be
considered when determining the reasonableness of the steps in question. The
While it is arguable that it is implicit in the expression
'reasonable steps' that the surrounding circumstances must be considered, the changed
reasonableness formulation makes this explicit. This Department believes this
additional clarity and focus on the circumstances surrounding an entity's
specific privacy obligation, will have the overall effect of promoting greater
compliance with privacy obligations which will be to the benefit of
The Law Council of Australia also commented on the 'reasonable steps'
test and noted an inconsistency throughout the APPs, with an entity sometimes
required to 'take such steps as are reasonable' and other times required to
'take such steps (if any) as are reasonable'. The Law Council submitted that
the latter phrase should be adopted consistently throughout the APPs.
The committee has noted the comments provided by the Office of the
Privacy Commissioner in relation to the use of the term 'such steps as are
reasonable in the circumstances'. While the committee agrees that the use of a
term to make meaning explicit has benefit, it also adds to the complexity and
length of many of the APPs. On balance, the committee leans towards the use of
the term 'such steps as are reasonable in the circumstances' to ensure that the
meaning is clear. However, the committee suggests that the use of this term
should be reviewed in the overall re-assessment of the draft APPs as recommended
in recommendation 1.
In relation to the Law Council's comments on the 'reasonable steps'
test, the committee notes that the Companion Guide commented on the requirement
to take reasonable steps and stated that:
In some cases the words "(if any)" are used to
ensure that, in that particular case, if there are no steps that an entity
needs to take to fulfil its obligations, it need not take any steps.
Definition of 'personal information'
Following its examination of the meaning of the term 'personal
information', the ALRC concluded that, as information handling is highly
contextual, a significant margin for interpretation and implementation is
created and thus:
...elements of the definition of 'personal information' will continue
to give rise to theoretical uncertainty. While much information will fall clearly
inside or outside the definition, there will be a need for ongoing practical guidance
in relation to areas of uncertainty. The OPC has suggested that it issue
further guidance on the meaning of 'personal information'. The ALRC agrees that
such guidance will be necessary to indicate how the definition operates in
specific contexts. In particular, the ALRC recommends that the OPC develop and
publish guidance on the meaning of 'identified or reasonably identifiable'.
The ALRC went on to recommend that 'personal information' should be
defined as 'information or an opinion, whether true or not, and whether recorded
in a material form or not, about an identified or reasonably identifiable
individual'.
The Government accepted this recommendation and commented that the
proposed definition did not significantly change the scope of what is
considered to be 'personal information'.
The Companion Guide provides commentary on the definition of 'personal
information' and states that the scope of the definition is not changed; rather
there is a conceptual difference revolving around the concepts of 'identity',
as used in the current definition, and 'identification', as referred to in the
draft definition.
The definition of 'personal information' is as follows:
personal information means information or an
opinion about an identified individual, or an individual who is reasonably
identifiable:
whether the information or opinion is true or not; and
whether the information or opinion is recorded in a material form or not.
The LCA commented that the definition of 'personal information' 'is a
central definition in that it determines the scope of the whole Act' and that
the definition proposed should only be supported if 'it is not intended to
change the scope of the existing concept'. Further:
This should be supported by an express and official statement
that would be available to assist in interpretation (under the Acts
Interpretation Act) to the effect that the change in drafting was not intended
to change the meaning.
The ADMA supported the new definition of personal information, in
particular the inclusion of a 'reasonable' test, and encouraged inclusion of an
explanation of the 'reasonable' test in the Explanatory Memorandum for the new
Privacy Act.
However, some submitters argued that the new definition of 'personal
information', and the explanation provided in the Companion Guide, have the
potential to substantially expand the scope of what is classified as 'personal
information', and thereby the scope of what is covered by the Act.
Submitters argued that an expanded scope of personal information would result
in more onerous requirements on entities, and potentially an increased cost
burden.
Submitters were concerned to ensure that any expansion of scope is
clearly expressed either in the legislation or in the explanatory material
accompanying the legislation. Google, for example, commented:
...the legislation should itself make clear that the context and
circumstances in which information is held is to be taken into account in determining
whether information is or is likely to be aggregated or combined so as to
enable an individual to be reasonably identifiable.
Yahoo!7 and the Law Institute of Victoria (LIV) commented on the
inclusion of 'opinion' in the definition of personal information. Yahoo!7
considered that the concept of 'information' is broad enough to incorporate
'opinion' and therefore did not believe that it was necessary to include
'opinion' in the definition.
The LIV expressed the view that while the APPs currently define 'personal
information' as both information and opinions about a person, this should be
split into two categories in order to specifically address the issue of
ownership and control of personal information. The two categories would be:
'primary personal information' which might include identity
information, biometric information etc, and which would be owned by the
individual, so that the individual can require an entity to destroy primary
personal information which it holds about them (subject, of course, to any
statutory obligations or rights of entities to collect or retain information);
'secondary personal information', which would be opinions held
about an individual.
Submitters also provided suggested amendments to the definition of 'personal
information' as follows:
Privacy NSW recommended that the words 'from the information or
opinion' be added after 'reasonably identifiable' to provide the appropriate
Privacy NSW recommended that the definition exclude certain
categories of information, such as information more than 30 years old, as is
the case in the NSW privacy legislation, thus removing repeated references to
Professor Graham Greenleaf and Mr Nigel Waters submitted that the
definition needs to be broadened by replacing 'reasonably identifiable' with
'potentially identifiable' to ensure that the Act covers 'information which, while
not in itself identifying an individual, allows interaction with persons on an
individualised basis, or the imparting of consequences on an individualised
basis'.
Yahoo!7 also argued that as a person could be reasonably
identifiable to one entity and not another, the phrase 'by an entity' be added to
the first sentence of the definition so that it encompassed an individual who
is 'reasonably identifiable by an entity'. For example, 'an IP address could be
considered personal information by an ISP as they are capable of reasonably
identifying the person to whom that IP address resolves back to. An online
services provider who does not offer Internet access will not be able to use an
IP address to identify a person'.
Submitters supported the recommendation that the OPC develop guidance
on the interpretation of 'personal information' to assist entities in ensuring
that they have appropriate processes in place for their functions and
activities to comply with the Act.
The department provided a detailed response to concerns raised in
relation to the term 'personal information'. The department noted that inclusion
of the requirement that the individual be 'reasonably identifiable' ensures
that the definition continues to be based on factors which are relevant to the
context and circumstances in which the information is collected and held.
Generally, this would mean that the information must be able to be linked to
other information that can identify the individual thus limiting possible
identification based on the context and circumstances. In effect, while it may
be technically possible for an entity to identify a person by the information
it holds, it may be that it is not practically possible. The department
concluded that the 'test requires consideration of all the means that are
reasonably open for an information holder to identify an individual'.
The department reiterated that the inclusion of a 'reasonably
identifiable' element within the definition does mean that additional
information could fall within the new definition. It went on to state:
Some information on its own would not meet the current
definition which requires an individual's identity to be apparent or reasonably
ascertainable, from the information (e.g. an IP address). However, that
information would fall within the new definition if, in conjunction with other
information, it could be used to identify an individual. On that basis, it is
arguable that additional information would be subject to the privacy
protections in the APPs.
Nevertheless, as noted in the Companion Guide, the proposed
definition of 'personal information' does not significantly change the scope of
the existing concept in the existing Privacy Act. The key conceptual difference
revolves around the concepts of 'identity' as used in the current definition,
and 'identification' as referred to in the draft definition. The ALRC
considered that 'identification' was more consistent with international
language and international jurisprudence, and that explanatory material based
on the terms 'identified' and 'identifiable' will be more directly relevant.
The committee has noted the divergence of views in relation to the
definition of 'personal information' and agrees that guidance on this matter
should be provided as a matter of priority.
The committee recommends that the Office of the Australian Information Commissioner
develop guidance on the interpretation of 'personal information' as a matter of
priority.
The term 'Australian law'
Both Qantas and Google commented on the definition of, and use of, the
term 'Australian law'. This term is used in a number of APPs including
APPs 2, 3, 5, 6, 8, 9, 11 and 12. The Companion Guide states that the
definition of 'Australian law' is new and 'has been included to clarify the
scope of provisions that allow collection, use or disclosure where it is
required or authorised by or under law'.
Qantas commented that confining laws to 'Australian law' fails to
recognise that organisations operating in foreign jurisdictions are often
required to collect, disclose and use personal information under the laws of
those jurisdictions.
Google raised the same matter and provided the example of where a foreign
country may mandate disclosure of personal information in response to a
subpoena issued by a court exercising jurisdiction over the operations of the
service provider in that foreign country. In papers submitted by Macquarie
Telecom, the storage of data offshore by Australian businesses was examined and
it was concluded that 'it is possible that storing data within the United States
may provide enough of a connection for a United States court to find
jurisdiction over an Australian company storing its data there and subject the
company to the US discovery obligations'. The papers further argued that data
stored in the United States is at greater risk of being accessed by government
agencies, as the Patriot Act provides US government agencies with extensive powers.
Google commented that it would be inappropriate to place the service
provider in jeopardy under Australian law for responding to a valid court
process in a foreign jurisdiction.
Both Qantas and Google recommended amendment of the exposure draft so as
to recognise that entities may need to deal with personal information in ways
required under laws of other jurisdictions and that such dealings should not be
regarded as an interference with the privacy of an individual under Australian
law. Qantas submitted that the appropriate means of achieving this was to
replace the term 'Australian law' with the term 'applicable law', being laws
(including legislation, regulations, directions and rules) applicable in a
given jurisdiction.
The department responded to these concerns as follows:
The Government's position is that an entity with an Australian
link must comply with the APPs relating to an act done, or practice engaged in,
within Australia. The existing policy achieved by subsection 6A(4) and section
13D of the Privacy Act will be retained to ensure that an act or practice that
is done or engaged in outside Australia will not be an interference with
privacy if it is required by an applicable law of a foreign country. For
example, an organisation would not breach the APPs if a foreign court judgment
required disclosure of personal information in that jurisdiction to assist in
investigating a criminal offence.
The committee notes the advice provided by the department and has no
further comment to add in relation to the use of the term 'Australian law'.
The ALRC considered the meaning of 'consent' as it applies to the privacy
principles in the Privacy Act, together with other issues concerning 'consent'.
In considering how best to clarify the meaning of 'consent' in relation to
privacy, the ALRC did not support the option to amend the Privacy Act to set
out in detail what is required to obtain consent as this approach would require
a very large number of prescriptive rules. This would also be inconsistent with
a principles-based approach. Similarly, amending the definition of 'consent'
was not supported as the ALRC noted that the common law has an important role
to play in determining elements of consent and a statutory definition would not
capture the evolution of the meaning of 'consent' and may have unintended
consequences.
The ALRC formed the view that the most appropriate way to clarify the
meaning of 'consent', as it applies to the privacy principles, is for the OPC
to provide further guidance. According to the ALRC, such guidance should
address the factors to be taken into account by entities in assessing whether 'consent'
has been given. The guidance should also cover express and implied consent as
it applies in various contexts; for example, in transactions concerning
financial services as well as 'bundled consent'.
Professor Croucher, President, ALRC, further commented:
In our report we recommended that the Office of the Privacy
Commissioner should develop and publish guidance about what is required of
agencies and organisations to obtain an individual's consent. This guidance
should, for instance, address a number of the things that I am grabbing at—the
factors to be taken into account by agencies and organisations in assessing
whether it has been obtained, which is kind of what you are asking about in
asking how. It should cover express and implied consent as it applies in
various contexts and include advice on when it is and is not appropriate to use
the mechanism of bundled consent—in other words, a consent to general use.
The Government response indicated that it encouraged the Privacy
Commissioner to develop guidance as recommended by the ALRC. In addition, the
response indicated that the definition of 'consent' would be expanded to
clarify that an individual may withdraw consent where it is lawful to do so.
The Companion Guide notes that the term 'consent' is defined within the existing
Privacy Act and the new Privacy Act will contain a definition on the same
terms, that is, that 'consent' means express or implied consent. The Companion
Guide goes on to note that there are some circumstances where it will not be
possible for a person to withdraw their consent.
The issue of the definition of 'consent' was raised by some submitters.
Both Privacy NSW and the LIV suggested that the definition of 'consent' be
further developed. The LIV commented that individuals cannot consent to the
collection of sensitive personal information where consent is obtained in a
coercive or unreasonable way. The current definition does not preclude consent
being obtained unreasonably or in a way that undermines the objectives or
purpose of the APPs and should therefore be further developed.
Privacy NSW argued that separate definitions of, and references to, both
'implied consent' and 'express consent' are required as, under the existing
definition, entities may inappropriately rely on implied consent rather than
express consent.
In particular, Privacy NSW considered that the collection of sensitive
information should be contingent on 'express consent' unless the entity can
reasonably rely on a relevant exception. Further:
In circumstances where an individual lacks the capacity to
provide express consent (for instance through disability or age), we suggest
that there be an exception which permits collection if the entity has obtained
express consent from an authorised representative who is empowered to make
substitute decisions on behalf of the individual. We suggest that there be an
Australian Privacy Rule which governs the means by which an entity be satisfied
it is dealing with an authorised representative.
The Public Interest Advocacy Centre called for the use of the phrase
'express and informed consent' throughout the APPs.
Professor Greenleaf and Mr Waters submitted that the treatment of 'consent'
in the exposure draft, like that of the ALRC, had not addressed 'one of the most
significant weaknesses in the current
regime'. The main concern was that the interpretation of 'consent' could be
undertaken in ways that weaken the legislation by undermining the effect of a
number of principles. They argued that the concept of 'consent' is crucial and
should not be left to guidance by the Privacy Commissioner. Rather, the
definition should be amended to deal with key issues and other aspects should
be included in the Explanatory Memorandum. Professor Greenleaf and Mr Waters
considered that the following points should be made clear:
consent must be clear and unambiguous, regardless of whether it
is express or implied;
a failure to opt out, on its own, should not be taken as unambiguous consent;
where an individual must disclose personal information to receive
a benefit, no consent can be implied for use beyond the purpose of collection –
only express consent should apply; and
every proposed purpose of use should require separate consent, to
prevent the misuse of the practice of 'bundled consent'.
In its response to the committee's questions on notice in relation to
consent, the department commented that under section 15 of the exposure draft,
'consent' means 'express consent or implied consent' and that the Privacy
Commissioner has previously stated that implied consent 'arises where consent
may reasonably be inferred in the circumstances from the conduct of the
individual and the organisation'. The department also stated:
The Government accepted the key thrust of [the ALRC's consent]
recommendation and stated that it would encourage the development and
publication of appropriate guidance by the Office of the Australian Information
Commissioner (AIC), noting that the decision to provide guidance is a matter
for the AIC.
While it is ultimately a matter for the AIC, we anticipate
that the guidelines will address matters such as those raised by the Law
Council of Victoria.
The issue of a definition of 'consent' was raised by many submitters.
The committee notes the Government's acceptance of the ALRC's recommendation in
relation to consent and considers that the matter of consent should be
considered by the Office of the Australian Information Commissioner as a matter
of priority to ensure that appropriate guidance is available concurrently with
the new Act.
The committee recommends that the Office of the Australian Information
Commissioner develop guidance on the meaning of 'consent' in the context of the
new Privacy Act as a matter of priority.
A number of submitters commented on the way in which the exposure draft
dealt with the issue of exemptions, in particular the continuation of the small
business exemption. In the APP exposure draft, the definition of organisation
explicitly excludes 'a small business operator' and 'a registered political
party', but the exposure draft does not include an express reference to the
exemption regarding employee records.
Further, the Companion Guide states that the small business exemption will be
retained for the time being; however, the Government will consider whether the
exemption should continue in its second stage response to the ALRC's review.
In its submission to the committee, the ALRC reaffirmed its view that the
exemptions under the current Privacy Act, pertaining to small business,
registered political parties, and employee records, should be removed.
Small business exemption
A number of submitters called for the removal of the small business exemption.
The ALRC commented that:
...beginning from first principles there is no logical reason
why somebody whose personal information is held by a small business should have
less privacy protection than somebody who works for a larger enterprise. I
would rather put the emphasis on privacy. As a right, obviously, all rights
have to be balanced, including against economic and financial considerations,
but that was always where our emphasis lies.
Submitters also pointed out that small business is the majority business
type in Australia, and, with the use of computer systems, small businesses are
able to collect, use and disclose relatively vast amounts of personal
information some of which may be very sensitive personal information.
Further, it was observed that government entities often outsource services
involving personal information, and protection is required when personal
information is passed on to the private and community sectors.
The LIV summed up the position of those who did not support the
retention of the exemption by stating that 'the nature of information
collected, and not the size of the organisation that collects the information,
should determine whether restrictions should be imposed on the collection of
information.' The LIV further argued that the exemption does not currently
diminish the regulatory burden on small business.
The ALRC noted that the cost of compliance with the legislation was a
significant concern for the small business community, who staunchly supported
the retention of the exemption. However, the ALRC observed that small
businesses are not exempt from the general privacy law in any 'other comparable
jurisdiction in the world'. Further, other stakeholders to the ALRC's review
argued that 'consumers have the right to expect that their personal information
will be treated in accordance with the privacy principles'. Given this support,
the ALRC maintained its recommendation that the small business exemption be removed.
The ALRC also noted that its research had shown that the compliance costs may
not be as great as previously suggested and that the costs of continuing the
exemption in relation to international business may outweigh the compliance
costs. Professor Croucher, ALRC, stated:
The costs as presented to us at the time and as analysed by
our own independent research study were not as great as were suggested, and the
international context and the standing of our business community within the
context of the European directive was such that retaining the exemption, we
thought, was not justified.
Other submitters supported the retention of the exemption, arguing that
removal of the small business exemption would impose an additional compliance
and cost burden to small business, which is already subject to significant
regulation. It was also noted that there is provision for small businesses to
opt in to the application of privacy legislation, and many small businesses do
so. Further, the Australian Hotels Association (AHA) supported the indexation
of the current $3 million annual turnover threshold, as fewer small businesses
qualify for the exemption every year.
The Catholic Education Office of the Archdiocese of Melbourne noted that
the small business exemption is currently inconsistently applied between
Catholic schools. They submitted that an exemption excluding application of the
Privacy Act to Catholic schools should be provided, as:
A Catholic school is not technically a 'business' in the
normal commercial sense. It does not strive to make a profit. It is supported
by the considerable voluntary efforts of the school community and the Catholic
Church and relies heavily on government funding for its revenue. The annual
turnover amount is an arbitrary sum, and in many cases the actual turnover of
the school varies from year to year, often around the exemption limit.
Registered political parties
The ALRC also recommended the removal of the exemption for registered
political parties, both in its report and in its submission to the committee. While a
similar exemption exists in the United States and Canada, registered political
parties are not exempt in the United Kingdom, New Zealand or Hong Kong.
Professor Croucher, ALRC, commented:
The fundamental principle is the importance of the protection
of personal information. Consistent with the very first principle identified in
the Australian Privacy Principles, the 'open and transparent management of
personal information', there should not be an exemption of the kind that is
contemplated by the political party exemption.
Employee records
Under the current Privacy Act, employee records are treated differently
by agencies and by organisations. While the existing Act does not require
Government agencies to treat employees' records any differently to other
personal information, private sector organisations are exempt from the
requirements of the Privacy Act where their acts or practices relate directly
to an employee record held by the organisation, or the employment relationship
between an individual and the organisation. The basis of the exemption of
employee records in the private sector is that the protection of such
information is more properly a matter for workplace relations legislation.
In its submission to the committee, the ALRC again called for the
removal of the employee records exemption. The ALRC noted that 'there is no
sound policy reason why privacy protection for employee records is available to
public sector employees but not private sector employees'. Further, as the majority
of Australian employees were employed in the private sector, the ALRC
considered the exemption resulted in 'a significant gap in privacy regulation'.
This position was supported by Privacy NSW.
The AHA argued for the retention of the exemption, as the collection of
information about employees for purposes directly related to their employment
is both reasonable and necessary:
Practices such as surveillance measures to prevent theft or
even 'mystery shopper' activities designed to improve service standards are
common practices in the industry which require the collection of personal information
for the purposes of managing the employment relationship. Records of
discussions held with employees over performance matters typically include
personal information as defined in the Draft Principles. The maintenance of
these sorts of records is necessary under workplace relations legislation if
the employer needs to discipline or terminate the employee. It should be
mentioned that these same records are also used to determine whether an
employee is fit for promotion or an increase in remuneration.
The committee notes that the Companion Guide indicates that, at this stage,
the small business exemption will be retained. Ms Joan Sheedy, Department of
the Prime Minister and Cabinet, stated that in the second stage response to the
ALRC recommendations, the Government will consider the recommendations relating
to the removal of the exemptions currently in the Act. Ms Sheedy went on to
comment that 'there are no government decisions that have been taken yet in
relation to those exemptions'.
The committee considers that no further comment is required at this
stage in relation to exemptions from the Privacy Act.
Interaction with state and territory legislation
Both the Office of the Victorian Privacy Commissioner and the Health
Services Commissioner, Victoria (HSC), noted that the Companion Guide indicates
that no changes will be made to the Privacy Act provisions which preserve the
effect of any state or territory law that makes provisions about interferences
with privacy, if it is capable of operating concurrently with the existing
Privacy Act. However, they argued that this statement suggests that the
approach outlined in the Companion Guide does not reflect the ALRC review
recommendations or the approach outlined in the Government response,
particularly in relation to private sector health providers.
While the HSC welcomed the Government's position, arguing that the interests
of consumers and organisations can best be served by having State and Commonwealth
regulators working co-operatively, the Office of the Victorian Privacy
Commissioner sought clarity on this issue.
Other submitters expressed disappointment that the reforms had not led to a
streamlining and harmonisation of privacy law in Australia.
Yahoo!7, for example, commented that a level of uncertainty had been introduced
'as we were hoping to operate under a single unified privacy regulation'.
ADMA went further and stated that the harmonisation:
...should not be done half heartedly and that states and
territories should not be permitted to create other, isolated privacy
requirements. The benefit to Australian business of knowing, without doubt,
that all privacy requirements are stated in a Commonwealth Privacy Act will to
a large extent be undone if this is permitted to occur.
The committee notes that it is stated in the Government response that 'there
are clear benefits of nationally consistent privacy regulation in the private
sector, including the health sector'.
The department also indicated that the first stage response will create a
platform from which the Commonwealth Government can pursue national harmonisation
through discussion with state and territory governments. Further:
All parties to those discussions will need to carefully
consider what changes are necessary to their respective privacy and
information-sharing regimes to ensure an effective harmonised system can be
The committee considers that the harmonisation of privacy regimes across
all jurisdictions is an important goal. However, the matters to be considered
are complex, with examination of interactions with, and possible inconsistencies
between, Commonwealth and state and territory regimes requiring detailed
consideration.
A number of submitters were concerned to ensure that the implementation
process for the new Privacy Act includes an appropriate transition period. It
was argued that an adequate transition period would allow for the
implementation of any necessary systems changes, staff training and updating of
relevant corporate policies required to comply with new obligations.
The Insurance Council of Australia, for example, commented that the most common
method of notifying insurance policyholders of information is through the
Product Disclosure Statement (PDS) that is required under the Corporations
Act 2001. The Council suggested an 18 month transition period would
allow general insurers to incorporate any required additional notifications in
their PDSs in the normal course of them being re-issued.
Other submitters called for a transition period of 12 or 18 months duration.
The AHA noted that, following the amendments to the Privacy Act in 2001,
the private sector was granted a 12 month 'amnesty', and submitted that a
similar transition period should be granted to the business community
following the passage of these amendments.
Some submitters also specifically stated that requirements under the new
legislation should only be applied prospectively.
The AHA also suggested that an education and awareness campaign will be
required to assist acceptance and compliance with the new obligations. Such a
campaign could be conducted by the Commonwealth in conjunction with relevant
The introduction of the reformed privacy regime may require significant change
to practices and policies. The committee considers that due consideration should
be given to the provision of an adequate transition period where appropriate.
The committee further considers that the Office of the Australian Information
Commissioner should be consulted in relation to the length of any transition
period.
The committee recommends that the Government, in consultation with the
Office of the Australian Information Commissioner, give consideration to the
provision of a transition period for entities to fully comply with the
implementation of the new Privacy Act.
The ALRC undertook extensive consultation during its review of privacy
law as did the Government in formulating its response to the ALRC's
recommendations. However, the committee received comments in relation to
consultations during the development of the exposure draft. The Australian
Privacy Foundation (APF) for example, expressed concern that the exposure draft
details had 'not been negotiated with a body that includes representatives of
all interested parties'. The APF was of the view that the exposure draft
reflects the interests of the private sector and government agencies.
The committee notes, however, that Privacy NSW and the Public Interest
Advocacy Centre indicated that they had provided submissions in response to the
Government's consultation on the Unified Privacy Principles and related
The OPC further noted that it had provided 'informal input' during the
development of the exposure draft of the APPs and acknowledged the constructive
engagement of the department and its effort to take account of suggestions.
The committee is satisfied that the department undertook adequate
consultation in relation to the APP exposure draft.