Chapter 17


Chapter 17

Committee conclusions

17.1      The reform of privacy law in Australia is a substantial undertaking. The Australian Law Reform Commission's (ALRC) review took 28 months to complete, addressed a multitude of issues and resulted in the publication of a three-volume report. The Australian Privacy Principles (APP) exposure draft is the first stage of the reform process to be considered.

17.2      The Government accepted the majority of the ALRC's recommendations in relation to the privacy principles. Indeed, Professor Rosalind Croucher, President, ALRC, commented at the committee's hearing that the APPs 'are consistent with and flow from the recommendations that the ALRC made in For your information'.[1] Although the ALRC indicated that there were a number of matters where the APPs diverge from the recommendations made in the review report, Professor Croucher stated:

But the gist of the privacy principles is a very good one. It places the idea of privacy principles as a unified presentation. We congratulate the initiative and encourage the implementation of those privacy principles as a national initiative as a priority.[2]

17.3      While many submitters welcomed the reforms, the committee received a range of views on whether or not the APPs meet the objectives underpinning the need for reform and provide greater privacy protection. In addressing this point, the Office of the Privacy Commissioner (OPC) commented that the reform process should ensure that:

  • there is a streamlined, single set of principles for the public and private sectors, which promote national consistency;
  • privacy rights and obligations are simplified and therefore easy to understand and apply;
  • existing privacy protections are maintained, not diminished; and
  • a high‐level, principles‐based, technology‐neutral approach is adopted that is capable of protecting and promoting individuals' privacy into the future.[3]

17.4      The APP exposure draft provides for a single set of principles applying to all entities to replace the Information Privacy Principles which apply to agencies and the National Privacy Principles which apply to organisations. As noted by Professor Croucher:

Where you have two sets of principles, there is an opportunity for confusion about what, for instance, government agencies and also those employers covered by the existing principles have to do, and where there is confusion there is the possibility of an imperfect protection and an imperfect respect for the fundamental protection of personal information. In that context, the development of a unified set of principles would only improve the ability for those governed by it to discharge the responsibility under them.[4]

17.5      The committee acknowledges that drafting a single set of APPs was a particularly complex task. The need to consolidate the IPPs and the NPPs, while at the same time taking into account the ALRC's recommendations accepted by the Government and additional matters announced by the Government, has resulted in very long APPs. In itself, the length of the exposure draft is not of concern: short does not always mean simple or easy to understand. However, the committee is concerned that many submitters stated that the APPs are complex, dense, and difficult to understand. In particular, the committee has noted the view of the Office of the Privacy Commissioner (now the Office of the Australian Information Commissioner) that the APPs should be simplified to improve clarity. The committee considers that this is a significant issue: without clarity, agencies and organisations may find it difficult to comply with their privacy obligations and individuals may not understand how their privacy is protected. As a consequence, the committee has made recommendations to simplify the structure of the APPs, and to improve clarity.

17.6      Evidence received by the committee expressed the opinion that there had been a diminution of privacy protections in some instances. The committee has noted the comments of the Department of the Prime Minister and Cabinet that 'the comments in a lot of the submissions are really around alternative ways of how it might have been done' but the approach taken has not led to any diminution of protections for privacy in Australia. The department also pointed to particular examples of enhanced protections, for example the expansion to Commonwealth agencies of the cross-border disclosure of personal information principle (APP 8).[5]

17.7      While it is the case that there are alternative approaches to the way the principles could be framed, the committee was concerned that there may be some instances where privacy protection may have been inadvertently compromised, for example, APP 3 (collection of solicited information). Therefore, the committee has recommended the re-consideration of some principles to ensure that privacy protections are not diminished. However, on balance, the committee considers that privacy protections have not been weakened and welcomes the enhancement of the privacy regime through the new principles for open and transparent management of personal information and cross-border disclosure, more specific regulation of direct marketing activities and restrictions on the use of government issued identifiers.

17.8      A further matter of concern to submitters was the number of exceptions contained in some of the principles. Submitters commented that a large number of exceptions can undermine the privacy regime and limit accountability. The committee considers that in formulating a single set of privacy principles, that it was perhaps unavoidable that a large number of exceptions were required. However, in light of the concerns raised about the complexity of the APPs the committee has recommended that consideration be given to the suggestion that agency specific matters be dealt with in portfolio legislation. The committee also notes that guidance will be provided by the Office of the Australian Information Commissioner in relation to a range of exceptions. The committee considers that guidance will ensure that exceptions are used appropriately.

17.9      The committee considers that it is important that entities have in place internal policies and practices that enable compliance with the privacy principles. The new requirements for privacy policies will enable individuals to access additional information in relation to complaint handling processes and the countries where personal information is transferred to overseas recipients. There was considerable comment from organisations about these requirements and the compliance burden that may arise. The committee acknowledges that in some instances the compliance burden may increase however, the committee is of the view that the benefits of the additional requirements outweigh the compliance costs. In addition, the committee notes that many principles include a 'reasonableness' test for the matters or steps to be undertaken and, in some principles, the test also provides that no steps need be taken if it is reasonable in the circumstances. The committee considers that these provisions provide entities with sufficient flexibility in complying with the privacy regime.

17.10         In conclusion, the committee considers that notwithstanding the recommendations made by the committee, the APPs contained in the exposure draft reflect the intent of the ALRC review and the needs of the Government to ensure that standards are in place to address the risk of harm from the inappropriate collection, use and disclosure of personal information and to meet the expectations of individuals that personal information will be handled appropriately. The APPs also address community concerns arising from the cross-border disclosure of personal information and balance the public's and the individual's interest in efficient and effective service delivery and public safety.

Senator Helen Polley

Chair

Navigation: Previous Page | Contents | Next Page