Chapter 17
Committee conclusions
17.1
The reform of privacy law in Australia is a substantial undertaking. The
Australian Law Reform Commission's (ALRC) review took 28 months to complete,
addressed a multitude of issues and resulted in the publication of a three-volume
report. The Australian Privacy Principles (APP) exposure draft is the first
stage of the reform process to be considered.
17.2
The Government accepted the majority of the ALRC's recommendations in
relation to the privacy principles. Indeed, Professor Rosalind Croucher,
President, ALRC, commented at the committee's hearing that the APPs 'are
consistent with and flow from the recommendations that the ALRC made in For
your information'.[1]
Although the ALRC indicated that there were a number of matters where the
APPs diverge from the recommendations made in the review report, Professor
Croucher stated:
But the gist of the privacy principles is a very good one. It
places the idea of privacy principles as a unified presentation. We
congratulate the initiative and encourage the implementation of those privacy
principles as a national initiative as a priority.[2]
17.3
While many submitters welcomed the reforms, the committee received a
range of views on whether or not the APPs meet the objectives underpinning the
need for reform and provide greater privacy protection. In addressing this
point, the Office of the Privacy Commissioner (OPC) commented that the reform
process should ensure that:
- there is a streamlined, single set of principles for the public and
private sectors, which promote national consistency;
- privacy rights and obligations are simplified and therefore easy to
understand and apply;
- existing privacy protections are maintained, not diminished; and
- a high‐level,
principles‐based,
technology‐neutral
approach is adopted that is capable of protecting and promoting individuals'
privacy into the future.[3]
17.4
The APP exposure draft provides for a single set of principles applying
to all entities to replace the Information Privacy Principles which apply to
agencies and the National Privacy Principles which apply to organisations. As
noted by Professor Croucher:
Where you have two sets of principles, there is an
opportunity for confusion about what, for instance, government agencies and
also those employers covered by the existing principles have to do, and where
there is confusion there is the possibility of an imperfect protection and an
imperfect respect for the fundamental protection of personal information. In
that context, the development of a unified set of principles would only improve
the ability for those governed by it to discharge the responsibility under
them.[4]
17.5
The committee acknowledges that drafting a single set of APPs was a particularly
complex task. The need to consolidate the IPPs and the NPPs, while at the same
time taking into account the ALRC's recommendations accepted by the Government
and additional matters announced by the Government, has resulted in very long
APPs. In itself, the length of the exposure draft is not of concern: short does
not always mean simple or easy to understand. However, the committee is
concerned that many submitters stated that the APPs are complex, dense, and
difficult to understand. In particular, the committee has noted the view of the
Office of the Privacy Commissioner (now the Office of the Australian
Information Commissioner) that the APPs should be simplified to improve
clarity. The committee considers that this is a significant issue: without
clarity, agencies and organisations may find it difficult to comply with their
privacy obligations and individuals may not understand how their privacy is
protected. As a consequence, the committee has made recommendations to simplify
the structure of the APPs, and to improve clarity.
17.6
Evidence received by the committee expressed the opinion that there had
been a diminution of privacy protections in some instances. The committee has
noted the comments of the Department of the Prime Minister and Cabinet that 'the
comments in a lot of the submissions are really around alternative ways of how
it might have been done' but the approach taken has not led to any diminution
of protections for privacy in Australia. The department also pointed to
particular examples of enhanced protections, for example the expansion to
Commonwealth agencies of the cross-border disclosure of personal information
principle (APP 8).[5]
17.7
While it is the case that there are alternative approaches to the way
the principles could be framed, the committee was concerned that there may be
some instances where privacy protection may have been inadvertently compromised,
for example, APP 3 (collection of solicited information). Therefore, the
committee has recommended the re-consideration of some principles to ensure
that privacy protections are not diminished. However, on balance, the committee
considers that privacy protections have not been weakened and welcomes the enhancement
of the privacy regime through the new principles for open and transparent
management of personal information and cross-border disclosure, more specific
regulation of direct marketing activities and restrictions on the use of
government issued identifiers.
17.8
A further matter of concern to submitters was the number of exceptions
contained in some of the principles. Submitters commented that a large number
of exceptions can undermine the privacy regime and limit accountability. The
committee considers that in formulating a single set of privacy principles,
that it was perhaps unavoidable that a large number of exceptions were
required. However, in light of the concerns raised about the complexity of the
APPs the committee has recommended that consideration be given to the
suggestion that agency specific matters be dealt with in portfolio legislation.
The committee also notes that guidance will be provided by the Office of the
Australian Information Commissioner in relation to a range of exceptions. The
committee considers that guidance will ensure that exceptions are used
appropriately.
17.9
The committee considers that it is important that entities have in place
internal policies and practices that enable compliance with the privacy
principles. The new requirements for privacy policies will enable individuals
to access additional information in relation to complaint handling processes
and the countries where personal information is transferred to overseas
recipients. There was considerable comment from organisations about these
requirements and the compliance burden that may arise. The committee
acknowledges that in some instances the compliance burden may increase however,
the committee is of the view that the benefits of the additional requirements
outweigh the compliance costs. In addition, the committee notes that many
principles include a 'reasonableness' test for the matters or steps to be
undertaken and, in some principles, the test also provides that no steps need
be taken if it is reasonable in the circumstances. The committee considers that
these provisions provide entities with sufficient flexibility in complying with
the privacy regime.
17.10
In conclusion, the committee considers that notwithstanding the
recommendations made by the committee, the APPs contained in the exposure draft
reflect the intent of the ALRC review and the needs of the Government to ensure
that standards are in place to address the risk of harm from the inappropriate
collection, use and disclosure of personal information and to meet the
expectations of individuals that personal information will be handled
appropriately. The APPs also address community concerns arising from the cross-border
disclosure of personal information and balance the public's and the
individual's interest in efficient and effective service delivery and public
safety.
Senator
Helen Polley
Chair
Navigation: Previous Page | Contents | Next Page