Chapter 5 - Other issues

5.1 This chapter examines some of the other issues raised during the inquiry. These include:

the credit reporting provisions in Part IIIA of the Privacy Act;
privacy in the health sector;
the impact of the Privacy Act on medical research;
the impact of the Privacy Act on responses to overseas emergencies;
the impact of the Privacy Act on law enforcement issues;
the use of the Privacy Act as a means to avoid accountability and responsibilities; and
the impact of the Privacy Act on care leavers.

5.2 Each of these issues is considered below.

Consumer credit reporting

5.3 Part IIIA of the Privacy Act governs consumer credit reporting: that is, the handling of credit reports and other credit worthiness information about individuals by credit reporting agencies and credit providers.[539] The aim is to ensure that the use of this information is restricted to assessing applications for credit lodged with a credit provider and other legitimate activities involved with giving credit. Key requirements of Part IIIA include the following:

Limits on the type of information which can be held on a person's credit information file by a credit reporting agency. There are also limits on how long the information can be held on file.
Limits on who can obtain access to a person's credit file held by a credit reporting agency. Generally only credit providers may obtain access and only for specified purposes.
Limits on the purposes for which a credit provider can use a credit report obtained from a credit reporting agency. These include:
1. to assess an application for consumer credit or commercial credit;
2. to assess whether to accept a person as guarantor for a loan applied for by someone else;
3. to collect overdue payments;
A prohibition on disclosure by credit providers of credit worthiness information about an individual, including a credit report received from a credit reporting agency, except in specified circumstances.
Rights of access and correction for individuals in relation to their own personal information contained in credit reports held by credit reporting agencies and credit providers.

5.4 Part IIIA is supplemented by the Credit Reporting Code of Conduct issued by the Privacy Commissioner in accordance with the Privacy Act. The legally binding Code covers matters of detail not addressed by the Act. Among other things, it requires credit providers and credit reporting agencies to:

deal promptly with individual requests for access and amendment of personal credit information;
ensure that only permitted and accurate information is included in an individual's credit information file;
keep adequate records in regard to any disclosure of personal credit information;
adopt specific procedures in settling credit reporting disputes; and
provide staff training on the requirements of the Privacy Act.

Concerns raised during this inquiry in respect of Part IIIA

5.5 Submissions raised significant concerns relating to the operation of Part IIIA of the Privacy Act.[540] These included the following.

Lack of consent to the use and disclosure of personal information

5.6 The Privacy Act is generally predicated on individuals' consent to the use and disclosure of their personal information.[541] Concerns were therefore raised over industry's use of 'bundled consents' whereby consent to disclose personal information to a credit reporting agency is 'bundled' into a group of other consents in credit or loan applications. Consumer advocates argue that the relevant forms and disclosure statements can be unreadable, confusing and appear designed not to invite consumers to read it.[542] Others argued that the market power of credit providers effectively negates any notion that a person is genuinely 'consenting' to how their personal information is to be handled. Refusal to sign bundled consents may mean that they cannot obtain housing or a telephone.[543] For these reasons, it was argued that reform is required to mandate standards for privacy and consent clauses.[544]

5.7 In contrast, industry maintained that any prohibition on secondary use of data or on bundled consent would be an unwarranted and intrusive restriction on business. As discussed in chapter 4, Baycorp Advantage argued that practices such as bundled consent create more efficient processes for business.[545] Baycorp Advantage also highlighted the importance of efficient credit reporting in managing exposure to financial risk by providing comprehensive data about the past credit behaviour of potential customers. For example:

The production and provision of credit reports is in the public interest in a modern society which values the possibilities afforded by the easy availability of credit and the free flow of information. Moreover, the greater ability of businesses to assess and manage risk leads to the reduction of bad debt levels and to improved performance across the economy as a whole.[546]

Lack of procedural fairness and inaccurate records

5.8 Both industry and consumer advocates agree that credit reporting agencies' databases contain inaccurate data on consumers (although they differ on the extent to of this inaccuracy).[547] This is notwithstanding obligations imposed under Part IIIA for record keepers and credit reporting agencies to ensure that personal information contained in their records is accurate, up-to-date, complete and not misleading.[548] One reason for such requirements is that errors or inaccuracies can have a significant detrimental impact on individuals. As Legal Aid Queensland stated:

Where the information in credit reporting databases is inaccurate, incomplete or misrepresents the facts, the ability of individuals to obtain credit is severely limited. In our experience, it can have the effect of forcing consumers into poverty or severe financial hardship ... [and] cause severe emotional distress.[549]

5.9 Consumer advocates and representatives maintain that consumers are not informed of listings or inquiries made on their credit reports or even that they have a credit report. The fact that a credit report contains adverse information is generally only brought to consumers' attention when they are denied credit. This, it is argued, denies consumers the opportunity to check information held on them and to correct it.[550]

5.10 The committee was advised that credit reporting agencies – such as Baycorp Advantage – do provide a service whereby for a fee they will notify consumers if alterations are made to their credit reports.[551] The committee also understands that consumers are able obtain a copy of their credit report free of charge from credit providers such as BayCorp Advantage. However, it is also generally acknowledged that individuals are not utilising these services or taking an active interest in the management of their credit records. As Baycorp Advantage stated, 'until there is a problem, consumers typically do not look'.[552]

5.11 Consumer advocates maintain that a disincentive for consumers is the difficulties they can face in trying to correct inaccurate information held by credit reporting agencies.[553] It is argued that such difficulties stems in part from poor drafting and ambiguous provisions.[554] The lack of an effective complaint handling system is cited as another reason. Critics argue that there is no real requirement for entities such as credit providers to establish internal dispute resolution procedures for those consumers who wish to correct their records. Moreover, the dispute resolution procedures that are established by credit providers and/or credit reporting agencies lack transparency and fail to address complaints in relation to repeated problems or possible systemic issues.[555] Concerns were also raised that dispute resolution procedures generally place the onus of proving that listings are inaccurate on individual consumers who lack any real bargaining power. As the Consumer Credit Legal Centre stated:

... [it] relies on consumers having knowledge of the credit reporting agency, knowing how to access their individual report, accessing their individual report and making a complaint if unauthorised access or incorrect details are contained in the report. In most cases, the first time an individual [may become aware of or] may seek access to their credit report is when credit is refused on the grounds of an adverse credit report and or where the individual in threatened with a default listing.[556]

5.12 It would appear that the OPC as regulator can be of little assistance in this regard. The committee received evidence from both industry and consumer organisations indicating that the OPC is currently ill-equipped to respond to consumer complaints. Consumer advocates claim that the OPC's complaints handling process is inconsistent, inefficient and lacks transparency and procedural fairness, with the result that large numbers of individuals drop out of the system.[557] As explained elsewhere in this report, it can take six months or more before complaints can be heard by the OPC, and affected individuals may be unable to access credit during this period.[558] The OPC's ability to enforce the Act in cases of proven non-compliance is also questioned.[559] Baycorp Advantage confirmed that resourcing issues had led the OFPC to ask it to try to resolve consumer complaints in the first instance.[560] Critics argue that this in turn has prompted confusion over responsibility for resolution of complaints. As the Consumer Credit Legal Centre explained:

... a complaint is required to be made in writing 3 or 4 times, to Baycorp, then the OFPC, then the credit provider, then back to the OFPC. The OFPC requires written proof of complaint to the credit provider before the OFPC would investigate.[561]

5.13 Consumer concerns over the lack of a clear path for complaints resolution have been recognised by Baycorp, which is seeking to develop better dispute resolution mechanisms. It advised the committee that it is currently considering the establishment of an external dispute resolution mechanism in addition to its own internal processes and consumer recourse to the Privacy Commissioner.[562] It explained that:

... this is an area in which we are engaging heavily with our subscriber customers [ie, credit providers] — both to define clear responsibilities within our subscriber organisations for dispute resolutions raised by consumers and to provide an alternative dispute resolution mechanism that consumers can have access to speed up the process of resolution.[563]

5.14 Notwithstanding such developments, concerns remain that compliance with privacy laws and requirements will not be a priority for industry without the incentives provided by effective regulatory oversight. Consumer advocates and representatives argue that, unless the OPC is provided with greater resources to take enforcement action and then prioritise enforcement action, the legislation will remain ineffective.[564] Baycorp Advantage also agreed that 'overall effectiveness could be improved by the provision of additional resources to the Office of the Federal Privacy Commissioner, in particular to assist with complaint handling'.[565]

Increasing access to credit reporting

5.15 Concerns were raised that the problems outlined above have been compounded by the proliferation in entities accessing the credit reporting system. Determinations issued by the Privacy Commissioner under Part IIIA of the Privacy Act have extended access to the credit reporting system beyond traditional lenders such as banks to a wide range of retailers and service providers. Video store operators, legal services and healthcare providers, for example, are now deemed to be credit providers.[566] Part IIIA also allows consumers to be listed with credit reporting agencies for old and/or small debts (which some argue are irrelevant to any assessment of default risk). Consumer advocates maintain that such broad access and the ability to list small or old debts increases the number of listings being made with credit reporting agencies and, therefore, the capacity for errors if effective mechanisms are not in place to ensure details are accurate and up-to-date.[567]

5.16 Consumer advocates also maintain that such broad access has made the credit reporting system vulnerable to abuse. Legal Aid Queensland, for example, advised the committee that:

... [t]he use of credit reporting as a means for extracting payment for a disputed debt is rife. ... The single biggest issue that has arisen over the past few years is ... the threat of default listing or listing an individual as a means of forcing individuals to make payments on accounts where there is a dispute as to liability.[568]

5.17 The committee also received evidence suggesting that it is increasingly common for consumers to be denied credit on the basis of the number of inquiries made on their credit report, despite them having no adverse listing.[569]

Calls for reform

5.18 The concerns outlined above have prompted calls for a review of the credit reporting system, and particularly Part IIIA of the Privacy Act.[570] Reform proposals put forward by consumer groups have included the following:

that only debts of $500 or more may be listed;
that listing companies be required to demonstrate the existence of the debt and failure to pay;
that consumers be notified when adverse listings, such as defaults and clearouts, are added to their file;
that disputed debts be prevented from being listed while the dispute is being resolved;
that an industry-funded external dispute resolution scheme be established, similar to those operating in the financial sector and approved by the Australian Securities and Investment Commission under the Financial Services Reform Act 2001 (Cth); and
that credit providers only be allowed access upon demonstration of satisfactory internal dispute resolution procedures and membership of the external dispute resolution scheme.[571]

5.19 In light of the above, submitters were critical of the federal government's decision to exclude the credit reporting provisions from the OPC review of the private sector provisions of the Privacy Act.[572]

5.20 Industry representatives appear less sanguine about the need for a review or legislative reform. Baycorp Advantage advised the committee that, in its view, any formal review of Part IIIA or the related Code at this stage would impede the progress of measures underway to enhance effectiveness of the Privacy Act. As mentioned above, these measures include initiatives to enhance data quality and to improve consumer engagement, including the development of better dispute resolution mechanisms. An apparent concern for industry was that any proposals to further amend the privacy legislation had to be very carefully weighed against the accompanying compliance costs that legislative and regulatory change can cause, and which are ultimately borne by consumers.[573] Also highlighted was the credit reporting regime's important role in facilitating risk management (described above).

Positive reporting

5.21 The economic benefits of credit reporting were also cited in support of arguments that Part IIIA of the Privacy Act should be amended to permit positive credit reporting. The Privacy Act generally limits the range of personal information that can be contained in a credit report or file to 'negative' data, such as previous credit applications, defaults and credit infringements.[574] Submissions received by the committee indicated some debate on whether these restrictions should be removed in order to allow positive credit reporting. Positive credit reporting (also known as open file or comprehensive credit reporting) involves a much broader range of consumers' personal financial information being obtained and recorded by credit reporting agencies.[575]

5.22 Industry submissions stressed the economic advantages for Australia of moving to positive credit reporting. The current restricted regime, it is suggested, hinders credit providers from making fully informed decisions about credit applications. Positive credit reporting would enable a more accurate risk assessment and will thereby benefit both credit providers and consumers. As Baycorp Advantage stated:

It is fairly clear that comprehensive reporting improves the quality of credit decisions, improves the efficiency of the credit information system as a whole. ... It gives consumers the ability to manage their credit history in the most positive way, and that gives them the ability to shop for the best deals and really get the best out of the competitive environment that has been created in consumer lending. For business, there is a clear improvement to the quality of the credit books, and that is a benefit to the economy. There is a benefit to society generally through improved efficiency in the allocation of credit across the economy.[576]

The committee notes that these appear no different to industry claims made when the privacy provisions were first enacted.

5.23 In contrast, consumer advocates and representatives argue against any extension of Australia's current credit reporting regime. They question research cited by industry in support of positive credit reporting, pointing to other research and overseas experiences suggesting that there is no correlation between positive credit reporting and reduced levels of over indebtedness. Also questioned is the need for positive reporting in the Australian context given low default levels, current lending practices, the information currently available to credit providers and the fact that not all of this available information is used by credit providers.[577]

5.24 Baycorp Advantage advised the committee that, while it supported the introduction of positive credit reporting, it believed that there needs to be agreement with consumer groups that real progress has been made to improve the consistency and accuracy of data used for personal credit ratings and access to dispute resolution.[578] The committee also notes that there appears to be mixed views within industry on any move towards positive credit reporting. As the Chief Executive of the Australian Banking Association reportedly stated that:

The issues surrounding positive reporting are complex and there are stakeholder concerns which must be considered. The ABA's [Australian Banking Association's] position is [that] there needs to be more information in the public domain to support an informed public debate about the benefits and disadvantages of positive credit reporting. This is essential to the development of sound policy.[579]

5.25 The committee notes that experience with the current range of information has shown that industry has not run the system as well as would be expected and it is apparent that injustice can prevail. As well, positive reporting is also rejected on the basis that it would magnify the problems associated the accuracy and integrity of the current credit reporting system.[580] The privacy and security risks associated with the existence of large private sector databases containing detailed information on millions of people are of major concern.

Health information

Privacy protection - integral to health care

5.26 The importance of privacy in the provision of health care cannot be understated. As the Department of Health and Ageing stated:

Privacy is a fundamental principle underpinning quality health care. Without an assurance that personal health information will remain private, people may not seek the health care they need which may in turn increase the risks to their own health and the health of others. Indeed consumers regard health information as different to other types of information and consider it to be deeply personal.[581]

5.27 This is borne out by the OPC's research on community attitudes towards privacy, confirming the importance that individual Australians place on the protection of their health information.[582] It is also demonstrated by the possible consequences for Australians when their health information is inadequately protected. As the OPC recently acknowledged:

There are risks of serious harm arising from a failure to adequately protect an individual's health information, for example when handling genetic information that indicates an individual's susceptibility to a serious disease or information about an individual's sexual health. Some individuals may be stigmatised or discriminated against if their health information is mishandled.[583]

5.28 In light of the above, most, if not all, Australians recognise that a strong and effective privacy framework is required to regulate how and when an individual’s health information may be collected, stored and disclosed to others.[584]

5.29 However, evidence presented to the committee suggests that the privacy protection provided for health information in Australia – including that offered by the Privacy Act - is neither strong nor effective.

Overlapping, incomplete and inconsistent regulation

5.30 At present, the privacy of Australian's health information is protected by a patchwork of public and private sector legislation, common law and codes of conduct. These are outlined below.

Federal laws

5.31 The Privacy Act regulates the handling of health information by the private sector and by Commonwealth and ACT government agencies. The Act requires personal 'health information' to be afforded the highest privacy protection available, given the above-mentioned importance of such information and the sensitivity surrounding its collection and use.[585] This is also recognised by the fact that the Act's requirements apply to all private sector organisations that both hold health information and provide health services[586], regardless of annual turnover. As previously explained, a private sector organisation covered by the Act generally must not do anything that breaches an approved code binding on it. If not bound by an approved code, it must not do anything that breaches an NPP.[587]

5.32 For their part, Commonwealth and ACT government officials must comply with the IPPs as well as a range of other laws governing the disclosure of personal information by public sector agencies. Officers working in the federal health portfolio must consider the IPPs in conjunction with, for example, the secrecy provisions of the relevant public service, health and aged care legislation.[588]

State and territory privacy regimes

5.33 State and territory governments have implemented their own arrangements to ensure the privacy of health information. Some have enacted privacy legislation governing their public sectors' use of such information. Others have administrative arrangements for this purpose. For example, Queensland has established two administrative standards for privacy in its public sector (one scheme for health sector agencies, and one scheme for other government agencies). State governments have also enacted laws regulating the handling of health information in the private sector. Victoria, for example, has enacted the Health Records Act 2001 which aims to cover both the public and private sectors in that state and which is similar to the NPP provisions of the Privacy Act. New South Wales has similar legislation in place in the form of the Health Records and Information Records Privacy Act 2002.[589]

5.34 Federal privacy laws prevail over the state or territory privacy legislation, to the extent that these laws are inconsistent.

Industry, professional and common law privacy obligations

5.35 In addition, those involved in the provision of health care are bound by privacy obligations arising out of their common law confidentiality duties involved in the provider-patient relationship, as well as ethical and professional obligations (such as those imposed by codes of practice and professional service charters).[590]

Complexity and confusion for officials, heath care providers and patients

5.36 The result of the above-mentioned patchwork of legislation, common law and codes of conduct appears to be considerable confusion and undue complexity.

5.37 Differences exist in protection or coverage. Health information is subject to different protections depending on whether it is held by a federal agency, state or territory agency or private sector agency. Adding to this complexity are the different requirements that also apply to the information held by any one agency. As noted above, the Privacy Act itself imposes different requirements depending on whether the information held is personal information, health information and other sensitive information. Differences between jurisdictions compound the problem. As the OPC noted, 'each jurisdiction's scheme is slightly different, as are the principles on which they are based'.[591] Health information may also subject to different protections depending on which jurisdiction it is being held, collected or used in. As the Anti-Discrimination Board of New South Wales stated:

A complicating factor is that many different organisations may be responsible for delivery of health services to any one individual meaning that different legal regimes and privacy protection, with differing standards apply to different parts of the health information relating to a single individual. Practical difficulties can also arise when organisations are required to comply with a number of related but conflicting laws – especially if States and Territory have health privacy legislation purporting to cover the private sector (NSW, Victoria and the ACT).[592]

5.38 Others argue that the fragmented nature of privacy protection has left significant gaps in coverage, with, for example, state government agencies and universities falling outside the scope of the federal legislation.[593] In this regard, the absence of national standards governing the secure storage and transmission of electronic health information was also criticised. The AMA argued that this is an issue than can only be addressed at the federal level:

Stronger provisions and greater resources at the Federal level are required to properly address the security of electronic health records, and to prevent corporate misconduct for the on selling of health data. The push to make profits in GPs’ practices bought by corporate interests raises the risk of inappropriate ‘data-mining’ of personal data for commercial purposes.[594]

5.39 Differences in protection or coverage also create significant compliance costs, particularly for those health care providers which operate in more than one jurisdiction. The OPC, for example, cited the instance of a national medication service operating via a call centre that had to read different statements to obtain consent depending on the location of the individual (and the law that applies in that jurisdiction).[595]

5.40 It is argued that the problems of inconsistency, complexity and fragmentation are getting worse as states and territories increasingly introduce their own privacy legislation.[596]

5.41 In view of the above, deciphering who has what rights in respect of what health information about which individual can be challenging. As the AMA stated:

It is very difficult for medical practitioners and organisations that handle health information to comply with the public/private, Federal/State mishmash of regulation. This is being made more complex by emerging technologies.[597]

5.42 The LIV also highlighted the significant difficulties that many health providers face in trying to manage health information in a way that respects their patient’s privacy and confidentiality:

There is a significant degree of confusion surrounding the operation of the Privacy Act and other privacy laws in the health sector. ... Recent cases [brought against health care providers] demonstrate the lack of understanding of fundamental privacy concepts and principles within the health sector ... . We suggest that this confusion does not arise solely from a misunderstanding by health professionals of the Privacy Act. Rather, it is exacerbated by the variation between federal, state and territory legislation. Such legislation is broader than the Privacy Act and includes the various freedom of information, state privacy and other health legislation.[598]

5.43 The APF was particularly critical of the 'proliferation of health specific privacy rules and laws.' The Foundation argued:

The confused situation that many health service providers currently find themselves in – being covered by at least two separate health privacy laws - federal and State or Territory – represents a failure of good government and is definitely not in the interests of consumers.[599]

5.44 The Department of Health and Ageing agreed that the complex arrangements outlined above are confusing for consumers who are unsure which legislation applies under what circumstances.[600] This confusion can undermine the enforcements mechanisms contained within the Privacy Act, which some argue are already 'relatively weak'. As the Centre for Law and Genetics noted:

The federal privacy regime is complaints-driven and conciliation-based. In the first instance, health consumers have to be aware of their rights to be in a position to understand that they can bring a complaint under the legislation. The rights of aggrieved individuals are [already] limited under the existing legislation because in the event that orders are made by the Privacy Commissioner, such orders can only be enforced by court action.[601]

5.45 Conversely, the differing arrangements between jurisdictions can also lead to forum shopping, with potential plaintiffs shopping around to select the most suitable legislation to further their cause or grievance.[602]

5.46 It appears somewhat of a paradox that the various competing privacy laws, common law duties and codes of conduct that give rise to the above-mentioned problems all share the same objective; that is 'to regulate the handling of sensitive information, and to ensure its protection.'[603] Also incongruous is that the Privacy Act's private sector provisions – which had the objective of establishing a single comprehensive national scheme (provided through codes adopted by private sector organisations and the NPPs) – appear to have merely added to the problem. As the Department of Health and Ageing advised:

[I]t is our experience that the private sector provisions now form just one of several layers of privacy requirements and legislation applying to the health sector, thus contributing to the complexity faced by both public and private sectors when addressing health privacy issues.[604]

Impediment to national health initiatives

5.47 Submissions and witnesses argued that the patchwork of laws, regulations and rules of conduct governing the handling of health information privacy in Australia also present a barrier to much needed reform. For example, the lack of consistent national health privacy laws have been cited an impediment to efforts to establish a national health information network.

5.48 Federal, state and territory Governments are implementing a national health information network known as HealthConnect.[605] HealthConnect is a cooperative venture between the federal, state and territory governments to develop a national network of linked databases containing patient health records. It will provide for the electronic collection, storage and exchange of clinical information among health care providers.[606] Information recorded in HealthConnect about an individual may be downloaded by health service providers, subject to the individual’s consent, wherever and however they encounter health services across Australia. The aim is to integrate and better coordinate the flow of information across the different parts of the health sector (such as hospitals, general practitioners, specialist surgeries, pharmacies, pathology laboratories, etc) and thereby improve patient treatment.

5.49 Related initiatives are the development of the Medicare smartcard and an individual national health identifier. The Medicare smartcard is intended to ensure the accurate and safe identification of people participating in clinical e-health schemes. As discussed in chapter 3, the Smartcard will hold a consumer identifier or national health identifier for e-health initiatives such as HealthConnect. The Department of Health and Ageing explained the need to develop an identifier for each Australian as follows:

To fully harness the benefits of new information technologies in the health care sector, it is critical that the means are in place to ensure that the electronic exchange of clinical information is accurately and securely matched to the right individual. Failure to do so could result in clinical decision making being compromised. In this context, there has been growing recognition that a unique patient identifier is needed across the health sector as a key building block for the national e-health agenda.[607]

Possible risks to privacy

5.50 It is clear that e-health initiatives and technological change can offer significant benefits in the heath care sector and improve patient care. Yet at the same time they create significant potential risks. As the AMA explained:

New technology permits access to a wide range of information that can contribute to improvements in the delivery of healthcare and health outcomes for patients. The ultimate development of a national electronic health record has the potential to provide the means to share an individual’s health information for the purposes of their health care needs throughout their lifetime. Access to a reliable, historical record of an individuals’ encounters with the health system throughout their lifetime can contribute to safety and quality in the delivery of health care, particularly as the patient moves in and out of different parts of the health system. However, such systems also provide a source of data on individuals that has never before been available in a form that can be interrogated and linked so easily and so widely. This new environment, while creating the potential for significant positives in improving health care, has at the same time created significant potential risks to the privacy of individual health information and the independence of a medical practitioners’ clinical decision making.[608]

5.51 A range of privacy concerns have been raised with respect to e-health initiatives such as the initiatives outlined above. These include concerns over access to and use of electronic health information data for secondary, unrelated purposes, the accuracy and security of collected data, and the risk of function creep.[609] As the AMA noted, such concerns impact on confidence in, and acceptability of, the proposed electronic systems for both patients and providers.[610]

Need for new privacy rules

5.52 It is recognised that privacy protection will be a critical component of HealthConnect and the related initiatives outlined above. That is, 'ensuring the privacy, confidentiality and security of personal health information would be paramount to both consumer and health provider acceptance of such initiatives'.[611] Yet it was equally clear that, for the reasons outlined above, existing health specific privacy rules and laws cannot be relied upon to ensure acceptance. As the Department of Health and Ageing acknowledged:

The existing inconsistency in privacy regulation makes specific national projects such as HealthConnect difficult to implement, as there is confusion about which principles apply and under what conditions. As a national network, HealthConnect needs to have the same privacy rules in force across the private and public health sectors, and across all jurisdictions. This is particularly an issue in the health environment where individuals continually move between the private and public sectors and where providers will routinely deliver health care services in both sectors.[612]

5.53 That is, in contrast to the current privacy regime, a complete set of laws is required that provides uniform levels of protection and procedures nationwide. A readily accessible complaints system is also required to deal with privacy issues on an Australia wide basis.[613]

Development and implementation of a National Health Privacy Code

5.54 To this end, federal, state and territory governments have moved to develop a proposed National Health Privacy Code (the Code) as the national set of rules for the handling of personal health information by all HealthConnect participants in both sectors throughout Australia. The aim is to provide a set of health-specific privacy principles that can be implemented nationally, harmonising health privacy protection.[614]

5.55 Submissions generally supported the development of the Code.[615] However, this support appeared to be conditional on the Code achieving a higher standard of privacy protection and uniform application and enforcement.[616]

5.56 In this regard, it was argued that the status of the Code, its contents and how and where it would fit into the existing federal, state and territory legal frameworks had to be clarified.[617] The main concern appeared to be that the Code's success was dependent on the agreement of federal, state and territory governments. As the OPC noted:

The success of a national code will depend critically on how it is implemented. Achieving consistency would involve all jurisdictions implementing the code unamended and in the same manner.[618]

5.57 The APF also advised the committee that:

this initiative, which already appears to have stalled, will be wasted without a strong commitment by all interested parties to adopt the National Code as the basis for their own laws or rules, without further ‘tinkering’.[619]

5.58 The Australian Government can adopt the Code as a schedule to the Privacy Act or by amending the NPPs to incorporate the provisions of the Code.[620] However, the committee understands that either approach will in effect only apply the Code to the agencies subject to that Act – that is, Australian Government agencies and relevant private sector organisations that handle health information. To achieve a consistent national approach across all jurisdictions and all health care sectors, the Australian Government must seek the agreement of all other jurisdictions to adopt the code in the same way.[621]

5.59 In light of the above, the OPC has recommended that:

The Australian Government should consider adopting the National Health Privacy Code as a schedule to the Privacy Act. This would recognise the Australian Government's part in the consistent enabling of the Code. Should agreement not be reached by all jurisdictions about implementing the Code, the Australian Government should still consider adopting the Code as a schedule to the Act to provide greater consistency of regulation for the handling of health information by Australian Government agencies and the private sector.[622]

5.60 By taking this approach, the OPC considered that the Australian Government could provide national leadership in this complex area and, in the absence of unanimous intergovernmental agreement, set a de-facto national standard for health privacy.[623]

Amendments to the Privacy Act

5.61 Some submissions called for a number of changes to Privacy Act before the National Health Privacy Code is issued. These changes included those outlined below.

Amendment of the primary purpose / consent requirement.

5.62 As explained previously, NPP 2 regulates the use and disclosure of personal information, including health information. It provides that uses or disclosures of personal information are limited to the purpose for which the information was initially collected (the ‘primary purpose'), unless a prescribed exception applies.[624] In applying NPP 2, the OPC has interpreted the primary purpose of collecting health information by a health service provider to be the main or dominant reason why the patient is seeking assessment, treatment or care at that time. In doing so, the OPC has stressed that the current arrangements allow health service providers to provide care in the manner they consider appropriate for the individual they are treating, having regard to that person's needs and views. Doctors are free to ask - and patients are free to agree either explicitly or implicitly - that patients' health information be used in a more holistic manner.[625]

5.63 Submissions received by the committee argued that limiting the use and disclosure of health information to the collection and use for the single purpose of each episode of care is unworkable and counterproductive. Doing so, it is claimed, interferes with the delivery of holistic health care, obstructs the appropriate management of patients health (for example, by impeding the ability of treating doctors to consult with each other on clinically relevant information) and conflicts with doctors professional and legal obligations towards their patients. For these reasons, it is argued that NPP 2 should be amended to recognise that the 'primary purpose' of collection of health information by doctors is the 'health care and well being' of the patient.'[626]

5.64 The OPC considered these concerns in its review of the private sector provisions of the Privacy Act. It canvassed various options that might address such concerns – such as amending NPP 2 as recommended above or the OPC issuing binding or non-binding guidelines to re-interpret NPP 2 as required. However, the OPC concluded that the current approach was preferable as it provided the necessary flexibility to cover the myriad of relationships between health professionals and their patients. Broad concepts such as 'health care and well being' could also create problems in defining appropriate limits on future disclosure and use. The OPC was concerned that individuals (as patients) may lose the ability to negotiate and enforce alternate health information-handling arrangements.[627]

5.65 The OPC did, however, recognise that it had to provide more effective guidance to assist health services to understand how NPP 2 can operate.[628]

Patient access to medical records

5.66 The AMA expressed concern at the access rights granted to patients by the NPPs, especially when mental health issues are involved.[629] It argued that the NPPs need to take account of the potential for interference with the therapeutic relationship and the patient harm that can arise from patients accessing their medical records. NPP 6 currently allows organisations to withhold access if access would pose ‘a serious threat to the life or health of any individual’. The AMA argued that this threshold is too high. That is, it does not protect private or preliminary views recorded in diagnosis and development and formulation of a treatment program. These can be misinterpreted and access can have adverse consequences for patients.[630] The AMA therefore recommended the NPP should be amended to allow patient information to be withheld where access could cause patient harm or interfere with a treatment protocol.

5.67 The OPC has acknowledged that circumstances can exist when access to medical records may cause a breakdown in a therapeutic relationship, which may in turn constitute a serious risk to the patient's health. However, the OPC does not see this as justification to change the law. It noted that the NPPs allow organisations to deny access where it would have an unreasonable impact on the privacy of others. In its view, this extended to the private and preliminary views of therapists and doctors. Nevertheless, in light of the above-mentioned concerns, the OPC undertook to develop further guidance on the operation of NPP 6 to clarify that a serious threat to a therapeutic relationship could constitute 'a serious threat to life or health' for the purposes of that NPP.[631]

Access to health information by care givers

5.68 The AMA also argued the Privacy Act's access provisions, together with restrictions on third party access to health information, fail to account for the needs of care givers to access information about those under their care. Carers, for example, need to know what medication their patient is required to take, the patient’s condition on discharge from hospital, what problems they may encounter, and details of follow up appointments. Disclosure of this information to the carer, it is argued, is necessary for the patient’s ongoing care, whether or not the patient consents. Access, it is suggested, is especially difficult for informal arrangements where a person with a decision making disability is assisted by a spouse, carer, family members or a friend.[632]

5.69 These concerns were considered by the OPC in its review of the private sector provisions of the Privacy Act. The OPC concluded that the Privacy Act and NPPs made appropriate provision for the disclosure of an individual's health information to carers, family members and other 'responsible' persons. However, the OPC undertook to develop further and more practical guidance on the operation of these provisions.[633]

Parental access to children's medical records

5.70 The AMA also raised its concerns regarding the development of legislation by the Australian Government which would give parents access on request to all information held by Health Insurance Commission concerning their children aged less than 16 years. The committee was advised that this decision is based on the premise that, in the ordinary course of events, parents should have a right to access information about their children, especially when it relates to their children's health and welfare.[634] However, the AMA argued that:

The adverse consequences of this legislative proposal may outweigh the benefits. In circumstances where the parent wishes to access their child’s records without the consent of the child, there is a risk that legislating to grant access to such records may adversely affect the relationship between the young patient and his or her doctor. It could discourage some young people in need of help and advice from attending their doctor or being candid in the consultation.[635]

5.71 The OPC was prevented from considering issues concerning the privacy rights of children during its review of the private sector provisions of the Privacy Act, including provisions relating to health. The terms of reference expressly excluded 'children's privacy' from that review. However, the OPC's report of that review stated in its discussion of the access rights of carers, that, in respect of children, the child’s parents generally have responsibility for decision-making on their behalf.[636]

Incorporating Public Interest Determinations exemptions into the legislation

5.72 Submissions received by the committee argued that a number of Public Interest Determinations (PIDs) issued by the Privacy Commissioner should be made indefinite by incorporating the exemptions they provide into the legislation.[637] The PIDs concerned exempt health service providers, in certain circumstances, from complying with NPP 10.1, which limits the collection of sensitive information without consent. The concern is that these PIDs operate for only a finite time, but deal with an enduring element of providing quality health care. They relate to the collection of information on family and social histories and from the Health Insurance Commission’s Prescription Shopping Information Service.[638]

5.73 The OPC has reported that there is a general consensus that the PIDs concerning the collection of family, social or medical histories are necessary and that they are operating smoothly. It recommended that the Australian Government should consider amending NPP 10 to include an exception that mirrors their operation. Importantly, the OPC also recommended that the government also consider undertaking consultation on limited exceptions or variations to the collection of family, social and medical history information, particularly with regard to genetic information and the collection practices of the insurance industry.[639] The OPC did not appear to consider the PID concerning the Prescription Shopping Information Service.

Penalties for breaches of privacy

5.74 It was also argued that the Privacy Act should be amended to provide penalties for breaches of privacy, especially for unauthorised disclosure of personal health information. The Department of Health and Ageing advised that, 'given the highly sensitive nature of personal health information, and the potential for personal and social harm that can arise from misuse of such information, there is strong support among consumer and provider groups for penalties for breaches of privacy.'[640]

Deceased persons

5.75 It would appear that the Privacy Act effectively only applies to information concerning living persons.[641] The Department of Health and Ageing advised the committee that it supports the inclusion of deceased persons who have been dead for 30 years or less within the scope of the Act, as proposed in the above-mentioned National Health Privacy Code.[642] The Australian Law Reform Commission and the Australian Health Ethics Committee have also recommended that the Privacy Act be amended to cover an individual’s genetic information for 30 years after they die. State privacy laws and federal archival and freedom of information laws currently protect an individual’s personal information for up to 30 years after death. Extending coverage in the Privacy Act in similar terms would, it is argued, bring that Act into line with this legislation and create greater national consistency.[643]

5.76 The OPC has recommended that the Australian Government consider, as part of a wider review of the Privacy Act, whether the jurisdiction of that Act should be extended to cover the personal information of deceased persons. It did so as, in its view, there may need to be greater consideration of the policy rationale for protecting an individual’s personal information for up to 30 years after death.[644]

Contractor provisions

5.77 It was put to the committee that the provisions of the Privacy Act relating to contracted service providers require amendment. Section 95B of the Act generally requires Australian Government agencies to ensure Commonwealth contracts prohibit the contracted service provider from doing an act, or engaging in a practice, that would breach an IPP if done or engaged in by the agency itself. This extends to subcontracts.

5.78 The result is that organisations contracted by the Australian Government (or subcontracted by an Australian Government contractor) can be required to comply with three sets of privacy principles: the NPPs which apply to them in their capacity as private sector organisations; the IPPs which apply to them under contracts granted in accordance with section 95B of the Privacy Act; and any applicable state or territory privacy laws.[645]

5.79 As the Department of Health and Ageing explained, the application of these requirements are complex and confusing. The Department conceded that the NPPs and the IPPs have provisions in common so that compliance with one may ensures compliance with the other. However, it stressed that there are differences and that the above-mentioned combined regime is typically described as a 'minefield'. In the Department's view, it would be much simpler and practicable to require Australian Government contractors to abide by the NPPs.[646]

5.80 Similar concerns were raised with the OPC during its review of the Privacy Act's private sector provisions. The OPC recommended that the Australian Government consider reviewing the IPPs and the NPPs with a view to developing a single set of principles that would apply to both Australian Government agencies and private sector organisations. In its view, this would address the issues surrounding government contractors.[647]

Medical research

5.81 The Privacy Act generally provides health information may be collected, used and disclosed without consent for the purpose of research, provided certain criteria are met. The NPPs generally permit organisations to collect health information without consent in limited circumstances provided the information is required for: research (including compilation or analysis of statistics) relevant to public health or public safety; or the management, funding or monitoring of a health service. Health information may only be collected without consent for these purposes if obtaining consent is impracticable, and de-identified information (ie, information which cannot identify the persons it concerns) would not be sufficient. Where these preconditions exist, collection must be carried out either according to guidelines issued under the Privacy Act, or in accordance with binding rules of confidentiality issued by a competent health or medical body, or as required by law.[648]

5.82 The above-mentioned guidelines authorise Human Research Ethics Committees (HRECs) to permit identifiable health information to be used without consent for the purposes of approved research activities if the HREC is satisfied that the activities are substantially in the public interest and outweigh any concerns about privacy protection. Compliance with the guidelines is reported annually to NHMRC. In turn, the NHMRC reports this information to the OPC.

5.83 Submissions received by the committee maintained that the above requirements were unduly restrictive and were hindering important research.[649]As the OPC itself noted:

There is considerable evidence that key researchers, especially epidemiological researchers, consider that the current balance between privacy and the public benefit of research is too heavily weighted in favour of individual privacy to the detriment of research.[650]

5.84 Concerns raised by researchers include those listed below.

Undue restrictions on secondary use of data

5.85 Some submissions criticised the requirement that personal information only be used or disclosed for research relevant to 'public health or public safety' and only where it was 'impracticable' to seek consent. It was argued that research should be permitted under strict protocols where it is in 'the public interest.' It was also suggested that personal information should be able to be used or disclosed where obtaining consent is not viable, would cause unnecessary anxiety, or where the scientific value of the research would be prejudiced.[651] Submissions also noted that equivalent legislation overseas was less restrictive. The NHMRC explained that:

Canadian legislation permits agencies to disclose personal information without the individual’s consent, for research, if it is satisfied that the research cannot be achieved with non-identifying information and the researcher obtains an undertaking that the information will not be disclosed in an identifying way. The New Zealand Act and Code permit such disclosure if an agency believes on reasonable grounds that it is neither desirable nor practicable to seek consent and the information will not be used in an identifying way in research.[652]

Complexity and confusion

5.86 The committee also received evidence that the fragmented approach to privacy regulation in Australia (described elsewhere in this report) is a major impediment to medical research.[653] The Queensland Institute of Medical Research, for example, explained that research teams, especially those conducting multi-centre research, must deal with multiple different pieces of legislation, all with the same intent, but with subtly different wording that can have considerable impact upon the conduct of research.[654]

5.87 Similar concerns were raised with the OPC. It received evidence that the Privacy Act's private sector provisions have made the process of undertaking research more difficult. The provisions, it is argued, slow down approval processes and have an impact on gaining access to, and collecting, data. As the OPC explained:

Submissions ... point to the complexity of the privacy regime in Australia including both within the Privacy Act and between Commonwealth and state legislation and the impact this is having on health and medical research. They say, for example, that the co-existence of the NHMRC's section 95 (public sector) and section 95A (private sector) guidelines and the interaction between the IPPs and the NPPs has created some confusion for researchers and consumers. Also they say that that interpretation and implementation of Commonwealth and state privacy legislation is compromising individually and publicly beneficial research and health care. Problems include that private sector organisations are making incorrect decisions and adopting a highly conservative approach to privacy compliance.[655]

5.88 The committee also received evidence from the NHMRC that the reporting and decision making obligations imposed on HRECs were onerous. The OPC also noted evidence of inconsistencies in the way various HRECS exercised their obligation to weigh up the benefit of a research proposal versus the threat to individual privacy.

5.89 Compounding the above problems are the apparent difficulties researchers experience in determining what data or information is de-identified data and is therefore not subject to the Privacy Act or the NPPs.[656]

5.90 The Queensland Institute of Medical Research suggested that many of the difficulties experienced by medical researchers and members of HRECs in working within privacy provisions stem from inadequate training and a lack of knowledge or awareness. The importance of adequately resourced OPC was again raised as an issue. The Institute argued that 'a national education program and rapid access to advice from a well-resourced Federal Privacy Commissioner would be an extremely valuable service to groups in the health research sector'.[657]

5.91 The OPC report detailed a number of possible options for reform of the privacy provisions affecting medical research. However, noting the complex issues involved, it urged the Australian Government, as part of a wider review of the Privacy Act, to determine, with appropriate consultation and public debate, what is the appropriate balance between facilitating research for public benefit and individual privacy and right of consent.[658]

Responding to overseas emergencies

5.92 Another issue raised during the committee's inquiry related to impediments, under the Privacy Act, to the ability to respond to overseas emergencies. In particular, the committee received evidence from the Australian Red Cross (ARC) and DFAT in relation to the Privacy Act's impact on information-sharing between government and non-government agencies involved in response and recovery in emergency situations overseas.[659]

5.93 DFAT identified privacy-related impediments which had affected its administration of the Australian Government's response to overseas crises (including September 11, the Bali bombings and the recent Boxing Day tsunamis).[660] DFAT submitted that the privacy legislation had impeded DFAT's ability to:

access personal information held by other government agencies to assist in its location, identification and assistance efforts; and
provide personal information to other government agencies directly involved in the crisis response.[661]

5.94 For example, DFAT submitted that:

To meet our consular obligations, it would be useful to be able to access the records of airlines and travel agents regarding the travel plans, hotel reservations, and therefore general whereabouts, of Australians overseas. This information could, for example, confirm which Australians were booked in hotels directly affected by the Boxing Day tsunami. In response to inquiries, DFAT has been advised that airlines and travel agents are unable to disclose personal information because of restrictions in applicable privacy codes or the National Privacy Principles.[662]

5.95 DFAT also noted that the Privacy Act had impeded its ability to provide personal information to other government bodies who requested information to ensure inappropriate action is not taken against affected Australians. For example, Centrelink had wanted to avoid taking action to cancel regular social security payments to victims, or pursuing persons affected by the tsunami for overdue payments.[663]

5.96 DFAT concluded that:

The expectation of the Australian community is that there will be a whole-of-government response to the crisis and that government agencies are working collaboratively to achieve the best outcomes for affected Australians. Constraints under the Privacy Act limited DFAT’s ability to provide personal information to some bodies that requested it, particularly those without specific information-gathering powers and State or Territory bodies. Except in a few cases, the Privacy Act does not allow DFAT to automatically share information on those persons affected or unaccounted for in an overseas disaster with other government agencies, which deliver services to these individuals.[664]

5.97 A representative of DFAT expanded on the situation encountered in relation to the Boxing Day tsunamis:

We had about 87,000 phone calls from members of the Australian public expressing concern about the whereabouts of family members and friends. From that, we developed a list of about 14,000 Australians who we judged may have been in the areas affected by the tsunami. Tracking down 14,000 Australians and confirming their safety is an extremely difficult task. It is one that we could not do on our own. It was very important that we were able to get as much information as we possibly could about where those individuals might have been at the time to help us to get a clearer picture about the risk that they may have been in the immediate vicinity of the tsunami.[665]

5.98 The representative noted that information sharing between government agencies, such as with the Department of Immigration and Indigenous Affairs, was generally good. However, he also observed that there were some limitations, and that the information sharing 'was not always as quick as we would have liked' because they had needed to ensure that they had the appropriate authority under the Privacy Act for the exchange of information between agencies.[666] However, the representative noted that the situation in relation to the private sector was more problematic:

The real issue...was getting information from private sector organisations, particularly airlines and travel agencies. That is something we are looking into now. There is a working group process, being led by the Attorney-General’s Department, looking at the extent to which new flexibility needs to be built into the [A]ct or into the application of the [A]ct to help us with the management of information with privacy issues in times of crisis...We do have not a resolution to that yet, but that is something we are following up.[667]

5.99 The ARC argued that in emergency situations, the need for information sharing also extends to non-government organisations engaged in disaster recovery.[668] The ARC submitted that the Privacy Act had imposed significant impediments to its provision of disaster relief. In particular, it cited problems associated with the distribution of assistance by the ARC to Australian victims of the 2002 Bali bombings. In particular, the ARC submitted that some of the issues that it had encountered included:

the ARC was unable to access lists of deceased, injured and missing which were held by DFAT. While ARC liaised closely with DFAT, privacy legislation prevented sharing of this information;
the ARC was unable to share its own lists of deceased and injured although requested by some state and territory governments, which did not have comprehensive lists;
some victims were registered on the National Registration and Inquiry System (a computerised victim registration and inquiry system operated by ARC), but because of the extent of their injuries were unable to give permission to share this information; and
the ARC needed to seek individual client permission to share even basic information about assistance provided.[669]

5.100 The ARC argued that this inability to share information in such a crisis situation had resulted in an additional barrier to providing assistance to affected persons at a time when that assistance was most needed. The ARC also noted that it had to develop its own list of deceased and injured, compiled through advertisements, media, web searches, word of mouth and referral. Finally, the ARC observed that many affected Australians expressed surprise and concern about having to provide the same information to many different agencies and did not understand why this information could not be provided once and then shared across relevant agencies.[670]

5.101 Secretary General of the ARC, Mr Robert Tickner, put the problem in context:

...in the aftermath of the disaster that has occurred, someone with horrific injuries who has to tell their story to authorities and to others and who then seeks relief. The person’s injuries may range from modest to severe, across a range of possibilities, but, whatever the severity, they have been through a terrible trauma. They have told their story and telling the story just adds to their stress levels. The problem that people found is that they had to tell their story not once, but they had to tell it often to a range of different authorities who might be there to help them for one reason or another. I guess we are here, motivated by concern for the victims, to look for a simplified procedure that does not result in a sweeping away of people’s rights to privacy but, in the very limited circumstances of this kind of emergency, provides some practical pathway forward that assists in making people’s lives less stressful than it might otherwise be.[671]

5.102 The ARC argued that there is a need to amend the Privacy Act to enable sharing of information across agencies engaged in emergency response and ongoing disaster recovery functions.[672] Mr Greg Heesom of the ARC suggested that possible solutions could include a PID exemption by the Privacy Commissioner, or an amendment to IPP 11 to provide a specific limited exemption for emergency disaster situations.[673]

5.103 The OPC review also examined the issue of the Privacy Act's impact on responses to large scale emergencies.[674] For example, the OPC review noted the problems encountered during the aftermath of the tsunami disaster in December 2004:

In an attempt to locate missing family and friends, many Australians contacted airlines to find out whether the missing had continued flying after the tsunami hit. Such information, which is readily available to the airlines, if disclosed would normally appear to be a breach of NPP 2. The aftermath of the tsunami placed organisations in the position of balancing the right of an individual to privacy while also having the capacity to allay the fears of many relatives and friends of those missing. Disclosure of personal information by airlines in situations such as presented by the tsunami could therefore be in breach of NPP 2.[675]

5.104 The OPC review also observed that the Privacy Act received criticism in the media after the tsunami disaster 'for lacking commonsense and for being unable to anticipate and cope with the extent of the tsunami disaster.'[676]

5.105 After considering a number of options,[677] the OPC review concluded that:

Privacy laws should take a common sense approach. There needs to be an appropriate balance between the desirability of having a flow of information and protecting individual's right to privacy. In developing an exception to disclosure for cases of national emergencies, consideration should be given to the seriousness of the privacy breach versus that of protecting privacy.[678]

5.106 The OPC review also observed that:

In large scale emergencies, the consequences of disclosure should be compared to the consequences of non-disclosure. Consideration also needs to be given to the potential identity fraud that may occur during such a time, especially if disclosure is allowed to the media.[679]

5.107 The OPC recommended that the Australian Government consider:

amending NPP 2 to enable disclosure of personal information in times of national emergency to a 'person responsible'
extending the NPP 2.5 definition of 'person responsible' to include a person nominated by the family to act on behalf of the family
amending the Privacy Act to enable the Privacy Commissioner to make a Temporary Public Interest Determination without requiring an application from an organisation
defining 'National Emergency' as 'incidents' determined by the Minister under section 23YUF of the Crimes Act 1914.[680]

Use of the Privacy Act as a means to avoid accountability and transparency

5.108 The committee also received evidence about the use of the Privacy Act as a means to avoid accountability and transparency. For example, the Victorian Privacy Commissioner, Mr Paul Chadwick, described this as 'misuse of the Privacy Act', observing that:

There is a lot of what we call in the trade BOTPA...'Because of the Privacy Act.' You will find many incidents of people saying, “We can’t give you that, we can’t give you this, Because of the Privacy Act,” and it won’t be because of the Privacy Act. It will be something else.[681]

5.109 Similarly, Mr Ian Cunliffe believed that government departments and agencies have used the Privacy Act to avoid accountability and transparency. Mr Cunliffe argued that:

In large matters and small, government bodies routinely deny information to inquirers on the asserted basis that the Privacy Act prevents disclosure.[682]

5.110 Mr Cunliffe suggested that private sector entities can also be 'obstructive' when attempts are made to access to information, when often 'no real privacy issue is involved.'[683]

5.111 In the same vein, the APF was concerned that organisations often cited 'privacy laws' as a reason for not doing something they did not want to do for other reasons, even where there was no factual basis for the claim. The APF suggested there should be a sanction for wilful misrepresentation of the Privacy Act, although it acknowledged that it may be difficult to legislate against misrepresentation of a law's effect, and that some such claims may be based on genuine misunderstanding. The APF also suggested the Privacy Commissioner be empowered to issue 'corrective statements', to be published at the expense of the organisation concerned.[684]

5.112 Ms Anna Johnston of the APF explained further:

...the phrase 'because of the Privacy Act' has been used inaccurately by organisations, both government and business, as an excuse, usually for not doing something. That practice is frustrating enough for us as privacy advocates as it brings privacy protection into disrepute; however, an even more disturbing development has been the extent to which privacy-invasive proposals are justified or softened in the public’s eye through the mere existence of a Privacy Act. That is, the Privacy Act has been used as a shield behind which all sorts of intrusive practices are conveniently sheltered with a bland reassurance along the lines of: 'You can trust us because we are obligated to comply with the Privacy Act.' In this sense, a Privacy Act which is weak, either in its framework or in its enforcement can actually do harm as its mere existence can be used to shut down or sideline public debate or criticism.[685]

5.113 Ms Johnston put forward a current proposal by the Australian Bureau of Statistics (ABS) in relation to the census as an example of this problem. Ms Johnston believed that the proposal would:

...radically alter both the nature of the census and the role of the Australian Bureau of Statistics in handling personal data about every Australian. In case you are not aware of that proposal, it is for the ABS to replace the anonymous snapshot of the five-yearly census with instead a permanent movie of every Australian’s life. That is the language of the ABS itself—to replace the snapshot with a movie. The result will be a centralised, national population database holding the most extensive collection of data on every person, in an identifiable form. Everything from date of birth, sex, religion and occupation to people’s history of disease, their immigration movements and their family relationships will, for the first time, be held in the one place by the Australian government.[686]

5.114 Indeed, Ms Johnston argued that:

This new census proposal is the closest thing yet that we have seen to the old Australia Card scheme...We know that the Privacy Act alone in its current state can do nothing to prevent that proposal nor can the [A]ct alone stand in the way of the inevitable bears being attracted to the honey pot that a national population database presents. Legislation alone cannot protect Australians’ privacy. We need informed public debate and absolute political commitment if we are to avoid becoming a surveillance society.[687]

5.115 Ms Johnston believed that 'the ABS in its discussion paper on this proposal has sought to reassure the public by sheltering behind the mere existence of a Privacy Act.'[688]

5.116 However, the committee notes that the ABS census proposal has been released for public consultation and will also be subject to a privacy impact assessment, which will also be published.[689]

Law enforcement issues

5.117 The AFP submitted that it had encountered some practical law enforcement issues with regard to the AFP accessing information from organisations subject to the NPPs.[690] In particular, the AFP noted that some organisations, such as utility and service providers, have been reluctant, or have refused, to provide information requested by the AFP for law enforcement purposes.[691] The AFP suggested that this may have a number of causes:

organisations that are less familiar with the operation of NPPs can be reluctant to assist law enforcement as they are not aware the disclosure 'reasonably necessary for the enforcement of criminal law or a law imposing a pecuniary penalty' is a lawful disclosure;
provision of such information can be in conflict with business outcomes as it requires organisations to provide information that can be detrimental to commercial interests;
there are costs associated with complying with a request for information that organisations are reluctant to bear; and
some organisations are concerned about litigation being commenced by clients whose information has been disclosed to police.[692]

5.118 For example, Mr Trevor Van Dam of the AFP observed that:

...we do see cases where either organisations are concerned about a future commercial liability, for having passed information on, or they have been concerned about the impact on their commercial activities.[693]

5.119 The AFP noted that while education may have a role to play in raising awareness, this is unlikely to offer a complete solution. The AFP suggested that 'a legislative approach such as a "notice to produce", as is currently available to a number of other government entities, may be a potential solution to these difficulties.'[694]

5.120 Law enforcement issues were also considered by the OPC in its review of the private sector provisions of the Privacy Act.[695] The OPC review recommended that:

The Office will work with the law enforcement community, private sector bodies and community representatives to develop more practical guidance to assist private sector organisations to better understand their obligations under the Privacy Act in the context of law enforcement activities.[696]

5.121 The AFP supported this recommendation, but observed that 'notices to produce' may also be useful:

In the context of examining the possibility of notice[s] to produce, we are aware of the fact that such a facility already exists within other legislation and that operates quite comfortably beside the privacy legislation. In some respects, it helps to clarify for a provider of the information that they have a cover in the context of a formal notice that gives them some comfort against future claim.[697]

5.122 Mr Trevor Van Dam continued:

...we think it is appropriate to have a look at the application of that within some other legislative arrangements. Over the next period our view is that we would examine that and have a look at whether or not, for argument’s sake, changes to the [Australian Federal Police Act 1979] or Crimes Act might be required.[698]

Privacy issues for care leavers

5.123 Care Leavers of Australia Network (CLAN) raised concerns that the Privacy Act unduly restricts access to third-party (family) information which may assist care leavers (for example, people who grew up in orphanages and similar institutions) to identify their family and background. CLAN's submission highlighted for the committee the profound impact that the loss of contact with family, siblings and place of origin and the ensuing loss of identity can for those raised in care. Yet, as CLAN noted, the Privacy Act's 'provisions can be used to hinder those wishing to access information relating to their time spent in institutional and other forms of out-of-home care, especially that concerning their biological identities'.[699] As explained elsewhere in this report, privacy laws generally restrict third party access to personal information without consent. CLAN urged the committee to give consideration to Recommendation 16 of the Forgotten Australians report of the Senate Community Affairs Committee.[700] That Committee recommended, among other things, that:

That all government and non-government agencies agree on access guidelines for the records of all care leavers and that the guidelines incorporate ... the commitment to the flexible and compassionate interpretation of privacy legislation to allow a care leaver to identify their family and background.[701]

5.124 The committee notes that the Australian Government has yet to respond to that recommendation.[702]

Navigation: Previous Page | Contents | Next Page