Chapter 6 - Resourcing and powers of the Office of the Privacy Commissioner
6.1
This chapter will consider issues raised in the course
of the committee's inquiry in relation to the resourcing of the OPC, and
whether current levels of funding and the powers available to the OPC enable it
to properly fulfil its mandate.
Resourcing of the Office of the Privacy Commissioner
6.2
The resourcing challenges faced by the OPC are
illustrated starkly by the evidence presented to the committee during the
course of its inquiry. On the one hand, there has been a steady increase in the
number of privacy-related issues which come within the functions of the OPC;
indeed, as the OPC has indicated: 'the
introduction of new technologies has increased the range of potential privacy
issues within the community'.[703] Yet,
on the other hand, there has been no corresponding increase of staff for the
OPC.
6.3
In response to a request by the committee to provide
staffing numbers for each financial year since 1994-1995, the OPC indicated
that it had the same number of staff during the most recent reporting year[704] as it did at the beginning of that
decade.[705] A temporary increase in
staff numbers during the years 2001-2003 was 'for the purpose of developing and
writing guidelines and other information for the commencement of the private
sector provisions of the Privacy Act.'[706]
6.4
Given the arguably exponential increase in matters
relevant to the functions of the OPC, it seems extraordinary that there has
been no corresponding increase in staff over the last decade.
6.5
Many submissions expressed concern that the OPC is
inadequately funded or resourced, and gave their support to increased funding
for the OPC.[707] For example, the AMA
believed that 'the OFPC has insufficient resources to investigate and take
action in respect of privacy breaches in a timely manner'.[708] The AMA submitted that:
The work of the OFPC has occurred despite the severe lack of
resources provided to it to investigate and rectify privacy complaints, carry
out educative campaigns, take action on its own initiative, and be proactive in
the administration of the Act.[709]
6.6
Mr Roger Clarke argued that the OPC has had its responsibilities increased in recent
years, without a corresponding increase in resources:
The OFPC has had its
responsibilities greatly increased, and has no more resources, and possibly
fewer resources, than prior to the addition of the private sector to its
purview.
...
The impact of this has
been that the OFPC is prevented from fulfilling its responsibilities. It
conducts few audits, its replies to complaints and submissions are very slow,
it is unable to respond quickly to sudden demands, and it is able to conduct
very little own-volition research and investigation.[710]
6.7
Some submissions suggested that technological
advancement would only exacerbate this situation.[711] For example, the AEEMA suggested
that the OPC itself needed a 'better understanding...of the rapid advancements in
technology and their obvious benefits to business efficiency and community
convenience'.[712]
Failure to address systemic issues
6.8
Several submitters noted that, due to resource
constraints, the OPC has been forced to concentrate on dealing with individual
consumer complaints, at the expense of other strategic functions, such as
audits, policy making, enforcement and education.[713] For example, the ACA suggested that
the OPC should be doing more in terms of enforcement action. However, it noted
that this would require greater resources to allow the OPC to meet its
complaints load and to discharge other duties.[714] Indeed, the OPC itself has reported
that resources have been reallocated from audit activities to other 'priority
areas'.[715]
6.9
The ACA's observation in relation to strategic
direction issues regarding the OPC was as follows:
...resource
constraints...have bound the Office tightly to one aspect of its compliance role,
dealing with complaints from individuals. Public sector audits, inputs to
policymaking and effective engagement of public education have all suffered,
while at the same time, speedy complaint resolution has proven difficult to
deliver. This is acknowledged in the Issues Paper by the OFPC into its review
of its own operations, which indicates that having identified complaint
handling as a priority the Office diverted resources from other areas of
responsibility. This clearly indicates that the strategic direction of the Office
has been subverted by short-term contingencies.[716]
6.10
The APF made a similar argument:
Both by design and by
failure to provide the Privacy Commissioner with adequate resources, the regime
relies largely on complaints. This is a completely inadequate way of seeking to
promote privacy compliance. Many interferences with privacy go unnoticed by the
particular individuals involved, and even where they are noticed, they rarely
cause such significant harm as to warrant the time and effort of complaining.
This does not mean that they are unimportant – the cumulative effect of
repeated small scale intrusions is just as corrosive of trust in organisations
as a few major privacy breaches.[717]
6.11
The APF contended further:
Problems that we see
constantly repeated over many years are not being adequately addressed. It
should not be necessary to keep bringing individual or even representative
complaints, which are a very inefficient way of addressing systemic problems.
...
Slavishly giving
priority to individual complaints helps fewer people in the long term than
using enquiries, complaints and third party referral of issues to identify
systemic issues which can then be addressed with own-motion investigation
powers (and audit powers in those jurisdictions where they are available).[718]
6.12
The APF
also made the point that there is currently no incentive for respondents to
make complaints to correct systemic flaws in the privacy regime since '(i)n
most cases, the worst outcome for a respondent, regardless of how bad the
conduct, is that they must amend the records'.[719] Further:
There is a lack of
information provided to complainants (or their advisers) when raising repeated
(or systemic) problems. While the specific complainant’s problem may be resolved,
the adviser is rarely informed whether there has been any response to what
might be a broader problem with a particular respondent. We understand that the
OFPC sometimes provides advice to major respondents that goes beyond anything
made public. Consumer advisers should be aware of what that advice is.[720]
6.13
At the public hearing in Melbourne,
Ms Loretta
Kreet from Legal Aid Queensland
also submitted that, in her view, limited resources have resulted in the OPC being
overwhelmed by individual complaints, at the expense of addressing more
strategic compliance issues:
I understand that, in a
climate where resources are limited, enforcement should be strategic so that
the successful enforcement action changes industry practice. If all the office
is capable of doing is handling individual complaints then industry practice
will not change, because there does not seem to be effective enforcement across
the industry.[721]
6.14
The
Privacy Commissioner's recent review of the private sector provisions of the
Privacy Act considered the OPC's capacity to respond to systemic issues raised
in complaints or identified by other means. The review noted evidence
suggesting that the OPC's limited focus on systemic issues and its lack of
power to deal with these issues 'is out of step with best practice for
complaint handlers'.[722] The review
also noted that '(a) greater focus on analysing complaints, following up leads,
conducting more own motion investigations to identify systemic issues and so on
could also feed into education and guidance activities'.[723]
6.15
The
review recommended that the OPC 'will consider options for providing more
feedback on systemic issues either in advice or guidance or in some form of
regular update to stakeholders.'[724]
Flaws in complaints handling process
6.16
Several submissions noted that, despite the OPC's
emphasis on the complaints handling process, even that process appears to be
under-resourced.[725] In particular,
several submissions expressed concern about aspects of complaints handling by
the OPC, especially the delays involved.[726] The ACA suggested that the OPC's
funding needed to be commensurate with the volume of complaints coming to the
OPC.[727] Further, the ACA submitted
that:
...the OFPC has a high rate of discouraged complainants, abandoned
complaints and unhappy consumers. Consumers must have confidence that if their
rights are flouted, they can easily seek speedy and effective redress. This is
not the case for privacy rights in Australia
following the passage of the Act.[728]
6.17
EFA made some strong criticisms of the
complaint-handling process, arguing that it requires 'greater transparency and
considerably more information about the OFPC's views about application of the
NPPs needs to be made publicly available'. EFA also expressed concerns in
relation to the delays in dealing with complaints:
We consider the OFPC should be sufficiently well-funded to deal
with complaints promptly, and without need to remove staff from other important
areas such as policy and auditing of government agencies as has reportedly
occurred.
Without adequate complaints handling procedures, backed up
ultimately by strong legal sanctions, the P[rivacy] A[ct] will continue to be a
generally ineffective and token piece of legislation.[729]
6.18
In response to the committee's questions on notice in
relation to private sector provisions complaints, the OPC stated that in the
financial year to date, 'the average time it has taken for complaints...to be
resolved or closed is 88 working days or 4.5 months'.[730] Further, the OPC stated that in the
financial year to date, '99 complaints...have taken more than 12 months to
resolve; this represents 12% of all private sector complaints closed in this
period'.[731] However, the committee
notes that, since these figures only
relate to private sector complaints, they may not be an accurate representation
of the total number of complaints subject to delayed resolution.
6.19
At the Sydney
hearing, Mr Andrew
Want, Chief Executive Officer of Baycorp
Advantage, told the committee that his organisation is a strong supporter 'of a
significant investment in the capabilities...and in the resources of the [OPC]'.[732] In particular, Mr
Want spoke about the need for increased
resources in the area of complaints resolution:
Certainly in the area
of complaints resolution there need to be some additional resources. We feel
the commissioner’s office and the community would benefit from having
additional resources to aid in the policy debate—to help explore the areas that
we have been discussing about this very sensitive balance that needs to emerge
over the next couple of years between freedom of information and freedom of
anonymity, if you like.[733]
6.20
At the Sydney
hearing, Mr Timothy
Pilgrim from the OPC expanded on this point.
He noted the constraints placed on the OPC:
Under the Act currently
it states that, on receiving a complaint such as that, the Privacy Commissioner
shall investigate. As you can imagine, that has resource implications if we are
looking at that sort of issue. One of the things we would prefer to do is to be
able to advise the person that we have received that sort of complaint and will
monitor it to see if that is a particular systemic issue and look to see if
there is a broader systemic issue over time that we need to resolve rather than
having to devote immediate resources to that one particular issue. I am not
trying in any way to belittle an individual’s complaint—please understand
that—but that is just an example of an instance where there is something that
you probably would not want to devote an entire person to trying to resolve
that at that point.[734]
6.21
The FIA suggested an alternative – and, in its view, preferable – way of
dealing with complaints:
OFPC has acknowledged
that it does not have the capacity to deal with complaints within a reasonable
time and that the process may lack transparency (including the lack of right of
review).
...
Complaints are most
likely to be made to the offending organisation in the first instance.
Requiring their examination by the organisation, through a
self-audit-self-regulatory process sanctioned through standards of practice
that underlie the legislation would ensure appropriate consideration of the
complaint and enhancement of community awareness of their rights and methods by
which they can exercise them. These methods would be easier, cheaper and more
efficient than the current complaint handling by the OFPC.[735]
6.22
The ACA argued that one of the ways in which
greater community confidence in protection of privacy rights could be
encouraged is by 'more vigorous and apparent enforcement action'.[736] This would encompass further action than 'simple awareness-raising' in
order to 'convince consumers that there really is a viable avenue for privacy
complaints at the OFPC'.[737] The ACA
submitted that:
This would involve
establishment of a resource stream to the Office sufficient to meet the
complaints load and to discharge the other duties of the Office in providing
policy advice, researching and anticipating innovation, and conducting audits
and other active information seeking programs, such as shadow shopping perhaps.[738]
6.23
Further,
the ACA argued that:
...a mechanism should be
established that provides a funding stream to the dispute resolution activities
of the Office that is commensurate with and scales to meet the volume of
complaints coming to the OFPC. Preferably this funding would be provided by a
scheme whereby organisations complained against bear the cost. Indeed our
preference would be for a separation of the dispute resolution aspects of the
Office from its regulatory functions – the two do not always sit comfortably in
the same structure. As a regulator the OFPC should have a role in defining and
monitoring the effectiveness of A[lternative] D[ispute] R[esolution] functions
as well as being required to respond to systemic problems revealed by the
individual complaints data.[739]
6.24
The
increased availability of dispute resolution processes was a measure supported
by others. For example, Legal Aid Queensland submitted that:
...it would also assist
in easing the load on the Commissioner's Office if entities, particularly in
the credit reporting area were required to make available an approved internal
dispute resolution process. Aggrieved consumers should also have access to
efficient no cost external dispute resolution processes either via the Privacy
Commissioner or an industry scheme meeting the requirements for external
dispute resolution schemes contained in the Australian Securities and Investments
Commission Policy Statement 139.[740]
6.25
The ACA stressed that, in its view, the Privacy Act
imposes merely a 'bare bones' privacy framework with, for example, no required
reporting and no real capacity for the OPC to impose direct cost on industry.
However, the ACA raised an interesting point in relation to the resourcing
issues faced by the OPC and the efforts made by industry to comply with privacy
obligations:
Where we have sympathy
with industry is in the point that companies have in many sectors devoted some
not-inconsiderable effort to ensuring they meet the prescriptions of the Act in
a consistent and reliable way, while the resources assigned to the OFPC to
achieve its mission in the private sector are derisory. In our view, while the
OFPC has laboured mightily with the scant resources it has been given, the
overall impression is that the Government has actually taken its own
legislation a lot less seriously than the organisations to which it applies. If
this persists, it inspires an atmosphere of demolition by neglect, scarcely a
credible position for any organisation, let alone a regulator with an
enforcement role, albeit a restricted one.[741]
6.26
The committee
notes that the Privacy Commissioner's recent review of the private sector
provisions recommended that:
The Australian
Government should consider the strong calls by a wide range of stakeholders for
the Office to be adequately resourced to meet its complaint handling functions.[742]
6.27
The
Privacy Commissioner's review also recommended that the Australian Government
consider amending the Privacy Act to give the Privacy Commissioner a further
discretion not to investigate complaints where the harm to individuals is
minimal and there is no public interest in pursuing the matter.[743]
6.28
The APF
was particularly critical of this recommendation:
Although at first
glance this appears to be a reasonable position, possibly due to limited resources,
we do not agree that the Privacy Commissioner should be able to pick and choose
which complaints to investigate.[744]
6.29
Amongst
other things, the APF pointed out a practical issue that may arise if such an
approach were to be adopted:
...how would the Office determine
what ‘harm’ the person has suffered, or where the ‘public interest’ lies,
without conducting at least a preliminary investigation? The Office’s resources
may well be taken up debating the relative ‘harm’ and the ‘public interest’
between the two parties, instead of just getting on with resolving the matter.[745]
6.30
The APF
submitted that it did not support this recommendation. However, it made the
following concession:
...if recommendation 46
is to be followed, purely on the basis of a measure to allow the Office to
focus its resources on complaints that suggest systemic problems, we argue that
there must be a corresponding allowance for direct civil action by individuals
against organisations that breach the Act.[746]
Awareness and education
6.31
Several submissions noted that there appears to be a
low level of awareness among consumers about the privacy legislation and the OPC.[747] These submissions argued that the OPC
needs increased resources in order to play a greater role in promoting
education and awareness of the Privacy Act.[748]
6.32
For example, the NHMRC noted that the Australian Health
Ethics Committee had worked in collaboration with the OPC to develop and
conduct a series of training workshops in every capital city to assist ethics
committees and researchers to understand relevant guidelines under the Privacy
Act.[749] The NHMRC noted that it alone
had provided funding for these workshops. It argued that such privacy training
should be funded 'largely if not exclusively' by the Privacy Commissioner, as
the responsible agency.[750] The NHMRC
concluded by recommending that the Privacy Commissioner be given sufficient
resources to ensure that education and awareness programs can be funded and
implemented.[751]
6.33
At the Sydney
hearing, the Privacy Commissioner, Ms Karen
Curtis, told the committee that her recent
review of the private sector provisions of the Privacy Act revealed a general
call by all sectors for increased resourcing for the OPC in a variety of areas:
It is clear throughout
the report that there has been a call by all sectors—business large and small,
individuals, consumer representatives—for increased resourcing for the office
in terms of our complaints handling and also for an education and awareness
program. I have made recommendations to the Attorney that he should take into
account those strong calls for increased funding for those areas in particular.
We have not developed an education and awareness program, so we have not costed
what that might be, so I cannot give you a specific figure.[752]
6.34
Ms Curtis reiterated the importance of promoting awareness and education at the
committee's May 2005 Budget Estimates hearing, in response to questioning by
the committee in relation to priority funding areas:
In the review that I
recently completed about the private sector provisions it was clear that there
was a general call by industry, as well as by the consumers and the government
departments and agencies, for increased awareness and education about both the
right of individuals and the responsibilities and obligations of business. So I
think an education and awareness program would be a priority.
...
Within our current
funding we do provide advice and we do have education and awareness. We
maintain a web site. We have lists of people that we send information to. We
try to communicate as effectively as possible with the wider community, but an
integrated education awareness program would be of use.[753]
Powers of the Office of the Privacy Commissioner
6.35
Some submissions and witnesses argued that the powers
of the Privacy Commissioner are inadequate. For example, the ACA was of the
view that the powers of the OPC are 'too restricted', and argued that the Privacy
Commissioner should have greater powers including:
- an audit power in relation to the private
sector;
- the capacity to address systemic privacy
problems outside the context of resolving an individual complaint;
- the power to fine an organisation that breaches
privacy provisions;
- ability to enforce any directions given in
relation to findings after an own motion investigation;
- ability to seek court enforceable undertakings;
and
- power to issue a standard or binding code to
address systemic failings.[754]
6.36
The ACA stated that, while not advocating 'a draconian
or a legalistic "black letter" approach', it was of the opinion that
'a credible set of powers and penalties connects the regulator with the legal
framework of enforcement, and ensures that more "light handed"
interventions have the weight of possible further action attached to them'.[755]
6.37
Moreover, while acknowledging that its suggested
changes may have considerable resource implications, the ACA noted that if
changes were implemented, this may result in long-term cost saving measures:
The prospect of more
vigorous regulatory action may well lower the number of complaints over time,
while enforceable fines would in fact yield revenue, albeit to consolidated
government funds. Coupled with a more industry funded A[lternative] D[ispute] R[esolution]
scheme as outlined above, these changes could well mean the OFPC becoming a far
more cost-effective instrument.[756]
6.38
The Victorian Privacy Commissioner submitted that the
powers, independence, resources and accountability for the OPC should be
commensurate with the significance of the right to privacy as a basic human
right; and the complexity of OPC’s tasks in the contemporary and foreseeable
governmental, commercial, social and technological context. The Victorian
Privacy Commissioner also suggested that the Privacy Commissioner should be able to
table reports directly in Parliament.[757]
6.39
The APF submitted that the functions and powers of the
Privacy Commissioner are generally adequate, but ineffective due to lack of
resources. Nevertheless, the APF recommended a number of extended or additional
powers for the Privacy Commissioner, including:
- extending the audit function to compliance by private
sector organisations with the NPPs;
- the power to initiate a code of practice to deal
with particular issues affecting the private sector;
- the power to selectively require agencies and
organisations to publish details of major projects or proposals with
significant privacy implications;
- an express role in relation to privacy impact
assessments;
- the power to issue or require corrective
statements; and
- a more systematic and streamlined complaints
process.[758]
6.40
The Centre for Law and Genetics submitted similarly
that current enforcement powers in the Privacy Act are 'relatively weak'.[759] At the Canberra
hearing, Dr Dianne
Nicol from the Centre for Law and Genetics
provided the committee with more information on this point and suggested how
this might be changed:
Certainly, at the
moment, determinations of the commissioner are not binding on either of the
parties. So it is then up to the commissioner or the complainant to bring a
further action to the Federal Court and there is another hearing de novo, so it
is a fairly lengthy process to get anything in the form of enforceable
requirements. One area that might be instructive is schedule 5 of the
Broadcasting Services Act relating to censorship of the internet. The
provisions in schedule 5 relate to determinations of the Australian
Broadcasting Authority. They define them as online provider rules, and those
rules are binding such that, if the rules are not followed, it becomes an
offence, so it is an offence not to follow the determinations of the Australian
Broadcasting Authority. Perhaps a similar procedure could be put in place for
the Privacy Commissioner so as to give the determinations of the Privacy
Commissioner some binding force.[760]
6.41
The AEEMA also observed that, compared to European Union
jurisdictions, the enforcement powers and procedures under the Australian
regime 'engender a more subtle approach to breaches.'[761]
6.42
At the Melbourne
hearing, Ms Irene
Graham from EFA argued that a more
prescriptive approach than is currently set out in the Privacy Act would be
preferable for enforcing privacy rights:
...it is [currently]
almost impossible for an individual to enforce their supposed privacy rights...So
at the moment for an individual to enforce their alleged rights, it is a very
complex and expensive exercise. You may be lucky and have the commissioner make
a decision quickly and the business just agree to do that—and that certainly
does happen with some smaller aspects. But if you have a serious breach of
privacy, it is more likely that you will end up having to go to the Federal
Court to get the decision heard again. We think that is too hard for most
people—too hard and too expensive.[762]
6.43
The
Privacy Commissioner's recent review of the private sector provisions also
considered many of these issues.[763]
The review recommended, amongst other things, that:
- the OPC
will consider promoting privacy audits by private sector organisations;[764]
- the OPC
will review its complaints handling processes;[765]
- the OPC
will consider measures to increase the transparency of its complaints processes
and complaint outcomes;[766]
- the
Australian Government should consider amending the Privacy Act to provide for
enforceable remedies following own motion investigations where the Privacy
Commissioner finds a breach of the NPPs;[767]
and
- the
Australian Government should consider amending the Privacy Act to provide a
power for the development of binding codes and/or binding guidelines in certain
circumstances.[768]
6.44
The APF's
response to the Privacy Commissioner's review noted that:
...less timidity in the
presentation of many of the recommendations could have spurred more action by
the Government, such that instead of being encouraged to just
"consider" doing something...it could have been given the permission as
a result of this review to just "do it".[769]
6.45
This is
particularly pertinent to many of the recommendations set out above in
paragraph 6.43.
6.46
The APF
also argued that 'there are few recommendations that could bring about genuine
and systemic improvements, such as private sector auditing powers for the
[OPC]'.[770]