Chapter 2 - Background
2.1
This chapter provides some background to the Privacy
Act, including:
- concepts of privacy;
- privacy under international and common law;
- history of the Privacy Act;
- key provisions of the Privacy Act; and
- community attitudes towards privacy.
Concepts of privacy
2.2
As the Law Reform Commission (as it was then known) noted
in its 1983 report on privacy, 'the very term 'privacy' is one fraught with
difficulty. The concept is an elusive one.'[5]
Privacy is often referred to as the 'right to be let alone'.[6] Professor
Zelman Cowen, in the 1969 Boyer lectures,
observed that:
A man without privacy is a man without dignity; the fear that
Big Brother is watching and listening threatens the freedom of the individual
no less than the prison bars.[7]
2.3
Similarly, Mr Bill
O'Shea of the Law Institute of Victoria (LIV)
remarked during this inquiry that 'an individual's privacy is fundamental to
their human dignity'.[8] Mr
Paul Chadwick,
the Victorian Privacy Commissioner, addressed the committee on the purpose of
privacy:
Firstly, it [privacy] is understood to be essential to
selfhood—to the creation of the self. It is as fundamental as that, and it is
why humans retreat to solitude at times or keep their reserve in the company of
others. Secondly, it is understood to be fundamental to the creation and
maintenance of intimacy between humans. Unless the privacy of your relationship
with your nearest and dearest is observed by the partners, trust is lost. So
privacy as essential to intimacy is the second purpose of privacy among humans.
Thirdly, not to be downplayed but also not to be overplayed, is privacy as
liberty.[9]
2.4
'Privacy' is often broken down into different elements.
Mr Chadwick discussed five dimensions of privacy: privacy of the body; privacy
of the home; privacy from surveillance; privacy from eavesdropping; and
information privacy.[10] However, the
Privacy Commissioner, Ms Karen
Curtis, pointed out to the committee in Sydney
that:
...while our Privacy Act is about the protection of personal
information or sensitive information, it is really about data protection. It is
not about privacy in the broader sense of bodily privacy or privacy in other
areas. I think ‘privacy’ is often seen as a catch-all, and so our Privacy Act
does not address all aspects of territorial privacy or bodily privacy. The
Privacy Act addresses the collection, use, disclosure and storage of personal
information held by Commonwealth government departments and agencies, ACT
government departments and agencies and also the private sector across Australia.[11]
2.5
Despite this, the Australian Privacy Foundation (APF) urged
this inquiry:
...to consider what additional protection needs to be put in place
to deal with contemporary threats, going beyond information privacy principles
to limit the development of a surveillance society and protect individuals from
assaults on their physical integrity such as mandatory drug and DNA testing and
increasingly prevalent and intrusive searches, and from other intrusions (such
as by telemarketing or media harassment). These forms of privacy invasion may
not involve the creation of a record of personal information, and yet are just
as important in terms of a more general “right to be let alone”.[12]
2.6
Mr Paul
Chadwick argued the significance of privacy
is growing, for three key reasons.[13]
The first reason was technological developments; the second related to
international obligations and developments. Finally, Mr
Chadwick argued that we are going through a
'recalibration of liberty and security':[14]
The third factor that explains why the Privacy Act is growing in
significance is 11 September 2001
and what has flowed from that in terms of public policy. We are now
recalibrating the balance between liberty and security. Privacy is legitimately
a subset of liberty, and those of you who have had to address things like the
ASIO [Australian Security Intelligence Organisation] legislation et cetera will
be aware of those arguments.[15]
2.7
Similarly, Mr Andrew
Want of Baycorp Advantage suggested that,
among other things, one of the emerging challenges in the area of privacy:
...is the balance between identity management and anonymity in the
context of terrorism and security. There is an obvious societal push for
greater security following September 11. The risk is that the pendulum might
swing too far and individual privacy might be lost in the mix. There needs to
be a serious debate about what the benefit for society is and what the policy
objective of privacy regulation is in this new context. So it is not just about
economic efficiency; it is also about the balance of individual liberty in the
face of the challenges society is now dealing with out of the remnants of
September 11.[16]
2.8
However, Ms Anna
Johnston of the APF raised concerns about
the impact of recent events on the Privacy Act, and especially:
...the extent to which the so-called war on terror is used to
justify an abandonment of any rationality in our policy process, such that new
proposals are not calmly weighed in terms of necessity, proportionality or
reasonableness, effectiveness and looking at alternative options.[17]
2.9
In particular, Ms
Johnston strongly expressed the view that:
...we reject the notion that we are somehow living in a new age of
terror, justifying the abandonment of long-cherished values or hard-won
liberties...
...post September 11, we do not believe the world actually
changed that much. Even more so, we utterly reject any suggestion that privacy
or indeed other human rights somehow stand in the way of security or good
government. Privacy ensures the freedom of speech and freedom of association
necessary for stable and democratic government. Furthermore, privacy, like
openness, transparency and freedom of information, is about ensuring the
accountability of government and business. In doing so, respect for privacy and
the robust enforcement of privacy principles and privacy rights can only
strengthen the fair and expose the corrupt.[18]
2.10
Similarly, Mr Bill
O'Shea from the LIV observed:
The default position should be that we protect people’s privacy
and that you as legislators do the same...if we have a drift in this community
based on 9/11 or the US alliance or whatever else we are concerned about the
drift will inexorably be to take away people’s dignity and progressively take away
more rights by privacy infringement creep.[19]
2.11
As Mr Timothy
Pilgrim of the OPC remarked:
...it is the issue of the balance. We would say that in certain
circumstances privacy cannot be an absolute. There has to be that balance
achieved between the needs of the individual and the broader community.[20]
Privacy protection under international and other Australian law
International law
2.12
There are several key sources of international law and
standards relevant to privacy protection in Australia.[21] In particular, the International Covenant on Civil and
Political Rights (ICCPR) recognises the right to privacy in Article 17. It
states:
(1) No one shall be subjected to arbitrary or unlawful
interference with his privacy, family, home or correspondence, nor to unlawful
attacks on his honour and reputation.
(2) Everyone has the right to the protection of the law against
such interference or attacks.
2.13
Article 12 of the Universal
Declaration of Human Rights contains an almost identical provision.
2.14
The Organisation for Economic Cooperation and
Development's (OECD) Guidelines Governing
the Protection of Privacy and Transborder Flows of Personal Data (OECD
guidelines) were adopted in 1980. The guidelines set out eight 'Basic
Principles of National Application' (guidelines 7 to 14) to be followed by OECD
countries. The guidelines set out the way personal information about
individuals should be collected, stored, used and disclosed – consistent with
the above mentioned international laws. They also set out mechanisms by which
individuals can gain access to, and have amended, information about them held
by others.[22]
2.15
According to the OPC, the Privacy Act gives effect to
Article 17 of the ICCPR and the OECD Guidelines. In particular, the OECD guidelines
provided the basis for the Information Privacy Principles contained in the
Privacy Act.[23] The Preamble to the
Privacy Act also specifically refers to the ICCPR and the OECD Guidelines:
WHEREAS Australia is a party to the International Covenant on
Civil and Political Rights, the English text of which is set out in Schedule 2
to the Human Rights and Equal Opportunity Commission Act 1986:
AND WHEREAS, by that Covenant, Australia has undertaken to adopt
such legislative measures as may be necessary to give effect to the right of
persons not to be subjected to arbitrary or unlawful interference with their
privacy, family, home or correspondence:
AND WHEREAS Australia
is a member of the Organisation for Economic Co-operation and Development:
AND WHEREAS the Council of that Organisation has recommended
that member countries take into account in their domestic legislation the
principles concerning the protection of privacy and individual liberties set
forth in Guidelines annexed to the recommendation:
AND WHEREAS Australia
has informed that Organisation that it will participate in the recommendation
concerning those Guidelines...
2.16
The European Union's (EU) Directive on the protection of individuals with regard to the
processing of personal data and on the free movement of such data (EU Data
Protection Directive)[24] is also relevant to Australian
privacy law. In particular, the EU Data Protection Directive contains
provisions to ensure that European individuals do not lose privacy protection
rights when information about them is transferred to other jurisdictions
outside the EU. If the laws of the destination country do not provide
'adequate' data protection standards, as determined by the EU, then there are
restrictions on the transfer of information to that other jurisdiction.[25]
2.17
Indeed, one of the stated purposes of the Privacy Amendment (Private Sector) Act 2000
was to facilitate trade with EU members.[26]
However, to date, the EU has not recognised Australia's
privacy laws as 'adequate' for the purposes of the EU Data Protection
Directive. Only a few countries, such as Canada, Switzerland, and the
United States, have been recognised in this manner.[27]
Indeed, whether the Privacy Act meets the EU directive requirements, and
the extent to which this has had any impact on trade with the EU, were
issues raised in submissions and evidence to this inquiry. These issues are
considered later in this report.
2.18
Another recent international development is the endorsement
in November 2004 by Asia-Pacific Economic Cooperation (APEC) Ministers of the
APEC Privacy Framework. Again, this is discussed further later in this report.
Other Australian law
2.19
The Australian Constitution does not expressly protect
privacy nor does it contain a specific head of Commonwealth legislative power
on which to base legislative protection.[28]
As Mr O'Shea
of the LIV observed, there is no right to privacy under the Australian
Constitution.[29] Several submitters
expressed support for consideration of the incorporation of a right to privacy
in the Constitution, or a Bill of Rights.[30]
2.20
Until recently, there was also no general right of
privacy at common law in Australia.
However, in 2003, the District Court of Queensland recognised a tort of
invasion of privacy in the case of Grosse
v Purvis.[31] This case followed the
High Court case of Lenah Game Meats,
in which the High Court arguably left open the possibility of a tort of
invasion of privacy.[32]
2.21
A number of State and Territory jurisdictions have also enacted their own
privacy legislation.[33]
History of the Privacy Act
2.22
The Privacy Act was enacted in 1988, following the
demise of the 'Australia Card' proposal. The Privacy Act was initially directed
at the protection of personal information held by Commonwealth government
departments and agencies, as well as safeguards for the collection and use of
tax file numbers. In 1990, the Privacy Act was amended to insert Part IIIA,
which regulates credit reporting and information held by credit reporting
agencies and credit providers.[34]
2.23
The Privacy
Amendment (Private Sector) Act 2000 commenced in December 2001, with the
aim of strengthening privacy protection in the private sector by establishing
national standards for the handling of personal information by the private
sector. Before this, the private sector was covered by a voluntary system of 'National
Principles for the Fair Handling of Personal Information'. Among other things,
the Privacy Amendment (Private Sector)
Act 2000 established the 'National Privacy Principles' and provided for
approved privacy codes. As noted above, extending privacy protection to the
private sector was partly in response to the EU Data Protection Directive.
Other aims of the Privacy Amendment
(Private Sector) Act 2000 included: ensuring that Australian
business and consumers take full advantage of the opportunities presented by
electronic commerce and the information economy; and allaying concerns about
the security of personal information when doing business online.[35]
Key provisions of the Privacy Act 1988
2.24
The Privacy Act protects personal information in four
key ways:
- The Information
Privacy Principles (IPPs) in section 14 of the Privacy Act govern the
collection, storage, use and disclosure of an individual's personal
information. They also provide for individual access to, and correction of,
their own personal information. These principles are based on the OECD
guidelines and apply to personal information handled by Commonwealth and ACT
Government agencies.
- The National
Privacy Principles (NPPs) in schedule 3 of the Privacy Act regulate the way
private sector organisations handle personal information (unless replaced by a
code approved by the Commissioner under section 18BB of the Privacy Act). These
principles cover the collection, storage, use and disclosure, and access
obligations of organisations.
- The Act also prevents individuals' Tax File
Numbers (TFNs) from being used as a national identification system and gives
individuals the right to withhold this information. Where a TFN is provided,
its use is limited to purposes relating to taxation, government assistance or
superannuation. Under the Act, the Privacy Commissioner issues and enforces
legally binding guidelines.[36]
- Part IIIA of the Privacy Act places safeguards
on the handling of individuals' consumer credit information by the credit
industry. Unlike other provisions of the Privacy Act, strict penalties apply
where these provisions are knowingly breached.[37]
2.25
A key definition in the Privacy Act is that of 'personal
information', which is defined in section 6 to mean:
information or an opinion (including information or an opinion
forming part of a database), whether true or not, and whether recorded in a
material form or not, about an individual whose identity is apparent, or can
reasonably be ascertained, from the information or opinion.
2.26
Section 6 also defines 'sensitive information' to mean:
(a) information or an opinion (that is also personal
information) about an individual's racial or ethnic origin; political opinions;
membership of a political association; religious beliefs or affiliations; philosophical
beliefs; membership of a professional or trade association; membership of a trade
union; sexual preferences or practices; or criminal record; or
(b) health information about an individual.
2.27
Part IV of the Privacy Act provides for the establishment
of the Office of the Privacy Commissioner and the appointment of a Privacy
Commissioner. The Privacy Commissioner has several specific powers and
functions under the Privacy Act. These include: complaint handling;
investigating breaches of the Act; compliance auditing; providing policy advice
and promoting community awareness.[38]
2.28
Part VI of the Privacy Act gives the Privacy
Commissioner the power to issue 'public interest determinations'. That is, to determine
that an act or practice of a Commonwealth or ACT government agency, or a
private sector organisation, which may otherwise constitute a breach of an
Information Privacy Principle, a National Privacy Principle or an approved
privacy code, shall be regarded as not breaching that principle or approved
code. The Privacy Commissioner has also released a number of guidelines, both
binding and advisory, to assist organisations to comply with the Act.[39]
2.29
The Privacy Act also contains many exemptions and
exceptions. For example, the legislation does not apply to:
- certain small businesses (for example,
businesses with an annual turnover of less than $3 million and not disclosing
personal information for a benefit);[40]
- political acts and practices;[41]
- employee records held by current or former
employers;[42] or
- acts and practices of the media in the course of
journalism.[43]
Community attitudes towards privacy
2.30
The OPC has commissioned surveys to gauge community
attitudes towards privacy, as well as community knowledge of their privacy
rights. The most recent survey, conducted in 2004, contained some interesting
findings.[44] The survey showed that there
appear to be low levels of knowledge about rights to protect privacy:
Sixty per cent [of respondents] claimed to be aware that Federal
privacy laws existed, up from 43% in 2001. By contrast, only 34% of respondents
were aware the Federal Privacy Commissioner existed. When asked to whom they
would report the misuse of their personal information, 29% said they didn't
know.[45]
2.31
In its submission, the Australian Direct Marketing
Association (ADMA) noted that it conducted research which also indicated a low
level of awareness of the Privacy Act and the Privacy Commissioner.[46]
2.32
However, the survey commissioned by OPC also found that
most respondents considered the following hypothetical situations as an
invasion of privacy:
- a business that you don't know gets hold of your personal
information (94%);
- a business monitors your activities on the internet, recording
information on the sites you visit without your knowledge (93%);
- you supply your information to a business for a specific
purpose and the business uses it for another purpose (93%); and
- a business asks for irrelevant personal information that
doesn't seem relevant to the purpose of the transaction (94%).[47]
2.33
However, only 16% of respondents considered that being
asked to show identification, such as a driver’s license or passport, to
establish your identity would be an invasion of privacy.[48]
2.34
In relation to interactions with government:
Just over half (53%) of respondents were in favour of being
issued with a unique number to be used for identification when accessing all
Australian government services, slightly fewer (41%) were against. The majority
of respondents agreed governments should be allowed to cross reference or share
information, but only in some circumstances (62%) ... To prevent or reduce crime
(68%) was the scenario under which most respondents felt it was acceptable to
cross reference information, followed by the purpose of updating basic information
like address details (58%) and to reduce costs, or improve efficiency (51%).[49]
2.35
With health services, 57% of respondents agreed that to
enable the government to better track the use of health care services,
individuals should have a number assigned to them for use when accessing any
health service.[50]
2.36
Further details of the 2004 survey commissioned by the
OPC are contained in the OPC's report on the private sector provisions.[51]