Review of Private Sector Provisions of the Privacy Act 1988


  • 7/30/2019 Review of Private Sector Provisions of the Privacy Act 1988

    1/355

    Getting in on the Act:

    The Review of the Private Sector Provisions of the Privacy Act 1988

    March 2005

    Copyright Office of the Privacy Commissioner 2005

    ISBN 1-887079-46-4

    This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be reproduced by any process without prior written permission from the Office of the Privacy Commissioner.

    Requests and enquiries concerning reproduction, right and content should be addressed to:

    Copyright Officer
    Corporate and Public Affairs
    Office of the Privacy Commissioner
    GPO Box 5218
    SYDNEY NSW 2001

    E-mail: [email protected]

    The Review of the Private Sector Provisions of the Privacy Act 1988

    The Hon Philip Ruddock MP

    Attorney-General
    Parliament House
    CANBERRA ACT 2600

    Dear Attorney-General

    I refer to your request of 13 August 2004 asking me to undertake a review of the private sector provisions of the Privacy Act 1988.

    I have pleasure in presenting to you the report: Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988.

    Yours sincerely

    Karen Curtis
    Privacy Commissioner

    31 March 2005

    Office of the Privacy Commissioner

    The Review of the Private Sector Provisions of the Privacy Act 1988 i

    Table of Contents

    Foreword
    Overview and Executive Summary
        Approach to the review
        Terms of reference
        Participants in the review
        Timing of the review
        Provisions work well on balance
        A single national scheme
        Main recommendations
        Recommendations:
        Recommendation: Wider review of Privacy Act
        Recommendations: National consistency
        Recommendations: Telecommunications consistency
        Recommendations: Health consistency
        Recommendations: Residential tenancy databases
        Recommendation: EU adequacy and APEC
        Recommendation: NPP 9
        Recommendations: Control over personal information
        Recommendations: Direct marketing
        Recommendations: Consumer education
        Recommendations: Access generally
        Recommendations: Transfer of health records
        Recommendations: Health service ceases to operate
        Recommendations: Complaints handling and compliance
        Recommendation: Approved privacy codes
        Recommendations: Business awareness
        Recommendations: Small business exemption
        Recommendations: Private sector contracting
        Recommendation: Due diligence
        Recommendations: Media exemption
        Recommendations: Research
        Recommendations: Decision-making where capacity is impaired
        Recommendation: Law enforcement
        Recommendation: Private investigations
        Recommendations: Alternative dispute resolution schemes
        Recommendations: Large scale emergencies
        Recommendations: New technologies
        Recommendation: NPP 1.3(d)
        Recommendation: Reasonable steps for NPP 1.3 and 1.5
        Recommendation: NPP 1.5 - Someone
        Recommendations: Primary purpose and health information
        Recommendation: NPP 3 - Data quality
        Recommendation: NPP 7 - Identifiers
        Recommendations: NPP 10 - Public Interest Determinations
        Recommendations: NPP 10.2(b)
        Recommendations: Deceased persons
    1 Background
    1.1 This Inquiry
        Background to the review
        Terms of Reference

        Matters not included in the review
        Other relevant privacy related reviews and processes
        Research
        Framework for assessing issues
        Conduct of the review - overview of consultation
        Issues Paper
        Consultation Meetings
        Written Submissions
        Structure of report
    1.2 Private Sector Provisions of the Privacy Act
        History of Commonwealth Privacy Legislation
        What do the Private Sector Provisions cover?
    2 National Consistency
    2.1 National consistency overall
        National consistency was goal of legislation
        Issues
        Other law impacting on privacy
        Submissions favour national consistency
        What submissions say - issues
        What submissions say - addressing the issues
        Options for reform
    2.2 Recommendations: National consistency
    2.3 Consistency in telecommunications
        Law and policy
        Complaints and enquiries
        What the submissions say - issues
        What submissions say - addressing the issues
        Options for reform
    2.4 Recommendations: Telecommunications consistency
    2.5 Consistency in protection of health information
        Law and policy
        What the submissions say - issues
        Options for reform
    2.6 Recommendations: Health Consistency
    2.7 Residential tenancy databases
        What are residential tenancy databases?
        Application of the Privacy Act
        Issues
        Options for reform
    2.8 Recommendations: Residential tenancy databases
    3 International issues and obligations
    3.1 EU Adequacy and APEC
        Law and Policy
        Issues
        What submissions say - issues
    3.2 Recommendation: EU adequacy and APEC
    3.3 NPP 9
        Law and policy
        Issues
        What submissions say - issues
        What submissions say - addressing the issues
        Options for reform
    3.4 Recommendation: NPP 9

    4 Protecting individuals' right to privacy
    4.1 Control over personal information
        Law and policy
        Issues
        Community attitudes survey
        What submissions say - issues
        What submissions say - addressing the issues
        Options for reform
    4.2 Recommendations: Control over personal information
    4.3 Direct marketing
        What is direct marketing?
        Law and policy
        Rationale
        Community attitudes survey
        Issues
        What submissions say - the issues
        What submissions say - addressing the issues
        Options for reform
    4.4 Recommendations: Direct marketing
    4.5 Awareness of, confidence in and capacity to exercise rights
        Law and policy
        Issues
        Role of the Office
        Role of organisations
        Community awareness survey
        Demographic information about complainants
        What submissions say - issues
        What submissions say - addressing the issues
        Options for reform
    4.6 Recommendations: Consumer education
    4.7 Access generally
        Law and policy
        Issues
        What submissions say - issues
        What submissions say - addressing the issues
        Options for reform
    4.8 Recommendations: Access generally
    4.9 Transfer of health records to another health service provider
        Law and policy
        What submissions say
        Options for reform
    4.10 Recommendations: Transfer of health records
    4.11 Access to health records when health service ceases to operate
        Law and policy
        Health services ceasing to operate
        What submissions say
        Options for reform
    4.12 Recommendations: Health service ceases to operate
    5 Enforcing individual rights and ensuring compliance
    5.1 Introduction
    5.2 Law and policy
        Approach to compliance
        Complaints process

        Review rights
    5.3 Issues
    5.4 What submissions say - issues
        Approach to compliance
        Level of compliance
        Office does not use existing powers
        Systemic issues not being addressed
        Complaints process
    5.5 What submissions say - addressing issues
        Transparency
        Fairness
        More help to complainants - streamline process
        Improving levels of compliance
        Are levels of compliance adequate?
    5.6 Options for reform
        More education and awareness
        Increase transparency in complaints process
        More external review
        Fairer process
        Make better use of existing powers
        Power to enforce own motion investigations
        Power to audit private sector
        Other power to address systemic problems in complaints
        Improve liaison with overlapping complaint handlers
        Advice about complaint rights
        Address delay in handling complaints
        Review practices
    5.7 Recommendations: Complaints handling and compliance
    6 Balancing individual privacy interests with business efficiency
    6.1 Introduction
        Law and policy
        Issues
        Striking the balance
        Principles or rules
        Principles may need some illumination
    6.2 Approved Privacy Codes
        Law and policy
        Issues
        What submissions say - issues
        What submissions say - addressing the issues
        Options for reform
    6.3 Recommendation: Approved Privacy Codes
    6.4 Compliance costs
        Law and policy
        Issues paper
        What submissions say
    6.5 Business awareness
        Issues
        What submissions say
        Options for reform
    6.6 Recommendations: Business awareness
    6.7 Small business exemption
        Law and policy
        Issues

        What submissions say
        Options for reform
    6.8 Recommendations: Small business exemption
    6.9 Private sector contracting
        Law and policy
        What submissions say
        Options for reform
    6.10 Recommendations: Private sector contracting
    6.11 Due diligence on sale or purchase of business
        What is due diligence?
        Information Sheet 16
        Issues
        What submissions say
        Options for reform
    6.12 Recommendation: Due diligence
    7 Balancing individual rights and other social interests
    7.1 Media exemption
        Introduction
        Law and policy
        Issues
        What submissions say - issues
        Options for reform
    7.2 Recommendations: Media exemption
    7.3 Medical research
        Law and Policy
        What submissions say - issues
        What submissions say - addressing the issues
        Options for reform
    7.4 Recommendations: Research
    7.5 Decision-making where capacity is impaired
        Introduction
        Relevant privacy principles
        What submissions say - issues
        Options for reform
    7.6 Recommendations: Decision-making where capacity is impaired
    7.7 Law enforcement
        Law and policy
        Issues paper
        What submissions say - issues
        Options for reform
    7.8 Recommendation: Law enforcement
    7.9 Private investigation
        Introduction
        What submissions say - issues
        Private detectives and other jurisdictions
        Options for Reform
    7.10 Recommendation: Private investigations
    7.11 Alternative Dispute Resolution
        Alternative Dispute Resolution
        What submissions say - issues
        What submissions say - addressing the issues
        Options for Reform
    7.12 Recommendations: Alternative dispute resolution schemes
    7.13 Responding to large scale emergencies

        Introduction
        Law and policy
        Issues
        What submissions say - addressing the issues
        Options for reform
    7.14 Recommendations: Large scale emergencies

    8 New technologies
    8.1 Developments
        Telecommunications and internet
        Data aggregation and mining
        Biometrics
        Electronic health records
        Role of technology in protecting privacy
        Issues
    8.2 What submissions say - the issues
    8.3 What submissions say - addressing the issues
    8.4 Options for reform
    8.5 Recommendations: New technologies

    9 Clarifying how the National Privacy Principles work
    9.1 NPP 1.3(d)
        Law and Policy
        The issue
        Options for Reform
    9.2 Recommendation: NPP 1.3(d)
    9.3 NPP 1.3 and 1.5 - reasonable steps
        Law and Policy
        The issue
        Options for Reform
    9.4 Recommendation: Reasonable steps for NPP 1.3 and 1.5
    9.5 NPP 1.5 - collection from someone else
        Law and Policy
        Options for Reform
    9.6 Recommendation: NPP 1.5 - Someone
    9.7 NPP 2 - primary purpose and the collection of health information
        Background
        Options for Reform
    9.8 Recommendations: Primary purpose and health information
    9.9 NPP 3
        Law and Policy
        What submissions say - issues
        Options for Reform
    9.10 Recommendation: NPP 3 - Data quality
    9.11 NPP 4
    9.12 NPP 5
    9.13 NPP 6
    9.14 NPP 7
        Law and policy
        Issues
        What the submissions say - issues
        Options for reform
    9.15 Recommendation: NPP 7 - Identifiers
    9.16 NPP 8
    9.17 NPP 9


    9.18 NPP 10 - Collection of Family History Information - PID 9 and 9A
        Law and Policy
        What the submissions say - issues
        Options for Reform
    9.19 Recommendations: NPP 10 - Public Interest Determinations
    9.20 NPP 10.2 - Collecting health information without consent
        Law and Policy
        Scope of the exception
        Options for Reform
    9.21 Recommendations: NPP 10.2(b)

    10 Other issues with the private sector provisions of the Privacy Act
    10.1 Information of deceased persons
        Law and Policy
        What submissions say - issues
        Options for Reform
    10.2 Recommendations: Deceased persons
    10.3 Employee Records Exemption
        Law and Policy
        What submissions say
    10.4 Political Exemption
        Law and Policy
        What submissions say

    Appendix 1
        Terms of Reference
    Appendix 2
        Review Reference Group
    Appendix 3
        Submissions Received
    Appendix 4
        National Privacy Principles
    Appendix 5
        Information Privacy Principles
    Appendix 6
        Community Attitudes towards Privacy 2004
    Appendix 7
        Information Sheet 13:
        2001 Privacy Commissioner's Approach to Promoting Compliance
    Appendix 8
        Summary of complaint handling provisions, including powers to investigate
    Appendix 9
        Complaints Statistics
    Appendix 10
        Own Motion (section 40 (2)) power
    Appendix 11
        Current Powers to enforce determinations
    Appendix 12
        Decision Appeal Processes in comparable legislation
    Appendix 13
        Demographic information about complainants
    Appendix 14
        Complainant and respondent satisfaction survey


    Foreword

    This report is the first major examination of how the laws governing the use of personal information by the private sector in Australia have worked in their first years of operation.

    It has been a significant project for the Office and leadership team since last August. The project team was headed by Robin McKenzie.

    The report has drawn on information and views from a wide range of sources including individuals, businesses, industry organisations, interest groups, and government agencies across the Commonwealth, and states and territories.

    The review has benefited from discussions, consultations and material contained in submissions. I thank all those involved for contributing their ideas and views, and for the constructive way in which those views were conveyed.

    I particularly thank the members of the Steering Committee and the Reference Group for their advice and guidance.

    Many members of staff contributed in various ways: preparation of the Issues Paper, organising meetings for the Steering Committee and Reference Group, organising public consultations, analysing submissions, developing policy options, putting submissions on the website, undertaking surveys, writing sections of the report, editing and formatting. The Corporate and Public Affairs Section of the Office was involved in all aspects of the review process.

    While I hesitate to single out individuals, it would be remiss if I did not acknowledge the major contributions of Robin McKenzie, Pauline Kearney, Paul Armstrong, Chris Cowper and Timothy Pilgrim. Suzanne Christian was responsible for the report compilation, formatting and editing.

    To my staff, I express my gratitude for their contribution to this important review and I look forward to further improving the operation of the private sector provisions for the benefit of the community and business.

    Karen Curtis
    Privacy Commissioner

    March 2005


    Overview and Executive Summary

    Approach to the review

    Terms of reference

    The Office has undertaken a review of the operation of the private sector provisions of the Privacy Act to see whether they meet their objectives. The objects are outlined in the terms of reference from the Attorney-General which are at Appendix 1.

    Participants in the review

    In the course of the review, information has been considered from a wide range of sources. They are:

    - 136 written submissions
    - 12 stakeholder workshops in all capital cities
    - the Review Steering Committee, which includes members of the Privacy Advisory Committee
    - the Review Reference group, which includes over 40 representatives from community, business and government
    - the Office's Community Attitudes Research
    - research conducted by other stakeholders, for example, the National Health and Medical Research Council and the Australian Direct Marketing Association
    - statistics collected by this Office either specifically for this review, or from its complaints management system
    - Office staff experience in the course of providing policy advice to stakeholders, or managing complaints
    - meetings with stakeholders.

    A wide range of stakeholders have participated in the review. They include major business and industry sectors, including banking, insurance, finance, private detectives and debt collection, credit reporting, marketing, fundraising, health and allied care, manufacturing, retail, small business, housing, real estate, superannuation, internet, hospitality and welfare. There has also been input from consumer and privacy advocacy groups including consumer, credit, health and academia. In addition, the Office has received input from state and federal government agencies, including health, law enforcement agencies and other regulators, and also dispute resolution bodies.

    Timing of the review

    The private sector provisions have been in operation since 21 December 2001, or just over three years for non-small business operators, and since 21 December 2002, or just over two years for small businesses that do not qualify for the small business exemption. Given that implementing a privacy scheme, particularly for some sectors, involves complex attitude change and understanding rather than simply complying with clear, black letter law, this is a relatively short period of time to be assessing the operation of the provisions.

    In addition, it was not possible to conduct the kind of detailed quantitative research that might give a clearer indication of the actual level of business compliance with its obligations under the scheme. Further, because the scheme is complaint based and the Office has only limited powers to investigate practices on its own initiative, it is possible that there are areas of non-compliance of which the Office is not aware. As a result, although the Office has sought to gain and draw upon quantitative evidence to the extent it is possible and available, it is in the end relying to a considerable extent on anecdotal evidence as well as its own complaint statistics for its conclusions.

    Provisions work well on balance

    Overview

    The review process shows that the private sector provisions have met with their objectives in some areas and not in others. In some areas it has failed to meet with an objective, but in practice the impact may not have been significant. In others, objectives were met in a way quite different from that envisaged at the time the legislation was implemented. In some, the provisions have not met the objective.

    Indeed, it could be argued for example that the private sector provisions have not met the two objectives of a national scheme or international concerns. But this does not take away from the overall effect that the National Privacy Principles (NPPs) have worked well and delivered to individuals protection of personal and sensitive information in Australia in those areas covered by the Act.

    No fundamental flaw

    Although 85 recommendations have been made, this does not equate to dissatisfaction with the provisions. Rather, it means with the benefit of three years' experience it has become apparent there are ways to improve existing elements of the regime, and there are external influences which have impacted on the efficacy of the legislation.

    Although there were a few calls from privacy advocates for the Government to go back to the drawing board entirely on the provisions, the Office has no substantive evidence to suggest that the private sector scheme has any significant flaws to warrant dramatic changes.

    Provisions have generally worked well for business

    The overall view from the business sector is that the scheme has worked well for them, and that there is considerable support for it as it currently stands. Generally speaking, it appears that in most areas, the scheme has met its objective of not unduly impeding the free flow of information, or the right of business to achieve their objectives in an efficient way.

    Consumers are less satisfied

    Generally speaking however, those representing the consumer and privacy advocate groups were less satisfied that the private sector provisions had met their objectives of adequately providing for the privacy rights of individuals.

    International concerns

    One area where the private sector provisions have not met their objectives in the way that was anticipated is the objective of meeting international concerns and Australia's international obligations relating to privacy. It appears that this has been less of a concern to many stakeholders than might have been expected at the time the provisions were enacted. A particular example of this is achieving European Union (EU) adequacy to enable businesses to engage in trade involving personal information with European businesses.

    Despite the fact that the private sector provisions have not yet been found adequate by the EU, in general, business does not report a major impediment to trade. In addition, the issue of global trade beyond the EU has meant that the need to address consistency in privacy regulation at a global level has become important. The APEC initiatives on privacy are evidence of this shift.

    Approved NPP Codes

    Another area where the objectives of the private sector provisions have not been achieved in the way that was anticipated is the adoption of industry and organisation codes by the private sector to regulate their collection, use and disclosure of personal information. There are only three approved codes under the Privacy Act. However, there is no call for the repeal of the code provisions of the Act despite the very low level of take-up. Most businesses appear content to be regulated by the NPPs and to have the Office as their external complaints handling body.


    A single national scheme

    There is significant inconsistency

    There is evidence that the failure of the private sector provisions to meet their objective of achieving national consistency in privacy regulation has had consequences for business efficiency. There is also some evidence that this has posed some impediments in the way of individuals seeking to be aware of, and have respected, their privacy rights. The inconsistency operates at a number of levels, including within the Privacy Act itself, within Commonwealth regulation impacting on privacy, and between state and Commonwealth legislation. The area of privacy involving health information, including health research, has been clearly identified as being greatly affected by all these levels of inconsistency. Other areas affected include employee privacy and tenancy databases.

    Reasons for the inconsistency

    These inconsistencies have emerged for a number of reasons, some of which relate directly to the formulation of the private sector provisions. Others are a consequence of the rapidly changing environment in which the provisions are operating, and in particular, the heightened security concerns following September 11, and the developments in new technology.

    One factor contributing to inconsistency is that within the Privacy Act, there are two sets of slightly different privacy principles, one for the Australian public sector and one for the private sector. As the Government has increasingly drawn upon the private sector - for example, welfare organisations - to carry out activities that were once performed by its agencies, this has become more of an issue.

    Another factor appears to be the presence of exemptions in the Act. Submissions and consultations suggest that areas of inconsistency are arising because states and territories are legislating in areas covered by the exemptions. A key example of concern to business is the area of surveillance in the workplace. In the absence of privacy protection in this area in the federal Privacy Act, states and territories are legislating and each in a slightly different way.

    There are also problem areas such as the regulation of tenancy databases by states and territories. As the NPPs do not totally regulate tenancy databases, states and territories are legislating in this area, once again, in a slightly different way.

    The desire for more detailed and binding guidance for health care providers, together with inconsistency between private sector provisions and state public sector privacy principles, could also be considered reasons for states to legislate in the health area. Submissions from business and consumers, and consultations indicate overwhelmingly that this has created a range of different rules that is confusing for health care providers, other businesses holding health information and consumers.

    The Office's complaints caseload, which is larger than expected as a result of the private sector provisions, has meant that the Office has not clarified the application of the NPPs in some of these areas (for example, tenancy databases) as speedily as it would like. In the meantime, states have moved to address what was emerging as a community need to ensure that tenants were not denied housing as a result of inaccurate and unfair listings.

    Finally, rapidly changing technology has resulted in Commonwealth legislation that is outside of, but overlaps with, the Privacy Act. The Spam Act 2003 is an example. Spam was less of a concern in 1999 when the private sector provisions were formulated and the private sector provisions did not address this issue. This situation may arise again with the (future) development of new pervasive technologies. Businesses are concerned to ensure that when it does, the provisions fit well with the private sector provisions.

    Approach to recommendations

    This report makes a range of recommendations including strategies to address these inconsistencies. But as indicated by the complex factors contributing to these, there is no easy or single fix, especially in a federal system of government. Resolving the issues will involve commitment from all levels of government and a willingness to focus on the big picture.

    One thing that became clear in conducting the review is that many of the issues that arise in relation to the operation of the private sector provisions are inter-related. This inter-relation has to be taken into account in recommendations. Recommendations on one aspect of operation will also have the potential to address issues on other aspects of operation.

    It is also the case that there are a number of ways that issues arising out of the review could be addressed. Which approach is taken in one area may affect what approach is best taken in other areas. For this reason, in a number of areas, this report has made recommendations as options that could be taken up depending on the approach taken in addressing other issues.

    Resourcing implications of reform

    In developing recommendations as part of this review, the Office has been aware of the resource implications of reform. Since the implementation of the private sector provisions, the Office has shifted resources from its guidance and advice role to its compliance role to try to better manage and resolve the complaints received. Even so, there is an unacceptably long waiting list of complaints to be handled. This satisfies neither business, who have invested in compliance and in whose interest it is to have complaints against them settled quickly, nor consumers.

    Submissions from all sectors discuss funding for the Office¹. A number of submissions expressly support an increase in resources being granted to the Office². Many of these submissions are particularly concerned by the backlog of complaints and subsequent delay in resolving complaints³.

    There was also a general call for more resources to ensure consumers and businesses are educated about their rights and obligations under privacy laws.⁴

    In this review recommendations are made that, if implemented, will impact upon the operation of the Office. This has implications in terms of resources, for both staff and program delivery.

    Main recommendations

    This report makes recommendations about how the operation of the private sector provisions could be improved. Recommendations are primarily written as either actions that the Australian Government should consider doing, or as measures that the Office could or intends to undertake. A small number of recommendations involve measures that could be taken by state and territory governments.

    Some recommendations involve broad high level principles around the operation of the private sector provisions, for example, recommendations to improve national consistency in privacy regulation, including health privacy regulation, and to ensure that the private sector provisions adequately protect privacy in the face of rapidly developing new technologies.

    Recommendations for measures to raise awareness of both consumers and business on a range of topics are found in a number of places in the report. These particular recommendations could be regarded as forming the lynchpin for a scheme that is intended to operate in a way that benefits individuals while recognising the right of businesses to achieve their objectives in an efficient way.

    1 See for example ANZ 40, Business SA 92, Australian Medical Association 29, Australian Privacy Foundation 90, Baycorp Advantage 86, Consumers Federation of Australia 65, Consumer Credit Legal Centre (NSW) Inc 62, Coles Myer 60, Xamax 3, Australian Bankers Association 70, Australian Finance Conference 63, Australian Consumers Association 15, Graham Greenleaf 47, Tenants Union of Qld Inc 69, Fundraising Institute of Australia Ltd 52.

    2 90, 86, 60, 63, 40.

    3 For example 90, 29, 65, 62, 63, 15, 47, 69. The AMA submission says that a number of patients lodge privacy complaints with the AMA as well as the Office. The AMA suggests that this may be attributed to the Office being unable to respond in a timely or satisfactory manner.

    4 29, 65, 62, 60.


    Other recommendations aim to increase the control that individuals have over their personal information, particularly in relation to information collected about them indirectly or used or disclosed for other purposes such as direct marketing. These include measures to promote short form privacy notices, and a general opt-out right for direct marketing.

    The report makes recommendations about the small business exemption aimed at simplifying its application while suggesting that some sectors that have higher privacy risks should be covered by the private sector provisions.

    The report also makes recommendations aimed at improving the transparency and fairness of the Office's complaints process, and to enable it to better identify and address systemic issues.

    Some issues raised are complex and need further consideration by the Australian community. The Office identified the application of the private sector provisions to research, in particular medical research, and to new technologies as warranting further debate. The main recommendations on these issues are that they should be considered in the context of a wider review of the Privacy Act.

    In response to concerns that organisations need more guidance or that the NPPs may need amending to ensure that they are applied in a commonsense way, recommendations are made on such matters as alternative dispute resolution schemes, access to health records and major national emergencies.

    The report makes a number of more technical recommendations that aim to increase certainty about the application of the NPPs, which in many cases clarify what is already existing practice.

    Throughout the report, but particularly in the recommendations, there has been careful consideration of the balance between protecting individual rights while recognising the collective needs of the community including the business community.

    Finally, it became apparent that while the private sector provisions work well, it may be appropriate for the Government to undertake a wider review of privacy for Australians in the 21st century.

    The NPPs are based on principles developed in the 1970s and it may be fitting to consider how the operating environment has changed over the last 30 years. For example: Is our definition of personal information still appropriate given technological advances? Do we need different sets of privacy principles covering the private and public sectors? Should the legislation make a distinction between data controllers and data operators? Should the legislation only cover protection of data about living persons? In a changed security environment what are people's expectations about their personal information?


    In some of the 85 recommendations there is a reference to this wider review of privacy. Given that it is a recurring theme throughout the report to give more considered thought to bigger picture issues, a recommendation has been made here in the Overview Section. It is the first recommendation listed below, and is followed by the recommendations as identified in each chapter.

    Recommendations:

    Recommendation: Wider review of Privacy Act

    1 The Australian Government should consider undertaking a wider review of privacy laws in Australia to ensure that in the 21st century the legislation best serves the needs of Australia.

    Recommendations: National consistency

    The Privacy Act has not achieved its object of establishing a single comprehensive national scheme for the protection of personal information. As submissions reveal, national consistency is important to business, to charities and to individuals. The lack of national consistency contributes significantly to the costs imposed on business.

    2 The Australian Government should consider amending section 3 of the Privacy Act to remove any ambiguity as to the regulatory intent of the private sector provisions.

    3 The Australian Government should consider asking the Council of Australian Governments (COAG) to endorse national consistency in all privacy related legislation.

    4 The Australian Government should consider setting in place mechanisms to address inconsistencies that have come about, or will come about, as a result of exemptions in the Privacy Act, for example, in the area of workplace surveillance.

    5 The Australian Government should consider commissioning a systematic examination of both the IPPs and the NPPs with a view to developing a single set of principles that would apply to both Australian Government agencies and private sector organisations. This would address the issues surrounding Australian Government contractors.

    6 The Australian Government should consider changing, by legislative amendment, the name of the Office of the Privacy Commissioner to the Australian Privacy Commission.

    7 The Australian Government should consider amending the Privacy Act to provide for a power to make binding codes.


    Recommendations: Telecommunications consistency

    8 The Australian Government should consider amending the Privacy Act and the Telecommunications Act to clarify what constitutes authorised uses and disclosures under the two Acts, and to ensure that the Privacy Act cannot be used to lower the standard of privacy protection in the Telecommunications Act.

    9 The Australian Government should consider making regulations under section 6E of the Privacy Act to ensure that the Privacy Act applies to all small businesses in the telecommunications sector, including Internet Service Providers and Public Number Directory Producers.

    10 The Office will discuss with the Australian Communications Authority the development of guidance to clarify the relationship between the private sector provisions of the Privacy Act and Part 13 of the Telecommunications Act.

    11 The Office will discuss with the Australian Communications Authority the development of guidance to clarify the relationship between the private sector provisions of the Privacy Act and the Spam Act.

    Recommendations: Health consistency

    12 The Office urges the National Health Ministers Council to finalise the National Health Privacy Code. This should include agreement by all jurisdictions on the contents of the code and on its consistent implementation in each jurisdiction.

    13 The Australian Government should consider adopting the National Health Privacy Code as a schedule to the Privacy Act. This would recognise the Australian Government's part in the consistent enabling of the Code. Should agreement not be reached by all jurisdictions about implementing the Code, the Australian Government should still consider adopting the code as a schedule to the Act to provide greater consistency of regulation for the handling of health information by Australian Government agencies and the private sector. (See also recommendations 29, 33 and 35.)

    Recommendations: Residential tenancy databases

    14 The Australian Government should advance as a high priority the work currently being undertaken by the Working Group on Residential Tenancy Databases of the Ministerial Council on Consumer Affairs/Standing Committee of Attorneys-General.


    15 The Australian Government should consider, depending on the outcome of the Ministerial Council on Consumer Affairs/Standing Committee of Attorneys-General, making the Privacy Act apply to all residential tenancy databases. This could be done by using the existing power under section 6E to prescribe them by regulation, or by amending the consent provisions (section 6D(7) and section 6D(8)) that apply to the small business exemption. (See recommendation 53.)

    16 If the Privacy Act is amended to provide for a power to make a binding code, (see recommendation 7), and depending on the outcome of the Ministerial Council on Consumer Affairs/Standing Committee of Attorneys-General, the Privacy Commissioner could make a binding code that applies to tenancy databases.

    Recommendation: EU adequacy and APEC

    17 There is no evidence of a broad business push for adequacy. Given the increasing globalisation of information, however, there may be long term benefits for Australia in achieving EU adequacy. Certainly the globalisation of information makes the implementation of frameworks such as APEC important. The Australian Government should continue to work with the European Union on the adequacy of the Privacy Act and to continue work within APEC to implement the APEC Privacy Framework.

    Recommendation: NPP 9

    18 The Office will provide further guidance to assist organisations comply with NPP 9 by issuing an information sheet outlining the issues that should be addressed as part of a contractual agreement and how to more easily assess whether a privacy regime is substantially similar.

    Recommendations: Control over personal information

    19 The Australian Government should consider amending NPP 5.1 to provide for short form privacy notices. This could also clarify the obligations on organisations to provide notice, and to clarify the links between NPP 1.3 and NPP 5.1.

    20 The Office will encourage the development of short form privacy notices. It will also play a more active role in assisting businesses develop their notices by developing template notices for different sectors, in consultation with them, and by issuing examples of both satisfactory and unsatisfactory notices.


    21 The Office will develop guidance to the effect that privacy notices should be dated.

    22 The Office will develop guidance on bundled consent, noting the possible tension between the desirability of short form privacy notices and the desirability of lessening the incidence of bundled consent.

    Recommendations: Direct marketing

    23 The Australian Government should consider amending the Privacy Act to provide that consumers have a general right to opt-out of direct marketing approaches at any time. Organisations should be required to comply with the request within a specified time after receiving the request.

    24 The Australian Government should consider amending the Privacy Act to require organisations to take reasonable steps, on request, to advise an individual where it acquired the individual's personal information.

    25 The Australian Government should consider exploring options for establishing a national Do Not Contact register.

    Recommendations: Consumer education

    26 The Australian Government should consider specifically funding the Office to undertake a systematic and comprehensive education program to raise community awareness of privacy rights and obligations.

    27 The Office will continue to collect demographic information about complainants. It will seek to identify and then remove any barriers that prevent sectors of the community from knowing about and exercising their privacy rights.

    Recommendations: Access generally

    28 The Australian Government should consider amending NPP 6 to provide that when an individual's personal information is corrected in response to a request from the individual, the organisation should be obliged to notify third parties, where practicable, that they have received the inaccurate information.

    29 The Australian Government should consider adopting the Australian Health Ministers Advisory Council (AHMAC) Code as a schedule to the Privacy Act (see recommendation 13). This will address the issue of intermediaries, and the issue of fees for access. (See also recommendations 13, 33 and 35.)


    30 The Office will develop further guidance on the operation of NPP 6.1 on serious threat to life or health, explaining that a serious threat to a therapeutic relationship could be a serious threat to a person's health. This will go some way towards addressing what appears to be a too narrow interpretation of NPP 6.1(b) by some practitioners.

    31 The Office will develop guidance on fees for access to personal information.

    32 The Office will develop guidance on the meaning of NPP 6.5 which requires that an individual establish that information is not accurate before the organisation needs to take reasonable steps to correct it.

    Recommendations: Transfer of health records

    33 The Australian Government should consider adopting the Australian Health Ministers Advisory Council (AHMAC) code as a schedule to the Privacy Act. This will address the issue of the transfer of health records to another health service provider. (See also recommendations 13, 29 and 35.)

    34 The Australian Government should consider, if the AHMAC Code is not adopted into the Privacy Act, amending the NPPs to include a new principle along the lines of National Health Privacy Principle 11 in the AHMAC Code.

    Recommendations: Health service ceases to operate

    35 The Australian Government should consider adopting the AHMAC code as a schedule to the Privacy Act. This will address the issue of access to health records when a health service ceases to operate. (See also recommendations 13, 29 and 33.)

    36 The Australian Government should consider, if the AHMAC Code is not adopted into the Privacy Act, amending the NPPs to include a new principle along the lines of National Health Privacy Principle 10 in the AHMAC Code.


    Recommendations: Complaints handling and compliance

    Approach to compliance

    37 The Office will maintain its current approach to compliance including the focus on attempting to conciliate complaints in the first instance as set out in Information Sheet 13. However, the Office will consider whether it might be appropriate in some circumstances to use its other powers earlier, such as the determination making power.

    38 The Office will consider options for providing more feedback on systemic issues either in advice or guidance or in some form of regular update to stakeholders.

    39 The Office will consider promoting privacy audits by private sector organisations, including by providing information on the value of auditing as evidence of compliance in the event of complaints and by developing and providing privacy audit training for organisations.

    Review rights for complaint decisions

    40 The Australian Government should consider amending the Privacy Act to give complainants and respondents a right to have the merits of complaints decisions made by the Privacy Commissioner reviewed.

    Fair and transparent complaint processes and resolution

    41 The Australian Government should consider amending National Privacy Principle 1.3 to require organisations to tell individuals how they can complain to the organisation; and that, if the complaint is not resolved, they can also complain to the Privacy Commissioner or (where relevant) the code adjudicator.

    42 The Office will review its complaints handling processes and will consider the circumstances in which it might be appropriate to make greater use of the Commissioner's power to make determinations under section 52 of the Privacy Act.

    43 The Office will also consider measures to increase the transparency of its complaints processes and complaint outcomes.


    Additional powers

    44 The Australian Government should consider amending the Privacy Act to:

    expand the remedies available following a determination under section 52 to include giving the Privacy Commissioner power to require a respondent to take steps to prevent future harm arising from systemic issues

    provide for enforceable remedies following own motion investigations where the Commissioner finds a breach of the NPPs

    provide a power for the development of binding codes and/or binding guidelines in cases where there is a strong public interest, where more detailed guidance is warranted or complaints reveal recurrent breaches (see recommendation 7).

    Resourcing implications and complaint handling

    45 The Australian Government should consider the strong calls by a wide range of stakeholders for the Office to be adequately resourced to meet its complaint handling functions.

    46 The Australian Government should consider amending the Privacy Act to give the Commissioner a further discretion not to investigate complaints where the harm to individuals is minimal and there is no public interest in pursuing the matter.

    Recommendation: Approved privacy codes

    47 The Office will review the Code Development Guidelines dealing with the processes relating to code approval with a view to simplifying them.

    Recommendations: Business awareness

    48 The Australian Government should consider the benefits of greater business and community awareness of privacy and specifically fund the Office to undertake a systematic and comprehensive education program to raise business awareness.

    49 The Office will review existing information sheets and develop information sheets on key issues identified in submissions.

    50 The Office will develop strategies for communication with stakeholders, including establishing a privacy contact officer network for private sector organisations.


    Recommendations: Small business exemption

    51 The Australian Government should consider retaining but modifying the small business exemption by amending the Privacy Act so that the definition of small business is to be expressed in terms of the ABS definition, currently 20 employees or fewer, rather than annual turnover.

    52 The Attorney-General should consider using the power to prescribe under section 6(E) of the Privacy Act, the tenancy databases and telecommunications sectors including Internet Service Providers and Public Number Directory Producers as businesses to be covered by the Act. (See recommendations 9 and 15.)

    53 The Australian Government should consider amending the Privacy Act to remove the consent provisions (sections 6D(7) and 6D(8)).

    Recommendations: Private sector contracting

    54 The Australian Government should consider amending NPP 4 to impose an obligation on an organisation to ensure personal information it discloses to a contractor is protected.

    55 The Australian Government should consider, in the context of the wider review of the Privacy Act, (see recommendation 1) whether there should be a distinction between data controllers and data operators.

    56 The Office will amend the Guidelines to the National Privacy Principles to clarify that businesses that give personal information to contractors for the purpose of performing a function on their behalf should impose contractual obligations on the contractor to take reasonable steps to protect the information.

    Recommendation: Due diligence

    57 The Australian Government should consider amending the NPPs to take into account the practice of due diligence.

    Recommendations: Media exemption

    58 The Australian Government should consider amending the Privacy Act so that:

    the Australian Broadcasting Authority (ABA) and media bodies must consult with the Privacy Commissioner when developing codes that deal with privacy and


    the term in the course of journalism is defined and the term media organisation is clarified.

    59 The Office will, in conjunction with the ABA, provide greater guidance to media organisations as to appropriate levels of privacy protection, especially in relation to health issues, and make organisations aware that the media exemption is not a blanket exemption.

    Recommendations: Research

    60 As part of a broader inquiry into the Privacy Act (see recommendation 1), the Australian Government should consider:

    how to achieve greater consistency in regulating research activities under the Privacy Act

    whether regulatory reform is needed to address the issue of de-identification in the context of research and the handling of health information

    where the balance lies between the public interest in comprehensive research that provides overall benefits to the community, and the public interest in protecting individuals' privacy (including individuals having choices about the use of their information for such research purposes)

    whether there is a need to amend NPP 2 to permit the use and disclosure of personal information for research that does not involve health information

    undertaking further research and education work with the broader community to ensure that the balance between research and privacy accords with what the community expects and understands.

    61 The Office will issue guidance in relation to NPP 2 to clarify that organisations can disclose health information for the management, funding and monitoring of a health service.

    62 The Office will work with the National Health and Medical Research Council to simplify the reporting process for human research ethics committees under the section 95A guidelines.

    Recommendations: Decision-making where capacity is impaired

    63 The Australian Government should consider, in order to ensure that the Privacy Act does not prevent individuals with a decision-making disability from receiving a range of utilities and other services, amending NPP 2 to permit the disclosure of non-health information to a class of persons the same, or similar, to that described in NPP 2.5, where an organisation considers the disclosure to be necessary for the management of the person's affairs in a way that their financial or other interests are secured or safeguarded.

    It would be appropriate to consider developing such an amendment in consultation with the Australian Guardianship and Administration Committee.

    64 The Office will, in recognition that disclosures of health information under NPP 2 are appropriately permitted in law but may not occur in practice, develop further and more practical guidance.

    Recommendation: Law enforcement

    65 The Office will work with the law enforcement community, private sector bodies and community representatives to develop more practical guidance to assist private sector organisations to better understand their obligations under the Privacy Act in the context of law enforcement activities.

    Recommendation: Private investigations

    66 The Australian Government, through the Attorney-General, should consider requesting that the Standing Committee of Attorneys General (SCAG) consider the issues raised by the Australian Institute of Private Detectives as they are broader than the Privacy Act.

    Recommendations: Alternative dispute resolution schemes

    67 The Australian Government, in recognising the important role played by Alternative Dispute Resolution (ADR) schemes, and in an attempt to formalise advice already given by the Office, should consider:

    amending NPP 2 to enable use and disclosure of personal information to ADR schemes in the course of handling disputes

    amending NPP 10 to enable collection of sensitive information where it is necessary for the investigation and resolution of claims under an ADR scheme

    defining the term Alternative Dispute Resolution Scheme for these purposes in the Act.


    Recommendations: Large scale emergencies

    68 Privacy laws should take a common sense approach. There needs to be an appropriate balance between the desirability of having a flow of information and protecting individuals' right to privacy. In developing an exception to disclosure for cases of national emergencies, consideration should be given to the seriousness of the privacy breach versus that of protecting privacy.

    In large scale emergencies, the consequences of disclosure should be compared to the consequences of non-disclosure. Consideration also needs to be given to the potential identity fraud that may occur during such a time, especially if disclosure is allowed to the media.

    The Australian Government should consider:

    amending NPP 2 to enable disclosure of personal information in times of national emergency to a person responsible

    extending the NPP 2.5 definition of person responsible to include a person nominated by the family to act on behalf of the family

    amending the Privacy Act to enable the Privacy Commissioner to make a Temporary Public Interest Determination without requiring an application from an organisation

    defining National Emergency as incidents determined by the Minister under section 23YUF of the Crimes Act 1914.

    Recommendations: New technologies

    69 The Australian Government should consider, in the context of a wider review of the Privacy Act (see recommendation 1) reviewing the National Privacy Principles and the definition of personal information to assess whether they remain relevant in the light of technological developments since the OECD principles were developed. This should ensure that the private sector provisions remain technologically neutral and relevant to protect data privacy in the main contexts in which information about people is currently collected, used and disclosed.

    70 The Australian Government should consider initiating discussions through appropriate international forums about how to deal with major international jurisdictional issues arising from global reach of new technologies such as Voice over Internet Protocol (VoIP).

    71 The Australian Government should consider developing specific enabling legislation to underpin any national electronic health records system. The legislation should be consistent with the National Health Privacy Code, but also include enhancing protections for matters such as the voluntariness of the system and limitations upon the uses of people's health records.


    72 The Office will issue further guidance, consistent with the current law, on what is personal information which takes into account the fact that in the current environment it is more difficult to assume that any information about people cannot be connected.

    73 The Office could use, if necessary, any new powers to develop binding codes (see recommendation 7) to deal with technologically specific situations.

    Recommendation: NPP 1.3(d)

    74 The Australian Government should consider amending NPP 1.3(d) to make clear that an organisation collecting personal information from an individual must take reasonable steps to notify them of likely disclosures generally, including to public sector agencies of the Australian Government, state or local governments, other bodies and private individuals.

    Recommendation: Re