ALRC submission to the inquiry into exposure drafts of Australian privacy amendment legislation

Ms Christine McDonald
Secretary, Legislation Committee
Senate Standing Committee on Finance and Public Administration

23 July 2010

Dear Ms McDonald

Inquiry into exposure drafts of Australian privacy amendment legislation

The Australian Law Reform Commission (ALRC) welcomes the release of the Australian Privacy Principles Exposure Draft and Companion Guide as a major plank in the implementation of the raft of reforms recommended by the ALRC in its report, For Your Information—Australian Privacy Laws and Practice, Report 108 (May 2008).

The consolidation of the current Information Privacy Principles and National Privacy Principles into one set of privacy principles, the ‘Australian Privacy Principles’ (APPs) reflects Recommendation 18–2, which proposed ‘Unified Privacy Principles’ (UPPs). The ALRC congratulates the Government on the proposed consolidation and the proposed name of the unified principles. The manner in which the structure reflects the information cycle also provides great integrity to the structure of the proposed amendments.

The inclusion, as the first principle, the open and transparent management of personal information, provides a conceptual mirror to Freedom of Information legislation and is to be commended. It reflects some of the foundational ideas contained in UPP 4, but sits well as part of the first of the APPs.

The ALRC also welcomes the adoption of a technologically-neutral approach and the adoption of recommendations in this respect.[1]

The ALRC provides the following comments with respect to matters where there is a divergence of approach from that recommended in For Your Information.

Missing Persons

The addition of a provision dealing with missing persons is a point of difference from the approach recommended in For Your Information. The Issues Paper in the inquiry asked whether agencies and organisations should be permitted expressly to disclose personal information to assist in the investigation of missing persons.[2] While a number of stakeholders supported the amendment, others were concerned that sometimes a missing person does not wish to be located.[3] In the Discussion Paper the ALRC expressed the preliminary view that the privacy principles did not need to be amended expressly to allow agencies and organisations to use or disclose personal information to assist in the investigation of missing persons, given that other proposed principles should facilitate the disclosure of information in appropriate circumstances (eg in relation to serious threats to a person’s life, health or safety). After further consultation the ALRC maintained this conclusion:

Authorising the disclosure of personal information to assist in missing persons investigations raises complex issues and competing policy considerations. Those involved in seeking to locate missing persons may be assisted by an express exception in the Privacy Act, authorising disclosure. In some cases, an express authorisation may assist in locating missing persons, and in delivering positive results where the missing persons want to be located.

On the other hand, the creation of an express exception may result in adverse consequences in cases where missing persons do not wish to be located. As a number of stakeholders pointed out, sometimes missing persons have not committed an offence and may be seeking to hide—not from the authorities but from others. For example, individuals for personal reasons may choose to disassociate themselves from family and friends, or may seek to conceal their whereabouts in order to protect their safety. Examples of the latter are where an individual has fled from a violent relationship, or has witnessed a violent crime and fears retaliation. To create a general exception in respect of all missing person investigations risks interfering with the privacy of certain missing individuals and, possibly, endangering their lives.

On balance, therefore, it is undesirable for a new exception to the ‘Use and Disclosure’ principle to be created to allow expressly for disclosure of personal information to assist in missing persons investigations. Where an agency or organisation has a legitimate reason to search for a missing person, it may be able to avail itself of one of the other exceptions to the general prohibition in the ‘Use and Disclosure’ principle, or it may seek a public interest determination.

Some of the ALRC’s recommendations concerning other exceptions in the ‘Use and Disclosure’ principle, if implemented, would assist in broadening the scope of situations in which disclosure of personal information in missing persons investigations would be authorised. In particular, the ALRC’s recommendation that agencies and organisations should be authorised to use or disclose personal information where there is a serious threat to an individual’s life, health or safety would allow the disclosure of personal information in some missing persons investigations. The fact that agencies and organisations would no longer need to establish that the threat to a missing individual is imminent will increase the likelihood of the applicability of the exception.

Depending on the circumstances of a matter, the law enforcement exception in the ‘Use and Disclosure’ principle also may serve to authorise the disclosure of personal information in a missing person investigation.[4]

After the Report in the privacy inquiry the ALRC conducted an inquiry into secrecy provisions in Commonwealth laws.[5] A number of participants made comments or submissions that were about privacy, not secrecy provisions. For example, the ability to assist in the location of missing persons was a matter on which a number of not-for-profit agencies commented expressly during the phone-in conducted in the inquiry. While not a matter that sat within the terms of reference for that inquiry, it related directly to the concerns reflected in the proposed amendment to the Privacy Act. This suggests that a number of stakeholders would welcome the inclusion of express exceptions in relation to missing persons.

Given the concerns expressed by some stakeholders in the privacy inquiry, and the competing policy considerations discussed by the ALRC in coming to the conclusion against an express exception to the ‘Use and Disclosure’ principle in relation to missing persons, the ALRC emphasises strongly the importance of the proposed Australian Privacy Rules proposed in paragraph 21 of the Exposure Draft, as these provide the important constraints around the collection and use of information to assist ‘any entity, body or person to locate a person who has been reported as missing’.[6]

Exemptions

One particular matter targeted in the Report concerned exemptions, in particular that complete exemptions should only be permitted ‘where there is a compelling policy basis for so doing’ and that, in particular, the existing exemptions for small businesses, employee records and registered political parties should be removed.[7]

Small business exemption

The ALRC notes that it is proposed that the small business exemption is to remain ‘at this stage’, although it is noted that ‘the Government has committed to considering whether the exemption should be retained as part of the second stage response to the ALRC’.[8] As the Exposure Draft defines organisation as not including ‘a small business operator’,[9] the ALRC considers it appropriate to comment on this continued exclusion of small businesses from the privacy framework.

In For Your Information, the ALRC noted that the exemption for businesses with an annual turnover of $3 million or less was granted in December 2000 at the time that the provisions of the Privacy Act were extended to cover the private sector. The exemption was explained, at that time, by the desire to achieve widespread acceptance for privacy regulation from the private sector, and a reluctance to impose additional compliance burdens on small businesses.

The ALRC commends consideration of this matter, especially given that no other comparable jurisdiction in the world exempts small businesses from the general privacy law—and the European Union specifically has cited this unusual exemption as a major obstacle to Australia being granted ‘adequacy’ status under the European Union Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (the EUDirective).^[10] Although not specifically raised in the exposure drafts, except to signal that it was a matter for future consideration, it is instructive to repeat the arguments made and the conclusions reached in For Your Information to assist the Government in considering whether the exemption should be retained as part of the second stage response to the ALRC.

Stakeholders in the ALRC’s privacy inquiry provided a divided response.  On the one hand, the business community argued strongly for the retention of the exemption, principally on the basis of the cost of compliance. However, almost all other stakeholders supported removal of the exemption arguing that there is no compelling justification for a blanket exemption for small businesses, as consumers have the right to expect that their personal information will be treated in accordance with the privacy principles. The ALRC concluded, and recommended, that this exemption be removed.

Removal of the small business exemption would bring privacy laws into line with laws in similar jurisdictions, such as the United Kingdom (UK), Canada and New Zealand, and could facilitate trade by helping to ensure that Australia’s privacy laws are recognised as ‘adequate’ by the European Union. The removal of the small business exemption would have the additional benefits of simplifying the law and removing uncertainty for many small businesses that have difficulty establishing whether they are required to comply with the Privacy Act.

The ALRC appreciates that the removal of the small business exemption will have cost implications for the sector—although nowhere near as great as is sometimes predicted. An independent research study commissioned by the ALRC indicated that a lower proportion of organisations will be affected—since not all small businesses collect personal information from customers—and the costs should be considerably more modest—about $225 in start-up costs and $301 per year thereafter for each small business—than the predicted $842 and $924 per year respectively cited in the Office of Small Business costing. Further, the ALRC is confident that additional savings will be achieved by the substantial simplification and harmonisation of privacy laws recommended in this Report.

Nevertheless, the ALRC remains attentive to the economic concerns of small business owners, and recommends a number of other initiatives aimed at supporting small businesses and minimising the compliance burden. Before the exemption is removed, the OPC should provide support to small businesses to assist them in understanding and fulfilling their obligations under the Privacy Act. This should include a national hotline for small businesses, education materials and templates to assist in preparing privacy policies.[11]

The ALRC contemplated that, before the implementation of the recommended removal of the small business exemption, certain things should occur. The ALRC commends this as an interim strategy, pending further consideration of the matter, namely as set out in Recommendation 39–2:

Recommendation 39–2 Before the removal of the small business exemption from the Privacy Act comes into effect, the Office of the Privacy Commissioner should provide support to small businesses to assist them in understanding and fulfilling their obligations under the Act, including by:

1. establishing a national hotline to assist small businesses in complying with the Act;
2. developing educational materials—including guidelines, information sheets, fact sheets and checklists—on the requirements under the Act;
3. developing and publishing templates for small businesses to assist in preparing Privacy Policies, to be available electronically and in hard copy free of charge; and
4. liaising with other Australian Government agencies, state and territory authorities and representative industry bodies to conduct programs to promote an understanding of the privacy principles. 

Registered political parties

The Exposure Draft exempts a ‘registered political party’ from being an organisation and subject to the Privacy Principles.[12] The ALRC recommended that the exemption for registered political parties should be removed,[13] and that, like the transitional arrangements proposed in relation to the removal of the small business exemption, that

the Office of Privacy Commissioner should develop and publish guidance to registered political parties and others to assist them in understanding and fulfilling their obligations under the Act.[14]

The basis of the current exemption is based upon the sophisticated databases of information compiled by major political parties in Australia, as in other western countries, containing a great deal of information about the contact details, concerns and preferences of individual voters. As noted in For Your Information, arguments supporting the exemption ‘generally are based on the importance of freedom of political communication to Australia’s robust democratic process’.[15] It was also noted that while political parties are similarly exempt in the United States and Canada, they are not in the UK, New Zealand and Hong Kong.[16]

The response of stakeholders in the privacy inquiry was considerably in favour of removing the exemption in Australia.

There was considerable support in the general community, however, for removing the exemption. Some stakeholders argued that the preferential treatment accorded registered political parties undermines public trust in the political process. Others were concerned that because of the exemption: political parties can collect information about constituents from third parties that could be inaccurate; individuals do not know what information has been collected by the parties; and have no right of access to, or correction of, personal information in electoral databases.[17]

The ALRC concluded that the exemption should be removed.

Employee records

The Exposure Draft does not include express reference to this current exemption, which treats public sector and private sector employees differently. For Australian Government agencies the Privacy Act does not distinguish between the handing of employee records and the handling of other ‘personal information’ as defined. In contrast, private sector organisations are exempt were their acts or practices relate directly to: the employment relationship between the organisation and the individual; and an employee record held by the organisation.[18] While this type of information was considered ‘deserving of privacy protection’ when the privacy legislation was extended to the private sector in 2000, the Government noted that ‘such protection is more properly a matter for workplace relations legislation’.[19]

In the Discussion Paper, Review of Australian Privacy Law (DP 72), the ALRC noted that employee records may contain a significant amount of personal information about employees, including sensitive information. In such circumstances it was considered that there is a real potential for individuals to be harmed if employees’ personal information is used or disclosed inappropriately. The ALRC stated that the lack of adequate privacy protection for employee records in the private sector is of particular concern because employees may be under economic pressure to provide personal information to their employers. The ALRC therefore put forward the preliminary view that there is no sound policy reason why privacy protection for employee records is available to public sector employees but not private sector employees. In addition, treating employees’ personal information differently from other personal information also cannot be justified. The ALRC proposed, therefore, that the employee records exemption should be removed.[20]

Stakeholders were divided on the issue. Most employers and employer groups were in favour of retaining the exemption, while privacy authorities, privacy advocates, an employee group and others supported removing it.[21]

Given that, according to the Australian Bureau of Statistics, 84% of Australians were employed in the private sector, the ALRC concluded that the consequent lack of privacy protection for the majority of Australian employees ‘is unjustifiable and represents a significant gap in privacy regulation’. It was noted that, at the time, workplace relations legislation still did not provide the protection anticipated at the time of the introduction of the 2000 amendments.[22]

The ALRC therefore recommended that the employee records exemption be removed:

Removing the exemption would ensure that the privacy of employee records held by organisations is protected under the Privacy Act, and that employees’ sensitive information, such as health and genetic information, is given a higher level of protection under the Act. This protection should be in addition to that provided by other laws, such as the relevant provisions in the Workplace Relations Regulations.

Having regard to the various concerns raised by employers and employer groups, the OPC should develop and publish specific guidance on the application of the UPPs to employee records to assist employers in fulfilling their obligations under the Privacy Act. This guidance should address, in particular, concerns about when it is and is not appropriate to disclose to an employee concerns or complaints by third parties about the employee.[23]

Consistently with this approach, the ALRC recommended that s 7B(3) of the Privacy Act be amended to remove the employee records exemption. Coupled with the recommended removal of the small business exemption, employee records would then receive the same privacy protection as other information covered by the proposed UPPs—and consistent with that proposed in the APPs. The Exposure Draft does not refer to employee records, hence suggesting that this exemption will continue in the Privacy Act. If this is the case the ALRC refers to the recommendations in For Your Information that this exemption be removed.

We trust that the above comments may assist the Committee in its consideration of the Exposure Draft. The ALRC looks forward to the implementation of the work in this major inquiry—one of the largest in the ALRC’s history.

Yours sincerely,

Professor Rosalind Croucher