The costs of inconsistency and fragmentation

13.2 Chapter 14 discusses some specific problems caused by inconsistency and fragmentation. These problems include unjustified compliance burden, multiple privacy regulators, impediments to information sharing and issues related to government contractors.

13.3 The ALRC makes a number of recommendations throughout this Report directed at dealing with problems caused by inconsistency and fragmentation in privacy regulation. Perhaps the most significant of these recommendations is the adoption of the model Unified Privacy Principles (UPPs), any relevant regulations that modify the application of the UPPs and relevant definitions used in the Privacy Act at the federal, state and territory level.[1] In the ALRC’s view, these recommendations will deal with many of the problems identified in Chapter 14.

Compliance burden and cost

13.4 The Terms of Reference for this Inquiry require the ALRC to consider ‘the desirability of minimising the regulatory burden on business’. The ALRC received a large number of submissions that claimed that the proliferation and fragmentation of privacy laws have increased compliance burden and cost for both agencies and organisations. Others submitted, however, that there is little evidence of the existence or extent of any unwarranted compliance burden.

13.5 It was noted in submissions that inconsistency and fragmentation in privacy regulation are particularly problematic for organisations that operate in more than one Australian jurisdiction, and complicate the implementation of programs and services at a national level. While stakeholders focused on the financial costs of this complexity, costs can also include social costs, such as delays in the provision of health services.

13.6 Inconsistency and fragmentation in the regulation of personal information at the federal, state and territory level create an unjustified additional compliance burden. The ALRC’s recommendations for reform, including those highlighted in this chapter, would help reduce compliance costs, including through the adoption of a single set of privacy principles at the federal, state and territory level, and a redraft of the Privacy Act to minimise its complexity.

Multiple regulators

13.7 Some industries are required to comply with multiple layers of privacy regulation, which are overseen by more than one regulator. In submissions to the Inquiry, it was noted that the lack of consistency of federal and state and territory privacy regimes leads to confusion about where and how to complain in the event of an interference with an individual’s privacy. Other submissions identified advantages in having multiple privacy regulators.

13.8 The ALRC considers that it is preferable to have privacy regulators at the federal, state and territory level.[2] This ensures that people in each jurisdiction have a regulator they can approach for advice and to make a complaint. It also ensures that agencies and organisations have access to a regulator who is aware of their local circumstances and can provide advice and training on implementing the legislation. Further, industry-specific regulators, such as the Telecommunications Industry Ombudsman and the Banking and Financial Services Ombudsman, provide industry expertise that the Office of the Privacy Commissioner (OPC) cannot provide.

13.9 There is evidence to suggest that multiple privacy regulators can create problems for individuals, agencies and organisations. The ALRC makes a number of recommendations aimed at improving the operation of multiple privacy regulators. These recommendations include: the development of memorandums of understanding between the OPC and other bodies with responsibility for information privacy;[3] amending the Privacy Act to empower the Privacy Commissioner to delegate all or any of his or her complaint-handling powers;[4] and the development and publication of complaint-handling policies, enforcement guidelines and educational material that address the role and functions of the various bodies with responsibility for information privacy.[5]

Sharing information

13.10 In submissions to the Inquiry, a wide range of examples were provided to illustrate how inconsistent, fragmented and multi-layered privacy laws have prevented or impeded information sharing. For example, the ALRC heard numerous examples of agencies and organisations using ‘because of the Privacy Act’ as an excuse for not providing information. Stakeholders also noted that inconsistent, fragmented and multi-layered privacy laws can act as a barrier to information sharing between federal, state and territory government agencies. This was identified as a particular issue in the areas of child protection, service provision to vulnerable persons, law enforcement and medical research.

13.11 It is undesirable that inconsistent and fragmented privacy laws prevent appropriate information sharing. Information-sharing opportunities, which are in the public interest and recognise privacy as a right to be protected, should be encouraged. Rather than preventing appropriate information sharing, privacy laws and regulators should encourage agencies and organisations to design information-sharing schemes that are compliant with privacy requirements.

13.12 A number of the ALRC’s recommendations are directed at achieving greater transparency in information-sharing arrangements. The ALRC recommends that agencies that are required or authorised by legislation or a public interest determination to share personal information should develop and publish documentation that addresses the sharing of personal information.[6] The ALRC also recommends the development and publication of a framework relating to cross-border sharing of personal information within Australia by intelligence and law enforcement agencies.[7]

Government contractors

13.13 The Privacy Act imposes obligations on agencies that enter into contracts for the provision of services to, or on behalf of, the agency. The Act requires an agency entering into a Commonwealth contract to take contractual measures to ensure that a contracted service provider or a subcontractor does not do an act or engage in a practice that would breach the IPPs.

13.14 The ALRC, reflecting the view of the majority of stakeholders that commented on this issue, has concluded that the Privacy Act provisions relating to Commonwealth contractors remain appropriate and effective. The ALRC notes that some stakeholders have commented that the provisions are unclear. While the ALRC does not share this view, the redraft of the Privacy Act recommended in Chapter 5 may deal with these concerns.

13.15 Some state and territory privacy regimes require organisations that provide contracted services to a state or territory government agency to be bound by the relevant state privacy principles for the purposes of the contract. Other state regimes provide that compliance with the state privacy regime is subject to outsourcing arrangements, or are silent on this issue.

13.16 There are concerns that state or territory government contractors, who are otherwise private sector organisations, may not be bound by the Privacy Act or equivalent standards when performing functions under state or territory contracts. In Chapter 14, the ALRC considers whether the Privacy Act should be amended to include a ‘roll-back provision’ to cover state contractors. In the ALRC’s view, however, such a law would intrude too heavily on state and territory government business. Instead, the ALRC recommends that state and territory privacy legislation should include provisions relating to state and territory contractors.

[1] See Ch 3 and Rec 3–4.

[2] See Rec 17–2.

[3] Recs 17–3 and 73–8.

[4] Rec 49–3.

[5] Rec 73–9.

[6] Rec 14–1.

[7] Rec 14–2.