State and territory regulators

17.37 In Australia there are multiple privacy regulators in particular industry sectors as well as across jurisdictions. As noted in Chapter 14, a number of issues may arise because more than one body is responsible for the regulation of personal information.

17.38 The Privacy Act and other federal legislation provide the Privacy Commissioner with a number of powers and functions, including powers to investigate and conciliate complaints, and approve and monitor privacy codes and guidelines.^[44] Most states and territories have privacy regulators, but their nature and functions vary widely. For example, New South Wales and Victoria have full-time privacy regulators with a similar range of powers and functions to those of the federal Privacy Commissioner.^[45] The Privacy Committee of South Australia’s powers and functions, however, are limited compared to the federal, New South Wales and Victorian privacy commissioners.^[46] Some jurisdictions, such as Tasmania and the Northern Territory, have regulators with functions other than oversight of the regulation of personal information.^[47]

17.39 A number of intergovernmental cooperative schemes employ a single national regulator to enforce compliance with the scheme. For example, the corporations law scheme is enforced by the Australian Securities and Investments Commission, and the gene technology scheme is enforced by the Gene Technology Regulator.

17.40 In DP 72, the ALRC considered whether all formal complaints about privacy should be dealt with by the Privacy Commissioner, rather than by industry ombudsmen and other federal, state and territory regulators. The ALRC also considered whether:

• all formal complaints about privacy under federal legislation could be referred to the Privacy Commissioner; or

• the various regimes governing the regulation of privacy at the federal, state and territory levels could be amended to clarify the jurisdiction of each of the bodies that regulate the handling of personal information.

17.41 The ALRC noted that some stakeholders had argued that a single national regulator was desirable to prevent unnecessary costs due to duplication and avoid inconsistencies arising under a national law. Others vigorously opposed a body, such as the OPC, regulating state and territory public sectors.

17.42 The ALRC expressed the preliminary view that there are advantages in having a number of agencies and bodies with responsibility for information privacy. The ALRC proposed, therefore, that the states and territories should enact legislation that regulates the handling of personal information in that state or territory’s public sector, and that this legislation should provide for the resolution of complaints by state and territory privacy regulators and agencies with responsibility for privacy regulation in that state or territory’s public sector.^[48]

Submissions and consultations

17.43 Only a few submissions addressed this issue. A number of stakeholders supported the retention of state and territory privacy regulators.^[49] The Office of the Victorian Privacy Commissioner (OVPC) submitted that maintaining privacy regulators in each jurisdiction fosters greater access to justice by those seeking redress, enables advice to be provided by offices that have developed local expertise, and allows for compliance actions to be undertaken in response to issues and concerns that arise within particular jurisdictions. The OVPC noted that a single national privacy regulator is likely to experience resourcing problems, particularly in relation to complaint handling and education. The OVPC also highlighted that a national privacy regulator would lack expertise in other relevant state and territory laws.^[50]

17.44 The Government of South Australia supported the proposal for an independent regulator to be established in South Australia, but noted that the structure of the regulator should be left up to each state and territory.^[51]

ALRC’s view

17.45 The ALRC has concluded that there are advantages in having a number of agencies and bodies with responsibility for information privacy. These advantages are discussed in Chapter 14, and include: the pooling of resources; peer review and the promotion of high standards in the performance of regulators; the ability of individuals to approach a local regulator for advice and to make a complaint; and the additional expertise that an industry-specific dispute resolution body can provide. The ALRC recommends, therefore, that state and territory privacy legislation should provide for the resolution of complaints by state and territory privacy regulators and agencies with responsibility for privacy regulation in that state or territory’s public sector.

17.46 However, the jurisdiction of the various bodies with responsibility for privacy needs to be clarified. Chapter 3 outlines a model for national consistency that seeks to clarify the scope of federal, state and territory information privacy laws. The jurisdiction of the various federal, state and territory bodies with responsibility for information privacy will be clarified once the scheme recommended in this Report is in place.

17.47 There also should be greater cooperation between: the OPC; state and territory privacy regulators; and other bodies with responsibility for information privacy in Australia, such as the Office of the Health Services Commissioner (Victoria) and the Banking and Financial Services Ombudsman. Greater cooperation among regulators will help promote a national and consistent approach to enforcement of privacy laws.

17.48 One method of achieving greater cooperation is the development of MOUs between privacy regulators in relation to enforcement of privacy laws. The ALRC recommends that the OPC develop and publish MOUs with each of the bodies with responsibility for information privacy in Australia, including industry-specific dispute resolution bodies and state and territory bodies with responsibility for privacy.^[52] The ALRC notes that the OPC has already entered into a number of MOUs with such bodies, including Privacy NSW.

17.49 To clarify further the jurisdiction of each of the bodies, these MOUs should outline the roles and functions of each of the bodies. They also should outline when a matter will be referred to, or received from, each of the bodies.

17.50 The MOUs should also help to promote consultation between privacy regulators when issuing public interest determinations (PIDs), temporary PIDs, and codes. This will minimise the risk of these instruments introducing inconsistent approaches to the UPPs and any relevant regulations that modify the application of the UPPs. The MOUs should also include a process for the development and publication of joint guidance on the UPPs and any relevant regulations. This will promote a nationally consistent approach to the interpretation of the privacy principles.

17.51 In Chapter 64, the ALRC recommends that the Privacy Commissioner issue one set of rules under the research exceptions to the UPPs to replace the Guidelines Under Section 95 of the Privacy Act 1988 and the Guidelines Approved Under Section 95A of the Privacy Act 1988. The MOUs could also address how the OPC should consult with relevant state and territory bodies when developing these rules.