Application of the Unified Privacy Principles

Background

18.90 What is the extent of the application of the UPPs? In particular, when can they be displaced by other obligations concerning the handling of personal information?

18.91 Under the ALRC’s recommended regulatory model, regulations, consistent with the objects of the Privacy Act, can be introduced to provide greater specificity and certainty in regulating privacy in relation to particular activities. Those regulations would be more detailed and specific than the privacy principles and, where appropriate, they would be able to derogate from the requirements in the privacy principles by providing different (that is, more or less stringent) requirements than are provided for in the principles.[120]

Submission and consultations

18.92 In DP 72, the ALRC proposed that the model UPPs should apply to information privacy except to the extent that the Privacy Act, subordinate legislation under the Privacy Act, or another piece of Commonwealth legislation imposes different or more specific requirements in a particular context.[121]

18.93 This proposal received general support.[122] Some stakeholders, however, expressed concern that the proposal could allow less stringent requirements to be imposed and, therefore, legitimate a progressive ‘watering down’ of the UPPs through other Commonwealth legislation and subordinate legislation.[123] Views were expressed that any different or more specific requirements should offer an equivalent[124] or more stringent level of protection than the UPPs.[125]

18.94 The Cyberspace Law and Policy Centre supported the proposal but only

to the extent that such differences or greater detail are justified. If it is possible for the UPPs to cover a situation, it is desirable that they do so. Even where differences of substance or detail are justified on some specific points, it is generally desirable for the UPPs to apply, and for a separate specific provision to provide the amending difference or detail. This will maximise the consistent application of interpretations by Courts and tribunals.[126]

18.95 National Archives of Australia noted that the disposal authority regime under the Archives Act 1983 (Cth) could be undermined. It was concerned that the authorities under this regime would not qualify as pieces of Commonwealth legislation.[127]

18.96 BPAY opposed the proposal insofar as it dealt with other pieces of Commonwealth legislation.

BPAY disagrees with this proposal to have numerous separate pieces of legislation. To the extent possible, the aim of this privacy review should be to construct the privacy regime in one piece of legislation. In recognition of the benefits of simplifying privacy, BPAY supports privacy legislation consolidated at federal level in the PrivacyAct.[128]

ALRC’s view

18.97 For the reasons discussed in Chapters 4 and 5, the model UPPs should apply to information privacy, except to the extent the Privacy Act, subordinate legislation under the Privacy Act or another piece of Commonwealth legislation imposes different or more specific requirements in a particular context.[129] This approach is necessary to allow for flexibility in specific situations.

18.98 By acknowledging that another piece of Commonwealth legislation may displace the operation of the UPPs, the ALRC is not intending to encourage the unbridled proliferation of Commonwealth statutes dealing with privacy. Rather, this approach recognises that it is legitimate for other pieces of Commonwealth legislation to deal with aspects of information privacy in specific contexts, including telecommunications. Discrete examples of such types of legislation include the Telecommunications Act 1997 (Cth), the Spam Act 2003 (Cth) and the Do Not Call Register Act 2006 (Cth).[130]

18.99 Further, regulations made under the Privacy Act that impose different or more specific requirements, of either greater or less stringency than those imposed by the UPPs, would nonetheless need to be consistent with the objects of the Privacy Act.[131]

[120] See Chs 4, 5. See also Rec 5–1.

[121] Australian Law Reform Commission, Review of Australian Privacy Law: An Overview of Discussion Paper 72 (2007), Proposal 15–3.

[122] Australian Privacy Foundation, Submission PR 553, 2 January 2008; GE Money Australia, Submission PR 537, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007; Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007.

[123] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[124] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[125] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[126] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[127] National Archives of Australia, Submission PR 414, 7 December 2007. Section 24(1) of the Archives Act 1983 (Cth) provides, in part, that a person must not engage in conduct that results in the destruction, disposal or alteration of a Commonwealth record. However, s 24(2) provides that this does not apply to anything done with the permission of National Archives or in accordance with a practice or procedure approved by National Archives.

[128] BPay, Submission PR 566, 31 January 2008.

[129] See Rec 5–1.

[130] See discussion in Part J of this Report.

[131] See discussion in Ch 5.