Level of detail, guidance and protection

Background

18.32 Existing models of privacy principles vary in the level of detail and guidance that they provide. For example, the OECD Guidelines are pitched at a high level—they are relatively broad and aspirational—while the Victorian health privacy principles are considerably more detailed and comprehensive.[32]

18.33 An advantage of high-level principles is that they allow for greater flexibility. They can more easily accommodate unforeseen circumstances and a changing technological environment. For example, the Asia-Pacific Economic Cooperation (APEC) Privacy Framework states that the high-level nature of the OECD Guidelines ‘makes them still relevant today’.[33]

18.34 A disadvantage of high-level principles, however, is that they can fail to provide adequate guidance. In turn, this may promote a proliferation of guidelines and information sheets, which may not be legally binding. In contrast, detailed rules provide more guidance, thereby promoting certainty and consistency in application.

18.35 The choice about how prescriptive the principles should be also reflects, to some degree, a wider policy choice about the degree to which the regulation of personal information should be ‘light-touch’. The private sector provisions of the Privacy Act introduced what the then Attorney-General described as a ‘light-touch’ co-regulatory approach to information privacy protection, which was intended to be responsive to business and consumer needs.[34] This was to be achieved, in part, by adopting high-level principles rather than prescriptive rules.[35] It is generally more difficult to establish a breach of high-level principles than provisions imposing detailed and specific obligations.

18.36 Another issue is whether the privacy principles should contain a minimum, intermediate or maximum level of protection of personal information. Commentators have noted that there is a choice between two broad dynamics in modelling privacy principles in a globalised environment:

On the one hand, countries [could] progressively fashion their privacy protection policies according to the highest standard, a ‘trading up’ or a ‘race to the top’. Conversely, countries might consider that a less-regulated climate would attract global business that would want to circumvent the higher standards at work elsewhere. This competitive deregulation would lead to a race to the bottom, as countries progressively weaken their standards to attract global investment in the information technology and services industries.[36]

Submissions and consultations

Level of detail

18.37 In the Issues Paper, Review of Privacy (IP 31), the ALRC asked:

Should federal privacy principles be prescriptive or should they provide high level guidance only? Should they aim for a minimum or maximum level of protection of personal information or aim to adopt a best practice approach?[37]

18.38 In response to IP 31, a very large number of stakeholders favoured privacy principles that provide high-level guidance, as distinct from those prescribing in detail what is and is not permissible.[38] Stakeholders submitted that such an approach permits greater flexibility;[39] and, by emphasising the objectives of the law rather than its detail, promotes technological neutrality and makes the law more resilient to change.[40] The OPC submitted that this also aids in ensuring the law is clear and easy to apply.[41]

18.39 Further, it was argued that principles-based regulation is more appropriate in a co-regulatory environment.[42] For example, the OPC submitted:

Principle-based law is aimed at encouraging organisations to understand the values behind the law and change their behaviour accordingly; not just to prevent action from being taken against them by a regulator, but because they understand why the law is there, what its objectives are and that it may benefit its business outcomes.[43]

18.40 The Australian Government Department of Employment and Workplace Relations submitted that using language that is not overly prescriptive will make it easier to move to a unified set of privacy principles, applicable to the public and private sectors.[44]

18.41 Some stakeholders, however, suggested that a balance should be struck between high-level guidance and the more detailed prescription associated with traditional legislative regulation.[45] Others suggested that it is necessary to adopt a more prescriptive approach. Professor William Caelli submitted:

Privacy Principles MUST be prescriptive or else they will be largely ignored … There is no evidence that the private or public sector alike have embraced advanced information security systems WITHOUT legal obligation. This could also be clearly stated even for many matters of safety, eg, seat belts being made compulsory for inclusion in any manufactured or imported car, etc.[46]

18.42 In the Discussion Paper, Review of Australian Privacy Laws (DP 72), the ALRC proposed that the:

(a) obligations in the privacy principles generally should be expressed as high-level principles;

(b) privacy principles should be simple, clear and easy to understand and apply; and

(c) privacy principles should impose reasonable obligations on agencies and organisations.[47]

18.43 This proposal received general support from a majority of stakeholders.[48] Stakeholders expressed the view that a high-level principle approach works well in practice, and emphasised the adaptability and flexibility of such an approach.[49] It was also noted that a prescriptive approach would increase compliance costs.[50] Optus noted:

Optus fully supports the high level principle approach to specifying obligations via the use of the privacy principles. In practice, this approach works well, and has provided the necessary guidance to organisations when creating privacy safeguards for a multitude of different circumstances and emerging technologies.[51]

18.44 Similarly, Microsoft Asia Pacific submitted that

a principles based approach to regulation allows for the achievement of regulatory objectives while giving regulated entities the flexibility to determine how to do so. Principles based regulation is also more robust and adaptable to changing information handling practices.[52]

18.45 Medicare Australia stated:

(a) We agree that high level principles are preferable to a more rigid detailed-rule regime, given the vast array of circumstances and contexts they will apply to. A detailed-rule regime would result in long, complex instructions because they would need to cover off all possible permutations of interactions. By setting the principles to express desired outcomes rather than prescribed processes, this allows particular agencies and organisations the flexibility to implement their processes to meet the objectives of the principles in the most appropriate way for their environments …

(b) It will be vital that the principles [be] … simple, clear, easy to understand and … apply to avoid ambiguity and the risk that they will be interpreted widely differently. This will provide confidence that they will be applied in a consistent manner.[53]

18.46 Privacy advocates generally supported the proposal, and submitted that it was desirable to adopt principles which also are consistent within Australia, and represent best practice in internationally accepted privacy standards.[54]

18.47 Some stakeholders that supported a high-level principle approach also expressed the need for some level of prescription, where necessary. For example, the Social Security Appeals Tribunal (SSAT) recognised the importance of providing greater precision and certainty in particular instances, such as those covered in NPP 2 regulating use and disclosure of personal information. It expressed the view that the current hybrid regulatory model underpinning privacy protection should be maintained.[55] The Public Interest Advocacy Centre (PIAC) submitted that there needs to be guidance about how high-level principles operate, and that such guidance ideally should be contained in the Privacy Act in the form of more prescriptive provisions.[56]

18.48 Liberty Victoria opposed outright the approach proposed in DP 72, and submitted that privacy principles should be prescriptive and detailed. It stated that:

We believe that the starting point for protection of privacy is recognising that people have a human right to privacy, rather than considerations about burdening the private or public sectors. The intrusive technology available today and likely to be more sophisticated in the future demands a more stringent rather than light-touch approach to privacy protection.[57]

Minimum standards or maximum protection?

18.49 In response to IP 31, a number of stakeholders submitted that the privacy principles should continue to articulate minimum standards, as distinct from attempting to provide maximum privacy protection.[58] Some stakeholders linked this with the intention to adopt a ‘light-touch’ regulatory approach.[59] The Australian Bankers’ Association argued that the current approach is working well and that those who favour more onerous regulation should first be required to ‘establish the case for additional regulation and to demonstrate the benefits’.[60] It was also noted that the imposition of more onerous obligations would strengthen arguments for retaining an exemption for small businesses in the Privacy Act.[61]

18.50 While acknowledging the importance of having privacy principles, a number of stakeholders noted that this does not preclude some aspects of privacy from being regulated in a more prescriptive manner, where this is required by the particular situation.[62] The OPC observed that the NPPs and IPPs were always intended to be ‘minimum standards’ that ought properly to be supplemented in appropriate circumstances.[63] Similarly, other stakeholders observed that the current approach whereby the IPPs and NPPs are supplemented by codes of practice and other guidance operates effectively.[64]

18.51 As noted above, the ALRC in DP 72 proposed that an objective to be pursued in drafting the privacy principles in the Privacy Act should be to impose reasonable obligations on agencies and organisations.[65] This approach was generally supported.[66]

18.52 PIAC expressed some concern about the drafting of the proposed objective because of uncertainty concerning the meaning of ‘reasonable’. It submitted that:

The word ‘reasonable’ is open to many different interpretations. What is ‘reasonable’ from a business perspective may be very unreasonable from a consumer perspective. PIAC would prefer the following wording: ‘the privacy principles should impose reasonable obligations on agencies and organisations that effectively protect the privacy interests of individuals’.[67]

18.53 Medicare Australia stated that it assumed the term ‘reasonable obligations’ would be interpreted as meaning obligations that are reasonable in the circumstances, and that guidance on this would be useful.[68]

18.54 The Office of the Victorian Privacy Commissioner expressed the view that ‘obligations placed on agencies and organisations should be of the highest possible standard that is reasonable and practicable’.[69] In contrast, the SSAT preferred that the principles continue to reflect a minimum level of privacy protection.[70]

ALRC’s view

Level of detail

18.55 A principles-based approach should continue to be at the heart of the Privacy Act, and this should remain the starting point for the regulation of privacy. The ALRC favours such an approach because it is more flexible and able to adapt to the multitude of circumstances in which agencies and organisations must take account of individuals’ privacy rights. These features make the Privacy Act more resilient to change, especially in response to technological developments that impact on privacy. Further, the privacy principles, as far as practicable, should be drafted in technology-neutral terms.[71] This is the best way to ensure that the principles can continue to be relevant in the face of technological change.

18.56 It must be stressed, however, that the IPPs and NPPs are not constituted exclusively by archetypal high-level principles. Some of the principles such as IPP 9 (Personal information to be used only for relevant purposes) and NPP 8 (Anonymity) are relatively brief, expressing broad and general obligations or objectives to be achieved. On the other hand, principles such as IPP 5 (Information relating to records kept by record-keeper) and NPP 2 (Use and disclosure) are more detailed, specifying with greater precision the obligations that apply in the relevant circumstances. In other words, the IPPs and NPPs represent a compromise.

18.57 A compromise or hybrid approach is desirable because it enables Parliament to respond more flexibly to the needs of individuals, agencies and organisations at the various stages of the information cycle. Relying solely on either rules-based or principles-based regulation would not provide agencies and organisations with sufficient flexibility or certainty in the application of the principles.

18.58 Commentators have noted that a hybrid system seeks to combine the advantages of both a principles-based and a rules-based system in order to achieve regulatory clarity, enforceability and flexibility.[72] The continuation of a hybrid regulatory scheme will allow agencies and organisations to understand the purpose of the law and to drive organisational behaviour towards best practice. It therefore strikes an appropriate balance between flexibility and certainty. The overall regulatory structure should provide more detailed guidance and regulation where it is necessary to deal with particular issues.

18.59 The ALRC therefore recommends that the obligations in the privacy principles generally should be expressed as high-level principles. This should remain a broad objective, rather than a strict rule, in the drafting of the privacy principles. As demonstrated by the ALRC’s approach in determining the content of the UPPs, some principles—such as anonymity and pseudonymity, collection, and data quality—contain high-level obligations; whereas others—such as use and disclosure, and access and correction—are more prescriptive.

18.60 The privacy principles should also be drafted with the objective of making them simple, clear and easy to understand and apply.

18.61 The ALRC notes the view expressed in submissions that the privacy principles should be consistent within Australia. This view is accommodated within recommendations in Chapter 3 of this Report dealing with national consistency, as well as the recommendation that one of the objects of the Privacy Act should be ‘to provide the basis for nationally consistent regulation of privacy and the handling of personal information’.[73]

Minimum standards or maximum protection?

18.62 The ALRC affirms the longstanding policy position that the Privacy Act should be light-touch, in the sense that it should provide only such regulation as is required to protect individuals’ privacy without unreasonably burdening the public or private sectors. To further this goal, the privacy principles should impose reasonable obligations on agencies and organisations that provide adequate protection of individuals’ privacy rights and help to promote best practice, without creating an excessive compliance burden.

18.63 Determining whether an obligation is reasonable will involve a consideration of the impact of imposing the obligation on all the participants in the regulatory regime, including the agencies and organisations that are regulated, and the individuals intended to benefit from that regulation. Assessments of whether obligations are reasonable invariably require consideration, and often a balancing, of many factors. These factors include the privacy protection that will be afforded to individuals by imposing the obligation, the compliance burden, and the need to ensure that agencies and organisations can exercise properly their lawful functions while complying with the obligation. A consideration and balancing of such factors may result in a principle which allows for specified exceptions to an obligation or which provides that an obligation arises only where it is reasonable and practicable in the circumstances.

18.64 The benefits and costs of privacy protection to society as a whole are also relevant considerations in framing privacy principles. Professor Fred Cate has stated that:

Data protection is not an end in itself, but rather a tool for enhancing individual and societal welfare. To be effective, data protection must rest on the recognition that both information flows and individual privacy have value and are necessary in a democratic society and market economy. That value benefits individuals as well as society as a whole. Therefore, the goal of any privacy regime must be to balance the value of accessible personal information with the value of information privacy to maximize both individual and public benefits.[74]

18.65 By stipulating that the obligations to be imposed on agencies and organisations are to be reasonable, it is unnecessary to recommend obligations in every privacy principle that uniformly represent either minimum or maximum levels of protection. The ALRC’s approach in this regard is consistent with a hybrid regulatory approach, and with the goal of maintaining flexibility. In certain areas, it may be necessary to provide more detailed regulation that imposes either stricter or more lenient obligations.[75] In some situations, the obligations in the privacy principles will be displaced by more specific obligations that apply in a particular area—for instance, in credit reporting, health services and research, and in the telecommunications industry.[76]

Recommendation 18-1 The privacy principles in the Privacy Act should be drafted to pursue, as much as practicable, the following objectives:

(a) the obligations in the privacy principles generally should be expressed as high-level principles;

(b) the privacy principles should be technology neutral;

(c) the privacy principles should be simple, clear and easy to understand and apply; and

(d) the privacy principles should impose reasonable obligations on agencies and organisations.

[32] Health Records Act 2001 (Vic) sch 1.

[33] Asia-Pacific Economic Cooperation, APEC Privacy Framework (2005), fn 1.

[34] Commonwealth, Parliamentary Debates, House of Representatives, 8 November 2000, 22370 (D Williams—Attorney-General).

[35] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 164.

[36] C Bennett and C Raab, The Governance of Privacy: Policy Instruments in Global Perspective (2006), xv.

[37] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 4–36.

[38] Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007; Australian Bankers’ Association Inc, Submission PR 259, 19 March 2007; Queensland Government, Submission PR 242, 15 March 2007; Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Australian Government Department of Employment and Workplace Relations, Submission PR 211, 27 February 2007; Government of South Australia, Submission PR 187, 12 February 2007; Australian Federal Police, Submission PR 186, 9 February 2007; Law Council of Australia, Submission PR 177, 8 February 2007; Veda Advantage, Submission PR 163, 31 January 2007; National Australia Bank and MLC Ltd, Submission PR 148, 29 January 2007; Fundraising Institute—Australia Ltd, Submission PR 138, 22 January 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007; Investment and Financial Services Association, Submission PR 122, 15 January 2007; AXA, Submission PR 119, 15 January 2007; Microsoft Australia, Submission PR 113, 15 January 2007; Insurance Council of Australia, Submission PR 110, 15 January 2007; Office of the Information Commissioner (Northern Territory), Submission PR 103, 15 January 2007; National Catholic Education Commission and Independent Schools Council of Australia, Submission PR 85, 12 January 2007.

[39] Australian Government Department of Employment and Workplace Relations, Submission PR 211, 27 February 2007; Veda Advantage, Submission PR 163, 31 January 2007; AAMI, Submission PR 147, 29 January 2007; Microsoft Australia, Submission PR 113, 15 January 2007; Office of the Information Commissioner (Northern Territory), Submission PR 103, 15 January 2007; National Catholic Education Commission and Independent Schools Council of Australia, Submission PR 85, 12 January 2007.

[40] Australian Bankers’ Association Inc, Submission PR 259, 19 March 2007; Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Australian Federal Police, Submission PR 186, 9 February 2007; Veda Advantage, Submission PR 163, 31 January 2007; Microsoft Australia, Submission PR 113, 15 January 2007; Office of the Information Commissioner (Northern Territory), Submission PR 103, 15 January 2007.

[41] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[42] Ibid; Law Council of Australia, Submission PR 177, 8 February 2007; Fundraising Institute—Australia Ltd, Submission PR 138, 22 January 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007.

[43] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[44] Australian Government Department of Employment and Workplace Relations, Submission PR 211, 27 February 2007.

[45] Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007; AAMI, Submission PR 147, 29 January 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007.

[46] W Caelli, Submission PR 99, 15 January 2007.

[47] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 15–1. Submissions and consultations on limb (c) of the proposal are addressed separately below.

[48] BPay, Submission PR 566, 31 January 2008; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Centre for Law and Genetics, Submission PR 497, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Queensland Government, Submission PR 490, 19 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; Microsoft Asia Pacific, Submission PR 463, 12 December 2007; National Transport Commission, Submission PR 416, 7 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007; P Youngman, Submission PR 394, 7 December 2007; Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007.

[49] See, eg, Optus, Submission PR 532, 21 December 2007; Queensland Government, Submission PR 490, 19 December 2007; Microsoft Asia Pacific, Submission PR 463, 12 December 2007; National Transport Commission, Submission PR 416, 7 December 2007.

[50] Investment and Financial Services Association, Submission PR 538, 21 December 2007.

[51] Optus, Submission PR 532, 21 December 2007.

[52] Microsoft Asia Pacific, Submission PR 463, 12 December 2007.

[53] Medicare Australia, Submission PR 534, 21 December 2007.

[54] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[55] Social Security Appeals Tribunal, Submission PR 478, 17 December 2007.

[56] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[57] Liberty Victoria—Victorian Council for Civil Liberties, Submission PR 540, 21 December 2007.

[58] Australian Bankers’ Association Inc, Submission PR 259, 19 March 2007; Queensland Government, Submission PR 242, 15 March 2007; Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Australian Government Department of Human Services, Submission PR 136, 19 January 2007; National Association for Information Destruction, Submission PR 133, 19 January 2007.

[59] Veda Advantage, Submission PR 163, 31 January 2007; Australian Retailers Association, Submission PR 131, 18 January 2007; National Catholic Education Commission and Independent Schools Council of Australia, Submission PR 85, 12 January 2007.

[60] Australian Bankers’ Association Inc, Submission PR 259, 19 March 2007. See also Government of South Australia, Submission PR 187, 12 February 2007; National Australia Bank and MLC Ltd, Submission PR 148, 29 January 2007.

[61] Government of South Australia, Submission PR 187, 12 February 2007. The exemptions in the Privacy Act are discussed in Part E.

[62] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Australian Government Department of Human Services, Submission PR 136, 19 January 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007; Microsoft Australia, Submission PR 113, 15 January 2007.

[63] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[64] Veda Advantage, Submission PR 163, 31 January 2007; Fundraising Institute—Australia Ltd, Submission PR 138, 22 January 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007.

[65] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 15–1(c).

[66] BPay, Submission PR 566, 31 January 2008; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Centre for Law and Genetics, Submission PR 497, 20 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; Microsoft Asia Pacific, Submission PR 463, 12 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007; P Youngman, Submission PR 394, 7 December 2007; Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007.

[67] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007 (emphasis added).

[68] Medicare Australia, Submission PR 534, 21 December 2007.

[69] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[70] Social Security Appeals Tribunal, Submission PR 478, 17 December 2007.

[71] The merits of technology-neutral principles are discussed in Ch 10.

[72] O Krackhardt, ‘New Rules for Corporate Governance in the United States and Germany—A Model for New Zealand’ (2005) 36 Victoria University of Wellington Law Review 319, 332.

[73] See Rec 5–4. The ALRC has also recommended that one of the objects of the Privacy Act should be to implement, in part, Australia’s obligations at international law in relation to privacy. This accommodates, to some extent, the view expressed by some that the privacy principles should represent best practice in internationally accepted privacy standards: Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[74] F Cate, ‘The Failure of Fair Information Practice Principles’ in J Winn (ed) Consumer Protection in the Age of the ‘Information Economy’ (2007) 341, 369.

[75] J Black, Principles Based Regulation: Risks, Challenges and Opportunities (2007) London School of Economics and Political Science, 12.

[76] For those more detailed requirements, see Parts G, H and J of this Report.