Scope and structure of Unified Privacy Principles

Scope of Unified Privacy Principles

18.100 In considering the content of the privacy principles, the first question is: what should be the scope of the UPPs? In other words, should the scope of the UPPs match that of the IPPs, NPPs or both; or should the scope be narrower or broader?

18.101 Taken together, the IPPs and NPPs cover the following aspects of privacy in relation to personal information: collection; use and disclosure; data quality; data security; openness; access and correction; the adoption, use and disclosure of identifiers; the principle of anonymity; the regulation of transborder data flows; and the special protections that should apply to sensitive information.

18.102 At a minimum, the UPPs should cover the same aspects of privacy as are currently covered by the IPPs and NPPs, when taken together. This coverage is broadly consistent with the privacy regimes of other jurisdictions and at international law. The question whether the scope of the UPPs should be expanded to cover additional aspects of privacy is discussed in Chapter 32.

Structure of a single set of privacy principles

Background

18.103 Assuming the IPPs and the NPPs are consolidated to create a single set of privacy principles, a question arises as to how the UPPs should be structured. Specifically, should the UPPs be based on the NPPs, the IPPs or neither?

18.104 The privacy statutes of Victoria, Tasmania and the Northern Territory are largely based on the NPPs—although they are not ‘word for word’ replicas.[132] In each case, the NPPs have been used as a basis for the principles that are to apply to public sector bodies—although the Tasmanian provisions also apply to ‘any body, organisation or person who has entered into a personal information contract relating to personal information’.[133] In addition, the South Australian Department of Health and Department for Families and Communities have both adopted the NPPs, which ‘demonstrates the ability of the NPPs to be applied in a public sector setting’.[134] On the other hand, the privacy legislation of New South Wales and the privacy schemes in Queensland and South Australia resemble more closely the IPPs.[135]

18.105 One key consideration in determining the model of privacy principles to be applied is the compliance burden that will be imposed on agencies and organisations that have tailored their compliance systems to the requirements of the IPPs and the NPPs. Departing radically from those principles would increase the consequential compliance burden imposed on those entities that are to be subject to the UPPs. The OPC concluded that the NPPs ‘have worked well and delivered to individuals protection of personal and sensitive information in Australia in those areas covered by the Act’.[136] The Senate Committee privacy inquiry, however, disagreed with the OPC’s conclusion that the private sector provisions are ‘working well’.[137]

Submissions and consultations

18.106 Before the release of DP 72, a number of stakeholders expressed the view that the NPPs—though capable of improvement—are superior to the IPPs and should form the model for any set of UPPs.[138] A small number of stakeholders stated that, if there were to be one set of privacy principles, it would be preferable to develop a new set of principles rather than merely merging and modifying the existing NPPs and IPPs.[139]

18.107 In DP 72, the ALRC proposed that the NPPs should provide the general template in drafting and structuring the proposed UPPs.[140] This proposal was widely supported.[141] Reasons for support included that:

  • the NPPs were developed in consultation with stakeholders;[142]

  • departure from the NPPs in the UPPs is likely to increase compliance costs for organisations that have already invested significant resources in ensuring compliance with the NPPs;[143]

  • the NPPs are simpler, more concise, and more user-friendly than the IPPs;[144] and

  • the ability of the NPPs to translate well into the public sector has already been demonstrated by the privacy statutes of Victoria, Tasmania and the Northern Territory.[145]

18.108 A small number of stakeholders expressed concerns that a move to UPPs based on the NPPs would impose a considerable transitional burden and cost for the public sector.[146] Some agencies also expressed the view that the wording of the IPPs is clearer and more concise than that of the NPPs.[147]

18.109 Other stakeholders put forward alternative models for drafting the UPPs. The Office of the Victorian Privacy Commissioner submitted that:

Any template used to draft the UPPs should be set at the highest standard of privacy protection. While the NPPs generally set a high standard of privacy protection, they do not provide the same level of protection as the Victorian IPPs, particularly where the privacy principle concerning ‘sensitive information’ and ‘unique identifiers’ are concerned.[148]

18.110 The Australian Federal Police supported the proposal in principle but expressed the view that

the more recent privacy legislation enacted in NSW, Victoria and Queensland should be considered as well—for example, their approach to dealing with law enforcement requirements.[149]

ALRC’s view

18.111 The general structure of the NPPs has been largely effective. This is borne out by the response of stakeholders to this Inquiry, the majority of which have indicated that they are generally satisfied with the structure of the NPPs. It is also noted that adopting a radically different structure from the NPPs would involve a greater compliance burden, particularly on organisations that have to update their privacy protection regimes.

18.112 Consequently, the NPPs should form the general template in drafting and structuring the UPPs. Having drafted model UPPs, and made other recommendations concerning their content, there is no need to make a specific recommendation in this regard.

18.113 In adopting this approach, two important points should be made. First, the ALRC’s general view that the NPPs should form the template for the UPPs is not intended to impact on the substantive content of the UPPs; rather it is intended only to guide the general form or framework of the UPPs. Secondly, the ALRC does not consider it appropriate for the statutory drafters to follow strictly the NPPs structure or wording where it is obvious that amendments can be made that would improve on the status quo. It would be entirely appropriate for the UPPs to depart from the general structure of the NPPs in such circumstances. This general approach is reflected in the way in which the model UPPs have been drafted by the ALRC in this Report.

[132] See Information Privacy Act 2000 (Vic) sch 1; Personal Information Protection Act 2004 (Tas) sch 1; Information Act 2002 (NT) sch 2.

[133] See Personal Information Protection Act 2004 (Tas) s 3.

[134] Government of South Australia, Submission PR 187, 12 February 2007.

[135] See Privacy and Personal Information Protection Act 1998 (NSW) pt 2, div 1; Queensland Government Department of Justice and Attorney-General, Privacy <www.justice.qld.gov.au/40.htm> at 5 May 2008; South Australian Government Department of Premier and Cabinet, PC012—Information Privacy Principles Instruction (1992).

[136] See Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 2–3.

[137] Parliament of Australia—Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005), [7.27].

[138] See, eg, Government of South Australia, Submission PR 187, 12 February 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007; AAMI, Submission PR 147, 29 January 2007; D Antulov, Submission PR 14, 28 May 2006.

[139] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; R Clarke, Consultation PC 14, Canberra, 30 March 2006.

[140] Australian Law Reform Commission, Review of Australian Privacy Law: An Overview of Discussion Paper 72 (2007), Proposal 15–4.

[141] Government of South Australia, Submission PR 565, 29 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Australian Taxation Office, Submission PR 515, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Centre for Law and Genetics, Submission PR 497, 20 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Microsoft Asia Pacific, Submission PR 463, 12 December 2007; Australian Finance Conference, Submission PR 398, 7 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007; Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007.

[142] Australian Finance Conference, Submission PR 398, 7 December 2007.

[143] BPay, Submission PR 566, 31 January 2008; Optus, Submission PR 532, 21 December 2007; Microsoft Asia Pacific, Submission PR 463, 12 December 2007. The Centre for Law and Genetics expressed a similar view that adopting the NPPs would minimise compliance burden and costs: Centre for Law and Genetics, Submission PR 497, 20 December 2007.

[144] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[145] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007. One stakeholder expressed the view that the UPPs should be identical to the NPPs unless there were compelling reasons not to adopt that approach: BPay, Submission PR 566, 31 January 2008.

[146] Medicare Australia, Submission PR 534, 21 December 2007; Queensland Government, Submission PR 490, 19 December 2007.

[147] Australian Government Centrelink, Submission PR 555, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007.

[148] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[149] Australian Federal Police, Submission PR 545, 24 December 2007.