Towards a single set of privacy principles

Background

18.66 The ALRC considered whether it is preferable to maintain two separate sets of similar, but sometimes inconsistent, privacy principles, or to create a unified set of privacy principles.[77]

18.67 The existence of two sets of privacy principles may cause difficulties for agencies and organisations seeking to comply with the Privacy Act. There are circumstances when an organisation or agency is subject to both the IPPs and the NPPs. For example, an Australian Government contractor may be bound under the Act to comply with the NPPs but also may be bound by contract to comply with the IPPs.[78] Some government business enterprises—such as Australia Post—are, for the purposes of the Privacy Act, both an agency in respect of their non-commercial activities, and an organisation in respect of their commercial activities.[79]

18.68 As noted above, the OECD Guidelines apply to personal data in both the public and private sectors. Similarly, the principles in the APEC Privacy Framework and in the European Parliament’s Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (1995) (EU Directive) also apply to both the public and private sectors.[80]

18.69 There is precedent in other jurisdictions for having a single set of principles applying both to the public and private sectors,[81] as well as for having separate principles or provisions regulating the public and private sectors.[82]

Previous privacy inquiries

18.70 The question whether to move to some form of unified privacy principles has been the subject of considerable debate in previous privacy inquiries.[83] In 2005, the OPC expressed its preference for a single set of privacy principles:

There seems no clear rationale for applying similar, but slightly different, privacy principles to public sector agencies and private sector organisations and certainly no clear rationale for applying both to an organisation at the same time. There is no clear policy reason why they are not consistent. The time may have come for a systematic examination of both the IPPs and the NPPs with a view to developing a single set of principles that would apply to both Australian Government agencies and private sector organisations.[84]

18.71 Stakeholders making submissions to the Senate Legal and Constitutional References Committee inquiry into the Privacy Act (Senate Committee privacy inquiry), and to the Taskforce on Reducing Regulatory Burdens on Business, expressed concern about the inconsistency within the Privacy Act resulting from two sets of principles.[85] It was also noted that the existence of two separate regimes caused particular difficulties in the health sector, where public and private health organisations often work closely together.[86]

18.72 The Taskforce on Reducing Regulatory Burdens on Business recommended the development of a single set of privacy principles, applicable across the public and private sectors.[87] Similarly, the Senate Committee privacy inquiry ultimately recommended that the ALRC develop a single set of privacy principles.

The committee recommends the development of a single set of privacy principles to replace both the National Privacy Principles and Information Privacy Principles, in order to achieve consistency of privacy regulation between the private and public sectors. These principles could be developed as part of the review by the Australian Law Reform Commission, as proposed in recommendations 1 and 2.[88]

Submissions and consultations

Responses to IP 31

18.73 The ALRC asked in IP 31 whether the IPPs and NPPs should be consolidated to create a single set of privacy principles applicable to both the public and private sectors and, if so, what model should be used. A related question was asked as to whether any particular principles, or exceptions to principles, should apply only to either the public or private sector.[89] It was noted in IP 31 that the number of similarities between the IPPs and NPPs appears to make the task of rationalisation feasible.[90]

18.74 In response to IP 31, a very large number of stakeholders submitted that it would be desirable to consolidate the IPPs and NPPs to create a single set of privacy principles, which would generally be applicable to organisations and agencies.[91] Stakeholders expressed support on the basis that maintaining separate sets of privacy principles creates complexity and confusion in a number of areas. It was submitted that a consolidation of the principles would simplify compliance requirements and, therefore, enhance administrative convenience.[92] In addition, stakeholders expressed the view that establishing a single set of privacy principles would help achieve the desirable goal of national consistency,[93] as well as consistency with a number of key international instruments, such as the EU Directive, the OECD Guidelines and the APEC Privacy Framework.[94]

18.75 A smaller number of stakeholders opposed moving to a single set of privacy principles.[95] Some stakeholders focused on the fact that sometimes it is necessary to impose different requirements on organisations and agencies.[96] Specifically, there was concern that the objects and functions of agencies differ from those of organisations and so it is appropriate to impose different privacy requirements on each.[97] For example, special principles may need to apply to the public sector because it can compel the production of personal information.[98] It was also suggested that it may be necessary to create a specific principle dealing with direct marketing that should apply only to the private sector.[99]

Discussion Paper proposal

18.76 In DP 72, the ALRC proposed that the Privacy Act should be amended to consolidate the IPPs and NPPs into a single set of privacy principles—the UPPs—that would be generally applicable to agencies and organisations, subject to such exceptions as required.[100]

18.77 This proposal received overwhelming support,[101] with a number of stakeholders expressing strong support for such an approach.[102] Reasons for support included that unification would: enable easier compliance for organisations required to comply with both sets of principles;[103] result in administrative efficiencies;[104] and reduce complexity for organisations in areas where they contract to agencies and act as commercial operators.[105]

18.78 For example, IBM Australia submitted that it was very supportive of the proposal.

As a large private organisation, IBM is required to comply with the NPPs. A major provider of IT products and services to the federal government, IBM is also required to comply with the IPPs as a ‘contracted service provider’ to the Commonwealth. Having only one privacy regime with which to comply will be much simpler for organisations such as IBM.[106]

18.79 PIAC submitted that:

It makes no sense to continue the artificial dichotomy that exists in privacy regulation between the public and private sectors. This dichotomy is historically based, and appears to have no sound basis in policy …

Having a single set of principles would reduce confusion and help to achieve national consistency as well as making Australian privacy regulation more consistent with international regimes.[107]

18.80 The National Transport Commission submitted that:

Considering the increasing trend in regulatory reform towards utilising specialised external entities, particularly in the area of remote compliance monitoring (speed camera providers, external auditors etc) to provide services which the regulator is unable or unwilling to provide for various reasons (for example cost efficiencies) the consolidation of privacy principles would have positive benefits for regulators and those promulgating reforms which require the incorporation of privacy principles.[108]

18.81 Privacy NSW submitted that the proposed set of unified privacy principles represented

a major step forward in harmonising Australian privacy laws and in eradicating the areas of overlap between the Commonwealth and the States … A common set of principles will allow for greater cooperation and pooling of resources among privacy agencies throughout Australia. It will also result in more cohesive decision-making across Australia and will make compliance by agencies and organisations more straightforward and therefore more comprehensive.[109]

18.82 Some stakeholders supported the proposal, but expressed reservations about the drafting, implementation or administration of the UPPs. Namely:

  • the Australian Federal Police expressed reservations about whether it would be possible to draft UPPs that address adequately the information collection, use, storage, destruction and disclosure needs of both the private and public sectors;[110]

  • the Australian Institute of Company Directors emphasised that ‘care needs to be taken [to ensure] that differences in structure and operations are taken into account’;[111]

  • Centrelink acknowledged the challenges of developing a single set of unified principles while maintaining a reasonable level of simplicity and clarity;[112]

  • the Department of Agriculture, Fisheries and Forestry submitted that the development of one set of principles would present challenges in implementation;[113] and

  • the Law Society of New South Wales submitted that the Privacy Act should also deal with the administration of the UPPs, stating that the public sector is generally better equipped than the private sector to administer privacy principles.[114]

18.83 Anglicare Tasmania expressed the view that, while the unification of the NPPs and IPPs would be of value, there is still a place for specific guidelines or codes for particular sectors.[115]

18.84 Only a very small number of stakeholders opposed the proposal. The Australian Direct Marketing Association (ADMA) submitted that it

rejects expensive, unnecessary, radical and revolutionary wholesale reform, including the creation of Unified Privacy Principles (UPPs).

In ADMA’s view, the ALRC has not made the case that such a change would provide any great benefit to consumers or any great improvements to the private sector privacy regime which is, by and large, working well.[116]

18.85 A number of stakeholders expressed concern about naming the privacy principles the ‘Unified Privacy Principles’ on the basis that such a name would become irrelevant with the passage of time.[117]

ALRC’s view

18.86 The overwhelming majority of stakeholders that expressed a view on this issue were in favour of consolidating the IPPs and NPPs to create a single set of privacy principles that generally would be applicable to organisations and agencies. In addition, there was support for the proposal from each of the various categories of stakeholder—that is, organisations, agencies and others. In the ALRC’s view, the IPPs and NPPs should be consolidated to establish the UPPs that generally would be applicable to agencies and organisations.

18.87 A large number of benefits would flow from such a reform. For example, the move to a set of UPPs would foster national and international consistency in privacy regulation. Such a reform also would clarify and simplify the obligations of agencies and organisations with respect to information privacy. This would be advantageous for individuals who interact with these entities, and also for the agencies and organisations themselves, as they would not have to differentiate between the overlapping requirements of the IPPs and NPPs. Where an organisation is acting as a contracted service provider or is involved in a public-private partnership, it would reduce significantly the problems associated with the organisation having to comply with both the IPPs and NPPs. This simplification may go some way to offsetting costs associated with implementing a new regime for privacy regulation.[118]

18.88 The UPPs, however, should not apply rigidly to both agencies and organisations. As explained in the remaining chapters in this Part, some principles in the UPPs should apply only to organisations.[119]

18.89 As explained earlier in this chapter, the ALRC, for the purposes of this Report, refers to the single set of privacy principles as the model ‘Unified Privacy Principles’. It is not, and never was, the ALRC’s intention for that term to be adopted in the Privacy Act. If the ALRC’s recommendation to adopt a single set of principles in the Privacy Act is adopted, it is likely to be appropriate to use a different term to describe the privacy principles. The ALRC agrees that the term model ‘Unified Privacy Principles’ will be otiose in the future. The decision of how best to describe the single set of privacy principles for the purposes of the Privacy Act will be a matter for the Office of Parliamentary Counsel.

Recommendation 18-2 The Privacy Act should be amended to consolidate the current Information Privacy Principles and National Privacy Principles into a single set of privacy principles, referred to in this Report as the model Unified Privacy Principles.

[77] See Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 4–34.

[78] See Privacy Act 1988 (Cth) ss 95B, 6A(2).

[79] Australia Post, Submission to the Office of the Privacy Commissioner Review of the Private Sector Provisions of the Privacy Act 1988, 21 December 2004. See Privacy Act 1988 (Cth) s 7(c); Freedom of Information Act 1982 (Cth) sch 2, div 1, pt II.

[80] See Asia-Pacific Economic Cooperation, APEC Privacy Framework (2005); European Parliament, Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, Directive 95/46/EC (1995).

[81] See, eg, Privacy Act 1993 (NZ); Data Protection Act 1998 (UK); Personal Data (Privacy) Ordinance (Hong Kong).

[82] See, eg, Privacy Act RS 1985, c P-21 (Canada) (regulation of public sector); Personal Information Protection and Electronic Documents Act 2000 SC 2000, c 5 (Canada) (regulation of private sector).

[83] See, eg, Parliament of Australia—Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005); Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005); Regulation Taskforce 2006, Rethinking Regulation: Report of the Taskforce on Reducing Regulatory Burdens on Business, Report to the Prime Minister and the Treasurer (2006).

[84] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 46.

[85] Parliament of Australia—Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005), [4.35]; Regulation Taskforce 2006, Rethinking Regulation: Report of the Taskforce on Reducing Regulatory Burdens on Business, Report to the Prime Minister and the Treasurer (2006), 56.

[86] Parliament of Australia—Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005), [4.37].

[87] See Regulation Taskforce 2006, Rethinking Regulation: Report of the Taskforce on Reducing Regulatory Burdens on Business, Report to the Prime Minister and the Treasurer (2006), 56.

[88] Parliament of Australia—Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005), rec 4, [7.9].

[89] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 4–34.

[90] Ibid, [4.193].

[91] Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007; Australian Commission on Safety and Quality in Health Care, Submission PR 252, 14 March 2007; Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Australian Government Department of Employment and Workplace Relations, Submission PR 211, 27 February 2007; Law Institute of Victoria, Submission PR 200, 21 February 2007; G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; Law Council of Australia, Submission PR 177, 8 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007; Australian Government Department of Families, Community Services and Indigenous Affairs, Submission PR 162, 31 January 2007; Australian Health Insurance Association, Submission PR 161, 31 January 2007; National Australia Bank and MLC Ltd, Submission PR 148, 29 January 2007; AAMI, Submission PR 147, 29 January 2007; National E-health Transition Authority, Submission PR 145, 29 January 2007; Fundraising Institute—Australia Ltd, Submission PR 138, 22 January 2007; Australian Government Department of Human Services, Submission PR 136, 19 January 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007; National Health and Medical Research Council, Submission PR 114, 15 January 2007; Insurance Council of Australia, Submission PR 110, 15 January 2007; Office of the Information Commissioner (Northern Territory), Submission PR 103, 15 January 2007; I Turnbull, Submission PR 82, 12 January 2007; Australia Post, Submission PR 78, 10 January 2007; Electronic Frontiers Australia Inc, Submission PR 76, 8 January 2007; National and State Libraries Australasia, Submission PR 68, 21 December 2006; The Mailing House, Submission PR 64, 1 December 2006.

[92] Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007; Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Australian Government Department of Human Services, Submission PR 136, 19 January 2007.

[93] Australian Commission on Safety and Quality in Health Care, Submission PR 252, 14 March 2007; Queensland Government, Submission PR 242, 15 March 2007; Fundraising Institute—Australia Ltd, Submission PR 138, 22 January 2007.

[94] G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007.

[95] For example, Australian Direct Marketing Association, Submission PR 298, 29 June 2007; Confidential, Submission PR 165, 1 February 2007; AXA, Submission PR 119, 15 January 2007.

[96] It should be noted, however, that some stakeholders argued that such inconsistencies as these could be accommodated by the Privacy Act: see Law Institute of Victoria, Submission PR 200, 21 February 2007; Law Council of Australia, Submission PR 177, 8 February 2007.

[97] Confidential, Submission PR 165, 1 February 2007.

[98] Australian Direct Marketing Association, Submission PR 298, 29 June 2007; Confidential, Submission PR 165, 1 February 2007; Law Council of Australia, Submission PR 177, 8 February 2007.

[99] Privacy Commission Victoria, Consultation PC 20, Melbourne, 9 May 2006. Direct marketing is dealt with in Ch 26.

[100] Australian Law Reform Commission, Review of Australian Privacy Law: An Overview of Discussion Paper 72 (2007), Proposal 15–2.

[101] BPay, Submission PR 566, 31 January 2008; Australian Government Department of Finance and Deregulation, Submission PR 558, 11 January 2008; Australian Government Centrelink, Submission PR 555, 21 December 2007; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Liberty Victoria—Victorian Council for Civil Liberties, Submission PR 540, 21 December 2007; Google Australia, Submission PR 539, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Law Council of Australia, Submission PR 527, 21 December 2007; Suncorp-Metway Ltd, Submission PR 525, 21 December 2007; Australian Medical Association, Submission PR 524, 21 December 2007; Australian Taxation Office, Submission PR 515, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Centre for Law and Genetics, Submission PR 497, 20 December 2007; Australian Industry Group and Australian Electrical and Electronic Manufacturers’ Association, Submission PR 494, 19 December 2007; National Children’s and Youth Law Centre, Submission PR 491, 19 December 2007; Queensland Government, Submission PR 490, 19 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Insurance Council of Australia, Submission PR 485, 18 December 2007; Microsoft Asia Pacific, Submission PR 463, 12 December 2007; Telstra Corporation Limited, Submission PR 459, 11 December 2007; Abacus–Australian Mutuals, Submission PR 456, 11 December 2007; Arts Law Centre of Australia, Submission PR 450, 7 December 2007; Australia Post, Submission PR 445, 10 December 2007; Australian Government Department of Defence, Submission PR 440, 10 December 2007; Motor Traders Association of NSW, Submission PR 429, 10 December 2007; National Transport Commission, Submission PR 416, 7 December 2007; Retail Motor Industry, Submission PR 407, 7 December 2007; IBM Australia, Submission PR 405, 7 December 2007; Australian Finance Conference, Submission PR 398, 7 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007; P Youngman, Submission PR 394, 7 December 2007; S Hawkins, Submission PR 382, 6 December 2007; Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007.

[102] For example, Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Centre for Law and Genetics, Submission PR 497, 20 December 2007; Insurance Council of Australia, Submission PR 485, 18 December 2007; Australia Post, Submission PR 445, 10 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[103] Australian Government Department of Defence, Submission PR 440, 10 December 2007.

[104] Microsoft Asia Pacific, Submission PR 463, 12 December 2007.

[105] Optus, Submission PR 532, 21 December 2007.

[106] IBM Australia, Submission PR 405, 7 December 2007.

[107] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[108] National Transport Commission, Submission PR 416, 7 December 2007.

[109] Privacy NSW, Submission PR 468, 14 December 2007.

[110] Australian Federal Police, Submission PR 545, 24 December 2007.

[111] Australian Institute of Company Directors, Submission PR 424, 7 December 2007.

[112] Australian Government Centrelink, Submission PR 555, 21 December 2007.

[113] Australian Government Department of Agriculture, Fisheries and Forestry, Submission PR 556, 7 January 2008.

[114] Law Society of New South Wales, Submission PR 443, 10 December 2007.

[115] Anglicare Tasmania, Submission PR 514, 21 December 2007.

[116] Australian Direct Marketing Association, Submission PR 543, 21 December 2007. ADMA’s submission was supported by Acxiom Australia: Acxiom Australia, Submission PR 551, 1 January 2008.

[117] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; K M Corke and Associates, Submission PR 447, 10 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007. Some of these stakeholders submitted that such names as the ‘Australian privacy principles’ or ‘Uniform privacy principles’ were more appropriate.

[118] The ALRC considers that the NPPs should form the general template in drafting and structuring the UPPs. This approach, which is discussed further below, should also help to minimise the transitional costs for organisations.

[119] See Chs 26, 30.