A separate ‘Openness’ principle

24.5 The ALRC has considered whether the requirements relating to openness should continue to be dealt with in a discrete privacy principle. As noted in Chapter 23, in response to the Issues Paper, Review of Privacy (IP 31), some stakeholders expressed the view that the notification and openness requirements should be located within the same principle.[3] Specifically, some stakeholders suggested an ‘awareness principle’, which would cover ‘notification requirements at the time of collection and more general information provision’.[4] It was stated that attention should be given to the respective roles of proactive notice and obligations to respond to inquiries.[5]

24.6 In the Discussion Paper, Review of Australian Privacy Law (DP 72), the ALRC proposed that the model Unified Privacy Principles (UPPs) should contain a discrete principle called ‘Openness’ that sets out the requirements on agencies or organisations to operate openly and transparently by providing general information on how they collect, hold, use and disclose personal information.[6]

24.7 This proposal generally was supported.[7] For example, Privacy NSW expressed the view that an openness principle would not only ‘increase the transparency of organisations’ and agencies’ dealings with regard to … personal information’, but would also ‘assist in identifying and remedying compliance issues’. It also expressed the view that the principle should be entitled ‘Privacy Policy’ in order to distinguish it from the ‘Notification’ principle.[8]

24.8 The Public Interest Advocacy Centre (PIAC) stated that the ALRC’s approach would consolidate and simplify the existing requirements, and that:

A separate UPP dealing with ‘Openness’ will also serve to highlight the importance of this principle as a mechanism for ensuring open and transparent handling of personal information by agencies and organisations.[9]

ALRC’s view

24.9 The requirements on an agency or organisation to operate openly and transparently by providing general information on how it manages personal information should be dealt with in a discrete principle in the model UPPs.

24.10 It is not appropriate to deal with requirements relating to openness and notification in the same principle because of their important conceptual differences. Openness provisions require agencies and organisations to make their general practices relating to the handling of personal information transparent. The requirement is not targeted exclusively for the benefit of those whose personal information has been, or is to be, collected. The obligation attaches regardless of whether an agency or organisation has actually collected personal information from a particular individual, or plans to do so.

24.11 In contrast, the requirement to notify or otherwise ensure an individual is aware of specified matters under the ‘Notification’ principle applies only when an individual’s personal information has been, or is to be, collected. Further, the ‘Notification’ principle is directed to informing the particular individual how the agency or organisation will, or is likely to, handle his or her personal information, or personal information of the kind collected from the individual.

24.12 The benefits that flow from compliance with the openness requirements therefore can be distinguished in their nature and scope from those relating to notification. The publication of explanations as to how agencies and organisations deal with personal information generally benefits the regulatory system as a whole. It allows, for example, the Office of the Privacy Commissioner (OPC) to monitor an agency’s or organisation’s compliance with the Privacy Act and also to recommend changes to the personal information management practices of the agency or organisation.[10] Openness, therefore, plays a key role in promoting best practice in the handling of personal information.

24.13 It is preferable for the principle to be given a name which reflects its goal—that is, ‘openness’—rather than one that describes the regulatory mechanism by which that goal is to be achieved—such as ‘Privacy Policy’. This approach better reflects the high-level nature of the privacy principles.

[3] See, eg, G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007.

[4] G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007.

[5] Ibid.

[6] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 21–1.

[7] Australian Government Centrelink, Submission PR 555, 21 December 2007; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007; Australian Unity Group, Submission PR 381, 6 December 2007; Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007. The Australian Direct Marketing Association stated that ‘it did not disagree’ with the proposal: Australian Direct Marketing Association, Submission PR 543, 21 December 2007.

[8] Privacy NSW, Submission PR 468, 14 December 2007.

[9] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[10] This is discussed in greater detail in Part F.