Regulatory mechanism: ‘Privacy Policies’

24.14 The IPPs and NPPs set out different regulatory mechanisms by which openness is to be achieved. Currently, agencies are required to:

  • take such steps as are, in the circumstances, reasonable to enable any person to ascertain specified matters;[11]

  • maintain a record setting out a number of matters relating to the agency’s handling of personal information;[12] and

  • make the record available for inspection by the public and give a copy annually to the OPC, which uses this to create the Personal Information Digest.[13]

24.15 Organisations are required to:

  • produce a document, available to anyone on request, which sets out the organisation’s policies on its management of personal information; and

  • take reasonable steps, on request, to inform a person generally about: what sort of personal information it holds; for what purposes; and how it collects, holds, uses and discloses that information.[14]

Submissions and consultations

24.16 In response to IP 31, strong concern was expressed that the Personal Information Digest mechanism applicable to agencies is not operating effectively.[15] Some stakeholders suggested that the Personal Information Digest is of limited utility and the information could be disseminated better in other ways.[16] For example, AAMI stated that requiring organisations to submit their documents annually to the OPC ‘would be unlikely to add any real value’.[17] The Australian Federal Police suggested that such information could be made available ‘through self publishing on agency websites in line with guidelines issued by the Privacy Commissioner’.[18]

24.17 In DP 72, the ALRC proposed that the ‘Openness’ principle should set out the requirements on an agency or organisation to operate openly and transparently by providing general notification in a Privacy Policy of how it manages, collects, holds, uses and discloses personal information.[19]

24.18 This proposal received general support.[20] For example, Medicare Australia expressed the view that the Privacy Policy mechanism ‘would provide clear detail for both the agency and the individual’ and is ‘much more useful than the current [Personal Information Digest arrangements] under IPP 5’.

24.19 The Australian Privacy Foundation stated that, although ‘there has been relatively little use’ of the Personal Information Digest, it remains a ‘potentially valuable resource for the media and public interest groups to make comparisons and hold governments to account’. It therefore supported a requirement for an agency to provide to the Privacy Commissioner an electronic copy of its Privacy Policy at least once a year.[21]

24.20 PIAC made the point that, in order to be effective, a policy must be implemented. It submitted that the ‘Openness’ principle should make it clear that agencies and organisations should take reasonable steps to implement their Privacy Policies.[22]

ALRC’s view

24.21 The openness requirements, currently located in the IPPs and NPPs, should be consolidated and simplified in the model UPPs. The ‘Openness’ principle should make it clear that a Privacy Policy is the regulatory mechanism by which agencies and organisations are to achieve openness. Agencies and organisations should be required to set out in Privacy Policies clearly expressed policies on their handling of personal information.[23]

24.22 The development of Privacy Policies will have a positive impact on the regulatory system as a whole. It will assist in the OPC’s auditing process,[24] and in promoting best practice in the handling of personal information. By requiring agencies and organisations to express in their Privacy Policies how they handle personal information at each stage of the information cycle, agencies and organisations will be encouraged to consider how the UPPs apply to their activities. This may assist agencies and organisations to structure their operations so as to comply with the UPPs.

24.23 The development and publication of Privacy Policies will promote the accountability of agencies and organisations. If agencies and organisations do not adhere to their Privacy Policies, the policies expressed in such documents may be used as a benchmark against which actual practices relating to the handling of personal information may be judged.

24.24 Privacy Policies also will increase the transparency of the information-handling practices of particular agencies and organisations. This will allow individuals to make more informed choices about whether they wish to transact with particular agencies or organisations.

24.25 Agencies should not be required to submit their Privacy Policies to the OPC each year for the purposes of the Personal Information Digest.[25] The posting of Privacy Policies on the websites of agencies, and the requirement that such policies be made available in hard copy, on request, makes it unnecessary for agencies to submit their Privacy Policies to the OPC for the purpose of the ‘Openness’ principle.[26] The removal of this requirement will ease the compliance burden on agencies.

24.26 It is important that agencies and organisations implement their Privacy Policies. Staff should be trained to ensure that they are aware of the contents of Privacy Policies, and the obligations that ensue.

[11] See Privacy Act 1988 (Cth) s 14, IPP 5.1.

[12] See Ibid s 14, IPP 5.3.

[13] See Ibid s 14, IPP 5.4. See also s 27(1)(g). In New South Wales, agencies are required to prepare privacy management plans, which describe the agency’s policies and practices to ensure compliance with privacy legislation. These plans are to be provided to the Privacy Commission after preparation and whenever amended: See Privacy and Personal Information Protection Act 1998 (NSW) s 33.

[14] See Privacy Act 1988 (Cth) sch 3, NPP 5.

[15] The concerns about the Personal Information Digest system are described in detail in Ch 47.

[16] See Australian Federal Police, Submission PR 186, 9 February 2007; Australian Government Department of Human Services, Submission PR 136, 19 January 2007.

[17] AAMI, Submission PR 147, 29 January 2007.

[18] Australian Federal Police, Submission PR 186, 9 February 2007.

[19] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 21–1.

[20] Australian Government Centrelink, Submission PR 555, 21 December 2007; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007; Australian Unity Group, Submission PR 381, 6 December 2007; Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007.

[21] Australian Privacy Foundation, Submission PR 553, 2 January 2008.

[22] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[23] The content and availability of Privacy Policies are addressed below.

[24] The OPC’s audit function is discussed in Part F.

[25] This is discussed in Ch 47.

[26] The availability of Privacy Policies is discussed below.