National legislation to regulate the private sector

‘Covering the field’

3.53 In DP 72, the ALRC expressed the view that many of the problems associated with inconsistent privacy laws would be dealt with effectively if the Privacy Act was amended to ‘cover the field’ in relation to the handling of personal information in the private sector. Organisations should be required to comply with only a single set of privacy principles.

3.54 The ALRC proposed, therefore, that the Privacy Act should be amended to provide that the Act is intended to apply to the exclusion of state and territory laws dealing specifically with the handling of personal information by the private sector. In particular, the following laws of a state or territory would be excluded to the extent that they apply to organisations: Health Records and Information Privacy Act 2002 (NSW); Health Records Act 2001 (Vic); and the Health Records (Privacy and Access) Act 1997 (ACT).[83]

3.55 The ALRC noted that other state and territory laws may be introduced that seek to regulate the handling of personal information in the private sector. The ALRC therefore proposed that regulations made under the Privacy Act should be used to exclude future state and territory laws that purport to regulate the handling of personal information by organisations.[84]

3.56 The ALRC also proposed that states and territories with information privacy legislation that purports to apply to organisations should amend that legislation so that it is no longer expressed to apply to organisations.[85]

Submissions and consultations

3.57 A large number of submissions supported the ALRC’s proposals.[86] Privacy NSW, for example, supported the proposals, acknowledging that it would mean the repeal of the Health Records and Information Privacy Act 2002 (NSW) and the amendment of the Privacy and Personal Information Protection Act 1998 (NSW) to regulate dealings with health information by NSW government agencies.[87]

3.58 The Queensland Government stated that the proposals would ensure that the rights of individuals are not dependent on the jurisdiction in which they live, and would prevent organisations from ‘jurisdiction shopping’ to take advantage of the least onerous privacy obligations.[88]

3.59 The Cancer Council of Australia and the Clinical Oncological Society of Australia strongly supported the proposals, noting that inconsistent privacy laws impede evidence-based epidemiological health research and create cross-border barriers to monitoring of familial cancer risks.[89]

3.60 The National Health and Medical Research Council (NHMRC) strongly supported the ALRC’s proposals for national legislation, but stated that unless the proposals were enacted with other structural reforms proposed by the ALRC, the complexity in the regulation of the healthcare and health and medical research sectors would not be ameliorated. It argued that it is essential that state public sectors adopt privacy regulatory regimes that deliver consistent compliance obligations across the public and private sectors. This would address the confusion and inconsistencies which impact on information exchange between the public and private sectors.[90]

3.61 The Public Interest Advocacy Centre (PIAC) supported the proposals but not the removal of state-based private sector privacy legislation, if this results in a lowering of standards of privacy protection.[91]

3.62 The Health Services Commissioner Victoria and the OVPC opposed the proposals, stating that the exclusion of the three state and territory health privacy Acts would not be necessary if federal, state and territory legislation contained uniform privacy principles and key definitions.[92]

3.63 The OVPC was concerned that, under the ALRC proposals, entirely state-owned corporations could be subject to federal jurisdiction. It also submitted that there should be a statutory obligation to consult with relevant states and territories before regulations are made to exclude laws that regulate the handling of personal information by organisations. The OVPC also argued that state contracted service providers should continue to be subject to state jurisdiction.[93]

3.64 Some stakeholders continued to argue for a single national law that would cover the state and territory public sectors, as well as the private sector and the Australian Government public sector.[94] For example, the Law Council of Australia suggested that the ALRC’s proposed regime was unnecessarily complicated:

If the Commonwealth has the necessary Constitutional power (and to the extent it does not, the States could refer such power to the Commonwealth) does the case for a complementary law regime with multiple regulators outweigh the benefit of a single, national unified privacy regime with a single, national regulator?[95]

ALRC’s view

3.65 The problems associated with overlapping and inconsistent federal, state and territory laws that regulate the handling of personal information are documented throughout this Report. These problems include unjustified compliance burden and cost, impediments to information sharing and national initiatives and confusion about who to approach to make a privacy complaint.

3.66 The most appropriate way to respond to these problems is through:

  • the enactment of federal legislation to regulate the handling of personal information, to the exclusion of state and territory privacy laws operating in the private sector; and

  • an intergovernmental agreement that establishes an intergovernmental cooperative scheme. The scheme would provide that the states and territories should enact legislation to regulate the handling of personal information in the state and territory public sectors, applying key uniform elements such as a set of uniform privacy principles, any relevant regulations that modify the application of the principles, and relevant definitions.

3.67 Although there are a number of advantages to having a single, national privacy law administered by a single regulator, the ALRC sees merit in the arguments put forward by state governments and others that the states and territories should be left to regulate the handling of personal information in their public sectors. In particular, the ALRC notes concerns relating to the need for state and territory privacy legislation to respond to local conditions, and to interact with existing state and territory information laws such as freedom of information and public records legislation. Further, the ALRC acknowledges the advantages of having state and territory privacy regulators deal with complaints, provide advice, and perform educational functions.[96]

3.68 While a single national privacy law could accommodate many of these concerns, the ALRC’s view is that, for the time being,[97] the Australian Parliament should exercise its legislative power only in relation to the handling of personal information by the private sector and the Australian Government public sector. The ALRC recommends below an intergovernmental cooperative scheme in relation to state and territory public sectors.

3.69 Many stakeholders focused on inconsistency in the regulation of personal information in the private sector. In particular, it was suggested in submissions that various problems arise because the handling of health information in the private sector is regulated by the Privacy Act and state and territory legislation in NSW, Victoria and the ACT.

3.70 These issues would be dealt with effectively if organisations were required to comply with a single set of principles, and any relevant regulations that modify the application of those principles, in relation to the handling of health information. This view is consistent with the Report, Essentially Yours: The Protection of Human Genetic Information in Australia (ALRC 96), where the ALRC and the Australian Health Ethics Committee recommended that:

As a matter of high priority, the Commonwealth, States and Territories should pursue the harmonisation of information and health privacy legislation as it relates to human genetic information. This would be achieved most effectively by developing nationally consistent rules for handling all health information.[98]

3.71 The Privacy Act should be amended to provide that the Act is intended to apply to the exclusion of state and territory laws dealing specifically with the handling of personal information by the private sector. In particular, the following laws of a state or territory would be excluded to the extent that they apply to organisations: Health Records and Information Privacy Act 2002 (NSW); Health Records Act 2001 (Vic); and the Health Records (Privacy and Access) Act 1997 (ACT).

3.72 A number of federal laws include provisions that state the Commonwealth’s intention to ‘cover the field’. Section 16(1) of the Workplace Relations Act 1996 (Cth) states that the Act is intended to apply to the exclusion of a number of listed laws of a state and territory so far as they would otherwise apply in relation to an ‘employee’ or ‘employer’.[99] The ALRC has adopted this provision as a model for its recommendation to exclude the operation of state and territory laws dealing with the handling of personal information by organisations.

3.73 While some stakeholders argued that state and territory laws—that apply key elements of the Privacy Act—should continue to regulate the handling of health information in the private sector, many private sector organisations that handle personal information and health information operate across more than one jurisdiction. These organisations should be subject to a single set of privacy principles. Greater national consistency will be achieved if the Privacy Act alone regulates the handling of health information in the private sector.

3.74 Other state and territory laws may be introduced that seek to regulate the handling of personal information in the private sector.[100] The Privacy Act should operate to exclude the operation of such laws. The ALRC has therefore recommended that regulations made under the Privacy Act should operate to exclude future state and territory laws that purport to regulate the handling of personal information by organisations.

3.75 States and territories with information privacy legislation that purports to apply to organisations should amend that legislation so that it is no longer expressed to apply to organisations.

3.76 The ALRC notes the observation made by the NHMRC that the complexity in the regulation of health information will not be ameliorated unless this recommendation is implemented with other structural reforms proposed by the ALRC. This is particularly the case in relation to the movement of information between the private and the public health sectors. The recommendations in this chapter are part of a package of reforms. They will need to be implemented in total if national consistency is to be achieved.

Recommendation 3-1 The Privacy Act should be amended to provide that the Act is intended to apply to the exclusion of state and territory laws dealing specifically with the handling of personal information by organisations. In particular, the following laws of a state or territory would be excluded to the extent that they apply to organisations:

(a) Health Records and Information Privacy Act 2002 (NSW);

(b) Health Records Act 2001 (Vic);

(c) Health Records (Privacy and Access) Act 1997 (ACT); and

(d) any other laws prescribed in the regulations.

Recommendation 3-2 States and territories with information privacy legislation that purports to apply to organisations should amend that legislation so that it no longer applies to organisations.

Preserving some state and territory laws

3.77 There are various state and territory laws that regulate the handling of personal information in the private sector that would need to be preserved if the Australian Government enacted national privacy legislation. For example, state and territory public health Acts require health service providers (including health service providers in the private sector) to collect and record certain information about health consumers with ‘notifiable diseases’, such as tuberculosis, Creutzfeldt-Jakob disease and HIV/AIDS.[101] Other state and territory laws contain provisions that require mandatory reporting for children suspected of being at risk of harm.[102] These provisions usually apply to persons who work in both the public and private sectors in areas such as health care, welfare, education, children’s services, residential services, or law enforcement.

3.78 The Government of Victoria noted that there are a number of state laws that regulate the handling of personal information by both the private sector and the state public sector, for example the Infertility Treatment Act 1995 (Vic) and the Adoption Act 1984 (Vic).[103] The Australian Government Department of Health and Ageing also noted that a number of state laws would need to be preserved or incorporated into national legislation, such as child protection, disability and public health legislation.[104]

3.79 Stakeholders suggested a range of other state and territory laws that should be preserved under national privacy laws. These include laws mandating reporting to coroners (which may involve reporting personal information of living and deceased persons); legislation mandating reporting of ill health of health practitioners to professional registration bodies; legislative provisions that prevent disclosure of certain information relating to quality assurance activities or committees;[105] and quarantine laws that have privacy implications.[106]

3.80 In DP 72, the ALRC noted that the model UPPs would accommodate most of these laws. For example, the exception to the ‘Use and Disclosure’ principle in the model UPPs for use and disclosure that is ‘required or authorised by or under a law’ would effectively preserve many of these laws. To ensure clarity, however, the ALRC proposed that the Privacy Act should not apply to the exclusion of a law of a state or territory so far as the law deals with any ‘non-excluded matters’ set out in the Privacy Act.[107]

Submissions and consultations

3.81 Some stakeholders agreed that a number of state laws that regulate the private sector would need to be preserved under national privacy legislation regulating the private sector.[108]

3.82 Other stakeholders submitted, however, that the ALRC’s proposal was too complex and would cause confusion.[109] PIAC supported the proposal in principle, but expressed concern that the consultation process would be cumbersome, time consuming and likely to delay indefinitely implementation of the proposed amendments to the Privacy Act.

PIAC sees no reason why the amendments can’t simply be drafted in a way that lists broad categories of laws that have already been identified in submissions to the ALRC as appropriate ‘non-excluded matters’. As well as laws dealing with reporting for child protection purposes and public health purposes, the list of ‘non-excluded matters’ should include laws regulating adoption, infertility treatment and disability service provision.[110]

3.83 The OPC was unsure of the merits of the proposal. It submitted that the state and territory laws described in the proposal will generally fall under the various ‘required by or under law’ exceptions to the model UPPs; or will be authorised information handling practices and therefore meet the ‘authorised by or under law’ exceptions. In the OPC’s view, prescribing a list of non-excluded matters may promote confusion as to the status of those state and territory laws that may otherwise satisfy an exception in the privacy principles, but which are not included on the prescribed list.[111]

ALRC’s view

3.84 There are good public interest reasons why certain state and territory laws should continue to operate under national privacy legislation. For example, state and territory public health Acts require health service providers (including private sector health service providers) to collect and record certain information about health consumers with ‘notifiable diseases’; and other state and territory laws contain provisions that require mandatory reporting when a child is suspected of being at risk of harm. These provisions usually apply to persons who work in both the public and private sectors.

3.85 The model UPPs would generally preserve these laws under the ‘required or authorised by or under law’ exception. The ALRC is concerned, however, that amending the Privacy Act to ‘cover the field’ could unintentionally exclude state and territory laws that are not preserved by any of the exceptions to the model UPPs or an exemption under the Privacy Act. A list of ‘preserved matters’[112] will create certainty as to the state and territory laws that are preserved if the Privacy Act is amended to ‘cover the field’.

3.86 Prescribing a list of non-excluded matters may promote confusion as to the status of those state and territory laws that may otherwise satisfy a ‘required or authorised by or under law’ exception in the privacy principles, but which are not included on the prescribed list. The list of ‘preserved matters’ should only include matters which are not covered adequately by an exception or exemption under the Privacy Act.[113]

3.87 The Privacy Act should not apply to the exclusion of a law of a state or territory so far as the law deals with any ‘preserved matters’ set out in the legislation. The ALRC has adopted s 16 of the Workplace Relations Act 1996 (Cth) as a model to deal with state and territory laws that should be preserved under the Privacy Act. That section provides that the Workplace Relations Act operates to the exclusion of state and territory law, except in relation to a list of ‘non-excluded matters’. The non-excluded matters are broad categories of laws such as ‘superannuation’, ‘long service leave’ and ‘child labour’.

3.88 In DP 72, the ALRC gave a number of examples of state and territory laws that should be included in a list of ‘preserved matters’, including ‘reporting for child protection purposes’ and ‘reporting for public health purposes’. While these were only examples of the kinds of matters that could be included on the list, most of them would be accommodated by the ‘required or authorised by or under law’ exception. The ALRC does not recommend examples of laws that should be included in the ‘preserved matters’ list.

3.89 If the Privacy Act is amended to ‘cover the field’, however, provisions under state and territory privacy laws that regulate the handling of personal information by organisations that contract with state and territory government agencies would need to be preserved. In Chapter 14, the ALRC recommends that state and territory privacy legislation should include provisions that regulate the handling of personal information by organisations when contracting with state and territory government agencies. These laws would not be covered by an exception to the model UPPs or an exemption, and should be preserved under an extended Privacy Act.

3.90 There are a range of other state and territory laws that regulate the handling of personal information in the private sector that should be preserved under national privacy laws. It is vital that the Australian Government consult with state and territory governments about the laws that should be preserved under an extended Privacy Act.

3.91 New state and territory laws may need to be preserved following the initial process of identifying ‘preserved matters’. The list of preserved matters should be able to include matters prescribed in regulations to allow other matters to be added to the list from time to time.

Recommendation 3-3 The Privacy Act should not apply to the exclusion of a law of a state or territory so far as the law deals with any ‘preserved matters’ set out in the Act. The Australian Government, in consultation with state and territory governments, should develop a list of ‘preserved matters’. The list should only include matters that are not covered adequately by an exception to the model Unified Privacy Principles or an exemption under the Privacy Act.

[83] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 4–1(a)–(c).

[84] Ibid, Proposal 4–1(d).

[85] Ibid, Proposal 4–1.

[86] See, eg, Australian Privacy Foundation, Submission PR 553, 2 January 2008; Investment and Financial Services Association, Submission PR 538, 21 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Suncorp-Metway Ltd, Submission PR 525, 21 December 2007; Confidential, Submission PR 519, 21 December 2007; Federation of Community Legal Centres (Vic), Submission PR 509, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Centre for Law and Genetics, Submission PR 497, 20 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; National Catholic Education Commission and Independent Schools Council of Australia, Submission PR 462, 12 December 2007; Telstra Corporation Limited, Submission PR 459, 11 December 2007.

[87] Privacy NSW, Submission PR 468, 14 December 2007.

[88] Queensland Government, Submission PR 490, 19 December 2007.

[89] Cancer Council Australia and Clinical Oncological Society of Australia, Submission PR 544, 23 December 2007.

[90] National Health and Medical Research Council, Submission PR 397, 7 December 2007. See also Microsoft Asia Pacific, Submission PR 463, 12 December 2007.

[91] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[92] Office of the Health Services Commissioner (Victoria), Submission PR 518, 21 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[93] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[94] Microsoft Asia Pacific, Submission PR 463, 12 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007. Microsoft Asia Pacific stated, however, that if a single national law is not possible for constitutional reasons or otherwise, then there is merit in a Commonwealth-state cooperative scheme: Microsoft Asia Pacific, Submission PR 463, 12 December 2007.

[95] Law Council of Australia, Submission PR 527, 21 December 2007.

[96] This issue is discussed in Ch 14.

[97] The ALRC has recommended that the Australian Government should initiate a review in five years to consider whether national consistency has been achieved and whether it would be more effective for the Australian Parliament to exercise its legislative power in relation to information privacy in the state and territory public sectors. See Rec 3–6.

[98] Australian Law Reform Commission and Australian Health Ethics Committee, Essentially Yours: The Protection of Human Genetic Information in Australia, ALRC 96 (2003), Rec 7–1.

[99] Another model is the Corporations Act 2001 (Cth) pt 1.1A.

[100] For example, the Information Privacy Bill 2007 (WA) proposes to regulate the handling of health information by the private sector in Western Australia. Further, the Information Privacy Act 2000 (Vic) could potentially regulate the handling of personal information by private sector organisations that are declared to be ‘organisations’ for the purposes of the Act: Information Privacy Act 2000 (Vic) s 9.

[101] See, eg, Public Health Act 1991 (NSW) s 14; Health (Infectious Diseases) Regulations 2001 (Vic) reg 6.

[102] See, eg, Children, Youth and Families Act 2005 (Vic) pt 4.4; Child Protection Act 1999 (Qld); Children’s Protection Act 1993 (SA) pt 4; Children, Young Persons and Their Families Act 1997 (Tas) pt 3.

[103] Government of Victoria, Submission PR 288, 26 April 2007. See also Office of the Victorian Privacy Commissioner, Submission PR 217, 28 February 2007.

[104] Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007.

[105] See, eg, Health Insurance Act 1973 (Cth) pt VC: National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[106] Australian Government Department of Agriculture, Fisheries and Forestry, Submission PR 556, 7 January 2008.

[107] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 4–3.

[108] See, eg, Government of South Australia, Submission PR 565, 29 January 2008; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cancer Council Australia and Clinical Oncological Society of Australia, Submission PR 544, 23 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Confidential, Submission PR 519, 21 December 2007; Federation of Community Legal Centres (Vic), Submission PR 509, 21 December 2007; Centre for Law and Genetics, Submission PR 497, 20 December 2007; National Children’s and Youth Law Centre, Submission PR 491, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; National Catholic Education Commission and Independent Schools Council of Australia, Submission PR 462, 12 December 2007; Telstra Corporation Limited, Submission PR 459, 11 December 2007; Tasmanian Government Department of Health and Human Services, Submission PR 436, 10 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[109] Office of the Health Services Commissioner (Victoria), Submission PR 518, 21 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[110] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[111] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[112] Some stakeholders advised the ALRC that they found the phrase ‘non-excluded matters’ confusing. The ALRC has substituted ‘non-excluded matters’ with the phrase ‘preserved matters’ to avoid any confusion.

[113] An exception applies where a requirement in the privacy principles does not apply to any entity in a specified situation or in respect of certain conduct. An exemption applies where a specified entity or a class of entity is not required to comply with any requirements in the Privacy Act. The distinction between exceptions and exemptions is discussed further in Ch 33.