Other methods to achieve national consistency

3.164 This section of the chapter summarises various methods for dealing with inconsistency and fragmentation in the regulation of personal information. Some of these methods are discussed in detail in other chapters of this Report.

Codes made under privacy legislation

3.165 In Chapter 48, the ALRC states that organisations and industries should retain the ability to flesh out the requirements of the privacy principles in privacy codes approved by the Privacy Commissioner under Part IIIAA of the Privacy Act; and that codes could be made binding under the regulation-making power recommended by the ALRC.[177]

3.166 State and territory privacy commissioners have the power to develop codes under some state and territory privacy legislation.[178] The ALRC notes the potential for inconsistency in privacy regulation to occur as a result of different privacy commissioners issuing privacy codes in different jurisdictions.

3.167 In Chapter 17, the ALRC recommends that the OPC and state and territory privacy regulators and agencies with responsibility for privacy regulation should develop and publish a memorandum of understanding. In the ALRC’s view, this memorandum of understanding should set out a process for consultation with privacy commissioners in other jurisdictions when the OPC is developing codes under the Privacy Act, or when state and territory privacy commissioners are developing codes under state or territory privacy legislation.[179]

Joint guidance

3.168 In its submission to this Inquiry, the OPC noted that providing greater guidance on the operation of existing laws, and how they relate to other regulations, will help harmonise current privacy laws.[180] In DP 72, the ALRC made a number of proposals for the OPC and other bodies to develop and publish guidance. For example, the ALRC proposed that the OPC provide further guidance on the model UPPs. The OVPC responded to these proposals noting that such guidance should be prepared jointly or in consultation with state and territory privacy commissioners, so that both the content of legislation and the interpretation and procedures of privacy commissioners can be as consistent as possible.

3.169 In the ALRC’s view, a memorandum of understanding between the OPC and state and territory privacy regulators could outline a consultation process when developing guidance on the UPPs and the Privacy (Health Information) Regulations. In Chapter 17, the ALRC recommends that the OPC and state and territory privacy regulators and agencies with responsibility for privacy regulation should develop and publish a memorandum of understanding that includes a process for the development and publication of joint guidance.

Rules and guidelines

3.170 The potential for inconsistency and complexity to arise because of the development of privacy rules and guidelines by agencies and organisations is discussed in Chapter 17. Organisations and agencies should consult with the OPC when developing privacy rules and guidelines.

Privacy impact statements

3.171 In DP 72, the ALRC considered whether a ‘privacy impact statement’ should accompany any federal, state and territory government proposal to introduce legislation that impinges on privacy.[181] Such a statement could include a privacy impact assessment and an analysis of whether the government proposal is consistent with existing federal, state and territory laws relating to the regulation of privacy. This may include consideration of privacy matters other than the protection of personal information.

3.172 The ALRC has not recommended that a privacy impact statement should accompany every federal, state and territory government proposal to introduce legislation that impinges on privacy. A mandatory requirement of this kind would involve an unjustified compliance burden and cost.

3.173 The ALRC has recommended, however, that the Privacy Act should be amended to empower the Privacy Commissioner to direct an agency to provide to the Privacy Commissioner a Privacy Impact Assessment (PIA) in relation to a new project or development that the Privacy Commissioner considers may have a significant impact on the handling of personal information.[182]

3.174 New government projects will often require the enactment of legislation. When a government agency is conducting a PIA of a new project that is supported by legislation, the assessment should address how the new legislation will interact with existing federal, state and territory privacy laws. This should help to maintain national consistency. PIAs are considered in detail in Chapter 47.

[177] See Chs 4, 48.

[178] See Ch 2.

[179] See Rec 4–6.

[180] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[181] N Waters, Consultation PC 17, Sydney, 2 May 2006; Australian Privacy Foundation, Consultation PC 4, Sydney, 27 February 2006. See also G Greenleaf, Consultation PC 5, Sydney, 28 February 2006.

[182] Rec 47–4.