‘Accountability’ principle

Background

32.3 Accountability principles provide a framework through which requirements for the handling of personal information can be enforced. Most commonly, accountability principles require a regulated entity to identify a person or persons who will take responsibility for that entity’s compliance. For example, the Organisation for Economic Co-operation and Development’s Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980) (OECD Guidelines) provide that ‘a data controller should be accountable for complying with measures which give effect to the [other] principles [in the OECD Guidelines]’.[4]

32.4 Accountability principles also may require a regulated entity, in certain circumstances, to retain responsibility for personal information that it transfers to third parties. For example, Canadian privacy law provides:

An organisation is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organisation shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.[5]

32.5 The IPPs and the NPPs do not include a specific privacy principle dealing with accountability. Some other provisions of the Privacy Act 1988 (Cth), however, are relevant to an accountability framework. In particular, ss 13 and 13A establish that, where an agency or organisation is in breach of the privacy principles, this constitutes an interference with privacy. Such a breach triggers the availability of a number of avenues to enforce compliance.[6]

32.6 Under IPP 4, agencies are required to take steps to protect personal information that they transfer to third parties. This principle provides, in part, that:

if it is necessary for the record to be given to a person in connection with the provision of a service to the record-keeper, everything reasonably within the power of the record-keeper [must be] done to prevent unauthorised use or disclosure of information contained in the record.[7]

32.7 Section 95B of the Privacy Act also requires an agency that enters into a Commonwealth contract to take contractual measures to ensure that a service provider acts in accordance with the IPPs.[8]

32.8 The NPPs do not include an equivalent ‘contractors’ requirement. NPP 9, however, prohibits an organisation from transferring personal information overseas unless a number of conditions are satisfied. These include where the organisation:

  • reasonably believes that the recipient of the information is subject to principles for fair handling of the information that are substantially similar to the NPPs; or

  • has taken steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient inconsistently with the NPPs.[9]

Submissions and consultations

32.9 Some stakeholders supported the inclusion of a specific privacy principle in the model UPPs dealing with accountability.[10] Smartnet, for example, noted that individuals do not want their personal information to be passed on or used for an unintended purpose. It suggested that the most appropriate solution to this

is to require the initial collecting organisation to remain accountable for the use and protection of all information it collects, even when that information has been transferred to another party.[11]

32.10 The Australian Federal Police and the National Health and Medical Research Council, however, specifically opposed the addition of an ‘Accountability’ principle.[12] The Office of the Privacy Commissioner (OPC) submitted that

agencies and organisations [should] incorporate privacy into their decision-making, policies and culture through non-legislative solutions. For example … agencies [may] nominate … a ‘privacy contact officer’ to provide expert guidance on privacy issues and serve as the first point of contact for privacy questions within the agency. In the private sector, the privacy connections network provides a forum for developing and promoting good privacy practice.[13]

32.11 The Cyberspace Law and Policy Centre questioned the practical utility of an ‘Accountability’ principle and commented that the existing models of this principle ‘seem to add little substance’ to current privacy protections.[14]

ALRC’s view

32.12 The ALRC does not support the inclusion of a discrete ‘Accountability’ principle in the model UPPs. Ensuring that agencies and organisations are accountable for their handling of personal information can be better achieved in other ways.

32.13 In this Report, the ALRC makes a number of recommendations to improve compliance with the Privacy Act by agencies and organisations—in particular, by enhancing the powers of the Privacy Commissioner to investigate and resolve privacy complaints.[15] In addition, the ALRC recommends establishing a statutory cause of action for serious invasions of privacy.[16] Accountability for personal information handling also will be promoted through the ALRC’s recommended data breach notification provisions.[17]

32.14 Issues of accountability often arise where an agency or organisation subcontracts the handling of personal information to an entity that is not bound by the Privacy Act. In this Report, the ALRC recommends removing a number of the current exemptions from the Privacy Act—most relevantly, the small business exemption.[18]

32.15 Accountability also is central to the ALRC’s recommended ‘Cross-border Data Flows’ principle. In particular, this principle establishes accountability as the default position in relation to cross-border data flows. An agency or organisation will be responsible under the Privacy Act for the acts and practices of a recipient of personal information that is the subject of a cross-border transfer unless one of the three exceptions applies.[19]

32.16 Provided these recommendations are implemented, there will be few, if any, situations where an agency or organisation is not responsible for handling personal information in accordance with the Privacy Act.

[4] Organisation for Economic Co-operation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980), Guideline 14. See, also: Federal Data Protection Act 1990 (Germany) ss 4f, 4g; Personal Information Protection and Electronic Documents Act 2000 SC 2000, c 5 (Canada) sch 1, Principle 4.1.

[5] See Personal Information Protection and Electronic Documents Act 2000 SC 2000, c 5 (Canada) sch 1, Principle 4.1.

[6] Compliance with, and enforcement of, the requirements in the privacy principles are discussed in Part F.

[7] Privacy Act 1988 (Cth) s 14, IPP 4.

[8] Commonwealth contracts are discussed in Ch 14.

[9] Privacy Act 1988 (Cth) sch 3, NPP 9. This principle is discussed in Ch 31.

[10] National Association for Information Destruction, Submission PR 133, 19 January 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007; NSW Disability Discrimination Legal Centre (Inc), Submission PR 105, 16 January 2007.

[11] Smartnet, Submission PR 457, 11 December 2007.

[12] Australian Federal Police, Submission PR 186, 9 February 2007; National Health and Medical Research Council, Submission PR 114, 15 January 2007.

[13] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[14] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[15] See Chs 49, 50.

[16] See Ch 74.

[17] See Ch 51.

[18] See Ch 39.

[19] See Ch 31.