Location of the exemption provisions

33.64 The exemptions from the Privacy Act are contained in a number of provisions throughout the Act, including ss 6C–7C, 12A, 12B, 13A–13D and 16E. Setting out these exemptions together in one part of the Act arguably would make the exemption provisions more accessible. For example, exemptions under the FOI Act are set out in a schedule to that Act.

33.65 Some overseas jurisdictions—such as the United Kingdom, New Zealand and Hong Kong—set out most of their exemption provisions in a specific part of the legislation.[119] Other jurisdictions, such as the United States and Canada, group exemption provisions together in one section or consecutive sections.[120]

Submissions and consultations

33.66 In DP 72, the ALRC noted the OPC’s submission that a two-pronged approach to locating the exemption provisions should be adopted. Where exemptions exist for certain categories of entities, the exemptions should be grouped together in one part of the Act. Where exemptions exist for specific, named entities, they should be listed in a schedule to the Privacy Act. This listing should distinguish between entities with a full exemption and those with a partial exemption.[121]

33.67 The ALRC expressed the preliminary view that, in the interest of accessibility and clarity, the two-pronged approach to locating exemption provisions suggested by the OPC should be adopted. The ALRC therefore proposed that the Privacy Act be amended to: group together in a separate Part of the Act exemptions for certain categories of entities or types of acts and practices; and set out in a schedule to the Act exemptions for specific, named entities.[122] The proposed schedule would distinguish between entities that are completely exempt and those that are partially exempt from the Privacy Act. For those entities that are partially exempt, the schedule would specify those acts and practices that are exempt.[123]

33.68 Most of the stakeholders who commented on the location of exemption provisions supported the approach proposed in DP 72.[124] There was specific support in submissions for grouping together in a separate part of the Act exemptions for certain categories of entities or types of acts and practices.[125] Stakeholders suggested that this would simplify the Act,[126] make it more accessible,[127] and facilitate compliance by agencies and organisations.[128] Some stakeholders also supported specifically the proposal to set out in a schedule to the Privacy Act exemptions for specific, named entities.[129]

33.69 The OVPC and the Australian Privacy Foundation supported the general approach to exemptions proposed in DP 72, but submitted that, in principle, agencies or organisations should not be exempt completely from the obligation to comply with privacy principles.[130]

33.70 The REIA submitted that both exempt entities and those entities specifically made subject to the Privacy Act should be listed in subordinate legislation, on the basis that ‘regular legislative reviews and changing community concerns are likely to result in ongoing changes to the status of [these] entities’. It stated that this would ‘aid the modification of the Act over time, in recognition of the need for the Privacy Act to stay abreast of technological, social and political developments’.[131]

33.71 It was suggested that, where possible, exemptions should be located within the privacy principles to which they relate, which would avoid misleading impressions of the coverage of the privacy principles and prevent exempt organisations from making claims about their compliance with a principle.[132] Telstra and the ABC, on the other hand, submitted that the exemptions should remain where they are, on the basis that stakeholders are now familiar with the layout of the Act,[133] and the cost of complying with amendments to the Privacy Act would outweigh any benefit that would result from a redrafting of the Act.[134]

33.72 Privacy NSW also considered that there was value in placing exemptions within the privacy principles. It submitted that, where an exemption relates to categories of information, it should appear as exceptions to the definition of ‘personal information’ rather than be linked to the agency or organisation itself.[135]

ALRC’s view

33.73 Where exemptions for certain categories of entities or types of acts and practices exist, they should be grouped together in a separate part of the Act. Privacy legislation in some overseas jurisdictions groups exemptions under a separate part of the legislation—for example, Part IV of the Data Protection Act 1998 (UK) and Part VIII of the Data Protection (Privacy) Ordinance (Hong Kong). The categories of entities or types of acts and practices that should be grouped together in a part of the Privacy Act include: federal courts; Royal Commissions; the exemption relating to personal use; the journalism exemption; and exemptions applying to related bodies corporate, change in partnership, and an act or practice that is required by foreign law.

33.74 Specific, named entities that are exempt from the Privacy Act—such as ASIO; the IGIS; specified federal tribunals, commissions or boards; the ACC and the Integrity Commissioner—should be set out in a schedule to the Act. The schedule should set out clearly the scope of any such exemption. Thisis consistent with the approach in the FOI Act. In relation to specific agencies that are exempt from both the Privacy Act and the FOI Act, such as the Australian Transaction Reports and Analysis Centre, theyshould be specified in the schedule to the Privacy Act,instead of by reference to their exempt status under the FOI Act. This would avoid the need to refer to other legislation when determining the exempt status of particular agencies under the Privacy Act.

33.75 This two-pronged approach will increase the accessibility and clarity of the exemption provisions. The alternative approach, of locating partial or full exemptions within specific privacy principles, has the potential to render the principles overly complex and unwieldy. Since all of the exemptions relate to specific functions or activities of an agency or organisation, rather than categories of information, locating exemptions within the definition of ‘personal information’ also would not be appropriate.

Recommendation 33-1 The Privacy Act should be amended to group together in a separate part of the Act exemptions for certain categories of agencies, organisations and entities or types of acts and practices.

Recommendation 33-2 The Privacy Act should be amended to set out in a schedule to the Act exemptions for specific, named agencies, organisations and entities. The schedule should distinguish between agencies, organisations and entities that are completely exempt and those that are partially exempt from the Privacy Act. With respect to partially exempt agencies, organisations and entities, the schedule should specify the particular acts and practices that are exempt.

[119] See, eg, Data Protection Act 1998 (UK) Part IV—Exemptions; Privacy Act 1993 (NZ) Part 6—Codes of practice and exemptions from information privacy principles; Data Protection Act 1988 (Ireland) s 1(4)(c); Personal Data (Privacy) Ordinance (Hong Kong) Part VIII—Exemptions.

[120]Privacy Act 1974 5 USC § 552a (US) (j), (k); Personal Information Protection and Electronic Documents Act 2000 SC 2000, c 5 (Canada) s 4(2).

[121] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[122] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposals 30–1, 30–2.

[123] Ibid, Proposal 30–2.

[124] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Optus, Submission PR 532, 21 December 2007 Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[125] BPay, Submission PR 566, 31 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; Optus, Submission PR 532, 21 December 2007s; Australian Taxation Office, Submission PR 515, 21 December 2007; P Youngman, Submission PR 394, 7 December 2007; G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007.

[126] BPay, Submission PR 566, 31 January 2008; Australian Taxation Office, Submission PR 515, 21 December 2007.

[127] BPay, Submission PR 566, 31 January 2008; Australian Taxation Office, Submission PR 515, 21 December 2007.

[128] BPay, Submission PR 566, 31 January 2008.

[129] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Optus, Submission PR 532, 21 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007. See also Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Confidential, Submission PR 143, 24 January 2007; National Health and Medical Research Council, Submission PR 114, 15 January 2007; Office of the Information Commissioner (Northern Territory), Submission PR 103, 15 January 2007.

[130] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[131] Real Estate Institute of Australia, Submission PR 84, 12 January 2007. See also Real Estate Institute of Australia, Submission PR 400, 7 December 2007.

[132] G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007.

[133] Australian Broadcasting Corporation, Submission PR 94, 15 January 2007.

[134] Telstra, Submission PR 185, 9 February 2007.

[135] Privacy NSW, Submission PR 468, 14 December 2007.