The number and scope of exemptions

The number of exemptions

33.37 The Privacy Act has been criticised for the large number of exemptions it contains.[67] In the public sector, there are three classes of agencies—federal courts, ministers and royal commissions—and more than 20 specific, named agencies that are partially or completely exempt from the operation of the Act. In the private sector, in addition to the four exempt classes of entities—namely, small business operators, registered political parties, state and territory authorities, and prescribed state and territory instrumentalities—there are eight categories of organisations that are exempt from the Act.[68]

33.38 The OECD Guidelines state that exceptions to the privacy principles should be ‘as few as possible’.[69] Similarly, under the APEC Privacy Framework, exceptions to the principles are to be ‘limited and proportional to meeting the objectives to which the exceptions relate’.[70]

33.39 One commentator has expressed the view that keeping exemptions to a minimum, and limiting them to particular provisions of the law whenever possible, is important to ensure that privacy protection applies as widely as possible throughout the community.[71] Another commentator argued that the effect of the large number of private sector exemptions in the Privacy Act is to validate the data processing practices of certain organisations, thus failing to protect the privacy of individuals adequately.[72]

33.40 Privacy legislation in some jurisdictions contains significantly fewer exemptions than the Privacy Act. For example, there are four exemptions in the privacy legislation in force in the United Kingdom,[73] 15 in New Zealand,[74] and three in Hong Kong.[75] Although there are some exemptions common to both Australia and comparable jurisdictions—such as exemptions relating to personal use, national security, defence and journalism—a number of exemptions from the Privacy Act are not provided for in other jurisdictions. For example, contrary to the position in Australia, legislation in the United Kingdom, Canada and Hong Kong does not contain exemptions for specified government bodies, such as defence agencies and Auditors-General.[76] In the United Kingdom, Canada and New Zealand, there is no exemption that applies to small businesses, employee records, registered political parties, or political acts and practices.[77]

33.41 In DP 72, the ALRC noted that stakeholders often expressed the concern that there are too many exemptions from the Privacy Act.[78] The Office of the Privacy Commissioner (OPC) submitted that exemptions under the Privacy Act should be minimised in order to achieve uniformity and consistency of application of privacy legislation, and that a clear public interest for the exemptions should exist to support their creation or continuation. The OPC suggested that ‘existing exemptions contained in the Privacy Act have developed over time and in some instances may require review to assess their continuing suitability’.[79]

33.42 The Centre for Law and Genetics also submitted that the substantial number of exemptions has the potential to undermine the operation of the privacy principles and compromise the privacy of individuals.[80] Similarly, the Legal Aid Commission of New South Wales submitted that ‘the Act would be more effective if there were fewer exemptions, but a more flexible approach to applying the principles to different circumstances’.[81]

The scope of the exemptions

33.43 In relation to the public sector, the acts and practices of some agencies—namely, the Australian Crime Commission (ACC), the Integrity Commissioner or a staff member of the Australian Commission for Law Enforcement Integrity, royal commissions, the Commission of inquiry into the 2007 equine influenza outbreak and certain intelligence agencies—are completely exempt from the Privacy Act.[82] The relevant intelligence agencies are defined as the Australian Secret Intelligence Service (ASIS), ASIO and the Office of National Assessments (ONA).[83]

33.44 In relation to the private sector, certain entities are excluded specifically from the definition of ‘organisation’ and therefore are exempt from compliance with the NPPs, unless they fall within one of the conditions under which the exemption does not apply. These entities include small business operators, registered political parties, state and territory authorities, and prescribed state and territory instrumentalities.[84] As a result, a large number of entities are exempt from the Privacy Act. The Australian Government Department of Employment, Workplace Relations and Small Business has estimated that approximately 94% of businesses may be exempt from the private sector provisions of the Act.[85]

33.45 Professor Graham Greenleaf and Nigel Waters have suggested that blanket exemptions for whole classes of agencies and organisations are undesirable.[86] Clarke has argued that any form of exemption creates a risk insofar as ‘it creates a void within which uncontrolled abuses can occur’.[87]

33.46 It also has been suggested that some of the exemption provisions are expressed too broadly.[88] For example, acts and practices of a media organisation done ‘in the course of journalism’ are exempt from the Privacy Act.[89] Under the Act, a ‘media organisation’ is an organisation that collects, prepares or disseminates materials having the character of news, current affairs, information or documentaries to the public; or commentary or opinion on, or analysis of, these materials.[90] The terms ‘in the course of journalism’, ‘news’, ‘current affairs’ and ‘documentary’ are not defined. Waters has argued that the lack of definitions and the inclusion of ‘information’ separately from news, current affairs and documentaries, allow any organisation publishing material to take advantage of the exemption.[91] The exemption that applies in the course of journalism is discussed further in Chapter 42.

33.47 In submissions to this Inquiry, a number of stakeholders suggested that exemptions should be justified and limited to the extent possible;[92] and emphasised the need for a clear rationale for each exemption.[93]

33.48 The Social Security Appeals Tribunal stated that ‘agencies should not be excluded from the operation of the Privacy Act by genus’.[94] By contrast, the OPC emphasised the need to ensure the consistent coverage of entities that have a similar nature and function, submitting that the consistent application of exemptions would ‘foster greater clarity as to the intention and coverage of exemptions’.[95]

33.49 Some stakeholders submitted that it is preferable for exemptions to be targeted at either: specific acts and practices;[96] particular types of information; or specific information handling purposes.[97] One individual suggested that entities should apply for an exemption from the Privacy Act on a case-by-case basis, and that any exemption should be limited in time and circumstances.[98] The AFP and the Insurance Council of Australia, on the other hand, submitted that the current exemptions are appropriate.[99]

33.50 The OPC, the Commonwealth Ombudsman and Privacy NSW considered that exempt entities should be encouraged to adopt information-handling standards that are similar to those contained in the Privacy Act.[100] Privacy NSW stated that it has formally adopted the Data Protection Principles developed by the New South Wales Privacy Committee in 1991 as a best practice standard in dealing with complaints against entities in New South Wales that are not covered by privacy law.[101]

33.51 As noted above, there are more exemptions from the Privacy Act than from privacy legislation in other comparable jurisdictions. More importantly, some of the exemptions contained in the Privacy Act do not appear to be justified as a matter of public policy, or are framed too broadly. For example, the justification for the exemption that applies to some of the agencies listed under the FOI Act is unclear.[102] One of those exempt agencies, the National Health and Medical Research Council, has acknowledged that it was not aware of the reason for its partial exemption from the operation of the Privacy Act and would not object to the removal of the exemption.[103] Similarly, there does not appear to be any sound policy basis for leaving unprotected the personal information contained in employee records.[104]

33.52 Even where an exemption may be justified, sometimes its scope under the existing provisions of the Privacy Act is too wide. For instance, media organisations are exempt in relation to activities done ‘in the course of journalism’, provided that they are publicly committed to certain privacy standards. The term ‘journalism’ and other key terms, however, are not defined. In addition, ‘media organisation’ is defined to mean an organisation the activities of which consist of collecting, preparing or disseminating news, current affairs, information or documentary (and related commentary, opinion and analysis) to the public. Arguably, the use of the word ‘information’ separately from ‘news’, ‘current affairs’ and ‘documentary’, makes the exemption too wide. The lack of criteria for media privacy standards also means that public commitment to any privacy statement—even one that has little substance—may allow an individual or organisation to take advantage of the exemption.[105]

33.53 Consistent with international standards, exemptions should be limited to the extent possible and justified on sound policy grounds. The ALRC agrees with the submissions by stakeholders that, even when partial or full exemptions from the Privacy Act are justified, the exempt entities should be encouraged to adopt information-handling practices that are, to the extent possible, consistent with the privacy principles. In the remaining chapters in Part E, the ALRC makes a number of recommendations for reform that are intended to give effect to this policy position.

[67] R Clarke, The Australian Privacy Act 1988 as an Implementation of the OECD Data Protection Guidelines (1989) Australian National University <www.anu.edu.au/people/Roger.Clarke/DV/PActOECD.html> at 14 April 2008; Electronic Frontiers Australia Inc, Submission to the Senate Legal and Constitutional Legislation Committee’s Inquiry into the Provisions of the Privacy Amendment (Private Sector) Bill 2000, 3 September 2000.

[68] Privacy Act 1988 (Cth) s 7B(1) (individuals acting in a non-business capacity), s 7B(2) (contracted service providers for a Commonwealth contract), s 7B(3) (current or former employers of an individual), s 7B(4) (media organisations), s 7B(5) (contracted service providers for a state contract); s 7C (political representatives); s 13B (related bodies corporate); s 13C (partnerships).

[69] Organisation for Economic Co-operation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980), Guideline 4(a).

[70] Asia-Pacific Economic Cooperation, APEC Privacy Framework (2005), [13].

[71] N Waters, ‘Essential Elements of a New Privacy Act’ (1999) 5 Privacy Law & Policy Reporter 168, 168.

[72] H Lloyd, ‘Are Privacy Laws More Concerned with Legitimising the Data Processing Practices of Organisations than with Safeguarding the Privacy of Individuals?’ (2002) 9 Privacy Law & Policy Reporter 81.

[73] Data Protection Act 1998 (UK) s 30(2) (personal data in respect of which the data controller is a proprietor of, or a teacher at, a school; or an education authority in Scotland), s 30(3) (personal data processed by government departments, local authorities, voluntary organisations or other bodies in the context of carrying out social work), s 31 (personal data processed for the purposes of discharging functions relating to regulatory activity), s 36 (personal data processed by individuals for the purposes of their family or household affairs, including recreational purposes). Note that, although Schedule 7 to the Act is entitled ‘Miscellaneous Exemptions’, the provisions in that schedule are exceptions to specific data protection principles, rather than exemptions.

[74] Privacy Act 1993 (NZ) s 2(1) (the term ‘agency’ does not include: the Sovereign; the Governor-General or the Administrator of the Government; the House of Representatives; a member of Parliament in his or her official capacity; the Parliamentary Service Commission; the Parliamentary Service (with certain exceptions); in relation to its judicial functions, a court; in relation to its judicial functions, a tribunal; an Ombudsman; a Royal Commission; a commission of inquiry appointed under the Commissions of Inquiry Act 1908 (NZ); a commission, board, court or committee of inquiry appointed by statute to inquire into a specified matter; or in relation to its news activities, any news medium), s 56 (personal information held by individuals for the purposes of their personal, family, or household affairs), s 57 (information held by intelligence organisations).

[75] Personal Data (Privacy) Ordinance (Hong Kong) s 52 (personal data held by individuals for the management of their personal, family or household affairs or for recreational purposes), s 57 (personal data held by or on behalf of the government for the purposes of safeguarding security, defence or international relations in respect of Hong Kong), s 61 (personal data held by a data user whose business consists of a news activity and solely for the purpose of that activity). Note that, although Part VIII of the Ordinance is entitled ‘Exemptions’, some of the provisions in that part are exceptions to the data protection principles, rather than exemptions: see, eg, Personal Data (Privacy) Ordinance (Hong Kong) s 53 (employment—staff planning), s 60 (legal professional privilege), s 62 (statistics and research).

[76] Data Protection Act 1998 (UK); Privacy Act RS 1985, c P-21 (Canada); Personal Information Protection and Electronic Documents Act 2000 SC 2000, c 5 (Canada); Personal Data (Privacy) Ordinance (Hong Kong).

[77] Data Protection Act 1998 (UK); Personal Information Protection and Electronic Documents Act 2000 SC 2000, c 5 (Canada); Privacy Act 1993 (NZ).

[78] Centre for Law and Genetics, Submission PR 127, 16 January 2007; National Health and Medical Research Council, Submission PR 114, 15 January 2007; Legal Aid Commission of New South Wales, Submission PR 107, 15 January 2007.

[79] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[80] Centre for Law and Genetics, Submission PR 127, 16 January 2007.

[81] Legal Aid Commission of New South Wales, Submission PR 107, 15 January 2007.

[82] Privacy Act 1988 (Cth) s 7(1)(a)(i)(B), (iiia), (iv)–(vi), (f), (ga), (h); s 7(2)(a), (c).

[83] Ibid s 6(1).

[84] Ibid s 6C(1).

[85] Parliament of Australia—House of Representatives Standing Committee on Legal and Constitutional Affairs, Advisory Report on the Privacy Amendment (Private Sector) Bill 2000 (2000), [2.20]. The estimate was based on Australian Bureau of Statistics, Business Growth and Performance Survey, Financial Year 1997/1998 (1999), which has been discontinued since then. There are no further official statistics on the number of Australian small businesses with an annual turnover of $3 million or less. The Australian Bureau of Statistics, however, does publish data on the number of businesses with an annual turnover of less than $2 million. As at June 2007, there are 1,890,213 businesses with an annual turnover of $2 million or less, which represents 94% of all businesses: Australian Bureau of Statistics, Counts of Australian Businesses, 8165.0 (2007), 20. The small business exemption is discussed in Chapter 39.

[86] G Greenleaf, ‘Reps Committee Protects the “Privacy-Free Zone”’ (2000) 7 Privacy Law & Policy Reporter 1, 1; N Waters, ‘Essential Elements of a New Privacy Act’ (1999) 5 Privacy Law & Policy Reporter 168, 168.

[87] R Clarke, Flaws in the Glass; Gashes in the Fabric (1997) Australian National University <www.anu.edu.au/people/Roger.Clarke/DV/Flaws.html> at 31 March 2008.

[88] See, eg, T Dixon, Government Tables New Privacy Legislation (2000) AustLII <www.austlii.edu.au/au/other/CyberLRes/2000/6/> at 31 March 2008; Australian Privacy Foundation, Submission to the Office of the Privacy Commissioner Review of the Private Sector Provisions of the Privacy Act 1988, December 2004; Electronic Frontiers Australia Inc, Submission to the Senate Legal and Constitutional Legislation Committee’s Inquiry into the Provisions of the Privacy Amendment (Private Sector) Bill 2000, 3 September 2000; Australian Privacy Charter Council, Submission to the Senate Legal and Constitutional Affairs Committee Inquiry on the Privacy Amendment (Private Sector) Bill 2000, 20 August 2000.

[89] Privacy Act 1988 (Cth) ss 7(1)(ee), 7B(4).

[90] Ibid s 6(1).

[91] N Waters, ‘Can the Media and Privacy Ever Get On?’ (2002) 9 Privacy Law & Policy Reporter 149.

[92] Commonwealth Ombudsman, Submission PR 202, 21 February 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007; National Health and Medical Research Council, Submission PR 114, 15 January 2007.

[93] Commonwealth Ombudsman, Submission PR 202, 21 February 2007; National Health and Medical Research Council, Submission PR 114, 15 January 2007; Australian Broadcasting Corporation, Submission PR 94, 15 January 2007.

[94] Social Security Appeals Tribunal, Submission PR 106, 15 January 2007.

[95] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[96] Australian Broadcasting Corporation, Submission PR 94, 15 January 2007; SBS, Submission PR 112, 15 January 2007.

[97] Government of South Australia, Submission PR 187, 12 February 2007.

[98] K Pospisek, Submission PR 104, 15 January 2007.

[99] Australian Federal Police, Submission PR 186, 9 February 2007; Insurance Council of Australia, Submission PR 110, 15 January 2007.

[100] Privacy NSW, Submission PR 468, 14 December 2007; Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Commonwealth Ombudsman, Submission PR 202, 21 February 2007.

[101] Privacy NSW, Submission PR 468, 14 December 2007. The data protection principles correspond closely to the IPPs in the Privacy Act 1988 (Cth): Privacy NSW, Data Protection Principles <www.lawlink.nsw.gov.au/lawlink/privacynsw/ll_pnsw.nsf/pages/PNSW_03_dpps> at 31 March 2008.

[102] See Ch 36.

[103] National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[104] See Ch 40.

[105] See Ch 42.