Should state and territory authorities be exempt from the operation of the Act?

38.34 The report of the Senate Legal and Constitutional References Committee inquiry into the Privacy Act noted that there was concern that the exemption of state and territory authorities from the operation of the Privacy Act represented a significant gap in the Act’s coverage.[42]

38.35 In IP 31, the ALRC asked whether state and territory authorities should be exempt from the privacy principles in the Privacy Act.[43] The ALRC also asked whether, in addition to the energy distributors owned by the New South Wales Government (which are the only state authorities prescribed under the Privacy (Private Sector) Regulations 2001 (Cth)), there were any other state or territory authorities that should be covered by the privacy principles in the Privacy Act.[44]

State and territory authorities generally

38.36 Some stakeholders were of the view that state and territory authorities should be exempt from the Act.[45] For example, the Office of the Information Commissioner (Northern Territory) submitted that it is the responsibility of the state and territory governments to ensure that the privacy of personal information handled by state and territory authorities is protected.[46] The Victorian Office of the Health Services Commissioner stated that:

Although it is unfortunate that certain state and territory statutory bodies fall outside both the federal and the state privacy regimes … this is not a sufficient reason for the Federal Government to attempt to regulate state and territory public sector agencies.[47]

38.37 Others submitted that certain state and territory authorities should continue to be exempt from the operation of the Privacy Act.[48] The New South Wales Guardianship Tribunal submitted that state and territory guardianship tribunals should remain exempt.[49] The Australian Guardianship and Administration Committee submitted that public trustees should be exempt ‘from appropriate provisions of the Privacy Act … where the Public Trustee is seeking information about a person, from either the private or public sector, in the ordinary course of the Public Trustee’s business as trustee’.[50]

38.38 Other stakeholders considered that state and territory authorities should not be exempt from the Privacy Act.[51] For instance, the Insurance Council of Australia submitted that state and territory authorities should not be exempt as this creates the potential for conflict between federal and state and territory laws.[52]

38.39 Some stakeholders submitted that state and territory authorities should be exempt to the extent that they are subject to state and territory privacy laws.[53] The Office of the Victorian Privacy Commissioner (OVPC) stated that federal privacy law should not bind state authorities when they are already subject to state privacy laws, because this would result in unnecessary fragmentation and confusion. The OVPC also did not support state referral of power to the Commonwealth

as it would remove the state’s ability to provide enhanced protection and, while dealing with the constitutional impediment, continues to suffer from the problem of how it is to interact with other state based laws (FOI, archives, human rights etc).[54]

38.40 The OVPC, however, was in favour of federal minimum standards that apply to state and territory public sectors.

Given that not all jurisdictions have privacy laws in place, there is some merit in the proposal to have minimum standards apply to state and territory public sectors which can be ‘rolled back’ once that jurisdiction enacts privacy legislation that conforms to the specified federal standard—provided that this allowed for better protection to be adopted by the state and territory governments.[55]

38.41 In addition, the OVPC suggested that the opt-in mechanism in s 6F of the Privacy Act should remain, because ‘while it appears not to have been used, it may be in the future and this type of mechanism maintains control by and independence of the states’.[56]

38.42 Some stakeholders expressed concern that some state-owned statutory corporations are excluded from both the state and the federal privacy regimes.[57] In addition, some stakeholders noted that the question of the exemption of state and territory authorities from the operation of the Privacy Act would fall away if a uniform privacy scheme were adopted.[58] One stakeholder submitted that state and territory agencies should be exempt only on a case-by-case basis.[59]

38.43 It was also suggested that the following state and territory bodies should be regulated by the Privacy Act:

  • bodies established by administrative arrangements, including on a cooperative basis between jurisdictions;[60]

  • universities established under state or territory legislation;[61] and

  • federally funded state entities, such as hospitals, research institutes, universities, schools, environment management agencies and road authorities.[62]

Government business enterprises

38.44 Some stakeholders were of the view that government businesses that compete with private sector organisations should be subject to the Privacy Act.[63] In its submission, the OPC stated that

the acts and practices of state and territory bodies that are responsible for policy development and implementation, and for the making of laws, should generally be subject to the oversight of the respective Parliament, and thus ultimately accountable to the electorate of that jurisdiction. This includes Ministers and departments of state in those jurisdictions and bodies, as well as bodies established for a public purpose by or under a law of that state or territory.[64]

38.45 The OPC submitted, however, that state-owned statutory corporations that function as government businesses should be covered by the Privacy Act, because not all states and territories have enacted privacy legislation, and the lack of privacy protection for personal information handled by these statutory corporations may be inconsistent with community expectations. It also submitted that ‘applying privacy regulation to state and territory statutory corporations is likely to be consistent with the principle of competitive neutrality’.[65] On this basis, the OPC suggested that:

  • the Australian Government should work with all states and territories to implement privacy regulation that is consistent with the Privacy Act or adopt the Privacy Act as model legislation;

  • the Privacy Act should apply to all incorporated bodies, including state and territory statutory corporations, except where there is equivalent privacy legislation in the relevant jurisdiction; and

  • where it is considered necessary that state and territory incorporated bodies be exempted from coverage of the Privacy Act on public interest grounds, that consideration be given to applying a provision such as s 6C(4) to give effect to the exemption.[66]

38.46 Professor Graham Greenleaf, Nigel Waters and Associate Professor Lee Bygrave submitted that:

There is no reason why State or Territory business enterprises should have an arguable commercial advantage over private sector organisations because they can avoid the costs of compliance with privacy laws. On the other hand, there is no reason why the Commonwealth should monopolise power to establish appropriate privacy standards. Consistency in privacy standards across Australia is desirable, but that is a separate issue. The best balance is struck simply by ensuring that some enforceable privacy standard applies …

The law should make provision for coverage of any state or territory authorities ‘by agreement’ (effected through Regulations) to cover the increasing number of ‘hybrid’ organisations involved in the delivery of public services and to ensure no organisation can ‘fall between the gaps’.[67]

Options for reform

38.47 In DP 72, the ALRC noted that the exemption of state and territory authorities from the operation of the Privacy Act represented a significant gap in privacy regulation in Australia, and expressed the view that state-owned statutory corporations that compete with organisations should not have a competitive advantage over organisations.[68]

38.48 The ALRC considered that one option for reform would be to require state and territory authorities to comply with the Privacy Act unless they were covered by a state or territory law that was ‘substantially similar’ to the Act. In Canada, the Governor in Council may,

if satisfied that legislation of a province that is substantially similar to this Part applies to an organization, a class of organizations, an activity or a class of activities, exempt the organization, activity or class from the application of this Part in respect of the collection, use or disclosure of personal information that occurs within that province.[69]

38.49 The Privacy Commissioner of Canada has advised that, in assessing whether provincial legislation is ‘substantially similar’ to the federal legislation, the Commissioner would

interpret substantially similar as equal or superior to the [Personal Information Protection and Electronic Documents Act] in the degree and quality of privacy protection provided. The federal law is the threshold or floor. A provincial privacy law must be at least as good, or it is not substantially similar.[70]

38.50 Another option would be to require state and territory authorities to comply with the Privacy Act unless the Privacy Commissioner determines that a particular state or territory authority should be exempt from compliance with the Act.

38.51 The Privacy Commissioner currently performs a similar function in relation to privacy codes. Under the Privacy Act, the Privacy Commissioner currently has the power to approve privacy codes.[71] An organisation that is bound by a privacy code is not required to comply with the NPPs.[72] Section 18BB of the Privacy Act provides that the Privacy Commissioner must be satisfied of a number of matters before he or she approves a privacy code. In particular, s 18BB(2)(a) provides that the Privacy Commissioner must be satisfied that ‘the code incorporates all the National Privacy Principles or sets out obligations that, overall, are at least the equivalent of all the obligations set out in those Principles’.

38.52 The OPC’s Guidelines on Privacy Code Development provide guidance on how the Privacy Commissioner assesses whether the condition in s 18BB(2)(a) is met.

In deciding if this condition has been met, the Commissioner requires code proponents to include a statement of claims detailing:

i) how the obligations under the code differ from the obligations under the [NPPs];

ii) the rationale for the change to any obligation provided in the NPPs; and

iii) how, in the opinion of the code proponent, the obligations set out in the code are at least equivalent of all the obligations set out in the NPPs.[73]

The Discussion Paper proposals

38.53 In DP 72, the ALRC proposed that the states and territories enact legislation applying the proposed Unified Privacy Principles (UPPs) and the proposed Privacy (Health Information) Regulations to state and territory agencies.[74] The ALRC noted, however, that the implementation of such a scheme would take time.[75] The ALRC therefore proposed that, before the enactment of similar legislation in the states and territories, the Privacy Act should be amended to apply to all state and territory incorporated bodies, including statutory corporations, except where they are covered by state or territory privacy law setting out obligations that, overall, are at least the equivalent of the relevant obligations in the Privacy Act.[76]

38.54 In deciding the approach for determining whether a state or territory has equivalent privacy law, the ALRC expressed a preference for it to be modelled on s 18BB(2)(a) of the Privacy Act, on the basis that the Privacy Commissioner already has experience in assessing equivalence under this provision.

38.55 In addition, the ALRC considered that the Privacy Act should provide a mechanism for regulations to be made to exclude certain state and territory bodies from the coverage of the Act on public interest grounds.[77] The ALRC expressed the view that this mechanism should be modelled on s 6C(4) of the Privacy Act, which lists the criteria for excluding a state or territory instrumentality from the coverage of the Act.[78]

Submissions and consultations

38.56 A number of stakeholders supported the ALRC’s proposed approach.[79] Privacy NSW supported the proposal because state-owned corporations in New South Wales are not subject to either federal or state privacy legislation.

Given that some of these corporations are utility providers and as such hold large amounts of high value identity information about NSW customers there is a compelling need to make them subject to privacy regulation.[80]

38.57 The Public Interest Advocacy Centre (PIAC) observed that the proposal would fill the current gap in the coverage of state-owned statutory corporations until states and territories enact legislation applying the UPPs to state and territory agencies. PIAC also supported the proposal to empower the Governor-General to make regulations to exempt state and territory incorporated bodies on public interest grounds, provided that there was ‘a mechanism for making proposed exemptions public and allowing privacy advocates and consumer groups an opportunity to make submissions’.[81]

38.58 The Cancer Council Australia and the Clinical Oncological Society of Australia supported the proposed approach, on the basis that it

would facilitate national uniformity and consistency in the management of health information and the enabling of federal law to override state or territory laws in relation to health data, where clearly in the public interest in terms of individual or community health outcomes.[82]

38.59 The Queensland Government noted that government-owned corporations in Queensland are currently covered by the Privacy Act and stated that it had ‘no objection to the continuation of the situation’. It noted further that it is currently converting all statutory government-owned corporations into company form, which would bring them within the coverage of the Privacy Act. The Queensland Government indicated, however, that it would not support extending the coverage of the Privacy Act to other statutory bodies, on the basis that this would create a situation where those bodies would have to comply with two sets of privacy obligations. Further, this approach ‘would also impinge on the independence of the states and territories to determine how best to carry on the business of the state or territory’.[83]

38.60 The Government of South Australia did not support the proposal to apply the Privacy Act to all state and territory bodies. It was concerned that if it did not enact privacy legislation applying the UPPs and the proposed Privacy (Health Information) Regulations, its state-owned incorporated bodies may have to comply with both the Privacy Act and the Information Privacy Principles under PC012—Information Privacy Principles Instruction.

This would also mean there would be effectively two reporting and complaints mechanisms applying to State owned incorporated bodies. It would seem unnecessary to have this provision when the [PC012] IPPs already provide an adequate level of privacy protection.[84]

ALRC’s view

38.61 The exemption of state and territory authorities from the operation of the Privacy Act means that only those state and territory authorities that are subject to state and territory privacy laws are covered by privacy regulation. Accordingly, this exemption represents a gap in privacy regulation in Australia in those jurisdictions that have no privacy regulation or where that regulation does not extend to state and territory authorities.

38.62 In Chapter 3, the ALRC recommends that the Australian Government and state and territory governments develop and adopt an intergovernmental agreement in relation to the handling of personal information. This agreement should establish an intergovernmental cooperative scheme whereby the states and territories enact legislation regulating the handling of personal information in the state and territory public sectors. This legislation should apply the model UPPs, any regulations modifying the application of the UPPs, and relevant definitions used in the Privacy Act. Further, it should contain certain minimum provisions, including provisions regulating state and territory incorporated bodies (including statutory corporations).[85] The enactment of such legislation will resolve issues concerning the inadequate or inconsistent regulation of state and territory incorporated bodies.

38.63 The implementation of the recommended intergovernmental scheme is likely to take time. The ALRC is no longer of the view, however, that in the interim the Privacy Act should be amended to apply to all state and territory incorporated bodies that are not covered by obligations under a state or territory law that are the equivalent of the relevant obligations in the Privacy Act. The ALRC notes the concerns raised by some stakeholders that this could create further inconsistency and fragmentation in privacy regulation in Australia. The ALRC agrees that it is not desirable to implement a scheme that may require some state or territory incorporated bodies to comply with both state or territory privacy obligations and obligations imposed by the Privacy Act.

38.64 In Chapter 3, the ALRC recommends that the Australian Government initiate a review in five years from the commencement of the amended Privacy Act to consider whether the recommended intergovernmental cooperative scheme has been effective in achieving national consistency. This review should consider whether it would be more effective for the Australian Parliament to exercise its legislative power in relation to information privacy to cover the field, including in the state and territory public sectors.[86] The nature and extent of the regulation of state and territory incorporated bodies should be considered during this review.

38.65 Finally, the ALRC agrees that the ‘opt-in’ mechanism contained in s 6F of the Privacy Act is a useful mechanism to bring state and territory bodies under the operation of the Privacy Act and should be retained in the Act.

[42] Parliament of Australia—Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005), [5.38].

[43] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 5–4.

[44] Ibid, Question 5–5.

[45] Office of the Health Services Commissioner (Victoria), Submission PR 153, 30 January 2007; Office of the Information Commissioner (Northern Territory), Submission PR 103, 15 January 2007.

[46] Office of the Information Commissioner (Northern Territory), Submission PR 103, 15 January 2007.

[47] Office of the Health Services Commissioner (Victoria), Submission PR 153, 30 January 2007.

[48] New South Wales Guardianship Tribunal, Submission PR 209, 23 February 2007; Australian Guardianship and Administration Committee, Submission PR 129, 17 January 2007.

[49] New South Wales Guardianship Tribunal, Submission PR 209, 23 February 2007.

[50] Australian Guardianship and Administration Committee, Submission PR 129, 17 January 2007.

[51] Insurance Council of Australia, Submission PR 110, 15 January 2007; Institute of Mercantile Agents, Submission PR 101, 15 January 2007; W Caelli, Submission PR 99, 15 January 2007; K Handscombe, Submission PR 89, 15 January 2007; I Turnbull, Submission PR 82, 12 January 2007.

[52] Insurance Council of Australia, Submission PR 110, 15 January 2007.

[53] Office of the Victorian Privacy Commissioner, Submission PR 217, 28 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007.

[54] Office of the Victorian Privacy Commissioner, Submission PR 217, 28 February 2007.

[55] Ibid.

[56] Ibid.

[57] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; Queensland Council for Civil Liberties, Submission PR 150, 29 January 2007; Public Interest Advocacy Centre, Consultation PC 29, Sydney, 16 May 2006.

[58] Queensland Government, Submission PR 242, 15 March 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007.

[59] K Pospisek, Submission PR 104, 15 January 2007.

[60] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[61] Ibid; D Antulov, Submission PR 14, 28 May 2006.

[62] I Turnbull, Submission PR 82, 12 January 2007.

[63] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; Queensland Council for Civil Liberties, Submission PR 150, 29 January 2007.

[64] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007. See also G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; Queensland Council for Civil Liberties, Submission PR 150, 29 January 2007.

[65] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007. See National Competition Council, Compendium of National Competition Policy Agreements (1998), cl 3.

[66] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[67] G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007.

[68] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [34.111]–[34.112].

[69] Personal Information Protection and Electronic Documents Act 2000 SC 2000, c 5 (Canada) s 26(2)(b).

[70] Privacy Commissioner of Canada, Report to Parliament Concerning Substantially Similar Legislation (2002), 2.

[71] Privacy Act 1988 (Cth) pt IIIAA. Privacy codes are discussed in Ch 48.

[72] Ibid s 16A.

[73] Office of the Federal Privacy Commissioner, Guidelines on Privacy Code Development (2001), 30.

[74] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 4–4.

[75] Ibid, [34.113].

[76] Ibid, Proposal 34–5(a).

[77] Ibid, Proposal 34–5(b).

[78] Ibid, Proposal 34–6.

[79] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Cancer Council Australia and Clinical Oncological Society of Australia, Submission PR 544, 23 December 2007; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007.

[80] Privacy NSW, Submission PR 468, 14 December 2007.

[81] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[82] Cancer Council Australia and Clinical Oncological Society of Australia, Submission PR 544, 23 December 2007.

[83] Queensland Government, Submission PR 490, 19 December 2007.

[84] Government of South Australia, Submission PR 565, 29 January 2008.

[85] Rec 3–4.

[86] Rec 3–6.