Privacy Advisory Committee

Composition

46.72 The Privacy Act establishes a Privacy Advisory Committee (Advisory Committee) consisting of the Commissioner and not more than six other members, of which the Commissioner is convenor.[93] The Governor-General appoints members (other than the Privacy Commissioner) as part-time members who hold office for up to five years. Members are not remunerated for their service, but enjoy protections against removal similar to those of the Commissioner,[94] and have an obligation to disclose any conflicts of interest.[95]

46.73 The Privacy Act provides membership criteria for the Advisory Committee in two ways. First, it specifies that officers, employees and staff of the Commonwealth must never be in the majority on the Advisory Committee.[96] Secondly, it provides a list of membership criteria.[97] The Advisory Committee is currently constituted by the Commissioner and six members.[98] Membership of the Committee was developed ‘to represent a variety of community interest groups’[99] and must include representatives with experience in industry, commerce or government, trade unions, electronic data processing, social welfare and the promotion of civil liberties.[100]

46.74 No changes or additions were made to the membership criteria of the Advisory Committee following the introduction of the credit reporting provisions in 1990 or following the inclusion of the private sector provisions in 2000.

Functions

46.75 The Privacy Act specifies that the Advisory Committee has functions to advise the Commissioner (whether or not requested) on matters relevant to the Commissioner’s functions and recommend material for inclusion in guidelines to be issued by the Commissioner. It is also empowered to engage in and promote community education and consultation for the protection of individual privacy, subject to any directions given by the Commissioner.[101]

46.76 The OPC sets out on its website the terms of reference for the Advisory Committee, which are based on the functions set out in the Privacy Act. The OPC notes that the terms of reference ‘assume a strategic advisory role’ for the Advisory Committee and include:

  • advising the Privacy Commissioner on privacy issues, and the protection of personal information;

  • providing strategic input to key projects undertaken by the Privacy Commissioner;

  • fostering collaborative partnerships between key stakeholders to promote further the protection of individual privacy;

  • promoting the value of privacy to the Australian community, business and government; and

  • supporting office accountability to external stakeholders.[102]

46.77 In its most recent annual report, the OPC described the Advisory Committee as acting ‘as an external reference point that supports the Commissioner in gaining access to the broad views about privacy in the private sector, government and the community at large’.[103] In the past, the Advisory Committee has assisted the OPC by providing strategic advice about such matters as the review of the private sector provisions of the Privacy Act in 2004–05,[104] and the 25th International Conference of Data Protection and Privacy Commissioners in 2003–04.[105] The Advisory Committee has also provided input into guidelines developed by the OPC, as well as advice about the OPC’s complaint processes and the publication of complaint case notes.[106]

46.78 The Privacy Commissioner can convene such meetings of the Advisory Committee as he or she considers necessary for the performance of the Committee’s functions.[107]

Submissions and consultations

46.79 In DP 72, the ALRC noted that there was some dissatisfaction with the structure and functions of the Advisory Committee; however, stakeholders in general supported its continuation.

46.80 In relation to the general functions and powers of the Advisory Committee, the OPC submitted that it supported the continuation of the Advisory Committee in its current role as an independent advisory body. The OPC considered that the Committee’s powers and functions are appropriate and found that the Committee provides valuable input into policy development and general strategic discussion.[108]

46.81 The Australian Privacy Foundation submitted that:

The Privacy Advisory Committee may perform a useful function ‘behind the scenes’, but it is almost invisible to the public. Members do not seem to have seen themselves as accountable to the constituencies which might be inferred from the criteria for appointment and have rarely sought to consult with constituencies.

The objectives of the Advisory Committee might be better performed by separate committees representing business, government and consumer interests respectively, with independent secretariats and public reporting requirements.[109]

46.82 In terms of additional functions, the National Association for Information Destruction submitted that the Advisory Committee could have a role in establishing a standard for secure document destruction.[110]

46.83 Stakeholders also commented on the membership criteria of the Advisory Committee. The OPC submitted that such criteria should be reviewed and updated to reflect current business, community and government environments. In particular, the OPC expressed strong support for the introduction of an explicit requirement that a health sector representative be included on the Advisory Committee given the community concern regarding health privacy.[111] Another stakeholder went further and suggested there be two designated positions for the health sector: a consumer (from an advocacy organisation) and a practitioner.[112]

46.84 The OPC also suggested that the criteria be amended to require separately the inclusion of a member with high-level experience in industry or commerce and a member with experience in public administration or government, rather than combining these categories.[113]

Inclusion of a health representative

46.85 Following a number of suggestions that the categories of persons for appointment be expanded—and in particular, by the inclusion of a representative from the health sector—the ALRC proposed that the requirements for the composition of the Privacy Advisory Committee be amended to require the appointment of a person to represent the health sector and expand the number of members on the Privacy Advisory Committee, in addition to the Privacy Commissioner, to not more than seven.[114]

46.86 All stakeholders who commented on the addition of a health sector representative to the Committee supported the proposal.[115] For example, Avant Mutual Group Ltd submitted that ‘given the very significant amount of health information generated by Australia’s health sector and the important areas of scientific/medical research and genetics it is necessary to have a person represent the health sector’.[116]

46.87 While strongly supporting the appointment of a health representative to the Privacy Advisory Committee, one stakeholder suggested that the terminology of ‘representative’ in relation to members of the Committee should be reconsidered. Rather than appointing representatives, it was suggested that members with expertise relevant to a particular sector should be appointed to bring their particular knowledge and experience to the Committee. Importantly, such members should ‘be required to exercise their functions so as to promote the achievement of the objects of the Privacy Act more broadly, rather than simply “representing” a sectoral view’.[117]

46.88 Stakeholders also suggested other members that should be included in the composition of the Committee, including a law enforcement representative[118] and a consumer sector representative.[119]

Updating language

46.89 In its submission to IP 31, the OPC suggested that the terminology used in the membership criteria—such as requiring a person with extensive experience in ‘electronic data-processing’—should be updated to reflect better current data-handling practices.[120] Having regard to the fact that the term ‘electronic data-processing’ is not a term used throughout the Privacy Act,[121] the ALRC canvassed some alternative terminology, including ‘information technology’ or ‘information and communication technologies’.

46.90 The term ‘information technology’ is generally understood to mean ‘the use of computers to produce, store and retrieve information’[122] and encapsulates the notion of ‘electronic data-processing’.[123] ‘Information and communication technologies’ is a modern development on ‘information technology’ and is intended to broaden the term explicitly to include all types of electronic communications. The term has been used to describe how information is ‘produced, collected, sorted, filtered, transmitted, communicated, interpreted and stored’[124] and is used by a number of organisations throughout the world, including the European Commission, the World Bank, and the Organisation for Economic Co-operation and Development. The ALRC proposed that the term ‘electronic data-processing’ should be changed to ‘information and communication technologies’, to reflect more contemporary practices and parlance.[125]

46.91 Several stakeholders expressed support for the proposal to change the wording of ‘electronic data-processing’ to ‘information and communication technologies’.[126]

ALRC’s view

46.92 The Privacy Advisory Committee should continue in its current form, but with some amendments to the membership criteria. As statutory appointees, the members enjoy independence and protection from removal, allowing them to express views without fear or favour. Leaving the members as statutory appointments by the Governor-General insulates the Commissioner from allegations of bias in relation to a particular appointment. The Commissioner, however, may still make recommendations for appointments to the appropriate minister.

46.93 In order to give the Commissioner additional flexibility, however, the ALRC recommends that the Commissioner be given an express power to establish expert panels to assist with specific projects. This is discussed further below.

46.94 In terms of changes to the existing structure of the Privacy Advisory Committee, given the significance of privacy in the health sphere and the impact of health privacy on every member of the community, it is appropriate that a health perspective is represented on the Advisory Committee.[127]

46.95 It is not necessary that the membership criteria in s 82(7)(a) (industry or government representative) be separated. While the ALRC sees a benefit in having a government and industry representative on the Committee, representatives from both government and business can be appointed under the current membership structure. The Act only specifies five categories of members but allows the appointment of six members. Specifying six categories of membership (that is, including the new health category) and allowing for the appointment of seven members in addition to the Commissioner could be used to achieve the same result.

46.96 There are, however, two alternative approaches on this issue that could be adopted. The first is to separate the membership criteria and allow for one appointment per category (that is, specify seven categories and allow for seven members). The second is to separate the membership criteria, which would create seven categories of membership, and allow for the appointment of one member per category plus one member at large—equalling eight members together.

46.97 If the membership category in s 82(7)(a) was separated, the second option is preferable to the first, as it retains the flexibility to appoint persons beyond the confines of the membership criteria in the Act and allows for the appointment of more than one person to a membership category. The ALRC is concerned, however, that the second option increases the size of the Committee, which may affect the functioning and flexibility of the body itself, and may shift the preponderance of views on the Committee to the regulated entities—that is, to the government, business, health and data-processing sectors. While the Act specifies that a majority of appointed persons cannot be officers or employees of the Commonwealth, there is no such limitation against business or industry views.

46.98 Given the recommended objects of the Act, it is important that the Advisory Committee provide the Commissioner with a balanced range of views from both the regulated entities and from consumer and privacy advocates. The current compound category in s 82(7)(a), therefore, should be retained.

46.99 In relation to the other membership criteria put forward by stakeholders, those suggestions could be addressed under the existing membership criteria. It is important to keep the criteria at a high level. This enables representation from a variety of backgrounds and stakeholders discussed below. If specific expertise is required for a particular project, expert panels could be utilised.

46.100 With regard to terminology, the reference to ‘electronic data-processing’ in the membership criterion should be replaced with ‘information and communication technologies’, to reflect more contemporary practices and parlance. The ALRC prefers ‘information and communication technologies’ to ‘information technology’, as it is broader and encapsulates more clearly the notion of electronic communications.

Recommendation 46-4 The Privacy Act should be amended to make the following changes in relation to the Privacy Advisory Committee:

(a) expand the number of members on the Privacy Advisory Committee, in addition to the Privacy Commissioner, to not more than seven;

(b) require the appointment of a person who has extensive experience in health privacy; and

(c) replace ‘electronic data-processing’ in s 82(7)(c) with ‘information and communication technologies’.

[93] Privacy Act 1988 (Cth) s 82(1)–(5). See also s 87 regarding meetings of the Advisory Committee.

[94] Ibid s 85.

[95] Ibid s 86.

[96] Ibid s 82(6).

[97] Ibid s 82(7).

[98] See Office of the Privacy Commissioner, Privacy Advisory Committee <www.privacy.gov.au/act/pac> at 14 May 2008.

[99] Explanatory Memorandum, Privacy Bill 1988 (Cth), 4.

[100] See Office of the Privacy Commissioner, Privacy Advisory Committee <www.privacy.gov.au/act/pac> at 14 May 2008. Members of the Advisory Committee have been drawn from universities, PIAC, the Australian Consumers’ Association, the Australian Chamber of Commerce and Industry, the Australian Information Industry Association and the HREOC.

[101] Privacy Act 1988 (Cth) s 83.

[102] Office of the Privacy Commissioner, Privacy Advisory Committee <www.privacy.gov.au/act/pac> at 14 May 2008.

[103] Office of the Privacy Commissioner, The Operation of the Privacy Act Annual Report: 1 July 2006–30 June 2007 (2007), 38–39.

[104] Office of the Privacy Commissioner, The Operation of the Privacy Act Annual Report: 1 July 2004–30 June 2005 (2005), 29.

[105] Office of the Federal Privacy Commissioner, The Operation of the Privacy Act Annual Report: 1 July 2003–30 June 2004 (2004), 47.

[106] Office of the Privacy Commissioner, The Operation of the Privacy Act Annual Report: 1 July 2004–30 June 2005 (2005), 29; Office of the Federal Privacy Commissioner, The Operation of the Privacy Act Annual Report: 1 July 2003–30 June 2004 (2004), 47; Office of the Privacy Commissioner, The Operation of the Privacy Act Annual Report: 1 July 2005–30 June 2006 (2006), 23.

[107] Privacy Act 1988 (Cth) s 87.

[108] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[109] Australian Privacy Foundation, Submission PR 167, 2 February 2007.

[110] National Association for Information Destruction, Submission PR 133, 19 January 2007.

[111] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[112] Confidential, Submission PR 134, 19 January 2007. The Australian Privacy Foundation’s submission to the Senate Legal and Constitutional Reference Committee inquiry into the Privacy Act also recommended that a separate position be ‘reserved’ for a representative of health issues, given the importance of the issue: Australian Privacy Foundation, Supplementary Submission to the Senate Legal and Constitutional References Committee Inquiry into the Privacy Act 1988 concerning the Privacy Advisory Committee, 1 March 2005, 3.

[113] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[114] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 43–4.

[115] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Cancer Council Australia and Clinical Oncological Society of Australia, Submission PR 544, 23 December 2007; Confidential, Submission PR 519, 21 December 2007; Consumer Action Law Centre, Submission PR 510, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007; Avant Mutual Group Ltd, Submission PR 421, 7 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007. The Australian Direct Marketing Association ‘does not disagree’ with this proposal: Australian Direct Marketing Association, Submission PR 543, 21 December 2007.

[116] Avant Mutual Group Ltd, Submission PR 421, 7 December 2007.

[117] National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[118] Australian Federal Police, Submission PR 545, 24 December 2007.

[119] Consumer Action Law Centre, Submission PR 510, 21 December 2007.

[120] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[121] ‘Electronic data-processing’ is in fact only used in s 82(7)(c) of the Privacy Act 1988 (Cth). ‘Data processing’ is used once in the Privacy Act, in s 27(1)(c). The use of ‘processing’ has its heritage in the Council of Europe Convention: see Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, 28 January 1981, Council of Europe, CETS No 108, (entered into force generally on 1 October 1985).

[122] Macquarie Dictionary (online ed, 2007).

[123] The ALRC notes that the OPC website already refers to ‘information technology’ in describing the range of perspectives on the Advisory Committee: see Office of the Privacy Commissioner, Privacy Advisory Committee <www.privacy.gov.au/act/pac> at 14 May 2008.

[124] Commonwealth Scientific and Industrial Research Organisation, Information and Communication Technology Overview (2007) <www.csiro.au/org/ICTOverview.html> at 31 July 2007.

[125] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 43–4.

[126] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007.

[127] The ALRC notes that under the current criteria, a health representative could be appointed within the ambit of the social welfare representative. However, it is the ALRC’s view that it would be more beneficial to fill this criterion with a representative from the social and community welfare sector more generally, and to require, in addition to that member, a further member representing the health sector.