Structure, functions and powers

Legislative structure

46.2 The role and position of Privacy Commissioner was originally established in the Privacy Act 1988 (Cth). The Commissioner was initially a member of the Human Rights and Equal Opportunity Commission (HREOC), before the OPC was established as a separate office in July 2000. It was suggested that a separate office was consistent with the approach taken in other countries and that it would provide ‘an opportunity to further increase the profile, and thus the effectiveness, of the work of the Privacy Commissioner and of the office of the Privacy Commissioner’.[1]

46.3 The Privacy Amendment (Office of the Privacy Commissioner) Act 2000 (Cth) amended the Privacy Act to establish the ‘Office of the Privacy Commissioner’, defined to consist of the Privacy Commissioner and staff appointed under s 26A.[2] The Privacy Act provides that the Commissioner is appointed by the Governor-General for a period of up to seven years,[3] on such terms and conditions as imposed by the Governor-General and the Act.[4] The Commissioner’s appointment may be terminated because of misbehaviour, or physical or mental incapacity, and must be terminated in circumstances of bankruptcy, extended absence or unapproved outside employment.[5]

46.4 The Privacy Act does not provide for a Deputy or Assistant Commissioner (as a statutory appointee), but does provide for the appointment of an Acting Commissioner during any vacancy in the office or absence of the Privacy Commissioner.[6] Although this is similar to the approach taken in Australian states, both Canada and New Zealand provide for the appointment of additional statutory officers.

46.5 For instance, in New Zealand, the Governor-General may, on the recommendation of the Minister, appoint a Deputy Commissioner, who is entitled to all the protections, privileges and immunities of the Commissioner and, subject to the control of the Commissioner, has and may exercise all the powers, duties and functions of the Commissioner under the Act.[7] In Canada, the Governor in Council may, on the recommendation of the Privacy Commissioner, appoint one or more Assistant Privacy Commissioners. The Assistant Privacy Commissioners hold office during good behaviour for a term not exceeding five years and are to engage exclusively in such duties or functions of the office of the Privacy Commissioner under the Privacy Act or any other Act as are delegated by the Privacy Commissioner to the Assistant Privacy Commissioner.[8]

Functions and powers of the OPC

46.6 Part IV, Division 2 of the Privacy Act vests a range of functions in the Commissioner. These functions are examined in Chapters 47–49 and are divided in the Act into functions relating to interferences with privacy, tax file numbers and credit reporting.[9] The Privacy Commissioner also has functions under other Acts, which are examined further in Chapter 47 and Part J.

46.7 The Privacy Act invests the Commissioner with power to do all things that are necessary or convenient to be done for or in connection with the performance of his or her functions.[10] The Commissioner also has an ancillary function in s 27(1)(s) to do anything incidental or conducive to the performance of any of the Commissioner’s other functions in s 27(1).[11]

Delegation

46.8 There are two matters to note about the Commissioner’s legislative functions and powers. The first is that the Privacy Act invests functions in the Privacy Commissioner personally, rather than in the OPC generally, and only the Commissioner has the power to do all things necessary or convenient to be done in connection with the performance of his or her functions.

46.9 Secondly, the Privacy Commissioner can delegate all or any of his or her powers either to a member of the Commissioner’s staff or a member of the staff of the Commonwealth Ombudsman, with two exceptions. The Commissioner cannot delegate the powers conferred by s 52, which sets out the Commissioner’s power to make determinations, and the Commissioner cannot delegate his or her power under s 17 to issue guidelines relating to tax file number information.[12]

Regulatory structure

46.10 The Privacy Commissioner, supported by the OPC, is an individual, independent regulator, rather than a regulatory agency or commission.[13] There has been some discussion by regulatory theorists about the distinction between an independent individual regulator, such as the Privacy Commissioner, and a commission-style regulator. It has been noted that the rationale for attaching regulatory powers to an individual is

‘to seek to develop a quicker and less bureaucratic system of regulation. This was centred on the idea of a single, independent regulator for each industry, operating without undue bureaucracy and supported by a small staff.’ It was considered, further, that personal responsibility for regulation would reassure the public who could identify regulation with an individual protector of their interests rather than some vague commission of faceless persons.[14]

46.11 The disadvantages of an individual regulator include: the possibility that significant political pressures may be directed at one person; a lack of accountability to a board or equivalent; and the potential for unpredictable decision making.[15] An individual regulator structure means ‘important decision making functions which are material to the rights and privileges of third parties’ are vested in one individual, which could result in one individual being responsible for advising organisations and adjudicating disputes involving the same organisation.[16] This can raise the danger that the regulator will, or will be seen to, ‘fall between stools’ such that its enforcement actions are seen as tainted by its policy-making concerns, and vice versa.[17]

46.12 An alternative structure to an individual regulator is a commission. Proponents of commissions argue that a commission structure: helps reduce the danger that regulators will feel vulnerable and behave defensively; creates a sense that decisions follow internal debate; increases legitimacy and accountability; and spreads the workload involved in regulating complex industries.[18] Critics, however, argue that a commission structure may lead to: inconsistent decisions, as decisions would be made by a commission whose composition may change; slower decision making; and possible loss of clarity of responsibility.[19]

Submissions and consultations

46.13 In the Discussion Paper, Review of Australian Privacy Law (DP 72), the ALRC identified support in submissions and consultations for the current legislative structure of the OPC.[20] The OPC noted in particular that the OPC’s structure as a statutory body with a Commissioner appointed for a specified term is consistent with international standards regarding privacy regulation.[21]

46.14 The OPC raised several issues, however, in relation to the OPC’s legislative structure. First, the OPC noted that the delegation power prohibits the Commissioner from delegating the power under s 52 to make determinations (or the power to issue tax file guidelines under s 17). In the OPC’s view, this restriction meant the exercise of the determination power is necessarily limited to the individual Commissioner’s availability, which, given the OPC’s commitment to making more determinations, was problematic. Consequently, the OPC suggested that the Privacy Act be amended to allow the power in s 52 to be exercised by senior staff members (such as the Deputy or Assistant Privacy Commissioner).

46.15 Secondly, the OPC reiterated its recommendation that the name of the Office should be changed to the ‘Australian Privacy Commission’.[22] The OPC argued that the similarity of names between state privacy regulators and the OPC causes confusion for consumers who are trying to work out to whom they should make a complaint. The OPC also argued that renaming the office as suggested would be more consistent with other federal regulators, such as the ‘Australian Competition and Consumer Commission’ and the ‘Australian Securities and Investments Commission’.[23]

Discussion Paper proposals

46.16 In DP 72, the ALRC made a number of proposals to amend the legislative structure of the OPC. The ALRC supports the independent nature of the OPC and proposed that the number of statutory officers at the OPC be extended to include one or more Deputy Privacy Commissioners, who, subject to the Privacy Commissioner’s oversight, could exercise all the functions conferred on the Privacy Commissioner.[24] In the ALRC’s view, this would enable more than one person to exercise important functions such as the determination power in s 52 of the Privacy Act, and would also facilitate an expansion of the OPC to a commission-style body.

46.17 The move to a commission-style body was also supported by the proposal to change the OPC’s name to the ‘Australian Privacy Commission’.[25]

Submissions and consultations on DP 72

46.18 The ALRC received a number of submissions on both of these proposals. In relation to the proposed name change, all stakeholders that commented on the proposal were in support of changing the OPC’s name to the ‘Australian Privacy Commission’.[26] The inclusion of ‘Australian’ in the name change was thought to be more consistent with other federal regulators and ‘is a more appropriate name for the office to have in the context of its function of engaging in the international privacy arena’.[27] The change of name was also thought to reflect the expansion of the OPC’s functions and purview.[28]

46.19 Support was also expressed by several stakeholders for the ALRC’s proposal to allow for the appointment of Deputy Privacy Commissioners as statutory officers.[29] The Law Society of New South Wales commented that ‘[a]n effective infrastructure for the regulation of privacy matters needs a properly structured and constituted responsible body to promote the legislative purposes of the Privacy Act and to protect the privacy of individuals’.[30]

46.20 The Public Interest Advocacy Centre (PIAC) welcomed the ability of the Deputy Commissioners to exercise the determinations function, describing the exercise of the determinations power as ‘fundamental to the effective operation of the Act’. PIAC also noted that ‘multiple statutory officers will allow for greater separation of the functions of the Office, thus avoiding perceived conflicts between these functions’.[31] The Australian Privacy Foundation supported, in principle, the expansion of the OPC to include at least two statutory officers but expressed concern that the relationship between the Deputy Privacy Commissioner and the Privacy Commissioner required further clarification.[32]

46.21 In contrast, the OPC strongly opposed the appointment of further statutory officers to the OPC. While agreeing that officers in addition to the Commissioner should have the ability to exercise all of the powers, duties and functions of the Privacy Commissioner, including those conferred by ss 52 and 28(1)(a), the OPC did not believe it was necessary that such officers be statutorily appointed in order to exercise effectively those powers, duties and functions. In relation to the ALRC’s suggestion that the significance of the determinations power is such that it should be exercised only by independent, statutory officers, the OPC submitted:

The exercise of the determination power in s 52 is significant, however its proper use is not impacted by the method by which an officer was appointed, but rather by the capacity of that officer to exercise the power in accordance with principles of administrative law. This Office does not consider that the statutory appointment of one or more Deputy Commissioners is necessary for the independent, transparent and accountable exercise of those powers.[33]

46.22 The OPC submitted that, consistently with the CEO responsibilities of the Commissioner, ‘it is more appropriate that the Commissioner appoint and manage senior staff’.[34]

Office of the Information Commissioner

46.23 During the 2007 federal election, the Australian Labor Party proposed bringing together the functions of privacy protection and freedom of information in an ‘Office of the Information Commissioner’. This office would preserve the existing role of the Privacy Commissioner and appoint a Freedom of Information Commissioner as a statutory office holder responsible for freedom of information law.[35] At the time this Inquiry was completed, this policy had not yet been implemented.

46.24 Smartnet expressed a preference for a combined office of Information Commissioner and Privacy Commissioner, as proposed by the Australian Labor Party. Smartnet suggested that by creating a combined Office of Information Commissioner, the government has the ‘opportunity to coherently and consistently deal with both privacy and data protection’.[36]

46.25 Following the release of DP 72, on 24 September 2007, the former Attorney-General of Australia referred to the ALRC for inquiry and report matters relating to the extent to which the Freedom of Information Act 1982 (Cth) and related laws continue to provide an effective framework for access to information in Australia.[37] Some of the interaction between privacy and freedom of information laws may be considered by this inquiry, including the location of an office holder with responsibility for freedom of information law.[38]

ALRC’s view

46.26 The legislative structure of the OPC is an integral part of building an effective infrastructure for privacy regulation in Australia. It is critical that the body responsible for regulating the personal information-handling practices of the federal public sector and applicable organisations is named, structured and constituted in a manner that best helps it achieve its legislative purpose to promote and protect privacy in Australia.[39]

46.27 The approach of compliance-oriented regulation adopted by the ALRC in its regulatory model requires the Commissioner to play a pivotal role in securing the compliance of regulated entities with the Privacy Act, monitoring that compliance, and enforcing compliance. While the remit of the Privacy Act is already very wide, the ALRC makes several recommendations in this Report which will widen it further. These include the recommendation to remove the small business exemption and for further expansion and exercise of the OPC’s powers to enable it to monitor and enforce compliance more effectively.[40] These recommendations are likely to increase significantly the workload of the OPC. It is important to consider, therefore, whether the current legislative structure of the OPC is adequate to fulfil these roles and meet the needs of the community.

46.28 The OPC should be renamed the ‘Australian Privacy Commission’ and the Privacy Act should be amended to provide for the appointment by the Governor-General of one or more Deputy Privacy Commissioners. These Deputy Privacy Commissioners would be able to exercise all the powers, duties and functions of the Privacy Commissioner under the Privacy Act—including a power conferred by s 52 and a power in connection with the performance of the function of the Privacy Commissioner set out in s 28(1)(a)—or any other enactment.

46.29 Privacy is a growing international and local issue, manifested in many different areas, including cross-border information flows, the internet, e-commerce and e-health issues. The international dimension of privacy regulation requires a well-resourced and prominent regulator to contribute to and influence the development of international regulatory relationships and responses to emerging issues. Providing for the appointment of one or more Deputy Privacy Commissioners, as statutory office holders with the attendant rights and protections, is an important step to expand the size of the federal privacy regulator, and should encourage a commensurate increase in the perception of the importance of the privacy regulator and privacy regulation in Australia.

46.30 This recommendation to appoint further statutory officers would facilitate a move to a commission-style body, which would have a flatter distribution of responsibility across a number of individuals. This is consistent with the renaming of the OPC to the ‘Australian Privacy Commission’.

46.31 Increasing the number of statutory office holders also allows for greater collegiate decision making, encouraging greater accountability and transparency in operations, but still ensuring there is a ‘head’ governing the body as a whole. If the Privacy Commissioner desired, the office could be divided formally into Divisions, with a Deputy Commissioner heading each division and with the Privacy Commissioner continuing to oversee the entire operation of the Commission. As noted by some stakeholders, this would help avoid perceived conflicts between the different arms of the office.[41]

46.32 Importantly, the ALRC’s recommended legislative structure retains the benefits of having a visible and prominent ‘head’ of the organisation, as the Privacy Commissioner would remain paramount given the oversight role of the Commissioner. The ALRC notes that there have been several Deputy Privacy Commissioners appointed in Canada, to guarantee ‘ethical decision-making and values-based management’.[42]

46.33 Increasing the number of statutory appointees would provide a means to address the delegation issue raised by the OPC in its submission to the Issues Paper, Review of Privacy (IP 31). The Act currently prohibits the Privacy Commissioner from delegating his or her power to make determinations under s 52 (as well as the power to issue tax file number guidelines under s 17). In the ALRC’s view, the determination power is significant and should be exercised only by statutory officers appointed under the Privacy Act. Although—following the High Court’s decision in Brandy v Human Rights and Equal Opportunity Commission[43]—determinations are no longer binding and conclusive between parties, the power to issue determinations is still one of the most significant powers vested in the Commissioner.

46.34 The recommendation to appoint more statutory officers who are expressly authorised to exercise all the powers of the Privacy Commissioner—including a power under s 52—respects the significance of the power in s 52 and ameliorates the problem of it being limited to one person’s availability. Having additional statutory officers with power to make determinations should also give the OPC the means to address concerns about the rare use of the determinations power. It would also facilitate implementation of the ALRC’s recommendation to give complainants and respondents the right, in certain circumstances, to require the Commissioner to issue a determination in relation to their complaint.[44]

46.35 The ability to appoint more than one statutory officer would enable the OPC to develop strong expertise in emerging areas of regulation. For example, a Shared National Electronic Health Record system[45] could require the OPC to allocate significant resources towards its oversight. In such circumstances, it may be useful to appoint a Deputy Commissioner with health privacy expertise to head a health privacy division in the OPC.

Recommendation 46-1 The Privacy Act should be amended to change the name of the ‘Office of the Privacy Commissioner’ to the ‘Australian Privacy Commission’.

Recommendation 46-2 The Privacy Act should be amended to provide for the appointment by the Governor-General of one or more Deputy Privacy Commissioners. The Act should provide that, subject to the oversight of the Privacy Commissioner, the Deputy Commissioners may exercise all the powers, duties and functions of the Privacy Commissioner under the Act or any other enactment.

[1] Commonwealth, Parliamentary Debates, House of Representatives, 9 December 1998, 1660 (D Williams—Attorney-General), 1660.

[2] Privacy Act 1988 (Cth) s 19.

[3] Ibid ss 19A(1), 20(1).

[4] Ibid s 20.

[5] Ibid s 25.

[6] Ibid s 26.

[7] Privacy Act 1993 (NZ) s 15.

[8] Privacy Act RS 1985, c P-21 (Canada) ss 56–57.

[9] The Commissioner’s functions and powers in relation to general interferences with privacy are set out in detail in Ch 47. The Commissioner’s functions in relation to credit reporting are discussed in Part G.

[10] Privacy Act 1988 (Cth) ss 27(2), 28(2), 28A(2).

[11] Ibid s 34 limits the Commissioner’s powers ‘in connection with the performance of the functions referred to in section 27’ in relation to documents exempt under the Freedom of Information Act 1982 (Cth).

[12] Privacy Act 1988 (Cth) s 99.

[13] Note that s 26A of the Privacy Act provides that the Commissioner and the Australian Public Service employees assisting the Commissioner constitute a Statutory Agency for the purposes of the Public Service Act 1999 (Cth) and the Commissioner is the Head of the Statutory Agency.

[14] R Baldwin and M Cave, Understanding Regulation: Theory, Strategy and Practice (1999), 71: quoted in United Kingdom Government National Audit Office, The Work of the Directors General of Telecommunication, Gas Supply, Water Services and Electricity Supply (2006), [2.3].

[15] R Baldwin and M Cave, Understanding Regulation: Theory, Strategy and Practice (1999), 324.

[16] United Kingdom Director General of Telecommunications, Submission to the Review of Utility Regulation, 1 September 1997, [5.31].

[17] R Baldwin and M Cave, Understanding Regulation: Theory, Strategy and Practice (1999), 70–71.

[18] Ibid, 324.

[19] Ibid, 324–325.

[20] See Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; Queensland Council for Civil Liberties, Submission PR 150, 29 January 2007.

[21] See Criteria and Rules for Credentials Committee and the Accreditation Principles, (Adopted on 25 September 2001 during the 23rd International Conference of Data Protection Commissioners held in Paris, 24–26 September 2001 and as amended on 9 September 2002 during the 24th International Conference of Data Protection and Privacy Commissioners held in Cardiff 9–11 September 2002).

[22] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007. See also Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), rec 6.

[23] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 47.

[24] See Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 43–2.

[25] See Ibid, Proposal 43–1.

[26] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; Association of Market and Social Research Organisations and Australian Market and Social Research Society, Submission PR 502, 20 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Centre for Law and Genetics, Submission PR 497, 20 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007. The Australian Direct Marketing Association ‘does not disagree’ with this proposal: Australian Direct Marketing Association, Submission PR 543, 21 December 2007.

[27] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007. See also Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[28] See Association of Market and Social Research Organisations and Australian Market and Social Research Society, Submission PR 502, 20 December 2007; Centre for Law and Genetics, Submission PR 497, 20 December 2007.

[29] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Consumer Action Law Centre, Submission PR 510, 21 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007. The Australian Direct Marketing Association ‘did not disagree’ with this proposal: Australian Direct Marketing Association, Submission PR 543, 21 December 2007.

[30] Law Society of New South Wales, Submission PR 443, 10 December 2007.

[31] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007. See also Australian Privacy Foundation, Submission PR 553, 2 January 2008.

[32] Australian Privacy Foundation, Submission PR 553, 2 January 2008.

[33] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[34] Ibid.

[35] K Rudd and J Ludwig, Government Information: Restoring Trust and Integrity—Election 2007 Policy Document (2007) Australian Labor. This proposal is discussed further in Ch 15.

[36] Smartnet, Submission PR 457, 11 December 2007.

[37] The Terms of Reference are available on the ALRC website at <www.alrc.gov.au/inquiries/current/foi/terms.htm>.

[38] This issue is discussed further in Ch 15.

[39] Office of the Privacy Commissioner, About the Office <www.privacy.gov.au/about/> at 14 April 2008.

[40] Rec 39–1.

[41] See Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[42] Office of the Privacy Commissioner of Canada, ‘Interim Privacy Commissioner Responds to OAG and PSC Audits’ (Press Release, 30 September 2003).

[43] Brandy v Human Rights and Equal Opportunity Commission (1995) 183 CLR 245. Following Brandy, the Human Rights Legislation Amendment Act 1995 (Cth) removed the Commissioner’s power to register determinations in the Federal Court.

[44] Rec 49–5.

[45] See Ch 61.