Guidelines

47.25 As discussed in Chapter 4, in a principles-based regime, guidance is often necessary to make the rights and obligations in the Act sufficiently certain and clear.[42] Guidance can be provided in a number of forms, including website information, ‘frequently asked questions’, education programs, and the Commissioner’s oversight functions, discussed above. It also can be provided through the Commissioner’s power to issue non-binding and binding guidelines under the Privacy Act and other legislation.

Power to issue non-binding guidelines

Section 27(1)(e) guidelines

47.26 The Commissioner has the power to prepare and publish guidelines to assist agencies and organisations to avoid acts or practices that may be interferences with, or affect adversely, the privacy of individuals.[43] The s 27(1)(e) guidelines are advisory only and are not legally binding. The guidelines are based on the OPC’s understanding of how the Privacy Act works and indicate some factors the Commissioner may take into account when handling a complaint. Nothing in the guidelines limits how the OPC can handle complaints.[44]

47.27 The Audit Manual for the IPPs, published by the OPC, also addresses the status of guidelines and provides that ‘in any privacy audit, the auditors may, at the discretion of the Privacy Commissioner, examine and report on the level of adherence to any such additional guidelines’.[45] Therefore, while guidelines issued under s 27(1)(e) are not determinative, they are often highly persuasive.

Privacy code guidelines

47.28 Specific provision is made for the Commissioner to prepare and publish guidelines regarding privacy codes. These may assist organisations to develop or apply approved privacy codes; relate to the making of, and dealing with, complaints under approved privacy codes; or discuss matters the Commissioner may consider in deciding whether to approve a code or a variation of an approved code.[46] The OPC published Guidelines on Privacy Code Development in September 2001.[47] These guidelines are binding in relation to complaint handling under a code but otherwise are advisory only.[48]

Power to issue binding guidelines

Tax file numbers

47.29 In addition to the Commissioner’s powers to issue non-binding guidelines, the Commissioner can issue ‘binding’ statutory guidelines under the Privacy Act and other Acts. For example, under s 17 of the Privacy Act, the Commissioner must issue guidelines concerning the collection, storage, use and security of TFN information.[49] These guidelines are made binding by virtue of s 18, which prohibits a file number recipient from doing an act or engaging in a practice that breaches the guidelines.[50]

47.30 The OPC issued Tax File Number Guidelines in 1992 and it has published an annotated version of the guidelines (including all amendments as at March 2004) on its website.[51] The Commissioner has a general power to evaluate compliance with TFN guidelines and may investigate an act or practice of file number recipients that may breach the guidelines.[52] File number recipients also can be audited to ascertain whether records of TFN information maintained by the recipient are in accordance with the s 17 guidelines,[53] which are discussed below.

Medical research guidelines

47.31 The Privacy Act also invests the Commissioner with the power to approve guidelines issued by the NHMRC in relation to medical research and genetic information under ss 95, 95A and 95AA.[54] Once approved, these guidelines are binding.

Other Acts

47.32 The Commissioner is specifically given the power to formulate and issue binding guidelines under s 12 of the Data-matching Program (Assistance and Tax) Act 1990 (Cth) and s 135AA of the National Health Act 1953 (Cth).[55]

Submissions and consultations

47.33 In DP 72, the ALRC proposed that the Privacy Act be amended so that binding guidelines issued by the Privacy Commissioner are renamed ‘rules’, to reflect that a breach of the rules is an interference with privacy under s 13 of the Privacy Act.[56] This would ensure that the difference between non-binding guidelines and binding guidelines was appropriately reflected in the language of the Act.

47.34 Stakeholders were unanimous in their support for this proposal.[57] The OPC, for example, submitted that the proposal had ‘the potential to improve clarity regarding the binding nature of a document produced or recognised under the Privacy Act’.[58]

ALRC’s view

47.35 The power to issue guidance is a critical part of regulating a principles-based regime such as the Privacy Act.[59] The Commissioner’s function in s 27(1)(e), as currently drafted, is broad enough to enable the Commissioner to issue guidance on a range of matters, particularly when read in conjunction with the Commissioner’s powers to provide advice, promote an understanding of the NPPs and IPPs, and undertake education programs. For these reasons, the ALRC is not recommending any reform to the guideline function.

47.36 Consistently, however, with the recommendation that the Privacy Act be redrafted to achieve greater clarity,[60] the ALRC recommends that the language used in the Act should be changed to reflect more accurately the binding or non-binding nature of the guidelines issued. Non-binding guidelines should continue to be called ‘guidelines’, as they provide a voluntary guide on ways to achieve the outcome set by the relevant privacy principle, without compelling directly a particular course of action. In contrast, where the guidelines provide rules for compliance, a breach of which constitutes an interference with privacy, then they should be called ‘rules’. This recommendation will assist agencies and organisations to distinguish between guidelines that are merely advisory and those that operate as rules.

Recommendation 47-2 The Privacy Act should be amended to reflect that, where guidelines issued or approved by the Privacy Commissioner are binding, they should be renamed ‘rules’. For example, the following should be renamed to reflect that a breach of the rules is an interference with privacy under s 13 of the Privacy Act:

(a) Tax File Number Guidelines issued under s 17 of the Privacy Act should be renamed the Tax File Number Rules;

(b) Privacy Guidelines for the Medicare Benefits and Pharmaceutical Benefits Programs (issued under s 135AA of the National Health Act 1953 (Cth)) should be renamed the Privacy Rules for the Medicare Benefits and Pharmaceutical Benefits Programs;

(c) Data-Matching Program (Assistance and Tax) Guidelines (issued under s 12 of the Data-Matching Program (Assistance and Tax) Act 1990 (Cth)) should be renamed the Data-Matching Program (Assistance and Tax) Rules; and

(d) Guidelines on the Disclosure of Genetic Information to a Patient’s Genetic Relative should be renamed the Rules for the Disclosure of Genetic Information to a Patient’s Genetic Relative.

[42] J Black, Principles Based Regulation: Risks, Challenges and Opportunities (2007) London School of Economics and Political Science, 14.

[43]Privacy Act 1988 (Cth) s 27(1)(e). There is an analogous power to prepare guidelines for the avoidance of acts or practices of a credit reporting agency or credit provider that may or might be interferences with the privacy of individuals: see Privacy Act 1988 (Cth) s 28A(1)(e).

[44] Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles (2001), 26. A similar approach is taken in the Office of the Federal Privacy Commissioner, Privacy and Public Key Infrastructure: Guidelines for Agencies using PKI to Communicate or Transact with Individuals (2001), 25; Office of the Federal Privacy Commissioner, Guidelines on Privacy in the Private Health Sector (2001), i; Office of the Federal Privacy Commissioner, The Use of Data Matching in Commonwealth Administration—Guidelines (1998), 3.

[45] Office of the Privacy Commissioner, Privacy Audit Manual—Part I (Information Privacy Principles) (1995), 5.

[46]Privacy Act 1988 (Cth) s 27(1)(ea).

[47] Office of the Federal Privacy Commissioner, Guidelines on Privacy Code Development (2001). The OPC has undertaken to review the Code Development Guidelines: Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), rec 47.

[48]Privacy Act 1988 (Cth) s 18BB(3)(A)(ii).

[49] See also Ibid s 28(1)(a).

[50] A breach of these guidelines constitutes an interference with the privacy of the individual: Ibid s 13(b).

[51] Office of the Federal Privacy Commissioner, Tax File Number Guidelines (1992).

[52]Privacy Act 1988 (Cth) ss 28(1)(f), s 28(1)(b).

[53] Ibid s 28(1)(e).

[54] These guidelines are discussed further in Chs 64, 65.

[55]Privacy Act 1988 (Cth) s 27(1)(p)–(pa).

[56] See Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 44–2.

[57] Australian Government Centrelink, Submission PR 555, 21 December 2007; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[58] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[59] See also Ch 4.

[60] Rec 5–2. Note that, as the ALRC recommends that the existing ss 95 and 95A guidelines be abolished (see Ch 65), the ALRC has not included these guidelines in Rec 47–2 (although if they remain, they should be renamed ‘rules’ consistent with Rec 47–2). This language is also consistent with the approach taken in Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) s 229.