16.08.2010
47.2 The Commissioner’s functions in overseeing the operation of the Privacy Act include: giving advice; providing research on, and monitoring of, technological developments; and conducting education. The Commissioner also has oversight functions in relation to tax file numbers and credit reporting.[2]
Advice functions
47.3 The Commissioner has several advisory functions under the Privacy Act. These are to:
Provide advice to a minister, agency or organisation on any matter relevant to the operation of the Privacy Act.[3] A related function is to inform the Minister of action that needs to be taken by an agency to comply with the Information Privacy Principles (IPPs).[4]
Examine any proposal for data-matching or data linkage that may involve an interference with the privacy of individuals or may otherwise affect adversely the privacy of individuals, and to ensure that any adverse effects are minimised.[5]
Examine any proposed enactment that would require or authorise acts or practices of an agency or organisation that might, in the absence of the enactment, be an interference with the privacy of individuals or which may otherwise affect adversely the privacy of individuals and to ensure that any adverse effects are minimised.[6]
Make reports and recommendations to the Minister in relation to any matter that concerns the need for, or the desirability of, legislative or administrative action in the interests of individuals’ privacy.[7]
Provide advice to tax file number (TFN) recipients about their obligations under the Taxation Administration Act 1953 (Cth) and on any matter relevant to the operation of the Privacy Act.[8]
Provide advice to the adjudicator appointed under a privacy code on any matter relevant to the operation of the Privacy Act or the relevant privacy code.[9]
47.4 In 2006–07, the Commissioner used her advice functions to prepare 163 advices on significant policy issues, representing a 20% increase in the number of policy advices issued by the OPC in 2005–06. As described in the Annual Report of the Office of the Privacy Commissioner (OPC), the advices included: letters and emails to government departments, agencies and organisations on specific proposals; advice for guidance material published by the Commissioner; and advice for inclusion in other reports and published documents.[10] The OPC also provided 32 submissions to government departments and parliamentary inquiries on policy proposals or Bills before Parliament.[11]
Research and monitoring functions
47.5 Another aspect of the Commissioner’s functions in overseeing the Privacy Act is undertaking research into, and monitoring developments in, data processing and computer technology (including data-matching and data linkage) to minimise their adverse effects on the privacy of individuals and to report to the Minister about the results of such research and monitoring.[12] The Commissioner also has the function of monitoring and reporting on the adequacy of equipment and user safeguards.[13]
Education functions
47.6 The Commissioner’s oversight functions in relation to education include:
promoting an understanding and acceptance of the IPPs and National Privacy Principles (NPPs) and of the objects of those principles;[14] and
undertaking educational programs on the Commissioner’s own behalf or in cooperation with other persons or authorities acting on behalf of the Commissioner, for the purpose of promoting the protection of individual privacy.[15]
47.7 The OPC has said that a factor likely to increase community confidence that individuals’ rights are protected is ‘raising awareness about individuals’ privacy rights’.[16] To this end, the OPC provides information through its information hotline and its website (which contains various OPC publications). Visits to the OPC’s website have increased each year.[17]
47.8 Considerable attention was given to the Commissioner’s education power in the OPC review of the private sector provisions of the Privacy Act (OPC Review) and the Senate Legal and Constitutional References Committee inquiry into the Privacy Act 1988 (Senate Committee privacy inquiry). Overall, the submissions acknowledged that education by the OPC plays a vital part in promoting community awareness of privacy laws. It was suggested in several submissions that public awareness be raised, using either one-off or regular campaigns. It was also suggested that sectors of the community with low awareness of privacy rights be targeted, and that campaigns address not only individuals’ rights, but also the rights and obligations of organisations.[18]
47.9 Both reviews called for the OPC to be funded adequately. It was said that this would facilitate a shift in focus from complaint handling to education. In the OPC Review, the OPC noted that ‘since the implementation of the private sector provisions, the Office has shifted resources from its guidance and advice role to its compliance role to try to better manage and resolve the complaints received’.[19] It recognised, however, that ‘organisations need more guidance’[20] and recommended that the Government consider specifically funding the OPC to undertake a systematic and comprehensive education program to raise community awareness of privacy rights and obligations.[21]
47.10 Following the OPC Review, the then Coalition Government made a commitment in 2006 to provide additional funding to the OPC over the next four years. In response, the OPC has stated that this could
allow us to respond to calls from business and industry for greater assistance in meeting their obligations under the Privacy Act. Following on from recommendations made in my 2005 review of the private sector provisions of the Privacy Act, my Office will work closely with business and consumer representatives to develop guidance and educational material to assist organisations and individuals to better understand their rights and responsibilities under the Privacy Act.[22]
Submissions and consultations
47.11 In DP 72, the ALRC identified support in submissions and consultations for the OPC’s oversight, advice and education roles. Concern was expressed by the OPC, however, that the current research and monitoring power is limited to researching computer technology. The OPC submitted that the reference in s 27(1)(c) to ‘computer technology’ is outdated and ‘may inadvertently restrict the operation of this clause which the Office believes is intended to provide for research into technologies with a possible privacy impact, whether or not they are computer-based’.[23] Accordingly, the ALRC proposed that the power be broadened to include research more generally, by removing the word ‘computer’ in the function.[24]
47.12 The ALRC received a number of submissions in support of the proposal to widen the Commissioner’s research function to cover all technologies.[25] For example, the Department of Human Services submitted that the proposal ‘will help encompass all present technologies that could possibly impact on an individual’s privacy, thus making the Privacy Act more technology neutral’.[26]
47.13 DP 72 also identified concerns about the public nature of advice issued by the OPC and the exercise of the education function. In relation to the issuing of advice, the Consumer Credit Legal Centre (NSW) (CCLC) submitted that, while the Commissioner’s legislative power to provide advice is appropriate, ‘its exercise is not always effective nor does it always produce fair outcomes for consumers’.[27] In particular, the CCLC submitted that any advice given by the Commissioner in relation to any matter relevant to the operation of the Act should be made public, ‘in order to ensure the transparency and fairness of OPC’s operations’.
47.14 The exercise of the education function also drew comment from stakeholders. Several stakeholders commented on the apparent lack of priority given by the OPC to the education function and the need for more guidance from the OPC to encourage an understanding of, and compliance with, the privacy principles.[28] Stakeholders noted the preventative aspects of education—to reduce the potential for breaches of privacy and ‘ill-informed reliance on privacy as a reason for refusing to take particular action’.[29]
47.15 In relation to public education, stakeholders commented on the ‘utility of education materials in uplifting public confidence in, and awareness of, the OPC’s ability to enforce privacy rights’.[30] Another stakeholder observed that lack of understanding of privacy regulation is often the source of complaints, with more education identified as a way to address this problem.[31] The public forums and consultations conducted, and submissions received by the ALRC in this Inquiry, suggested low levels of awareness and understanding of privacy laws in the community. The ALRC received many stories of ‘BOTPA’ (‘because of the Privacy Act’) explanations being given as a reason for refusing a request for information or assistance from an agency or organisation.[32] While the extent to which such explanations are based on a proper understanding and application of the Act, rather than a deliberate excuse to avoid giving information, is not clear, education may help to increase understanding and lessen the reliance on BOTPA explanations.[33]
47.16 Some stakeholders suggested that industry bodies, schools and other institutions also should bear some responsibility to educate their members, students or constituencies about privacy obligations.[34] It was suggested, for example, that privacy should be taught in medical schools and in intern programs to ensure that medical students are aware of their obligations before they handle personal information about their patients.
47.17 The Cyberspace Law and Policy Centre submitted that the Privacy Commissioner’s power under s 27 to report to the Minister on the exercise of his or her functions also should be broadened to allow reports to the public or to Parliament on all of the matters listed in the section (except those dealing with national security or similar considerations of confidentiality).[35]
47.18 Stakeholders supported the role of the Commissioner in providing education and guidance. The Australasian Compliance Institute suggested that the OPC should continue to take ‘a leadership role’ in relation to guidance and education at an agency, industry, and consumer level and it should maintain a consultative approach.[36] Similarly, the Federation of Community Legal Centres (Victoria) emphasised that this power needs to be exercised more extensively and in a targeted fashion in consultation with disadvantaged individuals, communities and their advocates, so that those who are most vulnerable to privacy breaches gain a better understanding of their rights and how they may be exercised effectively.[37]
ALRC’s view
47.19 The Commissioner’s oversight functions provide important tools to: increase understanding of federal privacy law; contribute a privacy perspective to public debates; and establish dialogue on privacy issues between the OPC and agencies and organisations. These functions enable the Commissioner to be proactive in increasing awareness and understanding of privacy to prevent non-compliance. As discussed in Chapters 4 and 45, these functions enable the Commissioner to play a critical role in the ALRC’s recommended regulatory model for privacy. These functions should be interpreted broadly, and resourced effectively.
47.20 The ALRC recommends one amendment to the Commissioner’s oversight functions. The ALRC’s view is that, given the serious impact technology can have on invading privacy or enhancing privacy protection, the Commissioner’s research and monitoring function should be broad enough to enable the OPC to research and monitor all relevant technologies.[38] Some technologies may not come within an ordinary understanding of ‘computer technology’, yet still raise privacy issues. Biometrics is one example. The wording of s 27(1)(c) should be broadened to allow for research and monitoring of any pertinent technologies. This can be achieved most easily by removing the reference to ‘computer’. Such an amendment is also consistent with the ALRC’s recommendation that the privacy principles be technology neutral.[39]
47.21 As amended, this function provides the OPC with the specific power to call on its knowledge and expertise on privacy issues and conduct research into, for example, new and developing areas of technology. Research and reports to the Minister can provide an excellent medium to guide policy in these areas and to increase awareness of the issues raised by particular technologies. For these reasons, the ALRC recommends that the research power be broadened to explicitly empower the Privacy Commissioner to undertake research, and monitor developments in technology generally (as well as data-matching).
47.22 While the ALRC is not recommending reform of the OPC’s advice function, the ALRC notes the concerns of stakeholders that advice should be timely and public. It is preferable, therefore, that advice (or a generic form of it) is made public if it is relevant to a broader audience and would increase understanding of the Privacy Act. It would not be reasonable, however, to require that all advice given by the Commissioner in relation to any matter relevant to the operation of the Act be made public. A minister or an agency may approach the Commissioner for advice on a confidential basis about Cabinet proposals, or an organisation may seek advice on proposals that are commercial-in-confidence or disclose an innovation or new project. Requiring such advice to be made public may discourage agencies and organisations from approaching the OPC, which would undermine the Commissioner’s oversight and advisory functions.
47.23 The ALRC recognises the pivotal role education plays in a principles-based regime such as the Privacy Act. Compliance with such a regime is dependent on a shared understanding of what the principles mean and how they are to be applied. Education is also critical to raise awareness of privacy rights in the community; indeed, one of the recommended objects of the Privacy Act is to promote the protection of individual privacy.[40]
47.24 As compliance is ultimately the responsibility of the agency or organisation, it is important that industry groups and peak bodies perform a role in increasing awareness of privacy obligations and fostering compliance in their industries. The ALRC supports the involvement of industry bodies and authorities in undertaking education programs on the requirements of the Privacy Act, either in conjunction with, or in addition to, education programs undertaken by the OPC. Information sheets, fact sheets, and ‘frequently asked questions’ on industry websites can play an important role in assisting organisations understand their privacy obligations in an industry-specific manner.[41]
Recommendation 47-1 The Privacy Act should be amended to delete the word ‘computer’ from s 27(1)(c).
[2] The general approach of the Privacy Act is to state the Commissioner’s ‘functions’ and give the Commissioner ‘power to do all things necessary or convenient to be done for or in connection with the performance of his or her functions’: Privacy Act 1988 (Cth) ss 27(2), 28(2), 28A(2).
[3] Ibid s 27(1)(f). See also the equivalent function in credit reporting: s 28A(1)(f).
[4] Ibid s 27(1)(j). Currently, the minister with responsibility for the Privacy Act is the Cabinet Secretary.
[5] Ibid s 27(1)(k).
[6] Ibid s 27(1)(b). This power, and the related concept of privacy impact assessments, is discussed separately below.
[7] Ibid s 27(1)(r). Currently, the minister with responsibility for the Privacy Act is the Cabinet Secretary.
[8] Ibid s 28(1)(g).
[9] Ibids 27(1)(fa).
[10] Office of the Privacy Commissioner, The Operation of the Privacy Act Annual Report: 1 July 2006–30 June 2007 (2007), 5.
[11] Ibid, 6.
[12]Privacy Act 1988 (Cth) s 27(1)(c). Currently, the minister with responsibility for the Privacy Act is the Cabinet Secretary.
[13] Ibid s 27(1)(q). The use of these powers in relation to new and developing technologies is discussed further in Part B.
[14] Ibid s 27(1)(d).
[15] Ibid s 27(1)(m).
[16] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 105.
[17] See Office of the Privacy Commissioner, The Operation of the Privacy Act Annual Report: 1 July 2006–30 June 2007 (2007), 32–33.
[18] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 107–111. See also Parliament of Australia—Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005), 145.
[19] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 5.
[20] Ibid, 7.
[21] Ibid, recs 26, 48. The Senate Committee privacy inquiry made a similar recommendation: Parliament of Australia—Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005), rec 19.
[22] Office of the Privacy Commissioner, The Operation of the Privacy Act Annual Report: 1 July 2005–30 June 2006 (2006), 2–3.
[23] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.
[24] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 44–1.
[25] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007.
[26] Australian Government Department of Human Services, Submission PR 541, 21 December 2007.
[27] Consumer Credit Legal Centre (NSW) Inc, Submission PR 160, 31 January 2007. Similar comments were made in Australian Privacy Foundation, Submission PR 167, 2 February 2007.
[28] Insolvency and Trustee Service Australia, Submission PR 123, 15 January 2007; Office of the Information Commissioner (Northern Territory), Submission PR 103, 15 January 2007.
[29] Office of the Information Commissioner (Northern Territory), Submission PR 103, 15 January 2007. The NHMRC suggested that there is ‘considerable anecdotal evidence that the appropriate handling of health information for important health care and health and medical research purposes is jeopardised by a generally inadequate understanding of the law’: National Health and Medical Research Council, Submission PR 114, 15 January 2007.
[30] Consumer Credit Legal Centre (NSW) Inc, Submission PR 160, 31 January 2007. See also Australian Direct Marketing Association, Submission PR 298, 29 June 2007; Office of the Information Commissioner (Northern Territory), Submission PR 103, 15 January 2007.
[31] Australian Finance Conference, Submission PR 294, 18 May 2007.
[32] Federation of Community Legal Centres (Vic), Submission PR 509, 21 December 2007; H Ruglen, Submission PR 39, 27 June 2006; K Bottomley, Submission PR 10, 1 May 2006; T de Koke, Submission PR 8, 5 April 2006. See also Privacy Commission Victoria, Consultation PC 20, Melbourne, 9 May 2006.
[33] See Office of the Information Commissioner (Northern Territory), Submission PR 103, 15 January 2007.
[34] See Consumer Credit Legal Centre (NSW) Inc, Submission PR 160, 31 January 2007; National Health and Medical Research Council, Submission PR 114, 15 January 2007.
[35] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.
[36] Australasian Compliance Institute, Submission PR 419, 7 December 2007.
[37] Federation of Community Legal Centres (Vic), Submission PR 509, 21 December 2007.
[38] The ALRC recommends that the Commissioner use this research and monitoring function to consider technologies that can be deployed in a privacy-enhancing way by individuals, agencies and organisations: Rec 10–1.
[39] Rec 18–1.
[40] Rec 5–4.
[41] An example of industry advice is a summary information sheet issued by the Real Estate Institute of Australia on Residential Tenancy Database Operators Regulations: see Real Estate Institute of Australia, Residential Tenancy Databases and the Privacy Act 1988 (2007) <www.reia.com.au/documents/
REIA_Summary_on_Amendments_Privacy_and_RTDs-August2007.doc> at 15 May 2008. The OPC has helped spread awareness of this information sheet by including a reference and a link to it on one of its Privacy Connections alerts.