Accountability and transparency

Background

49.74 A number of stakeholders to this Inquiry submitted that transparency and accountability in complaint handling under the Privacy Act should be improved. Two methods of improving transparency and accountability are merits review of the Commissioner’s determinations and providing more guidance on the OPC’s complaint-handling policies and procedures.

Merits review

Background

49.75 The right to merits review of determinations made by the Commissioner is limited to where the respondent is an agency, and is available only in relation to the Commissioner’s decision to include or not include a declaration for compensation or costs.[98] There is no right of appeal to the AAT in respect of determinations against organisations or determinations dismissing a complaint.

49.76 Some stakeholders making submissions to the OPC Review expressed the view that the narrowness of merits review available under the Privacy Act is one factor that prevents there being a useful legal jurisprudence on the Act on which people can rely.[99] It was suggested that the existing provisions were unfair to complainants because, while respondents have a de facto right to have the case heard afresh by refusing to comply with a determination and waiting for the Commissioner or complainant to enforce it in court, this strategy is not available to an aggrieved complainant.[100] The OPC Review concluded that the lack of merits review of determinations was out of step with the position applying to other government authorities and recommended that the Australian Government amend the Act ‘to give complainants and respondents a right to have the merits of complaint decisions made by the Commissioner reviewed’.[101]

Submissions and consultations

49.77 In DP 72, the ALRC identified strong support in submissions and consultations for a right to merits review of all complaint determinations.[102] To increase transparency and accountability, and to facilitate the growth of more jurisprudence on the Privacy Act, the ALRC proposed that the Act be amended to provide for merits review of all decisions made by the Commissioner under s 52.[103]

49.78 Almost all of the stakeholders that commented on this proposal expressed support for it, including the OPC.[104] PIAC expressed the view that restrictions on the ability of parties to seek merits review in the AAT ‘have long been a major deficiency in the Privacy Act’.[105] The AAT submitted that it would not oppose conferral of the proposed jurisdiction, although it noted that generally its jurisdiction to review decisions arising from complaints involved decisions imposing sanctions.[106]

ALRC’s view

49.79 The current right to merits review of determinations are not sufficient. To increase transparency and accountability, the Privacy Act should be amended to provide for merits review of all decisions made by the Commissioner under s 52. Implementation of this recommendation will have the ancillary benefit of facilitating the growth of more jurisprudence on the Act.

Recommendation 49–7 The Privacy Act should be amended to provide that a complainant or respondent can apply to the Administrative Appeals Tribunal for merits review of a determination made by the Privacy Commissioner.

Complaint-handling policies and procedures

Background

49.80 Another method of increasing transparency and accountability in the OPC’s processes and decision making is by publishing clear policies and procedures that outline how the OPC deals with complaints, and by publishing case notes.

49.81 Submissions from stakeholders calling for the OPC to produce a comprehensive manual on its complaint-resolution policies and procedures, in order to shed more light on the way it handles complaints, were considered in the OPC Review.[107] The OPC Review recognised that greater transparency was likely to benefit both complainants and respondents and would increase scrutiny of the OPC’s decisions. It found, however, that ‘it does not appear to be common practice for regulators to publish manuals which set out in great detail their complaint processes’.[108]

49.82 Case notes can help to make the OPC’s handling of complaints more transparent, which in turn improves accountability, by providing examples of how the principles have been interpreted and applied in practice. The OPC publishes case notes that describe the issues in, and outcomes of, selected complaints and has stated that, by providing this insight into how the privacy principles are being applied, the Commissioner aims to ‘ensure the Office is accountable and transparent in its processes and decision making’.[109] Case notes also play an important role ‘to assist individuals, organisations and agencies in deciding whether to pursue a complaint, or to decide if personal information is being handled appropriately’, and ‘to encourage good privacy practices and compliance with the Privacy Act’.[110]

Submissions and consultations

49.83 In DP 72, the ALRC identified concern about the lack of transparency and accountability in the OPC’s complaint-handling procedures.[111] In particular, stakeholders commented on the lack of transparency about complaint resolutions and the remedies being granted by the OPC,[112] and the lack of transparency around how the OPC screens complaints in the initial stages.[113] To remedy this situation, the ALRC proposed that the OPC should prepare and publish a document setting out its complaint-handling policies and procedures.[114]

49.84 Stakeholders supported the production of such a document.[115] A number of stakeholders expressed a view as to the issues that should be addressed. These included that the document should:

  • be clear, able to be comprehended easily and available in different languages;[116]

  • be widely accessible and subject to periodic review; [117]

  • include guidelines about confidentiality during the investigation and conciliation process;[118] and

  • specify timeframes for the resolution of disputes, including for the various steps of the process. [119]

49.85 The Cyberspace Law and Policy Centre submitted that, as well as a complaint-handling policy, the OPC should continue to improve its reporting of how complaints have been handled and settled—including statistics of the remedies obtained (including the number of cases in which compensation was paid and the amounts).[120]

49.86 Youthlaw suggested that the OPC should consider new approaches to make complaint mechanisms more ‘user-friendly’ for young people. These included:

  • setting up a specific contact/advice point for young people to access if they believe their rights to privacy may have been breached;

  • better resourcing and funding of youth specific legal services to assist young people to utilise existing complaints mechanisms;

  • training to youth workers regarding privacy and assisting young people to protect their privacy or provide outreach workers from the Privacy Commission to deliver information to youth services or schools.[121]

ALRC’s view

49.87 A valuable way of increasing transparency in complaint handling under the Privacy Act would be for the OPC to prepare and publish a document setting out its complaint-handling policies and procedures. This document could draw on existing resources and publications of the OPC, such as information included in the ‘Privacy Complaints’ section on the OPC website and in Information Sheet 13, which sets out the Commissioner’s approach to promoting compliance with the Privacy Act.[122] The recommended document also could include the OPC’s determination policy.[123] The guide should be easy to understand and readily accessible, and should indicate the timeframes involved in the complaint-resolution process, where possible.

49.88 Consolidating this information into one document should increase the accessibility and transparency of the complaint-handling process. It also would make a useful resource for agencies, organisations and individuals.

49.89 In Chapter 67, the ALRC recommends that the OPC should develop and publish educational material about privacy issues aimed at children and young people.[124] This material should include information about the role of the OPC and its complaint-handling processes in an accessible format.

Recommendation 49–8 The Office of the Privacy Commissioner should develop and publish a document setting out its complaint-handling policies and procedures.

[98]Privacy Act 1988 (Cth) s 61.

[99] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 137–138.

[100] Ibid, 138–139. See also G Greenleaf, Consultation PC 5, Sydney, 28 February 2006.

[101] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 153, rec 40.

[102] Queensland Government, Submission PR 242, 15 March 2007; Legal Aid Queensland, Submission PR 212, 27 February 2007; Privacy NSW, Submission PR 193, 15 February 2007; Telstra, Submission PR 185, 9 February 2007; G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007; Consumer Credit Legal Centre (NSW) Inc, Submission PR 160, 31 January 2007; Consumer Credit Legal Centre (NSW) Inc, Submission PR 28, 6 June 2006. See also Electronic Frontiers Australia Inc, Submission to the Senate Legal and Constitutional References Committee Inquiry into the Privacy Act 1988, 24 February 2005 as affirmed in Electronic Frontiers Australia Inc, Submission PR 76, 8 January 2007.

[103] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 45–7.

[104] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Australian Government Department of Agriculture‚ Fisheries and Forestry, Submission PR 556, 7 January 2008; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Optus, Submission PR 532, 21 December 2007; Consumer Action Law Centre, Submission PR 510, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Veda Advantage, Submission PR 498, 20 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007; Australasian Compliance Institute, Submission PR 419, 7 December 2007; P Youngman, Submission PR 394, 7 December 2007.

[105] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[106] Administrative Appeals Tribunal, Submission PR 481, 17 December 2007.

[107] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 137, 142, 151.

[108] Ibid, 151.

[109] Office of the Privacy Commissioner, The Operation of the Privacy Act Annual Report: 1 July 2006–30 June 2007 (2007), 58. See Office of the Privacy Commissioner, Complaint Case Notes, Summaries and Determinations (2007) <www.privacy.gov.au/act/casenotes/index.html> at 15 May 2008.

[110] Office of the Privacy Commissioner, The Operation of the Privacy Act Annual Report: 1 July 2006–30 June 2007 (2007), [3.5]. See Office of the Privacy Commissioner, ‘Commissioner’s Use of s 52 Determination Power’ (2006) 1(1) Privacy Matters 2, 2.

[111] G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007; Queensland Council for Civil Liberties, Submission PR 150, 29 January 2007.

[112] G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007; Queensland Council for Civil Liberties, Submission PR 150, 29 January 2007. See also Electronic Frontiers Australia Inc, Submission to the Senate Legal and Constitutional References Committee Inquiry into the Privacy Act 1988, 24 February 2005 as affirmed in Electronic Frontiers Australia Inc, Submission PR 76, 8 January 2007.

[113] AAMI, Submission PR 147, 29 January 2007.

[114] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 45–8.

[115] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Australian Government Centrelink, Submission PR 555, 21 December 2007; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Australian Lawyers Alliance, Submission PR 528, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007.

[116] Law Society of New South Wales, Submission PR 443, 10 December 2007.

[117] Ibid.

[118] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[119] Ibid.

[120] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[121] Youthlaw, Submission PR 390, 6 December 2007.

[122] See Office of the Privacy Commissioner, Privacy Complaints <www.privacy.gov.au/privacy_rights/
complaints/index.html> at 1 August 2007; Office of the Federal Privacy Commissioner, The Privacy Commissioner’s Approach to Promoting Compliance with the Privacy Act 1988, Information Sheet 13 (2001).

[123] Office of the Privacy Commissioner, ‘Commissioner’s Use of s 52 Determination Power’ (2006) 1(1) Privacy Matters 2.

[124] Rec 67–2.