16.08.2010
5.73 The Privacy Act is essentially limited in its scope to the protection of personal information. It does not regulate other elements of the right to privacy, for example, the right to be free from arbitrary or unlawful interference with one’s home or family life. The Privacy Commissioner, Karen Curtis, noted in evidence to the Senate Legal and Constitutional References Committee inquiry into the Privacy Act (Senate Committee privacy inquiry):
I think we should all remember that, while our Privacy Act is about the protection of personal information or sensitive information, it is really about data protection. It is not about privacy in the broader sense of bodily privacy or privacy in other areas. I think ‘privacy’ is often seen as a catch-all and so our Privacy Act does not address all aspects of territorial privacy or bodily privacy.[120]
5.74 The Australian Government is not alone in using this nomenclature for legislation that protects personal information. Both Canada and New Zealand have a Privacy Act. The Canadian Privacy Act 1985 regulates the handling of personal information by the public sector. The New Zealand Privacy Act 1993 regulates the handling of personal information in both the public and the private sector.
5.75 Names given to similar legislation in a number of other jurisdictions, however, indicate more accurately the scope of the legislation; for example:
- Privacy and Personal Information Protection Act 1998 (NSW);
- Information Privacy Act 2000 (Vic);
- Personal Information Protection Act 2004 (Tas);
- Information Act 2002 (NT);
- Data Protection Act 1998 (United Kingdom); and
- Personal Information Protection and Electronic Documents Act 2000 (Canada).[121]
5.76 Nomenclature in the legislative context is important because accurate descriptive names provide a snapshot of the content of the legislation. Names may also serve political purposes, for example, assisting the passage of a Bill through Parliament, and may act to publicise the legislation locally and internationally.[122] Names that do not accurately describe the scope of legislation may mislead the public into believing that a law covers particular areas that, in fact, it does not.
5.77 In DP 72, the ALRC proposed that the Privacy Act should be renamed the Privacy and Personal Information Act on the basis that the current name does not accurately reflect the main focus of the legislation, and has the potential to cause confusion.[123] This is a particular problem with a term such as ‘privacy’, which potentially covers a number of areas and is in general use in the community in relation to matters that are not covered by the Privacy Act. The ALRC suggested that the proposed name more clearly reflected the main focus of the Act, that is, the privacy of personal information, while at the same time being wide enough to indicate that the Privacy Commissioner has a number of functions that do not relate to personal information.
5.78 Alternatively, if the Act were amended to include a statutory cause of action for invasion of privacy, as proposed in DP 72,[124] the ALRC suggested that the name of the Act should remain the same.
Submissions and consultations
5.79 A number of submissions expressed support for the current name of the Privacy Act.[125] The OPC noted that the functions of the Privacy Commissioner set out in s 27 of the Act are wider than the protection of personal information. They include education to promote the protection of individual privacy[126] and recommendations to the Attorney-General on the need for legislative or administrative action in the interests of privacy.[127]
Moreover, the Office observes that information privacy can intersect with other categories of privacy. For example, location detection technologies, which collect information about an individual’s whereabouts, might be considered to cut across both information and physical privacy. In the view of the Office, the Privacy Act should therefore continue to be an instrument that can effectively respond to these broader privacy issues.[128]
5.80 The OPC suggested that the Act should be renamed the Australian Privacy Act to differentiate it more clearly from privacy legislation in other jurisdictions. The OPC was of the view that the ALRC’s proposed title, the Privacy and Personal Information Act,was similar to the New South Wales Privacy and Personal Information Protection Act and had the potential to cause confusion. The OPC stated that the Australian Privacy Act would be appropriate, whether or not the Act was amended to include a statutory cause of action for invasion of privacy. In the alternative, the OPC submitted that the current name, the Privacy Act, provides clear and simple branding that differentiates the legislation from privacy legislation in the states and territories.[129]
5.81 On the other hand, there was considerable support for renaming the legislation to focus more expressly on the protection of personal information. The OVPC commented that:
The inclusion of ‘Privacy’ in the title of the IPA [Information Privacy Act 2000 (Vic)] and its national and interstate equivalents, has, in my experience, created confusion on the part of enquirers and complainants. Many of those who contact my office are seeking information or assistance about matters outside of the jurisdiction of the IPA, including bodily and spatial privacy. If these matters remain outside of the coverage of the Privacy Act, then its name should be changed to reflect this.[130]
5.82 Alternative names suggested by stakeholders included:
- Information Privacy Act;[131]
- Personal Information Privacy Act;[132]
- Personal Information Privacy Protection Act;[133]
- Personal Information Regulation Act;[134]
- Protection of Personal Information Act;[135]
- Privacy and Information Protection Act;[136]
- Data Protection Act;[137] and
- Privacy and Data Protection Act.[138]
5.83 A number of stakeholders expressly supported the use of the term ‘data’ in the name of the legislation.[139] The Australian Direct Marketing Association noted that this would be in keeping with the European privacy information regime and the emerging Asia-Pacific Economic Cooperation (APEC) regime. In the Association’s view, adopting this terminology would be more accurate and would assist global consistency and recognition of Australian law.[140]
5.84 The Australian Privacy Foundation, however, did not support the use of the name Data Protection Act, put forward by a number of stakeholders, because it might imply that the legislation was limited to computerised information or was only concerned about security.[141]
5.85 The PIAC stated that it:
does not support the proposal that the Act should be renamed the Privacy and Personal Information Act as this suggests that the legislation is about personal information generally, when it is actually about the protection of such information. PIAC does agree, however, that it is important to retain the term ‘privacy’ in the title of the Act, as some of the functions of the Privacy Commissioner go beyond data protection. The use of this term also helps to maintain a rights-based context for the legislation. In PIAC’s view, a preferable name for the Act would be the Personal Information Privacy Protection Act.[142]
5.86 A number of stakeholders supported the ALRC’s proposed change.[143] Other stakeholders expressed support for this option as well as the alternative option of leaving the name unchanged if the Act is amended to include a statutory cause of action for invasion of privacy.[144]
ALRC’s view
5.87 If the Privacy Act is not amended to include a statutory cause of action, for the reasons stated above, the Act should be renamed the Privacy and Personal Information Act. This name reflects more clearly the main focus of the Act, that is, the privacy of personal information, while at the same time being wide enough to indicate that the Privacy Commissioner has a number of functions that do not relate to personal information.
5.88 The ALRC has considered the OPC’s suggestion that the Act should be renamed the Australian Privacy Act, however, this proposed title would not accurately reflect the scope of the legislation and that including the term ‘Australian’ in the title is not necessary. ‘Australian’ is often included in the title of legislation at the national level where it forms part of the name of the organisation established by the legislation, for example, Australian Law Reform Commission Act 1996 (Cth). Where this is not the case, the relevant jurisdiction is traditionally indicated by a bracketed abbreviation following the name of legislation: Privacy Act 1988 (Cth). This avoids the need to include the word ‘Australian’ in the name of all federal legislation.
5.89 In Chapter 74, the ALRC recommends that federal legislation provide for a statutory cause of action for invasion of privacy.[145] The statutory cause of action would arise in a range of situations, including where there has been an interference with an individual’s home or family life, an individual has been subjected to unauthorised surveillance, or an individual’s correspondence or private written, oral or electronic communication has been interfered with, misused or disclosed. While the ALRC has not expressly recommended that the statutory cause of action be included in the Privacy Act, it logically could be located there. If the Privacy Act is amended in this way, the name of the Act should remain the same.
Recommendation 5-3 The Privacy Act should be renamed the Privacy and Personal Information Act. If the Privacy Act is amended to incorporate a cause of action for invasion of privacy, however, the name of the Act should remain the same.
[120] Commonwealth, Parliamentary Debates, Senate Legal and Constitutional References Committee, 19 May 2005, 51 (K Curtis—Privacy Commissioner).
[121] ThePersonal Information Protection and Electronic Documents Act 2000 SC 2000, c 5 (Canada) regulates the handling of personal information by the private sector.
[122] M Whisner, ‘What’s in a Statute Name?’ (2005) 97 Law Library Journal 169, 183.
[123] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 3–3.
[124] Ibid, Proposal 5–1.
[125] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Suncorp-Metway Ltd, Submission PR 525, 21 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007; Office of the Information Commissioner (Northern Territory), Submission PR 103, 15 January 2007; Institute of Mercantile Agents, Submission PR 101, 15 January 2007.
[126]Privacy Act 1988 (Cth) s 27(1)(m).
[127] Ibid s 27(1)(r).
[128] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.
[129] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.
[130] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.
[131] Australian Government Department of Employment and Workplace Relations, Submission PR 211, 27 February 2007; Law Institute of Victoria, Submission PR 200, 21 February 2007; Australian Federal Police, Submission PR 186, 9 February 2007; G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007; Veda Advantage, Submission PR 163, 31 January 2007; L Bygrave, Submission PR 92, 15 January 2007.
[132] National Health and Medical Research Council, Submission PR 114, 15 January 2007.
[133] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.
[134] Electronic Frontiers Australia Inc, Submission PR 76, 8 January 2007.
[135] Confidential, Submission PR 143, 24 January 2007.
[136] National Association for Information Destruction, Submission PR 133, 19 January 2007.
[137] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; National Association for the Visual Arts, Submission PR 151, 30 January 2007; Australian Government Department of Human Services, Submission PR 136, 19 January 2007.
[138] W Caelli, Submission PR 99, 15 January 2007.
[139] Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.
[140] Australian Direct Marketing Association, Submission PR 543, 21 December 2007.
[141] Australian Privacy Foundation, Submission PR 167, 2 February 2007.
[142] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.
[143] Centre for Law and Genetics, Submission PR 497, 20 December 2007; Arts Law Centre of Australia, Submission PR 450, 7 December 2007.
[144] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.
[145] Rec 74–1.