The structure of the Act

5.63 Because the Privacy Act has been substantially amended on a number of occasions, the numbering and structure of the Act make it confusing and difficult to navigate. For example, while the IPPs are found in s 14 of the Act, the NPPs are found in Schedule 3. In addition, the Act refers to obsolete legislation such as the Conciliation and Arbitration Act 1904 (Cth) and to provisions such as s 46A of the Acts Interpretation Act 1901 (Cth) that have been repealed and replaced.

5.64 As discussed above, and in Parts D and E of this Report, exemptions and exceptions are found throughout the Act and, in some cases, in other pieces of legislation. This can make it difficult to ascertain whether the Privacy Act covers a particular agency or organisation and, if so, to what extent. In addition, the drafting of some exemptions, such as exempt acts and practices in s 7, is complex and difficult to understand.

5.65 In the course of the Inquiry, a significant number of stakeholders commented on the problems caused by the complex structure of the Privacy Act.[107] Electronic Frontiers Australia expressed the view that the Act was ‘complex, confusing and unwieldy’ and that this was leading to misapplication of the provisions.[108] The Centre for Law and Genetics agreed that the Act has become difficult to work with:

We would strongly support the redrafting of the legislation to achieve a greater degree of simplicity and clarity. Nevertheless, the original flow from collection through to release arose from the OECD Guidelines and this remains a defensible template.[109]

5.66 The Office of the Information Commissioner Northern Territory was of the view that the Privacy Act had ‘lost its way’ and should be redrafted, using plain English, and restructured, including grouping exemptions together.[110] Privacy NSW agreed.[111] A number of commentators have also been critical of the Act’s complexity.[112]

Discussion Paper proposal

5.67 In DP 72, the ALRC expressed the view that such complexity seems undesirable in legislation intended to protect individuals’ personal information. An individual is unlikely to be able to take action to protect his or her rights if it is difficult to ascertain what acts and practices of agencies and organisations are covered by the legislation. The ALRC proposed that the Privacy Act should be amended to achieve greater logical consistency, simplicity and clarity, including the consolidation of the IPPs and the NPPs into a single set of UPPs; the clarification and grouping together of exemptions; and the restructuring and renumbering of the Act.[113]

Submissions and consultations

5.68 There was strong support for this proposal.[114] PIAC noted that:

The Act is well overdue for a complete overhaul. In its current form, it lacks coherence, and is overly complex and confusing. Many of PIAC’s clients have complained that they have been unable to understand their rights from their own reading of the Act and have therefore been put in the position of being forced to seek legal advice and representation. This is inappropriate in a jurisdiction that encourages self-representation.[115]

5.69 The Australian Government Department of Human Services expressed support for the proposal, but noted that substantial changes to the Privacy Act will present more difficulties for agencies than for organisations, and that training will be required to manage the transition.[116]

5.70 Several stakeholders expressed concern about the proposal, however, drawing attention to the significant investment that has been made to establish policies and procedures to meet the requirements of the current regime. These stakeholders noted that any major reform of the Act will come at a cost as agencies and organisations will be required to amend policies and procedures to meet new requirements.[117]

ALRC’s view

5.71 The ALRC acknowledges that there will be costs involved for agencies and organisations in updating policies and procedures to meet new requirements imposed by an amended Privacy Act. In the ALRC’s view, however, the current complexity is giving rise to ongoing and significant costs, and these costs cannot be justified into the future. These issues are discussed in detail in Chapter 14.

5.72 In Chapter 18, the ALRC recommends the introduction of a single set of UPPs applying to both agencies and organisations.[118] This change, alone, would resolve much of the complexity in the current provisions. In Chapter 33, the ALRC also recommends that the exemptions in the Privacy Act should be clarified and located together.[119] Amending the Privacy Act in line with these recommendations would provide an excellent opportunity to restructure the entire Act to achieve greater logical consistency, simplicity and clarity.

Recommendation 5-2 The Privacy Act should be redrafted to achieve greater logical consistency, simplicity and clarity.

[107] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Law Institute of Victoria, Submission PR 200, 21 February 2007; G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007; AAMI, Submission PR 147, 29 January 2007; Confidential, Submission PR 143, 24 January 2007; Australian Government Department of Human Services, Submission PR 136, 19 January 2007; National Health and Medical Research Council, Submission PR 114, 15 January 2007; Office of the Information Commissioner (Northern Territory), Submission PR 103, 15 January 2007; W Caelli, Submission PR 99, 15 January 2007; I Turnbull, Submission PR 82, 12 January 2007; Tasmanian Ombudsman, Consultation PC 158, Hobart, 30 March 2007.

[108] Electronic Frontiers Australia Inc, Submission PR 76, 8 January 2007.

[109] Centre for Law and Genetics, Submission PR 127, 16 January 2007.

[110] Office of the Information Commissioner (Northern Territory), Submission PR 103, 15 January 2007.

[111] Privacy NSW, Submission PR 468, 14 December 2007.

[112] R Clarke, The Australian Privacy Act 1988 as an Implementation of the OECD Data Protection Guidelines (1989) Australian National University <www.anu.edu.au/people/Roger.Clarke/DV/PActOECD.html> at 14 April 2008, [6.1]; T Dixon, ‘Preparing for the New Privacy Legislation’ (Paper presented at Australia’s New Privacy Legislation, Baker & McKenzie Cyberspace Law and Policy Centre CLE Conference, Sydney, 24–25 May 2001).

[113] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 3–2.

[114] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; BPay, Submission PR 566, 31 January 2008; Australian Government Department of Agriculture, Fisheries and Forestry, Submission PR 556, 7 January 2008; Australian Government Centrelink, Submission PR 555, 21 December 2007; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Google Australia, Submission PR 539, 21 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Optus, Submission PR 532, 21 December 2007; National Legal Aid, Submission PR 521, 21 December 2007; Federation of Community Legal Centres (Vic), Submission PR 509, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Centre for Law and Genetics, Submission PR 497, 20 December 2007; Queensland Government, Submission PR 490, 19 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; Microsoft Asia Pacific, Submission PR 463, 12 December 2007; National Transport Commission, Submission PR 416, 7 December 2007; National Australia Bank, Submission PR 408, 7 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007; Mortgage and Finance Association of Australia, Submission PR 344, 19 November 2007; AAPT Ltd, Submission PR 338, 7 November 2007.

[115] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[116] Australian Government Department of Human Services, Submission PR 541, 21 December 2007.

[117] Acxiom Australia, Submission PR 551, 1 January 2008; Australian Direct Marketing Association, Submission PR 543, 21 December 2007.

[118] Rec 18–2.

[119] Rec 33–1.