Enforcing ‘own motion’ investigations

Background

50.2 In addition to the Commissioner’s power to investigate an act or practice when a complaint has been made, the Commissioner also can investigate an act or practice on his or her own motion where the Commissioner considers it desirable that the act or practice be investigated.[1] Own motion investigations are used by the OPC where it becomes aware of matters that may involve interferences with privacy through media coverage, calls to the Privacy Enquiries line, or individuals writing to the OPC.[2]

Remedies following own motion investigations

50.3 The Commissioner can report to the Minister on own motion investigations made in relation to the acts and practices of agencies, file number recipients, credit reporting agencies or credit providers. Section 30 of the Act provides that, where the Commissioner has investigated an act or practice without a complaint having been made under s 36, the Commissioner may report to the Minister about the act or practice investigated and must report where the:

  • Minister directs the Commissioner to do so; or
  • Commissioner thinks the act or practice investigated is an interference with an individual’s privacy and the Commissioner has not considered it appropriate to endeavour to settle the matter, or has tried to settle the matter without success.[3]

50.4 Section 30(6) of the Act specifies that these reporting obligations do not apply to a complaint made under s 36 in relation to an act or practice of an organisation or a complaint accepted under s 40(1B). The purpose of this subsection was said to be ‘to clarify that there is no requirement to report to the Minister following investigations conducted by the Privacy Commissioner into the acts or practices of organisations’.[4]

50.5 The OPC stated in its Annual Report for 2006–07 that, in the majority of own motion investigations in which it found allegations to be substantiated, the respondent dealt with the issues of concern either on its own initiative or following the OPC’s suggestions. The types of action taken included apologies, retrieval and appropriate disposal of records, and change in procedures.[5]

50.6 The inability of the Commissioner to enforce remedies following an own motion investigation was commented on by stakeholders in the OPC’s review of the private sector provisions of the Privacy Act (OPC Review) and the Senate Legal and Constitutional References Committee inquiry into the Privacy Act 1988 (Senate Committee privacy inquiry). In the former, stakeholders submitted that a wider power of enforcement should be conferred on the Commissioner. It was suggested that the Commissioner should ‘be able to enforce any directions given in relation to findings after an own motion investigation’, ensuring that ‘light handed’ measures taken by the Commissioner have the ‘weight of possible further action attached to them’.[6]

50.7 In the OPC Review, the OPC acknowledged that it had ‘experienced some difficulties’ in dealing with potential privacy breaches where there was no individual complainant and where the respondent was not cooperative.[7] It recommended that the Australian Government consider amending the Privacy Act to ‘provide for enforceable remedies following own motion investigations where the Commissioner finds a breach of the National Privacy Principles’ (NPPs).[8] The Australian Government agreed with this recommendation.[9]

Submissions and consultations

50.8 In the Discussion Paper Review of Australian Privacy Law (DP 72), the ALRC identified support in submissions and consultations for the Commissioner’s power to conduct own motion investigations as a means of addressing systemic issues. Several stakeholders reiterated the need for the Commissioner to have the power to enforce remedies following own motion investigations where the Commissioner finds that there has been a breach of the privacy principles.[10]

50.9 In response to these concerns, the ALRC proposed in DP 72 that the Commissioner be empowered to issue a notice to comply following an own motion investigation. In the notice, the Commissioner could determine that the agency or organisation has engaged in conduct constituting an interference with the privacy of an individual and could prescribe that the agency or organisation must take specified action within a specified period for the purpose of ensuring compliance with the Act.[11]

50.10 The OPC was supportive of the proposed amendments to increase its powers to take action following an own motion investigation.[12] Other stakeholders also expressed their support.[13] The Public Interest Advocacy Centre (PIAC), for example, stated that:

To date, own-motion investigations have had limited value as a compliance tool because of the Commissioner’s inability to enforce remedies following such investigations. The proposed amendments will greatly enhance the ability of the Commissioner to address systemic interferences with privacy.[14]

50.11 The Federation of Community Legal Centres also supported the proposal. It stated that ‘a range of compliance strategies with an associated hierarchy of enforcement powers and consequences is appropriate to the modern complexities of privacy issues in Australia’.[15]

50.12 Some stakeholders argued that there also should be greater transparency in the reporting of results of own motion investigations. PIAC and the Cyberspace Law and Policy Centre submitted that there should be a requirement that reports on own motion investigations be made public, either through reporting in OPC case notes or in reports to Parliament.[16] The view was also put that there should be procedures to allow privacy and consumer groups to intervene in own motion investigations where appropriate.[17]

50.13 Other stakeholders considered the existing enforcement powers of the Commissioner to be adequate.[18] One stakeholder suggested that there was no evidence to suggest that there is widespread non-compliance with the Act or any need to change the enforcement approach. It its view, most breaches of the Act are inadvertent, and the fact that penalties have rarely been used is ‘indicative of the fact that penalties are not required’.[19]

ALRC’s view

50.14 Own motion investigations provide a valuable tool for the Commissioner to investigate allegations of non-compliance that come to light via means other than a complaint being lodged. In order to make such investigations effective as a compliance tool, however, it is important that the Commissioner have adequate means to enforce remedies where he or she finds a breach of the NPPs, the Information Privacy Principles (IPPs)[20] or other provisions in the Privacy Act.

50.15 Accordingly, the Privacy Act should be amended to allow the Commissioner to issue a notice to comply following an own motion investigation. The Commissioner should be empowered to determine in the notice that the agency or organisation has engaged in conduct constituting an interference with the privacy of an individual. Consistently with the ALRC’s recommendation in relation to determinations,[21] the Commissioner also should be empowered to prescribe in the notice that the agency or organisation must take specified action within a specified period for the purpose of ensuring compliance with the Act.[22]

50.16 As with determinations, the notice should be enforceable by proceedings in the Federal Court or Federal Magistrates Court.[23] The Privacy Act should be amended to include a mechanism similar to that under s 55A of the Act where the complainant, the Commissioner or an adjudicator under a code may commence court proceedings for an order to enforce a determination. Unlike in the case of determinations, however, the ALRC does not recommend that there be merits review of a notice to comply issued by the Commissioner. If the respondent in a notice to comply contests the Commissioner’s findings or the actions prescribed in the notice, the respondent could choose not to comply with the notice and wait for the Commissioner to enforce it in the Federal Court by way of a hearing de novo.

50.17 The ALRC agrees that the OPC’s reporting of own motion investigations could be improved. In its 2006–07 Annual Report, the OPC reported it received 55 new matters and ‘took steps to contact the organisation in about 85% of cases’.[24] Summaries of some of the allegations are provided, but not specific details of the outcome of the investigations. The OPC should make its reporting on own motion investigations more comprehensive. If Recommendation 50–1 is implemented, this reporting should include when a notice to comply was issued, and any proceedings that were commenced for enforcement of a notice.

Recommendation 50-1 The Privacy Act should be amended to empower the Privacy Commissioner to:

(a) issue a notice to comply to an agency or organisation following an own motion investigation, where the Commissioner determines that the agency or organisation has engaged in conduct constituting an interference with the privacy of an individual;

(b) prescribe in the notice that an agency or organisation must take specified action within a specified period for the purpose of ensuring compliance with the Privacy Act; and

(c) commence proceedings in the Federal Court or Federal Magistrates Court for an order to enforce the notice.

[1]Privacy Act 1988 (Cth) s 40.

[2] Office of the Privacy Commissioner, The Operation of the Privacy Act Annual Report: 1 July 2006–30 June 2007 (2007), [3.4.1]. The Annual Report provides examples of situations investigated by the OPC on its own motion.

[3]Privacy Act 1988 (Cth)s 30(1). As at May 2008, the relevant Minister is the Cabinet Secretary.

[4] Revised Explanatory Memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth), 107.

[5] Office of the Privacy Commissioner, The Operation of the Privacy Act Annual Report: 1 July 2006–30 June 2007 (2007), [3.4.2].

[6] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 145. See also Parliament of Australia—Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005), 146.

[7] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 155.

[8] Ibid, rec 44. See also Ibid, 157.

[9] Australian Government Attorney-General’s Department, Government Response to the Privacy Commissioner’s Report: Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2006), [Item 44].

[10] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Privacy NSW, Submission PR 193, 15 February 2007; G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; Consumer Credit Legal Centre (NSW) Inc, Submission PR 160, 31 January 2007. See also Electronic Frontiers Australia Inc, Submission to the Senate Legal and Constitutional References Committee Inquiry into the Privacy Act 1988, 24 February 2005 as affirmed in Electronic Frontiers Australia Inc, Submission PR 76, 8 January 2007.

[11] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 46–1.

[12] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[13] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007. This proposal was also supported by Privacy NSW: Privacy NSW, Submission PR 468, 14 December 2007.

[14] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[15] Federation of Community Legal Centres (Vic), Submission PR 509, 21 December 2007. Other stakeholders who supported the proposal included: Veda Advantage, Submission PR 498, 20 December 2007; Australasian Compliance Institute, Submission PR 419, 7 December 2007; P Youngman, Submission PR 394, 7 December 2007.

[16] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007. See also Australian Privacy Foundation, Submission PR 553, 2 January 2008.

[17] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[18] Optus, Submission PR 532, 21 December 2007; Telstra Corporation Limited, Submission PR 459, 11 December 2007.

[19] Confidential, Submission PR 536, 21 December 2007.

[20] If Rec 18–2 is adopted, there will be a single set of privacy principles—the model Unified Privacy Principles (UPPs).

[21] Rec 49–7.

[22] The proposed wording for this power is based on the compliance notice model used in other privacy legislation: see Information Privacy Act 2000 (Vic) s 44; Health Records Act 2001 (Vic) s 66; Information Act 2002 (NT) s 82.

[23] Enforcement of determinations is discussed further below.

[24] Office of the Privacy Commissioner, The Operation of the Privacy Act Annual Report: 1 July 2006–30 June 2007 (2007), [3.4.1].