The breadth of the subject matter covered in this Inquiry required the ALRC to undertake the largest community consultation program in its 33 year history. To facilitate public engagement and stakeholder participation, two issues papers, Review of Privacy (IP 31)and Review of Privacy: Credit Reporting Provisions (IP 32), and a three-volume Discussion Paper, Review of Australian Privacy Law (DP 72), were released. Concise overviews of IP 31 and IP 32, and DP 72, also were published to reach the non-specialist audience. The ALRC organised:
- about 250 face-to-face meetings with individuals, organisations and agencies;
- major public forums in Melbourne (focusing on consumers and privacy), Sydney (focusing on business and privacy) and Coffs Harbour (focusing on health privacy and research);
- six workshops for children and young people (aimed at those aged 13–25);
- a series of roundtables with individuals, agencies and organisations on a variety of themes including: credit reporting; telecommunications; the privacy principles; children and young people; and health and research;
- a highly publicised ‘National Privacy Phone-In’ on 1–2 June 2006, during which more than 1,300 members of the public contacted the ALRC to share their experiences, ideas and attitudes about privacy protection (see below); and
- the establishment of a ‘Talking Privacy’ website, designed specifically to appeal to young people.
The ALRC also actively solicited submissions, receiving 585 written submissions from a broad cross-section of individuals, organisations and agencies. The high level of public engagement with the ALRC Inquiry reflected the extent of public interest and concern about privacy protection. Community and stakeholder concerns helped direct the ALRC in developing its priorities and the ultimate reform agenda.
The scope of the Privacy Act
In the early stages, at least, some meetings suggested that there was a mismatch in the broader concept of privacy utilised by the general public and the way the term ‘privacy’ is defined in a technical legal sense in the Privacy Act. Experts and privacy professionals mainly concern themselves with information privacy and data security and protection. The ALRC has, in fact, recommended that the name of the Act be changed to the Privacy and Personal Information Act.
Australians generally consider that they have a ‘right to privacy’—notwithstanding the absence of a national charter of rights—and that this protection has been extended to cover the activities of the private sector as well as government agencies. Many members of the general public (and no doubt many lawyers), however, incorrectly assume that the Privacy Act also covers such others matters as:
- unwanted calls at home by telemarketers (now addressed by the ‘Do Not Call Register’);
- surveillance at work and in public places;
- spying by neighbours;
- paparazzi-type photographs; and
- police procedures, especially intrusive searches and seizures and the collection of DNA samples.
The National Privacy Phone-In
The ALRC kicked off the public phase of the Inquiry with a two day National Privacy Phone-In on 1–2 June 2006, which handled 1,343 responses. The results were very interesting. Nearly three-quarters of all respondents (73%) cited telemarketing as a major concern, provoking a cluster bomb of indignant questions and comments: ‘It feels like a “home invasion”’; ‘How did they get my number?’; ‘Why do they always call at dinner time when I’ve got my hands full cooking and trying to settle the kids?’
This category was followed, in order of prevalence, by concerns expressed about:
- the handling of personal information by the private sector (19%);
- the handling of personal information by government (9%);
- the protection of privacy on the internet (7%);
- national identity cards and ‘smart cards’ (7%);
- problems accessing and correcting personal information (7%); and
- surveillance in public places (4%).
Contrary to expectations, very few comments were received about workplace surveillance (2%) or spying by neighbours (only four calls).
The general lamentation: is privacy passé?
It was very evident in public forums and meetings that there is a general feeling in the community that technological advances have steadily and irreparably eroded personal privacy—‘we have much less privacy than previous generations, and it will only get worse!’—and that greater efforts must be made to resist this.
When the discussion moved from the general to the specific, however, there was evident a countervailing appreciation of the parallel benefits of modern information and communication technology, with praise for the ease, convenience and empowering qualities of email, mobile phones, e-commerce, digital photography, the internet and so on.
People also expressed a high degree of willingness to trade off privacy interests (or at least to understand the potential compromise) to meet concerns about law and order at the local level—for example, accepting the use of surveillance cameras in public places—or about national security more generally.
Similarly, the ALRC found—despite the frequent use of the absolutist language of ‘rights’—that there is general community appreciation for the need to strike a common sense balance between privacy interests and practical concerns in a range of areas. For example, while personal health information is regarded as ‘sensitive’ and deserving of the highest level of protections, individuals understand that a premium may be placed on prompt access to, and disclosure of, such information in the case of a medical emergency.
An emerging generation gap?
During the course of this Inquiry, the ALRC explored whether there is an emerging generation gap in basic attitudes to privacy. That is, do young people have such a fundamentally different approach to privacy that this should be recognised (or at least anticipated) by law?
It does appear that young people are more comfortable than their parents, and certainly their grandparents, in sharing personal information, photos and other material on social networking websites. The question is whether this represents the beginnings of an enduring cultural shift, or simply the eternal recklessness of youth, played out in a new medium and utilising new technology. Put another way, will today’s teenagers be horrified in a decade’s time when prospective employers—and prospective partners and in-laws—can easily ‘google up’ intimate and potentially embarrassing images and information?
As mentioned above, the ALRC went to considerable effort to consult directly with children and young people—and found that, even though there is an increased willingness to share information on websites like MySpace and Facebook, nevertheless there remains a strong desire to retain control over access to, and distribution of, this personal information. Some young people were quite savvy about how to achieve this. Many others, however, appeared to be unaware of the privacy policies of the social networking sites they frequented, and unfortunately naïve about the degree of control they can exercise in practice. Further, many young people were unaware of the extent to which information—for example, photographs—deleted from their profile remain on the internet; either as a result of downloading onto other sites or archiving.
While children and young people normally can seek guidance about moral and ethical standards of behaviour at home, at school or at their place of worship, they may find themselves pretty much on their own when operating at the cutting edge of technology.
The ALRC found, however, that there was little appetite for more law or formal regulation in this area. The consistent advice received was that much more education is needed for children and young people—and the adults in their lives—about how to operate properly and safely in this new electronic environment. Some excellent guidance already is being published by industry bodies, and the ALRC recommends that this effort intensify and also involve the Office of the Privacy Commissioner (OPC).
Complexity and confusion
Businesses—not surprisingly—were concerned mainly with the overly complex and confusing web of privacy laws in Australia, citing the overlapping federal, state and territory laws; the separate privacy principles for government agencies (the Information Privacy Principles (IPPs)) and private sector organisations (the National Privacy Principles (NPPs)), and other relevant laws, including those covering the privacy of health information. This makes it very difficult—and expensive—for even the best-intentioned business to comply.
These concerns were expressed consistently and strongly in submissions and consultations throughout the Inquiry—making it clear to the ALRC that simplification and harmonisation of the law had to be one of the principal aims and outcomes of this Inquiry.
The ALRC often heard concerns that the Privacy Act is a ‘toothless tiger’, lacking adequate enforcement mechanisms and sufficient sanctions to ensure compliance. Whether this is a real or a perceived problem, the ALRC takes very seriously the need to improve the regulatory scheme and to increase community confidence in the level of compliance with the requirements of the Act.
The ALRC actively sought and received community and stakeholder comment in this area, and makes a number of recommendations (see below) aimed at addressing: the structure, role and powers of the OPC; improvements to the complaint-handling process; the Privacy Commissioner’s ability to require a Privacy Impact Assessment for a new project or development that may have a significant impact on the handling of personal information; the Privacy Commissioner’s powers to conduct audits, monitor compliance, and to issue notices to comply where required; greater powers for the OPC to spur the development of context or industry-specific privacy codes, to flesh out the general privacy principles; and the ability of the OPC to pursue civil penalties in a federal court, where there is a serious or repeated misuse of an individual’s personal information.
The BOTPA excuse: ‘Because of the Privacy Act’
Interestingly, a range of callers to the National Privacy Phone-In argued that sometimes there may be ‘too much privacy’—or rather that ‘privacy’ is all too often trotted out as an excuse for inaction or non-cooperation. Among privacy professionals, this has become known as the ‘BOTPA’ excuse, since people are told that their reasonable requests cannot be accommodated ‘because of the Privacy Act’. For example, the ALRC heard complaints from people who, ‘because of the Privacy Act’, were unable to:
- access or correct their own personal information held on a government or corporate database;
- assist an elderly relative or neighbour with their banking, or in dealing with a public utility or government agency—even where that person had written authorisation or held a valid power of attorney; and
- urge their church congregation to pray for a named individual who was unwell and in hospital.
Australian Law Reform Commission, Review of Privacy, IP 31 (2006).
Australian Law Reform Commission, Review of Privacy—Credit Reporting Provisions, IP 32 (2006).
Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007).
Australian Law Reform Commission, Reviewing Australia’s Privacy Laws: Is Privacy Passé?, Overview (2006).
Australian Law Reform Commission, Review of Australian Privacy Law: An Overview of Discussion Paper 72 (2007).
 See Ch 5.
 Callers were able to nominate more than one concern, which is reflected in the statistics. Further, the nature of the comments may have been influenced by a number of media stories about the Phone-In, which focused on telemarketing as a possible concern.