Principle 9: Privacy protection is an issue of shared responsibility

2.36 The notion of shared responsibility is an important consideration informing legislative frameworks for the protection of privacy. Provided they have the power and means to do so, individuals bear a measure of responsibility for the protection of their own privacy and the privacy of others. Organisations that collect, store, process, or disclose information have a responsibility to empower individuals to control their own personal information as much as practicable and appropriate, but also to take steps to protect the privacy of individuals. Legislative and non-legislative mechanisms are needed to ensure that individuals can, and that organisations do, adequately exercise their respective responsibilities to protect privacy.

2.37 The ALRC considers that capable adults should be encouraged to take reasonable steps to utilise the privacy tools and frameworks offered by service providers. Several stakeholders stressed the importance of personal responsibility. The Australian Federal Police, for example, argued that ‘individuals should take ownership of their own privacy’.[43] The National E-Health Transition Authority (NEHTA) advanced the concept of personal control, arguing that individuals can and should exercise control over their electronic health records. NEHTA explained that this control may be exercised through individuals setting controls over access to their health records; authorising others to access their records; and the capacity to make enquiries and complaints about the treatment of their online records.[44]

2.38 However, personal responsibility can only be fully exercised when individuals are provided with the tools necessary to protect their privacy, and when the choices expressed by individuals are respected. Personal responsibility of individuals must therefore be balanced with the responsibility of organisations and service providers. Service providers should provide transparent and accessible methods to protect the privacy of their customers. This includes providing clear privacy policies, information about how to protect privacy, and privacy warnings, where relevant. Individuals need to be kept properly informed if privacy policies are not followed or are to be unilaterally changed.

2.39 Several stakeholders made submissions stressing the role of education as an essential and powerful tool to prevent invasions or breaches of privacy that might arise from the use of the internet or digital and mobile technologies.[45] Many people of all ages are unaware of the means available to protect their privacy, of the risks to privacy that arise in the digital era, and of the legal ramifications of some conduct.

2.40 The ALRC considers that education has an important role to play in reducing and preventing serious invasions of privacy, particularly in assisting individuals to interact safely and effectively in online and electronic relationships—whether they are personal or commercial in nature—and to respect the privacy of others. The ALRC considers that governments and industry have a responsibility to provide adequate education and assistance, particularly for vulnerable members of the Australian community, such as people with disability, children and some young people who may lack the capacity or knowledge to effectively protect their privacy in the digital era.

2.41 To that end, the ALRC highlights the responsibility of governments, relevant industries and industry groups representing entities that benefit from the advances of the digital era, to fund and support education programs which provide assistance and advocacy for individuals to manage their privacy. The ALRC has not made any proposals regarding education, as the ALRC’s Terms of Reference for this Inquiry are limited to consideration of the ways in which the law may redress and reduce serious invasions of privacy.