Multiple regulators

14.21 Some industries are required to comply with multiple layers of privacy regulation overseen by more than one regulator. This has been identified as an issue in the telecommunications industry[32] and the financial services sector. For example, bank customers with privacy complaints may choose to lodge a complaint with the Banking and Financial Services Ombudsman (BFSO) or the OPC.

14.22 It has been noted that industry ombudsmen and the OPC may take opposing views in relation to the same privacy complaint. Concerns were expressed to the OPC Review about the lack of clarity in the respective complaint-handling responsibilities of the federal and New South Wales privacy commissioners,[33] and that consumers may not know to which regulator to complain, or which law applies to their matter.[34]

Submissions and consultations

14.23 In submissions to this Inquiry, stakeholders noted that the lack of consistency of federal and state and territory privacy regimes leads to confusion about to whom to complain, and how to complain.[35] They noted that it would be useful to have a ‘one-stop shop’ for complaint handling.[36]

14.24 A number of organisations reported that multiple regulators contribute to compliance cost by increasing the number of ‘compliance activities’ required each year and through the slower resolution of privacy complaints.[37]

14.25 Privacy regulators also noted difficulties. The OVPC submitted that there will be cases where privacy regulators cannot agree on which privacy law applies.[38] The OPC emphasised that lack of consistency in legislation is often the primary source of the problem, rather than the existence of more than one regulator.[39] The OPC observed, however, that the existence of multiple regulators at the federal, state and territory level raises three concerns:

First, it can be difficult for individuals to understand their rights, and know how to enforce them. Second, organisations may bear increased compliance costs by having to obey multiple sets of regulations. Third, this may lead to unnecessary duplication of effort and resource expenditure by regulators.[40]

14.26 The OPC considered that the existence of multiple regulators in one sector presents the potential risks of forum shopping, inefficient use of resources, and inconsistent outcomes. In the OPC’s view, however, these issues could be overcome by

creating memoranda of understanding, harmonisation of complaint-handling procedures and legislative interpretation, and appropriate referral mechanisms. Where the source of these problems is inconsistent legislation, clarifying the scope of each regulator’s jurisdiction could help to avoid such risks, provided this does not lead to gaps in regulatory coverage.[41]

14.27 The Australian Privacy Foundation submitted that having more than one regulator results in ‘peer review’, which can contribute to the maintenance of high standards and a consumer focus. It noted, however, that it is essential that multiple privacy regulators establish a good working relationship.[42]

14.28 The need for regulators with expertise in certain industry sectors was noted in other submissions. For example, the NHMRC submitted that health privacy issues require the attention of regulators who are expert in privacy and also have specific expertise in the health services and health and medical research sectors.[43] The Australian Bankers’ Association noted that the majority of the few privacy-related complaints the BFSO receives are part of wider banking complaints. It is therefore convenient for the customer to have the dispute dealt with by the one body, particularly as the OPC would not have the power to determine the banking aspects of the dispute.[44]

ALRC’s view

14.29 There are several benefits in having multiple regulators that are responsible for privacy. It is preferable to have privacy regulators at the federal, state and territory level as it ensures that citizens in each jurisdiction have a regulator they can approach for advice and to make a complaint. Similarly, organisations that are subject to local privacy laws have access to a state and territory regulator who is aware of their circumstances and can provide advice and training on implementing the legislation.[45]

14.30 Further, industry-specific regulators, such as the BFSO and the Telecommunications Industry Ombudsman, play an important role in the regulation of personal information handling as they provide industry expertise that the OPC does not possess. Industry-specific regulators also reduce the volume of privacy complaints that would otherwise be made to the OPC, freeing the OPC’s resources for other functions.

14.31 Another potential benefit is peer review and the promotion of high standards of performance. This will occur when privacy regulators interpret a single set of privacy principles. Transparency also can be promoted by publishing decisions and guidance on the operation of the principles.

14.32 The ALRC also accepts, however, that there is evidence to suggest that multiple privacy regulators can create confusion for individuals when making complaints, and for organisations and agencies when seeking advice. Further, it can create a compliance burden for businesses and result in the inefficient use of privacy regulators’ resources.

14.33 The ALRC therefore makes a number of recommendations aimed at achieving greater cooperation between privacy regulators. Issues related to multiple regulators at the federal, state and territory level are discussed in more detail in Chapter 17—‘Interaction with State and Territory Laws’. In that chapter, the ALRC recommends that state and territory privacy legislation should provide for the resolution of complaints by state and territory privacy regulators and agencies with responsibility for privacy regulation in that state or territory’s public sector.

14.34 The ALRC also recommends that the OPC develop and publish memorandums of understanding with each of the bodies with responsibility for information privacy in Australia, including industry-specific dispute resolution bodies and state and territory bodies with responsibility for privacy. These memorandums of understanding should outline:

  • the roles and functions of each of the bodies;

  • when a matter will be referred to, or received from, each of the bodies; and

  • processes for consultation between the bodies when issuing public interest determinations, temporary public interest determinations and codes, and for the development and publication of joint guidance.

14.35 Other relevant recommendations include amendment of the Privacy Act to empower the Privacy Commissioner to delegate all or any of the powers in relation to complaint handling conferred on the Commissioner by the Act;[46] and the development and publication of complaint-handling policies, enforcement guidelines and educational material that addresses the role and functions of the various bodies with responsibility for information privacy.[47]

[32] See discussion in Part J and Telstra, Submission PR 185, 9 February 2007; Telstra Corporation Limited, Submission to the Office of the Privacy Commissioner Review of the Private Sector Provisions of the Privacy Act 1988, 22 December 2004, 9.

[33] Private Health Insurance Ombudsman, Submission to the Office of the Privacy Commissioner Review of the Private Sector Provisions of the Privacy Act 1988, 14 December 2004, 1.

[34] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 68.

[35] Australian Privacy Foundation, Submission PR 167, 2 February 2007; Public Interest Advocacy Centre, Consultation PC 29, Sydney, 16 May 2006.

[36] Telstra, Submission PR 185, 9 February 2007; Insurance Council of Australia, Submission PR 110, 15 January 2007.

[37] Telstra, Submission PR 185, 9 February 2007; Insurance Council of Australia, Submission PR 110, 15 January 2007. See also Australian Chamber of Commerce and Industry, Holding Back the Red Tape Avalanche: A Regulatory Reform Agenda for Australia (2005).

[38] Office of the Victorian Privacy Commissioner, Submission PR 217, 28 February 2007.

[39] The OPC noted the inconsistency between the Privacy Act and NSW health privacy legislation: see Office of the Privacy Commissioner, Submission PR 215, 28 February 2007 and Part H.

[40] Ibid.

[41] Ibid.

[42] Australian Privacy Foundation, Submission PR 167, 2 February 2007.

[43] National Health and Medical Research Council, Submission PR 114, 15 January 2007.

[44] Australian Bankers’ Association Inc, Submission PR 259, 19 March 2007.

[45] Australian Privacy Foundation, Submission PR 167, 2 February 2007.

[46] See Ch 49.

[47] See Chs 17, 73.