ALRC’s preference for principles-based regulation

4.27 The ALRC adopts principles-based regulation as its guide in developing the tools for regulating privacy for several reasons.

4.28 First, the ALRC is of the view that principles have greater flexibility than rules. Being high-level, technology-neutral and generally non-prescriptive, principles are capable of application to all agencies and organisations subject to the Privacy Act, and to the myriad ways in which personal information is handled in Australia.

4.29 Secondly, as outlined above, principles allow for a greater degree of ‘future-proofing’ and enable the regime to respond to new issues as they arise without having to create new rules.[39]

4.30 Thirdly, the ALRC recognises the considerable support by stakeholders for retaining principles as the primary regulatory method in the Privacy Act, which is discussed in more detail in Chapter 18.

Hybrid regulatory system

4.31 While the Privacy Act can be described as a ‘principles-based regime’, it is important to recognise that the ALRC’s adopted approach is not a pure form of principles-based regulation. In order to achieve the necessary policy outcomes, the ALRC adopts a pragmatic approach to its regulatory model, drawing significantly on principles-based regulation as its foundation, but allowing for a reversion to more traditional rules-based regulation where appropriate.

4.32 This pragmatic approach arises out of the recognition that, despite the overall benefits of principles-based regulation, the regulatory method also has its limitations. First, this type of regulation can lack certainty: agencies and organisations subject to the Act may have trouble understanding the exact requirements of a principle, and how they should apply or comply with the principles in their day-to-day operations. The second difficulty of principles-based regulation in the privacy context is that the same principles may not be appropriate to achieve the policy objectives in all the areas covered by the Privacy Act. In some instances, more prescriptive or different regulation may be required.

4.33 For these reasons, the ALRC is not recommending the adoption of a pure form of principles-based regulation. Having regard to the wide remit of the Privacy Act, the ALRC takes a pragmatic approach in drafting the regulatory tools, adopting what could be described as a hybrid model.

4.34 The approach adopted by the ALRC is a hybrid model in two respects. First, the principles themselves are not uniformly ‘principles’, in the theoretical sense explained above. While some of the model Unified Privacy Principles (UPPs) recommended by the ALRC are high-level and set out objectives to achieve without much prescription, others are a hybrid between high-level principle and more prescriptive rule. For example, UPP 5 sets out relatively detailed rules related to the use and disclosure of personal information, whereas UPP 7 provides a broad, high-level principle relating to data quality.[40]

4.35 Secondly, the overall regulatory model adopted by the ALRC is a hybrid system of principles and rules. While principles-based regulation forms the foundation of the ALRC’s approach, the model allows for these principles to be supplemented by more specific rules in regulations or other legislative instruments, to accommodate different industries or different policy considerations.

4.36 This Inquiry considers a number of areas that pose particularly important or difficult privacy problems, such as health, research, and credit reporting. In relation to each of these areas, the ALRC’s approach is to identify the appropriate balance that should be struck between allowing agencies and organisations to find their own way to achieving the object of the principle and providing more traditional, prescriptive regulation. The ALRC’s approach allows for the adoption of a more rule-based approach to regulation, either to complement or supplant the privacy principles, in order to achieve the policy objectives.

4.37 The advantage of a hybrid system is that it is a practical, pragmatic response to the competing needs of clarity, flexibility, simplicity and certainty. Such a system seeks to take the advantages of both a principles- and a rules-based system in order to achieve a regulatory regime that appropriately balances clarity, enforceability and flexibility.[41] This approach also recognises that stringent adherence to principles-based regulation would not, in some instances, achieve the necessary policy outcomes.

Forms of regulation

4.38 In the ALRC’s principles-based, hybrid approach, the rules relating to privacy are located in a combination of the following:

  • primary legislation;
  • regulations and other legislative instruments; and
  • non-binding guidance issued by the Office of the Privacy Commissioner (OPC).

4.39 These three forms of regulation are intended to operate together and complement each other. Together they make up the ALRC’s recommended approach to regulating privacy in Australia. Each level of regulation is discussed in detail below.

Primary legislation

4.40 The primary legislation regulating privacy at the federal level is the Privacy Act. In Chapter 5, the ALRC recommends that the Privacy Act be amended to achieve greater logical consistency, simplicity and clarity. In particular, the ALRC recommends that the Privacy Act should be redrafted so that it is relatively brief and uncluttered, and contains the following key elements:

  • objects and purposes of the legislative regime, as recommended by the ALRC in Chapter 5;
  • mechanical provisions, including definitions and regulation-making powers;
  • privacy principles, which will provide the core requirements of privacy law and will apply to agencies and organisations; and
  • constituent and operational provisions for the OPC, including the provisions setting out the OPC’s functions and powers.

4.41 Redrafting the Privacy Act in this way will result in a clear, concise and user-friendly document that would be capable of being understood and applied by the agencies and organisations—large and small—that will be subject to the regime. In this way, the ALRC hopes to reduce compliance costs associated with interpreting the Privacy Act, and to make the transition for small businesses to privacy regulation as simple as possible.

Regulations and other legislative instruments

4.42 In the ALRC’s approach, the next level of regulation after the primary legislation is subordinate legislation, being regulations and other legislative instruments. These two regulatory tools give effect to the second aspect of the hybrid system discussed above and enable flexibility in the regulatory scheme to address specific areas that either merit particular privacy protection or require a lessening of privacy protection to enable a freer flow of information. Certain areas within the privacy sphere require more or less detailed protection to achieve the desired policy outcome.

Regulations

4.43 Under the ALRC’s recommended model, regulations can be introduced to provide greater specificity and certainty in regulating privacy in relation to particular activities. Those regulations would be more detailed and specific than the privacy principles and, where appropriate, they would be able to derogate from the requirements in the privacy principles, by providing different (that is, more or less stringent) requirements than are provided for in the principles (while remaining consistent with the objects of the Act).

4.44 The minister responsible for administering the Privacy Act[42] should be responsible for introducing regulations to cover these activities, rather than the OPC. First, this approach better conforms with the principles of responsible government and parliamentary supremacy, by clearly vesting in Parliament the power to control the rules that apply to privacy. Secondly, this approach would not exclude the OPC from the process of formulating these regulations. Rather, there would be a requirement to consult with affected parties in this process, and this is highly likely to include the OPC, as well as any relevant stakeholders.[43]

Credit Reporting Regulations

4.45 Credit reporting provides an example of where there are strong policy reasons for further prescription in relation to the collection, use and disclosure of personal information.[44] In such circumstances, a broad principle may not be considered specific enough to achieve the desired regulatory outcome.

4.46 For example, in the credit reporting context there is a public interest in specifying exactly what types of information a credit reporting agency can collect and disclose. The model UPP 2, which provides that an organisation must not collect personal information unless the information is necessary for one or more of its functions or activities, is not considered sufficiently specific or prescriptive. Under the ALRC’s approach, this principle is supplemented by the recommended Privacy (Credit Reporting Information) Regulations, which specify the permitted content of credit report information.[45]

Health Services Regulations

4.47 In the provision of health services and the conduct of research, there are different policy considerations at stake in relation to privacy. In particular, there is a strong public interest in allowing a freer flow of information to facilitate better health outcomes and for the prevention of harm. In such circumstances, it may be necessary to derogate from a privacy principle in order to allow for greater information sharing, within set parameters.[46]

4.48 For example, the proposed Privacy (Health Information) Regulations allow health service providers to disclose an individual’s genetic information without consent to a genetic relative of that individual, if the provider believes that the disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of the genetic relative. This provision, while derogating from the usual principles in relation to disclosing sensitive information, recognises the shared or familial nature of genetic information and the public interest in sharing that information with potentially affected individuals. Any such disclosure must be done in accordance with binding rules developed by the National Health and Medical Research Council (NHMRC) and approved by the Privacy Commissioner.

Other legislative instruments

4.49 In the approach adopted by the ALRC, further prescription, guidance and flexibility can also be provided through legislative instruments issued or approved by the Privacy Commissioner.

Public Interest Determinations

4.50 Such legislative instruments include Public Interest Determinations, which waive the obligation to comply with a principle, such that an act or practice that would otherwise breach a privacy principle will be taken not to be an interference with privacy.[47] Public Interest Determinations provide the Privacy Commissioner with the flexibility to address situations where the public interest is in conflict with the privacy principles. The history of privacy regulation at the federal level would suggest that this is a fairly rare occurrence: the Commissioner has found it necessary to issue only nine Public Interest Determinations in the Privacy Act’s 20 years of operation. It remains, however, a useful component of the regulatory framework and one that allows greater flexibility in the privacy regime. The ALRC also notes that Public Interest Determinations are disallowable by Parliament, and therefore are subject to parliamentary oversight.

Part IIIAA privacy codes

4.51 Another type of legislative instrument that can be used to elaborate on the requirements of the principles is a privacy code approved under Part IIIAA. These codes are discussed in detail in Chapter 48, with the ALRC recommending that the code provisions be changed so that: a code applies in addition to the UPPs and does not replace them; and the primary purpose of a code is to prescribe how a principle is to be applied or complied with.

4.52 Privacy codes, under the current provisions and the ALRC’s recommended changes, cannot derogate from the principles in the way that subordinate legislation, such as regulations, can. This is a very important distinction. For the reasons set out above, the ALRC has formed the view that only the regulations should be able to derogate from the principles established by Parliament in the Privacy Act. The Privacy Commissioner, while almost certainly involved in the consultation and development process for regulations, will not have the power to promulgate regulations or codes that weaken (or strengthen) the principles; that will be Parliament’s responsibility.

4.53 The ALRC’s approach, however, does have the flexibility to allow codes to be incorporated in regulations, similar to Part IVB of the Trade Practices Act 1974 (Cth). The responsible minister, in consultation with the OPC and other relevant stakeholders, could choose to adopt a code and transform it into regulation, thereby allowing greater industry involvement in the regulatory sphere. As the minister is using the recommended regulation-making power, the code could contain provisions that derogate from the privacy principles.

Rules

4.54 Another type of legislative instrument under the Act is a rule, issued or approved by the Commissioner. These instruments are currently referred to as guidelines; the ALRC has recommended that they be renamed ‘rules’ to reflect their binding nature.[48]

4.55 An example of the application of rules in the Privacy Act is to allow the collection, use and disclosure of personal and health information for health and medical research. While most research is conducted on the basis of consent from participants, the Privacy Act recognises that in some circumstances it is very difficult or impossible to conduct research that may be in the public interest—for example, epidemiological studies of the distribution and determinants of disease in large populations—in a way that complies with the Act. In these circumstances, the Act provides a mechanism to allow such research to go forward, subject to rules issued by the NHMRC and approved by the Privacy Commissioner. Any such research must be approved by a Human Research Ethics Committee, which must be satisfied that the public interest in the research outweighs the public interest in maintaining the level of privacy protection provided by the Act.

Guidance

4.56 Guidance is the third part of the regulatory approach adopted by the ALRC. It should be seen as sitting at the base of the regulatory model, in the sense that it is non-binding and, unlike primary and subordinate legislation, does not set out rules or obligations.

4.57 Guidance plays a particularly significant role in a regime like the Privacy Act. Notwithstanding the fact that the model privacy principles may be supplemented by more specific regulation in certain areas, it is still the case that the principles will form the primary method of regulation under the Act and apply to all agencies and organisations. For agencies and organisations that do not deal with personal information that is subject to specific regulations, such as health or credit reporting information, the model privacy principles will be the primary, and possibly only, source of privacy obligations.

4.58 While principles may appear simple to apply, problems may arise in interpreting what is required to be in compliance. Whether a principle is certain depends on whether there is general consensus about what is required to achieve compliance. For these reasons, guidance from the regulator is critical to assist regulated bodies to interpret and apply the privacy principles.

4.59 Such guidance should not be considered a luxury or an add-on to the core privacy regime; the ALRC’s recommended regime cannot operate effectively unless there is such guidance. The ALRC recognises, however, the tension presented by guidance as a regulatory tool. While intended by the regulator as suggestions for compliance, guidance can be understood by the regulated entity as binding rules that must be applied to achieve compliance. If the regulated entity treats guidance in this way, and there is a proliferation of guidance, the administration of a principles-based regime is undermined.[49] It can also deprive the regulator of the benefits of a principles-based approach by ‘creating expectations as to its own conduct in the future’. That is, while the regulator may see guidance as advisory only, some regulated entities may understand it as being the definitive interpretation of the principles.[50]

4.60 Thus guidance should be published, but care should be taken that it is published only where appropriate. It is important to recognise, however, that refusing to publish guidance where there is a genuine need is not an acceptable alternative for the regulator of a principles-based regime. It is neither appropriate nor effective to refuse to publish guidance that would help organisations and agencies understand their obligations, and instead wait for them to make a mistake and breach the law. Further, such a refusal to publish guidance is inconsistent with the regulator’s focus on fostering and securing compliance with the principles.

4.61 It is important to make clear in publishing guidance that an agency or organisation can be in compliance with a privacy principle but not in compliance with the Commissioner’s guidance; that is, the guidance is not legally binding. Such a situation is likely to be rare, but the OPC acknowledges this prospect in its non-binding guidance. For example, the guidelines on the use of data-matching in Commonwealth administration explain that the guidelines ‘aim to encourage a higher standard of regard for people’s privacy rights in relation to data-matching than is required by bare compliance with the IPPs and an agency would not necessarily breach the IPPs if it did not adhere to these guidelines’.[51]

[39] J Black, Principles Based Regulation: Risks, Challenges and Opportunities (2007) London School of Economics and Political Science, 7.

[40] This hybrid approach is also reflected in the Information Privacy Principles and the National Privacy Principles in the Privacy Act, both of which have their genesis in the Organisation for Economic Co-operation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980). For further discussion of privacy principles, see Ch 18.

[41] O Krackhardt, ‘New Rules for Corporate Governance in the United States and Germany—A Model for New Zealand’ (2005) 36 Victoria University of Wellington Law Review 319, 332.

[42] Commonwealth of Australia, Administrative Arrangements Order, 25 January 2008 [as amended 1 May 2008].

[43] This is provided for in Legislative Instruments Act 2003 (Cth) ss 17–19.

[44] The regulatory framework for credit reporting is discussed in Ch 54.

[45] See Ch 54.

[46] The regulatory framework for health services and research is discussed in Ch 60.

[47] Public interest determinations are discussed in detail in Ch 47.

[48] See Rec 47–2.

[49] J Black, Principles Based Regulation: Risks, Challenges and Opportunities (2007) London School of Economics and Political Science, 15–16.

[50] Ibid, 16.

[51] See Office of the Federal Privacy Commissioner, The Use of Data Matching in Commonwealth Administration—Guidelines (1998), 3.