Privacy Law and Policy Reporter
With so many proposals and models for privacy regulation currently under discussion, Australian privacy advocates decided it was time for a clear and concise statement of a ‘bottom line’ position. This position will comprise a critique of the Privacy Commissioner’s National Principles (a draft of which is to follow in the next issue) and, in this article, a proposed statement of the necessary ‘machinery’ or framework elements of an effective privacy law.
The necessary framework elements can be grouped under five main headings: scope and coverage; surveillance limitation functions; the role of codes of practice and how they fit within the legislation; complaint handling and enforcement; and the Privacy Commissioner — appointment, functions, powers and resources.
It is clearly desirable that privacy protection should apply as widely as possible throughout the community — covering the activities of organisations and individuals in the public, private, charitable and non-government sectors. Exemptions should be kept to a minimum and should wherever possible be targeted at the particular provision of the law which it is decided cannot be complied with. Blanket exemptions for whole classes of organisation — such as law enforcement and intelligence agencies or the media — must be avoided. Even organisations with the most highly sensitive functions also perform routine administrative activities which should be subject to the law.
A sensible exemption for personal, domestic, household or recreational uses is desirable. No one wants or intends to subject individuals’ personal diaries, notes or jottings to the law — excessive intrusion into our private thoughts would itself be a major interference with privacy. But people must not be able to hide systematic record-keeping about others behind a personal use exemption. Not too much time should be spent trying to make such a definition ‘watertight’ — there will always be grey areas where personal use blends into commercial or organisational use. Experience around the world suggests it is safe to leave a reasonable amount of discretion with a Privacy Commissioner, (and ultimately tribunals and courts) to judge when the line has been crossed.
Employment records should clearly be covered; in the employment context privacy rights are particularly valuable as a check against arbitrary and discriminatory decisions with major consequences for individuals. But here too it is important that employees are not able to avoid accountability for decisions about others by sheltering behind a personal information exemption. This is particularly true in the public sector, where occasional abuse of privacy laws to avoid accountability has undermined the image of the law. In the workplace context only, the original Freedom of Information concept of personal affairs information may be a better guide to what needs to be protected than the wider personal information concept that replaced it.
A comprehensive law applying to all data users would avoid the problem created under the present federal law by the trend to contract out or ‘outsource’ an increasing range of functions. In the short term the proposed outsourcing amendments must go ahead to prevent a loss of existing privacy rights. In the medium term, a single law applying to all sectors, with a common set of principles, is clearly the only sensible option.
Privacy laws, where they exist, have performed reasonably well at providing safeguards for individuals in the operation of personal data systems. Where they have been less successful is in limiting the proliferation and intrusiveness of such systems. Giving a Privacy Commissioner a general function of researching and publicising technological and organisational developments can go some way to ensuring that privacy implications are considered in other decision-making processes. But the pace of change and the pressures leading, either by choice or incidentally, to greater surveillance and privacy intrusion are so overwhelming that something more is needed.
The Australian Privacy Charter recognises the surveillance limitation function in several of its principles — notably justification (Principle 1), freedom from surveillance (Principle 6), and no disadvantage (Principle 18). While these principles can and should be built in to the core ‘rules’ of any privacy law, they also require some machinery in the law. The concept of requiring organisations to develop privacy impact statements is one good way of addressing this need (see Assistant New Zealand Commissioner Blair Stewart’s articles — most recently at (1999) 5 PLPR 147 — and see ‘Private Parts’ in this issue for other resources).
Any new Australian law should include a requirement for privacy impact assessments for any major proposals with privacy implications. A set of criteria will need to be developed to determine when an impact assessment is required, although there should also be a ‘fallback’ power for a Privacy Commissioner to require one in exceptional circumstances that fall outside the criteria — to accommodate currently unanticipated developments.
It is now almost a given that a privacy law should include provision for codes of practice, but it is important to be clear about the function of codes. They can provide useful flexibility, applying general principles to specific circumstances. But they must not provide a way of achieving a lesser standard of privacy protection for any particular activity or sector.
The law should state clearly that codes of practice may not be approved if they do not provide at least the same or equivalent level of protection as the default legislative scheme.
However codes are ‘made’ (whether by a Commissioner or by a Minister on a Commissioner’s advice) there must be an adequate process of community consultation, and an opportunity for disallowance by Parliament (since codes represent a variation to the law). It is not necessary to make the development and adoption of a code too easy. As experience in New Zealand has shown, few if any sectors must have a code — most can, and will, choose to live with the default scheme. The ‘bar’ over which interested parties must jump to obtain a code should properly be set quite high, not least because codes complicate the scene from the consumer’s perspective.
Codes can legitimately deal with some or all of the principles, and with machinery issues such as complaint handling and compliance auditing, provided that there is ultimate recourse to legal remedies in circumstances where sectoral mechanisms are found wanting. This need not mean an automatic right of appeal in every complaint case (see below under ‘complaint handling’) but there should be a process for challenging the operation of a code where there are clear prima facie grounds for believing it is not providing the promised alternative to elements of the statutory scheme.
The availability of easy, cheap and quick dispute resolution mechanisms is essential. A graduated system, with steps of increasing formality for more serious alleged breaches, is appropriate. Attempts to shoehorn all complainants into mediation or conciliation should be resisted, as the power imbalance in many situations make this an unsatisfactory option. Many privacy complaints are not in any case amenable to negotiated outcomes — they require an independent umpire to speedily investigate, form a view, and make a decision which is binding on the parties (subject to appeal). There is no reason why this mechanism cannot be provided within a sector or industry — the Banking and Telecommunications Industry Ombudsman schemes, while not without faults, provide a useful model. But for the bulk of complaints, and in less well organised sectors, a dedicated Privacy Commissioner is best placed to perform this role.
Equally important is a pro-active compliance auditing and enforcement role. Again this can be provided within a sector as part of a code of practice, but any such arrangements should be subject to the oversight of a Privacy Commissioner who also performs the role directly.
The value of privacy auditing cannot be overstated. Complaints alone are a poor indication of levels of compliance with privacy principles. Many privacy breaches do not even come to the notice of the individuals concerned. Even if they do, unless they cause direct harm, affected individuals may not feel it worthwhile to invest the considerable time and effort needed to pursue a complaint. This does not mean that organisations committing the breach should not be taken to task, particularly where the breach involves systemic non-compliance potentially affecting many thousands of individuals. The prospect of a random audit, leading to a binding determination to change practices in some way, is the most effective way of ensuring long term and widespread compliance.
The functions and powers of a supervisory authority (typically a Privacy Commissioner) are critical to the success of any statutory privacy regime, as are the personal characteristics of the person appointed.
A Commissioner should have the full suite of functions and powers already held by the Federal Commissioner under the Privacy Act 1988, with the addition of express authority to report publicly at any time on any of their functions. Under a regime which incorporates codes of practice, a Commissioner also needs an express role of monitoring the adequacy of code arrangements and outcomes, as well as either making or advising on the making of the codes in the first place.
The best suite of functions and powers will be ineffective if not properly resourced. Promotion of privacy and the supervisory roles under the law, in relation to all sectors of the economy, cannot be done effectively on the cheap. A well resourced Commissioner with, say, 40 to 50 staff and a budget to match, including an allocation for advertising and access to a litigation fund, would not be too much to expect and still modest compared with many other regulatory bodies.
While a powerful and well resourced Commissioner is essential, she or he should not be left entirely to their own devices. Without some checks and balances, there is a danger that a single Commissioner will either get too close to the organisations they are regulating, or let personal preferences or idiosyncracies guide their performance of the role in particular directions, perhaps to the neglect of others. Ideally, a Commissioner should have a standing Parliamentary Committee to ‘keep them honest’. The next best option is a privacy advisory committee, but one with a significantly different role from the existing committee established under the Privacy Act. While providing the Commissioner with a useful sounding board (when it has been fully operational), this committee has been almost wholly ineffectual in challenging and monitoring the Commissioner’s activities. A useful advisory committee would have an independent chair, secretariat and sufficient resources to keep the Commissioner on his or her toes, and a separate reporting line.
There is clearly a lot more detail that will be important in the design of a new privacy law. This article has attempted to provide a baseline of key elements which are necessary to give us a modern privacy law of which we can be proud and which will meet the needs of the Australian community well into the next century. Comments are invited on this draft, which will then be finalised and presented to federal and state governments. Comments should be sent to Nigel Waters, Convenor of the Australian Privacy Charter Council — see the on the front page of this issue for contact details.
Nigel Waters, Associate Editor.