Allens Arthur Robinson

The Privacy Commissioner's review into the operation of the private sector provisions of the Privacy Act was released in May 2005.

On 18 May 2005, the Federal Attorney-General released the Privacy Commissioner's review into the operation of the private sector provisions of the Privacy Act, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988.

The review represents the first major examination of the private sector provisions since they came into force in December 2001. It draws on information and opinions from individuals, businesses, industry organisations, consumer groups and government agencies.

In the Privacy Commissioner's opinion, there are no fundamental flaws with the private sector provisions, although clearly there are areas where the private sector provisions have not met their objectives.

Eighty-five recommendations are made in the review to improve the private sector provisions, which are intended to balance protection of individual rights, while recognising the collective needs of the community, including the business community. Those recommendations contemplate action either by the Australian Government or by the Office of the Privacy Commissioner (OPC).

National consistency

The review discusses the failure of the private sector provisions to meet their objective of national consistency.

Inconsistency at a number of levels

Inconsistencies in the privacy legislation have been identified at various levels, namely:

  • within the Privacy Act itself (because different rules apply to the private sector from those that apply to federal government agencies);
  • between different sources of Commonwealth regulation impacting on privacy (for example, Part 13 of the Telecommunications Act contains disclosure provisions that are inconsistent with the Privacy Act); and
  • between state and Commonwealth legislation.

The regulation of privacy in relation to health information has been particularly affected, as has, to a lesser degree, the regulation of employee privacy and tenancy databases.

There are numerous sources of law identified in the review that may impact on how organisations comply with their obligations under the Privacy Act, such as the misleading and deceptive conduct provisions in the Trade Practices Act and the ASIC Act; the limits in the Corporations Act on the use or disclosure of information on company share registers; and the provisions in the Commonwealth Electoral Act on the use and disclosure of electoral roll information. Therefore, not only are organisations subject to separate regulatory regimes, but also to multiple regulators for the same personal information.

This inconsistency has had a negative effect on business efficiency, with increasing compliance burdens and administrative duplication because of the overlap between separate legislative regimes. It has also had an adverse effect on the ability of individuals to understand and protect their privacy rights.

Reasons for inconsistencies

The review identifies a number of reasons for these inconsistencies. These include the following:

  • Rapidly changing technology since the formation of the private sector provisions has led to separate, but overlapping, legislation such as the Spam Act 2003. Given likely future developments in technology, the need for national consistency is particularly acute to ensure that regulation of those new technologies fits with the private sector provisions.
  • The Privacy Act contains slightly different public sector and private sector privacy principles.
  • National Privacy Principles (NPPs) relating to the private sector include specific provisions about the transfer of data overseas and provide more protection to defined types of 'sensitive personal information' than under the public sector principles (IPPs). This has become more of an issue as private sector organisations increasingly carry on activities that were traditionally the responsibility of government agencies (such as in the area of health care, where government contractors may need to comply with both the NPPs and IPPs).
  • States and territories have legislated in areas that are exempt under the Privacy Act, such as workplace surveillance and the regulation of tenancy databases.
  • Concerns have also been expressed about the differences in legislation between the various states and territories. For example, at least two States are currently developing workplace surveillance legislation, but independently of each other.
  • Further, there is uncertainty about the extent to which the states and territories can legislate separately in this area. Section 3 of the Privacy Act provides that the operation of state and territory laws capable of operating concurrently with the Privacy Act is not to be affected. It is not clear how broadly this is to be interpreted, and therefore if, and to what extent, state and territory laws may be unconstitutional.
  • The OPC has been unable to respond speedily to queries about the application of the NPPs in some areas because of a large caseload.

The recommendations

The recommendations put forward in the review relating to national consistency for the Australian Government to consider are as follows:

  • Removing any ambiguity as to the regulatory intent of the private sector provisions by amending section 3 of the Privacy Act.
  • Seeking the Council of Australian Governments' endorsement of national consistency in all privacy-related legislation. This would overcome not only inconsistencies in legislation but also differences in interpretation of the same terms by the various jurisdictions.
  • Establishing mechanisms to address inconsistencies arising out of exemptions in the Privacy Act.
  • Developing a single set of principles that apply both to government agencies and private sector organisations, instead of separate IPPs and NPPs.
  • Changing the name of the OPC to the Australian Privacy Commission so as to clearly differentiate the OPC from the various state offices and avoid confusion for consumers.
  • Amending the Privacy Act to provide a power to introduce binding codes to regulate particular activities and therefore to overcome the problem of states and territories enacting similar but different legislation. The recommendation refers to the Trade Practices Act model that provides for the adoption of mandatory codes to regulate particular industries.
  • Special measures in relation to telecommunications.
  • Encouraging the National Health Ministers to finalise the National Health Privacy Code, and then adopting that code as a schedule to the Privacy Act.
  • Advancing as a high priority the work being undertaken by the Working Group on Residential Tenancy Databases.

Telecommunications consistency

In addition to the Privacy Act, privacy in the telecommunications sector is also regulated by the:

  • Telecommunications Act 1997 (Telecommunications Act);
  • Telecommunications (Interception) Act 1979; and
  • Spam Act 2003.

The telecommunications sector deals with a large quantity and range of personal information, as well as carrying the contents of voice calls, SMS and MMS messages, and emails. Given the sensitive nature of much of this information, the community's interest in protecting the privacy of these telecommunications is reflected by the legislation above which, except for the Spam Act, pre-dates the private sector provisions of the Privacy Act. The OPC has therefore perceived a need for national consistency in regulating privacy in the telecommunications sector.

Small business

The OPC has recommended that s6E of the Privacy Act be amended to ensure that the Act applies to all small businesses in the telecommunications sector, including Internet service providers (ISPs) and public number directory producers. A number of submissions to the OPC noted that the small business exemption may currently leave unregulated such organisations operating in the telecommunications sector.

Telecommunications Act

Many of the submissions received by the OPC dealt with the interaction between the Privacy Act and the Telecommunications Act. The OPC has recommended that it discuss with the Australian Communications Authority (ACA) the development of guidance to clarify the relationship between the Privacy Act and Part 13 of the Telecommunications Act. In particular, the OPC recommended that these Acts be amended to clarify what constitutes authorised uses and disclosures under each Act, and to ensure that the Privacy Act cannot be used to lower the standard of privacy protection provided by the Telecommunications Act.

By way of background, Part 13 of the Telecommunications Act contains different standards for the use and disclosure of personal information from NPP 2. For example, the Telecommunications Act offers greater privacy protection in relation to use or disclosure for the primary purpose of collection than does NPP 2. There is a concern that the exceptions to NPP 2 may provide an 'authorisation' under law, for the purposes of the Telecommunications Act. However, the opposite applies in relation to secondary purposes, as unlike NPP 2, the Telecommunications Act does not require the use or disclosure to be related to the purpose of collection. As a consequence, a disclosure for a secondary purpose may be permitted by the Telecommunications Act, but not by NPP 2.

Spam Act

The OPC has recommended that it discuss with the ACA the development of guidance to clarify the relationship between the Privacy Act and the Spam Act (for more on this see General Right to Opt-Out in relation to direct marketing).

Privacy notices: shorter, dated and unbundled

Short form notices

The OPC has recommended that the Privacy Act be amended to allow privacy statements and collection notices to be 'short form' and to clarify the interaction between a stated privacy policy (under NPP 5.1) and a notification at time of collection (under NPP 1.3). Submissions to the OPC have indicated that privacy statements and collection notices have tended to be long and drafted to cover all possible uses and disclosures.

In order to encourage short form privacy notices, the OPC recommends that it develop industry-specific standard form notices to guide compliance and to simplify the notices being used by organisations. This will be a very interesting development. Brevity and clarity are undoubtedly desirable. However, organisations have obligations in addition to their obligations under the Privacy Act, in particular an obligation not to engage in conduct that is misleading or deceptive. Their privacy statements need to reflect what they actually do with personal information. A short form, standard form, notice may create compliance risks other than privacy ones.

No notice can sometimes be a reasonable step

A welcome suggestion in the review is that the Government should consider amending NPP 1.3 and 1.5 to clarify that there may be situations in which it may be a reasonable step not to give a privacy collection statement. This is in response to concerns that businesses, relying on the existing OPC information sheet on what are 'reasonable steps', might still be found to be in breach of the Privacy Act if a court were to interpret NPP 1 more narrowly than the OPC has.

Dating privacy statements

Following submissions that some privacy statements were drafted so that the organisation could unilaterally (and without notice) amend the privacy statement, the OPC recommends that all statements should be dated. The OPC fell short of requiring that changes to privacy statements be notified to those individuals affected.

Bundled consent

The OPC recommended that it develop guidance notes on avoiding the perceived problem of 'bundled consent'. 'Bundled consent' concerns the practice of bundling together consent to a range of uses and disclosures of personal information without giving individuals an opportunity to choose which uses and disclosures they agree to and which they do not.

The steps taken by the OPC to implement this recommendation will need to be carefully monitored. There are often legitimate business reasons for organisations seeking consent to a range of uses and disclosures, and indicating that if that consent is not forthcoming the organisation will not be able to supply the product or service.

Some organisations need consent to comply with other laws.

Many organisations are simply not able to support customers opting out of particular uses or disclosures. In some cases this is because, unless they occur, the organisation cannot supply the relevant product or service. In other cases, the organisation might still be able to supply the product or service but would need to increase its costs substantially in order to accommodate the tailoring of individual treatment for particular customers.

Offering any 'opt-out' will require an organisation to be able to flag that opt-out in its systems and ensure that its processes observe the relevant flag. For many organisations supporting even a single opt-out flag (for example an opt-out for direct marketing) is an expensive exercise. If organisations were to be forced to support a number of different opt-out flags, they would incur substantial IT expenditure and they would need to amend their business processes to ensure that the relevant 'opt-out' was observed.

This issue of bundled consent is a difficult one and it is to be hoped that the OPC will further consult with business before finalising any guidance on the issue.

Direct marketing

The current position

Privacy issues relating to direct marketing are dealt with by NPP 2.1.

At present, if:

  • an organisation has obtained information for the primary purpose of direct marketing (by, for example, buying a list from another organisation); or
  • direct marketing is related (directly related for sensitive information) to the primary purpose of collection and can be reasonably expected,

an individual does not have a right to opt-out of receiving marketing material.

Even if direct marketing is not related to the primary purpose for which the information was originally collected, the information can be used for the purpose of direct marketing (unless it is sensitive information) where:

  • it is impractical to seek the individual's consent before using the information; and
  • the individual will not be charged for putting into effect any request not to receive any material; and
  • the individual has not opted-out of receiving material; and
  • in each communication with the individual, the individual's attention is drawn to the fact that he or she may opt-out of receiving further material; and
  • each communication with the individual includes the contact details of the organisation (including electronic contact details if the material was sent electronically) sending out the material.

General right to opt-out

The review recommends that the Federal Government should consider amending the Privacy Act to give individuals a right to opt-out of receiving marketing material under all circumstances, with organisations required to comply with an opt-out request within a specified time.

The review points out that the Australian Direct Marketing Association (ADMA) supports this recommendation and the OPC argues that it may not result in significant compliance costs as many organisations already offer an opt-out irrespective of the original purpose of collection.

An opt-in direct marketing system, favoured by consumer and privacy groups, was rejected. Note, however, that the Spam Act 2003 (Cth) requires, with certain exceptions, the consent of a person receiving commercial electronic messages.

Source of an individual's information

The review recommends that consideration be given to amending the Privacy Act to require an organisation to take reasonable steps, when asked, to divulge where they obtained an individual's personal information. An organisation would only have to reveal where they themselves got an individual's information, not the ultimate source of that information.

Currently there is no requirement for such information to be disclosed. This prevents the individual from complaining to the organisation that released his or her information or, if necessary, making a complaint to the OPC regarding that organisation.

It is not clear whether the recommendation relates only to the source of information used for direct marketing, or is intended to have broader application to information collected for any purpose.

There would be increased compliance costs associated with keeping track of the relevant information. The ADMA pointed out that for small organisations and charities these costs may be significant and recommended that, initially, the requirement be brought in as a 'best practice' guideline with a period of 18 to 24 months before it is made mandatory.

For large organisations, these costs could also potentially be very significant, especially if the amendment to the Privacy Act required a source to be recorded for all personal information collected, not just information collected for the primary purpose of direct marketing. This information is not commonly recorded at present. Some organisations hold a great deal of information about their customers that is collected from a range of different sources. A requirement to record those sources, and disclose them on request, could potentially impose a very substantial administrative burden and lead to significantly higher compliance costs.

A 'Do Not Contact' register

The review recommends exploring options for establishing a national 'Do Not Contact' register.

A limited register is currently maintained by the ADMA but, as pointed out in the review, membership of the ADMA and costs associated with accessing the register regularly may be beyond the resources of smaller organisations.

The recommendation does not go beyond a recommendation that a national register be explored – difficult issues such as who would pay for maintaining it, how often an organisation would be required to 'wash' its own lists against the national register and what, if any, cost there would be to access the register were not canvassed in the recommendation.

Due diligence

The review recognises that technical breaches of the NPPs may be occurring when businesses that hold personal information are bought and sold. This is particularly an issue where sensitive information is involved because of the impracticality (and likely impossibility) of obtaining the consent of everyone whose sensitive information is disclosed by a vendor to prospective purchasers in such transactions.

The OPC has recommended that the NPPs be amended to remove these technical breaches and authorise the practice of disclosure in the course of due diligence.

Small business exemption

The review recommends that the Government should consider retaining, but modifying, the small business exemption. It suggests a new definition expressed in terms of the Australian Bureau of Statistics definition (currently 20 employees or fewer) rather than annual turnover. The use of this concept has created difficulties in other areas – for example, in the Code of Banking Practice where a test solely on number of employees inadvertently brought a number of businesses that were not really 'small' within the ambit of the Code.

This change could have the opposite effect – it could allow organisations to avoid the operation of the Privacy Act by collecting information in subsidiaries that employ very few people. The rationale for the recommendation to change the definition appears to be that a number-of-employees test will be more easily understood by consumers and other interested parties than an annual turnover test. The Privacy Commissioner will, however, need to consider carefully the scope for avoidance if the definition is changed.