Roger Clarke's Web-Site


© Xamax Consultancy Pty Ltd,  1995-2018

Roger Clarke's 'Australian Privacy Law'

History of Australian Privacy Law
The Commonwealth

Emergent Draft of 26 October 2010

Roger Clarke ** [and co-authors?]

© Xamax Consultancy Pty Ltd, 2010

Available under an AEShareNet Free
for Education licence or a Creative Commons 'Some
Rights Reserved' licence.

This document is at

It is one chapter in a study of privacy law in Australia

1. Introduction

The Commonwealth of Australia was formed in 1901, through the federation of six colonies that had been formed between 1788 and 1851. The six colonies becames six States of the Commonwealth. One Territory was granted self-government in 1978, and another had self-government thrust upon it in 1988. There are accordingy nine Crowns in Australia, the Commonwealth (also variously referred to as 'federal' and 'Australian'), six States with substantial powers, and two Territories. Each of the nine Crowns has authority over its own public sector. However, the Commonwealth Parliament retains the power to over-ride the Territory Parliaments, and has occasionally done so, relevantly in relation to euthanasia laws.

Because of features of the constitution, both the national and sub-national Parliaments have powers in relation to the private sector. Hence, at least for the purposes of privacy law, a tenth context needs to be recognised - the non-government sectors.

This paper reviews the history and status of privacy law at Commonwealth level, as it relates to the public sector. Separate papers in the series address the complex situation in the private sector, N.S.W., Victoria, and the other six sub-national jurisdictions.

2. The Beginnings - 1969-1984

Despite the exhortations of UDHR (1948), and Australia's undertakings arising from ICCPR (1966), privacy was not a major item of discussion during the immediate post-war period. This was a time in which recovery, progress, the Communist menace, and the Cold War dominated. At about the same time as privacy issues were beginning to attract attention in Europe and North America, the wake-up call was issued in Australia by Zelman Cowen (some years later Governor-General), in his ABC Boyer Lecture Series in 1969 (Cowen 1969). This had direct consequences in, but only in, N.S.W.

Australia signed the ICCR in 1972 and ratified it in 1980. The act of ratification required Australia to adopt legislative and other measures to give effect to the ICCPR. However, the ICCP has never been adopted as law of the Commonwealth of Australia, and mainly operates as a reference point for the functions of the Human Rights Commission (AHRC 2006, 2010).

In April 1976, the Commonwealth Government of the (conservative) Liberal Prime Minister Malcolm Fraser gave the Australian Law Reform Commission (ALRC) a reference to study interferences with privacy arising under the laws of the Commonwealth or Commonwealth Terrritories.

The ALRC took in an inordinate length of time to complete its Report (1976-83). As a result, it was not completed during the term of the Government that commissioned it, but was finally presented, in December 1983, to the then quite new Labor Government of Prime Minister Bob Hawke (ALRC 1983). The Government's first responses were cautiously supportive, but the issue had low priority for a new Government whose concerns were dominated by economic matters.

In the interim, during 1978-79, the Organisation for Economic Cooperation and Development (OECD) had formed an Expert Group to work on data protection matters. The Chair of the ALRC, Michael Kirby was elected to the Chairmanship of the Group. The OECD perceived "a danger that disparities in national legislations could hamper the free flow of personal data across frontiers. ... Restrictions on these flows could cause serious disruption in important sectors of the economy, such as banking and insurance" (OECD 1980, p.1). The concern about "unjustified obstacles" is expressed many times in the document. The expression makes clear that privacy, a merely social interest, was perceived as a constraint on the implicitly higher-order economic interest in "free flows of personal data", and that the constraining effects of privacy protections must be minimised. To address that risk, it sought "a consensus on basic principles which can be built into existing national legislation, or serve as a basis for legislation in those countries which do not yet have it" (p.1), and thereby codified the already fairly mature regime based on 'Fair Information Principles' (FIPs).

Although Australia acceded to the OECD Guidelines in 1984, there was no momentum within the country and no privacy-protective actions were taken.

3. The Australia Card and the Privacy Act - 1985-1990

Between March 1985 and September 1987, the Hawke Labor Government was intent on introducing a national identification scheme, which it dubbed the Australia Card (Greenleaf & Nolan 1986, Clarke 1987).

Public concerns wer apparent from an early stage. In an attempt to provide a veneer of respectability for the Australia Card Bill, public servants threw together a Draft Privacy Bill at short notice during the course of 1986.

After the collapse of the Australia Card proposal in late 1987, the Privacy Bill remained on the table. Following considerable negotiation, the Privacy Act 1988 was enacted.

The Act imposed what later came to be referred to as 'light-touch' regulation of the Commonwealth public sector. More specifically, it embodied in s. 14 the Information Privacy Principles (the IPPs), created the Privacy Commissioner and the Office of the Australian Privacy Commissioner (OAPC), and provided the Commissioner with some very limited powers. From the viewpoint of privacy protection, the Privacy Act 1988 was a weak instrument, but perceived by privacy advocates as considerably better than nothing at all. An evaluation of the Act against the OECD Guidelines is in Clarke (1989).

Some limited further progress was made on specific matters. Coverage was extended to an additional class of data, 'spent' criminal convictions, through an amendment to the Crimes Act Part VIIC. For a review, see Knowles (1994).

In addition, some limited regulation was applied to a specific application of the data matching technique, through the Data-Matching Program (Assistance and Tax) Act 1990.

4. Rampant Data-Exploitation - 1991-2001

Continual attempts were made by government agencies to recover elements of the Australia Card regime. The scope of use of the Tax File Number was extended far beyond its original purposes (Clarke 1991). Multiple further attempts have been made to impose a national identification scheme (Clarke 1992). During the period 1990-92, a Law Enforcement Access Network (LEAN) had been mooted (Clarke 1992). It foundered on the altar of State jealousy and distrust of the Commonwealth. Data was contrived in order to justify data matching schemes (Clarke 1993, 1995).

Parliamentary authority for data-sharing among agencies has been slid through in omnibus legislation and without consultation or even debate. Data centres and then applications have been consolidated on the same workstation, again without consultation or meaningful debate. Significant data breaches have occurred. Recent, mostly failed, projects have sought to extend use of the Medicare Card, to establish an 'Access Card' for the welfare services that are administered by Centrelink, and to impose an Individual Health Identifier. A wide array of new technologies have been developed and deployed, including means of identifying, locating and tracking people.

The Privacy Commissioner resigned with effect from January 1999, three years short of her five-year term. One of her last acts was to declare that the Federal Government's GST mail-out to pensioners "was not authorised under the Social Security Act, and the database should not have been used", but that it was only a "technical breach". Rather than egg on the Minister for Social Security's face, if not her resignation, this appears to have resulted in no other outcomes than a newspaper article in 'The Canberra Times'. The failure to take positive, public stances in support of privacy has been a feature of the Privacy Commissioner's role throughout its history.

In mid-1998, a proposal similar to the earlier LEAN project had emerged from the office of the Minister for Justice. Clearly, technology needed to be harnessed in the support of law enforcement. Equally clearly, however, great care needed to be taken to ensure that such measures were not intrusive in ways, or to such an extent, that they unduly invaded privacy and undermined the public's confidence. There was, however, no privacy or civil rights advocacy representation on the working party that developed the proposal.

A Request for Tenders was released in July 1999. It demonstrated no appreciation whatsoever of the very substantial privacy concerns that the proposal raises.

Some dissension among the States and Territories was reported in the press, particularly in relation to the very seriously invasive DNA database proposals. These were the subject of a report by the Attorney-General's Department ('Model Forensic Procedures Bill and the Proposed National DNA Database' of May 1999). The Crimtrac organisation was formed in 2000, and, although progress in multilateral negotiations with the States has been tortuous, it has steadily increased its functions, data-holdings and privacy-invasiveness.

Through the 1990s, occasional recommendations emerged from parliamentary committees, and occasional private members' Bills were tabled, but meaningful enhancements to privacy law were successfully avoided by the public sector for an entire decade. With the passage of time and of a vast fleet of subsequent laws that over-ride the protections that the 1988 statute provided, it has atrophied into an extremely weak instrument.

And then Muslim extremists not only killed 3,000 Americans, but also dealt a massive blow to civil liberties and privacy in all advanced western nations.

5. Rampant Counter-Terrorism Measures - 2001-

During the period 2001-10, in the aftermath of terrorist strikes in New York, London, Madrid and Bali, some 40 items of legislation were enacted without any requirement for justification and which in most cases could be readily demonstrated to be unnecessary and disproportionate. A catalogue is provided in APL (2007).

Many of the new powers were not limited to terrorism offences, none were subject to sunset clauses, and none have yet been rescinded. Not only were very few new privacy protections enacted, but the new powers were accompanied by very weak controls and in many cases no controls of any consequence at all.

NEEDS A BRIEF REVIEW OF THE DAMAGE HERE, incl. sedition (Connolly), see also


The fourth Privacy Commissioner from July 2004 was in her mid-career, and previously an executive with an industry peak-body. During the next 6 years, she sustained the Office's closeness to government, significantly increased its closeness to business, and kept privacy advocacy organisations at arm's length.

?Was there a Stott-Despoja Bill that stimulated developments?

Senate Committee (2005?)

ALRC review 2006-08

A raft of Recommendations, some of which would, if implemented effectively, improve privacy protections, but many of which are highly friendly to business and government and authorise privacy abuses rather than protecting against them.

Complete failure of the Rudd Government of 2007-10 to review the swathe of counter-terrorism, despite its platform

No sign from the Gillard Government of 2010 of any intention to do so, and a complacent Attorney-General has remained in place, well-controlled by his Department

The incumbent Privacy Commissioner 2005-10 was not renewed. Following an open advertisement and a closed selection process, the Deputy Privacy Commissioner of the last 10 years was appointed to the role in July 2010.

As part of its agenda to upgrade the Freedom of Information laws, driven by Senator John Faulkner, the Rudd Government established an Information Commissioner, with effect from November 2010. One aspect of this initiative was that the Privacy Commissioner became subordinate to the Information Commissioner, and the Office of the Australian Privacy Commissioner (OAPC) was subsumed into the Office of the Australian Information Commissioner (OAIC).

The Government's initial tranche of responses to the ALRC Report in 2009 nominally adopted most of the recommendations it considered, but in fact weakened many of them.

The ALRC's proposed Unified Privacy Principles (UPPs) were drastically worsened by the public service, such that the Australian Privacy Principles submitted in draft for review by a Senate Committee (REF, 2010) were severely criticised (CLPC 2010, APF 2010).

6. 2010 Stocktake

In 2010, a badly eroded 1988 law remains in place. There are prospects of wholesale amendments,

A considerable array of laws provide incidental protections for various aspects of privacy. For example, privacy of the physical person enjoys protection from aspects of the criminal law (e.g. assault, kidnapping and false imprisonment). Privacy of personal behaviour is subject to laws relating to listening devices, cameras and surveillance devices generally. The privacy of personal communications is protected by laws relating to the mail, the recording of conversations, and telephonic and other forms of electronic interception. The privacy of personal data benefits from aspects of the laws of confidence and negligence, and anti-discrimination legislation. Relevant laws are identified in APF (2010).

Government agencies are subject to particular provisions in the statutes that govern their activities and programmes. Organisations in both the public and private sectors are subject to provisions within statutes that regulate such activities as public health, education, family law, children's safety, occupational health and safety, financial services, consumer rights, and archives. Many of these laws contain features that are intentionally or at least incidentally privacy-protective, although very few are even faintly comprehensive, and the pattern as a whole is anything but coherent. Delegated legislation such as formal Codes play a role, and some limited benefits arise from informal industry codes and from industry standards.

Most of the functions of the Privacy Commissioner are specifically limited to information privacy, in particular as defined by the Privacy Principles in the Privacy Act. However, seven of the 24 are expressed openly, and empower and require the Commissioner to consider all dimension of the privacy of individuals, not merely the privacy of personal information. These functions are the examination of proposed enactments (s.27(1)(b)), research into IT (c), provision of advice (f), examination of proposals for data matching or data linkage (k), educational programs (m), reports and recommendations (r), and anything incidental or conducive to those six functions (s).

The first four Commissioners during the two decades from 1989 to 2010 largely avoided the exercise of these functions outside the narrow realm of privacy of personal data as limited by the Privacy Principles. It remains to be seen whether the 5th Privacy Commissioner, operating in the new context of a junior to the Information Commissioner, will adopt a broader interpretation of the office's scope, and will reduce his predecessor's friendliness to the interests of business and government and hostility to privacy protection.

More broadly, none of the Privacy Commissioners has ever acted as a watchdog, or been a significant factor in the enhancement of privacy protections, or in the holding back of even the most highly-invasive government initiatives.

The fourth Privacy Commissioner, 2004-10, went much further in subverting the role, by actively avoiding the exercise of her privacy-protective powers, actively facilitating government initiatives, and compromising her indpendence by operating as a paid consultant to agencies under Memoranda of Understanding, and excluding public interest organisations from her dealings with government. Quite simply, the Office of the Privacy Commissioner has been converted into a government agency whose role is to protect other government agencies from negative impacts on their operations arising from privacy law and public concerns about privacy. It remains to be seen whether the fifth Privacy Commissioner, now working with the more senior Information Commissioner, will continue to subvert the role.

A further consideration is the hints that a tort of privacy might emerge. However no court of any consequence has handed down a significant decision. A Law Reform Commission Report recommended a common law right of action (ALRC 2008), but the media wilfully misrepresented it as an attack on freedom of the press, and neither the current nor any future Government appears to have the capacity to withstand media assaults; so the chances of a right of action emerging remain very low.


See the consolidated reference list for the complete series of papers.



Author Affiliations

Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the Cyberspace Law & Policy Centre at the University of N.S.W., and a Visiting Professor in the Department of Computer Science at the Australian National University.

xamaxsmall.gif missing
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.

From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 50 million in early 2015.

Sponsored by Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916

Created: 7 August 2010 - Last Amended: 26 October 2010 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at
Mail to Webmaster   -    © Xamax Consultancy Pty Ltd, 1995-2017   -    Privacy Policy