Roger Clarke's Web-Site
© Xamax Consultancy Pty Ltd, 1995-2016
Principal, Xamax Consultancy Pty Ltd, Canberra
Visiting Fellow, Department of Computer Science, Australian National University
Version of 25 June 1989
© Xamax Consultancy Pty Ltd, 1989, 1997
This paper is at http://www.rogerclarke.com/DV/PActOECD.html
In 1980, the Organisation for Economic Cooperation and Development (OECD) issued a set of Guidelines for data protection. Australia, an OECD member, had no significant data protection laws at that time. Subsequent proposals for Australian data protection law have been claimed to draw on the OECD Guidelines. The Australian Law Reform Commission completed a Report on Privacy in 1983, including a Draft Bill. The Australian government introduced a Privacy Bill in 1986, closely coupled with a Bill to introduce a national identification scheme. It lapsed.
A significantly revised Bill was introduced in late 1988, and following amendments in the House, passed into law in December of that year. This paper assesses the Privacy Act 1988 against the international guidelines. It concludes that the Act falls short of the OECD requirements in a number of very important respects.
The Preamble to the Commonwealth Privacy Act 1988 recites that, inter alia
... WHEREAS Australia is a member of the Organisation for Economic Co-operation and Development: AND WHEREAS the Council of that Organisation has recommended that member countries take into account in their domestic legislation the principles concerning the protection of privacy and individual liberties set forth in the Guidelines attached to the recommendation: AND WHEREAS Australia has informed that Organisation that it will participate in the recommendation concerning those Guidelines,
the Privacy Act is enacted in consequence of that obligation. It also recites another international obligation, "the right of persons not to be subjected to arbitrary or unlawful interference with their privacy", contained in the International Covenant on Civil and Political Rights (ICCPR 1966).
The Privacy Act 1988 incorporates eleven Information Privacy Principles (IPPs), which the Explanatory Memorandum (p.1) states are based on the recommendations of the Australian Law Reform Commission's Report on Privacy (ALRC 1983). The Law Reform Commission had also stated that its Principles were based on the OECD Guidelines (ALRC 1983, paras. 602-3, 1195).
This paper assesses the Privacy Act 1988 against the OECD Guidelines, considering where appropriate the ALRC's Report (1983) and the Privacy Bill 1986. Preliminary sections provide background on the history of data protection laws generally, and the OECD Guidelines in particular, and discuss factors affecting their implementation in the Australian context.
Concern about unfair information practices developed quickly during the latter half of the 1960's. This was stimulated by growth in the power of computers, and the extent of their use, although many problems either pre-existed computers, or were associated also with other forms of information system automation, such as photocopying, microfilm and telecommunications. Concern about the social impact of computers resulted in a significantly improved appreciation of the impact of information technology generally.
In many countries it was felt that the emergence of the various information technologies represented a challenge that existing legal protections were unable to cope with. As a result, during the decade of the 1970's, many of the 'advanced western nations' acted to provide legislative and/or administrative protections.
Important early activity in the United States included studies by Westin (Westin 1967, 1974) and an Advisory Committee to the then Department of Health Education and Welfare (HEW 1973). Congress passed the Privacy Act in 1974 regulating federal government agencies. A report on early experiences is to be found in the Report of the Privacy Protection Study Commission (PPSC 1977). Legislation in Europe had begun even earlier, with the West German Land of Hesse passing the very first Data Protection Act in 1970, and Sweden's Data Act of 1973 being the first comprehensive legislation at national level. In the United Kingdom, Private Members' Bills were introduced in the late 1960's, and the Younger Committee reported in 1972.
Since the early 1970's, most of the advanced western nations have legislated. In addition, many of the states of the U.S.A., provinces of Canada and Länder of West Germany have also passed laws. Some of these apply to all personal data systems, while others are restricted, e.g. to the public sector, or to automated or computerised systems. In an endeavour to achieve some amount of consistency in the highly varied approaches, the European Economic Community adopted a Convention in 1980 (EEC 1980).
Meanwhile, the United Kingdom had once again ignored the recommendations of a Government Committee (Lindop 1978). It finally responded to commercial pressure to ensure that British companies were not disadvantaged against their European competitors, and passed the Data Protection Act in 1984.
The membership of the Organisation for Economic Co-operation and Development (OECD) comprises the nineteen major Western European countries, plus the United States, Japan, Canada, Australia and New Zealand. By 1980, many of the OECD's Member countries had legislation of some kind in force (ALRC 1983 Vol.3 provides a summary). By 1978 it was apparent that "these laws have tended to assume different forms in different countries", and "the disparities in legislation may create obstacles to the free flow of information between countries" (OECD, 1980, p.15).
An Expert Group, chaired by Justice Michael Kirby, then Chairman of the Australian Law Reform Commission, was established in 1978 "in order to facilitate the harmonisation of national legislation" (p.15). Its instructions were "to develop guidelines on basic rules governing transborder flow and the protection of personal data and privacy, in order to facilitate a harmonisation of national legislations ..." (p.18). It was expressly not an attempt to flesh out more general documents concerning human rights, such as ICCPR (1966).
The prime concern was to " ... advance the free flow of information between Member countries and to avoid the creation of unjustified obstacles to the development of economic and social relations among Member countries" (OECD, 1980, p.7), and the concern to ensure that member-countries had a clear statement of international expectations regarding privacy protection was quite secondary. However, "The Guidelines attempt to balance the two values against one another; while accepting certain restrictions to free transborder flows of personal data, they seek to reduce the need for such restrictions and thereby strengthen the notion of free information flows between countries" (p.22-23).
The Guidelines are contained in OECD (1980), and comprise a 1-page Council Recommendation, 4 pages of Guidelines and a 22-page Explanatory Memorandum. The document provides " ... a general framework for concerted action by Member countries: objectives ... may be pursued in different ways" (p.23). It does not represent a binding International Convention.
The OECD Guidelines comprise eight 'Basic Principles of National Application' (pp.10-11), definitions of terms and of scope, and discussion of a number of matters of international concern. This paper concentrates on the national, to the virtual exclusion of the international, matters. References to paragraph-numbers in the Guidelines are prefaced with 'G', and those in the Explanatory Memorandum with 'EM'. References to paragraphs of ALRC, 1983 are enclosed in square brackets, e.g. .
The Guidelines make clear that they "do not constitute a set of general privacy protection principles"; they relate only to that sub-set of privacy concerns referred to as 'information privacy' (EM 38). Although the term 'privacy' is used, the guidelines are predominantly concerned with 'data protection' with consideration of some broader matters such as relevance, reasons for refusal and public participation.
The OECD's 'Basic Principles of National Application' are reproduced in Exhibit 1. In this paper the OECD Principles are numbered sequentially from 1, rather than in accordance with their paragraph numbers in the Guidelines (which run from 7 to 14).
The first five Principles relate to the collection, storage, use, and dissemination of personal data. Three further principles relate to a 'policy of openness' regarding data systems, the ability of individuals to participate in certain aspects of data systems, and accountability for compliance. The structure reflects that of previous national laws: "Generally speaking, statutes ... attempt to cover the successive stages of the cycle, beginning with the initial collection of data and ending with erasure or similar measures, and to ensure ... individual awareness, participation and control" (EM5).
They are also clearly, and fairly explicitly (e.g. EM 4, 51), a result of negotiation among common law and codified law countries, and between 'data protection' and 'privacy' oriented countries. This exercise in international diplomacy produced some fairly broad qualifications: "The framework ... permits Member countries to exercise their discretion with respect to the degree of stringency with which the Guidelines are to be implemented ... generally speaking, the Guidelines do not presuppose their uniform implementation by Member countries with respect to details" (EM45). It is also envisaged that some countries will undertake "the regulation of ['particular'] types of data or activities as compared to regulation of a general nature ("omnibus approach")" (EM46). Subject access and correction rights in particular are to be implemented pragmatically (the liberally-worded Principle in G13 is heavily qualified by EM58-61). Similarly the means whereby a Member country complies with the Guidelines is at its own discretion, as are the mechanisms of action and appeal (G19, EM69-70).
There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
The purposes for which personal data are collected should be specified not later than at the time of collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with [Principle 3] except:
Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.
There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
An individual should have the right:-
A data controller should be accountable for complying with measures which give effect to the principles stated above.
Prior to assessing the Australian legislation against the OECD Guidelines, it is necessary to identify important considerations which justify differences among the national implementations of the various OECD members.
Significant differences exist among OECD member countries, ranging from conceptions of data protection and privacy, through approaches to regulation, to the nature of legal procedures. Some of the important factors involved are:
Some relevant aspects of Australian society are identified below.
Australia is a widely dispersed country, with a population of 16 million spread over an area the size of contiguous U.S.A. and larger than Europe excluding Russia. Perth is as far from the national capital as London is from Tel Aviv, and Jakarta and Singapore are closer. The population is mainly urban (40% in the two largest cities, 55% in the five largest), but provincial and country populations are very widely spread.
It is a relatively well-off country, with the mining industry having grown quickly during the last twenty years to supplement the long-established agricultural and pastoral industries. Per capita disposable income is noticeably less than in the U.S.A., but of the same order as in West Germany, and greater than in the United Kingdom and Italy.
About 20% of the population was born outside the country, and since the last war the previously very strongly Anglo-Celtic population has been leavened with many 'New Australians' of other ethnic groups, particularly Italians and Greeks, resulting in what is currently referred to as 'multi-culturalism'. These have included small numbers of many different refugee groups, including European Jews and White Russians (1930's and 1940's), Hungarians (1956), Czechs (1968) and Vietnamese (1970's and 1980's). The attitudes of Australians to information privacy, and the degree of trust they have in record-keepers, are accordingly highly varied.
Australians have a long-standing ambivalence toward authority. They were fervent supporters of the British Empire into the 1950's, and since then most have regarded their country as a staunch ally of the United States. During recent decades they have pioneered compulsory seat-belts and random breath-testing with little protest. Yet attitudes of distrust of central authority, a cynical dislike for politics, and a love for both anarchic and republican symbols (such as the colony's convict origins, bushrangers, the Eureka Stockade flag and frequent use of the right to strike) have persisted. Although they live in one of the more strongly urbanised countries, Australians enjoy the 'boy from the bush' getting the better of the 'city slicker' - an image successfully and profitably projected by the film 'Crocodile Dundee'.
Despite the significant heterogeneity in Australian society, there have been few periods of real social unrest since the Second World War, with the Vietnam War having been the most socially divisive issue of recent times, followed by the Australia Card campaign.
Unlike some countries, including some in its reference group, Australia has no restrictions on location of residence or employment, no system of identity cards, and no comprehensive register of people's addresses and occupations. A multitude of identity documents are used in transactions, and a recent attempt to introduce a national identification scheme foundered in the face of strong community opposition. Police have no general powers to require that a person prove his or her identity. For the most part, individual freedoms have dominated social control.
Australian companies and government agencies have been early adopters of new information technology products, and are sophisticated users. For example, the banking sector comprises a small number of institutions which are large by world standards, and are world leaders in consumer Electronic Funds Transfer Systems (EFTS). There have been a number of innovative computing applications in the public sector, including Medicare, administered by the Health Insurance Commission, and the Department of Social Security's system. As in other countries making advanced use of information technology, there are shortages of trained staff, but standards remain high.
Australia's federal structure provides the Commonwealth Government with specific powers, but leaves the States with considerable residual powers and responsibilities. However, the Commonwealth's powers are certainly sufficient to enable regulation of its own agencies, and are adequate to enable it to at least significantly influence practices in the private sector and in agencies of the State governments. The current Commonwealth Government certainly believed it had sufficient powers to enforce a national identification scheme irrespective of the attitudes of the States.
Australian law was inherited from the United Kingdom, with prior cases defining some areas of law, and being crucial to the interpretation of others. A similar line of development has been followed to that of British law, and only very recently was the last possibility of final appeal to the United Kingdom Privy Council removed. Although foreign case-law is generally no longer binding on Australian courts, decisions by courts from other common law jurisdictions are of persuasive value. Judicial decisions in other common law countries are particularly relevant to Australian cases where the legislation is based on similar sources, such as the pioneering statute of some other country, or an international instrument.
In common with many other common law countries, Australia has experimented with methods of dispute resolution alternative to the traditional courts. A variety of bodies and tribunals have been established since the mid-1970's to deal with administrative law, including, at the federal level, an Ombudsman, an Administrative Appeals Tribunal, and a Human Rights and Equal Opportunities Commission. Various States have Ombudsmen, Anti-Discrimination Boards, and Administrative Appeals Tribunals.
Little Australian data protection law existed prior to the 1988 Act. There is no constitutional right of privacy as in the United States. A number of incidental protections for 'information privacy' potentially exist in the general law (common law and equity), in such areas as breach of confidence, negligent advice and defamation, but they have received little development by the Courts. The Commonwealth Freedom of Information Act 1982 and the Victorian (State) Freedom of Information Act 1982 both provide individuals with a right of access to, and correction of, records held on them by the Commonwealth and Victorian Governments respectively. In New South Wales, a Privacy Committee of twelve people representing various community interests is empowered under the Privacy Committee Act 1975 as a 'privacy ombudsman' to investigate complaints of invasion of privacy against both public and private sector bodies and make recommendations. In Queensland, South Australia and Victoria there is legislation providing individuals with rights of access and correction to credit bureau files. These matters are reviewed in ALRC (1983).
Australian courts generally avoid changing the law for policy reasons, asserting not just the primacy of Parliaments in law reform, but their exclusive responsibility for it. Given that Parliaments are better financed, and have less fettered access to know-how, this conservatism does not seem unreasonable. However, Australian Parliaments look less like sober law-making institutions than gladiatorial arenas, and tend to undertake major change in the law only sporadically. Difficult issues are referred to Law Reform Commissions, whose report is delivered years later, in a different social and political climate, often to a new Minister, and not infrequently to a subsequent Government of a different persuasion. Unsurprisingly, most of their recommendations are generally ignored.
In April 1976, the Commonwealth Government of the (conservative) Liberal Prime Minister Fraser gave the Australian Law Reform Commission a reference to study interferences with privacy arising under the laws of the Commonwealth or Commonwealth Territories. The Commission's Report was not completed for that Government (1976-83), but was finally presented, in December 1983, to the Labor Government of Prime Minister Bob Hawke. The Government's first responses were cautiously supportive, but the issue had low priority for a new Government whose concerns were dominated by economic matters.
The ALRC's proposals will be mentioned in this paper where appropriate, within the structure provided by the OECD Guidelines. The key elements were (ALRC 1983, Clarke 1985):
In formulating its ten Information Privacy Principles, the Commission claimed to have drawn primarily on the OECD Guidelines [ALRC, 1195]. However, the mechanisms proposed were designed to mesh with mechanisms and institutions already in existence, principally the Freedom of Information Act 1982 and the Human Rights Commission.
The Commonwealth Freedom of Information Act 1982, although it provided only very heavily qualified rights of access to government information, had been strenuously opposed by government agencies. By far the most common use of the Act has been to enable individuals to gain access to their own records, and the second most common use appears to be by investigative journalists. After an unsuccessful attempt in 1985, the Government has significantly increased charges for FOI access, in order to dissuade some requests, and recover a larger proportion of the cost of the remainder.
The ALRC Report contained a Draft Privacy Bill. This was distributed to federal government agencies for comment, and drew generally defensive reactions. The Attorney-General's Department made many changes to the Bill, some clearly related to legislative drafting style, but many suggesting that the public service felt it had a free hand to ensure that the legislation did not prejudice its interests. In accordance with an ALRC recommendation that the Federal Government create the environment for a national solution, State Attorneys-General were also given the opportunity to comment on the revised Draft Bill. There was no involvement of the public, or of public interest groups, during these stages.
Although presaged for the August 1985 parliamentary session, no Privacy Bill was tabled. During 1985-86, the question of privacy became caught up in the maelstrom of a much more divisive issue. The Government committed itself to the introduction of a national, multi-purpose identification scheme, involving a computer-based register, a card, a unique identification number, and reporting and other obligations on all organisations and individuals. In an attempt to imply that to oppose the scheme was to be unpatriotic, it was named the 'Australia Card' scheme. Its stated purposes were to address tax evasion, welfare fraud and illegal immigration. For a summary of the proposed scheme, see Clarke (1987).
The ALRC had proposed that the Human Rights Commission (since changed to the Human Rights and Equal Opportunities Commission) be established as the statutory guardian over the implementation of the Information Privacy Principles. Instead, the Government chose to vest that responsibility in a new Data Protection Agency whose primary function was to oversee the operation of the Australia Card scheme. This proposal made administrative sense in that one specialist agency would oversee all aspects of federal data protection laws. However, the provisions creating the Data Protection Agency were placed in the Australia Card Bill (Part VII), rather than in the Privacy Bill, and the Privacy Bill was therefore inoperable unless the Australia Card Bill was also passed. This was an attempt by the Government to neutralise the anticipated opposition of the civil liberties lobby to the national identification scheme.
Despite such manoeuvring, the Australia Card Bill was defeated in the Senate, in December 1986 and March 1987, by the combined opposition of the three non-Labor parties. In contrast to the furore over the Australia Card, the Privacy Bill debate was restricted to a little over an hour, and with the demise of the major Bill, it was left, forlorn, on the parliamentary table.
The second rejection of the Australia Card Bill gave the Government the constitutional grounds for an election involving the dissolution of both Houses of Parliament. After a succession of denials that it would exercise that option, it did so in May 1987. The reason for doing so was political (the opportunity to go to the polls during a period of leadership turmoil in the Opposition conservative parties), and had little to do with the Australia Card as a substantive issue. In the ensuing election campaign, despite being the technical grounds for the election and a matter of clear division between Government and Opposition, the Australia Card was barely mentioned, with competence in economic management being the main theme.
At the July election, the Government was returned with a sufficient overall majority that, if the Bill were again rejected by the Senate, the Government could force its enactment at a joint sitting of both Houses. The Prime Minister stated his intention to pursue this course. During the third quarter of 1987, a well-orchestrated public campaign turned public opinion violently against the scheme, and after a significant drafting flaw was brought to light (ironically by an ex-Deputy Secretary of the Attorney-General's Department), the Government withdrew the Bill.
Although they were introduced as a tactical manoeuvre to gain support for another proposal entirely, the data protection elements of the combined Privacy Bill and Australia Card Bill represented a serious attempt to implement data protection in Australia, and an earlier working paper (Clarke & Greenleaf 1987) undertook an analysis of them.
During 1988, as an alternative to the withdrawn Australia Card proposal, the Government set out to significantly enhance the Tax File Number scheme used by the Australian Tax Office. In order to buy the necessary support of the Senate, the Government introduced a Privacy Bill developed largely from the 1986 Bill, and accepted a number of amendments to it which were proposed by the Opposition. This resulted in the passage of the two Bills.
The subsequent developments have been so positive as to suggest that the Government is seeking to make the best of the course of events forced on it. The Bill was passed only in early December 1988, assented to in mid-December, and took effect on 1 January 1989. A Privacy Commissioner, with significant prior involvement with data protection issues, was appointed early in the New Year, and given a significant budget. After a prolonged period of neglect, information privacy has suddenly been addressed in a positive manner by Parliament and the Government alike. In May 1989, the Privacy Commissioner, by an amendment to the Crimes Act, was given powers relating to the disclosure of convictions which have been pardoned, quashed or spent. In June 1989, a Privacy Amendment Bill was introduced, to extend the Privacy Commissioner's ambit to include the consumer credit reporting industry.
The remainder of this paper assesses the Privacy Act 1988 against the framework provided by the OECD Guidelines, with mentions of the earlier ALRC proposals and the Privacy Bill 1986 where appropriate. It is not directly concerned with those provisions of the Act which relate to control of the Tax File Number.
Section 7 will consider each of the OECD Principles, assessing the manner and extent to which the Privacy Act 1988's Information Privacy Principles (IPPs) fulfil the OECD requirements. This preliminary section deals with the general framework within which those principles are intended to be applied, in particular what it is that is regulated, who is thereby to be protected, who is subject to regulation, and what exceptions are intended. Subsequent sections deal with two particularly important constraints on the proposals' effectiveness, and the proposed enforcement and regulation mechanisms.
The OECD considered restricting the scope of the Guidelines to only the public or only the private sector, but decided to cover both (G2,G5,EM44). The reason is not discussed, but it was presumably on the grounds that threats arise in both areas, and that, although somewhat different regulation may be required, the Guidelines are at a sufficient level of generalisation for the same general statement to apply to both.
The ALRC did not limit its recommendations to one sector; indeed, it came down firmly on the side of general applicability of the Principles [617, 1088-92, 1393]. However, it did anticipate that enforceability of the Principles would be undertaken in the public sector earlier and more commonly than in the private sector [1051,1239]. The ALRC's Draft Privacy Bill would have applied to the private sector in the minor Territories controlled by the Commonwealth and to records concerning residents of those Territories stored anywhere in Australia. It would therefore have had an impact on the record-keeping practices of the many large private sector organisations which use the same software to maintain data about customers and clients throughout the country.
Under the Privacy Act (ss.10(1),6(1)), most Commonwealth government agencies are record-keepers. A set of Information Privacy Principles is established by s.14. Its applicability is defined in s.16 by the statement that "an agency shall not do an act, or engage in a practice, that breaches an Information Privacy Principle". However, 'act or practice' is defined in s.7 to embody an extremely large and complicated set of exemptions, many of which exempt whole organisations, not just certain classes of the records with which they deal. In addition, the Privacy Commissioner's functions and powers (s.27) are limited to matters involving an 'interference with privacy', which is defined in s.13 to be 'acts or practices which breach an IPP'. The effect of this merry-go-round of definitions is that a large number of agencies are wholly or partly exempt from the Act. Moreover, such agencies are under no compulsion to consider in what ways the principles should be applied to their operations.
The Act does not apply directly to individuals acting as employees of an agency, and it is unclear whether a person's written notes or private notebook would be subject to the Act. If not, then the notes of a policeman, government doctor, social worker, journalist or other employed professional may not be subject to the Act.
The limitation of the Privacy Act to the public sector, and the exemption of a great many agencies in whole or in part, represent significant retreats from the OECD Guidelines, and the ALRC's Recommendations.
The Information Privacy Principles are not directly applicable to the private sector. It would not have been possible to provide the same degree of enforceability of the IPPs against private sector record-keepers, because the administrative law remedies which are to be used to force public sector agencies to comply are not available. Nonetheless, the IPPs could have been given some status within the private sector as a statutory standard, even though unenforceable.
However, there are four ways in which the Privacy Act influences the private sector:
The ALRC is consistent with the OECD's requirements, but the Act falls short in that it provides only limited data protection in the private sector. However there is some influence in the private sector, and the possibility of further extensions.
The OECD Guidelines use the notion of a 'data controller' (G1,14, EM40,62), who "should carry ultimate responsibility for activities concerned with the processing of personal data" (EM40), and is defined as "any person who, according to domestic law, is competent to decide about the contents and use of personal data" (G1). The definition is intended to exclude service bureaux and telecommunications carriers (who are mere agents), and also 'dependent users' who have little control over any aspect other than data use. It assumes that a single natural or legal person can reasonably be held responsible for all aspects of practices relating to a given piece of information; and also that that person is the one concerned with the data's processing. This is quite unrealistic. However, "nothing in the Guidelines prevents service bureaux personnel, 'dependent users' ... and others from being held accountable" (EM62). The term is used only in the Accountability Principle. Since it contains a compound criterion and could result in many data collections having no data controller, it is to be assumed that the explanation was intended for guidance, rather than as a serious attempt at authoritative definition.
The ALRC used the term 'record-keeper' for "a person who has possession or control of the record", where control includes "being in a position to obtain access to a record" [1199, cls.47, 49, our emphasis].
The Privacy Act 1988 adopts the ALRC wording, but splits the responsibility for compliance. IPPs 1 to 3 place obligations on the 'collector' of information, whereas IPPs 4 to 11 impose obligations on 'a record-keeper who has possession or control of a record that contains personal information'. 'Record-keeper' is also defined by s.10 (with some procedural qualifications relating to archives) as "an agency that is in possession or control of a record of personal information". The difference between 'a record that contains personal information' and 'a record of personal information' might be treated by the courts as being of significance, although it seems unlikely that the difference was intentional.
The 'possession or control' criterion introduced by the ALRC and retained by the Privacy Act creates a serious difficulty. It appears that this is an attempt to cope with circumstances in which:
Every organisation with 'control' of any part of the record, or possession of it, is responsible for the application of the IPPs to the record as a whole. But to partially ease that imposition, the Act then limits the obligations of an agency which "has possession but not control" of a record "to the extent only of the obligations or duties to which that agency is subject, otherwise than by virtue of the operation of this Act, because it is in possession of that particular record" (s.12). Depending on what the courts can make of that provision, it may ease the position of data centres, but agencies which have shared control of a record seem to be responsible for each other's compliance with IPPs 4-11. The definition is therefore a literal nonsense, and this, coupled with its legalism, would confuse both data subjects and record-keepers, and facilitate attempts by agencies to avoid responsibilities.
The combined effect of ss.10 and 12 is that a record-keeper is an organisation that has control of a record (whether or not it also has possession of it). However, different records within a database may be under the control of different organisations. Moreover, the various items which make up a record may be under the control of different organisations. Where the whole of a record is entirely under the control of one organisation, that organisation is the record-keeper. In all other circumstances, real doubts arise whether, for the purposes of the Privacy Act 1988, any record-keeper exists.
A further problem in the definition is that responsibility for compliance with the Storage and Security IPP (4) and the Disclosure IPP (11) would be more appropriately assigned to the organisation in possession of the data, whether or not that organisation also has control of the data.
The ALRC avoids a problem inherent in the OECD's approach, but in so doing creates a further problem. The Privacy Act 1988 is largely consistent with the ALRC's problematical approach, but is more complex and confusing.
Some national legislation restricts the scope of protection depending on the status of the data subject, in many cases seemingly accidentally. In particular:
The OECD Guidelines define 'data subject' as "an identified or identifiable individual" (implicitly only, see G1b), and other references (e.g. at EM33 and 41) are to 'individual' and 'physical persons' in an unqualified manner. It would appear therefore that the Guidelines avoid creating any unnecessary difficulties of this kind.
The ALRC used the term 'record-subject'. The Report concluded that rights should be "available to anyone in Australia", seeming not to notice that this is also a restriction. The Draft Privacy Bill, possibly by drafting accident, restricted the right somewhat differently, to persons who "ordinarily reside" in Australia [cls.45,46].
The Privacy Act 1988 defines 'individual' very openly as "a natural person" (s.6(1)). An exception is made in s.41(4), which precludes the Privacy Commissioner from investigating a breach of the Alteration IPP unless each of the persons concerned is either an Australian citizen or has rights of permanent residence. In the case of foreigners denied visas for reasons they suspect to be unfair, that seems an unfortunate constraint.
Both of the ALRC's two proposals fell somewhat short of those of the OECD, whereas, with one explicit exception, the Privacy Act 1988 appears to conform.
The OECD considered whether data protection should apply not only to natural persons, but also to groups or classes of natural persons including associations, and to legal personæ such as companies and trusts (EM19c, 31-33). This was decided in favour of natural persons only, on the basis that " ... individual integrity and privacy are in many respects particular and should not be treated in the same way as the integrity of a group of persons, or corporate security and confidentiality" (EM33).
The ALRC limited its recommendations to natural persons, referring the other matters to the recommended statutory guardian [27-9, 1404]. The Privacy Act 1988 applies only to natural persons, and so conforms with the OECD Guidelines.
The OECD considered whether there should be restrictions on the scope of coverage of data (EM19g, 41). Considerable difficulty appears to have been encountered in reaching consensus as to what types of data should be covered.
A central issue is whether the scheme deals with personal information, personal data, records of personal data, documents containing personal data, or personal data systems. Three issues require consideration:
The OECD Guidelines use a framework based on 'personal data', defined as "any information relating to an identified or identifiable individual (data subject)" (G1b). This is much less restrictive than the approach traditionally taken in Freedom Of Information statutes, which are generally restricted to 'documents'. However, the OECD Guidelines do not distinguish between data and information.
The ALRC's proposals related to 'records of personal information' [1196-98,1237, cls.45,46,48]. There is no evidence that the Commission appreciated the difference between 'information' and 'data', and the choice of word appears to have been arbitrary. Nor was there any explicit justification for restricting the scope to data stored in 'records', other than a desire to retain consistency with the Freedom of Information Act. There may have been an implicit assumption that only information which is reduced to the concrete form of a 'record' requires protection against misuse, or that data protection laws could not be effectively imposed on transactions which involved only transient communications and no potentially permanent records.
In the Privacy Act 1988, some provisions relate to 'personal information', but some only to 'records of personal information'. 'Personal information' means "information ... about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion", and 'individual' means "a natural person" (s.6(1)). The term 'information' appears to be used in the same general sense in which the OECD used the more appropriate term 'data'.
The term 'record' means "a document, a database (however kept), or a ... pictorial representation of a person", but excludes a generally available publication, museum and archive records, and articles in the course of transmission by post (s.6(1)). A separate amendment to the Acts Interpretation Act makes clear that 'record' now includes "information stored or recorded by means of a computer" (Crimes Legislation Amendment Act 1989). However, the Privacy Act definition of 'record' appears to create several difficulties:
Interestingly, the provisions relating to the Tax File Number (ss.17, 28) apply to tax file number information, not records. These provisions were drafted for the first time in 1988, and did not derive from the ALRC Report or the Privacy Bill 1986.
The Act is narrower in scope than the OECD Guidelines, because it refers to records. In endeavouring to be specific, and presumably thereby avoid certain operational difficulties, the legislative draftsman appears to have created many others.
The OECD considered restricting the scope of the Guidelines depending on whether they were (at least partly) automatic rather than entirely manual systems (G2,G3c,EM19b,34-38,41-43,45). They concluded that, "Above all, ... the principles are valid for the processing of data in general, irrespective of the particular technology employed" (EM37) and " ... the OECD Guidelines apply ... irrespective of the methods and machinery used in [the data] handling" (EM20).
The reasons canvassed for common treatment were that distinguishing between them is difficult; that many systems are partly automated and partly manual; that ongoing technological change means that many private systems are becoming automated in some sense; and that definitional problems would inevitably lead to excessively literal interpretation and the accidental creation of loopholes (EM35). The intuitively obvious explanation (that the unfair information practices from which people need protection are as much characteristic of manual as of automated systems) is not discussed.
However, making the Guidelines generally applicable would have created difficulties for countries such as France, Luxembourg and Austria (and subsequently the United Kingdom) who apply data protection only to data maintained in computer-based systems. The OECD therefore allowed that "some countries may find it appropriate to restrict the application of the Guidelines to ... automatic processing" (EM45). The Council of Europe went further, by restricting its Convention to 'any set of personal data processed in whole or in part by automatic means' (EEC, 1980, Arts.2,3).
The ALRC [118,589,1193,1413,1415] and the Privacy Act 1988 are not explicitly qualified, although some doubts are raised above as to the completeness of their coverage.
The OECD considered specifying restrictions based on the nature of the recording medium, but decided against them. Unnecessary confusion can be created by referring to 'computer-readable' media. Greater difficulties still may arise from an open-ended, technology-dependent definition like "information recorded in a form in which it can be processed by equipment operating automatically in response to instructions given for that purpose" (U.K. Data Protection Act 1984 s.2, our emphasis).
The ALRC's definitions of 'record' and 'document' contained no such qualification to the applicability of its proposals [1237, cls.8,48].
The Privacy Act definitions of 'record' and 'document' similarly contain no qualification, and include as one form of record "a database (however kept)" - s.6(1). It is unclear from the Act itself whether the term 'document' includes data transmitted and stored using electronic, magnetic or optical technologies. However, under the Acts Interpretation Act s.25, as amended in 1984, the term 'document' includes anything:
There is sufficient complexity in these definitions for imaginative counsel to become enthusiastic. However, in the absence of any evidence to the contrary, it seems reasonable to assume that the Privacy Act applies to records irrespective of the recording medium, and therefore appears to comply with the OECD recommendations.
The OECD Guidelines are intended to apply to data which is relatable to 'identified or identifiable individuals' (G1b,EM41).
The ALRC's Report reached a similar conclusion: "If the information can be easily combined with other known information, so that the person's identity becomes apparent, the information should be regarded as personal information" [1196-98]. However, a weakness was built in, probably by accident, by the Commission's legislative draftsman, because its Draft Privacy Bill referred to "a natural person whose identity is apparent, or can reasonably be ascertained, from the information or opinion" (cl.8, our emphasis). As a result of the last phrase, the literal meaning is that the identity must be apparent or ascertainable from the information itself, without reference to any other information. Hence it seems entirely feasible that a record identified by a code, and which therefore required a look-up of a code-table to tie the data to the identity, could be held not to be personal information. This weakness was carried forward into the 1986 Bill and the 1988 Act.
In addition, the ALRC's Draft Bill restricted personal information to "information or an opinion ... about an individual" (cl.8, our emphasis). A recording or transcript of a person speaking might not contain data about that person, yet it may impliedly reveal much about their affairs, and hence require data protection. It is unclear from the Act whether it will be interpreted as though it read 'about an individual or his affairs'. The deficiencies of the ALRC Principles in relation to such 'implicit information' are analysed in Greenleaf and Clarke (1984 and 1986). This potential weakness is carried forward into the 1986 Bill and the 1988 Act.
The Privacy Act 1988 is deficient in comparison with the OECD Guidelines in two respects, as a result of mistakes in the ALRC's Draft Bill.
The Privacy Act 1988 excludes from the definition of 'record' any library reference material, publicly accessible archives or 'generally available publication' (cl.6(1)). A 'generally available publication' is defined as "a magazine, book, newspaper or other publication that is or will be generally available to members of the public" (s.6(1)).
Australia has a less open tradition than, for example, Sweden, and it is unlikely that a great many data systems would be regarded as being in this category. However, some important and sensitive data collections might be held to be 'generally available publications', such as the electoral register (which is available for purchase); but possibly also births, deaths, marriages and driver licensing registers in the Territories, which are not purchasable in whole, but are publicly accessible; the telephone books, both those published by Telecom, and extracts from them; and publicly purchasable mailing lists (including those from Telecom). There may be good grounds for exempting some kinds of 'generally available publications' from some of the IPPs, but not from the data protection regime as a whole. For example, the electoral roll may reasonably be exempt from the disclosure principle, but surely not from the data quality or collection principles.
This exclusion in the Privacy Act 1988 appears to be a considerable qualification on the protections envisaged by the OECD Guidelines.
The OECD Guidelines apply to data which poses a danger to privacy and individual liberties (whether that danger is inherent in the data, or arises from the manner of its processing or the context in which it is used). This test is intended to exclude "data collections of an obviously innocent nature (e.g. personal notebooks)" (EM43). The term 'obvious', and the presumption that personal notebooks are necessarily innocent, seem rather naive. Perhaps it was the likely limited circulation that justified the example, and the desire for consensus that justified the general comment.
Consideration was also given to distinguishing sensitive and non-sensitive personal data (G3b,EM19a,50-51). The European approach tends to recognise some items of data as being by their very nature sensitive, whereas the U.S. privacy legislation reflects the view that sensitivity is dependent on context and use. The OECD concluded that "it is probably not possible to identify a set of data which are universally regarded as being sensitive" (EM19a).
The ALRC generally avoided the use of such a concept, although the term 'excessively personal' appeared as a test of data quality in the collection phase (Principle 3). The only reference in the Privacy Act 1988 is the requirement that "the collection of the information does not intrude to an unreasonable extent upon the personal affairs of the individual concerned" (IPP 3), but no guidance is provided as to what information collection might constitute an unreasonable intrusion.
The OECD considered the question of exceptions to the Principles, and concluded that they "should be as few as possible, and ... made known to the public" (G4,EM19g,EM46-7). This applies even to those relating to national sovereignty (e.g. relationships with foreign governments), national security (e.g. espionage and counter-espionage organisations) and 'ordre public', a very French phrase usually translated into English as 'public policy' (arguably as a polite euphemism for 'law and order'). The Explanatory Memorandum also contemplates additional heads, such as financial interests of the State. The extent to which international diplomacy can lead to empty statements is demonstrated by the wonderful remark that "To summarise, the Expert Group has assumed that exceptions will be limited to those which are necessary in a democratic society" (EM47).
Within the ALRC proposals, the only enforceable rights (those of subject access and correction) were subject to a wide variety of exceptions.
The Privacy Act adopts the extensive ALRC-recommended exceptions, and extends them. Exceptions constitute over 25% of the wording of the IPPs. For example, the limitation of use and disclosure to the original purposes is subject to not two controlled exceptions (as in the OECD Guidelines), but five, mostly uncontrolled exceptions. This section assesses the exemptions in the Privacy Act.
In order to maintain consistency with the Freedom of Information legislation, the Act adopts its many categories of exemption, and its long list of fully exempt and partially exempt government agencies (s.7(1)(a)(i), (c) and (2), and FOI Act Schedules 1 and 2). This represents a far greater leakage than is envisaged by the OECD Guidelines.
Moreover, the Act is phrased in such a way that not only is there no external control over exempt agencies, but there is also no requirement that exempt agencies observe the IPPs. It is unfortunate that all records of exempt agencies are exempt from privacy regulation, even though some of those records are of a class (such as basic personnel data) which would not be exempt if they were records of any ordinary agency. Further, while it is clear that the IPPs may need some degree of qualification before being applied to some agencies, or (more likely) some classes of records, it seems most unreasonable for them to be deemed by Parliament to be completely irrelevant. For example, some standards of data collection and data quality should surely apply; as should some constraints on use and disclosure (e.g. to which classes of organisation may personal information be disseminated, and under what circumstances).
British countries have long held very high regard for (their own) espionage and counter-espionage activities. The legal fraternity, convention-bound and slow to adapt, is likely to be the last to notice how outdated such reverence has become. The ALRC was precluded by its Terms of Reference from considering matters relating to national security or defence. Beyond expressing concern that "this may be precisely the area where additional protections ... are needed", the Report respected that exclusion [14,1418].
The Australian Parliament allows intelligence-related agencies to operate with a very large amount of delegated authority; but surely it should instruct them to establish and monitor standards of performance. Instead, national security agencies are fully protected from the rigours of privacy regulation through their exempt status within the FOI framework. The Attorney-General's Second Reading Speech claimed that privacy complaints "will be able to be dealt with by the Inspector-General of Intelligence and Security", but the Act does nothing to bind intelligence agencies to abide by the IPPs, nor does it contain any requirement that the Inspector-General take any notice of them, or consult with the Privacy Commissioner on such matters.
The Privacy Act provides exemption for "a record that has originated with, or has been received from" an intelligence agency, including the National Crime Authority (s.7(1), our emphasis). It is one thing for an intelligence report, as such, to be provided with such an exemption. But the words we have emphasised have the effect that any record whatsoever can be permanently removed from the individual's sight by passing the data to an intelligence agency for its consideration and return. Any material that an agency wishes to keep from a data subject can therefore be protected.
While it is unlikely in the present climate that government agencies would routinely abuse this provision, there can be little doubt that the opportunity would be taken in regard to particularly sensitive material, such as potentially defamatory material concerning a person's mental health, sexual preferences, associations or motivations; or information which reflected very badly on a politician, a senior public servant, or a public service practice. There is no control whereby the extent to which this provision is used itself becomes public knowledge, e.g. through annual reports. This provision complements the 'data laundering' technique which is discussed in section 8.2 below.
The Privacy Act excludes all non-administrative acts and practices of the courts, many acts and practices of Ministers, and all acts and practices of the National Crime Authority and Royal Commissions (s.7(1)). It is unclear what this is meant to entail, or what justification exists.
Reasonably enough, the Privacy Act limits the applicability of the collection principles to data collected after the commencement of the Act (s.15(1)). However the use and disclosure principles are subject to the same restriction, which means that Australia's adult population cannot anticipate the fully effective operation of the use and disclosure principles during their lifetime. These limitations do not appear in either the OECD Guidelines or the ALRC proposals. This compounds the serious weakness of the Privacy Act's Use and Disclosure Principles, discussed in section 7.4 below.
The Privacy Commissioner presides over a mechanism whereby more exemptions can be approved (ss.71-80). An agency may apply for a determination that "the public interest in the agency doing [an] act, or engaging in [a] practice ... outweighs to a substantial degree the public interest in adhering to [an] Information Privacy Principle" (s.72(b)). Thereafter that act or practice would be deemed not to be an interference with privacy. The Commissioner is empowered to make a decision in favour of the application, or dismiss it. He is not explicitly able to approve it subject to general or specific conditions (such as a Code of Conduct, sunset clause, reporting requirements, etc). There also appears to be no provision for him to review his determinations after a period of time, and vary or reverse his previous findings.
In considering applications, the Commissioner is to make them public, and may, at his discretion, consider submissions from any person who "has a real and substantial interest in the application". Under a restrictive interpretation this could mean that a person would have to be directly affected, rather than be an advocate or a public interest group. There are many aspects of the specified procedure which make it difficult for the public to oppose an application by an agency. As with many other aspects of the Act, interpretations are crucial to the effectiveness of the Act in protecting privacy, and the approach taken by the appointee, and the selection criteria applied by the Government in making appointments, will determine the success or failure of the legislation in protecting information privacy.
The ALRC discussed medical research matters, but did not recommend any special provisions. Had the Privacy Bill 1986 been passed, the National Health and Medical Research Council (NHMRC) would have enjoyed a very privileged position. Under the Privacy Act, it gained one special condition, in that the Privacy Commissioner has the power to approve guidelines issued by NHMRC for the protection of privacy in medical research (s.95). There is no explicit statement that such guidelines are to be consistent with the IPPs. A decision by the Commissioner not to approve such guidelines is reviewable by the Administrative Appeals Tribunal, but a decision to approve is not so reviewable. These provisions bias the process in favour of medical research and against information privacy.
The ALRC provided for a wider range of exemptions than does the OECD. The Privacy Act is much weaker still.
The right to be given reasons for adverse decisions was a matter of difficulty for the OECD (G13,EM60). IPP 7(c) makes clear that "an individual should have the right to be given reasons if a request [for access or correction] is denied". In a particularly bold move, "broadening of this right to include reasons for adverse decisions in general, based on the use of personal data, met with sympathy by the Expert Group. However, on final consideration a right of this kind was thought to be too broad for insertion in the privacy framework constituted by the Guidelines".
The ALRC rejected a general requirement as unnecessarily costly, but felt it to be "thoroughly desirable as a good administrative practice", and commended it for ongoing study by the statutory guardian. Consistently with the OECD, it also proposed that where a request for access or correction was not fully complied with, the reason should be given [cl.82].
The Privacy Act 1988 does not appear to require that an organisation give the individual reasons for any kind of adverse decision. This constrains the person's capacity to appeal to the respondent (required under s.41(1)(b) as a pre-requisite to a complaint), to complain to the Privacy Commissioner under s.36, to request alteration to a record under IPP 7, and to request the Privacy Commissioner under s.35 that a record be annotated. The Privacy Commissioner can, subject to some exceptions - ss.69-70, gain access to the reasons. However that will often not assist the appeal, complaint or request for alteration, because in cases in which the respondent is claiming an FOI exemption, the PC is precluded by s.34 from giving the person information about the contents, or even the existence, of a record. On the other hand, the Privacy Commissioner himself is required to give reasons for non-investigation of a complaint - s.52(2), and to give the reasons for a public interest determination - s.79(3).
The ALRC Report complied with the OECD requirements, but the Privacy Act 1988 does not.
On the questions of choice of jurisdiction and of law, the OECD reached no conclusions as to the basis whereby these issues might be resolved (EM19f,74). On the surface this is a remarkable failure for an international organisation. On the other hand, the OECD's efforts were directed at defusing a potential restraint of international flow of communications, and conflict avoidance was a higher priority than conflict resolution.
The ALRC stated it to be "extremely important that the principles of privacy protection be the same in both the Federal and the State jurisdictions" [1088,1393]. However, although the harmonisation of international laws and facilitation of transborder data flows were important, they were beyond the Commission's terms of reference [604-7,1089,1417].
In the Privacy Act 1988, there is no explicit reference to choice of laws and conflict of laws, and the Privacy Commissioner is not given the function of encouraging or negotiating with State Government agencies to facilitate harmonisation of laws.
This section is structured along the lines of the OECD Principles, and assesses the manner and extent to which the relevant Information Privacy Principles (IPPs) of the Privacy Act 1988 fulfil the OECD requirements. Reference is made to the ALRC Report and the Privacy Bill 1986 where appropriate.
The ALRC claimed that its Principles drew primarily on the OECD Guidelines. The Attorney-General, in his Second Reading Speeches introducing the 1986 and 1988 Bills, claimed that the IPPs were "based on the Principles recommended in [the ALRC's] draft legislation". One would therefore expect little difficulty in tracing the implementation of the OECD's Principles through into the Government's proposals. The following 12000 words will show such an expectation to be wrong.
The intention of the OECD Principles was to provide guidance. As a result, they were clipped and clear, and a mere 350 words long. The ALRC had similar intent, although a few more complexities crept in and the length was 450 words. The Privacy Act Principles (ss.14) require over 1500 words.
Because the IPPs in the Act are to have the force of law, the drafter has written them at a greater level of detail, and defensively. They contain a large number of qualifications (e.g. phrases containing the word 'reasonable' or 'practicable' occur a dozen times). Sentences and clauses specifying exceptions occupy over 400 words, more than the whole of the OECD Principles. The phrase 'a record-keeper who has possession or control of a record that contains personal information' occurs eight times, resulting in nearly 100 unnecessary words.
The ALRC Principles were structured differently from those of the OECD, and used a different sequence, terminology and style. The Privacy Act uses broadly the same structure as the ALRC, but departs significantly in content. An outline reconciliation of the three sets is shown in Exhibit 3.
The IPPs are central to the operation of the Privacy Act. "An agency shall not do an act, or engage in a practice, that breaches an Information Privacy Principle" (s.16). An act or practice which breaches an IPP is an interference with privacy (s.13), and the Privacy Commissioner is empowered to investigate it (ss.27(1) and 36-51), and make a determination (ss.52-53), which may include a declaration requiring the agency to provide redress or compensation to the complainant. The Commissioner may enforce such determination and declarations through the courts (ss.55-59 and 98). Others of the Commissioner's powers are also defined by reference to the IPPs (ss.27(1), 30-33 and 71-80).
The following sections deal with each of the OECD Principles in turn, considering the extent to which each has been implemented by the Privacy Act 1988.
| OECD Guidelines | ALRC Principles | Privacy Act 1988 |
|---|---|---|
| 1. Collection Limitation | 1. Collection | 1. Collection |
| | 3. Collection | 3. Solicitation |
| 2. Data Quality | 3. Collection | 3. Solicitation |
| | 6. Correction | 7. Alteration |
| | 7. Use | 8. Accuracy, &c |
| | 9. Use | 9. Relevance |
| 3. Purpose Specification | 2. Collection | 1. Collection |
| | | 2. Solicitation |
| | | 5. Information |
| 4. Use Limitation | 8. Use | 10. Use |
| | 10. Disclosure | 11. Disclosure |
| 5. Security Safeguards | 4. Storage | 4. Storage |
| 6. Openness | OMITTED | 5. Information |
| 7. Individual Participation | | |
| - Access | 5. Access | 6. Access |
| - Challenge | 6. Correction | 7. Alteration |
| 8. Accountability | elsewhere | elsewhere |
The Principles in the Privacy Act are almost identical to those which first appeared in the Privacy Bill 1986, with the exception of IPPs 10 and 11. Global changes were that the 1988 Act uses the form 'shall' where the 1986 Bill used 'should' (this was discussed by the media as a major concession by the Government to the Opposition team), and the phrase 'the individual concerned' was substituted for 'the information-subject'.
The OECD recognised that "there should be limits to the collection of personal data", but did not specify what they were. Presumably the Data Quality Principle considerations of relevance, accuracy, completeness and up-to-dateness were intended to be relevant.
ALRC Principle 3 nominated the same factors, but inverted the phrasing, e.g. from 'accurate' to 'not inaccurate'. It added requirements that information collected should not be 'excessively personal'; and that "personal information should not be collected unnecessarily".
The Privacy Act differs from the ALRC as follows:
The ALRC is largely consistent with the OECD Guidelines, whereas the Privacy Bill falls well short of the OECD requirements.
The OECD's direct prescription is inverted by the ALRC, and thence in the Act. The meaning of 'unfair' is not qualified by the 'purpose of collection', and its meaning will have to be interpreted by the courts. It is possible that actions bordering on duress might be deemed 'fair' by a court because the agency is performing a public duty. For example, an agency might threaten to withdraw benefits, or impose a discretionary charge, or schedule an inspection or an audit of the person's affairs. A multi-function agency might indicate to defaulters or miscreants in respect of one of their functions that their rights in respect of another function might be suspended pending the modification of their behaviour. Such 'cross-system enforcement' is discussed in Clarke (1988) as a major form of 'data surveillance'.
The OECD Guidelines fail to explicitly state the preference that data be collected from the data subject. The ALRC and the Privacy Act 1988 follow the OECD Guidelines in omitting this privacy protection.
The OECD requires the 'knowledge or consent of the data subject', with an open-ended and undiscussed qualification "where appropriate". ALRC Principle 2 contained a heavily qualified (and in many cases unnecessary and highly onerous) requirement that information be communicated to the 'record-subject'. No consent to collection was to be required.
The Privacy Act entirely omits reference to the 'knowledge or consent of the data subject' in the context of data collection. The Explanatory Memorandum to the Privacy Bill 1986 claimed that "the right of the information-subject to know about ... 3rd party-supplied information about him is catered for in IPPs 5 and 6 concerning information about records held by record-keepers and access to those records" (para.39). This is not only inadequate but also impractical: it obliges every information-subject who wishes to know who has information about him, to seek frequent access to every one of the scores of records about him in government agencies. Whereas OECD Principle 1 explicitly relates the subject's knowledge or consent to the collection of the data, the Privacy Act contains no element of consent, and restricts the right to know to a later time, and then only to those people who ask.
IPP2(c)-(e) specifies that the collector is to ensure that the person is "generally aware of" the purpose of, and authorisation for, collection, and of usual disclosure practices. Even in this minor concession to privacy rights, the Act shows a heavy bias in favour of government agencies, in that:
The OECD Collection Limitation Principle applies to personal data generally. So too did the ALRC proposals.
In the Privacy Act, the IPPs are limited to personal information which is collected "for inclusion in a record or in a generally available publication". There are many different circumstances in which data may be excluded because of this qualification. For example, data may be collected for immediate use, or for storage in some manner which is not a record (e.g. a professional's notebook). Literally it is irrelevant whether the data comes to be included in a record or in a generally available publication - it is only the intent at the time of collection which matters.
It is unclear why data should not, in all circumstances, be collected "for a lawful purpose"; not unnecessarily; in such a way that the person concerned is (at least) "generally aware of" its purpose etc; and subject to data integrity standards. The qualification has the effect of enabling agencies to ask irrelevant questions at will, free of any privacy constraints.
In comparison to the OECD requirements, the ALRC proposals are weak, and the Privacy Act proposals much weaker still.
Rather than the more conventional term 'data integrity', the OECD refers to 'data quality'. Reasonable though that expression is, the use of a term which bears an uncertain relationship to the underlying discipline risks difficulties in using expert information technology knowledge to interpret and apply the requirements.
The OECD Data Quality Principle is not constrained in time, but requires data quality to be maintained throughout the cycle of collection, storage, use and dissemination. It explicitly refers to relevance, accuracy, completeness and up-to-dateness as the heads of data quality. Although the OECD Principle contains no mention of destruction, the matter is discussed in the Explanatory Memorandum: " ... when data no longer serve a purpose, and if it is practicable, it may be necessary to have them destroyed (erased) or given an anonymous form. The reason is that control over data may be lost when data are no longer of interest; this may lead to risks of theft, unauthorised copying or the like" (EM54).
The main elements of data quality or integrity are:
Data quality is a factor throughout the cycle of data collection, processing, storage, processing, internal use, external disclosure and on into further data systems. Data quality is not an absolute concept, but is relative to the particular use to which it is to be put. Data quality is also not a static concept, because data can decay in storage, as it becomes outdated, and loses its context. Organisations therefore need to take positive measures at all stages of data processing, to ensure the quality of their data. Their primary motivation for this is not to serve the privacy interests of the people concerned, but to ensure that their own decision-making is based on data of adequate quality. There are, however, many circumstances in which the two interests coincide quite closely.
The ALRC approach was piecemeal and incomplete, depending on Principles 3, 6, 7, 9 and 10. They therefore failed to clearly impose on the data-keeper a responsibility to maintain data in an accurate, complete and up-to-date condition. The draftsman may have failed to appreciate that data 'decays' in storage, as a result of subsequent events, and of changes in context and social values. In the IPPs, the 'data quality' notion is also scattered widely.
In IPP3, the criterion of accuracy has been omitted at the point of collection. This may have been an oversight, due to the enormous complexity of the drafting. Credence is lent to that assumption by the phrasing of IPP8, in which accuracy is treated as being dependent on purpose. The error is serious, because a collector could infer that data can be collected without concern for its accuracy. There is no doubt that a 'reasonableness' qualification is justified, to avoid philosophical debates about the meaning of 'accuracy', but such a qualification already exists.
In IPP3, the 'not misleading' quality criterion is missing. Sometimes this matters, for example in the case of an empty field, which may result in a judgement being made adverse to the data subject's interests, when all it really means is that the data is unavailable or the field is irrelevant to that particular person.
In addition, IPPs1-3 introduce the new notion of 'solicitation'. This has the effect of restricting data quality controls only to those circumstances where data is actively sought by the record-keeper. In IPP3, if data is unsolicited, then there are no requirements at all regarding data quality at the point of collection! This is so important that a separate section is devoted to it (section 8.2 below).
In addition, in IPP3, data which is collected other than "for inclusion in a record or a generally available publication" is subject to no quality controls whatsoever.
IPP4 fails to require that data be maintained in an accurate, up-to-date, complete and not misleading form. However, IPP 7 (Alteration) does impose a requirement to maintain data quality. The requirement exists at all times, and not just when the data subject challenges its quality, or requests alteration. Unfortunately, in IPP7, accuracy is incorrectly treated as though it were an absolute concept, independent of the data's purpose.
IPPs 8 and 9 require a record-keeper to use data only for relevant purposes, and to take steps before using it to ensure that it is of sufficient quality. In IPPs 8 and 9, the criterion of 'not misleadingness' is omitted.
Consistently with the ALRC wording, where data is disseminated to a third-party decision-maker, the record-keeper is under no obligation to ensure data quality. In the ALRC wording the matter did not appear to be serious, because any user was required to ensure the quality of data that he used. However, IPPs 8 and 9 fail to impose data quality constraints on all users, since they refer explicitly to record-keepers. As a result, third parties who receive and use data without storing it, are under no obligation to ensure its quality and relevance! Nor are third parties who pass the data on to further organisations under any obligation to ensure its quality, unless they first include it in a record or a generally available publication. There is clearly a need for data quality, not only in relation to use by the record-keeper, but also by anyone else. The intention is easily inferred from the OECD's wording, but apparently it should have been explicit.
The OECD's failure to explicitly require destruction of data after it ceases to be relevant is reflected in both the ALRC's proposals and the Privacy Act, although some limited right of expungement may arise from the right to seek alteration of records under Privacy Act IPP 7. The permanence of destruction brings the privacy interest into clear conflict with the interests of historians in archival. However, a watchdog agency should have the specific responsibility of considering the circumstances under which some classes of information should be destroyed when their relevance expires. It is unclear whether the question of destruction lies within the Privacy Commissioner's purview.
The ALRC inadequately implements the OECD requirements, and the Privacy Act IPPs are much, and very seriously, weaker.
OECD Principles 3 and 4 contain a clumsy piece of drafting. For OECD 3 to correspond to its title, the second half, commencing "and the subsequent use limited ..." should have been moved into OECD 4. This paper treats OECD 3 and 4 as if they were worded that way.
ALRC replaced the words "should be specified" with "ensure that the record-subject is told". Interpreted literally, this has the effect of requiring a communication even when none is needed. It is probable that the OECD intended only that the purposes be 'specified in writing' (such that they could be communicated on any future occasion when they became an issue) rather than being necessarily 'specified to the data subject' (EM54). The impact of this excessive requirement is then mitigated by the clause "unless that purpose is obvious". Such 'obvious' (and therefore unspecified) purposes represent a loophole of the same kind, if not the same magnitude, as the infamous 'routine uses' provision of the U.S. Privacy Act 1974.
The ALRC added the requirements that the data-subject be told of the existence of any authority for collection (although not, literally, what that authority is, nor why it exists), and of the usual practices with respect to disclosure. These requirements were not mitigated by any qualifying clause, and were therefore to be enforced communications.
The OECD wording was weakened by the ALRC in the following ways:
However, as with the OECD formulation, the ALRC requirements applied to all data collected, whether from the data-subject himself or otherwise.
In one limited sense, the Privacy Act improves on both the OECD and ALRC, by referring to "a lawful purpose directly related to a function or activity of the collector" (although 'record-keeper' would seem more appropriate than 'collector'). It retains the ALRC requirement to notify the information-subject of any legal authority, and (in a weakened form) of usual disclosure practices. However, these protections are restricted to information solicited from the information-subject.
Moreover, the Privacy Act retains the weaknesses introduced by the ALRC, and adds some very significant weaknesses and qualifications of its own:
The OECD's Purpose Specification Principle is somewhat misunderstood by the ALRC, and positively butchered by the Privacy Act proposals.
This section treats OECD Principle 4 as though it included the second part of OECD Principle 3. The ALRC and the Privacy Act also follow this more logical structure.
The OECD envisages two primary circumstances of use, plus two exceptional circumstances dealt with in the next sub-section. The two primary circumstances are:
ALRC 8 and 9 (Use and Disclosure) fell short of the OECD requirements, and IPPs 10 and 11 followed them. As a result, the Privacy Act is deficient in that:
There appears to be no discussion of the reasons why the ALRC wandered so far from the OECD requirements. It may be that the Commission had doubts about the practicability and cost-effectiveness of the proposal. On the other hand, given the tortuous manner in which the various OECD proposals have been incorporated, some of the points may just have got lost. The matter is a serious one, since the requirement that "new purposes should not be introduced arbitrarily" (EM54) was not fulfilled by the ALRC Principles.
Having adopted these ALRC-induced weaknesses, the Privacy Bill 1986 went much further, with a number of additional, and quite remarkable, departures. Most of these survived into the Privacy Act, to become law.
The first was that the purpose limitation was only to be applicable to information that was solicited from an information-subject. This enormous weakness did not survive into the Privacy Act 1988, although a related weakness did (see later). The second is discussed in the next sub-section.
The third issue was that IPPs 10 and 11 applied not to all users, but only to record-keepers. The ALRC's failure to control disclosure according to purpose did not relieve a third-party user of his obligation to relate his use to an acceptable purpose; but the Privacy Bill 1986 would have entirely relieved third-party users of justifying their use of personal information according to its purposes. IPP 11 in the Privacy Act 1988 contains an additional clause 11.3, which precludes a recipient from using information disclosed to it for any purpose other than the reason for which it was given. This is an improvement, but it is far from the complete protection regime implied by the OECD Guidelines. Data may be disclosed for any reason, irrespective of whether or not it is related to the original purpose. Indeed, if the recipient places the information on a record of personal information, it is then subject to IPPs 10 and 11, which enables its use and disclosure for any additional purpose (and so on ad infinitum). IPP11.3 therefore appears to be basically empty of any privacy-protective content, but provides a loophole for subversion of the Act's supposed intentions. This is clearly an enormous shortfall from the OECD Guidelines.
Moreover, unless he first places the information in a record-system, and thereby becomes a record-keeper for the purposes of the Act, a recipient is not under any obligation to ensure data quality (e.g. that the information is accurate - since IPP 8 does not apply), nor to ensure that it is relevant to the purpose (since IPP 9 does not apply).
Some of the weaknesses introduced by both the ALRC and the 1986 Bill found their way into the 1988 Act, and caused it to fall far short of OECD requirements.
The OECD envisages exceptional use of data being restricted to two circumstances:
ALRC 8 (Use) changed the OECD wording in that it:
In the Privacy Bill 1986, four additional circumstances were created under which data may be used or disseminated, and three of these survived into the 1988 Act. The following sub-sections identify and discuss the various exceptions.
IPPs10.1(a) and 11.1(b) (like OECD4(a)) are silent about whether consent needs to be informed and/or voluntary, and whether consent is effective if obtained under duress, or in a position of unequal bargaining power between the parties. They imply that consent cannot be obtained retrospectively.
It is unclear why the OECD's straightforward phrase "by the authority of law" needs to be replaced by the Act's "required or authorised by or under law".
IPPs10.2 and 11.2 require notation in the record in the event of use or disclosure for law enforcement and related reasons under IPPs10.1(d) and 11.1(e). However there is no such requirement in the case of use or disclosure for emergency reasons.
The ALRC Report contained no such exception. It was introduced in the Privacy Bill 1986. IPPs 10.1(d) and 11.1(e) provide a blanket authorisation for use and disclosure for any purpose "reasonably necessary for enforcement of the criminal law". It may be that the Government felt that law enforcement would be unreasonably restrained without such an exemption. If so, it must be because law enforcement agencies are in the habit of gaining access to personal information without legal authority. It is quite clear that search warrants, subpoenas and the exercise of Ministerial discretions would be covered by the 'required or authorised by or under law' exception.
All agencies are now explicitly authorised to provide any data to any organisation, provided it appears to be related to a criminal matter. In 1987, a furore arose over the so-called McGoldrick case, which involved unauthorised disclosure by the Health Insurance Commission of the names and addresses of young women who had had abortions by a particular doctor. The Privacy Act, passed by Parliament as a privacy-protective measure, has explicitly authorised such disclosures.
The ALRC Report contained no such exception. It was introduced in the Privacy Bill 1986. IPPs 10.1(d) and 11.1(e) allow use and disclosure, irrespective of the system purpose, for any purposes "reasonably necessary for enforcement of ... a law imposing a pecuniary penalty". This 'pecuniary penalty' criterion would appear to include not only significant offences, but also very minor matters, such as parking fines, penalties for late submission of tax returns, failure to vote in an election, failure to return library books on time, and failure to complete an obligatory statistical return. There is no constraint on this use, such as a requirement to balance the degree of privacy invasion against the importance of administering the particular law. A nominally privacy-protective Act has therefore been subverted to provide approval for personal information to be passed beyond the government agencies which collected it, in any circumstances which involve, or can be reasonably argued to involve, a misdemeanour.
The ALRC Report contained no such exception. It was introduced in the Privacy Bill 1986. IPPs 10.1(d) and 11.1(e) allow use and disclosure, irrespective of the data's purpose, wherever it is "reasonably necessary ... for the protection of the public revenue". Once again, there is no test whereby the gravity of the public revenue matter needs to be weighed against the privacy-invasiveness of the use or disclosure.
All personal data held by all agencies is freely available, including that relating to health, financial, and educational matters. The Tax Office's major Act includes explicit limitations on the passing of tax-related personal data (s.16). These long-standing protections have been rendered redundant by a sub-clause of a nominally privacy-protective Act. The scope of the 'protection of the public revenue' exception is so vague that virtually any use and disclosure of virtually any personal data by virtually any government agency could be justified under it! It is precisely this kind of very low valuation of personal privacy that the Act is supposed to be correcting!
The blanket approvals for trafficking in personal data contained in IPPs 10.1(d) and 11.1(e) may prove in time to do more harm to personal privacy in Australia than the benefits which will arise from all other features of the Act.
The fourth additional circumstance created in the Privacy Bill 1986 was to allow use and disclosure, irrespective of the system purpose, for any purpose "necessary or desirable for medical research". This exception represented a lone recognition of the self-regulation approach to information privacy. It was remarkable because:
This clause did not survive into the 1988 Act. Instead, under s.95, the NHMRC may "issue guidelines for the protection of privacy in the conduct of medical research", but only "with the approval of the [Privacy] Commissioner", and the Commissioner must take account of the IPPs in approving the guidelines. Hence this special case is now dealt with appropriately, by providing means for it to be "required or authorised by or under law", rather than by acceding to the claims of a powerful lobby-group for a general exemption.
IPP2(e) was a new sub-clause in the Privacy Act 1988. It contemplates disclosures not on the basis of relationship to original purpose of collection, but on the basis of 'usual practice'. IPP11.1(a) provides the corresponding power to disclose data which is 'usually passed'. This means that all existing practices whereby agencies collect data for one purpose and disclose for another, are explicitly authorised by law. This represents a major decrease in information privacy, introduced under the guise of a privacy protection statute.
The fact that these practices will become more visible due to (in some cases only) disclosure under this IPP, and in all cases declaration under IPP5.3(e), does not compensate for the loss of privacy, because each of the large number of such disclosures has to be investigated, reported on, and lobbied about for long periods, before legislation precluding them would be passed.
IPP2(e) clearly contemplates that a collector may disclose personal data to a third party without any knowledge of or concern for that party's subsequent use of the data. IPP 11.3 does not make the disclosing agency responsible for the recipient's actions, but it does restrict the use of that data to the purpose for which it was disclosed. IPPs2(e) and 11.3 are therefore to some extent in conflict.
A contribution to privacy rights relating to disclosure is made by a refinement to the Freedom of Information Act 1982, which implements what is commonly called 'reverse FOI'. Where access is sought by anyone to a document which contains information relating to the personal affairs of a particular person, reasonable efforts are to be made to contact that person in order to give them the opportunity to make a submission supporting the contention that the document is an exempt document under s.41 of the FOI Act (s.101 and Schedule 1, inserting s.27A in the principal Act).
The Privacy Act 1988 also makes a change to the law of confidence, such that, where a person is obliged by that law not to disclose personal information, the obligation is transmitted to any person who subsequently receives that information (ss.89-95).
The OECD Guidelines fail to require that procedures should be specified in such a way as to ensure:
The ALRC Report and the Privacy Act are also silent on these important matters.
The OECD Guidelines are inherently weak, in that they fail to control the purposes of personal data systems (see section 8.1). The ALRC proposals fall well short of the OECD Guidelines, and the Privacy Act embodies further shortfalls from the standards set by the OECD. The effect of the Privacy Act's deficiencies is so great as to undermine the purpose of information privacy legislation.
The OECD provides a list of explicit dangers against which personal data is to be safeguarded.
The ALRC differed in the following ways:
Perhaps the ALRC intended that such difficulties would be overcome by the proposed power of the Human Rights Commission to initiate security regulations [1399,1402, cl.115].
IPP4 adopts the style of the ALRC, but returns to the OECD approach of enumerating the risks to be safeguarded against. However there are three changes:
The ALRC proposal falls short of the OECD requirements. The Privacy Act makes good some of the ALRC-induced deficiencies, but creates additional weaknesses.
The Openness, or Public Participation, Principle was considered by the OECD "as a prerequisite for the Individual Participation Principle" (EM57). Its function is to provide information to both existing and potential data-subjects of record systems such that, if they consider features of them to be undesirable or dangerous, they can seek, through the appropriate legal or (more likely) political channels, to have controls imposed. The OECD Principle requires openness about the existence and nature of data, and the manner in which it is processed and used. It contains a surprising (and perhaps accidental) qualification whereby only the 'main' purposes need to be disclosed. Given the ability of data controllers to specify changes of purpose (under Principle 3), this qualification creates an unfortunate loophole.
Amazingly, the ALRC entirely omitted this Principle! Nor did it provide any explanation for omitting it [the relevant passages are at 602-3,1195,1253-55,1281 and 1399]. It may be that the Commission felt that the existing Freedom of Information legislation already fulfilled that requirement. If so, the Commission erred on the counts that:
Alternatively it is possible that the Commission judged the content of the OECD Principle to be procedural rather than substantive. This is tenable in relation to the latter parts of OECD 6 ("means of establishing the existence, nature and main purposes of data, and the identity and residence of the data controller"). However, it certainly is not tenable in relation to the first part, which requires a "general policy of openness about developments, practices and policies with respect to personal data". For a fuller discussion, see Greenleaf and Clarke (1986).
The Explanatory Memoranda to both the 1986 Bill and the 1988 Act stated that IPP 5 "is intended to give effect to the 'openness principle' that is found in the OECD Guidelines" (paras. 44 and 66 respectively), but this claim is exaggerated. It is certainly true that the Privacy Act is limited to federal government agencies, and that the Commonwealth Freedom of Information Act 1982 (in particular ss.8 and 9) has already achieved some improvement in their degree of openness. But what that Act created was a (heavily qualified) right of access to documents, which is a poor surrogate for requiring agencies to answer reasonable questions from members of the public, which is the direct implication of the OECD's phrase 'general policy of openness'.
Privacy Act IPP 5 does enable any person to ascertain the nature of information held about him, and the main purposes for which it is used. However, it is qualified by 'reasonable in the circumstances', and it is subject to any subsequent or existing right of the agency to refuse access, which ensures that the wide range of existing FOI exemptions remain in place. The Act depends on the FOI provisions to satisfy the OECD requirement of openness concerning developments, practices, policies, the existence of data, and the identity and location of the data controller. However, unlike both the OECD and ALRC, the Privacy Act does explicitly require that the procedure for an individual to gain access should be readily knowable.
The Privacy Act 1988 contains two clauses, 5.3 and 5.4, which did not appear in the 1986 Bill. They specify procedural detail as to the manner in which record-keepers are to comply with the obligations created by clause 5.1. This is an echo of the 'public register' provisions of the U.S. Privacy Act 1974 (which have been a bureaucratic measure of almost no value whatsoever in protecting privacy), and of the registry function established by the U.K. Data Protection Act 1984 (which consumes some 80% of the Data Protection Registrar's resources, to very limited effect). As a result of these two clauses, agencies have no obligation to provide an up-to-date answer to an enquirer, since they can point to their most recent version of a bland record and rightly claim that they have complied with the Privacy Act. Moreover IPP5.3 and 5.4 deny the Privacy Commissioner any powers to determine what is a reasonable approach in any particular circumstance. It would have been more administratively effective to have left such matters of detail to regulation.
Weaknesses are apparent from even a cursory reading of the clauses:
The addition of IPPs 5.3 and 5.4 has therefore seriously weakened the effect of the IPP as a whole.
The ALRC fails to adopt the OECD Openness Principle. The Privacy Act implements part of it, and depends on the Commonwealth FOI Act as a surrogate for the remainder. The effect is far less than that required by the OECD Guidelines.
The OECD Guidelines explicitly require that the data subject be able to know whether data exists, irrespective of whether or not he has access to it. This is important, because, where access is refused, the data subject needs sufficient information to be able to exercise his appeal rights.
The ALRC, because it failed to include the Openness Principle, omitted the requirement that an individual be able to obtain confirmation or denial of the existence of data about himself. In the Privacy Bill 1986, Principle 5 was to implement the OECD confirmation requirement. However the Privacy Act 1988 is different from the 1986 Bill in that the words "in relation to the person" were removed from the end of clause 5.1(a). The effect is that Principle 5 no longer enables a person to find out whether or not a record-keeper has any information about him - it is only the means of ascertaining general information about the nature and purpose of the data system, and the procedures for gaining access to data about himself (if any). As a result, the Privacy Act fails to implement OECD Principle 7(a). There is simply no requirement under the Act that a record-keeper confirm or deny whether it holds any data about any particular person.
Moreover, in respect of FOI exempt records, s.34 of the Act positively precludes the Privacy Commissioner from giving a person information as to the existence or non-existence of information.
The Privacy Act fails to implement the OECD requirements.
"The right of individuals to access and challenge personal data is generally regarded as perhaps the most important privacy protection safeguard. ... [T]he Expert Group ... has chosen to express it in clear and fairly specific language" (EM58).
The ALRC significantly weakened the OECD formulation by requiring that the personal information be contained in a record, rather than merely being data.
IPP 6 of the Privacy Act 1988 adds a qualification, to save any existing power whereby an agency must or may refuse to provide access. Making exemptions from the right of access under the Privacy Bill parallel those of FOI is administratively convenient, but it appears to severely limit the strength of the IPP. However it may be less likely to cause injustice than at first appears, because Administrative Appeals Tribunal and Federal Court decisions have tended to recognise that individuals have a greater interest in obtaining information about themselves than in obtaining other information, with the result that some exemptions have been construed more narrowly when personal information is involved.
The combination of the Act's failure to implement the OECD Principle 7(a) requirement concerning confirmation, together with the denial of access to FOI exempt records, means that, where information exists which a data-subject is denied access to, he is also denied the right to know of its existence.
IPP 6 is supplemented by two small amendments to the existing subject access rights under the Freedom of Information Act, to implement 'reverse FOI', and slightly broaden the law of confidence. See also Clarke (1985) and Greenleaf and Clarke (1986).
The Privacy Act falls short of the OECD requirements.
The OECD prescribes not only that data subjects are to have access to data about themselves, but also sets standards as to the manner in which that access is to be provided - 7(b). The Privacy Act is silent on this matter, and the meaning of the Act hinges on the interpretation of the term 'access'. It is certainly the case that some flexibility is needed. Access procedures need to be different for records stored in manilla folders, hard-copy printouts and screen-displays. In some circumstances an intermediary is advisable, e.g. where the data contains technical jargon, where proper interpretation is dependent on an understanding of the context, and where the contents may be injurious to the person's state of mind. However it is likely that the intention would have been better served by establishing some general standards relating to the access mechanism (e.g. "under reasonable conditions"), rather than providing no guidance at all.
In addition, the OECD specifies that reasons for denials are to be given - 7(c). The Privacy Act entirely omits this requirement. Unless reasons are given, then the person's capacity is seriously constrained:
The Privacy Commissioner can (subject to some exceptions - ss.69-70) gain access to the reasons. However that will in many cases not assist the appeal, complaint or request for alteration, because in cases in which the respondent is claiming an FOI exemption, the Privacy Commissioner is precluded under s.34 from giving the person information about the contents, or even the existence, of the record. It is noteworthy that the Commissioner must himself give reasons for non-investigation of a complaint (s.48); to state findings of fact on which a complaint determination is based (s.52(2)); and to give the reasons for a public interest determination (s.79(3)).
The Privacy Act fails to comply with the OECD Guidelines.
OECD Principle 7 expressly provided for challenge by the individual of the data held, but leaves open the basis whereby a challenge would be judged.
ALRC Principle 6 omitted the concept of 'challenge', implying that the record-keeper was to have a responsibility to ensure data quality, in all circumstances and not just when a data subject instigates a challenge. This approach appears to set a higher standard than that of the OECD (and therefore to represent an implied criticism of the OECD Guidelines). The ALRC Principle used the term 'correction', although the Report used the gentler term 'amendment' [1278-80,1383].
A further difference is that whereas OECD Principle 7 lists the actions which might be taken to amend personal data, ALRC Principle 6 listed the heads of data quality which should be maintained by, where necessary, 'correcting' the data. This aspect of the ALRC's proposal was only as broad as the OECD's if a very liberal interpretation were made of the nature of 'correction'.
ALRC Principle 6 treated 'accuracy' as an absolute concept (argued earlier to be inappropriate), whereas whether data is 'misleading, out of date, incomplete or irrelevant' was to be assessed in the light of the 'purpose of collection or a purpose that is incidental to or connected with that purpose'. This wording clearly (although possibly accidentally) excluded from the subject correction capability, poor quality data which was used for any other purpose (i.e. under the consent, emergency and legal authority exceptions of ALRC Principles 8 and 10). It is of course essential that data quality be judged against the particular circumstances in which it is used.
The Privacy Act goes beyond merely avoiding the confrontationist concept of 'challenge', in that it replaces the pejorative terms 'erasure', 'rectification' and 'correction' by the non-judgmental word 'alteration'. This seems to be a highly desirable improvement to both the OECD and ALRC proposals, since many disputes are at heart matters of opinion rather than fact.
However, IPP7 contains some additional qualifications, several of which are very significant:
As outlined in the previous section, the Privacy Act qualifies access rights. The additional concern therefore arises as to whether the alteration right extends to records which are exempt from access. The inability of the data-subject to know the content of a record should not diminish the entitlement to ensure that its content is relevant, accurate, complete and up-to-date. If anything, the denial of access makes the alteration right even more important, because records which are exempt from access are more likely than not to be records which have great potential to adversely affect the interests of the person concerned (e.g. national security and law enforcement records). In such cases, the person's interests in data quality may be of compelling importance. Naturally, such an alteration right has to involve an intermediary, preferably one who enjoys the confidence of both parties.
In the Privacy Act, the right to amend an exempt document depends on s.35. The Privacy Commissioner has certain powers if a person is refused access to an exempt document, has nonetheless requested the agency to amend the document, and has complained to the Privacy Commissioner about the agency's refusal or failure to do so. A fundamental problem with this mechanism is that the agency is within its rights to refuse to confirm or deny the existence of any such document. If the agency exercises that right (and, as a matter of policy, most do), then the person never receives a refusal, and has no basis on which he can show there has been a failure.
If a person ever manages to navigate his way through that procedure, the Privacy Commissioner can act as an intermediary and inspect exempt records on a person's behalf. S.35(1)(f) implies that the Commissioner can make a recommendation under s.30(3) to "the Minister" about the act or practice involved (it is unclear whether this means his own Minister, currently the Attorney-General, or the Minister responsible for the agency involved), and ultimately direct the agency to "add to the document an appropriate annotation". However there are serious doubts about whether this provision is effective. S.30(3) recommendations appear to be applicable only to an act or practice investigated by the Commissioner "without a complaint having been made under s.36" (s.30(1)). Since s.35 is only applicable where the person has made a complaint to the Commissioner (s.35(1)(e)), the two clauses are in conflict, and would presumably nullify one another. In any case, there appears to be no sanction against an agency which ignores the Commissioner's direction.
The ALRC falls well short of the OECD requirements, and the Privacy Act provisions, with a few specific exceptions, are still weaker.
There was no ALRC Principle corresponding to OECD 8 because the OECD 'Principle' is procedural, representing an exhortation to law reformers to sheet home responsibilities to identifiable individuals.
The ALRC responded by phrasing its Principles 2, 3, 4, 6, 9 and 10 in the active voice. Those Principles applied not to the 'record-keeper', but without limitation to 'a person'. On the other hand, Principles 1, 7 and 8 were phrased in the passive voice, and so were not to be explicitly imposed on anyone, and Principle 5's dubious syntax (in that the subordinate clause was in the active voice using the term 'a person', but the principal clause, "the record-subject should be entitled to have access to those records", was in the passive voice) may have made it difficult to assign responsibility for granting access. Note, however, that only Principles 5 and 6 were designed to be enforceable, with the remainder intended as a parliamentary statement of principle, and as the means of defining 'interferences with privacy' which were to fall within the purview of the statutory watchdog.
The IPPs are generally explicit as to who is responsible, referring variously to 'the collector' (IPPs 1-3) and 'the record-keeper' (IPPs 4-11). The term 'collector' is defined (in obvious fashion) in s.9, subject to some procedural sub-clauses. The term 'record-keeper' is defined in ss.10 and 12, although as noted earlier there is a subtly different, competing definition which appears in each of the relevant IPPs.
As discussed in section 6.1 above, where the whole of a record is entirely under the control of one agency, that agency is unequivocally the record-keeper, but in all other cases, real doubt arises as to whether, for the purposes of the Privacy Act, a record-keeper exists. Nor does it appear that this deficiency can be overcome by interpreting the terms in the Act in a convenient manner.
In addition, there are weaknesses in the law as it relates to data held on behalf of an agency by another organisation. For example, the agency does not have full responsibility for the acts of the agent, and the Privacy Commissioner's powers of entry and inspection are far less than they would be if the information were held on the agency's own premises (s.68).
The effect is that the Privacy Act fails to adequately implement the OECD Principle.
There are two further respects in which the Act does not provide effective protection for information privacy. They are of sufficiently general and sufficiently serious concern, that they are dealt with in this separate section.
Rule et al (1980) claim that the 'official response' of Governments to the public demand for data protection regulation has been dominated by what they call the 'efficiency criterion':
In [the conventional] view, the drawbacks of surveillance systems are not inherent in their nature, but lie in their failure to work 'correctly'. And 'correctly' in this context means 'efficiently' from the standpoint of the long-term interests of the organisation. (p. 69)
By this ['efficiency'] criterion, surveillance is considered acceptable provided that four conditions are met: first, that personal data are kept accurate, complete and up-to-date; second, that openly promulgated rules of 'due process' govern the workings of data systems, including the decision-making based on the data; third, that organisations collect and use personal data only as necessary to attain 'legitimate' organisational goals; fourth, that the people described in data files have the right to monitor and contest adherence to those principles. By these criteria, organisations can claim to protect the privacy of those with whom they deal, even as they demand more and more data from them and accumulate ever more power over their lives. From the standpoint of surveillance organisations, this is a most opportune interpretation of 'privacy protection' (p. 71, our emphasis).
The effectiveness of data protection principles is heavily dependent on the purposes for which the personal data are maintained. If data protection is to be effective, these purposes need to be decided taking into account not just the interests of the data-keeper, but also those of the individual, and society as a whole. This means that, in addition to internal, 'efficiency' criteria, external or 'political' criteria are needed.
Yet neither the OECD, the ALRC Guidelines nor the Privacy Act 1988 provide for either oversight of the purposes of personal data systems, or for disallowance of purposes. Indeed, as Rule observes, such a provision is uncommon (see, however, NSWPC 1977, whose Guidelines are not legally enforceable, and, with qualifications, the Swedish Data Act 1973). As a result of this lack of oversight, organisations can define for themselves their 'functions or activities', and the purposes of their data, subject only to the very remote constraint of not acting outside the law or ultra vires (Greenleaf and Clarke 1986). The failure of the U.S. Privacy Act can be traced back to the token nature of control over uses.
Four of the IPPs are qualified by the phrase 'having regard to the purpose for which the information was collected' (IPPs 3, 7, 8 and 10). Other mentions of the term 'purpose' occur in IPPs 1.1, 2(c), 5.1(b)(ii), 5.3(b), 9 and 11.3. There are potentially significant discrepancies in the terms used. Of particular importance is the need to distinguish between 'purpose', 'main purpose', 'related purpose' and 'purpose of disclosure'.
These purposes are established by the record-keeper, and there is no control on them other than that they be lawful (i.e. not unlawful). In addition, there is nothing to prevent so broad a definition of purpose that virtually any data is 'relevant'. For example, the creation of one central bureau for the purpose of gaining a complete picture of a person's socio-economic history and status, e.g. by pooling financial, tenancy, employment, education, medical, insurance and criminal data, is not contrary to the IPPs.
In any case, the Act fails to constrain disclosures to these purposes, since IPPs 2(e), 11.1(a) and 11.3 authorise disclosure in accordance with the 'usual practices' of the collector and record-keeper.
The OECD, ALRC and Privacy Act are all seriously undermined by the assumption that the purposes to which organisations put personal data are not an information privacy issue. As a result, the Act represents no protection whatsoever against the brisk development of data surveillance (Clarke 1988). The OECD at least demands a 'general policy of openness' about inter alia the purposes of personal data, and therefore provides the possibility for informed debate. The ALRC entirely omitted that crucial principle. The Privacy Act, because of the narrowness, document-orientation and heavy qualifications of the Freedom of Information legislation, falls far short of establishing the degree of openness necessary to enable the public to understand and influence the purposes of personal data systems.
The ALRC argued, in rather confusing manner, that the collection principles should not apply where information is volunteered, "but only where the collector of the information actually seeks it out". This restriction has no counterpart in the OECD Guidelines.
The Privacy Bill 1986 adopted this restriction, using not the clumsy term 'seeking it out', but rather 'solicitation': "Personal information shall be taken to be solicited by an agency from a person if the person provides that information to the agency in response to a request by the agency for that information ..." (cl.12). The Bill applied solicitation not only to collection (Principles 2 and 3), but also to use and disclosure (Principles 10 and 11). This latter exemption was a new development in the Bill which has no counterpart in the ALRC Report.
In the Privacy Act 1988, the references to solicitation were dropped from the use and disclosure principles (10 and 11), but retained in those relating to collection (2 and 3). The effects of the 'solicitation' clauses are:
As a result of the inclusion of the 'solicitation' qualification in IPPs 2 and 3, the Privacy Act imposes very few obligations relating to data collection in the following cases:
The solicitation notion has created for the public service the opportunity to develop a class of personal data which is clean of all data protection constraints. Data may be 'created clean', by observation and by voluntary offer by the data subject, or it may be 'washed clean' by offering it unsolicited to other agencies. An additional 'data laundromat' is identified in section 9.4 below.
The claimed justification for this enormous qualification is that information-subjects have the right to find out about non-solicited information under Principles 5 & 6 (EM42). However, this right applies only ex post facto, is heavily qualified, and requires the data subject to make a thorough and frequent pest of himself with every organisation with which he has dealings (and a few more besides). Hence the Privacy Act fails to establish the basis for the association-with-purpose control, which is fundamental to the OECD Guidelines.
Who uses unsolicited information, and for what purposes, is declared by the Privacy Bill Principles to be completely irrelevant to information privacy. As a result, the Privacy Commissioner would have no power to find under s.13 that the use or disclosure of such information was inconsistent with the Principles and therefore an interference with privacy. The exclusion of 'unsolicited' information is an enormously important departure from the OECD Principles.
The OECD left the approach to regulation and enforcement almost entirely at the discretion of each Member country, although it did suggest that self-regulation may be appropriate in common law countries (G19,EM5,19d-e,69-70). Matters considered included:
The ALRC proposed that the existing Human Rights Commission be expanded by the addition of a Privacy Commissioner, and take responsibility for policy and education matters. The Commission, in conjunction with representatives of affected organisations, was to prepare codes of practice relevant to particular classes of organisations and/or records [1054,1415,1418,cl.10].
The Privacy Bill 1986 proposed a new statutory authority called the Data Protection Agency (DPA) with powers to investigate, to conciliate, to publish guidelines for government agencies, to collate information about agency records (which is already available under the Freedom of Information Act), and to provide advice and reports to the Government. (The Bill was inextricably inter-twined with the Australia Card Bill 1986, which was twice defeated in the Senate, gave rise to a double-dissolution, and was eventually withdrawn as popular opinion swung strongly against it - see, for example, Clarke (1987) and Greenleaf and Nolan (1987)).
The Privacy Act 1988 reverted to the ALRC model, in that it created a Privacy Commissioner, and located the position within the (in the interim re-named) Human Rights and Equal Opportunities Commission (HREOC). The Privacy Commissioner is established by ss.19-35 (see also ss.96 and 99) as a member of the Human Rights and Equal Opportunities Commission, although his relationship with HREOC is rather vague. He is to have an Advisory Committee (ss.81-88). He has the following functions (s.27):
The investigations function may be triggered by a complaint, or invoked at the Commissioner's own volition. It is supported by substantial powers (ss.36-59, 64-70, 30-33), although they are constrained in a number of important ways.
The examination functions are restricted to circumstances in which Ministers seek advice, and the Commissioner cannot examine of his own volition, nor cause copies of draft legislation or proposals to be shown to him. The advice function is not so constrained.
In addition, the Commissioner has functions relating to tax file number information (s.28), and associated powers (ss.36-53, 60-70, 30-33).
The ALRC proposed that the new member of the existing Human Rights Commission (HRC), the Privacy Commissioner, deal with complaints. Significant information-collection powers were to be balanced by constraints. The Commissioner was to have no power to enforce his decisions, but would need to convince his fellow Commissioners on the HRC to recommend changes in the law to the Government of the day. His position was to be that of a conciliator, not an arbiter [1041,1052-70].
The Privacy Commissioner actually created by the Privacy Act 1988 is in a far more powerful position than the ALRC had proposed. His investigations powers may be triggered in three different ways:
The Commissioner's investigation powers are very similar in all three cases. However, whereas complaints give rise to determination and enforcement powers, such conclusions as the Commissioner may reach as a result of investigations on his own initiative are subject to very limited sanctions (ss.30-33). The remainder of this section is concerned only with complaints.
In general the Commissioner is required to investigate complaints, provided that they comply with a number of requirements. Explicit requirements include that complaints must:
However there is an impressive range of less obvious constraints, such as that:
A representative complaint is subject to considerable additional requirements (ss.36(2), 38 and 39), although the Commissioner may waive these in some circumstances (s.38(2)(b)).
The Act specifies in some detail the manner in which complaints are to be investigated (ss.43-51). This appears to leave very little scope for any less bureaucratic procedure, even where both parties are agreeable, and conflicts with the implication of s.27(1)(a) that the Commissioner may "endeavour, by conciliation, to effect a settlement". The Commissioner must generally afford both parties the opportunity to appear before him, and cannot delegate that role to a staff-member. There is therefore the possibility that his effectiveness may be stultified by even a moderate case-load. On the other hand, he has powers to require information and documents to be provided to him. He has powers to enter premises and inspect documents (s.68). However these appear to be ineffective where the data are not expressed in documents or are located on the premises of an agent of the respondent. Two other important qualifications to his power to collect information are that information which reveals the identity of a person other than a complainant is not to be disclosed without permission (s.69), and that the Attorney-General may furnish a certificate to the effect that provision of the information would be contrary to the public interest (s.70).
After completing an investigation of a personal or representative complaint, the Commissioner may make a determination dismissing the complaint, or, if finding it substantiated, declaring that an act or practice should not be repeated or continued, and/or that the respondent should provide redress, compensation and/or reimbursement (s.52-53). However the Commissioner has no power to instruct a respondent as to the specific way in which its practices should be changed (although he does not appear to be precluded from making constructive suggestions). He must state any findings of fact, although there is no explicit requirement that he state his reasoning.
A declaration is binding on an agency, and the Commissioner or the complainant may (some time later) apply to the Federal Court for an order directing the agency to comply (ss.54-59), or restraining a person from engaging in conduct in contravention of the Act (s.98). Nothing in the Act explicitly empowers the Court to make a full review of the facts of a case, or of the Commissioner's rationale and value judgements. Nor is there any provision for the respondent to instigate an appeal against a decision by the Commissioner.
The dispute resolution mechanisms established by the Act provide the Commissioner with considerable powers, but embody a number of significant problems.
The ALRC recommended that the Principles be enacted as indicative or guidance legislation, as "statements of principle and aspiration. They were not intended to be statements of inflexible law". However, in relation to the matters of subject access and correction, ALRC Principles 5 and 6 proposed an enforceable right which would have bound all Commonwealth government agencies, private sector organisations in the Territories, and the many private sector organisations which operate nationally [1236, 1278-80, cls. 51,68].
The Commission did not support civil or criminal remedies, preferring "a judicious mixture of judicial and administrative mechanisms, provided in a legislative framework" [1068,1074-87]. In general, matters were to be appealable by the individual, the record-keeper or the Privacy Commissioner to the Administrative Appeals Tribunal and thence the Federal Court. A supervisory agency or 'statutory guardian' was proposed [1039-66,1228-29]. See sections 9.2 and 9.3 below.
The Government implicitly rejected most of the ALRC's recommendations, preferring to pass all of a heavily amended set of principles into law, but regulating only the public sector. Under the Privacy Act, an agency is obliged to discontinue a practice determined by the Privacy Commissioner to be an interference with privacy. This may be accompanied by a declaration concerning redress or compensation. The Commissioner or a complainant may apply to the Federal Court for an order directing the agency to comply (ss.52-59). In addition, the possibility exists for the Commissioner, or any other person, to seek from the Federal Court an injunction under s.98, restraining a person from engaging in conduct which constitutes a contravention of the Act.
On the surface, the enforceability of the Privacy Act appears to be a very positive step in providing privacy rights. However, there are important disadvantages in legislating an enforceable framework:
The Privacy Act also leaves the private sector unregulated and without guidelines within which to work. The Commissioner has powers over private sector organisations in relation to tax file number information (ss.13, 28, 36-53, 60-63). He also has the function of encouraging corporations to develop programs for the handling of records of personal information (s.27(1)(n)), but has no explicit powers. The Privacy Amendment Bill 1989 would provide enforceable rights in respect of consumer credit data. However, the Privacy Bill falls short of the OECD requirements.
The ALRC claimed that its proposals were a national implementation of the OECD Guidelines, reflecting the legal, economic, social and cultural characteristics of the Australian environment. However, many of the differences between the ALRC's proposals and the OECD Guidelines appear to be stylistic or arbitrary. In some cases their effect is probably neutral, but many of them result in shortfalls from the protective scheme devised by the OECD, or in ambiguity that would have to be settled by an appropriate legal authority, or clarified by specific codes of practice.
The Privacy Act departs much further from the OECD Guidelines. A summary of the most important deficiencies identified in this paper is at Exhibit 5. Some of the inadequacies seem to result from misunderstandings of either the OECD Guidelines or the ALRC proposals. However, given the high standard of Australian parliamentary drafting, it is hardly tenable to treat all of the shortfalls identified in this paper as accidents. Regrettably, it is very difficult not to interpret some aspects of the Privacy Act as direct manoeuvres by the Commonwealth public service to pervert the intentions of privacy protection, and instead consolidate and even strengthen its ability to apply personal information to whatever uses it sees fit.
National implementations of international instruments must necessarily differ, for a range of cultural reasons. However, it appears that some additional variables need to be taken into account. Law reform reports are generally written by semi-academic lawyers, and draft legislation by parliamentary draftsmen, who are lawyers steeped in the terminology and mythology of the administrative arm of government. The habits of those classes of people can have a significant impact not only on the style, but even the content of legislation. Another significant factor may be the entirely understandable human weakness of wishing to leave a personal stamp on new initiatives. The test to be applied is whether the personal stamp, in general, and in the circumstances, if it is practicable, unless that stamp is obvious, and having regard to the purpose for which the legal reform is intended, is believed on reasonable grounds to be reasonable.
In addition, powerful institutions will move to protect their interests. In this instance, apart from the medical research lobby, the main player was the Commonwealth public service itself, which successfully shielded its re-working of the Law Reform Commission's Draft Bill from the public eye, and used its mastery of detail, and the Government-of-the-day's political needs to smuggle features into the Bill, onto the table of Parliament, and into law.
The Privacy Act 1988 has great potential to bring about improvements in the information privacy of Australians. However it contains many flaws, and fails in a great many respects to measure up to the requirements of the international instrument which was supposed to be its origin. In addition, it has been passed over a decade too late. The protective apparatus which the OECD observed and codified was a response to the information technology of the early 1970's. Developments have been substantial, and new measures are urgently required if privacy, and other values crucial to democracy and humanism are to be retained. It is therefore essential that the Privacy Act be improved upon, and progressively extended.
ALRC (1983) 'Report No.22: Privacy' Australian Law Reform Commission, Elizabeth St, Sydney NSW 2000, 1983 (3 vols.)
Clarke R.A. (1985) 'The Impact on Practitioners of the A.L.R.C.'s Information Privacy Proposals' Aust. Comp. J. 17,2 (May 1985)
Clarke R.A. (1987) 'Just Another Piece of Plastic for Your Wallet: The Australia Card Scheme' Prometheus 5,1 (June 1987) 29-45
Clarke R.A. (1988) 'Information Technology and Dataveillance' Comm ACM 31,5 (May, 1988)
Clarke R.A. & Greenleaf G.W. (1987) 'An Assessment of Australian Information Privacy Law Proposals Against the OECD Guidelines' Working Paper available from the authors (November 1987)
EEC (1980) 'Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data' Brussels 1980
Greenleaf G.W. & Clarke R.A. (1984) 'Database Retrieval Technology and Subject Access Principles' Aust. Comp. J. 16,1 (Feb 1984)
Greenleaf G.W. & Clarke R.A. (1986) 'Aspects of the Australian Law Reform Commission's Information Privacy Proposals' J. of Law & Info. Sc. 2,1 (August 1986)
HEW (1973) 'Records, Computers and the Rights of Citizens' Report of the Secretary's Advisory Committee on Automated Personal Data Systems, U.S. Dept. of Health, Education and Welfare (now Health and Human Services) MIT Press, 1973
ICCPR (1966) 'International Covenant on Civil and Political Rights' United Nations, 1966
Lindop N. (1978) 'Report of the Committee on Data Protection' U.K. Cmnd 7341 H.M.S.O. London 1978
Morison W.L. (1973) 'Report on the Law of Privacy' Govt. Printer, Sydney 1973
NSWPC (1977) 'Guidelines for the Operation of Personal Data Systems' New South Wales Privacy Committee, Sydney, 1977
OECD (1980) 'Guidelines on the Protection of Privacy and Transborder Flows of Personal Data' OECD, Paris, 1980
OTA (1986) 'Federal Government Information Technology: Electronic Record Systems and Individual Privacy' Office of Technology Assessment, U.S. Congress, OTA-CIT-296 (June 1986)
PPSC (1977) 'Personal Privacy in an Information Society' Privacy Protection Study Commission, U.S. Govt. Printing Office, Washington D.C., 1977
Rule J.B., McAdam D., Stearns L. & Uglow D. (1980) 'The Politics of Privacy' New American Library 1980
Westin A.F. (1967) 'Privacy and Freedom' Atheneum 1967
Westin A.F. & Baker M.A. (1974) 'Databanks in a Free Society: Computers, Record-Keeping and Privacy' Quadrangle 1974
Younger K. (1972) 'Report, Committee on Privacy' U.K. Cmnd 5012 London 1972
Created: 15 February 1997 - Last Amended: 15 February 1997 by Roger Clarke - Site Last Verified: 15 February 2009