The Australian Privacy Act 1988 as an Implementation of the OECD Data Protection Guidelines

Roger Clarke

Principal, Xamax Consultancy Pty Ltd, Canberra

Visiting Fellow, Department of Computer Science, Australian National University

Version of 25 June 1989

© Xamax Consultancy Pty Ltd, 1989, 1997

This paper is at http://www.anu.edu.au/people/Roger.Clarke/DV/PActOECD.html


Abstract

In 1980, the Organisation for Economic Cooperation and Development (OECD) issued a set of Guidelines for data protection. Australia, an OECD member, had no significant data protection laws at that time. Subsequent proposals for Australian data protection law have been claimed to draw on the OECD Guidelines. The Australian Law Reform Commission completed a Report on Privacy in 1983, including a Draft Bill. The Australian government introduced a Privacy Bill in 1986, closely coupled with a Bill to introduce a national identification scheme. It lapsed.

A significantly revised Bill was introduced in late 1988, and following amendments in the House, passed into law in December of that year. This paper assesses the Privacy Act 1988 against the international guidelines. It concludes that the Act falls short of the OECD requirements in a number of very important respects.


Contents

  1. INTRODUCTION
  2. THE DEVELOPMENT OF DATA PROTECTION LAWS
  3. THE OECD GUIDELINES
    1. Background
    2. Description
  4. FACTORS AFFECTING NATIONAL IMPLEMENTATION
  5. AUSTRALIAN PROPOSALS FOR PRIVACY PROTECTION
  6. GLOBAL ASPECTS OF THE PRIVACY ACT
    1. Who Is To Be Regulated
      • Public Sector Organisations
      • Private Sector Organisations
      • The Data Controller, Collector and/or Keeper
    2. Whose Data Is Protected
      • Natural Persons
      • Legal Persons
    3. The Object of the Regulatory Scheme
      • Documents, Files, Records, Data or Information
      • Computerised Versus Manual Systems
      • Restrictions Based on Recording Media
      • Identifiability of Individuals
      • Generally Available Material
      • Sensitive Data
    4. Exemptions
      • FOI Exemptions
      • Intelligence-Related Agencies
      • Records Received from Intelligence-Related Agencies
      • 'Non-Administrative' Acts
      • Pre-Existing Data
      • Mechanism for Creating Further Exemptions
      • NHMRC Guidelines
    5. Reasons for Adverse Decisions
    6. Conflict of Laws
  7. THE PRIVACY ACT PRINCIPLES
    1. Collection Limitation Principle
      1. (a) What is Collected
      2. (b) The Means of Collection
      3. (c) From Whom The Data Is Collected
      4. (d) Knowledge or Consent of the Data Subject
      5. (e) General Applicability of the Collection Principle
    2. Data Quality
      • Collection
      • Storage
      • Use and Disclosure
      • Destruction
    3. Purpose Specification
    4. Use Limitation
      1. (a) Control Against Original Purposes
      2. (b) Exceptions
        • Consent
        • Authority of Law
        • Emergency Use
        • Enforcement of the Criminal Law
        • Pecuniary Penalties
        • Protection of the Public Revenue
        • Medical Research
        • Usual Practice
      3. (c) The Mechanism of Disclosure
    5. Security Safeguards
    6. Openness
    7. Individual Participation
      1. (a) The Right of Subject Knowledge of the Existence of Data
      2. (b) The Right of Subject Access to Data
      3. (c) The Mechanism of Subject Access
      4. (d) Subject Challenge to Data
    8. Accountability
  8. TWO ADDITIONAL, FUNDAMENTAL WEAKNESSES
    1. Controls Over System Purposes
    2. Restriction of Key Principles to 'Solicited' Information
  9. ENFORCEMENT AND REGULATION MECHANISMS
    1. The Machinery - The Regulatory Agency
    2. The Machinery - Dispute Resolution
    3. Enforceability
  10. CONCLUSIONS

Bibliography


1. INTRODUCTION

The Preamble to the Commonwealth Privacy Act 1988 recites that, inter alia

... WHEREAS Australia is a member of the Organisation for Economic Co-operation and Development: AND WHEREAS the Council of that Organisation has recommended that member countries take into account in their domestic legislation the principles concerning the protection of privacy and individual liberties set forth in the Guidelines attached to the recommendation: AND WHEREAS Australia has informed that Organisation that it will participate in the recommendation concerning those Guidelines,

the Privacy Act is enacted in consequence of that obligation. It also recites another international obligation, "the right of persons not to be subjected to arbitrary or unlawful interference with their privacy", contained in the International Covenant on Civil and Political Rights (ICCPR 1966).

The Privacy Act 1988 incorporates eleven Information Privacy Principles (IPPs), which the Explanatory Memorandum (p.1) states are based on the recommendations of the Australian Law Reform Commission's Report on Privacy (ALRC 1983). The Law Reform Commission had also stated that its Principles were based on the OECD Guidelines (ALRC 1983, paras. 602-3, 1195).

This paper assesses the Privacy Act 1988 against the OECD Guidelines, considering where appropriate the ALRC's Report (1983) and the Privacy Bill 1986. Preliminary sections provide background on the history of data protection laws generally, and the OECD Guidelines in particular, and discuss factors affecting their implementation in the Australian context.


2. THE DEVELOPMENT OF DATA PROTECTION LAWS

Concern about unfair information practices developed quickly during the latter half of the 1960's. This was stimulated by growth in the power of computers, and the extent of their use, although many problems either pre-existed computers, or were associated also with other forms of information system automation, such as photocopying, microfilm and telecommunications. Concern about the social impact of computers resulted in a significantly improved appreciation of the impact of information technology generally.

In many countries it was felt that the emergence of the various information technologies represented a challenge that existing legal protections were unable to cope with. As a result, during the decade of the 1970's, many of the 'advanced western nations' acted to provide legislative and/or administrative protections.

Important early activity in the United States included studies by Westin (Westin 1967, 1974) and an Advisory Committee to the then Department of Health Education and Welfare (HEW 1973). Congress passed the Privacy Act in 1974 regulating federal government agencies. A report on early experiences is to be found in the Report of the Privacy Protection Study Commission (PPSC 1977). Legislation in Europe had begun even earlier, with the West German Land of Hesse passing the very first Data Protection Act in 1970, and Sweden's Data Act of 1973 being the first comprehensive legislation at national level. In the United Kingdom, Private Members' Bills were introduced in the late 1960's, and the Younger Committee reported in 1972.

Since the early 1970's, most of the advanced western nations have legislated. In addition, many of the states of the U.S.A., provinces of Canada and Länder of West Germany have also passed laws. Some of these apply to all personal data systems, while others are restricted, e.g. to the public sector, or to automated or computerised systems. In an endeavour to achieve some amount of consistency in the highly varied approaches, the European Economic Community adopted a Convention in 1980 (EEC 1980).

Meanwhile, the United Kingdom had once again ignored the recommendations of a Government Committee (Lindop 1978). It finally responded to commercial pressure to ensure that British companies were not disadvantaged against their European competitors, and passed the Data Protection Act in 1984.


3. THE OECD GUIDELINES
3.1 Background

The membership of the Organisation for Economic Co-operation and Development (OECD) comprises the nineteen major Western European countries, plus the United States, Japan, Canada, Australia and New Zealand. By 1980, many of the OECD's Member countries had legislation of some kind in force (ALRC 1983 Vol.3 provides a summary). By 1978 it was apparent that "these laws have tended to assume different forms in different countries", and "the disparities in legislation may create obstacles to the free flow of information between countries" (OECD, 1980, p.15).

An Expert Group, chaired by Justice Michael Kirby, then Chairman of the Australian Law Reform Commission, was established in 1978 "in order to facilitate the harmonisation of national legislation" (p.15). Its instructions were "to develop guidelines on basic rules governing transborder flow and the protection of personal data and privacy, in order to facilitate a harmonisation of national legislations ..." (p.18). It was expressly not an attempt to flesh out more general documents concerning human rights, such as ICCPR (1966).

The prime concern was to " ... advance the free flow of information between Member countries and to avoid the creation of unjustified obstacles to the development of economic and social relations among Member countries" (OECD, 1980, p.7), and the concern to ensure that member-countries had a clear statement of international expectations regarding privacy protection was quite secondary. However, "The Guidelines attempt to balance the two values against one another; while accepting certain restrictions to free transborder flows of personal data, they seek to reduce the need for such restrictions and thereby strengthen the notion of free information flows between countries" (p.22-23).

The Guidelines are contained in OECD (1980), and comprise a 1-page Council Recommendation, 4 pages of Guidelines and a 22-page Explanatory Memorandum. The document provides " ... a general framework for concerted action by Member countries: objectives ... may be pursued in different ways" (p.23). It does not represent a binding International Convention.

3.2 Description

The OECD Guidelines comprise eight 'Basic Principles of National Application' (pp.10-11), definitions of terms and of scope, and discussion of a number of matters of international concern. This paper concentrates on the national, to the virtual exclusion of the international, matters. References to paragraph-numbers in the Guidelines are prefaced with 'G', and those in the Explanatory Memorandum with 'EM'. References to paragraphs of ALRC, 1983 are enclosed in square brackets, e.g. [1236].

The Guidelines make clear that they "do not constitute a set of general privacy protection principles"; they relate only to that sub-set of privacy concerns referred to as 'information privacy' (EM 38). Although the term 'privacy' is used, the guidelines are predominantly concerned with 'data protection' with consideration of some broader matters such as relevance, reasons for refusal and public participation.

The OECD's 'Basic Principles of National Application' are reproduced in Exhibit 1. In this paper the OECD Principles are numbered sequentially from 1, rather than in accordance with their paragraph numbers in the Guidelines (which run from 7 to 14).

The first five Principles relate to the collection, storage, use, and dissemination of personal data. Three further principles relate to a 'policy of openness' regarding data systems, the ability of individuals to participate in certain aspects of data systems, and accountability for compliance. The structure reflects that of previous national laws: "Generally speaking, statutes ... attempt to cover the successive stages of the cycle, beginning with the initial collection of data and ending with erasure or similar measures, and to ensure ... individual awareness, participation and control" (EM5).

They are also clearly, and fairly explicitly (e.g. EM 4, 51), a result of negotiation among common law and codified law countries, and between 'data protection' and 'privacy' oriented countries. This exercise in international diplomacy produced some fairly broad qualifications: "The framework ... permits Member countries to exercise their discretion with respect to the degree of stringency with which the Guidelines are to be implemented ... generally speaking, the Guidelines do not presuppose their uniform implementation by Member countries with respect to details" (EM45). It is also envisaged that some countries will undertake "the regulation of ['particular'] types of data or activities as compared to regulation of a general nature ("omnibus approach")" (EM46). Subject access and correction rights in particular are to be implemented pragmatically (the liberally-worded Principle in G13 is heavily qualified by EM58-61). Similarly the means whereby a Member country complies with the Guidelines is at its own discretion, as are the mechanisms of action and appeal (G19, EM69-70).

Exhibit 1: The OECD Principles

1. Collection Limitation Principle

There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

2. Data Quality Principle

Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.

3. Purpose Specification Principle

The purposes for which personal data are collected should be specified not later than at the time of collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

4. Use Limitation Principle

Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with [Principle 3] except:

5. Security Safeguards Principle

Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.

6. Openness Principle

There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

7. Individual Participation Principle

An individual should have the right:-

  1. to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;
  2. to have communicated to him, data relating to him

8. Accountability Principle

A data controller should be accountable for complying with measures which give effect to the principles stated above.

Prior to assessing the Australian legislation against the OECD Guidelines, it is necessary to identify important considerations which justify differences among the national implementations of the various OECD members.


4. FACTORS AFFECTING NATIONAL IMPLEMENTATION

Significant differences exist among OECD member countries, ranging from conceptions of data protection and privacy, through approaches to regulation, to the nature of legal procedures. Some of the important factors involved are:

Some relevant aspects of Australian society are identified below.

Geographic, Economic and Cultural Factors

Australia is a widely dispersed country, with a population of 16 million spread over an area the size of contiguous U.S.A. and larger than Europe excluding Russia. Perth is as far from the national capital as London is from Tel Aviv, and Jakarta and Singapore are closer. The population is mainly urban (40% in the two largest cities, 55% in the five largest), but provincial and country populations are very widely spread.

It is a relatively well-off country, with the mining industry having grown quickly during the last twenty years to supplement the long-established agricultural and pastoral industries. Per capita disposable income is noticeably less than in the U.S.A., but of the same order as in West Germany, and greater than in the United Kingdom and Italy.

About 20% of the population was born outside the country, and since the last war the previously very strongly Anglo-Celtic population has been leavened with many 'New Australians' of other ethnic groups, particularly Italians and Greeks, resulting in what is currently referred to as 'multi-culturalism'. These have included small numbers of many different refugee groups, including European Jews and White Russians (1930's and 1940's), Hungarians (1956), Czechs (1968) and Vietnamese (1970's and 1980's). The attitudes of Australians to information privacy, and the degree of trust they have in record-keepers, are accordingly highly varied.

Attitudes to Individual Freedoms and Social Control

Australians have a long-standing ambivalence toward authority. They were fervent supporters of the British Empire into the 1950's, and since then most have regarded their country as a staunch ally of the United States. During recent decades they have pioneered compulsory seat-belts and random breath-testing with little protest. Yet attitudes of distrust of central authority, a cynical dislike for politics, and a love for both anarchic and republican symbols (such as the colony's convict origins, bushrangers, the Eureka Stockade flag and frequent use of the right to strike) have persisted. Although they live in one of the more strongly urbanised countries, Australians enjoy the 'boy from the bush' getting the better of the 'city slicker' - an image successfully and profitably projected by the film 'Crocodile Dundee'.

Despite the significant heterogeneity in Australian society, there have been few periods of real social unrest since the Second World War, with the Vietnam War having been the most socially divisive issue of recent times, followed by the Australia Card campaign.

Unlike some countries, including some in its reference group, Australia has no restrictions on location of residence or employment, no system of identity cards, and no comprehensive register of people's addresses and occupations. A multitude of identity documents are used in transactions, and a recent attempt to introduce a national identification scheme foundered in the face of strong community opposition. Police have no general powers to require that a person prove his or her identity. For the most part, individual freedoms have dominated social control.

Degree of Computerisation

Australian companies and government agencies have been early adopters of new information technology products, and are sophisticated users. For example, the banking sector comprises a small number of institutions which are large by world standards, and are world leaders in consumer Electronic Funds Transfer Systems (EFTS). There have been a number of innovative computing applications in the public sector, including Medicare, administered by the Health Insurance Commission, and the Department of Social Security's system. As in other countries making advanced use of information technology, there are shortages of trained staff, but standards remain high.

Constitutional Factors

Australia's federal structure provides the Commonwealth Government with specific powers, but leaves the States with considerable residual powers and responsibilities. However, the Commonwealth's powers are certainly sufficient to enable regulation of its own agencies, and are adequate to enable it to at least significantly influence practices in the private sector and in agencies of the State governments. The current Commonwealth Government certainly believed it had sufficient powers to enforce a national identification scheme irrespective of the attitudes of the States.

A Common Law Country

Australian law was inherited from the United Kingdom, with prior cases defining some areas of law, and being crucial to the interpretation of others. A similar line of development has been followed to that of British law, and only very recently was the last possibility of final appeal to the United Kingdom Privy Council removed. Although foreign case-law is generally no longer binding on Australian courts, decisions by courts from other common law jurisdictions are of persuasive value. Judicial decisions in other common law countries are particularly relevant to Australian cases where the legislation is based on similar sources, such as the pioneering statute of some other country, or an international instrument.

Legal and Administrative Mechanisms

In common with many other common law countries, Australia has experimented with methods of dispute resolution alternative to the traditional courts. A variety of bodies and tribunals have been established since the mid-1970's to deal with administrative law, including, at the federal level, an Ombudsman, an Administrative Appeals Tribunal, and a Human Rights and Equal Opportunities Commission. Various States have Ombudsmen, Anti-Discrimination Boards, and Administrative Appeals Tribunals.

Existing Data Protection Laws

Little Australian data protection law existed prior to the 1988 Act. There is no constitutional right of privacy as in the United States. A number of incidental protections for 'information privacy' potentially exist in the general law (common law and equity), in such areas as breach of confidence, negligent advice and defamation, but they have received little development by the Courts. The Commonwealth Freedom of Information Act 1982 and the Victorian (State) Freedom of Information Act 1982 both provide individuals with a right of access to, and correction of, records held on them by the Commonwealth and Victorian Governments respectively. In New South Wales, a Privacy Committee of twelve people representing various community interests is empowered under the Privacy Committee Act 1975 as a 'privacy ombudsman' to investigate complaints of invasion of privacy against both public and private sector bodies and make recommendations. In Queensland, South Australia and Victoria there is legislation providing individuals with rights of access and correction to credit bureau files. These matters are reviewed in ALRC (1983).

The Law Reform Process

Australian courts generally avoid changing the law for policy reasons, asserting not just the primacy of Parliaments in law reform, but their exclusive responsibility for it. Given that Parliaments are better financed, and have less fettered access to know-how, this conservatism does not seem unreasonable. However, Australian Parliaments look less like sober law-making institutions than gladiatorial arenas, and tend to undertake major change in the law only sporadically. Difficult issues are referred to Law Reform Commissions, whose report is delivered years later, in a different social and political climate, often to a new Minister, and not infrequently to a subsequent Government of a different persuasion. Unsurprisingly, most of their recommendations are generally ignored.


5. AUSTRALIAN PROPOSALS FOR PRIVACY PROTECTION

In April 1976, the Commonwealth Government of the (conservative) Liberal Prime Minister Fraser gave the Australian Law Reform Commission a reference to study interferences with privacy arising under the laws of the Commonwealth or Commonwealth Territories. The Commission's Report was not completed for that Government (1976-83), but was finally presented, in December 1983, to the Labor Government of Prime Minister Bob Hawke. The Government's first responses were cautiously supportive, but the issue had low priority for a new Government whose concerns were dominated by economic matters.

The ALRC's proposals will be mentioned in this paper where appropriate, within the structure provided by the OECD Guidelines. The key elements were (ALRC 1983, Clarke 1985):

Exhibit 2: Elements of the ALRC Information Privacy Proposals

* Information Privacy Principles

* A Statutory Guardian

* Subject Access Rights

In formulating its ten Information Privacy Principles, the Commission claimed to have drawn primarily on the OECD Guidelines [ALRC, 1195]. However, the mechanisms proposed were designed to mesh with mechanisms and institutions already in existence, principally the Freedom of Information Act 1982 and the Human Rights Commission.

The Commonwealth Freedom of Information Act 1982, although it provided only very heavily qualified rights of access to government information, had been strenuously opposed by government agencies. By far the most common use of the Act has been to enable individuals to gain access to their own records, and the second most common use appears to be by investigative journalists. After an unsuccessful attempt in 1985, the Government has significantly increased charges for FOI access, in order to dissuade some requests, and recover a larger proportion of the cost of the remainder.

The ALRC Report contained a Draft Privacy Bill. This was distributed to federal government agencies for comment, and drew generally defensive reactions. The Attorney-General's Department made many changes to the Bill, some clearly related to legislative drafting style, but many suggesting that the public service felt it had a free hand to ensure that the legislation did not prejudice its interests. In accordance with an ALRC recommendation that the Federal Government create the environment for a national solution, State Attorneys-General were also given the opportunity to comment on the revised Draft Bill. There was no involvement of the public, or of public interest groups, during these stages.

Although presaged for the August 1985 parliamentary session, no Privacy Bill was tabled. During 1985-86, the question of privacy became caught up in the maelstrom of a much more divisive issue. The Government committed itself to the introduction of a national, multi-purpose identification scheme, involving a computer-based register, a card, a unique identification number, and reporting and other obligations on all organisations and individuals. In an attempt to imply that to oppose the scheme was to be unpatriotic, it was named the 'Australia Card' scheme. Its stated purposes were to address tax evasion, welfare fraud and illegal immigration. For a summary of the proposed scheme, see Clarke (1987).

The ALRC had proposed that the Human Rights Commission (since changed to the Human Rights and Equal Opportunities Commission) be established as the statutory guardian over the implementation of the Information Privacy Principles. Instead, the Government chose to vest that responsibility in a new Data Protection Agency whose primary function was to oversee the operation of the Australia Card scheme. This proposal made administrative sense in that one specialist agency would oversee all aspects of federal data protection laws. However, the provisions creating the Data Protection Agency were placed in the Australia Card Bill (Part VII), rather than in the Privacy Bill, and the Privacy Bill was therefore inoperable unless the Australia Card Bill was also passed. This was an attempt by the Government to neutralise the anticipated opposition of the civil liberties lobby to the national identification scheme.

Despite such manoeuvring, the Australia Card Bill was defeated in the Senate, in December 1986 and March 1987, by the combined opposition of the three non-Labor parties. In contrast to the furore over the Australia Card, the Privacy Bill debate was restricted to a little over an hour, and with the demise of the major Bill, it was left, forlorn, on the parliamentary table.

The second rejection of the Australia Card Bill gave the Government the constitutional grounds for an election involving the dissolution of both Houses of Parliament. After a succession of denials that it would exercise that option, it did so in May 1987. The reason for doing so was political (the opportunity to go to the polls during a period of leadership turmoil in the Opposition conservative parties), and had little to do with the Australia Card as a substantive issue. In the ensuing election campaign, despite being the technical grounds for the election and a matter of clear division between Government and Opposition, the Australia Card was barely mentioned, with competence in economic management being the main theme.

At the July election, the Government was returned with a sufficient overall majority that, if the Bill were again rejected by the Senate, the Government could force its enactment at a joint sitting of both Houses. The Prime Minister stated his intention to pursue this course. During the third quarter of 1987, a well-orchestrated public campaign turned public opinion violently against the scheme, and after a significant drafting flaw was brought to light (ironically by an ex-Deputy Secretary of the Attorney-General's Department), the Government withdrew the Bill.

Although they were introduced as a tactical manoeuvre to gain support for another proposal entirely, the data protection elements of the combined Privacy Bill and Australia Card Bill represented a serious attempt to implement data protection in Australia, and an earlier working paper (Clarke & Greenleaf 1987) undertook an analysis of them.

During 1988, as an alternative to the withdrawn Australia Card proposal, the Government set out to significantly enhance the Tax File Number scheme used by the Australian Tax Office. In order to buy the necessary support of the Senate, the Government introduced a Privacy Bill developed largely from the 1986 Bill, and accepted a number of amendments to it which were proposed by the Opposition. This resulted in the passage of the two Bills.

The subsequent developments have been so positive as to suggest that the Government is seeking to make the best of the course of events forced on it. The Bill was passed only in early December 1988, assented to in mid-December, and took effect on 1 January 1989. A Privacy Commissioner, with significant prior involvement with data protection issues, was appointed early in the New Year, and given a significant budget. After a prolonged period of neglect, information privacy has suddenly been addressed in a positive manner by Parliament and the Government alike. In May 1989, the Privacy Commissioner, by an amendment to the Crimes Act, was given powers relating to the disclosure of convictions which have been pardoned, quashed or spent. In June 1989, a Privacy Amendment Bill was introduced, to extend the Privacy Commissioner's ambit to include the consumer credit reporting industry.

The remainder of this paper assesses the Privacy Act 1988 against the framework provided by the OECD Guidelines, with mentions of the earlier ALRC proposals and the Privacy Bill 1986 where appropriate. It is not directly concerned with those provisions of the Act which relate to control of the Tax File Number.


6. GLOBAL ASPECTS OF THE PRIVACY ACT

Section 7 will consider each of the OECD Principles, assessing the manner and extent to which the Privacy Act 1988's Information Privacy Principles (IPPs) fulfil the OECD requirements. This preliminary section deals with the general framework within which those principles are intended to be applied, in particular what it is that is regulated, who is thereby to be protected, who is subject to regulation, and what exceptions are intended. Subsequent sections deal with two particularly important constraints on the proposals' effectiveness, and the proposed enforcement and regulation mechanisms.

6.1 Who Is To Be Regulated
Public Sector Organisations

The OECD considered restricting the scope of the Guidelines to only the public or only the private sector, but decided to cover both (G2,G5,EM44). The reason is not discussed, but it was presumably on the grounds that threats arise in both areas, and that, although somewhat different regulation may be required, the Guidelines are at a sufficient level of generalisation for the same general statement to apply to both.

The ALRC did not limit its recommendations to one sector; indeed, it came down firmly on the side of general applicability of the Principles [617, 1088-92, 1393]. However, it did anticipate that enforceability of the Principles would be undertaken in the public sector earlier and more commonly than in the private sector [1051,1239]. The ALRC's Draft Privacy Bill would have applied to the private sector in the minor Territories controlled by the Commonwealth and to records concerning residents of those Territories stored anywhere in Australia. It would therefore have had an impact on the record-keeping practices of the many large private sector organisations which use the same software to maintain data about customers and clients throughout the country [1037].

Under the Privacy Act (ss.10(1),6(1)), most Commonwealth government agencies are record-keepers. A set of Information Privacy Principles is established by s.14. Its applicability is defined in s.16 by the statement that "an agency shall not do an act, or engage in a practice, that breaches an Information Privacy Principle". However, 'act or practice' is defined in s.7 so as to embody an extremely large and complicated set of exemptions, many of which exempt whole organisations, not just certain classes of the records with which they deal. In addition, the Privacy Commissioner's functions and powers (s.27) are limited to matters involving an 'interference with privacy', which is defined in s.13 as 'acts or practices which breach an IPP'. The effect of this merry-go-round of definitions is that a large number of agencies are wholly or partly exempt from the Act. Moreover, such agencies are under no compulsion to consider in what ways the principles should be applied to their operations.

The Act does not apply directly to individuals acting as employees of an agency, and it is unclear whether a person's written notes or private notebook would be subject to the Act. If not, then the notes of a policeman, government doctor, social worker, journalist or other employed professional may not be subject to the Act.

The limitation of the Privacy Act to the public sector, and the exemption of a great many agencies in whole or in part, represent significant retreats from the OECD Guidelines, and the ALRC's Recommendations.

Private Sector Organisations

The Information Privacy Principles are not directly applicable to the private sector. It would not have been possible to provide the same degree of enforceability of the IPPs against private sector record-keepers, because the administrative law remedies which are to be used to force public sector agencies to comply are not available. Nonetheless, the IPPs could have been given some status within the private sector as a statutory standard, even though unenforceable.

However, there are four ways in which the Privacy Act influences the private sector:

The ALRC is consistent with the OECD's requirements, but the Act falls short in that it provides only limited data protection in the private sector. However there is some influence in the private sector, and the possibility of further extensions.

The Data Controller, Collector and/or Keeper

The OECD Guidelines use the notion of a 'data controller' (G1,14, EM40,62), who "should carry ultimate responsibility for activities concerned with the processing of personal data" (EM40), and is defined as "any person who, according to domestic law, is competent to decide about the contents and use of personal data" (G1). The definition is intended to exclude service bureaux and telecommunications carriers (who are mere agents), and also 'dependent users' who have little control over any aspect other than data use. It assumes that a single natural or legal person can reasonably be held responsible for all aspects of practices relating to a given piece of information; and also that that person is the one concerned with the data's processing. This is quite unrealistic. However, "nothing in the Guidelines prevents service bureaux personnel, 'dependent users' ... and others from being held accountable" (EM62). The term is used only in the Accountability Principle. Since it contains a compound criterion and could result in many data collections having no data controller, it is to be assumed that the explanation was intended for guidance, rather than as a serious attempt at authoritative definition.

The ALRC used the term 'record-keeper' for "a person who has possession or control of the record", where control includes "being in a position to obtain access to a record" [1199, cls.47, 49, our emphasis].

The Privacy Act 1988 adopts the ALRC wording, but splits the responsibility for compliance. IPPs 1 to 3 place obligations on the 'collector' of information, whereas IPPs 4 to 11 impose obligations on 'a record-keeper who has possession or control of a record that contains personal information'. 'Record-keeper' is also defined by s.10 (with some procedural qualifications relating to archives) as "an agency that is in possession or control of a record of personal information". The difference between 'a record that contains personal information' and 'a record of personal information' might be treated by the courts as being of significance, although it seems unlikely that the difference was intentional.

The 'possession or control' criterion introduced by the ALRC and retained by the Privacy Act creates a serious difficulty. It appears that this is an attempt to cope with circumstances in which:

Every organisation with 'control' of any part of the record, or possession of it, is responsible for the application of the IPPs to the record as a whole. But to partially ease that imposition, the Act then limits the obligations of an agency which "has possession but not control" of a record "to the extent only of the obligations or duties to which that agency is subject, otherwise than by virtue of the operation of this Act, because it is in possession of that particular record" (s.12). Depending on what the courts can make of that provision, it may ease the position of data centres, but agencies which have shared control of a record seem to be responsible for each others' compliance with IPPs 4-11. The definition is therefore a literal nonsense, and this, coupled with its legalism, would confuse both data subjects and record-keepers, and facilitate attempts by agencies to avoid responsibilities.

The combined effect of ss.10 and 12 is that a record-keeper is an organisation that has control of a record (whether or not it also has possession of it). However, different records within a database may be under the control of different organisations. Moreover, the various items which make up a record may be under the control of different organisations. Where the whole of a record is entirely under the control of one organisation, that organisation is the record-keeper. In all other circumstances, real doubts arise whether, for the purposes of the Privacy Act 1988, any record-keeper exists.

A further problem in the definition is that responsibility for compliance with the Storage and Security IPP (4) and the Disclosure IPP (11) would be more appropriately assigned to the organisation in possession of the data, whether or not that organisation also has control of the data.

The ALRC avoids a problem inherent in the OECD's approach, but in so doing creates a further problem. The Privacy Act 1988 is largely consistent with the ALRC's problematical approach, but is more complex and confusing.

6.2 Whose Data Is Protected
Natural Persons

Some national legislation restricts the scope of protection depending on the status of the data subject, in many cases seemingly accidentally. In particular:

The OECD Guidelines define 'data subject' as "an identified or identifiable individual" (implicitly only, see G1b), and other references (e.g. at EM33 and 41) are to 'individual' and 'physical persons' in an unqualified manner. It would appear therefore that the Guidelines avoid creating any unnecessary difficulties of this kind.

The ALRC used the term 'record-subject'. The Report concluded that rights should be "available to anyone in Australia" [1238], seeming not to notice that this is also a restriction. The Draft Privacy Bill, possibly by drafting accident, restricted the right somewhat differently, to persons who "ordinarily reside" in Australia [cls.45,46].

The Privacy Act 1988 defines 'individual' very openly as "a natural person" (s.6(1)). An exception is made in s.41(4), which precludes the Privacy Commissioner from investigating a breach of the Alteration IPP unless each of the persons concerned is either an Australian citizen or has rights of permanent residence. In the case of foreigners denied visas for reasons they suspect to be unfair, that seems an unfortunate constraint.

Both of the ALRC's proposals fell somewhat short of those of the OECD, whereas, with one explicit exception, the Privacy Act 1988 appears to conform.

Legal Persons

The OECD considered whether data protection should apply not only to natural persons, but also to groups or classes of natural persons including associations, and to legal personæ such as companies and trusts (EM19c, 31-33). This was decided in favour of natural persons only, on the basis that " ... individual integrity and privacy are in many respects particular and should not be treated in the same way as the integrity of a group of persons, or corporate security and confidentiality" (EM33).

The ALRC limited its recommendations to natural persons, referring the other matters to the recommended statutory guardian [27-9, 1404]. The Privacy Act 1988 applies only to natural persons, and so conforms with the OECD Guidelines.

6.3 The Object of the Regulatory Scheme

The OECD considered whether there should be restrictions on the scope of coverage of data (EM19g, 41). Considerable difficulty appears to have been encountered in reaching consensus as to what types of data should be covered.

Documents, Files, Records, Data or Information

A central issue is whether the scheme deals with personal information, personal data, records of personal data, documents containing personal data, or personal data systems. Three issues require consideration:

The OECD Guidelines use a framework based on 'personal data', defined as "any information relating to an identified or identifiable individual (data subject)" (G1b). This is much less restrictive than the approach traditionally taken in Freedom Of Information statutes, which are generally restricted to 'documents'. However, the OECD Guidelines do not distinguish between data and information.

The ALRC's proposals related to 'records of personal information' [1196-98,1237, cls.45,46,48]. There is no evidence that the Commission appreciated the difference between 'information' and 'data', and the choice of word appears to have been arbitrary. Nor was there any explicit justification for restricting the scope to data stored in 'records', other than a desire to retain consistency with the Freedom of Information Act. There may have been an implicit assumption that only information which is reduced to the concrete form of a 'record' requires protection against misuse, or that data protection laws could not be effectively imposed on transactions which involved only transient communications and no potentially permanent records.

In the Privacy Act 1988, some provisions relate to 'personal information', but some only to 'records of personal information'. 'Personal information' means "information ... about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion", and 'individual' means "a natural person" (s.6(1)). The term 'information' appears to be used in the same general sense in which the OECD used the more appropriate term 'data'.

The term 'record' means "a document, a database (however kept), or a ... pictorial representation of a person", but excludes a generally available publication, museum and archive records, and articles in the course of transmission by post (s.6(1)). A separate amendment to the Acts Interpretation Act makes clear that 'record' now includes "information stored or recorded by means of a computer" (Crimes Legislation Amendment Act 1989). However, the Privacy Act definition of 'record' appears to create several difficulties:

Interestingly, the provisions relating to the Tax File Number (ss.17, 28) apply to tax file number information, not records. These provisions were drafted for the first time in 1988, and did not derive from the ALRC Report or the Privacy Bill 1986.

The Act is narrower in scope than the OECD Guidelines, because it refers to records. In endeavouring to be specific, and presumably thereby avoid certain operational difficulties, the legislative draftsman appears to have created many others.

Computerised Versus Manual Systems

The OECD considered restricting the scope of the Guidelines according to whether the systems concerned were (at least partly) automated rather than entirely manual (G2,G3c,EM19b,34-38,41-43,45). They concluded that, "Above all, ... the principles are valid for the processing of data in general, irrespective of the particular technology employed" (EM37) and " ... the OECD Guidelines apply ... irrespective of the methods and machinery used in [the data] handling" (EM20).

The reasons canvassed for common treatment were that distinguishing between them is difficult; that many systems are partly automated and partly manual; that ongoing technological change means that many private systems are becoming automated in some sense; and that definitional problems would inevitably lead to excessively literal interpretation and the accidental creation of loopholes (EM35). The intuitively obvious explanation (that the unfair information practices from which people need protection are as much characteristic of manual as of automated systems) is not discussed.

However, making the Guidelines generally applicable would have created difficulties for countries such as France, Luxembourg and Austria (and subsequently the United Kingdom) who apply data protection only to data maintained in computer-based systems. The OECD therefore allowed that "some countries may find it appropriate to restrict the application of the Guidelines to ... automatic processing" (EM45). The Council of Europe went further, by restricting its Convention to 'any set of personal data processed in whole or in part by automatic means' (EEC, 1980, Arts.2,3).

The ALRC [118,589,1193,1413,1415] and the Privacy Act 1988 are not explicitly qualified, although some doubts are raised above as to the completeness of their coverage.

Restrictions Based on Recording Media

The OECD considered specifying restrictions based on the nature of the recording medium, but decided against them. Unnecessary confusion can be created by referring to 'computer-readable' media. Greater difficulties still may arise from an open-ended, technology-dependent definition like "information recorded in a form in which it can be processed by equipment operating automatically in response to instructions given for that purpose" (U.K. Data Protection Act 1984 s.2, our emphasis).

The ALRC's definitions of 'record' and 'document' contained no such qualification to the applicability of its proposals [1237, cls.8,48].

The Privacy Act definitions of 'record' and 'document' similarly contain no qualification, and include as one form of record "a database (however kept)" - s.6(1). It is unclear from the Act itself whether the term 'document' includes data transmitted and stored using electronic, magnetic or optical technologies. However, under the Acts Interpretation Act s.25, as amended in 1984, the term 'document' includes anything:

There is sufficient complexity in these definitions for imaginative counsel to become enthusiastic. However, in the absence of any evidence to the contrary, it seems reasonable to assume that the Privacy Act applies to records irrespective of the recording medium, and therefore appears to comply with the OECD recommendations.

Identifiability of Individuals

The OECD Guidelines are intended to apply to data which is relatable to 'identified or identifiable individuals' (G1b,EM41).

The ALRC's Report reached a similar conclusion: "If the information can be easily combined with other known information, so that the person's identity becomes apparent, the information should be regarded as personal information" [1196-98]. However, a weakness was built in, probably by accident, by the Commission's legislative draftsman, because its Draft Privacy Bill referred to "a natural person whose identity is apparent, or can reasonably be ascertained, from the information or opinion" (cl.8, our emphasis). As a result of the last phrase, the literal meaning is that the identity must be apparent or ascertainable from the information itself, without reference to any other information. Hence it seems entirely feasible that a record identified by a code, and which therefore required a look-up of a code-table to tie the data to the identity, could be held not to be personal information. This weakness was carried forward into the 1986 Bill and the 1988 Act.

In addition, the ALRC's Draft Bill restricted personal information to "information or an opinion ... about an individual" (cl.8, our emphasis). A recording or transcript of a person speaking might not contain data about that person, yet it may impliedly reveal much about their affairs, and hence require data protection. It is unclear from the Act whether it will be interpreted as though it read 'about an individual or his affairs'. The deficiencies of the ALRC Principles in relation to such 'implicit information' are analysed in Greenleaf and Clarke (1984 and 1986). This potential weakness is carried forward into the 1986 Bill and the 1988 Act.

The Privacy Act 1988 is deficient in comparison with the OECD Guidelines in two respects, as a result of mistakes in the ALRC's Draft Bill.

Generally Available Material

The Privacy Act 1988 excludes from the definition of 'record' any library reference material, publicly accessible archives or 'generally available publication' (s.6(1)). A 'generally available publication' is defined as "a magazine, book, newspaper or other publication that is or will be generally available to members of the public" (s.6(1)).

Australia has a less open tradition than, for example, Sweden, and it is unlikely that a great many data systems would be regarded as being in this category. However, some important and sensitive data collections might be held to be 'generally available publications', such as the electoral register (which is available for purchase); but possibly also births, deaths, marriages and driver licensing registers in the Territories, which are not purchasable in whole, but are publicly accessible; the telephone books, both those published by Telecom and extracts from them; and publicly purchasable mailing lists (including those from Telecom). There may be good grounds for exempting some kinds of 'generally available publications' from some of the IPPs, but not from the data protection regime as a whole. For example, the electoral roll may reasonably be exempt from the disclosure principle, but surely not from the data quality or collection principles.

This exclusion in the Privacy Act 1988 appears to be a considerable qualification on the protections envisaged by the OECD Guidelines.

Sensitive Data

The OECD Guidelines apply to data which poses a danger to privacy and individual liberties (whether that danger is inherent in the data, or arises from the manner of its processing or the context in which it is used). This test is intended to exclude "data collections of an obviously innocent nature (e.g. personal notebooks)" (EM43). The term 'obvious', and the presumption that personal notebooks are necessarily innocent, seem rather naive. Perhaps it was the likely limited circulation that justified the example, and the desire for consensus that justified the general comment.

Consideration was also given to distinguishing sensitive and non-sensitive personal data (G3b,EM19a,50-51). The European approach tends to recognise some items of data as being by their very nature sensitive, whereas the U.S. privacy legislation reflects the view that sensitivity is dependent on context and use. The OECD concluded that "it is probably not possible to identify a set of data which are universally regarded as being sensitive" (EM19a).

The ALRC generally avoided the use of such a concept, although the term 'excessively personal' appeared as a test of data quality in the collection phase (Principle 3). The only reference in the Privacy Act 1988 is the requirement that "the collection of the information does not intrude to an unreasonable extent upon the personal affairs of the individual concerned" (IPP 3), but no guidance is provided as to what information collection might constitute an unreasonable intrusion.

6.4 Exemptions

The OECD considered the question of exceptions to the Principles, and concluded that they "should be as few as possible, and ... made known to the public" (G4,EM19g,EM46-7). This applies even to those relating to national sovereignty (e.g. relationships with foreign governments), national security (e.g. espionage and counter-espionage organisations) and 'ordre public', a very French phrase usually translated into English as 'public policy' (arguably as a polite euphemism for 'law and order'). The Explanatory Memorandum also contemplates additional heads, such as financial interests of the State. The extent to which international diplomacy can lead to empty statements is demonstrated by the wonderful remark that "To summarise, the Expert Group has assumed that exceptions will be limited to those which are necessary in a democratic society" (EM47).

Within the ALRC proposals, the only enforceable rights (those of subject access and correction) were subject to a wide variety of exceptions.

The Privacy Act adopts the extensive ALRC-recommended exceptions, and extends them. Exceptions constitute over 25% of the wording of the IPPs. For example, the limitation of use and disclosure to the original purposes is subject to not two controlled exceptions (as in the OECD Guidelines), but five, mostly uncontrolled exceptions. This section assesses the exemptions in the Privacy Act.

FOI Exemptions

In order to maintain consistency with the Freedom of Information legislation, the Act adopts its many categories of exemption, and its long list of fully exempt and partially exempt government agencies (s.7(1)(a)(i), (c) and (2), and FOI Act Schedules 1 and 2). This represents a far greater leakage than is envisaged by the OECD Guidelines.

Moreover, the Act is phrased in such a way that not only is there no external control over exempt agencies, but there is also no requirement that exempt agencies observe the IPPs. It is unfortunate that all records of exempt agencies are exempt from privacy regulation, even though some of those records are of a class (such as basic personnel data) which would not be exempt if they were records of any ordinary agency. Further, while it is clear that the IPPs may need some degree of qualification before being applied to some agencies, or (more likely) some classes of records, it seems most unreasonable for them to be deemed by Parliament to be completely irrelevant. For example, some standards of data collection and data quality should surely apply; as should some constraints on use and disclosure (e.g. to which classes of organisation may personal information be disseminated, and under what circumstances).

Intelligence-Related Agencies

British countries have long held very high regard for (their own) espionage and counter-espionage activities. The legal fraternity, convention-bound and slow to adapt, is likely to be the last to notice how outdated such reverence has become. The ALRC was precluded by its Terms of Reference from considering matters relating to national security or defence. Beyond expressing concern that "this may be precisely the area where additional protections ... are needed", the Report respected that exclusion [14,1418].

The Australian Parliament allows intelligence-related agencies to operate with a very large amount of delegated authority; but surely it should instruct them to establish and monitor standards of performance. Instead, national security agencies are fully protected from the rigours of privacy regulation through their exempt status within the FOI framework. The Attorney-General's Second Reading Speech claimed that privacy complaints "will be able to be dealt with by the Inspector-General of Intelligence and Security", but the Act does nothing to bind intelligence agencies to abide by the IPPs, nor does it contain any requirement that the Inspector-General take any notice of them, or consult with the Privacy Commissioner on such matters.

Records Received from Intelligence-Related Agencies

The Privacy Act provides exemption for "a record that has originated with, or has been received from" an intelligence agency, including the National Crime Authority (s.7(1), our emphasis). It is one thing for an intelligence report, as such, to be provided with such an exemption. But the words we have emphasised have the effect that any record whatsoever can be permanently removed from the individual's sight by passing the data to an intelligence agency for its consideration and return. Any material that an agency wishes to keep from a data subject can therefore be protected.

While it is unlikely in the present climate that government agencies would routinely abuse this provision, there can be little doubt that the opportunity would be taken in regard to particularly sensitive material, such as potentially defamatory material concerning a person's mental health, sexual preferences, associations or motivations; or information which reflected very badly on a politician, a senior public servant, or a public service practice. There is no control whereby the extent to which this provision is used itself becomes public knowledge, e.g. through annual reports. This provision complements the 'data laundering' technique which is discussed in section 8.2 below.

'Non-Administrative' Acts

The Privacy Act excludes all non-administrative acts and practices of the courts, many acts and practices of Ministers, and all acts and practices of the National Crime Authority and Royal Commissions (s.7(1)). It is unclear what this is meant to entail, or what justification exists.

Pre-Existing Data

Reasonably enough, the Privacy Act limits the applicability of the collection principles to data collected after the commencement of the Act (s.15(1)). However the use and disclosure principles are subject to the same restriction, which means that Australia's adult population cannot anticipate the fully effective operation of the use and disclosure principles during their lifetime. These limitations do not appear in either the OECD Guidelines or the ALRC proposals. This compounds the serious weakness of the Privacy Act's Use and Disclosure Principles, discussed in section 7.4 below.

Mechanism for Creating Further Exemptions

The Privacy Commissioner presides over a mechanism whereby more exemptions can be approved (ss.71-80). An agency may apply for a determination that "the public interest in the agency doing [an] act, or engaging in [a] practice ... outweighs to a substantial degree the public interest in adhering to [an] Information Privacy Principle" (s.72(b)). Thereafter that act or practice would be deemed not to be an interference with privacy. The Commissioner is empowered to make a decision in favour of the application, or dismiss it. He is not explicitly able to approve it subject to general or specific conditions (such as a Code of Conduct, sunset clause, reporting requirements, etc). There also appears to be no provision for him to review his determinations after a period of time, and vary or reverse his previous findings.

In considering applications, the Commissioner is to make them public, and may, at his discretion, consider submissions from any person who "has a real and substantial interest in the application". Under a restrictive interpretation this could mean that a person would have to be directly affected, rather than be an advocate or a public interest group. There are many aspects of the specified procedure which make it difficult for the public to oppose an application by an agency. As with many other aspects of the Act, interpretations are crucial to the effectiveness of the Act in protecting privacy, and the approach taken by the appointee, and the selection criteria applied by the Government in making appointments, will determine the success or failure of the legislation in protecting information privacy.

NHMRC Guidelines

The ALRC discussed medical research matters, but did not recommend any special provisions. Had the Privacy Bill 1986 been passed, the National Health and Medical Research Council (NHMRC) would have enjoyed a very privileged position. Under the Privacy Act, it gained one special condition, in that the Privacy Commissioner has the power to approve guidelines issued by NHMRC for the protection of privacy in medical research (s.95). There is no explicit statement that such guidelines are to be consistent with the IPPs. A decision by the Commissioner not to approve such guidelines is reviewable by the Administrative Appeals Tribunal, but a decision to approve is not so reviewable. These provisions bias the process in favour of medical research and against information privacy.

The ALRC provided for a wider range of exemptions than does the OECD. The Privacy Act is much weaker still.

6.5 Reasons for Adverse Decisions

The right to be given reasons for adverse decisions was a matter of difficulty for the OECD (G13,EM60). G13(c) makes clear that "an individual should have the right to be given reasons if a request [for access or correction] is denied". In a particularly bold move, "broadening of this right to include reasons for adverse decisions in general, based on the use of personal data, met with sympathy by the Expert Group. However, on final consideration a right of this kind was thought to be too broad for insertion in the privacy framework constituted by the Guidelines" (EM60).

The ALRC rejected a general requirement as unnecessarily costly, but felt it to be "thoroughly desirable as a good administrative practice", and commended it for ongoing study by the statutory guardian [1397]. Consistently with the OECD, it also proposed that where a request for access or correction was not fully complied with, the reason should be given [cl.82].

The Privacy Act 1988 does not appear to require that an organisation give the individual reasons for any kind of adverse decision. This constrains the person's capacity to appeal to the respondent (required under s.41(1)(b) as a pre-requisite to a complaint), to complain to the Privacy Commissioner under s.36, to request alteration to a record under IPP 7, and to request the Privacy Commissioner under s.35 that a record be annotated. The Privacy Commissioner can, subject to some exceptions (ss.69-70), gain access to the reasons. However, that will often not assist the appeal, complaint or request for alteration, because in cases in which the respondent is claiming an FOI exemption, the Privacy Commissioner is precluded by s.34 from giving the person information about the contents, or even the existence, of a record. On the other hand, the Privacy Commissioner himself is required to give reasons for non-investigation of a complaint (s.52(2)), and to give the reasons for a public interest determination (s.79(3)).

The ALRC Report complied with the OECD requirements, but the Privacy Act 1988 does not.

6.6 Conflict of Laws

On the questions of choice of jurisdiction and of law, the OECD reached no conclusions as to the basis whereby these issues might be resolved (EM19f,74). On the surface this is a remarkable failure for an international organisation. On the other hand, the OECD's efforts were directed at defusing a potential restraint of international flow of communications, and conflict avoidance was a higher priority than conflict resolution.

The ALRC stated it to be "extremely important that the principles of privacy protection be the same in both the Federal and the State jurisdictions" [1088,1393]. However, although the harmonisation of international laws and facilitation of transborder data flows were important, they were beyond the Commission's terms of reference [604-7,1089,1417].

In the Privacy Act 1988, there is no explicit reference to choice of laws and conflict of laws, and the Privacy Commissioner is not given the function of encouraging or negotiating with State Government agencies to facilitate harmonisation of laws.


7. THE PRIVACY ACT PRINCIPLES

This section is structured along the lines of the OECD Principles, and assesses the manner and extent to which the relevant Information Privacy Principles (IPPs) of the Privacy Act 1988 fulfil the OECD requirements. Reference is made to the ALRC Report and the Privacy Bill 1986 where appropriate.

The ALRC claimed that its Principles drew primarily on the OECD Guidelines [1195]. The Attorney-General, in his Second Reading Speeches introducing the 1986 and 1988 Bills, claimed that the IPPs were "based on the Principles recommended in [the ALRC's] draft legislation". One would therefore expect little difficulty in tracing the implementation of the OECD's Principles through into the Government's proposals. The following 12000 words will show such an expectation to be wrong.

The intention of the OECD Principles was to provide guidance. As a result, they were clipped and clear, and a mere 350 words long. The ALRC had similar intent, although a few more complexities crept in and the length was 450 words. The Privacy Act Principles (s.14) require over 1500 words.

Because the IPPs in the Act are to have the force of law, the drafter has written them at a greater level of detail, and defensively. They contain a large number of qualifications (e.g. phrases containing the word 'reasonable' or 'practicable' occur a dozen times). Sentences and clauses specifying exceptions occupy over 400 words, more than the whole of the OECD Principles. The phrase 'a record-keeper who has possession or control of a record that contains personal information' occurs eight times, resulting in nearly 100 unnecessary words.

The ALRC Principles were structured differently from those of the OECD, and used a different sequence, terminology and style. The Privacy Act uses broadly the same structure as the ALRC, but departs significantly in content. An outline reconciliation of the three sets is shown in Exhibit 3.

The IPPs are central to the operation of the Privacy Act. "An agency shall not do an act, or engage in a practice, that breaches an Information Privacy Principle" (s.16). An act or practice which breaches an IPP is an interference with privacy (s.13), and the Privacy Commissioner is empowered to investigate it (ss.27(1) and 36-51), and make a determination (ss.52-53), which may include a declaration requiring the agency to provide redress or compensation to the complainant. The Commissioner may enforce such determination and declarations through the courts (ss.55-59 and 98). Others of the Commissioner's powers are also defined by reference to the IPPs (ss.27(1), 30-33 and 71-80).

The following sections deal with each of the OECD Principles in turn, considering the extent to which each has been implemented by the Privacy Act 1988.

Exhibit 3: Reconciliation of the Sets of Principles

OECD Guidelines               ALRC Principles      Privacy Act 1988

1. Collection Limitation      1. Collection        1. Collection
                              3. Collection        3. Solicitation
2. Data Quality               3. Collection        3. Solicitation
                              6. Correction        7. Alteration
                              7. Use               8. Accuracy, &c
                              9. Use               9. Relevance
3. Purpose Specification      2. Collection        1. Collection
                                                   2. Solicitation
                                                   5. Information
4. Use Limitation             8. Use               10. Use
                              10. Disclosure       11. Disclosure
5. Security Safeguards        4. Storage           4. Storage
6. Openness                   OMITTED              5. Information
7. Individual Participation
   - Access                   5. Access            6. Access
   - Challenge                6. Correction        7. Alteration
8. Accountability             elsewhere            elsewhere

The Principles in the Privacy Act are almost identical to those which first appeared in the Privacy Bill 1986, with the exception of IPPs 10 and 11. Global changes were that the 1988 Act uses the form 'shall' where the 1986 Bill used 'should' (this was discussed by the media as a major concession by the Government to the Opposition team), and the phrase 'the individual concerned' was substituted for 'the information-subject'.

7.1 Collection Limitation Principle

(a) What is Collected

The OECD recognised that "there should be limits to the collection of personal data", but did not specify what they were. Presumably the Data Quality Principle considerations of relevance, accuracy, completeness and up-to-dateness were intended to be relevant.

ALRC Principle 3 nominated the same factors, but inverted the phrasing, e.g. from 'accurate' to 'not inaccurate'. It added requirements that information collected should not be 'excessively personal'; and that "personal information should not be collected unnecessarily".

Exhibit 4.1(a): Collection Limitation Principle

OECD - Collection Limitation (and Data Quality) Principles

ALRC - Collection of Personal Information

Privacy Act - Collection and Solicitation

The Privacy Act differs from the ALRC as follows:

The ALRC is largely consistent with the OECD Guidelines, whereas the Privacy Bill falls well short of the OECD requirements.

(b) The Means of Collection

Exhibit 4.1(b): Collection Limitation Principle

OECD - Collection Limitation Principle

ALRC - Collection of Personal Information

Privacy Act - Collection

The OECD's direct prescription is inverted by the ALRC, and thence in the Act. The meaning of 'unfair' is not qualified by the 'purpose of collection', and its meaning will have to be interpreted by the courts. It is possible that actions bordering on duress might be deemed 'fair' by a court because the agency is performing a public duty. For example, an agency might threaten to withdraw benefits, impose a discretionary charge, or schedule an inspection or an audit of the person's affairs. A multi-function agency might indicate to defaulters or miscreants in respect of one of their functions that their rights in respect of another function might be suspended pending the modification of their behaviour. Such 'cross-system enforcement' is discussed in Clarke (1988) as a major form of 'data surveillance'.

(c) From Whom The Data Is Collected

Exhibit 4.1(c): Collection Limitation

OECD - Collection Limitation

ALRC - OMITTED

Privacy Act - OMITTED

The OECD Guidelines fail to explicitly state the preference that data be collected from the data subject. The ALRC and the Privacy Act 1988 follow the OECD Guidelines in omitting this privacy protection.

(d) Knowledge or Consent of the Data Subject

The OECD requires the 'knowledge or consent of the data subject', with an open-ended and undiscussed qualification "where appropriate". ALRC Principle 2 contained a heavily qualified (and in many cases unnecessary and highly onerous) requirement that information be communicated to the 'record-subject'. No consent to collection was to be required.

Exhibit 4.1(d): Collection Limitation Principle

OECD - Collection Limitation Principle

ALRC - Collection of Personal Information

Privacy Act - Solicitation

The Privacy Act entirely omits reference to the 'knowledge or consent of the data subject' in the context of data collection. The Explanatory Memorandum to the Privacy Bill 1986 claimed that "the right of the information-subject to know about ... 3rd party-supplied information about him is catered for in IPPs 5 and 6 concerning information about records held by record-keepers and access to those records" (para.39). This is not only inadequate but also impractical: it obliges every information-subject who wishes to know who has information about him, to seek frequent access to every one of the scores of records about him in government agencies. Whereas OECD Principle 1 explicitly relates the subject's knowledge or consent to the collection of the data, the Privacy Act contains no element of consent, and restricts the right to know to a later time, and then only to those people who ask.

IPP2(c)-(e) specifies that the collector is to ensure that the person is "generally aware of" the purpose of, and authorisation for, collection, and of usual disclosure practices. Even in this minor concession to privacy rights, the Act shows a heavy bias in favour of government agencies, in that:

(e) General Applicability of the Collection Principle

Exhibit 4.1(e): Collection Limitation Principle

OECD - Collection Limitation (and Data Quality) Principles

ALRC - Collection of Personal Information

Privacy Act - Collection and Solicitation

The OECD Collection Limitation Principle applies to personal data generally. So too did the ALRC proposals.

In the Privacy Act, the IPPs are limited to personal information which is collected "for inclusion in a record or in a generally available publication". There are many different circumstances in which data may be excluded because of this qualification. For example, data may be collected for immediate use, or for storage in some manner which is not a record (e.g. a professional's notebook). Literally it is irrelevant whether the data comes to be included in a record or in a generally available publication - it is only the intent at the time of collection which matters.

It is unclear why data should not, in all circumstances, be collected "for a lawful purpose"; not unnecessarily; in such a way that the person concerned is (at least) "generally aware of" its purpose etc; and subject to data integrity standards. The qualification has the effect of enabling agencies to ask irrelevant questions at will, free of any privacy constraints.

In comparison to the OECD requirements, the ALRC proposals are weak, and the Privacy Act proposals much weaker still.

7.2 Data Quality

Exhibit 4.2: Data Quality

OECD - Data Quality Principle

ALRC - Collection, Correction and Use

Privacy Act - Solicitation, Alteration, Accuracy, &c., Relevance

Rather than the more conventional term 'data integrity', the OECD refers to 'data quality'. Reasonable though that expression is, the use of a term which bears an uncertain relationship to the underlying discipline risks difficulties in using expert information technology knowledge to interpret and apply the requirements.

The OECD Data Quality Principle is not constrained in time, but requires data quality to be maintained throughout the cycle of collection, storage, use and dissemination. It explicitly refers to relevance, accuracy, completeness and up-to-dateness as the heads of data quality. Although the OECD Principle contains no mention of destruction, the matter is discussed in the Explanatory Memorandum: " ... when data no longer serve a purpose, and if it is practicable, it may be necessary to have them destroyed (erased) or given an anonymous form. The reason is that control over data may be lost when data are no longer of interest; this may lead to risks of theft, unauthorised copying or the like" (EM54).

The main elements of data quality or integrity are:

Data quality is a factor throughout the cycle of data collection, processing, storage, processing, internal use, external disclosure and on into further data systems. Data quality is not an absolute concept, but is relative to the particular use to which it is to be put. Data quality is also not a static concept, because data can decay in storage, as it becomes outdated, and loses its context. Organisations therefore need to take positive measures at all stages of data processing, to ensure the quality of their data. Their primary motivation for this is not to serve the privacy interests of the people concerned, but to ensure that their own decision-making is based on data of adequate quality. There are, however, many circumstances in which the two interests coincide quite closely.

The ALRC approach was piecemeal and incomplete, depending on Principles 3, 6, 7, 9 and 10. They therefore failed to clearly impose on the data-keeper a responsibility to maintain data in an accurate, complete and up-to-date condition. The draftsman may have failed to appreciate that data 'decays' in storage, as a result of subsequent events, and of changes in context and social values. In the IPPs, the 'data quality' notion is also scattered widely.

Collection

In IPP3, the criterion of accuracy has been omitted at the point of collection. This may have been an oversight, due to the enormous complexity of the drafting. Credence is lent to that assumption by the phrasing of IPP8, in which accuracy is treated as being dependent on purpose. The error is serious, because a collector could infer that data can be collected without concern for its accuracy. There is no doubt that a 'reasonableness' qualification is justified, to avoid philosophical debates about the meaning of 'accuracy', but such a qualification already exists.

In IPP3, the 'not misleading' quality criterion is missing. Sometimes this matters, for example in the case of an empty field, which may result in a judgement being made adverse to the data subject's interests, when all it really means is that the data is unavailable or the field is irrelevant to that particular person.

In addition, IPPs 1-3 introduce the new notion of 'solicitation'. This has the effect of restricting data quality controls only to those circumstances where data is actively sought by the record-keeper. In IPP3, if data is unsolicited, then there are no requirements at all regarding data quality at the point of collection! This is so important that a separate section is devoted to it (section 8.2 below).

In addition, in IPP3, data which is collected other than "for inclusion in a record or a generally available publication" is subject to no quality controls whatsoever.

Storage

IPP4 fails to require that data be maintained in an accurate, up-to-date, complete and not misleading form. However, IPP 7 (Alteration) does impose a requirement to maintain data quality. The requirement exists at all times, and not just when the data subject challenges its quality, or requests alteration. Unfortunately, in IPP7, accuracy is incorrectly treated as though it were an absolute concept, independent of the data's purpose.

Use and Disclosure

IPPs 8 and 9 require a record-keeper to use data only for relevant purposes, and to take steps before using it to ensure that it is of sufficient quality. In IPPs 8 and 9, the criterion of 'not misleadingness' is omitted.

Consistently with the ALRC wording, where data is disseminated to a third-party decision-maker, the record-keeper is under no obligation to ensure data quality. In the ALRC wording the matter did not appear to be serious, because any user was required to ensure the quality of data that he used. However, IPPs 8 and 9 fail to impose data quality constraints on all users, since they refer explicitly to record-keepers. As a result, third parties who receive and use data without storing it, are under no obligation to ensure its quality and relevance! Nor are third parties who pass the data on to further organisations under any obligation to ensure its quality, unless they first include it in a record or a generally available publication. There is clearly a need for data quality, not only in relation to use by the record-keeper, but also by anyone else. The intention is easily inferred from the OECD's wording, but apparently it should have been explicit.

Destruction

The OECD's failure to explicitly require destruction of data after it ceases to be relevant is reflected in both the ALRC's proposals and the Privacy Act, although some limited right of expungement may arise from the right to seek alteration of records under Privacy Act IPP 7. The permanence of destruction brings the privacy interest into clear conflict with the archival interests of historians. However, a watchdog agency should have the specific responsibility of considering the circumstances under which some classes of information should be destroyed when their relevance expires. It is unclear whether the question of destruction lies within the Privacy Commissioner's purview.

The ALRC inadequately implements the OECD requirements, and the Privacy Act IPPs are much, and very seriously, weaker.

7.3 Purpose Specification

OECD Principles 3 and 4 contain a clumsy piece of drafting. For OECD 3 to correspond to its title, the second half, commencing "and the subsequent use limited ..." should have been moved into OECD 4. This paper treats OECD 3 and 4 as if they were worded that way.

Exhibit 4.3: Purpose Specification

OECD - Purpose Specification Principle

ALRC - Collection of Information

Privacy Act - Collection, Solicitation and Information

ALRC replaced the words "should be specified" with "ensure that the record-subject is told". Interpreted literally, this has the effect of requiring a communication even when none is needed. It is probable that the OECD intended only that the purposes be 'specified in writing' (such that they could be communicated on any future occasion when they became an issue) rather than being necessarily 'specified to the data subject' (EM54). The impact of this excessive requirement is then mitigated by the clause "unless that purpose is obvious". Such 'obvious' (and therefore unspecified) purposes represent a loophole of the same kind, if not the same magnitude, as the infamous 'routine uses' provision of the U.S. Privacy Act 1974.

The ALRC added the requirements that the data-subject be told of the existence of any authority for collection (although not, literally, what that authority is, nor why it exists), and of the usual practices with respect to disclosure. These requirements were not mitigated by any qualifying clause, and were therefore to be enforced communications.

The OECD wording was weakened by the ALRC in the following ways:

However, as with the OECD formulation, the ALRC requirements applied to all data collected, whether from the data-subject himself or otherwise.

In one limited sense, the Privacy Act improves on both the OECD and ALRC, by referring to "a lawful purpose directly related to a function or activity of the collector" (although 'record-keeper' would seem more appropriate than 'collector'). It retains the ALRC requirement to notify the information-subject of any legal authority, and (in a weakened form) of usual disclosure practices. However, these protections are restricted to information solicited from the information-subject.

Moreover, the Privacy Act retains the weaknesses introduced by the ALRC, and adds some very significant weaknesses and qualifications of its own:

The OECD's Purpose Specification Principle is somewhat misunderstood by the ALRC, and positively butchered by the Privacy Act proposals.

7.4 Use Limitation

This section treats OECD Principle 4 as though it included the second part of OECD Principle 3. The ALRC and the Privacy Act also follow this more logical structure.

(a) Control Against Original Purposes

Exhibit 4.4(a): Use Limitation

OECD - Use Limitation Principle

Privacy Act - Limits on Use and Disclosure

The OECD envisages two primary circumstances of use, plus two exceptional circumstances dealt with in the next sub-section. The two primary circumstances are:

ALRC 8 and 9 (Use and Disclosure) fell short of the OECD requirements, and IPPs 10 and 11 followed them. As a result, the Privacy Act is deficient in that:

There appears to be no discussion of the reasons why the ALRC wandered so far from the OECD requirements. It may be that the Commission had doubts about the practicability and cost-effectiveness of the proposal. On the other hand, given the tortuous manner in which the various OECD proposals have been incorporated, some of the points may just have got lost. The matter is a serious one, since the requirement that "new purposes should not be introduced arbitrarily" (EM54) was not fulfilled by the ALRC Principles.

Having adopted these ALRC-induced weaknesses, the Privacy Bill 1986 went much further, with a number of additional, and quite remarkable, departures. Most of these survived into the Privacy Act, to become law.

The first was that the purpose limitation was only to be applicable to information that was solicited from an information-subject. This enormous weakness did not survive into the Privacy Act 1988, although a related weakness did (see later). The second is discussed in the next sub-section.

The third issue was that IPPs 10 and 11 applied not to all users, but only to record-keepers. The ALRC's failure to control disclosure according to purpose did not relieve a third-party user of his obligation to relate his use to an acceptable purpose; but the Privacy Bill 1986 would have entirely relieved third-party users of justifying their use of personal information according to its purposes. IPP 11 in the Privacy Act 1988 contains an additional clause 11.3, which precludes a recipient from using information disclosed to it for any purpose other than the reason for which it was given. This is an improvement, but it is far from the complete protection regime implied by the OECD Guidelines. Data may be disclosed for any reason, irrespective of whether or not it is related to the original purpose. Indeed, if the recipient places the information on a record of personal information, it is then subject to IPPs 10 and 11, which enable its use and disclosure for any additional purpose (and so on ad infinitum). IPP 11.3 therefore appears to be basically empty of any privacy-protective content, but provides a loophole for subversion of the Act's supposed intentions. This is clearly an enormous shortfall from the OECD Guidelines.

Moreover, unless he first places the information in a record-system, and thereby becomes a record-keeper for the purposes of the Act, a recipient is not under any obligation to ensure data quality (e.g. that the information is accurate - since IPP 8 does not apply), nor to ensure that it is relevant to the purpose (since IPP 9 does not apply).

Some of the weaknesses introduced by both the ALRC and the 1986 Bill found their way into the 1988 Act, and caused it to fall far short of OECD requirements.

(b) Exceptions

Exhibit 4.4(b): Use Limitation

OECD - Use Limitation Principle

ALRC - Use and Disclosure

Privacy Act - Limits on Use and Disclosure

The OECD envisages exceptional use of data being restricted to two circumstances:

ALRC 8 (Use) changed the OECD wording in that it:

In the Privacy Bill 1986, four additional circumstances were created under which data may be used or disseminated, and three of these survived into the 1988 Act. The following sub-sections identify and discuss the various exceptions.

Consent

IPPs10.1(a) and 11.1(b) (like OECD4(a)) are silent about whether consent needs to be informed and/or voluntary, and whether consent is effective if obtained under duress, or in a position of unequal bargaining power between the parties. They imply that consent cannot be obtained retrospectively.

Authority of Law

It is unclear why the OECD's straightforward phrase "by the authority of law" needs to be replaced by the Act's "required or authorised by or under law".

Emergency Use

IPPs10.2 and 11.2 require notation in the record in the event of use or disclosure for law enforcement and related reasons under IPPs10.1(d) and 11.1(e). However there is no such requirement in the case of use or disclosure for emergency reasons.

Enforcement of the Criminal Law

The ALRC Report contained no such exception. It was introduced in the Privacy Bill 1986. IPPs 10.1(d) and 11.1(e) provide a blanket authorisation for use and disclosure for any purpose "reasonably necessary for enforcement of the criminal law". It may be that the Government felt that law enforcement would be unreasonably restrained without such an exemption. If so, it must be because law enforcement agencies are in the habit of gaining access to personal information without legal authority. It is quite clear that search warrants, subpoenas and the exercise of Ministerial discretions would be covered by the 'required or authorised by or under law' exception.

All agencies are now explicitly authorised to provide any data to any organisation, provided it appears to be related to a criminal matter. In 1987, a furore arose over the so-called McGoldrick case, which involved unauthorised disclosure by the Health Insurance Commission of the names and addresses of young women who had had abortions by a particular doctor. The Privacy Act, passed by Parliament as a privacy-protective measure, has explicitly authorised such disclosures.

Pecuniary Penalties

The ALRC Report contained no such exception. It was introduced in the Privacy Bill 1986. IPPs 10.1(d) and 11.1(e) allow use and disclosure, irrespective of the system purpose, for any purposes "reasonably necessary for enforcement of ... a law imposing a pecuniary penalty". This 'pecuniary penalty' criterion would appear to include not only significant offences, but also very minor matters, such as parking fines, penalties for late submission of tax returns, failure to vote in an election, failure to return library books on time, and failure to complete an obligatory statistical return. There is no constraint on this use, such as a requirement to balance the degree of privacy invasion against the importance of administering the particular law. A nominally privacy-protective Act has therefore been subverted to provide approval for personal information to be passed beyond the government agencies which collected it, in any circumstances which involve, or can be reasonably argued to involve, a misdemeanour.

Protection of the Public Revenue

The ALRC Report contained no such exception. It was introduced in the Privacy Bill 1986. IPPs 10.1(d) and 11.1(e) allow use and disclosure, irrespective of the data's purpose, wherever it is "reasonably necessary ... for the protection of the public revenue". Once again, there is no test whereby the gravity of the public revenue matter needs to be weighed against the privacy-invasiveness of the use or disclosure.

All personal data held by all agencies is freely available, including that relating to health, financial, and educational matters. The Tax Office's major Act includes explicit limitations on the passing of tax-related personal data (s.16). These long-standing protections have been rendered redundant by a sub-clause of a nominally privacy-protective Act. The scope of the 'protection of the public revenue' exception is so vague that virtually any use and disclosure of virtually any personal data by virtually any government agency could be justified under it! It is precisely this kind of very low valuation of personal privacy that the Act is supposed to be correcting!

The blanket approvals for trafficking in personal data contained in IPPs 10.1(d) and 11.1(e) may prove in time to do more harm to personal privacy in Australia than the benefits which will arise from all other features of the Act.

Medical Research

The fourth additional circumstance created in the Privacy Bill 1986 was to allow use and disclosure, irrespective of the system purpose, for any purpose "necessary or desirable for medical research". This exception represented a lone recognition of the self-regulation approach to information privacy. It was remarkable because:

This clause did not survive into the 1988 Act. Instead, under s.95, the NHMRC may "issue guidelines for the protection of privacy in the conduct of medical research", but only "with the approval of the [Privacy] Commissioner", and the Commissioner must take account of the IPPs in approving the guidelines. Hence this special case is now dealt with appropriately, by providing means for it to be "required or authorised by or under law", rather than by acceding to the claims of a powerful lobby-group for a general exemption.

Usual Practice

IPP2(e) was a new sub-clause in the Privacy Act 1988. It contemplates disclosures not on the basis of relationship to original purpose of collection, but on the basis of 'usual practice'. IPP11.1(a) provides the corresponding power to disclose data which is 'usually passed'. This means that all existing practices whereby agencies collect data for one purpose and disclose for another, are explicitly authorised by law. This represents a major decrease in information privacy, introduced under