Australian Law Reform Commission - Reform Journal

Dobinson, Jonathan --- "Achieving National Consistency in Privacy Regulation" [2007] ALRCRefJl 15; (2007) 91 Australian Law Reform Commission Reform Journal 54


Achieving national consistency in privacy regulation

* By Jonathan Dobinson

On 12 September 2007, the ALRC released a blueprint with 301 proposals for overhauling Australia's complex privacy laws. Review of Australian Privacy Law (Discussion Paper 72) is just under 2,000 pages, and is the product of the largest consultation process in ALRC history.

A key issue raised in the ALRC review of the Privacy Act 1988 (Cth) has been that Australian privacy laws are multi-layered, fragmented and inconsistent. One of the main problems identified is that information privacy in Australia is regulated at the federal and state and territory level. The Discussion Paper (DP 72) sets out a number of reforms to Australia’s privacy laws, including proposals aimed at achieving national consistency.1

Federal regulation of privacy

The Privacy Act 1988 (Cth) regulates the handling of personal information by the Australian Government, the ACT Government and the private sector. The Act does not regulate the handling of personal information by the state governments or the Northern Territory Government, except to a very limited extent.

Other federal legislation also regulates the handling of personal information. For example, the Freedom of Information Act 1982 (Cth) and the Archives Act 1983 (Cth) restrict access to personal information held by the Australian Government in certain circumstances.

State and territory regulation of privacy

Each Australian state and territory regulates the management of personal information although not every state and territory has specific privacy legislation in place. New South Wales, Victoria, Tasmania and the Northern Territory have legislation that regulates the handling of personal information in the state or territory public sector.2 The public sector in Queensland and South Australia is required to comply with an administrative privacy policy rather than privacy specific legislation.3 The public sector in Western Australia does not have a privacy regime. However, state freedom of information legislation and public records legislation provide some privacy protection.4

Legislation in New South Wales, Victoria and the ACT regulates health information in the public and private sectors.5 These Acts overlap with the private sector provisions in the Privacy Act. Regulation of health information in other jurisdictions is restricted to public sector agencies or is the subject of codes and guidelines.6

Personal information is also regulated under state and territory legislation that is not specifically concerned with the protection of personal information such as freedom of information legislation, public records legislation and local government legislation.

These state and territory laws are sometimes inconsistent with the Privacy Act and with each other. For example, there is inconsistency in the bodies and individuals regulated; the types of personal information regulated; and the privacy principles governing the handling of personal information.

Is national consistency important?

A threshold issue is whether national consistency in the regulation of personal information is important. It is the ALRC’s view that national consistency should be one of the goals of privacy regulation.7 The ALRC has found that inconsistency and fragmentation in privacy regulation causes a number of problems including unjustified compliance burden and cost, impediments to information sharing and national initiatives and confusion about who to approach to make a privacy complaint.

All submissions to the ALRC Inquiry that addressed this issue strongly supported national consistency. Most focused on how a nationally consistent privacy regime would lessen unjustified compliance burden and cost. A large number of submissions identified that state and territory legislation regulating the handling of personal information in the private sector is a major cause of inconsistency, complexity and costs. Others, including state governments, supported harmonisation of privacy regimes between governments, and between the public and private sectors, but not uniform privacy laws that mirrored the Privacy Act.

A proposal for national consistency

The ALRC has proposed a flexible approach to achieving national consistency. In some areas, uniformity is a desirable policy outcome, for example, the adoption of uniform privacy principles at the federal, state and territory level. National consistency can also involve the interoperability of laws, or necessitate consistent approaches to the implementation of privacy laws and therefore require cooperation and coordination between privacy regulators.

A nationally consistent privacy regime will help to ensure that Australians’ personal information attracts similar protection whether that personal information is being handled by an Australian Government agency or a state or territory government agency, a multinational organisation or a small business, and whether that information is recorded in a paper file or electronically. The ALRC is also mindful, however, of the need for flexibility in some areas. The ALRC acknowledges that some sectors require specific laws when dealing with personal information, for example, the health sector, the credit reporting industry and the telecommunications industry.

National legislation regulating the private sector

It is the ALRC’s view that the Australian Parliament has the power under the Australian Constitution to legislate to the exclusion of the states regarding privacy in the state public and private sectors, subject to a number of express and implied constitutional limits.

A large number of submissions focused on inconsistency in the regulation of personal health information. Submissions suggested that various problems arise because the handling of health information in the private sector is regulated by the Privacy Act as well as state and territory legislation in New South Wales, Victoria and the ACT. Submissions noted that these laws are creating a significant compliance burden and cost, and are preventing the implementation of projects that are in the public interest, including important medical research. These submissions urged the ALRC to propose the enactment of national privacy laws that regulate the handling of health information.

One way these issues would be dealt with effectively is if private sector organisations were required to comply with a single set of principles in relation to the handling of health information. The ALRC has therefore proposed that the Privacy Act should be amended to provide that the Act is intended to apply to the exclusion of state and territory laws dealing specifically with the handling of personal information by the private sector. In particular, the following laws of a state or territory should be excluded to the extent that they apply to organisations: Health Records and Information Privacy Act 2002 (NSW); Health Records Act 2001 (Vic); and the Health Records (Privacy and Access) Act 1997 (ACT).

Submissions from state and territory governments and others noted that there are various state and territory laws that regulate the handling of personal information in the private sector that would need to be preserved if the Australian Government enacted national privacy legislation. These laws include state and territory laws that require reporting for public health and child protection purposes. The ALRC believes that it is vital that the Australian Government consult with state and territory governments about the laws that should be preserved under an extended Privacy Act. The ALRC has proposed that the Australian Government, in consultation with state and territory governments, should develop a list of ‘non-excluded matters’ for the purposes of the Privacy Act.

Commonwealth-state cooperative scheme

It is the ALRC’s preliminary view that national consistency will also be promoted if the Commonwealth and state and territory governments enter into an intergovernmental agreement in relation to the handling of personal information. The intergovernmental agreement should establish a Commonwealth-state cooperative scheme that provides that the states and territories should enact legislation that regulates the handling of personal information in that state or territory’s public sector.

It is proposed that these laws adopt key elements of the federal legislation into state and territory privacy laws, including privacy principles and key definitions. The ALRC has also proposed that these laws should provide for the resolution of complaints by state and territory privacy regulators and agencies with responsibility for privacy regulation in that state or territory’s public sector.

In addition, the ALRC has proposed the establishment of an expert committee to assist the Standing Committee of Attorneys-General (SCAG) to ensure national consistency in the regulation of personal information. The committee should comprise representatives from state and territory bodies with responsibility for privacy, as well as others with an interest in privacy issues.

A review

Given the importance of national consistency, it is the ALRC’s view that the Australian Government should initiate a review in five years’ time to consider whether the proposed Commonwealth-state scheme in relation to the handling of personal information in state and territory public sectors has achieved its goal. This review should consider whether it would be more effective for the Australian Parliament to exercise its legislative power in relation to information privacy in the state and territory public sectors.

Where to next?

The proposals outlined in DP 72 do not represent the ALRC’s final views. They are preliminary views and the ALRC has welcomed feedback on whether they are practical and appropriate. To date, the ALRC has received over 550 submissions from stakeholders and other interested parties including federal, state and territory government agencies; local and international private sector organisations; lawyers; academics; community groups and individuals. The ALRC is currently considering these submissions and preparing a final report to the Attorney-General of Australia.

Endnotes

1. See Australian Law Reform Commission, Review of Privacy Law (DP 72, 2007), Ch 4.

2. Privacy and Personal Information Protection Act 1998 (NSW); Information Privacy Act 2000 (Vic); Personal Information and Protection Act 2004 (Tas); Information Act 2002 (NT).

3. Queensland Government, Information Standard 42—Information Privacy (2001); South Australian Government Department of Premier and Cabinet, PC012—Information Privacy Principles Instruction (1992).

4. Freedom of Information Act 1992 (WA); State Records Act 2000 (WA). The Information Privacy Bill 2007—which aims to regulate the handling of personal information by the state public sector and the handling of health information by the public and private sectors—was introduced into the Western Australian Legislative Assembly in March 2007.

5. Health Records and Information Privacy Act 2002 (NSW); Health Records Act 2001 (Vic); Health Records (Privacy and Access) Act 1997 (ACT).

6. See, eg, Queensland Government, Information Standard 42A—Information Privacy for the Queensland Department of Health (2001); South Australian Government Department of Health, Code of Fair Information Practice (2004); Northern Territory Government Department of Health, Information Privacy Code of Conduct (1997).

7. This finding is consistent with other recent inquiries into privacy laws: Parliament of Australia—Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005), rec 3; Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), recs 2–7.

*Jonathan Dobinson is a Senior Legal Officer at the Australian Law Reform Commission. He is part of the team working on the ALRC's Privacy Inquiry.


URL: http://www.austlii.edu.au/au/journals/ALRCRefJl/2007/15.html