SENATE

Privacy Amendment (Private Sector) Bill 2000

Revised Explanatory Memorandum

(Circulated by authority of the Attorney-General, the Honourable Daryl Williams AM QC MP)

Regulation impact statement

The following information is provided in accordance with the Guidelines issued by the Office of Regulation Review, Productivity Commission.

Introduction

The development of electronic commerce is important for Australia's future. Encouraging Australians to embrace the Information Age will maximise the potential benefits. The Government is looking to encourage business and consumer confidence by setting in place a legislative framework to support and encourage private sector led development of the information economy.

Buying and selling between individuals and businesses, banking and international trade in goods and services is increasingly being conducted over the Internet or through other information technology systems. The use of these new systems to conduct business transactions, purchase goods and services, pay bills or collect and retrieve information offers many benefits in terms of speed, convenience and records management.

However, the rapid developments in information technology, data networking and electronic commerce raise some correspondingly difficult economic and legal problems relating to taxation, security, privacy and jurisdictional issues.

Privacy has become a more significant concern as more people's personal details are stored and exchanged as part of an electronic transaction. Common concerns centre on whether there is any protection for personal information, including how it is collected and stored, how it is used, whether it is secure and accurate, as well as whether an individual has a right of access to personal information held by an organisation about them. There are also concerns as to whether existing legal mechanisms are enforceable. Even if one country's laws are adequate, it may be difficult to enforce rights under such laws as transactions may flow across many national borders, depending on where the business, consumer and website are located. For example, a single transaction can involve three or more countries, making it hard to determine which country's law will apply to the transaction.

The speed at which electronic commerce is evolving and changing makes it difficult for existing laws to be adapted. Any arrangements that are put in place need to provide an adequate and enforceable level of security and protection of personal information, while being flexible and technology-neutral so they can adjust to changing circumstances and emerging technologies.

At present, Australia has no comprehensive privacy laws applying to the private sector. Existing legislation includes the Privacy Act and the Telecommunications Act 1997. The Privacy Act applies to Commonwealth Government agencies and to private organisations that handle credit information and tax file numbers (for example, banks and credit unions). The Privacy Act sets standards for the collection, storage, use and disclosure of personal information. The provisions in the Telecommunications Act 1997 allow the Australian Communications Authority to request the development of an industry code dealing with privacy.

Since 1997-98, a self-regulatory framework has been operating in the private sector. The framework is based on the Privacy Commissioner's National Principles, developed to guide private sector businesses in the development of practices for dealing with personal information that prevent its inappropriate collection, misuse, insecure storage or inappropriate disclosure. The Privacy Commissioner's National Principles also encourage organisations to be open about the personal information they hold and require organisations to provide an individual with access to personal information held about them.

Voluntary codes, based on the Privacy Commissioner's National Principles, have been developed in some industry sectors. The Australian Direct Marketing Association (ADMA) and the Insurance Council of Australia (ICA) have released codes, although the ICA code departs from them in certain respects. A draft code incorporating the Privacy Commissioner's National Principles was developed by the Internet Industry Association (IIA), although the incorporation of privacy standards in the IIA's final code has been delayed in view of the Government's decision to legislate. Other organisations, such as the Australian Retailers Association, are consulting with members on whether, and how, privacy standards might be implemented. The Australian Bankers Association has indicated that it favours a code that incorporates privacy standards through contractual agreements with customers. Other organisations have adopted internal codes, policies or standards, which may or may not be consistent with the Privacy Commissioner's National Principles. Many industry sectors that regularly deal with personal information are partially covered by some form of regulation. Consequently, any move to more comprehensive controls over privacy will not impose onerous costs on the main affected industries.

The issues surrounding the protection of personal information, and the best strategy to secure such protection, have been publicly discussed for some time. Over the last two years, the Government has provided encouragement and assistance to business, through the Office of the Privacy Commissioner, to encourage the take-up of mechanisms to protect personal information held by them. However, the response from business has not been consistent and has not led to comprehensive personal data protection.

The Government's election policy platform committed it to review the implementation of self-regulatory privacy protection in the private sector to ensure the fair handling of personal information by Australian businesses. The Attorney-General, through a core consultative group, conducted this review. The Government's decision to extend a privacy regime to the private sector is to be achieved by applying privacy principles, similar to those in the Privacy Act that apply to the public sector, to personal information held by private sector organisations.

Issues

The extensive consultations over recent years on the absence of privacy protection in the private sector have raised a number of concerns that have not been resolved under the present self-regulatory approach. These concerns include:

1. the potential for barriers to international trade for business;
2. the lack of protection afforded to the consumer;
3. the effects on the take-up of electronic commerce resulting from lack of protection to consumers;
4. the lack of comprehensive coverage of business;
5. the possibility that some States and Territories will impose stricter controls, which may result in inconsistencies between jurisdictions.

Businesses engaging in trade with European Union (EU) Member States are likely to experience difficulties under the current self-regulatory approach. There are serious questions surrounding the ability of Australia to meet the requirements for continued trade with EU Members under the European Union Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data ("the EU Directive"). The ability of individual businesses to satisfy the requirements of the EU Directive could prove problematic and result in ongoing costs, and the extent to which electronic commerce opportunities across borders can be utilised may also be affected.

There is no indication so far that trade with non-EU Member States will be affected. This will depend on the extent to which other countries move to restrict transborder flows of personal information to countries that do not provide appropriate privacy safeguards. Various countries may consider such measures in order to satisfy the requirements of the EU Directive. Some of Australia's key trading partners are moving towards private sector privacy legislation. Canada passed private sector privacy legislation in April 2000. The United States has a mix of legislative and self-regulatory protection. Several countries in our region have privacy legislation and others are understood to be considering the development of similar legislation. The extent to which a flow-on effect from the requirements of trading with EU Member States will result in other countries moving to restrict transborder data flows is not clear, but should not be discounted as a potential trade barrier in the future.

The lack of comprehensive protection of consumers' personal information is an important element affecting consumer confidence in the information economy and, increasingly, participation in electronic commerce. Surveys conducted both here, and in other countries such as the United States, have indicated that consumer confidence in electronic commerce depends largely on the level of protection afforded to their personal information. Consumers want some limitations imposed on the private sector in respect of personal information that may be collected. Also, consumers want stronger controls regarding how their personal information may be used after it is collected and to whom it may be disclosed outside the organisation. The Government acknowledges that if this issue is not adequately addressed, it has the potential to hamper the growth of electronic commerce.

Notwithstanding the lengthy period of time during which consumer privacy has been recognised as a critical issue, particularly in the context of the growing information economy, the take-up of personal information protection by business has been variable and slower than expected. Codes or other means (for example, by way of contract) of implementing personal information protection already in place have not set consistent standards. For example, different codes nominate various dispute resolution bodies, creating jurisdictional problems and administrative burdens for business. In addition, no industry groups have 100 per cent coverage of their industry. In some cases, such as the ICA code, members are not bound unless they sign up to the code. For the protection of personal information to be effective, any voluntary scheme providing for this type of protection must be coherent and comprehensive in its application. This has not occurred, in spite of the increased encouragement and support provided by the Government in the last two years.

The adoption of self-regulatory privacy codes by only some businesses has led to an absence of an effective and comprehensive data protection framework for the private sector in Australia. This has the potential to impact negatively on consumer and business adoption of electronic commerce and also Australia's trading relationships.

However, the provision of any personal information protection imposes costs on business and it is important to take these compliance costs into account when developing a scheme for the fair handling of consumers' personal information. The level of cost will depend on a number of factors, including:

the flexibility of the regulatory approach adopted;
the extent to which individual organisations are able to turn to recognised standards and mechanisms, or are required to develop them independently;
the consistency of the standards to be applied across an organisation or industry sector; and
the means of resolving disputes and the extent of redress that may be required.

The effectiveness of privacy protection for consumers will depend on the nature of the privacy scheme that is implemented. This includes the extent to which a scheme provides readily-understood, consistent levels of protection, affordable and accessible dispute resolution procedures, as well as the extent to which a scheme assists businesses to improve their practices, where necessary.

Objectives

The objective of the Government's privacy policy is to reduce obstacles to the development, take-up and use of electronic commerce and other new technologies resulting from concerns about the possible mishandling of personal information by the private sector. In developing a system for the fair handling (collection, holding, use, disclosure and transfer) of personal information in the private sector the Government also aims to ensure that any scheme:

is workable, consistent and cost-effective;
provides Australian businesses with a framework that will assist them to take a leading role in the global information economy; and
is compatible with the EU Directive, so that potential barriers to international trade are removed. (See Attachment A for a summary of the NPPs and relevant parts of the EU Directive.)

Options

There are a variety of possible options to address the problems identified. A regulatory strategy based on prescriptive Commonwealth legislation could be introduced. This option might involve the extension to the private sector of the framework that currently applies to the public sector under the Privacy Act. (The principles that govern the way the public sector should handle personal information are contained in s.14 of the Act, and are known as the "Information Privacy Principles" (IPPs). The standard they set for the public sector handling of personal information is slightly higher than that provided in the NPPs. The NPPs, whilst based on the IPPs, have been modified to take private sector business practices into account.) While having the advantage of providing a uniform approach applicable to all industries, professions, organisations, jurisdictions, activities and types of information, such a strategy could result in some inefficiencies. The legislation would not necessarily provide any guidance to organisations on how the IPPs would apply in particular circumstances. As a result, compliance could impose considerable cost burdens on businesses, and these costs may be passed on to consumers.

Other options involving minimal regulatory impact are available. These are self-regulation, which reflects the status quo, and co-regulation. The current self-regulatory system involves some industry-developed codes of practice without any legislative backing. Adoption of a code is voluntary and not necessarily uniform across a particular industry. There is, therefore, no way to ensure that all organisations in that particular part of the private sector adopt fair information handling practices.

Co-regulation would also foster industry-developed codes, but these would be underpinned by legislation that would establish key principles and serve as a default framework in the absence of industry codes. As a general principle, most organisations in the private sector would be required to either adopt a code or comply with the legislative principles - either of which would require them to engage in fair information handling practices.

Option one: self-regulation (status quo)

The current, fully self-regulatory framework has a number of positive features. First, the ability of industry to develop codes leads to industry "ownership" which may foster a commitment to implementation greater than that which might apply under rules imposed through legislation. Second, codes are cost-effective, flexible, offer a large degree of sensitivity to market circumstances and are conducive to international competitiveness and product innovation. Australian businesses would be able to choose a level of privacy protection that allows them to compete internationally with foreign businesses.

As noted, some industries have already developed their own codes. However, the codes implemented to date have, in some industries, proved relatively ineffective because coverage is not comprehensive. For example, the ADMA code of practice for privacy protection covers only organisations that are members of ADMA. It is obvious that non-member direct marketing organisations are not required to adhere to the principles in that code.

Other industries have been reluctant to innovate in the area of privacy protection. For example, the final version of the Life Insurance Code of Practice did not address privacy issues. The life insurance industry was reluctant to take a position of leadership with respect to privacy protection, preferring to wait for direction from Government. The Internet Industry Association has adopted a similar stance.

The major difficulty with self-regulation is that it may result in inconsistent standards across industries, and, as the system is voluntary, there is no way to guarantee that all organisations in the private sector will even adopt a code of practice. Where differences across industries are significant, problems may arise, particularly for organisations whose operations span a number of different industries. For example, the insurance industry may have to comply with codes drafted for life insurance, general insurance, finance, direct marketing and so on. A second potentially negative effect of self-regulation may be "regulatory arbitrage", where organisations try to redefine their operations to fit within the most favourable code.

There may also be difficulties with enforcement. Self-regulatory codes do not usually provide consumers with any effective enforcement mechanism. The only means by which such codes could be made legally binding would be by inclusion by reference in a contract. Action under contract is cumbersome and costly for consumers and provides only limited remedies.

A central complaints mechanism, such as the Privacy Commissioner, would not be available to individuals under self-regulation. Where an organisation is required to comply with several different codes (which may conceivably have different enforcement mechanisms) a consumer may also have difficulty deciding how to commence an enforcement action in the first place. Ultimately, consumers may be reluctant to take any action if the cost and inconvenience of taking action is too high.

Option two: co-regulation

The term "co-regulation" refers to a legislative framework within which self-regulatory codes of practice can be given official recognition. Legislation establishes the general principles with which all organisations must comply. It establishes the minimum benchmarks or safeguards that must apply across the board.

By providing the framework upon which industry codes are developed, the legislative approach ensures consistency and standardisation of personal information handling practices. In the absence of an industry code, the legislation would provide a default framework. The complaints mechanism available under the legislation would also provide a default mechanism where a code did not provide for a mechanism for consumers to make a complaint. The remedies available to the consumer under a code would be the same as those available under the legislation.

This option would appear to have significant advantages. First, it would ensure that all organisations would be required to adopt fair practices in relation to handling personal information, that there would be an identifiable mechanism for making a complaint about any organisation, and consistency and transparency in the remedies available to the consumer. Second, it would allow industries to develop codes tailored to the specific requirements of that industry. This would allow flexibility and sensitivity to industry and market needs. Third, industry would retain ownership of its code and its implementation process. Fourth, codes could be written in language readily understood by the operators in the industry, thus allowing their direct use at the operational level. Finally, the possibility of being able to amend codes would ensure that changing circumstances could be readily accommodated.

One difficulty with co-regulation, like the self-regulation model, is that because codes may apply to acts or practices, or to certain information, or to a particular industry, there is a possibility that some organisations may have to comply with several different codes. Another difficulty may arise in relation to dealing with complaints. Organisations may have adopted a code that sets out a complaint resolution mechanism for consumers to use. Alternatively, complaints may be made to the Privacy Commissioner about an organisation where there is no code setting out a complaint resolution mechanism which binds that organisation. The consumer may not always be aware of the relevant complaint mechanism and may become confused about where to go to resolve their problem.

Option three: full regulation

Full regulation would have the advantage of imposing a uniform framework across all Australian industries that collect, store and deal with personal information. Such a framework would not only implement general privacy principles, but would also provide a uniform complaints resolution mechanism and ensure remedies available to the consumer (including compensation) were consistent across the entire private sector. It would also provide other countries with a more certain picture on how personal information was protected in Australia.

However, the extension to the private sector of principles enshrined in legislation would not recognise and accommodate specific industry requirements, and would not allow flexibility and sensitivity to industry and market needs. It would therefore entail high legal and compliance costs for government and business. These costs may eventually be passed on to the consumer and could potentially erode the competitiveness of Australian businesses competing internationally in a globalised on-line environment. It would also be difficult to adapt or amend legislation rapidly to accommodate changes in technology or commercial practices.

Full regulation is not an option that has been considered by the Government to date. However, if co-regulation does not work well it may be an option for the future. At present full regulation is not considered feasible and is not discussed in further detail in this Regulation Impact Statement.

Impacts

Impact group identification

The groups affected by each of these options can be described as follows:

the Commonwealth Government and its agencies (in particular the Federal Privacy Commissioner and the Attorney-General's Department) as well as State and Territory Governments (government);
businesses and other organisations in so far as they deal with the relevant forms of personal information (business); and
consumers who deal with those businesses (consumers).

The following analysis looks at the impact in terms of potential costs and benefits for the identified groups in respect of each of the options.

Estimating costs and benefits

The Senate Legal and Constitutional References Committee in its March 1999 report on privacy issues noted that "costing of privacy schemes is difficult mostly because the variables are unknown. It is not easy to determine, for example, the extent to which consumers will complain, or the extent to which they will require compensation. Thus, administrative and other costs are difficult to predict." A corresponding difficulty applies to the estimation of benefits, notwithstanding consumer surveys that indicate consumer confidence in electronic commerce is impeded by the absence of legal privacy protection in an on-line environment.

Witnesses giving evidence before the inquiry and submissions made in response to the Attorney-General's Department's discussion paper have been equally reluctant to make precise estimates of costs and benefits. In the Information Privacy in Victoria discussion paper it was noted that "the cost implications of the data protection regime will vary greatly from organisation to organisation. They will depend on the size and complexity of the organisation and its exposure to personal information." For these reasons, this Regulation Impact Statement does not seek to give firm estimates in economic terms of impacts on identified groups, but assesses costs and benefits in more general terms on the basis of analysis and consultations.

What can be stated with confidence is that there are certainly legislative options available that do not impose unacceptable compliance costs, especially where these legislative options, such as the proposed strategy, focus primarily on medium-sized and large businesses. The Victorian discussion paper cited a "survey conducted by Price Waterhouse in 1997, [which] revealed that major Australian businesses estimate that costs might not be significant. Of the 130 companies that responded, 79 per cent felt that only minor changes to their business practices would be necessary to comply with privacy legislation. Nearly two thirds of the companies, most with sales figures in the billions of dollars, believed it would cost them less than $100 000 to conform to any privacy legislation - less than 0.01 per cent of sales revenue."

Option one: self-regulation (status quo)

Government

Costs

There would be no direct cost for the Commonwealth Government in continuing the current self-regulatory system apart from the costs associated with the Privacy Commissioner's ongoing role in developing privacy protection in the private sector through assisting industries with voluntary codes (if the Government continued to support this role of the Privacy Commissioner).

Some State and Territory Governments may choose to proceed with legislation to protect privacy in the private sector. This may raise the overall cost to government of legislating through duplication of elements of the policy development and implementation process. The extent of these costs would depend on the strategies pursued by States and Territories choosing to legislate.

Benefits

Under self-regulation, the Commonwealth Government would not have to resource the development and implementation of a legislative regime for privacy protection in the private sector. It would also not need to resource the Privacy Commissioner to administer the NPPs and his increased powers and functions, including assisting with the development of codes and providing a complaints and enforcement mechanism for individuals.

If State and Territory Governments chose to proceed with their own legislation this may provide some benefits from competition and innovation through the policy development process.

Business

Costs

First, under the status quo businesses will continue to face the costs of developing and implementing a self-regulatory framework for the protection of personal information. Businesses are only likely to invest in privacy protection if they perceive it as good business practice including some commercial advantage (for example, by acknowledging the statistical evidence which indicates that consumers value and seek privacy protection, especially in the electronic environment). It is likely therefore that within each industry there will continue to be a spread of businesses that offer different levels of privacy protection.

Businesses using electronic commerce (eg, to purchase supplies) that are interested in privacy protection may have to spend some time and money searching for businesses that offer the required level of protection. These costs are likely to fall over time for those businesses that tend to operate through established contacts. If businesses find search costs and the risks of using electronic commerce too high they may choose to use alternative services/payment methods. This may have some adverse effects on those businesses offering electronic commerce services (whether or not they have invested in privacy protection), from slower growth in demand.

For businesses using electronic commerce that have no concerns about privacy protection for individuals there will be no search costs.

A low level of consumer and market confidence in a purely self-regulatory framework may result in these businesses being unable to take full advantage of the benefits and efficiency to be gained by utilising electronic commerce and other new technologies. This issue has been raised by a number of consulted parties, but no cost estimates are available.

Second, any State and Territory legislation in relation to private sector data protection may impose increased complexity and compliance costs on business as a result of having to adapt to varying State and Territory privacy laws. Overall, Australia's existing legal frameworks are only limited in their coverage and vary widely across jurisdictions. A corresponding erosion of the international competitiveness of Australian businesses could also result. This concern has been raised in consultations but an estimate of the cost of complying with differential legislative frameworks has not been established.

Third, such an approach would not create a level playing field within Australia in terms of compliance with standards of protection for personal information. "Free riders" that do not provide effective protection could still benefit from the reputation of a sector that broadly does. Conversely, their behaviour could impact negatively on perceptions of organisations that comply in good faith. Compliant companies would also lose a direct competitive advantage over non-compliant companies, which do not assume the costs of compliance. The actions of organisations that do not provide effective protection could also undermine the credibility of data protection in the particular industry sector as a whole, creating a disincentive to invest in the development of self-regulatory protection. It may also provide a disincentive to consumers to embrace the services provided by that sector, as, for example, in relation to electronic commerce. The overall value of the potential damage caused by free riders is difficult to estimate.

Fourth, organisations that operate across multiple industry sectors may experience difficulties in complying with different standards under industry codes that operate in relation to different parts or activities of the one organisation. In addition, such organisations may experience extra burdens and costs involved in liaison and referral to various dispute resolution bodies established under different codes. On the basis of extensive consultation, the Senate Legal and Constitutional References Committee reported that the costs of complying with multiple industry codes, often with different and even contradictory objectives, would probably be greater than the costs associated with a co-ordinated code-based approach underpinned by legislation.

Finally, in light of information provided by the European Commission (EC) on their approach to ascertaining "adequacy" for the purposes of the EU Directive, it appears unlikely that a purely self-regulatory approach will suffice. Business may continue to experience uncertainty regarding trade with EU Member States. In addition, the EC has placed the hurdle somewhat higher in relation to self-regulation as opposed to legislative protection of personal information. The requirements regarding voluntary codes have been made more rigorous in order to address concerns about reduced enforceability and accountability. For example, it appears that the EC may require punitive sanctions to be available under voluntary codes but will not require similar sanctions to be available under a legislative scheme. It is difficult to estimate the value of the international trade that could be affected in this regard, but it has the potential to be significant given that the EU is one of Australia's major trading partners.

Without an assessment of adequacy at the national level, industry associations in sectors with privacy codes could incur costs in ascertaining whether they satisfy the requirements of the EU Directive.

Benefits

Businesses that develop privacy protection regimes may attract additional business, which could provide a competitive advantage for some firms. The extent of these benefits will depend on how well informed consumers are, the nature of the privacy code and its effectiveness for those consumers who care about privacy protection.

Businesses will be able to decide for themselves whether to set up a scheme for the protection of personal information held by them, and if so, to what standard. They therefore have the ability to control the costs of implementing an industry or corporate code. Businesses that do not see a market advantage in self-regulating may choose not to do so, or choose not to enter into particular types of electronic commerce where the protection of personal information concerns are likely to be high. Self-regulation is probably more flexible and responsive to business and consumer preferences, and may be modified quickly and easily.

Also, Australian businesses could choose a level of privacy protection that would not erode their competitive position internationally to the same extent that a prescriptive, regulatory approach may. The exact value of these benefits would depend on the commercial decisions made by individual businesses, and has not been estimated.

Some private sector organisations, for example, the Insurance Council of Australia, that already have mature and comprehensive privacy protection standards, including a complaints resolution process, may prefer self-regulation to be retained. Self-regulation provides more scope for such businesses to tailor their consumer complaints mechanism.

Consumers

Costs

The costs of self-regulation to consumers are derived from four main areas.

First, in a self-regulatory framework, consumers are subject to differing levels of protection for their personal information, depending on which organisation or sector they are dealing with. There may be confusion about requirements and the nature of any rights. The onus is placed on the consumer to investigate and evaluate their options regarding the levels of protection offered by particular organisations.

Second, due to geographic factors and/or the absence of protection for personal information across an entire industry, consumers will often have no choice but to deal with an organisation that offers no privacy protection. Where a code does apply, the ability of the consumer to enforce the obligations of a business in a particular industry will be limited by the availability and robustness of industry established and funded enforcement mechanisms. Consumers who deal with organisations or businesses that do not abide by a comprehensive self-regulatory code may be unable to obtain compensation or other redress, for example, to obtain correction of inaccurate information, or for loss or damage resulting from misuse of personal information. The cost of this lack of protection would depend on the kind and size of transactions undertaken and the extent of possible misuse of personal information.

Third, it is likely that those consumers dealing with companies that have developed and implemented information protection systems will pay the costs of those systems as absorbed into the prices of goods and services. Similarly, in the event of inconsistent legislation being passed by States and Territories, the cost of compliance with varying State and Territory privacy laws is likely to be passed on to consumers. The cost of goods and services, where they involve the transfer of personal information from Europe under the EU Directive, may be unevenly distributed. The precise extent to which these costs would be passed on to consumers would ultimately depend on commercial decisions of the affected businesses.

Fourth, the general Australian community would continue to have concerns about the way personal information is handled by Australian businesses in the on-line environment and may not have the confidence to avail themselves of the benefits of electronic commerce and other new commercial possibilities. The overall growth of the information economy in Australia could be stunted as a result, although there are no detailed costing projections in this respect.

Many potential misuses of personal information can impose a direct cost on the consumer. "Spam" e-mail and direct marketing via bulk facsimile transmission are examples. If the transfer of an individual's e-mail address or fax number (along with perhaps other information such as purchasing habits) results in that person receiving unsolicited communications, the nature of e-mail and fax as a form of communication means that the cost of delivery will largely be borne by the recipient. This is also the case with the consumer's cost in contacting the organisation to request no further communications. Australian businesses may be more likely to initiate such practices in a self-regulatory framework.

Benefits

Where consumers deal with an organisation that chooses to provide protection for personal information, they benefit from the privacy standards and enforcement mechanisms that the organisation voluntarily abides by. Conversely, consumers who are not concerned about the protection of personal information might choose to transact with an organisation that is not covered by a code, thus potentially taking economic advantage of any reduced costs under which that business may operate. Consumers may choose to take risks with their personal information in order to secure a cheaper product, although the precise value of this benefit to consumers is difficult to estimate.

Consumers may also benefit under self-regulation by not having to bear transferred compliance costs arising from prescriptive regulation. The value of these benefits would depend on commercial decisions and consumer behaviour.

Option two: co-regulation

Government

Costs

The Privacy Commissioner, funded by the Commonwealth Government, will have a role in relation to:

complaints resolution and general oversight of compliance for those businesses without privacy codes;
evaluating, and deciding whether or not to approve, proposed privacy codes (the Privacy Commissioner would be required to consider many factors, and, before approving a code, would need to be satisfied that: the code sets out obligations that are at least equivalent to all the obligations set out in the NPPs; the code specifies the organisations that will be bound by it; only organisations that consent to be bound by the code are, or will be, bound by the code; and members of the public have been given an adequate opportunity to comment on a draft of the code. The code, if approved, would take effect on the day specified in the approval);
supporting voluntary industry codes; and
providing targeted assistance to businesses that hold little personal information.

Additional funding will be required for these functions. Further resources will also be required in the Attorney-General's Department for the administration of the legislation. Indicative costs are $1.397 million in 1999/2000, with a total cost of $6.093 million over four years.

Benefits

The Government would be taking a role in the promotion of greater consumer confidence in on-line transactions with Australian businesses covered by the legislation and associated codes, and would thus be supporting the development of the information economy. It would also be providing some certainty to Australian businesses regarding trade with EU Member States, thereby facilitating international trade, with likely benefits for the wider economy. The precise economic value of these benefits would depend on a large number of variables. The Government would also benefit from certainty about its compliance with privacy obligations where Government services are outsourced to the private sector.

Government would avoid some of the costs of a more prescriptive approach because the costs of developing industry codes, including dispute resolution, would be largely borne by business. The Privacy Commissioner would not be required to resolve disputes relating to businesses that have their own approved privacy code consistent with the NPPs.

Business

Costs

Businesses will have to develop their own codes, including dispute resolution mechanisms, for the protection of personal information that comply with the NPPs and the other provisions in the legislation. These compliance costs may include the cost of:

the development of a privacy policy and procedure document and the advertisement of the policy and procedure in pamphlet form, and/or on the organisation's website;
reviewing the sort of information collected by the organisation and the way in which the organisation collects the information;
reviewing the way the information is stored, and possibly developing a new and secure storage system for paper and electronic records in order to prevent unauthorised access to, or use or disclosure of, the information. This may involve the purchase of a secure facsimile machine, lockable filing cabinets, and/or a new computer system;
reviewing the way in which the information is used and disclosed and modifying practices accordingly. This may involve the training of staff members about their obligations in relation to use of personal information and disclosure of that information. Identifying the types of organisations to which information is usually disclosed may lead to the redevelopment of paper and electronic forms and notices, including those on websites.

The cost of this option to business will vary given that some have already commenced adoption of a self-regulatory approach to privacy protection. Those that currently offer protection for personal information or intend to develop their own privacy codes will incur few or no additional costs. Costs involved with upgrading or altering an existing code would depend on the nature of the code and the extent of additional work that is required to ensure that it complies with the legislation. Where an existing code complies with the legislation, the additional costs should be negligible. There has been no precise estimate of the total cost across the private sector in this respect.

The impact of the proposed framework will vary across industry sectors. The importance of a strategy that is both uniform in its application of privacy principles and flexible enough to accommodate sectoral differences is illustrated by the case of the direct marketing industry. The direct marketing industry is, in a sense, based on trade in personal information. Implementation of a legislative framework without recognition of the specific nature of the direct marketing industry could have a significant negative impact on this industry. ADMA's existing code incorporates the Privacy Commissioner's National Principles. ADMA may opt to revise its code to apply the NPPs in the context of its industry and examine different options for enforcement of its code. Various provisions such as an "opt-out" capacity for consumers have been developed to satisfy the broad spirit of the Privacy Commissioner's National Principles. While the outcome of these efforts in relation to the proposed legislative framework is yet to be seen, the example of the direct marketing industry illustrates the capacity of the proposed strategy to operate uniformly, but with a degree of flexibility that can help to minimise negative economic impact on businesses.

Organisations that do not comply with personal information protection standards in an industry code may be required to provide compensation to consumers for harm suffered as a result of a breach of the code. If there is no relevant code, a breach of the legislation could also result in sanctions imposed by the Privacy Commissioner.

Co-regulation may be less flexible than full self-regulation. The capacity of Australian businesses to compete internationally with businesses that do not have the costs of complying with such a framework may be somewhat diminished, and offshore businesses will continue to transact on-line with Australian consumers without being captured by a code or default privacy principles since they are likely to fall outside Australian jurisdiction.

The marginal cost of applying a privacy protection system, once implemented, to large amounts of information is probably relatively low. Costs are, however, potentially greater in relative terms for small businesses. To minimise compliance costs, it is proposed that small businesses be exempt from the operation of the legislation. Only those small businesses that pose a higher risk to the privacy of individuals will be made subject to the legislation. The treatment of small business under the legislation is explored in "Effects on Small Business" below.

Benefits

A legislative framework underpinning self-regulation would allow a continuation of the progress that has been made to date towards self-regulation, while correcting those elements that have acted to undermine effective privacy protection of personal information. Business will benefit in four main ways.

First, Australian businesses covered by the co-regulatory framework should benefit from increased consumer confidence in their systems for the handling of personal information. This will develop through the codification of privacy protection with legislative backing. The actions of organisations that do not voluntarily subscribe to any approved privacy code will be regulated by the legislative aspects of this scheme and therefore the organisations would find it more difficult to undermine the credibility and relative cost-effectiveness of privacy protection in the industry or sector as a whole. This approach would be likely to foster a level of consumer confidence in on-line transactions with Australian businesses, and should correspondingly increase the uptake of electronic commerce and new technology. Businesses will be able to take advantage of the savings to be made and the opportunities offered by utilising these new commercial platforms.

Second, Australian businesses will generally be able to operate on a level playing field domestically in terms of compliance with personal information protection standards. Organisations that choose to comply will no longer incur a cost disadvantage to free riders based in Australia. Organisations operating across multiple industry sectors will be less likely to be subject to inconsistent standards between codes that operate in different industry sectors, and would not be subject to the burdens and costs associated with liaison and referral to various dispute resolution bodies under different codes. The differential in commercial benefits for individual businesses between self-regulation and co-regulation with respect to compliance would vary depending on the difference in practical requirements for individual businesses between these two frameworks.

Third, a Commonwealth regulatory framework will provide national consistency for business and will remove compliance costs to business associated with varying or even conflicting State and Territory legislation. The benefits of the proposed co-regulatory framework, with its national uniformity, would outweigh any benefits from multiple State and Territory regimes. Significant cost advantages are to be derived from a single national privacy law. Electronic Frontiers Australia has noted that, "[a] major factor about not having a federal scheme, and possibly having many state schemes, is the cost of compliance. Under a federal scheme it would be one set of rules to follow. Under separate state schemes, one organisation operating nationally would be required to comply with seven different laws."

Fourth, it would also be more likely to satisfy the requirements of the EU Directive and thus provide business with certainty in their dealings with European business partners. A uniform system has the advantage that there is no requirement to prove on a case by case basis that businesses comply with any particular privacy standards such as that for the EU. Mr Nigel Waters, a privacy advocate, has told the Senate Legal and Constitutional References Committee that, "even if some sectors or jurisdictions are able to pass the EU 'adequate protection' test, this would still leave most Australian businesses, and governments, in the situation of having to demonstrate on a case by case basis that they ensured adequate protection for particular transfers of personal data from Europe. The cost, and cost of uncertainty, involved will potentially massively outweigh the modest compliance costs associated with a sensible, light handed statutory privacy scheme." Under the proposed co-regulatory framework, the possibility that Australian trade could be adversely affected by the EU Directive would very likely be removed, although the total value of the affected trade, and the possible impact on this trade of variable outcomes from business level negotiations, has not been estimated.

Consumers

Costs

Costs associated with implementing or upgrading an industry code, or complying with the default legislative framework, may be passed on to consumers. These costs may be transferred by affected businesses to the customers who benefit from the privacy protection, or may be absorbed elsewhere. The monetary cost to consumers would depend on commercial decisions made by the affected businesses, and no precise estimate has been made.

Other costs to consumers may arise if opportunities for direct marketing are reduced. Consumers could receive less information about products and the range of goods and services available. The economic value of the decrease in information about products and services is, however, difficult to quantify.

There may also be initial costs for the consumer in seeking redress through dispute resolution procedures if an alleged interference with privacy is pursued by the consumer or a breach is established. For example, assuming the responsible business was within the jurisdiction of the amended Privacy Act or an industry code, a consumer who has surrendered personal information to a number of different businesses would have to establish which business was responsible for the interference with privacy and the nature of the interference. There would also be costs involved in pursuing any possible breach whether through the Privacy Commissioner or the code mechanism. However, costs would vary from case to case.

Benefits

Consumers could more confidently use electronic commerce and other new technologies where these allow them to perform transactions with businesses covered by the legislation or an approved privacy code. They would therefore be more likely to enjoy the efficiencies and benefits of new technology. Consumer confidence in the existence of accessible and effective dispute resolution mechanisms, whether through the Privacy Commissioner in the legislation or in an approved privacy code, would develop.

There would also be consistency in the standards and therefore the level of privacy protection across all States and Territories, potentially reducing the compliance costs to business and the level of cost consequently passed on to consumers. Exact benefits would vary according to circumstances.

Community access to goods and services involving the transfer of personal information from EU countries would probably not be disrupted. The direct cost associated with unwanted "spam" e-mail and bulk faxes from direct marketing operations within the jurisdiction of the legislation or an approved code may also be reduced, as, under the proposed legislation, consumers would be given the opportunity to opt out of further direct marketing communications.

Tabular Summary of Impact Analysis

Each row below compares Self-Regulation (Status Quo) with Co-Regulation.

Cost for Government
Self-Regulation (Status Quo): Possible legislative duplication in different jurisdictions.
Co-Regulation: $1.397 million in 1999/2000, with a total cost of $6.093 million over four years.

Cost for Business
Self-Regulation (Status Quo): Cost of code development, framework duplication and conflict, possible diminished consumer and trading partner confidence. Cost of negotiations with EU.
Co-Regulation: Cost of code development, upgrade (minimised by legislative guidance), minor potential impact on international competitiveness, sanctions arising from breaches.

Cost for Consumers
Self-Regulation (Status Quo): Cost of code development may be passed on, potential lessening of confidence in Australian businesses.
Co-Regulation: Cost of code development may be passed on. Cost of seeking redress.

Benefits for Government
Self-Regulation (Status Quo): No additional Commonwealth funds.
Co-Regulation: Legislative duplication minimised.

Benefits for Business
Self-Regulation (Status Quo): Lower compliance cost, flexibility.
Co-Regulation: Savings resulting from guidance in code development. No framework duplication. Potential increase in consumer and trading partner confidence.

Benefits for Consumers
Self-Regulation (Status Quo): Possible lower prices.
Co-Regulation: Potential increase in confidence in Australian businesses.

Overall assessment
Self-Regulation (Status Quo): Benefits likely to outweigh costs but does not deliver a comprehensive privacy scheme.
Co-Regulation: Benefits likely to outweigh costs and provides a more workable and nationally consistent privacy scheme than self-regulation.

Effects on small business

Before the legislation was introduced, it was considered necessary to identify categories of business, especially categories of small business (if any), or further categories of information (if any), that could be exempted on the ground that compliance costs would be unreasonable or excessive. Consultations between the Attorney-General, the Minister for Communications, Information Technology and the Arts, the Minister for Employment, Workplace Relations and Small Business, and officials from their Departments, sought to identify reasonable grounds for exemption.

It was considered that, for some small businesses and organisations, the requirement to develop and comply with a code of practice, or the default provisions in the legislation itself, might not be justified in light of low privacy risk and potentially high compliance costs.

It was decided that small businesses would be exempt from the legislation unless they:

provide a health service and hold health information; or
disclose personal information about another individual to anyone else for benefit, service or advantage (unless that disclosure is with consent from the individual or as required or authorised by legislation); or
provide a benefit, service or advantage to collect personal information about another individual from anyone else (unless that collection is with consent from the individual or as required or authorised by legislation); or
are a contracted service provider for a Commonwealth contract; or
are related to a business that is not a small business; or
are prescribed by regulation (regulations may be made to prescribe particular small businesses or particular acts or practices of small businesses to be subject to the operation of the legislation.)

Small business exemption criteria were originally suggested by the Office of Small Business. They were developed further in a paper written by the National Office for the Information Economy, with input from the Office of Small Business and the Attorney-General's Department. One of the criteria for determining whether a business could be categorised as a "small business organisation" for the purposes of the Act refers to annual turnover. Annual turnover of $10 million was originally used by the Small Business Deregulation Taskforce. The Australian Taxation Office estimated that 93% of small businesses would fall into the exemption if the $10 million threshold was adopted, while statistics from the Australian Bureau of Statistics indicated that up to 85% of small businesses would be exempt from the application of the Act if the $10 million figure was used. Using the figure of $10 million was, however, identified as a possible problem in the paper prepared by the National Office for the Information Economy, because excluding such a high proportion of businesses was identified as having the potential to adversely affect the efficacy of the legislation.

The annual turnover figure of $3 million was finally adopted on the recommendation of the Department of Employment, Workplace Relations and Small Business. The Privacy Commissioner and the Attorney-General will review the figure from time to time to ensure that it remains appropriate.

The fact that small businesses may be exempt from the operation of the legislation because their annual turnover falls below $3 million and they do not fall within any of the exceptions to the exemption does not necessarily mean that small businesses should adopt practices that are contrary to the NPPs. Sound business practice and the possibility of falling outside the exemption where turnover exceeds $3 million will act as an incentive for small business to adopt general practices for handling personal information that are fair, while the exemption itself will reduce the administrative burden of compliance. Those small businesses that choose to abide by good privacy practices will have the option to bring themselves within the legislative scheme.

Small business, like other businesses, will be able to access whatever assistance and education is available generally through the Privacy Commissioner's Office.

Consultation

In recent years, there has been extensive public consideration of the need for privacy protection in the private sector, and the means by which it should be provided. There is ample evidence of the views of many business sectors, organisations and individuals on the options outlined above. Many individuals and organisations have made submissions in previous consultations by the Attorney-General's Department, the Privacy Commissioner and various Parliamentary Committees. Where the views of a particular sector or organisation are not known, it is unlikely, given the many opportunities that have arisen to date, that more formal consultation would elicit them.

Privacy and consumer advocates have for many years publicly lobbied the Government for protection for personal information through the enactment of legislation. More recently a number of key business players have approached the Government expressing their view in favour of a less prescriptive regulatory approach of the kind proposed. The Australian Chamber of Commerce and Industry, the Internet Industry Association and the Asia Pacific Smart Card Forum, which have previously supported a self-regulatory approach, have now advised that Commonwealth legislation, to underpin the application of approved self-regulatory codes, would be appropriate. The Credit Union Services Corporation (Australia) Limited has also advised of their support for Commonwealth legislation.

The Privacy Commissioner has been consulted and supports the proposal to provide a legislative framework to support and underpin approved voluntary codes.

In announcing the proposed legislation, the Government emphasised that it would be developed in consultation with business and privacy interests. The Government's aim was to ensure that the legislation established sound privacy protection without placing unnecessary burdens on business.

Over 100 submissions received in response to the Attorney-General's Department's 1996 discussion paper, Privacy Protection in the Private Sector, have been considered in developing the policy. This was followed with the Department's September 1999 Information Paper setting out the legislative framework and then the release of the key draft provisions in December 1999, which elicited more than 100 submissions.

There have also been submissions made to, and reports by, a number of Federal Parliamentary inquiries, including:

the Joint Committee on Public Accounts and Audit Inquiry into Internet Commerce, which reported in June 1998 and recommended legislation to protect personal information held by the private sector;
the Senate Select Committee on Information Technologies Inquiry into Self-Regulation in the Information and Communications Industries during 1998, which is yet to report; and
the Senate Legal and Constitutional References Committee Report on Privacy and the Private Sector of March 1999, which recommended legislation in this area after examining evidence from well over 100 business, consumer and advocacy groups and individuals.

The Attorney-General's Department also considered the discussion paper released by the former Victorian Government in 1998 (Information Privacy in Victoria) and the Data Protection Bill drafted and released later that year. These sources have yielded valuable information on achieving privacy protection in the private sector.

Consistent with the aim of ensuring that one national regime is achieved, there has been wide consultation with the States and Territories. The Territories and most States have taken the view that one national approach is desirable, and have been consulted in relation to the development of the Commonwealth legislation.

To facilitate consultation, the Attorney-General's Department also established a Core Consultative Group (CCG) in 1999 including representatives from business, consumer and privacy groups, the Privacy Commissioner and the National Office for the Information Economy. The States and Territories were also represented. The business peak bodies represented a wide range of businesses with interests in the handling of personal information. Business, consumer and privacy interests were represented by:

Australian Chamber of Commerce and Industry
Council of Small Business Organisations of Australia
Australian Bankers' Association
Investment and Financial Services Association
Credit Union Services Corporation
Insurance Council of Australia
Australian Finance Conference
Credit Reference
Real Estate Institute of Australia
Institute of Mercantile Agents
Australian Information Industry Association
Internet Industry Association
Australian Direct Marketing Association
Australian Communications Industry Forum
Telstra
Major Mail Users of Australia Ltd
Australian Retailers' Association
Australian Consumers' Association
Australian Privacy Charter Council
Australian Privacy Foundation
Australian Computer Society
Electronic Frontiers Australia
Blake Dawson Waldron
Consumers' Telecommunication Network
Asia Pacific Smart Card Forum
National Association of Tenants' Organisations

The State and Territory representatives were Multimedia Victoria, which represented officials supporting the Commonwealth-State On-Line Ministers' Council, and the New South Wales Attorney-General's Department, which represented officials supporting the Standing Committee of Commonwealth and State Attorneys-General (SCAG).

The CCG provided feedback on many issues and made a valuable contribution to the development of the proposed legislation. This formed a solid basis for an assessment of how the legislation might operate in practice and how various legislative approaches might impact upon business and be received by consumers.

The Attorney-General's Department published an information paper to solicit public comment, and convened a successful series of public consultation fora in Sydney, Melbourne and Perth in September 1999. The Department received submissions in response to the information paper from:

Australian Dental Association
Market Research Society of Australia
Australian Institute of Credit Management
PriceWaterhouseCoopers
Administration Review Council
People Living With HIV/AIDS
Australian Society of CPAs
Youth and Family Service (Logan City)
Australian and New Zealand College of Anaesthetists
Law Institute of Victoria
Tenants' Union of Queensland
Law Council of Australia
Australian Direct Marketing Association
Medibank Private
Royal College of Nursing
Australian Council on Healthcare Standards
Department of Finance and Administration
Vonaldy Pty Ltd
Privacy Advocate
Australian Chamber of Commerce and Industry
Australian Bankers Association
Coles Myer Ltd
Australian Broadcasting Corporation
Commonwealth Consumer Affairs Advisory Council
Cable & Wireless Optus
Commonwealth Bank of Australia
Privacy New South Wales
Australian National University
Insurance Council of Australia Ltd
Investment and Financial Services Association
Australian Competition & Consumer Commission
Public Interest Advocacy Centre
National Australia Bank
Australian Prudential Regulation Authority
Australian Finance Conference
Australian Law Reform Commission
Australian Communications Authority
Refugee Review Tribunal
Southern Cross Broadcasting
Australian Taxation Office
Federation of Australian Radio Broadcasters Ltd
Australian Subscription Television and Radio Association
Australian Privacy Charter Council
Special Broadcasting Service
Australian Press Council
Federation of Australian Commercial Television Stations
Lifeline Brisbane
Corrs Chambers Westgarth-Herald and Weekly Times Ltd.
News Limited

During this extensive consultation process, key evidence and submissions from, for example, PriceWaterhouseCoopers, the New South Wales Privacy Committee, the Australian Chamber of Commerce and Industry, the Internet Industry Association, the Asia Pacific Smart Card Forum, the Credit Union Services Corporation (Australia) Limited, the National Australia Bank and Telstra, have indicated broad support for the proposed strategy.

PriceWaterhouseCoopers has supported a co-regulatory regime in the following words: "we agree that a co-regulatory approach, utilising Information Privacy Principles and the Codes of Practice is a suitable method to adopt. Self regulation methods are not enough to ensure compliance with the Act." The New South Wales Privacy Committee is also committed to a co-regulatory approach to privacy in the private sector: "the co-regulatory approach suggested in the discussion paper is the Committee's preferred option. This approach gives flexibility while retaining a safety net of minimum privacy standards." The ACCI has noted that, "the strength of adopting a co-regulatory model, post a self-regulatory evaluation phase is that it represents evolution, not revolution."

According to the Internet Industry Association, "Privacy concerns remain a significant impediment in the uptake of Internet usage, particularly for purposes of e-commerce. The [IIA] Code addresses this by fully implementing the National Principles for the Handling of Personal Information. We anticipate that private sector privacy legislation will be introduced this year by the Federal government". Telstra has indicated that it is "desirable that there should be national privacy standards within a legislative framework."

Of the options considered, public consideration has overwhelmingly favoured the proposed co-regulatory strategy. The CCG generally accepted most elements of the proposed co-regulatory strategy, including elements of codes; approval and revocation of approved codes; giving effect to the Privacy Commissioner's National Principles in legislation and in codes; enforcement; public interest determinations; application of codes; the Privacy Commissioner's role and functions; commencement and phase-in period; and elements relating to the acts and practices of employees.

The CCG generally accepted, among other things:

the parameters for application of privacy codes;
that a code should bind only a signatory or member of a signatory industry body;
that a code should be based on the legislative Privacy Principles;
that a code should set down a complaints handling process;
that the Privacy Commissioner should approve codes;
that the Privacy Commissioner should make available a public register of approved codes;
that the default legislative framework should apply to an organisation that is not bound by an approved code;
that determinations by the Privacy Commissioner should be enforceable in the Federal Court;
that the Privacy Commissioner should be able to make public interest determinations that allow an organisation to do an act or engage in a practice that would otherwise be in breach of a Privacy Principle;
that the Privacy Commissioner's functions be expanded to investigate breaches of a code, approve and revoke codes, promote the Principles, issue guidelines to help organisations to avoid breaches, issue guidelines for the development of codes, and provide advice on matters relevant to the Privacy Act;
that there be a phase-in period during which the Privacy Commissioner's functions would be extended, codes would be developed and augmented to meet legislative requirements, and education, advice and guidance programs would be implemented;
that the balance of the provisions would come into effect after twelve months or on 1 July 2001, whichever is later; and
that, under certain conditions, anything done by a person in the performance of their duties as an employee is treated as if done by the employer organisation.

These issues were considered by the CCG in great detail.

Finally, three more Parliamentary Committees have considered the Bill since it was introduced into the House of Representatives on 12 April 2000. These include:

the House of Representatives Standing Committee on Legal and Constitutional Affairs;
the Senate Legal and Constitutional Legislation Committee; and
the Senate Select Committee on Information Technologies.

While these Committees have made recommendations covering various aspects of the Bill, none has expressed the view that the Government's co-regulatory approach should not be adopted.

Conclusion and recommended option

It is proposed that introducing legislation under Option Two would meet the specified objectives of achieving a workable, consistent and effective scheme of personal information protection in the private sector and would foster business and consumer confidence in, and thereby increase the take-up of, electronic commerce and other new technologies. It would provide at least cost:

a privacy protection framework which will assist business in taking a leading role in the global information economy;
coherence in setting a national standard set of principles, thereby simplifying issues for organisations which operate across industry sectors;
a single comprehensive framework so that businesses are not faced with the prospect of inconsistent State and Territory legislation; and
certainty regarding trade with EU Member States.

Considering the costs and benefits, Option Two is recommended. Experience in the development, implementation and operation of a self-regulatory approach to date has demonstrated that Option One is unlikely to meet policy objectives in the near future. Option Three is considered too expensive and inflexible for government and industry.

Implementation and review

The Attorney-General will be responsible for administering the Act. The Attorney-General's Department will be responsible for the ongoing monitoring of its operation. Currently the Privacy Commissioner is able to report to the Attorney-General on privacy issues and reports annually on the Privacy Act 1988. The Privacy Commissioner's reporting functions will be extended to cover the protection of personal information in the private sector, including the operation of the proposed legislation. Under the Competition Principles Agreement, a comprehensive review of any Commonwealth legislation enacted to underpin self-regulation will be required within ten years of its implementation. It is likely that this legislation will be reviewed by the Privacy Commissioner in two years' time, especially in relation to the operation of the exemptions.

Attachment A

1. National Privacy Principles:

There are ten National Privacy Principles, which are summarised below:

NPP 1 relates to the collection of personal information by an organisation. An organisation must only collect personal information where it is relevant to one or more of its functions or activities, and the way it is collected must be fair. The organisation should, where possible, collect the information directly from the individual concerned. At the time of collection, the organisation should tell the individual who it usually discloses the information to.

NPP 2 governs how an organisation may use and disclose personal information in its possession. There are restrictions on the way in which an organisation may use or disclose personal information where that use or disclosure is for a purpose other than the primary purpose for which it was collected.

NPP 3 relates to the quality of the data held by an organisation. An organisation must take reasonable steps to make sure that the personal information it holds is accurate, complete and up-to-date.

NPP 4 states that an organisation must take reasonable steps to make sure the personal information it holds is secure, and destroy or de-identify personal information if it is no longer needed for any purpose.

NPP 5 requires an organisation to be open about what personal information it holds and its policy on its management of personal information.

NPP 6 relates to access to, and correction of, personal information held by an organisation about an individual, by that individual. The general rule is that an organisation should let an individual have access to the personal information held about that individual. There are, however, exceptions to this general rule. An organisation should correct information held about an individual where that individual is able to establish that the information is not accurate, complete and up-to-date.

NPP 7 regulates the adoption, use and disclosure of identifiers assigned by a Commonwealth agency.

NPP 8 states that individuals must have the option of not identifying themselves when entering transactions with organisations, if it is lawful and practicable to remain anonymous.

NPP 9 regulates the transfer of personal information held by an organisation in Australia about an individual to someone (other than the organisation or the individual) in a foreign country.

NPP 10 places limits on when an organisation is permitted to collect sensitive information (i.e., information or an opinion about an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, political or religious affiliations, membership of a trade or professional association or union, sexual preferences or practices, criminal record, or health information).

2. Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data:

CHAPTER II: General rules on the lawfulness of the processing of personal data

Article 6 relates to the fair processing of personal data. "Processing" is defined as any operation or set of operations performed on personal data including collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. The article requires that information that is collected be collected for a particular purpose and used in a way that is compatible with that purpose (this is incorporated in NPPs 1 and 2); that information be accurate, complete and up to date (this is reflected in NPPs 3 and 6), and be kept in a form which permits the identification of data subjects for no longer than is necessary (addressed in NPP 4).

Article 7 lists the criteria for making data processing legitimate, namely, consent from the data subject, or the necessity to process the information for:

the performance of a contract to which the data subject is a party;
compliance with a legal obligation;
the protection of the vital interests of the data subject;
the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller of the data or a third party to whom the data was disclosed; or
the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the information is disclosed.

(NPP 2 incorporates similar limitations on the use and disclosure of personal information).

Article 8 regulates the processing of "special categories" of data (the same sort of information covered in the definition of "sensitive information", to which NPP 10 applies).

Article 9 requires that Member States shall provide for exemptions for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression only if they are necessary to reconcile the right to privacy with the rules governing freedom of expression. (This matter is not covered in the NPPs, but by amendments to the existing Privacy Act. The Privacy Commissioner will, in exercising his or her functions under the Act, be required to consider the desirability of the free flow of information through the media or otherwise. Generally speaking, acts done, or practices engaged in, by a media organisation will be exempt from the operation of the Act if the acts are done, or the practices are engaged in, by the organisation in the course of journalism and where the media organisation has publicly committed itself to privacy standards in a media context.)

Article 10 relates to the information that a collector must tell the individual, where the collector gets the information directly from that individual. The collector must provide to the individual (the "data subject") information about the identity of the controller, the purposes of the processing for which the information is intended and further information, such as who will receive the data, whether replies to questions are mandatory and the consequences of failing to provide information, and the existence of the right of access to and the right to rectify data concerning him or her (NPP 1.3 requires organisations to inform individuals of these things.)

Article 11 requires the controller of data that has not been collected directly from the data subject to provide the data subject with information about the controller's identity (and other information, as identified in Article 10), except where the provision of such information proves impossible or would involve a disproportionate effort (this situation is addressed in NPPs 1.3 and 1.5).

Article 12 requires Member States to guarantee every data subject the right to obtain from the controller confirmation of whether or not the controller has data about the subject, and if so, for what purpose it is processed, to whom it will be disclosed and what data the controller holds about the subject (this is addressed in NPP 6). Article 12 also requires the controller to rectify, erase or block data where the processing does not comply with the provisions of the Directive because the information is inaccurate or incomplete. (NPP 4.2 requires an organisation to destroy or de-identify information no longer needed for any purpose.)

Article 13 outlines circumstances in which it may be appropriate to restrict the scope of the obligations and rights provided for in Articles 6(1) (which relates to collection and quality of data), 10 (which relates to the procedure for collection of information directly from the data subject), 11(1) (which relates to the procedure where information is collected from sources other than the data subject), 12 (which relates to the data subject's right to know what information is held about him or her by the controller) and 21 (which relates to the publicising of processing operations). These circumstances (including measures to safeguard national security; defence; public security; the prevention, investigation, detection and prosecution of criminal offences; an important economic or financial interest of a Member State etc) have been taken into account in drafting the NPPs, most notably NPP 6 (in relation to an individual's right of access to personal information held by an organisation about that individual).

Article 14 provides that Member States shall grant the data subject the right to object to the processing of information about him or her, particularly where the information is to be used or disclosed for the purpose of direct marketing. NPP 2.1(c) expressly gives the individual the right to opt out of receiving further direct marketing communications from a particular organisation where the organisation uses personal information held by it for the secondary purpose of direct marketing.

Article 15 provides that Member States shall grant the right to every person not to be subject to a decision which produces legal effects concerning him or her, or significantly affects him or her and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to him or her (such as performance at work, creditworthiness, reliability, conduct etc).

Article 16 provides that any person acting under the authority of the controller or processor of personal data must not process the data except on instructions from the controller (unless he or she is required to do so by law).

Article 17 requires Member States to ensure that the controller of personal data has appropriate measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access (this matter is addressed in NPP 4). Where processing is carried out on the controller's behalf, the controller must choose a processor that provides sufficient technical security measures, and ensure compliance with those measures. The carrying out of processing on the controller's behalf must be governed by a contract or legal act binding the processor to the controller, and requiring the processor to conform to the obligations imposed on the controller to provide appropriate security for the data.

Article 18 provides that Member States shall provide that the controller of information must notify the supervisory authority (described in Article 28 as an independent public authority responsible for monitoring the application of the provisions adopted by the Member States) before carrying out any wholly or partly automatic processing operation (or set of operations) intended to serve a single purpose or several related purposes. The article also provides for simplification of the notification process or exemption from the process altogether, in certain circumstances. Article 19 sets out the information to be given in the notification.

Article 20 requires Member States to determine the processing operations likely to present specific risks to the rights and freedoms of data subjects and to check (itself or through a supervisory authority) that the processing operations are examined prior to the start thereof.

Article 21 requires Member States to take measures to ensure that processing operations are publicised, and that a register of processing operations be kept by the supervisory authority, and may be inspected by any person.

CHAPTER IV: Transfer of personal data to third countries:

Article 25 requires Member States to ensure that the transfer of personal data to a third country (for processing) may only take place if the third country ensures an adequate level of protection, and outlines the procedures for assessing whether protection is adequate, and for dealing with the situation where a third country does not ensure adequate levels of protection. Article 26 sets out the circumstances in which the transfer of personal information is allowed to a third country that does not ensure an adequate level of protection. NPP 9 requires similar safeguards where personal information is transferred to a foreign country.
