SENATE

Privacy Amendment (Private Sector) Bill 2000

Revised Explanatory Memorandum

(Circulated by authority of the Attorney-General, the Honourable Daryl Williams AM QC MP)

Outline

This Bill is part of the Commonwealth Government's commitment to enacting balanced privacy legislation for the private sector to ensure that full advantage may be taken of the opportunities that electronic commerce presents for Australian business within Australia and overseas.

The Australian public has expressed concern about doing business online, and this concern could frustrate the growth of electronic commerce. The Government acknowledges that user confidence in the way that personal information is handled in the online environment will significantly influence consumer choices about whether to use electronic commerce. Any business demonstrating that it will protect the privacy of its customers will therefore gain a competitive advantage. Similarly, a country that can demonstrate it protects its citizens' privacy will have an advantage over those countries that do not.

The National Privacy Principles in the Bill (the NPPs) set out minimum standards about how business and other private sector organisations should collect personal information, about the use and disclosure of personal information and about ensuring that the personal information they hold is accurate and secure. These Principles, like the Information Privacy Principles currently in the Privacy Act 1988 (the Privacy Act) that apply to Commonwealth public sector agencies, reflect the Organisation for Economic Co-operation and Development (OECD) data protection principles.

The NPPs are based on the National Principles for the Fair Handling of Personal Information (the Privacy Commissioner's National Principles), developed by the Privacy Commissioner following extensive consultation with business and consumers.

The Privacy Commissioner's National Principles were intended to provide a basis for business to develop practices to ensure that the privacy of individuals is protected.

While the NPPs derive from the Privacy Commissioner's National Principles, they have been revised to accommodate legislative language and modified in their application to health information and transborder data flows. The modifications made in relation to health information are based on the Privacy Commissioner's recommendations to the Government, following consultation with health stakeholders. As a result, the application of the NPPs to health information promotes a consistent, high-level approach to privacy protection by organisations that hold health information, as well as other types of personal information.

The NPPs provide an underlying legislative framework for the protection of personal information. Private sector organisations will be bound by them, unless they have their own privacy code that has been approved by the Privacy Commissioner. A code will only be approved by the Privacy Commissioner if it provides at least as much privacy protection as the NPPs in the Bill.

Part IIIAA of the proposed legislation sets out the matters that the Privacy Commissioner must take into account when deciding whether or not to approve a privacy code. Where a code sets out a procedure for making and dealing with complaints, the Privacy Commissioner must consider the matters set out in sub-clause 18BB(3), including whether the procedures meet the prescribed standards. At this stage, the Government intends to prescribe the "Benchmarks for Industry-Based Customer Dispute Resolution Schemes" published by the Consumer Affairs Division of what was then known as the Department of Industry, Science and Tourism (August 1997) as the required standard.

Application:

The proposed private sector privacy legislation will apply to the acts and practices of "organisations". An "organisation" is defined to mean a body corporate, an unincorporated association, a partnership, a trust and an individual. A body corporate that is related to another body corporate will be permitted to share personal information. However, related bodies corporate will be required to comply with the NPPs in the Bill in relation to using and handling the information. A similar rule exists in relation to the collection and disclosure of personal information from one partnership that dissolves to another partnership that forms immediately afterwards, has at least one partner in common with the first partnership and carries on the same (or similar) business as the first partnership.

The proposed legislation is not intended to cover the State and Territory public sector or State and Territory Government Business Enterprises (GBEs) that perform substantially core government functions.

Extra-territorial operation of Act:

The Bill will apply to certain acts and practices of organisations that occur outside Australia. This is to ensure that, as far as practicable and appropriate, the legislation will apply in an environment where organisations operate across national boundaries and may move information overseas to use and process it. This is also intended to ensure that the provisions of the legislation are not avoided simply by moving personal information overseas.

Interaction with State and Territory legislation:

The Bill intends to establish a comprehensive national scheme providing for the appropriate collection, holding, use, correction, disclosure and transfer of personal information by organisations in the private sector. State and Territory laws that make provision for the collection, holding, use, correction, disclosure or transfer of personal information will continue to operate to the extent that they are not inconsistent with the proposed Commonwealth legislation.

Application to the media:

The Bill includes an exemption for acts done and practices engaged in by media organisations "in the course of journalism". Before a media organisation can take advantage of the exemption, it must demonstrate that it is publicly committed to observing published written standards dealing with privacy in the context of media activities. This exemption seeks to balance the public interest in providing adequate safeguards for the handling of personal information and the public interest in allowing a free flow of information to the public through the media. The objects clause also highlights this need for a balanced approach.

A range of other provisions recognises the important role of the media in facilitating the free flow of information to the Australian public. For example, as part of the process of approving a code the Privacy Commissioner will have to be satisfied that code adjudicators will be required to have due regard to such issues. This is consistent with the obligation imposed on the Privacy Commissioner under existing paragraph 29(a).

In addition, the Bill provides that a journalist is not required to give information, answer a question or produce a document or record under the provisions of the Bill where this would tend to reveal the identity of a person who gave information to the journalist in confidence.

Application to Employee Records:

The Government has agreed that the handling of employee records is a matter better dealt with under workplace relations legislation. An act or practice engaged in by a current or former employer of a person in relation to an employee record will be exempt from the operation of the legislation if the act or practice is directly related to the current or former employment relationship. The requirement of a direct link to the employment relationship has been included to ensure that employers cannot use employee records for commercial purposes unrelated to the employment context.

An employee record is defined broadly as a record relating to the employment of an employee and includes the types of records typically held by employers on personnel files.

Application to Small Business:

All small businesses, apart from those that provide health services, will be exempt from the operation of the legislation for a period of 12 months after the commencement of the legislation. This delayed application is designed to allow small business extra time to ensure compliance with the legislation. After the initial period it is intended that small business be exempt from the legislation unless there is a privacy risk. This is in accordance with Government policy to minimise compliance costs for small business.

A business is a small business during a financial year if its annual turnover for the previous financial year was $3 million or less. Annual turnover has a defined meaning for the purposes of the Bill but, in general, will equate to the total of the instalment income the business notifies to the Commissioner of Taxation on its Business Activity Statements during the course of a year.

A small business will be exempt from the operation of the legislation unless it:

provides a health service and holds health information; or
discloses personal information about another individual to anyone else for benefit, service or advantage (unless it does so with the consent of the individual concerned or is required or authorised to do so under legislation); or
provides a benefit, service or advantage to collect personal information about another individual from anyone else (unless it does so with the consent of the individual concerned or is required or authorised to do so under legislation); or
is a contracted service provider for a Commonwealth contract; or
is prescribed by regulation.

These exceptions to the exemption for small businesses acknowledge that some personal information and some activities pose a higher threat to privacy than others and that small businesses within these categories ought to be covered by the Bill.

While the Government is not requiring all small businesses to comply with privacy legislation, it acknowledges that there could be many reasons why a small business may want to comply with privacy standards in its business activities. To support this choice, the Government has included provision for an otherwise exempt small business to opt in to the coverage of the Bill. A small business that chooses to opt in will be treated as an organisation under the legislation and subject to the jurisdiction of the Privacy Commissioner. This jurisdiction will be preserved for relevant periods should the small business subsequently revoke this choice.

Application to political parties and political representatives:

Political parties registered under Part XI of the Commonwealth Electoral Act 1918 will be exempt from the operation of the legislation. Acts and practices of political representatives such as members of Parliament and local government councillors (however described) will also be exempt from the legislation provided their acts and practices relate to an election, a referendum or other participation in the political process.

The acts and practices of contractors (and their sub-contractors) of registered political parties and political representatives will be exempt provided that the acts done or practices engaged in relate to an election, a referendum, or the participation of a registered political party or a political representative in the political process.

Acts done or practices engaged in by volunteers on behalf of and with the authority of a registered political party will also be exempt from the operation of the legislation.

Application where government services are outsourced to the private sector:

The Bill enables a contract between the Commonwealth agency and the contractor (and any subcontract) to be the primary source of a contracted service provider's obligations in respect of the personal information collected or held for the purpose of performing the contract. Contractual clauses must be consistent with the privacy obligations that apply to the agency (generally, the Information Privacy Principles). Contractors will be subject to the NPPs (or to an approved code) to the extent that they are not inconsistent with the Commonwealth contract.

A small business operator that is also a contracted service provider under a Commonwealth contract will be subject to the legislation in respect of the performance of the contract, but will be exempt in relation to its other acts and practices.

To ensure that people are able to find out what privacy standards apply, agencies and contractors will be required to release, on request, details of privacy clauses in their contracts.

As a safeguard, the Bill contains a provision explicitly prohibiting a contracted service provider from using or disclosing personal information collected under a Commonwealth contract for direct marketing purposes unless this is a necessary part of the contract itself.

Specific provisions will ensure that the complaints system works smoothly where the complaint is made about an act or practice of an organisation that is also a contracted service provider where that act or practice is in relation to a Commonwealth contract.

The Bill contains a provision to cover the situation where, for one of the reasons specified, a remedy cannot be obtained from a contracted service provider. It allows the Privacy Commissioner to substitute the agency for the contracted service provider and is intended to ensure that the agency remains ultimately responsible for the acts and practices of its contracted service providers.

Organisations providing services to a State government under contract:

A specific provision will exclude acts and practices of organisations performed in relation to a contract with a State or Territory instrumentality where that contract involves handling of personal information. Such acts and practices will not be covered by the Commonwealth's privacy scheme but rather by the State or Territory's own privacy standards.