House of Representatives

Privacy Amendment (Private Sector) Bill 2000

Second Reading Speech

Mr Williams (Tangney - Attorney General)

The Privacy Amendment (Private Sector) Bill 2000 is the most significant development in the area of privacy law in Australia since the passage of the Privacy Act in 1988. Based on industry benchmarks and over 12 months of intensive consultation with Australian business, consumers and privacy advocates, the bill establishes national standards for the handling of personal information by the private sector. For the first time, Australians can be confident that information held about them by private sector organisations will be stored, used and disclosed in a fair and appropriate way. For the first time, Australians will have a right to gain access to that information and a right to correct it if it is wrong.

This bill is about confidence building. It is about giving consumers confidence in Australian business practices. It is about giving business confidence in a more level playing field. It is about giving the international community confidence that personal information sent to Australia will be stored safely and handled properly.

While some businesses in Australia are leading the way by putting in place codes of practice which commit them to handling personal information in a fair and responsible way, these good business practices are not consistent. The Privacy Amendment (Private Sector) Bill 2000 provides a national, consistent and clear set of standards to encourage and support good privacy practices.

The bill is one element of the government's strategy to ensure that full advantage is taken of the opportunities presented by electronic commerce and the information economy for Australian business and Australian consumers. The Australian public has expressed concern about the security of personal information when doing business online. This concern, if not addressed, has the potential to significantly influence consumer choices about whether or not to participate in electronic commerce.

The bill provides a framework within which Australian business will be able to address these concerns effectively and efficiently. There is no doubt in my mind that businesses which demonstrate that they are committed to protecting the privacy of their customers will gain a competitive advantage. Addressing privacy concerns is clearly smart business. It is smart business domestically, but it is also smart business internationally. Increasingly, important trading partners are requiring an assurance that information will be given appropriate protection. This bill will ensure that Australia is in a position to meet international obligations and concerns and that we are not disadvantaged in the global information market.

The bill draws on the 1980 OECD Guidelines for the Protection of Privacy and Transborder Flows of Personal Data, which represent a consensus among our major trading partners on the basic principles that ought to be built into privacy regulation. It will also implement certain obligations under article 17 of the International Covenant on Civil and Political Rights.

The bill is intended to facilitate trade in information between Australian and foreign companies. Without such legislative measures, this trade may be adversely affected. The 1995 European Union directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data restricts the transfer of personal information from member countries to other countries unless adequate privacy safeguards are in place. I am confident that this bill will provide adequate privacy safeguards to facilitate future trade with EU members.

The real strength of this legislation stems from the highly interactive way it has been developed. The National Principles for the Fair Handling of Personal Information, which form the basis of the bill, were developed by the Privacy Commissioner following extensive consultation with business, consumers and other stakeholders. The national principles are a set of guidelines for the collection, holding, use, disclosure and transfer of personal information.

The government's commitment to a fully consultative process continued following the announcement in December 1998 that we would legislate. A core consultative group was established with a membership drawn from peak business, consumer and privacy groups. The states and territories were also represented. The group provided an invaluable arena in which to test and develop various legislative models and to examine how each model would operate in practice. In addition, the Privacy Commissioner was asked to consult with health stakeholders as to how the national privacy principles should be modified to deal with health information.

An information paper issued in September last year followed by a successful series of public consultation meetings in Sydney, Melbourne and Perth and draft key provisions made public in December attracted a large number of submissions. Drawing on this input and feedback has allowed us to draft a bill which, I believe, will establish the best possible scheme for the Australian context.

The bill will amend the existing Commonwealth Privacy Act 1988, which currently regulates the handling of personal information by the public sector. The aim of this bill is to encourage private sector organisations and industries which handle personal information to develop privacy codes of practice. Where an organisation or industry does not put a privacy code in place, the national privacy principles will apply. The national principles will also provide the benchmark for industry codes. Before approving a code, the Privacy Commissioner will have to be satisfied that it provides at least the same level of protection as the national principles.

Where someone is not satisfied with the way an organisation is handling his or her personal information, they will be encouraged to take up their complaint with the organisation in question in the first instance. Organisations and industries will have the opportunity to establish approved complaint handling procedures as part of a privacy code. These procedures will be required to meet specific standards as to independence, transparency, fairness and so on. The complaint handling procedure will also have to be accessible.

Where a privacy code does not include a mechanism for handling complaints, the Privacy Commissioner will play that role. Whether the complaint is handled by an industry code adjudicator or by the Privacy Commissioner, the emphasis will be on achieving an outcome through mediation. The government's aim in establishing these processes is to provide an avenue for individuals to have complaints heard and dealt with quickly and simply and to provide maximum opportunity for complaints to be satisfactorily resolved.

It is also our aim to improve industry practice over time. The Privacy Commissioner will have a significant role in working with business, including the development and issue of best practice guidelines. If an individual and an organisation are unable to reach a satisfactory outcome through mediation and conciliation, the Privacy Commissioner or a code adjudicator will be required to make a determination. In both cases, the decision making process may be judicially reviewed under the Administrative Decisions (Judicial Review) Act 1977. A determination made by the Privacy Commissioner or a code adjudicator may be enforced in the Federal Court or the Federal Magistrates Court. While the bill puts in place a scheme which is intended to support self-regulation, there will be a level of judicial oversight to ensure compliance with decisions of code adjudicators and the Privacy Commissioner.

The government recognises that Australians consider their personal health information to be particularly sensitive and that they expect that it will be handled fairly and appropriately by all those who come into contact with it. Following consultation with health stakeholders, it was agreed that the national privacy principles be modified to accommodate the particular sensitivities surrounding the collection, use and disclosure of personal health information. The modified principles are designed to ensure an appropriate balance between privacy interests and other important public interests, such as the promotion of research and the effective planning and delivery of health services.

The balance between the interests of privacy and the need to facilitate medical research was an issue that the Privacy Commissioner and the government looked at closely. The bill provides that, where information is collected for research purposes, it must be collected with consent or, where this is not practicable, in accordance with strict safeguards set out in the bill. In addition, researchers must take reasonable steps to de-identify personal information before the results of research can be disclosed.

It is a fundamental principle of fair information handling that individuals be able to access and correct information about themselves. The bill provides for access to health information, except where legitimate and justifiable grounds exist for refusing access. Such grounds include situations where providing an individual with access to their health information would pose a serious threat to the life or health of that or any other person. In providing this right to health consumers, the bill supports what is already good practice among many health professionals.

The government acknowledges that the health profession already has a strong respect for the confidentiality of health information about individuals and maintains sound privacy practices in that respect. The bill is not intended to interfere with those professional values and standards.

Another area where special issues arise is where government services involving personal information are outsourced to the private sector. In these circumstances, it is important to ensure that personal information is given the same level of protection it would receive if it were held by government and that, in specified circumstances, the contracting government agency remains ultimately responsible for the acts and practices of its contractors.

Where an organisation provides services under contract to the Commonwealth government, the legislation makes clear that the contract will be the primary source of a contractor's privacy obligations in respect of the personal information collected or held for the purpose of performing the contract. The national privacy principles or an approved code will apply only to the extent that they are not inconsistent with the contract. As an extra safeguard, the bill provides that a contractor may not use or disclose personal information for direct marketing purposes unless this is required by the contract.

The bill is not intended to cover state and territory public sector agencies, as this is a matter for the states and territories themselves. The bill recognises that state and territory government business enterprises, or GBEs, take many forms and that the dividing line between the public and private sectors is not always clear. In order to ensure certainty, the bill provides that GBEs that are incorporated under the Corporations Law will automatically be covered by the bill unless they are prescribed otherwise by regulation. Those GBEs not incorporated under the Corporations Law, such as statutory corporations, will not be covered by the bill.

To meet the varying requirements of state and territory governments, however, the bill also provides a flexible opt-in opt-out mechanism for prescribing state or territory instrumentalities. This will be achieved by regulation and will be done only at the request of the state or territory government. The policy behind this mechanism is to ensure that state and territory government functions can continue unaffected by the bill, whilst ensuring that state and territory GBEs that are performing substantially commercial functions will be treated on a level playing field with other private sector organisations.

By introducing this bill, the Commonwealth intends to establish a single comprehensive national scheme for the protection of personal information by the private sector. However, state and territory laws will continue to operate to the extent that they are not directly inconsistent with the terms of the bill.

The national privacy principles recognise the operation of state and territory legislation and the common law. For example, while the principles provide for a right of access to personal information held about an individual, they also contemplate a situation in which that access may be denied if this denial is required or authorised by law.

While there may be some situations of direct inconsistency, I expect that, in the majority of cases, existing state and territory laws will continue unaffected by this bill. The existing law will simply be supplemented by the standards contained in the national privacy principles.

It is widely acknowledged that the right to privacy is not an absolute right. Like all rights, the individual's right to privacy must be balanced against a range of other community and public interests. The objects clause of the bill highlights this need for a balanced approach. The structure and principles underlying the legislation, as well as a limited range of express exemptions, ensure that the bill represents an appropriate and workable balance. The bill does not apply, for example, to information collected for personal, family or household affairs.

Similarly, while protecting privacy is an important goal, it must be balanced against the need to avoid unnecessary costs on small business. For this reason, only small businesses that pose a high risk to privacy will be required to comply with the legislation.

Small business is defined in the legislation as a business with an annual turnover of $3 million or less. Such businesses will be exempt unless they hold personal health information and provide a health service, trade in personal information, are a Commonwealth contracted service provider or are prescribed by regulation.

The power to prescribe small businesses, or particular acts or practices of small businesses, provides a flexible way to ensure that other risks to privacy can be brought within the legislation where that is necessary and in the public interest. In considering whether the circumstances justify bringing small businesses within the regulatory scheme, the Privacy Commissioner must be consulted. I also intend to consult with the minister for small business before making a decision on such a regulation.

In addition, small businesses will not be subject to the legislation for a period of 12 months after it comes into force. The government appreciates that small business needs to focus on implementing the new tax system. The extra time given to small business will provide ample opportunity for them to implement the changes to the tax system before turning to how they will handle personal information.

Even so, with the increasing demands from consumers and larger business partners for greater respect for privacy, more small businesses are recognising that good privacy practices are good business practices. The bill provides an excellent foundation for Australian small businesses to take the initiative voluntarily in relation to privacy. This will allow them to capitalise on the increased consumer and business confidence that results from proper practices.

The bill also includes an exemption for employee records. An 'employee record' is defined to capture the types of personal information about employees typically held by employers on personnel and other similar files.

While this type of personal information is deserving of privacy protection, it is the government's view that such protection is more properly a matter for workplace relations legislation.

It should be noted, however, that the exemption is limited to collection, use or disclosure of employee records where this directly relates to the employment relationship. This is designed to preclude an employer selling personal information contained in an employee record to a direct marketer, for example.

The media in Australia have a unique and important role in keeping the Australian public informed. In developing the bill the government has sought to achieve a balance between the public interest in allowing a free flow of information to the public through the media and the individual's right to privacy. In order to achieve this balance, the bill does not apply to acts and practices of media organisations in the course of journalism.

A range of other provisions in the bill also recognise the important role of the media in facilitating the free flow of information to the public.

The bill also includes an exemption for political representatives where acts or practices are related to participation in the political process, including referendums and elections at the local, state or federal level.

Freedom of political communication is vitally important to the democratic process in Australia. This exemption is designed to encourage that freedom and enhance the operation of the electoral and political process in Australia. I am confident that it will not unduly impede the effective operation of the legislation.

In order to allow time for the private sector to develop codes, revise existing codes and put appropriate practices in place, the bill will only come into operation 12 months after it receives royal assent, or on 1 July 2001, whichever is later. In addition, as I have already noted, small businesses will have an additional 12 months before the legislation comes into operation in respect of their acts and practices.

This bill establishes a new approach to the protection and handling of personal information in the private sector. Because our approach is unique, I believe it would be extremely useful to have a report on the operation of the legislation in due course to ensure that it is achieving all our goals. I will ask the Privacy Commissioner to conduct a formal review of the operation of the legislation, and of all the exemptions, in consultation with key stakeholders after it has been in operation for two years.

In developing this legislation the government has drawn extensively on consultation and feedback provided by Australian business, consumers and privacy advocates. As a result, the bill will establish a scheme which is responsive to both business and consumer needs and that implements privacy protection in a realistic, balanced and workable way. It represents the very best of Australian policy development and law making and will help to ensure that Australian business and Australian consumers are in a position to take full and confident advantage of the future in the fast developing information economy. I commend the bill to the House and present the explanatory memorandum to the bill.