While privacy issues are now featured prominently in the daily news in Australia, the legal safeguards for personal information remain limited. Neither the Australian Federal Constitution nor the Constitutions of the six States contain any express provisions relating to privacy. There is continued debate about the value of a Bill of Rights, but no current proposals.[569] The Constitution limits the legislative power of the Commonwealth (federal) government, with areas not expressly authorized being reserved for the States. The constitutionality of federal laws imposing privacy rules on the private sector has been questioned, but not so far challenged. Most commentators believe that the Commonwealth could base any private sector privacy law on a "cocktail" of constitutional powers including those giving authority over telecommunications, corporations and foreign affairs (e.g., treaties).
Privacy Law in Australia comprises several Commonwealth (federal) statutes covering particular sectors and activities, some State or Territory laws with limited effect, and the residual common law protections.
In Australia there has until recently been no recognition of a general tort protecting privacy. Very occasionally the common law has been used in support of privacy rights through actions for breach of confidence, defamation, trespass or nuisance.
In its recent Lenah v ABC decision,[570] the High Court discussed the issue and effectively issued an invitation that a tort might be found if the right case came forward involving an individual (the Lenah case involved allegations of breach of corporate privacy). In June 2003, a Queensland District Court judge took up the invitation and in Grosse v Purvis[571] awarded the plaintiff AUD 178,000 for breach of privacy occasioned by intrusion and harassment over a sustained period. It remains to be seen if this affirmation of a common law right is upheld if appealed, or followed in other cases.
The principal federal statute is the Privacy Act of 1988,[572] which has four main areas of application and which gives partial effect to Australia's commitment to the Organization for Economic Cooperation and Development (OECD) Guidelines and to the International Covenant on Civil and Political Rights (ICCPR), Article 17. It creates a set of eleven Information Privacy Principles (IPPs), based on those in the OECD Guidelines, that apply to the activities of most federal government agencies. A separate set of rules about the handling of consumer credit information, added to the law in 1989, applies to all private and public sector organizations. The third area of coverage is the use of the government-issued Tax File Number (TFN), where the entire community is subject to Guidelines issued by the Privacy Commissioner, which take effect as subordinate legislation. The Privacy Act originated in protests in the mid-1980s against the Australia Card scheme - a proposal for a universal national identity card and number. That controversial proposal was dropped, but use of the TFN was enhanced to match income from different sources, with the Privacy Act providing some safeguards. The use of the TFN has been further extended to include benefits administration as well as taxation. Some controls over this matching activity were introduced in 1990.[573]
After several policy reversals, the conservative government introduced legislation to extend privacy protection to the private sector in April 2000. The Privacy Amendment (Private Sector) Act 2000 was passed in December 2000 and took effect in December 2001 (a year later for some small businesses). The law puts in place National Privacy Principles (NPPs) based on the National Principles for Fair Handling of Personal Information originally developed by the Federal Privacy Commissioner in 1998 as a self-regulatory substitute for legislation. Private companies are now required to observe these principles although they can apply to the Privacy Commissioner for approval of a self-developed Code of Practice containing principles that are an "overall equivalent" to the NPPs. The Act has been widely criticized as failing to meet international standards of privacy protection.
The NPPs impose a lower standard of protection in several areas than the EU Data Protection Directive. For example, organizations are required to obtain consent from customers for secondary use of their personal information for marketing purposes only where it is "practicable"; otherwise, they can initiate direct marketing contact, provided they give the individual the choice to opt out of further communications. Controls on the transfer of personal information overseas are also limited, requiring only that organizations take "reasonable steps" to ensure personal information will be protected, or "reasonably believe" that the information will be subject to protection similar to that applied in the Australian law. In addition, the Act provides for several broad exemptions for employee records (defined as a record of personal information relating to the employment of the employee including, for example, health information, contact details, salary or wages, performance and conduct, trade union membership, recreation and sick leave, banking affairs, etc.); media organizations (defined very broadly); and small businesses (defined as having less than AUD 3 million annual turnover and not disclosing personal information for a benefit). According to the Federal Government the small business exemption will exempt about 94 percent of all Australian businesses but only 30 percent of total business sales.[574] There are also weaknesses in the enforcement regime including, for example, allowing privacy complaints to be handled initially by an industry-appointed code authority, although a right of appeal to the Privacy Commissioner was inserted by Opposition parties. The Act does, however, include an innovative principle of anonymity. Principle 8 states that: "Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering into transactions with an organisation."
In March 2001 the Article 29 Data Protection Working Party of the European Commission expressed many reservations about the Act, suggesting that it would not, as currently written, satisfy the adequacy test in Articles 25 and 26 of the EU Data Protection Directive for data to flow to third countries.[575] The group recommended the introduction of additional safeguards to address these concerns. In response, the Attorney General issued a press release stating that the Committee's comments "display an ignorance about Australia's law and practice and do not go to the substance of whether our law is fundamentally 'adequate' from a trading point of view." He acknowledged that officials from Australia and Europe would "obviously" continue to talk but that "Australia will only look at options that do not impose unnecessary burdens on business." In May 2003, the Attorney General convened a meeting of a consultative group to discuss, amongst other things, three proposed amendments to meet some of the criticisms by the EU. These would extend correction rights to non-Australians, extend the scope of the transborder data flow control (Principle 9) to data about non-Australians, and ensure that the Privacy Commissioner could approve Codes of Practice that voluntarily covered otherwise exempt acts and practices. The government hopes to make these amendments within the next year. But some of the key EU objections would remain and may prevent an 'adequacy' assessment.
A promised review of privacy protection for employee records has yet to commence, although an inter-departmental committee has been looking into the need for specific privacy protection for children's personal information.
The Office of the Privacy Commissioner,[576] which enforces the Privacy Act, was initially established as a member of the Human Rights and Equal Opportunity Commission but has been operating as a separate statutory agency since July 1, 2000. The Office has a wide range of functions, including handling complaints, auditing compliance, promoting community awareness, and advising the government and others on privacy matters.
The Commissioner has so far approved two Codes of Practice under the private sector regime: one for the General Insurance Industry, which has its own adjudicator for complaints, and one for Licensed Clubs in the state of Queensland, which defaults to the Privacy Commissioner for complaints. The Commissioner is at various stages of discussion on several other Codes, including ones prepared by the Associations covering Market Research and the Internet Industry (representing Internet Service Providers and Casinos).[577]
The Commissioner's office, which had suffered cutbacks in the late 1990s, received additional resources to accompany its jurisdiction over the private sector, which has become one of its main focuses since 2001. However, these resources have proved inadequate to cope with a major increase in inquiries and complaints, leading to a growing backlog.
The number of complaints received in 2002-03 will exceed 1,000, a more than five-fold increase since 2000-01, and enquiries have risen from 9,000 to 25,000 in the same period.[578] The largest single category of private sector complaints concerns use and disclosure (44%, including 11% about spam), followed by access (18%), collection (18%), security (9%) and data quality (9%).
Section 52 of the Privacy Act provides that the Commissioner may make formal determinations in relation to complaints investigated. The determination by the Commissioner may dismiss the complaint, or may find the complaint substantiated and declare that the respondent should cease to breach the Act, take any reasonable steps to redress damage suffered by the complainant, or pay compensation to the complainant. Importantly though, Section 52 determinations are not legally binding on the respondent. The Commissioner, the complainant, or the adjudicator for an approved privacy code can commence proceedings in the Federal Court or Federal Magistrates Court for an order to enforce a determination. Recently, the Commissioner has reviewed several complaints regarding the sharing of information among government agencies. One complaint in particular dealt with the disclosure of sensitive personal information by a Commonwealth agency, where the complainant was employed, to another Commonwealth agency where the complainant had applied for a position.[579]
Of inquiries outside the Commissioner's jurisdiction, some of the most common concerns were workplace privacy, personal information on real estate tenancy lists (now being addressed under the private sector principles), video surveillance, and disclosure of information from public registers.
There are two other federal privacy-related laws for which the federal Privacy Commissioner is also the supervisory and complaint handling agency. The first is Part VIIC of the Crimes Act,[580] enacted in 1989, which provides some protection to individuals who have had criminal convictions in relation to so-called 'spent' convictions (i.e., convictions for relatively minor offences which they are allowed to 'deny' or have discounted after a set period of time). The second is the Data-matching Program (Assistance and Tax) Act 1990,[581] which provides detailed procedural controls over the operation of a major program of information matching between federal tax and benefit agencies.
In 2001 the Privacy Commissioner released the results of a comprehensive research project into public attitudes towards privacy issues that was commissioned earlier in the year.[582] The research findings were incorporated into three separate reports: Privacy and the Community; Privacy and Business; and Privacy and Government. The results indicate overwhelming support for privacy protection. For example, 91 percent of the public said that they would like businesses to seek permission before engaging in direct marketing; 89 percent would like organizations to advise them who would have access to their personal information and 92 percent would like to be told how it would be used; 42 percent have refused to deal with organizations they felt did not adequately protect their privacy. When asked what kind of data they considered most sensitive, 40 percent identified financial details, 11 percent identified income, 7 percent identified medical or health information, 4 percent identified home address, 3 percent identified phone number and 3 percent identified genetic information.[583] The Privacy Commissioner is using the results of the survey in setting out a future work plan for the office, including informing the marketing and communications strategy, and providing information for other areas of responsibility such as the development of industry codes and guidelines.
A complex mix of privacy standards applies to the telecommunications sector. The Telecommunications Act 1997[584] contains a detailed list of 'exceptions' from a basic presumption of confidentiality of customer records.[585] These exceptions are similar to those in the use and disclosure principles of the federal Privacy Act. An Industry Forum prepares detailed Codes and Guidelines, some of which are binding.[586] A Code of Practice on the Protection of Customer Personal Information that was binding on all telecommunications carriers and service providers was de-registered once the private sector amendments took effect. The enforcement position remains confusing, with the Australian Communications Authority (ACA), the Telecommunications Industry Ombudsman and the Privacy Commissioner all having overlapping jurisdictions. There is also a binding Code of Practice on Calling Number Display (CND),[587] which requires carriers to offer free per-call and per-line blocking (but only on an opt-out basis) and attempts to impose guidelines on telephone users' use of CND information. Other Codes deal incidentally with privacy issues such as directories, numbering and emergency calls.
The Telecommunications (Interception) Act of 1979[588] regulates the interception of telecommunications. A warrant is required under the Act, which also provides for detailed monitoring and reporting. However, the Interception Act safeguards need to be read alongside Part 15 of the Telecommunications Act 1997, which places obligations on telecommunications providers to provide an interception capability and positively assist law enforcement agencies in relation to interception. There have been several changes to the interception regime in recent years, including broadening the range of offences for which warrants can be obtained; allowing more law enforcement agencies to apply for warrants and more of them to execute warrants themselves; and transferring the warrant issuing authority from federal court judges to designated members of the Administrative Appeals Tribunal (who are on term appointments rather than tenured and are arguably less independent). Significant loopholes exist within the legislation, and there is uncertainty in relation to allowable 'participant monitoring'.[589] There also remains considerable uncertainty as to the position of e-mail and other stored communications under the telecommunications laws - it is not clear which communications are subject to the strict Interception Act safeguards and which only to the lesser controls of the Telecommunications Act.
Interception activity once again increased substantially in the last year reported. In 2002-03, the number of warrants issued rose to 2,514, with only 4 applications having been refused.[590] This excludes an undisclosed number of interception warrants issued to the Australian Security Intelligence Organisation by the Attorney General.
In April 2003, the National Office for the Information Economy (NOIE) released a final report of its review of the spam problem and how it can be countered.[591] The NOIE report makes several recommendations, largely endorsing proposals by the Privacy Commissioner, including outlawing spam, urging ISPs and consumers to use anti-spam software, and committing to working internationally on this issue. One recommendation of the NOIE Report proposes that the Australian Competition and Consumer Commission, the Australian Securities and Investment Commission and the Office of the Federal Privacy Commissioner should ensure that relevant legislation is fully applied to spam. The government hosted an industry consultation in June 2003 and legislation is expected to follow.
Electronic Frontiers Australia[592] and the Australian Privacy Foundation[593] have both criticized the international proposal for ENUM (or "electronic numbering"), a protocol for translating telephone numbers into Internet domain names and mapping telephone numbers to other means of communication such as e-mail, fax and mobile numbers. ENUM poses serious risks to privacy because it creates a unique individual identifier and because the currently proposed system requires personal information about individuals who have an ENUM address to be made publicly accessible in a database on the Internet. It is likely that marketers, spammers, and malicious actors will mine the database for personal contact information. Since there are no statutory protections in place regulating the use of ENUM contact information, marketers and spammers may use the contact information for junk mail, unsolicited commercial e-mail, and other forms of commercial solicitation. The system could facilitate an unprecedented amount of spam because programs could be designed to send solicitations to all of a registrant's communications devices.
Public sector privacy issues continue to raise concerns. As part of reforms to the Australian tax system from July 2000, the Australian Taxation Office (ATO) required all enterprises to obtain an Australian Business Number. The ATO collected registration details including address and e-mail contact, and planned to make these available to the public through the Australian Business Register and through selling them to database companies. A storm of protest occurred in June 2000 when it was realized that the register would include the home address and other details of almost 2 million individuals who were sole traders, contractors or even just had a minor income from a hobby or some other activity. The Government agreed to amend the legislation, limit the content of the Australian Business Register and allow individuals to suppress their details. At the same time, the Government was forced into another back-down after receiving legal advice that the Australian Electoral Commission had illegally disclosed information on around 10 million registered Australian voters, after the Prime Minister had asked for this information in order to conduct a targeted direct mailing campaign outlining the benefits of the tax reform package.
During 2000, Commonwealth and State governments announced plans to move towards unique patient identifiers in the health sector, likely to be centered around a health smart card. Health services are primarily delivered by the public sector in Australia, with only around a third of the population having private health insurance. The responsibility for delivery of health services is shared between the Commonwealth Government, which is responsible for much of the funding of the health system, and the States, which operate hospitals and community health services. The Commonwealth's proposal, HealthConnect, is intended as a voluntary national health information network under which health-related information about an individual would be collected in a standard, electronic format at the point of care.[594] As a first phase of this system the Department of Health and Aged Care drafted the Better Management System Bill that would establish individual electronic medication records in order to improve access to information about drugs for doctors and patients. The system was widely criticized by consumers and doctors groups concerned about patient confidentiality and professional liability.[595] On July 30, 2001 the Department of Health announced that all negotiations on the implementation of this system and the introduction of the enabling legislation had been postponed due to "technical difficulties."[596]
A major report on genetic privacy was issued in March 2003 by the Australian Law Reform Commission and the Australian Health Ethics Committee of the National Health and Medical Research Council. "Essentially Yours" makes 144 recommendations about the ethical, legal and social implications of genetic privacy.[597] The report recommends that privacy laws be harmonized and tailored to address the particular challenges of human genetic information, including extending protection to genetic samples, and acknowledging the familial dimension of genetic information. Employers should not be permitted to collect or use genetic information - except in those rare circumstances where this is necessary to protect the health and safety of workers or third parties, and the action complies with stringent standards set by a new Human Genetics Commission of Australia (HGCA). The insurance industry should be required to adopt a range of improved consumer protection policies and practices with respect to its use of genetic information (including family history) for underwriting purposes. A new criminal offence should be created to prohibit someone submitting another person's sample for genetic testing knowing that this is done without consent or other lawful authority. DNA parentage testing should be conducted only with the consent of each person sampled (or both parents in the case of young children), or pursuant to a court order.
In 2001 the Prime Minister announced the establishment of a national digital database of DNA and fingerprint samples in order to facilitate law enforcement.[598] The national DNA database system is coordinated by CrimTrac, a Commonwealth agency. The system, when fully operational, will enable the comparison of DNA profiles across all Australia's jurisdictions for law enforcement purposes. The system is underpinned by Commonwealth, State and Territory legislation. A Report of a Review of Part 1D of the Crimes Act 1914 (the relevant federal law) was tabled in Parliament on 15 May 2003. The Review found that the national system is not yet operational and that only one jurisdiction (New South Wales) has loaded profiles onto the relevant CrimTrac database, known as the National Criminal Investigation DNA Database (NCIDD). While there has been relatively little experience of the operation of Part 1D, the Review has recommended improved accountability arrangements both within and across Australia's jurisdictions. The Review sees effective accountability mechanisms as crucial to maintaining public confidence in the use of DNA analysis for law enforcement purposes. The Review recommends that the external scrutiny mechanisms be based upon existing cooperation between Australian Ombudsmen, with involvement of Privacy Commissioners and other monitoring bodies.
Legislative amendments in 2002 and 2003 have given the Australian Security Intelligence Organization (ASIO) significant and highly controversial new powers, including the ability to detain and question individuals suspected of having information relevant to terrorism. Despite extracting many concessions and additional safeguards from the government, the Opposition allowed the final changes through in June 2003 without ruling out the possibility of indefinite detention without charges under repeated warrants.
The Crimes Act[599] also contains a range of other privacy-related measures, such as offenses relating to unauthorized access to computers, unauthorized interception of mail and telecommunications, and the unauthorized disclosure of Commonwealth government information.[600] In late June 2001, the Government introduced draft legislation targeting online crime. A recent Federal Court of Australia decision marks one of the first Australian cases to deal with a clear instance of cybersquatting. In CSR Limited v. Resource Capital Australia, the court ordered the transfer of the domain and ordered Melbourne IT to set conditions on any future registrations by the defendant.[601] The court relied on the Trade Practices Act to find that the registration was misleading.
Currently, the Government is considering an online censorship bill, allowing the Australian Broadcasting Authority and the Office of Film and Classic Literature to withhold information regarding what online information is being restricted.[602] The proposed amendments to the Freedom of Information (FOI) Act are designed to further prevent public scrutiny (and potential criticism) of the operation of the Federal Internet censorship regime that became operative on January 1, 2000. The bill is meant to restrict the details regarding the net blocking system. Under Australia's FOI law, the agencies may withhold information regarding their practices and the details of their agency operations. As of May 2003, the proposal has passed the House of Representatives, but is expected to meet resistance in the Senate. The EFA and other civil liberties groups have opposed the Internet content regime put in place under the Broadcasting Services Act, and have tracked the operation of the laws through FOI applications.[603]
The federal Freedom of Information Act of 1982[604] provides for access to government records. The FOI Act is the mechanism through which the access right in the Privacy Act is implemented for public sector agencies. The Commonwealth Ombudsman promotes the FOI Act and handles complaints about procedural failures. Merits review (appeal) of adverse FOI decisions is provided by the Administrative Appeals Tribunal, with the possibility of further appeals on points of law to the Federal Court. Budget cuts have severely restricted the capacity of the Attorney General's Department and the Ombudsman to support the Act, and there is now little central direction, guidance or monitoring.
The Australian States and Territories have varying privacy laws. New South Wales, the most populous State, passed the Privacy and Personal Information Protection Act 1998, which applies (since July 2000) to most state government agencies, although there are numerous and generous exemptions, and agencies can apply for Codes of Practice that can weaken the principles. The former Privacy Committee (which acted as an Ombudsman since 1975 and also issued several reports and guidelines on matters such as video surveillance and smart cards) has been replaced by a part-time Privacy Commissioner with a very small staff.[605] The Act is based on a set of OECD-style Information Protection Principles and requires all government departments and agencies to develop a Privacy Management Plan demonstrating their compliance plans. It also allows for the development of Codes of Practice that weaken the Information Protection Principles, and several such Codes have already been made.[606]
New South Wales (NSW) enacted a Workplace Video Surveillance Act[607] in 1998 (partly in response to the Privacy Committee report). In a report issued publicly in early 2002,[608] the NSW Law Reform Commission reviewed the laws governing surveillance more generally, including the operation of the existing Listening Devices Act 1984.[609] The NSW government indicated in 2001 that it was disposed to legislate on e-mail monitoring in the workplace but this has not progressed. A separate NSW Health Records and Information Privacy Act[610] was passed in 2002, and will take effect in March 2004.
In July 2002, the Office of Information Technology (OIT), an agency of the state government of NSW, issued guidelines pursuant to the Privacy and Personal Information Protection Act of 1998. The guideline states that as a matter of good practice, each agency should have a designated privacy contact officer. It adds that the obligations of the chief information officer in each agency include ensuring there is a privacy management plan. The responsibilities of other staff, including librarians, web managers, human resources managers and records managers, are also described.[611]
The state of Victoria has enacted the Information Privacy Act 2000, which applies privacy principles (an almost exact copy of the NPPs in the federal Act) to most state government agencies. There are relatively few exemptions and while there is provision for Codes of Practice, they cannot weaken the principles. The Act created an office of Privacy Commissioner,[612] very active so far, with a monitoring, enforcement and education role and to conciliate complaints.
The Victorian Civil and Administrative Tribunal can determine unresolved complaints. Victoria has also passed the Health Records Act 2001 to complement the information privacy legislation by requiring Victorian health service providers to handle health information responsibly. The Health Records Act also gives patients a right of access to their records held by private practitioners. The Victorian Law Reform Commission[613] received a reference in April 2001 to review the coverage of privacy law in Victoria, and published an Issues Paper in 2002 on workplace privacy.[614]
The government of the Australian Capital Territory (ACT), which used to be a local authority under Commonwealth (federal) law and was consequently covered by the federal Privacy Act, achieved self-government as a separate Territory in 1989. The Privacy Act was amended to continue coverage, intended as an interim measure, but this remains the position, with the Privacy Commissioner in effect serving also as the ACT's Commissioner, responsible to its own government. However, in 1997 the ACT government passed its own Health Records (Access and Privacy) Act,[615] which applies to personal health information held by anyone - public or private sector. Its provisions are similar to those of the IPPs in the Privacy Act, and it supersedes them for ACT government agencies in this area of data handling.
The self-governing Northern Territory has enacted a combined privacy and FOI law - the Information Act 2002,[616] which is due to take effect by July 2003. A Commissioner has been appointed, but there is little information available about implementation.
Queensland had a purely advisory Privacy Committee from 1984 to 1991[617] and has a limited privacy statute[618] covering the use of listening devices, credit reporting (operating alongside the 1989 amendments to the federal Privacy Act) and physical intrusions into private property. In April 1998, after a year-long review, a Parliamentary Committee recommended comprehensive privacy legislation for the public sector.[619] The government indicated that it intended to legislate, but no timetable has been set, and in 2001 the government adopted privacy principles on a non-statutory basis that is hopefully only interim.[620]
The other states, Tasmania, South Australia and Western Australia, also operate administrative schemes based on variations of the standard sets of privacy principles.[621] In May 2003, the Western Australian government released a discussion paper[622] proposing a public sector privacy law.
All of the States and Territories also have FOI laws that include rights for individuals to access and correct personal information about themselves.[623]