16.08.2010
OECD Guidelines
18.8 The preamble to the Privacy Act notes that Australia is a member of the Organisation for Economic Co-operation and Development (OECD); that the Council of the OECD has recommended that member countries take into account in their domestic legislation the privacy principles set out in the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980)(OECD Guidelines); and that Australia has expressed its intention to participate in the recommendation. The privacy principles in the OECD Guidelines, which apply to personal data in both the public and private sectors, are the foundation for the two sets of privacy principles in the Privacy Act: the IPPs and the NPPs.
18.9 The OECD Guidelines were adopted by the OECD Council on 23 September 1980. They were designed to discourage the member countries of the OECD from introducing ‘incompatible and conflicting laws for the defence of privacy in the newly established databases of the interlinked information technologies’.[5] As such, the OECD Guidelines have influenced data protection laws in many jurisdictions.
18.10 The OECD Guidelines attempt to reconcile sometimes competing interests. The goal of protecting privacy and individual liberties is balanced with the desire to advance the free flow of personal information.[6] The Guidelines were developed to harmonise national privacy legislation and, while upholding human rights, simultaneously to prevent interruptions in the cross-border flow of information.[7]
18.11 The OECD Guidelines apply to ‘personal data, whether in the public or private sectors, which, because of the manner in which they are processed, or because of their nature or the context in which they are used, pose a danger to privacy and individual liberties’.[8] On one hand, they are ‘minimum standards which are capable of being supplemented by additional measures for the protection of privacy and individual liberties’.[9] On the other hand, the OECD Guidelines deter member countries from creating unnecessary obstacles to cross-border flows of personal information in the name of the protection of privacy and individual liberties.[10]
18.12 Part Two of the OECD Guidelines sets out eight basic information privacy principles: collection limitation; data quality; purpose specification; use limitation; security safeguards; openness; individual participation; and accountability.[11] Most of these principles are reflected explicitly in the IPPs and the NPPs. Although there is no principle in the IPPs or NPPs called ‘Accountability’, aspects of the accountability principle are incorporated in other provisions in the Privacy Act, such as those dealing with investigations of complaints regarding privacy breaches.[12]
18.13 A critical question, faced both by the drafters of the OECD Guidelines and member states seeking to implement the Guidelines, is: what should be set out in general privacy principles and what should be set out in more detailed provisions? The Explanatory Memorandum to the OECD Guidelines states:
The choice of core principles and their appropriate level of detail presents difficulties. For instance, the extent to which data security questions … should be regarded as part of the privacy protection complex is debatable; opinions may differ with regard to time limits for the retention, or requirements for the erasure, of data and the same applies to requirements that data be relevant to specific purposes. In particular, it is difficult to draw a dividing line between the level of basic principles or objectives and lower level ‘machinery’ questions which should be left to domestic implementation.[13]
18.14 John Gaudin has expressed the view that the OECD Guidelines are grounded in the society, technology and culture of the 1970s and that the principles in the Guidelines are insufficiently flexible to accommodate the extensive changes that have taken place since they were promulgated.[14] He has stated that the OECD Guidelines reflect assumptions about the future development of information technology, which are now seen to be limited.[15] Justice Michael Kirby, who chaired the OECD Expert Group on Privacy, has stated extrajudicially:
There appears to be a need to review the 1980 OECD Guidelines, which are already showing signs of their age. Informed writers are already suggesting the necessity for privacy principles apt to contemporary technology … Clearly the ‘openness principle’ of the OECD Guidelines was always one of the weakest. The advent and potential of the internet require that there be new attention to it.[16]
18.15 In addition to the OECD Guidelines, on 26 November 1992, the Council of the OECD adopted the Guidelines for the Security of Information Systems. These further Guidelines aimed ‘to raise awareness of risks to information systems and of the safeguards available to meet those risks’, and ‘to create a framework to assist those responsible, in the public and private sectors, for the development and implementation of coherent measures, practices and procedures for the security of information systems’.[17] Due to the dramatic change in the information technology environment since 1992, those Guidelines were replaced by the OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, which were adopted on 25 July 2002 (the OECD Security Guidelines).
18.16 The OECD Security Guidelines contain nine information systems security principles entitled: awareness; responsibility; response; ethics; democracy; risk assessment; security design and implementation; security management; and reassessment. The awareness principle provides that ‘participants should be aware of the need for security of information systems and networks and what they can do to enhance security’[18] and the response principle provides that ‘participants should act in a timely and cooperative manner to prevent, detect and respond to security incidents’.[19]
Information Privacy Principles
18.17 Section 14 of the Privacy Act contains 11 IPPs. The IPPs were included in 1988, in the original version of the Act, and have not been amended since that time. Until 2000, the IPPs were the only privacy principles in the Act.
18.18 The IPPs regulate the collection, storage, use and disclosure of an individual’s personal information, and provide for individuals to access and correct their personal information. The IPPs apply to personal information handled by Commonwealth and ACT government agencies.[20]
18.19 The Privacy Commissioner has issued a series of guidelines on the interpretation of the IPPs.[21] The guidelines note that:
The IPPs set out minimum standards for agencies. Compliance with the IPPs is a legal obligation, but minimal compliance will not always be an appropriate approach for an agency to take … Especially where sensitive information is concerned, or where mishandling of personal information may have serious consequences, more care to protect individuals’ privacy may be appropriate than is required by the letter of the IPPs.[22]
National Privacy Principles
18.20 Schedule 3 to the Privacy Act contains 10 further privacy principles, the NPPs. Schedule 3 was not part of the original Act. It was introduced by the Privacy Amendment (Private Sector) Act 2000 (Cth).
18.21 The NPPs apply generally to private sector ‘organisations’, unless the organisation in question is subject to an approved privacy code.[23] The term ‘organisation’ is defined in s 6C as an individual, a body corporate, a partnership, any other unincorporated association or a trust. This definition is, however, subject to a number of qualifications, which exempt, among others: individuals acting in a personal capacity; small business operators; political parties; government agencies; and state or territory authorities and prescribed instrumentalities.[24]
18.22 The NPPs regulate the following aspects of the handling and management of personal information: collection; use and disclosure; data quality; data security; openness of data management policies; individuals’ rights of access to and correction of their personal information; the use of identifiers; individuals’ right to maintain their anonymity; transborder data flows; and how sensitive information should be treated.
18.23 The stated objectives of the NPP regime are:
(a) to establish a single comprehensive national scheme providing, through codes adopted by private sector organisations and National Privacy Principles, for the appropriate collection, holding, use, correction, disclosure and transfer of personal information by those organisations; and
(b) to do so in a way that:
(i) meets international concerns and Australia’s international obligations relating to privacy; and
(ii) recognises individuals’ interests in protecting their privacy; and
(iii) recognises important human rights and social interests that compete with privacy, including the general desirability of a free flow of information (through the media and otherwise) and the right of business to achieve its objectives efficiently.[25]
[5] M Kirby, ‘Privacy Protection, a New Beginning: OECD Principles 20 years on’ (1999) 6 Privacy Law & Policy Reporter 25, 25.
[6] Organisation for Economic Co-operation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980), Explanatory Memorandum, [25].
[7] Ibid, preface.
[8] Ibid, Guideline 2.
[9] Ibid, Guideline 6.
[10] Ibid, Guideline 18.
[11] See ibid, Guidelines 7–14. The OECD Guidelines are set out in Ch 1.
[12] See Part F of this Report, which discusses data breach and the powers of the OPC.
[13] Organisation for Economic Co-operation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980), Explanatory Memorandum, [19 (e)]. See also [50].
[14] J Gaudin, ‘The OECD Privacy Principles—Can They Survive Technological Change? Part II’ (1997) 3 Privacy Law & Policy Reporter 196, 199.
[15] See J Gaudin, ‘The OECD Privacy Principles—Can They Survive Technological Change? Part I’ (1996) 3 Privacy Law & Policy Reporter 143, 144.
[16] M Kirby, ‘Privacy Protection, a New Beginning: OECD Principles 20 years on’ (1999) 6 Privacy Law & Policy Reporter 25, 27. The question whether the Privacy Act should be technology neutral is addressed in Ch 10.
[17] See Organisation for Economic Co-operation and Development, Guidelines for the Security of Information Systems (1992).
[18] Organisation for Economic Co-operation and Development, Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security (2002), Principle 1.
[19] Ibid, Principle 3.
[20] See Privacy Act 1988 (Cth) ss 13(a), 16. The definition of ‘agency’ in Privacy Act 1988 (Cth) s 6(1) includes: a minister; a Department; a body established for a public purpose; a federal court; and the Australian Federal Police. This definition is also discussed in Ch 5.
[21] See Office of the Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 1–3: Advice to Agencies about Collecting Personal Information (1994); Office of the Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 4–7: Advice to Agencies about Storage and Security of Personal Information, and Access to and Correction of Personal Information (1998); Office of the Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 8–11: Advice to Agencies about Using and Disclosing Personal Information (1996). The status of guidelines is discussed in Part F of this Report.
[22] Office of the Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 4–7: Advice to Agencies about Storage and Security of Personal Information, and Access to and Correction of Personal Information (1998).
[23] Privacy Act 1988 (Cth) s 16A. See also the relevant Second Reading Speech: Commonwealth, Parliamentary Debates, House of Representatives, 12 April 2000, 15749 (D Williams—Attorney-General), 15749–15750. Privacy codes are discussed in Part F of this Report.
[24] The private sector exemptions to the Privacy Act are discussed in Part E of this Report.
[25] Privacy Amendment (Private Sector) Act 2000 (Cth) s 3.