16.08.2010
3.9 A threshold issue is whether national consistency in the regulation of personal information handling is important. All submissions that addressed this issue strongly supported national consistency.[13] Most focused on how a nationally consistent privacy regime would lessen unjustified compliance burdens and cost. For example, a number of stakeholders emphasised that national consistency is essential to lessen the compliance burden for organisations and agencies that operate across state borders.[14] Others argued that the use of technologies—such as the internet—justifies a harmonised approach to privacy regulation at a national and international level.[15]
3.10 A large number of stakeholders identified that state and territory legislation regulating the handling of personal information in the private sector is a major cause of inconsistency, complexity and costs.[16] In particular, stakeholders submitted that inconsistency in the regulation of health information is creating a number of problems, including a significant compliance burden and cost, and preventing projects that are in the public interest, such as medical research.[17] These problems arise, in part, because the handling of health information in the private sector is regulated by the Privacy Act and state and territory legislation in NSW, Victoria and the ACT.[18]
3.11 Some stakeholders noted, however, that while national consistency is a valuable objective, it should not be pursued to the detriment of the level of protection afforded by privacy legislation.[19] The OPC submitted that:
Consistency does not mean the elimination of multi-layered regulation. In many cases, additional protections that regulate particular sectors, or protect certain information, can enhance privacy (such as privacy codes and secrecy provisions). However, in the interests of all parties, it is critical to ensure these layers are not unnecessary, inconsistent, or poorly interactive.[20]
3.12 State governments and others maintained that the states and territories should be left to regulate the handling of personal information in their own public sectors. These stakeholders emphasised the benefits of having different levels of government to innovate or respond to local conditions;[21] the need for privacy legislation to interact with other state and territory legislation, such as freedom of information and human rights legislation;[22] and the advantages of having a local regulator to handle complaints and provide advice and training programs.[23]
ALRC’s view
3.13 Inconsistency and fragmentation in privacy regulation cause a number of problems, including unjustified compliance burden and cost, impediments to information sharing and national initiatives, and confusion about who to approach to make a privacy complaint. National consistency, therefore, should be one of the goals of privacy regulation.[24] This finding is consistent with the Senate Committee privacy inquiry and the OPC Review, which both concluded that privacy laws should aim to be consistent across Australia.[25]
3.14 The goal of national consistency can be achieved in a number of different ways, including:
the adoption of uniform privacy principles, any relevant regulations that modify the application of the Unified Privacy Principles (UPPs) and relevant definitions used in the Privacy Act at the federal, state and territory level;[26]
the harmonisation of the Privacy Act and other laws that regulate the handling of personal information;[27]
cooperation and coordination between privacy regulators;[28] and
consistency in the coverage of privacy laws—for example, the removal of the small business and the employee records exemptions.[29]
3.15 A nationally consistent privacy regime will ensure that Australians’ personal information will attract similar protection whether that personal information is being handled by an Australian Government agency or a state or territory government agency, a multinational organisation or a small business, and whether that information is recorded in a paper file or electronically. Ensuring national consistency also will assist:
individuals to determine what their rights are and how to enforce them;
agencies and organisations to understand their obligations and how to comply effectively and efficiently with them; and
regulators in managing the possible overlap of functions in some areas.[30]
3.16 The ALRC is also mindful, however, of the need for flexibility in some areas. A number of stakeholders noted that consistency of information privacy regulation across jurisdictions, between the public and private sectors, and between different kinds of business, can only be achieved if the regulation is flexible enough to accommodate the different interests, business practices, and accountability of those subject to the regulation.[31] Some sectors require specific laws when dealing with personal information, for example, the health sector, credit reporting industry and the telecommunications industry.[32]
[13] See Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Cancer Council Australia and Clinical Oncological Society of Australia, Submission PR 544, 23 December 2007; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Investment and Financial Services Association, Submission PR 538, 21 December 2007; Office of the Health Services Commissioner (Victoria), Submission PR 518, 21 December 2007; Australian Taxation Office, Submission PR 515, 21 December 2007; Australian Government Department of Broadband, Communications and the Digital Economy, Submission PR 512, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Australian Industry Group and Australian Electrical and Electronic Manufacturers’ Association, Submission PR 494, 19 December 2007; Queensland Government, Submission PR 490, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; Microsoft Asia Pacific, Submission PR 463, 12 December 2007; Telstra Corporation Limited, Submission PR 459, 11 December 2007; AXA, Submission PR 442, 10 December 2007; Avant Mutual Group Ltd, Submission PR 421, 7 December 2007; National Australia Bank, Submission PR 408, 7 December 2007. See also Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [4.11].
[14] See, eg, Centre for Law and Genetics, Submission PR 497, 20 December 2007; Avant Mutual Group Ltd, Submission PR 421, 7 December 2007; National Australia Bank, Submission PR 408, 7 December 2007; Australian Bankers’ Association Inc, Submission PR 259, 19 March 2007; Australian Federal Police, Submission PR 186, 9 February 2007; CrimTrac, Submission PR 158, 31 January 2007; National Australia Bank and MLC Ltd, Submission PR 148, 29 January 2007; AAMI, Submission PR 147, 29 January 2007; Victorian Society for Computers and the Law Inc, Submission PR 137, 22 January 2007; National Association for Information Destruction, Submission PR 133, 19 January 2007; National Health and Medical Research Council, Submission PR 114, 15 January 2007.
[15] Microsoft Australia, Submission PR 113, 15 January 2007; Office of the Information Commissioner (Northern Territory), Submission PR 103, 15 January 2007.
[16] See, eg, Investment and Financial Services Association, Submission PR 122, 15 January 2007; Microsoft Australia, Submission PR 113, 15 January 2007; Cancer Council Victoria, Consultation PC 75, Melbourne, 5 February 2007.
[17] See, eg, National Health and Medical Research Council, Submission PR 114, 15 January 2007. See also Office of the Victorian Privacy Commissioner, Submission PR 217, 28 February 2007; Telstra, Submission PR 185, 9 February 2007; National Australia Bank and MLC Ltd, Submission PR 148, 29 January 2007; Investment and Financial Services Association, Submission PR 122, 15 January 2007; Australasian Compliance Institute, Submission PR 102, 15 January 2007.
[18] Health Records and Information Privacy Act 2002 (NSW); Health Records Act 2001 (Vic); Health Records (Privacy and Access) Act 1997 (ACT).
[19] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; Electronic Frontiers Australia Inc, Submission PR 76, 8 January 2007.
[20] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.
[21] Government of South Australia, Submission PR 187, 12 February 2007; Legal Aid Commission of New South Wales, Submission PR 107, 15 January 2007.
[22] Office of the Victorian Privacy Commissioner, Submission PR 217, 28 February 2007.
[23] Queensland Government, Submission PR 242, 15 March 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007.
[24] Professor Fred Cate has stated that individuals should enjoy privacy protection that is as consistent as possible across types of data, settings, and jurisdictions: F Cate, ‘The Failure of Fair Information Practice Principles’ in J Winn (ed) Consumer Protection in the Age of the ‘Information Economy’ (2007) 341.
[25] Parliament of Australia—Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005), rec 3; Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), recs 2–7.
[26] See below and Ch 17.
[27] See, eg, Chs 15, 16.
[28] See, eg, Chs 14, 17, 49, 71.
[29] See Part E.
[30] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.
[31] Australian Government Department of Employment and Workplace Relations, Submission PR 211, 27 February 2007. See also, Centre for Law and Genetics, Submission PR 127, 16 January 2007 in relation to health information; and AAPT Ltd, Submission PR 87, 15 January 2007 in relation to telecommunications.
[32] See Part G, Part H, Part J. See also the ALRC’s recommendations in relation to small business in Ch 39.