16.08.2010
Background
32.23 During the course of the Inquiry, stakeholders suggested that a ‘No Disadvantage’ principle or provision should be included in the Privacy Act. That is, a provision prohibiting agencies and organisations from unfairly disadvantaging an individual on the basis that he or she is seeking to assert his or her privacy rights. In the context of the ‘Anonymity and Pseudonymity’ principle, for example, unfavourable treatment may include the organisation charging a fee that only would apply to individuals who seek to conduct transactions anonymously, or withholding a product or service until the individual decides that he or she no longer wishes to conduct transactions anonymously.
32.24 The Privacy Actcurrently does not contain an express ‘no disadvantage’ provision. There is no such provision in the privacy legislation of any other Australian jurisdiction; nor is there such a provision in the OECD Guidelines or in the privacy legislation of other common law jurisdictions, such as the United Kingdom, Canada and the United States. The draft Asia-Pacific Privacy Charter, however, contains a ‘Non-discrimination’ principle that states:
People should not be denied goods or services or offered them on unreasonably disadvantageous terms (including higher cost) in order to enjoy the rights described in this Charter.
The provision of reasonable facilities for the exercise of privacy rights should be a normal operating cost.[30]
32.25 While the Privacy Act currently does not contain a specific ‘No Disadvantage’ provision, some of its provisions are directed towards a similar policy goal. For example, NPP 6.4 states:
If an organisation charges for providing access to personal information, those charges:
(a) must not be excessive; and
(b) must not apply to lodging a request for access.[31]
32.26 A number of the IPPs and NPPs require agencies and organisations, respectively, to take ‘reasonable steps’ to protect individuals’ privacy rights.[32] Where asserting such privacy rights results in unfavourable treatment—for example, through the imposition of a fee—this may indicate that it is not a ‘reasonable step’ on the part of the agency or organisation.
Submissions and consultations
32.27 Privacy advocates supported the addition of a ‘No Disadvantage’ principle.[33] The Australian Privacy Foundation, for example, submitted that this would ‘ensure that data users do not use pricing or other sanctions to deter individuals from exercising their privacy rights’.[34] The Cyberspace Law and Policy Centre stated:
without a broader ‘no disadvantage’ principle, it is all too easy for data users to levy a charge for the exercise of privacy choices and rights, either directly, or by differential pricing, or to impose some other non-financial barrier.[35]
32.28 The Centre accepted that, if such a principle was not included as a separate principle in the model UPPs, the concept usefully could be incorporated into other privacy principles; in particular, through the requirement that agencies and organisations take ‘reasonable steps’ to protect individuals’ information privacy.[36] The OPC also supported incorporating the concept of ‘no disadvantage’ into other privacy principles.[37]
ALRC’s view
32.29 Individuals should not be disadvantaged unfairly by seeking to assert their privacy rights. In the ALRC’s view, however, a separate ‘No Disadvantage’ principle in the model UPPs is not the most appropriate vehicle to achieve this policy outcome. Instead, this concept should be incorporated, where appropriate, into other privacy principles.
32.30 Some privacy principles already include a ‘no disadvantage’ element. In particular, NPP 6.4 prohibits an organisation from charging excessive fees in respect of access to, and correction of, personal information held by the organisation. The ALRC recommends that this provision be retained in the model ‘Access and Correction’ principle.[38] Moreover, agencies currently are not permitted under the Privacy Act to charge individuals for access to personal information that the agency holds about them. The ALRC recommends that this position continue.[39]
32.31 The ALRC also recommends that, if an individual requests access to an agency’s or organisation’s Privacy Policy, the agency or organisation must take reasonable steps to make this available without charge.[40]
32.32 More generally, the ‘no disadvantage’ concept can be incorporated into the privacy principles through the obligation on agencies and organisations to take ‘reasonable steps’ to protect individuals’ information privacy. For example, the ‘Data Security’ principle requires agencies and organisations to take reasonable steps to destroy or render non-identifiable personal information that they no longer need.[41] This requirement should be interpreted to mean that costs associated with destroying or rendering the information non-identifiable should be treated as normal operating costs of the agency or organisation in question, and not a cost imposed on the individual involved.
32.33 Similarly, the ‘Anonymity and Pseudonymity’ principle states that, wherever it is lawful and practicable, agencies and organisations must give individuals the clear option of transacting anonymously or pseudonymously.[42] Implicit in this requirement is that agencies and organisations must not impose unreasonable disincentives on individuals seeking to exercise this option. For example, it would not be reasonable for individuals to be charged a punitive fee for choosing to remain anonymous in their transactions with an agency or organisation.
32.34 Finally, the ALRC’s recommendation, that the Telecommunications Act 1997 (Cth) should be amended to prohibit the charging of a fee for an unlisted (silent) number, is also underpinned by the concept of ‘no disadvantage’.[43]
[30] G Greenleaf and N Waters, The Asia-Pacific Privacy Charter, Working Draft 1.0, 3 September 2003 (2003) WorldLII Privacy Law Resources <www.worldlii.org/int/other/PrivLRes/2003/1.html> at 5 May 2008, Principle 5. A similar provision is included in the Australian Privacy Charter: Australian Privacy Foundation, Australian Privacy Charter <www.privacy.org.au/About/PrivacyCharter.html> at 31 July 2007, Principle 18.
[31] Agencies are not permitted to charge individuals for access to personal information that an agency holds about them. See Ch 29.
[32] See Privacy Act 1988 (Cth): s 14, IPPs 2, 3, 4, 5.1, 7, 8; and sch 3, NPPs 1.3, 1.5, 3, 4, 5.2.
[33] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007.
[34] Australian Privacy Foundation, Submission PR 167, 2 February 2007. See also G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007.
[35]Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.
[36]Ibid.
[37]Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.
[38] See Ch 29.
[39] Charging for access to personal information held by agencies is discussed in Ch 29.
[40] See Ch 24.
[41] See Ch 28. Note also that a similar obligation already applies to organisations: Privacy Act 1988 (Cth) sch 3, NPP 4.2.
[42] See Ch 20.
[43] Rec 72–17.