The Australian Consumers’ Association (ACA) is a not-for-profit,
non-party-political organisation established in 1959 to provide consumers
with information and advice on goods, services, health and personal
finances, and to help maintain and enhance the quality of life for
consumers. Independent from government and industry, the ACA lobbies and
campaigns on behalf of consumers to advance their interests.
The ACA has long advocated and anticipated legislative privacy
protection for Australian consumers – we regard such legislation as a
necessity. We consider that the Privacy Amendment (Private Sector) Bill
2000 makes a good start in defining the principles that should govern the
regulation of the collection and use of personal information in Australia.
However, we feel that the framework for the operation of privacy
protection that is established has flaws that will undermine the good
intentions of the Bill. The self-regulatory regime is not defined as a
co-regulatory model capped by an Authority with real power, serviced by an
complaints office of last resort, but rather as a weak default system and
We also have a number of concerns with the details of the Bill as
relates to Internet use and make specific recommendations for its
improvement from the consumers’ perspective, which are summarised below.
We feel that from an initial goal of simple legislation meshed with a
self-regulatory regime, the shape of the Bill embodies considerable
complexity based in legislative exception and definition, which will
ultimately make the operation of privacy protection opaque and uncertain.
In its current form it will fail to adequately protect the privacy of
The ACA does not object, in principle, to the self-regulatory approach
to the protection of privacy in Australia. However, we recommend three
changes to the framework of the Bill:
1. That the Bill be amended to provide penalties which apply to serious
breaches. There is no enforcement authority to monitor the operation of
the self-regulatory system. In the event of self-regulatory failure, such
an authority should be able to take action, both to redress offences
against individuals and to issue credible penalties against industry
2. That the Bill be amended to provide a mechanism by which decisions
of industry Code Authorities can be appealed to the Privacy Commissioner,
and that his findings become precedents for other Code Authorities. At the
least a system of review under which the Privacy Commissioner can issue
binding interpretation should be provided. In the absence of such an
appeal process, it is our concern that interpretations of what is
reasonable, impracticable, practicable, serious and imminent, frivolous,
excessive, related etc will come to be treated in different ways by
different Code Authorities. This will in all likelihood evolve what might
be termed "privacy silos", where the experience of privacy protection
for a consumer will vary from sector to sector, and even within sectors as
different industry associations create Privacy Codes.
3. The Commissioner should be empowered, and indeed required, to
undertake self-directed research, and their own motion investigations and
audits, extending across the full range of code administration schemes,
not just the default scheme. The Commissioner’s powers to approve, audit
and discipline recalcitrant players are uncertain in the Bill.
4. ACA has serious concerns relating to health provisions in the Bill.
As currently stated in the provisions, the consumer’s right of access to
their health records are substantially undermined by the range of
"exceptions" that can be used to deny access to health records. The
right of access in this Bill is substantially weaker than that under
legislation that gives consumers a right of access to public sector health
It is important that all health records have consistent rules with
regard to access and the right to correct incorrect details. Our
recommendation is that either the health provisions be removed from this
Bill and dealt with under a separate code or health be dealt with as an
enforceable code directly supervised by the Privacy Commissioner
A number of terms used in the Bill are critical to the successful
operation of privacy protection but are undefined. The Bill needs to deal
with them explicitly.
We recommend that Use of personal information be defined as any
operation or set of operations performed on personal data including
collection, recording, organisation, storage, adaptation or alteration,
retrieval, consultation, use, disclosure by transmission, dissemination or
otherwise making available, alignment or combination, blocking, erasure or
destruction, including but not limited to the participation of that
information in a decision to do or to omit to do an act, and the
utilisation of that information in any act. This is particularly relevant
where conditions on ‘use’ are the primary safeguard for the sharing of
data across organisational boundaries. Is it a use of information simply
to store it, in other words to possess it? Does reading or browsing a
record imply use of it, or is it only when action results that use
eventuates? What crystallises use?
We recommend that Purpose be defined to ensure that information
applicable to an individual that has been derived from personal
information collected from the individual is protected to the same degree
in terms of purpose and the operation of the other Non-Primary Purposes.
Does the purpose of information change if it is computer-processed in some
way? For example, if purchasing records are correlated to infer
information about the health status of an individual, what is the purpose
of the information derived?