A History of Privacy in Australia

Roger Clarke

Principal, Xamax Consultancy Pty Ltd, Canberra

Visiting Fellow, Department of Computer Science, Australian National University

Revision of 31 December 1998, updated 8 January 2002 but only in respect of the passage of the appalling Commonwealth Privacy Amendment (Private Sector) Act 2000.

© Xamax Consultancy Pty Ltd, 1998, 2002

This document is at http://www.anu.edu.au/people/Roger.Clarke/DV/OzHistory.html


Introduction

The purpose of this document is to provide a history of privacy in Australia. It can be read serially, but it has been designed in modular fashion, to enable readers with particular interests to go directly to the relevant segment.

If you're looking for the current situation, you may wish to go directly to the segment on the situation in late 1998, followed by that on what's actually needed and then the separate document on current developments.

For definitions of terms used in this document, see my introduction to privacy and dataveillance (Clarke 1997f).

I'm aware of very few sources of information on Australian privacy history. One is a brief review published by the Global Internet Liberty Campaign (GILC) in October 1998.

I'd greatly appreciate notification of additional sources, which I'll reference here.

The main entry-points are as follows:

Context:

The Early Phases of Australian History:

The Late 1990s:

The Situation in late 1998:

The Future:

References:


Context

This section provides information on the setting in which the history of Australian privacy has been played out. It is in three sub-sections, which are in a separate file, in order to keep the file-sizes manageable:


Australian Pre-History

Privacy was not a major item of discussion during the immediate post-war period. This was a time in which recovery, progress, the Communist menace, and the Cold War dominated.

At about the same time as privacy issus were beginning to attract attention in Europe and North America, the wake-up call was issued in Australia by Zelman Cowen (some years later Governor-General), in his ABC Boyer Lecture Series in 1969 (Cowen 1969).


The 1970s

In 1972, the N.S.W. Attorney-General, John Madison, commissioned a report into the law of privacy by a Professor of Law at the University of Sydney. Concerned about the prospect of the then still-nascent computer industry being strangled, the N.S.W. Branch of the Australian Computer Society actively lobbied the Government in an endeavour to prevent the imposition of excessive or inappropriate regulation.

Morrison (1973) approached privacy as an interest rather than a moral or legal right. He concluded that such privacy protections as existed were incidental rather than intentional, and that further study and experience were needed before any substantive legal protections were enacted. To achieve this, he recommended the establishment of a permanent Committee and staff, with responsibilities to undertake research and handle complaints.

The Morison report resulted in the N.S.W. Privacy Committee Act 1975. This created a complaints-investigation and research organisation. Its work is evident in its Annual Reports (NSWPC 1975-), and a long series of research reports and information brochures. An early contribution was a set of information privacy principles designed to provide guidance to organisations using computers (NSWPC 1977).

In April 1976, the Commonwealth Government of the (conservative) Liberal Prime Minister Malcolm Fraser gave the Australian Law Reform Commission a reference to study interferences with privacy arising under the laws of the Commonwealth or Commonwealth Terrritories.

During 1978-79, the OECD Expert Group met to prepare what became the OECD Guidelines. The Chair of the ALRC, Michael Kirby (now of the High Court of Australia) was elected to the Chairmanship of the Expert Group.

For an understanding of the issues that arose during this period, consult the Annual Reports of the N.S.W. Privacy Committee (NSWPC 1975-).


The Early 1980s

The ALRC took in an inordinate length of time to complete its Report (1976-83). As a result, it was not completed during the term of the Government that commissioned it, but was finally presented, in December 1983, to the then quite new Labor Government of Prime Minister Bob Hawke (ALRC 1983). The Government's first responses were cautiously supportive, but the issue had low priority for a new Government whose concerns were dominated by economic matters.

Australia acceded to the OECD Guidelines in 1984, but the momentum had been lost and no significant privacy-protective ctions were taken during this period.

For an understanding of the issues that arose during this period, consult the Annual Reports of the N.S.W. Privacy Committee (NSWPC 1975-).


The Mid-to-Late 1980s

Action was presaged by the Government for the August 1985 parliamentary session, but no Privacy Bill was tabled.

* The Australia Card Campaign, 1985-1987

Instead, the question of privacy became caught up in the maelstrom of a much more divisive issue. The Government committed itself to the introduction of a national, multi-purpose identification scheme, involving a computer-based register, a card, a unique identification number, and reporting and other obligations on all organisations and individuals. In an attempt to imply that to oppose the scheme was to be unpatriotic, it was named the 'Australia Card' scheme. Its stated purposes were to address tax evasion, welfare fraud and illegal immigration. For a summary of the proposed scheme, see (Clarke 1987).

The Privacy Bill 1986 was intricately interwoven with the Australia Card Bill. It was in any case attacked by privacy advocates as being completely inadequate.

The Australia Card Bill was defeated in the Senate, in December 1986 and March 1987, by the combined opposition of the three non-Labor parties. In contrast to the lengthy and emotionally charged Senate debate about the Australia Card, the Privacy Bill debate was restricted to a little over an hour. With the demise of the major Bill, it was left on the parliamentary table.

The Government used the opportunity afforded by the repeated rejection by the Senate of a Bill twice passed by the House of Representatives to call a double-dissolution election. The matter was barely mentioned during the campaign, however. Some months after winning a further term, the Government was overwhelmed by public opinion against the scheme and withdrew both Bills in September 1987. For histories of the Australia Card campaign, 1985-87, see Greenleaf & Nolan (1986), Clarke (1987), Graham (1986), Greenleaf (1987), Smith (1989) and Graham (1990).

* The Privacy Act 1988

During 1988, as an alternative to the withdrawn Australia Card proposal, the Government set out to significantly enhance the Tax File Number (TFN) scheme used by the Australian Tax Office. In order to gain the necessary support of the Senate, the Government introduced a Privacy Bill developed largely from the 1986 Bill. The Act and the Second Reading Speech made explicit reference to ICCPR (1966), OECD (1980) and ALRC (1983).

The Government accepted a number of amendments to it which were proposed by the Opposition. The two Bills were passed in December 1988, the Privacy Act (1988) was promptly submitted for assent, and a Privacy Commissioner was promptly appointed. He was Kevin O'Connor, who served from 1988-1997.

The Act effectively entrenched a great many existing practices within the Commonwealth public sector, but did establish a range of controls over agencies' practices, and has led to a greater degree of openness and confidence among agencies in their dealings with the public. Critically, it established a permanent 'watchdog', the Privacy Commissioner, who operated between 1989 and 1998 within the context of the Human Rights & Equal Opportunities Commission.

It contains some significant inadequacies, documented variously in Clarke (1989) and Clarke (1997b).

The Act's primary focus is the public sector. But it also applied from the very beginning to the private sector, in respect of the handling of the Tax File Number. It was extended in 1989 to consumer credit reporting.

* Rampant Privacy-Intrusive Government Actions

That the Privacy Act was regarded by government executives as a mere palliative to soothe public concerns was made abundantly clear by the rampant privacy-invasive measures undertaken during the years immediately following the Act's passage.

During the period 1989-1990, the TFN's usage was dramatically extended, in direct contravention of the then Government's undertakings (Clarke 1991).

Subsequently, there was an attempt to implement a highly privacy-intrusive scheme called the 'Law Enforcement Access Network' (LEAN) (Clarke 1992b). It was eventually reported to have not proceeded (Greenleaf (1994a). The failure of that project was in no sense a response to privacy concerns, but rather a reflection of Commonwealth-State jealousies and distrust.

Further evidence of the lack of penetration of privacy as a strategic variable in government executive thinking was provided by a 1994-95 Report on a federal government review of I.T. in the Commonwealth public service, called 'Clients First' (Clarke 1995b). This demonstrated abysmal ignorance of privacy issues. It also embodied presumptions that the Privacy Commissioner was a servant of the public sector, and that the privacy regulatory regime was to be adapted to suit the self-perceived needs of government executives.

Symptomatic of the difficulties confronting the Privacy Commissioner was the history of one of the key challenges facing him when he was appointed, which was to get data matching under control. Soon after his appointment, he likened data-matching to 'drift-net fishing'. But the rhetoric could not be matched by action, and he largely failed in that mission:

Executives of government agencies are professionals, and around for the long term. After the first flush of energy of a new Government subsides, Cabinet Ministers are 'easy meat' for their nominal servants. Privacy protection is against the interest of government executives, and their resistance is effective because Privacy Commissioners and even Cabinet Ministers have quite limited real powers.

More detailed documentation of this phase of Australian privacy history is in Clarke (1992).

* Extensions to the Privacy Act 1988

Despite these serious incursions, however, some further progress was made on specific matters. Coverage was extended as follows:

For an understanding of the issues that arose during this period, consult the Annual Reports of the N.S.W. Privacy Committee (NSWPC 1975-).


The Early-Mid 1990s

A long-running enquiry was held by the N.S.W. Independent Commission Against Corruption, relating to unauthorised access to records of the Department of Social Security, N.S.W. motor driver licensing, and the Health Insurance Commission (ICAC 1992. See also Clarke 1992c). This disclosed that serious abuses were occurring, some on a routinised basis, and with tacit approval from and participation of public servants.

The House of Representatives Standing Committee on Legal and Constitutional Affairs deliberated on the matter from 1992 until 1995, producing a report (LCA 1995), reviewed in Dixon (1995). The report proposed that the Privacy Act 1988 be amended to make private contractors liable for observance of the Information Privacy Principles. Like so many other government reports, it was never acted upon.

The N.S.W. Privacy and Data Protection Bill 1994 was introduced. It was heavily criticised (e.g. Greenleaf 1994b, Greenleaf 1994c). It was referred to a Parliamentary Committee, and never heard of again.

In 1995, the Commonwealth Labor Government, within its Innovate Australia Program, committed to legislating privacy protections applying to the private sector generally during 1995. (Under the Australian federal system there are some constitutional limitations, and some sectors are likely to need complementary State legislation; and the States and the Commonwealth seldom collaborate). Labor indicated a clear preference for aspects of what was at that time referred to as 'the New Zealand model' (NZ 1993), and in particular the enactment of statutory general principles and the creation of subsidiary industry and activity codes. See Greenleaf (1995b).

During the remaining 18 months leading up to the next election, no further action occurred, but privacy legislation remained in the party platform. Labor lost power to the Coalition in March 1996.

For an understanding of the issues that arose during this period, consult the Annual Reports of the N.S.W. Privacy Committee (NSWPC 1975-) and of the Privacy Commissioner (PCA 1991-).


Private Sector Excesses
* The Private Sector Generally

The focus during the 1970s and 1980s had been primarily on protection against abuses by the public sector. A primary reason was that public concerns were considerable (particularly following the Australia Card debacle, and because Commonwealth government agencies are among the world's leaders in the application of information technology, but in many cases have a cavalier attitude to the privacy of their 'clients', and in practice stress social control over service goals). An oft-repeated statement was that governments should gain experience in regulating their own practices first, before imposing regulation on the private sector.

During the 1990s, public concerns about private sector practices increased considerably. Important areas in which issues assumed greater prominence included debt collection, banking, insurance, direct marketing and telecommunications. From the mid-1990s, privacy aspects of the Internet in general, and of the World Wide Web in particular, were the subject of growing public nervousness.

* Telecomunications in Particular

Advances in telecommunications gave rise to a number of particularly privacy-intrusive practices (Raiche 1994a, Raiche 1994b, Greenleaf 1994d, Greenleaf 1994e, Smith 1995, Waters 1997, Raiche 1998).

A case study of the exercise in power is provided by Calling Number Display (CND) - also called Calling Line Identification (CLI), which was foisted on Australians during the latter part of the 1990s. Background to CND is provided by Robin Whittle's materials, at http://www.ozemail.com.au/~firstpr/cnd/

CND has some marginal social benefits, compared with some very substantial social costs. It has been deployed in Australia because telephone companies have seen it as a means of extracting revenue from consumer marketing corporations. Those companies apply it because it enables them to detect the incoming telephone number, and thereby:

The serious privacy concerns about CND were trampled upon in the rush to satisfy the needs of marketing interests. Because it was pursuing its strategy to divest itself of public assets, the Government supported anything that might increase Telstra's sales value. Successive, largely powerless committees proved completely unable to exercise any control over Telstra, which rode roughshod over the privacy interest. For example, Telstra gagged the advisory panel, refusing to permit them to communicate to their constituencies the actual 'public awareness' statistics. See Whittle (1996a, 1996b), Waters (1997) and Dixon (1997, 1998).

The CND debacle provides a case study in the abuse of power by a corporation that is not subject to effective privacy regulation. The public is heartily cynical about nominal self-regulation by powerful organisations whose primary role in life is, by definition and of necessity, not corporate citizenship, but rather long-term profit-making.

That Telstra is prepared to use its market and political power in relation to privacy matters more generally is attested to by the "rather muted endorsement of its privacy policies" that it gained from its privacy audit in 1995. For a report which concludes that "Telstra fails on the litmus test privacy principles - identifying purpose, obtaining consent, and internal use", see Haynes (1996) and Greenleaf (1996d).


Unsympathetic Commonwealth Government Ideology
* The 'Co-Regulation' Policy of March 1996

During the March 1996 federal election, both sides of politics had committed themselves to the passage of privacy regulation for the private sector. The new Government's platform included reform of privacy laws as "a matter of the utmost priority". The Coalition's platform had used the highly descriptive term 'co-regulation' to refer to the model supported by privacy advocates, business and government regulatory agencies alike. See Greenleaf (1996a)

On 12 September 1996, the Attorney-General, Darryl Williams, announced the direction of the Government's reform agenda for privacy in the private sector (Williams 1996). A Discussion Paper was published, as a basis for consultation between September and the end of November 1996. Explicit reference was made to New Zealand's 1993 legislation.

The Discussion Paper envisaged a set of Principles (related to those in the present Act) , and empowerment of the Privacy Commissioner to promulgate detailed Codes for particular industries. These Codes would be negotiated with industry associations, with public participation in the development process. A critique is provided in Clarke (1996d).

Over 100 submissions were received. They evidenced a consistent theme that uniform national legislation was essential (Greenleaf 1997a).

* The March 1997 Renege

In March 1997, however, the Prime Minister declared, seemingly without consulting with his Attorney-General, that there would be no such legislation. The justification was costs to business, particularly small business, and it appears that lobbying by the Chief Executive of the Australian Chamber of Commerce and Industry (ACCI), Mark Paterson, was intrumental in achieving the sudden policy turnaround.

This renege of an element of the Government's election platform was one of many, which it excused on the grounds of being 'non-core' promises.

The Prime Minister requested (or arguably directed) the Privacy Commissioner to produce a set of 'National Principles', which were to guide businesses and industry associations in their establishment of self-regulatory arrangements, which, it was asserted, would be effective, and cheaper than a statutorily-backed scheme.

The matter was examined in Greenleaf (1997b).

* Severe Budget Cuts, 1996-98

The Coalition Government of March 1996 to October 1998 was dominated by rationalist-economic ideology, and severe budgettary cuts were imposed on the Commonwealth public sector generally. The Human Rights & Equal Opportunities Commission (HREOC), a Labor creation, and a reflection of social rather than economic values, suffered substantial cuts.

During 1998, the decision was announced that the Office of the Privacy Commissioner was to be separated from HREOC. The savage cuts (of the order of 40%) were applied nonetheless. Moreover, no additional funding was provided to enable the Privacy Commissioner to undertake the Prime Ministerially-imposed provision of guidance to the private sector. This further harmed the Commissioner's already seriously weakened capacity to deal with her Office's core responsibilities relating to the public sector.


The Privacy Commissioner's Principles

In compliance with the Prime Minister's request, the Privacy Commissioner conducted a consultation process was conducted during 1997. The privacy advocates initially boycotted the process, on the grounds that a set of principles that was not backed by statutory authority was worthless. Inadequacies of the process were documented in Clarke (1997h). The Privacy Commissioner separated the question of enforcement from that of the statement of principles, and with all parties agreeing that the principles would be neutral as regards the manner of implementation, the privacy advocates agreed to participate in the process.

The Privacy Commissioner issued a Consultation Paper (PCA 1997), which was re-published in Greenleaf (1997c). Consultations ensued.

On 20 February 1998, the Australian Privacy Commissioner released a document entitled 'National Principles for the Fair Handling of Personal Information' (hereafter FHIP). These were reviewed at length in Greenleaf & Waters (1998).

There are many ways in which the FHIPs are a conventional implementation of the OECD's 1980 framework. Unfortunately, however, not all voices in the consultations were accorded equal force, and as a result they contain a number of important deficiencies that need to be addressed before they are applied. These are detailed in Clarke (1998b). A summary is in Greenleaf (1998b).

During 1998, the Privacy Commissioner has conducted consultations in relation to the implementation of the principles. The privacy advocates have boycotted these consultations, on the grounds that implementation through purely self-regulatory arrangements are worthless.

In late 1998, the Privacy Commissioner held consultations to consider whether changes were needed to the Principles. The inadequacies of the document were presented by privacy advocates in consolidated form. Under pressure from industry advocates, the Privacy Commissioner chose to make very limited, and inadequate amendments.

As a result, privacy and consumer organisations have withheld endorsement of the FHIPs, and may yet reject them (Greenleaf 1998b).


The Privacy Amendment (Private Sector) Act 2000

Between the end of 1998 and the end of 2000, the Government undertook a series of steps that at first appeared potentially positive for privacy in Australia, but transpired to be extremely bad for privacy.


* Government Policy Turnaround, late 1998

During the latter part of 1998, particularly after the election in October, a series of industry associations publicly urged the government to implement 'light-touch' legislation. The situation was summarised in 'The Australian Financial Review' of 24 November 1998.

In 'The Age' of Friday 27 November 1998, and on page 1 of 'The Australian's Computer Pages of 1 December 1998, the Minister for Communications, Information Technology & the Arts, Senator Richard Alston, signalled a commendable turnaround in the government's policy. Speculation was rife that a paper was to be tabled in Cabinet soon, with draft legislation in the short-to-medium term. On 9 December, 'The Australian Financial Review' quoted from a Prime Ministerial adviser's letter to an industry association, as follows: "the Commonwealth will be reviewing options for private-sector data protection on a national basis".

On 16 December, a joint Press Release by the Minister for the Information Economy and the Attorney-General announced that "the Government will legislate to support and strengthen self-regulatory privacy protection in the private sector". It is to be "a light touch legislative regime based on the Privacy Commissioner's National Principles for the Fair Handling of Personal Information".

The quality of the regime, and its enforceability, were thrown into immediate doubt, however, by the statement that "The scheme will be based on industry codes and apply a legislative framework only where industry codes are not adopted". In addition, the press release made no mention of any involvement in the process of privacy and consumer advocates and representatives.

Given that the Labor Party Platform proposed a co-regulatory scheme, and the Democrats have always been strongly pro-privacy legislation, it would be reasonable to expect that a reasonable Bill would meet with approval in the Senate.

* Pseudo-Consultative Processes 1999

During March-May 1999, a 'Core Consultative Group', assembled at the invitation of the Attorney-General's Department, met to provide advice to the government on the shape of legislation to regulate the private sector. Tabling of a Bill was originally intended for the second half of 1999. Staff turnover, among other things, resulted in delays, and by mid-August, it was not anticipated that a discussion draft would be available before September 1999.

In September 1999, the Attorney-General's Department released an information paper on the Government's proposed legislation. This largely reflected the outcomes of discussions of the Core Consultative Group, together with the limitations placed on that Group's deliberations by the Government's prior policy decisions. The Department subsequently stated that it received over 50 submissions in response to the paper. The media industry conducted a concerted campaign aimed at ensuring that either the legislation did not proceed, or media use of personal data was exempted from it, in the interests of freedom of the press.

By late 1999, the schedule had been slid back to the first session in 2000. A major media blitz occurred in early December. The Murdoch press started the snowball by publicising the kinds of information that a Packer company intended collating, and storing in a database called InfoBase, run by a large U.S. company called Acxiom, based in Arkansas.

* Release of a Government Bill

On 14 December 1999, the Attorney-General issued a press release, and published segments of the draft Privacy Amendment (Private Sector) Bill, in RTF and PDF formats, together with a an overview, also in RTF and PDF formats.

Submissions were invited by 17 January 2000. He stated that "Government policy is settled in respect of the Bill", so it was unclear what impact submissions could possibly have on the Bill, unless the lobbyist were to speak with a great deal of force. In addition to employee information, media now gain a substantial exemption, health information is subject to a number of qualifications, and the Privacy Commissioner's Principles have been "revised to accommodate legislative language" (which may or may not have been used as an opportunity to modify their effect).

In fact, the Bill completely ignored the outcomes of the 'consultative' processes that the Attonrey-General himself has instigated. Two possible interpretations may have been that the extremist industry associations (especially ADMA, and possibly also ACCI) may have negotiated separately with the Attorney-General; and that the Department of Prime Minister and Cabinet (to which Williams has always been subject) gave its instructions and Williams meekly concurred. Either way, the release of the Bill made a mockery of both the man and the process.

* Passage of the Bill

The Bill was appalling - not merely the world's worst privacy legislation but a downright anti-privacy statute. For detailed critique and submissions, see Submission to the Commonwealth Attorney-General (January 2000), 'Privacy Bill needs much more work' (February 2000), Submission to the House of Reps. Inquiry (May 2000), and Submission to the Senate Inquiry (September 2000).

The Labor Opposition (never a friend of privacy) let it through with minimal changes. It became [in]effective on 21 December 2001. See 'Beyond the Alligators of 21/12/2001, There's a Public Policy Swamp' (October 2001).

The resulting statute is at Privacy Amendment (Private Sector) Act 2000. It became [in]effective on 21 December 2001.

The consolidated 243 pp. of verbiage is at Privacy Act 1988 - complete but unofficial. That consolidation includes the amendments of December 2000, but is not official. Eventually, the official consolidated version is likely to appear at Privacy Act 1988 - official (but currently inadequate).


Other Commonwealth Parliamentary Activities
* The Privacy Amendment Bill 1997

During 1997, Democrat Senator Natasha Stott-Despoja led a campaign in an attempt to embarrass the Government into reestablishing its policy to introduce privacy legislation. This culminated in the tabling of a private member's Bill in August 1997. The Labor Opposition sided with the Government to preclude consideration of the Bill by the Senate Legal and Constitutional Committee (Stott-Despoja 1997).

* Genetic Privacy Bill 1998

In March 1998, Senator Stott-Despoja introduced a Private Members Bill called the Genetic Privacy and Non-discrimination Bill 1998. This addresses collection, use and disclosure issues relating to measures of human DNA. The matter was referred to the Senate Legal and Constitutional Committee.

* Outsourcing

In 1996-97, in line with its rationalist-economic credentials, the Commonwealth Government pursued a major programme of outsourcing of government I.T. services. At first, the initiative contained no commitment to ensuring appropriate privacy protections. Immediate reactions by privacy advocacy groups (Dixon 1997, Clarke 1997d), reported by the media, wrung out a change in policy from the Minister for Finance.

The Privacy Amendment Bill 1998 was introduced, to extend the provisions of the Privacy Act 1988 to companies to which government agencies' data processing is outsourced (Waters 1998b). The Amendment Bill was tortuous in the extreme, and the inevitable weaknesses and limitations are accordingly very difficult to detect. It is abundantly clear that the draftsman has made strenuous efforts to ensure that there is no accidental increase in the extent of existing privacy protections.

The Bill passed the Government-controlled House of Representatives. In the Senate, where the Government did not enjoy a majority, it was referred to the Senate Legal & Constitutional Committee.

That Committee held public hearings. Submissions included those of myself (Clarke 1998f) and of the Campaign for Fair Privacy Laws (CFPL 1998). Its report was due for completion on 9 September 1998. Parliament was prorogued shortly before that date for the October 1998 elections, because the Government exercised its prerogative to run for a period shorter (in this case by 6 months) than the 3 years for which it was elected. It is not clear whether the report will be published.

In any case, the Privacy Amendment Bill 1998 lapsed with the end of that Parliament.

* The Senate Review

A relatively small proportion of the Senate Committee's time was spent on the Privacy Amendment Bill. The primary questions that were investigated related to the need for statutory regulation of the private sector generally.

Relevant submissions included mine at Clarke (1998f), (Clarke 1998h), and that of the Campaign for Fair Privacy Laws (CFPL 1998).

There appeared to be a very high likelihood that the Committee would have concluded, by majority, with Government members in the minority, that legislative action was essential. It is highly unlikely that this would have made any difference, but the report may have been a useful summary of the state of play in mid-late 1998.

Hansard is available for the public hearings in Brisbane on 27 July, Sydney on 28 July, Melbourne on 29 July, and Canberra on 5 August 1998.

Developments since late 1998 are continued in a companion document.


Private Sector Codes

There has been some degree of activity among industry associations during recent years. Purely self-regulatory schemes have proven themselves to be worth almost nothing, because consumers by themselves have insufficient power and persistence to enforce conformance. On the other hand, industry codes that are negotiated among all stakeholders, and are subject to effective sanctions, are an essential part of the co-regulatory scheme that all parties (except the Government of 1997-98) regard as being necessary and inevitable.

Examples of industry codes include the following:


N.S.W.

Through the 1990s, successive N.S.W. Attorneys-General made approximately annual promises to introduce legislation. A 1994 Bill was entirely inadequate, and was in any case still-born. In 1996, the commitment, reported on in Greenleaf (1996b), extended to the naming of the Privacy Commissioner-designate (Chris Puplick, previously a Liberal Senator, and long involved with civil rights matters, and for many years the N.S.W. Anti-Discrimination Commissioner).

Finally, on 17 September 1998, a Bill was tabled in the Legislative Council and given a second reading. It would replace the long-standing Privacy Committee with a Privacy Commissioner who would continue to exercise the same kind of investigative and reporting functions as the Committee.

In addition, the Bill contains a set of enforceable information protection principles that would apply to public sector agencies and to IT outsourcing providers, but otherwise not to the private sector. Agencies would be able to develop privacy codes with input from the Privacy Commissioner, in order to vary the principles. There is a very wide range of exemptions to the principles. There are also provisions for restricting disclosure of personal information from public registers.

The Bill would also implement recommendations of the Independent Commission against Corruption's 'Report on Unauthorised Release of Government Information' (ICAC 1992) to penalise corrupt disclosure and trade in personal information held in the public sector.

The Second Reading Speech (Hansard, 17 September 1998, pp. 7598-7601) contained a recitation of the arguments why privacy protection is so important. Unfortunately, analysis of the Bill showed that it to be so completely riven with exemptions as to be worthless. It was decribed as a 'betrayal' by the Australian Privacy Foundation, and was even attacked by the Privacy Commissioner-designate (AFR 1998).

The Government has a slim majority in the lower house (the Legislative Assembly), and is in minority in the upper house (the Legislative Council). Because the Attorney-General is a member of the uppoer house, that is where the Bill has been introduced. The Bill has been savagely attacked by advocates because of its inadequacies. Given that opposition, the Government may have some difficulties in getting the Bill passed, at least in its current form.

Developments since late 1998 are continued in a companion document.


Victoria

Virtually nothing of consequence in relation to privacy protection appears to have occurred in Victoria until the mid-1990s. Then, in mid-1996, the Government announced the formation of a Data Protection Advisory Council (Greenleaf 1996c). The initiative was driven by the motivation to ensure that impediments to the adoption of multi-media, electronic commerce and electronic services delivery were overcome.

This Council recommended the form of legislation to regulate the public, and probably also the private, sector. It reported to the commissioning Minister, Alan Stockdale, on 20 December 1996. [Declaration of interest: I was a member of that Council].

Shortly afterwards, in March 1997, the Prime Minister reneged on his party's election promise. He requested State Premiers not to introduce laws regulating the private sector, but to instead rely on self-regulation based on the Principles that he had requested the Privacy Commissioner prepare.

As a result, the tempo eased for some time. Following the publication of the Privacy Commissioner's FHIPs in February 1998, the Victorian Government re-asserted its intention to legislate. In July 1998, it published a Discussion Paper ( MMV 1998). It is assessed in Greenleaf (1998a).

My Submission to the Victorian Minister for I.T. & Multimedia, Alan Stockdale, concluded that "The privacy-protective regime described in the Discussion Paper has many excellent features. It has three very serious weaknesses, which would undermine public acceptance if they were not addressed, together with a number of additional weaknesses of consequence" (Clarke 1998g).

The three very serious weaknesses are in the following areas:

Progress with the preparation of the Bill was suspended during the election campaign of August/September 1998.

Developments since late 1998 are continued in a companion document.


Other States and Territories
* The A.C.T.

The Commonwealth Privacy Act 1988 also applies to the public sector in the Australian Capital Territory. This is because, when self-government was imposed upon it, the A.C.T. chose to sustain for its citizens the public sector regulation previously afforded by the Commonwealth Act.

In February 1998, the Health Records (Privacy And Access) Act 1997 came into effect. This provides A.C.T. residents with comprehensive information privacy rights in respect of all personal health information, held in both the public and the private sectors. See Waters (1998a).

This legislation was in response to the Breen v. Williams case, which had established in the High Court of Australia in November 1995 that patients have no legal right to access to the records about them held by medical practitioners (Gaudin 1996).

Developments since late 1998 are continued in a companion document.

* Queensland

An ineffectual attempt to regulate credit reporting was made in 1971. A statutory Committee which operated from 1984 until 1992, but appears to have achieved very little. Nor did the Fitzgerald enquiry into corruption in the late 1980s provide any momentum. A brief review is at Mason (1995).

In 1996-97, a Committee of Queensland's unicameral parliament succeeded in broadening the terms of reference of an inquiry into the law of confidence into a privacy enquiry (QP 1997). The Committee subsequently published a very reasonable report, and recommended privacy legislation ( QP 1998). See also Newton (1998).

The Government quickly decided to do precisely nothing. The one tiny outcome was that the Scrutiny of Legislation Committee is now explicitly authorised to consider privacy when reviewing regulations.

* South Australia

Very little of consequence appears to have occurred in South Australia.

* Western Australia

Very little of consequence appears to have occurred in Western Australia.

* Tasmania

Very little of consequence appears to have occurred in Tasmania.

* Northern Territory

Very little of consequence appears to have occurred in the Northern Territory.

Developments since late 1998 are continued in a companion document.


The State of Australian Law in Late 1998

Privacy has multiple dimensions, including privacy of the person, of personal behaviour, of personal communications, and of personal data.

* Privacy of the Person

As regards privacy of the person, there appear to be very limited protections. This area intersects with civil rights more generally.

The N.S.W. Privacy Committee can investigate complaints relating to invasions of privacy of the person, but has very limited powers to do anything as a result of unreasonably actions. In principle, it is limited to matters that are subject to the jurisdiction of N.S.W. No other body currently has even that limited capability.

* Privacy of Personal Behaviour

As regards privacy of personal behaviour, there may be some legislation that affects video-surveillance, but such protections as do exists are highly inadequate. There appears to be very little at all that protects against unreasonable incursions by the media. The Press Council and AJA are classics of self-regulation, providing next-to-nothing beyond the ability to say that something exists.

The N.S.W. Privacy Committee can investigate complaints relating to invasions of privacy of the person, but has very limited powers to do anything as a result of unreasonably actions. In principle, it is limited to matters that are subject to the jurisdiction of N.S.W. No other body currently has even that limited capability.

* Privacy of Personal Communications

This is subject to the Telecommunications Act, the Telecommunications (Interception) Act, (perhaps someday) some Codes under the Telecommunications Act and ACIF arrangements, and to some extent the Telecommunications Industry Ombudsman.

Combined, these provide very limited and very patchy coverage of the needs.

The N.S.W. Privacy Committee can investigate complaints relating to invasions of privacy of the person, but has very limited powers to do anything as a result of unreasonably actions. In principle, it is limited to matters that are subject to the jurisdiction of N.S.W. No other body currently has even that limited capability.

* Privacy of Personal Data

Some limited intrinsic protections exist. These include economics (i.e. invading privacy costs money), political factors (e.g. negative media exposure might cost the perpetrator credibility with an important constituency), and social factors (e.g. employees may feel discomfort in invading the privacy of their employers' clients; and professionals may be prevented by their Codes of Ethics from some kinds of behaviour). There is little evidence, however, that such factors act as a significant control on privacy invasions.

There are also a number of largely accidental protections in the common law, such as the torts of confidence and passing off. Studies during the last thirty years have shown that these protections are limited in scope, complex, and of negligible effect.

For reviews of the law in Australia, see:

The primary Commonwealth laws are:

The primary N.S.W. law is the N.S.W. Privacy Committee Act 1975, which established the N.S.W. Privacy Committee. This Committee and its staff have made major contributions throughout its history, but it has been chronically under-funded and largely ignored by the State Government. Under the Privacy and Personal Information Protection Bill 1998, the Privacy Committee and its staff would be disestablished, and replaced with a Privacy Commissioner and an associated Office.

In the A.C.T., the primary laws are:

There appear to be no statutes of consequence in any other State or Territory.

Developments since late 1998 are continued in a companion document.


The State of Public Concerns

The level of public concern about privacy matters is high, and increasing. Further information can be found in a reference list of surveys of the attitudes in Australia (Clarke 1998i).

Evidence of the long-standing high levels of concern among the Australian public is provided in Clarke (1987), PCA (1995), Clarke (1996c) and MasterCard (1996, reviewed in Clarke 1997a). Of particular significance were the findings (PCA 1995, summarised in Clarke 1996c) that, even during the early 1990s:

For an understanding of current issues, consult recent Annual Reports of the N.S.W. Privacy Committee (NSWPC 1975-) and of the Privacy Commissioner (PCA 1991-).

A mature public interest advocacy community exists, centred on the Australian Privacy Foundation, and comprising many groups and individuals with interests and competence in specific areas. For an outline of the structure, see the Australian Privacy Foundation and Campaign for Fair Privacy Laws.

In addition to general privacy protections, public pressure is building for specific, targeted legislation in relation to particular threats such as video-surveillance in the workplace and in public spaces, and in relation to specific industry sectors such as health care, direct marketing, insurance and banking.


The State of Political Understanding

Politicians have been progressively discovering that privacy is a potentially major political factor.

This is evidenced not just by the serious embarrassment caused to the then Government in the Australia Card debacle in 1987, but also by studies undertaken by agencies of Australian governments which have reached similar conclusions (e.g. FBCA 1997, NACCA 1997, JCPAA 1998. See also PLPR 1998). The last of those concluded unequivocally that "the Australian Government should introduce privacy legislation, with specific reference to information communications, to govern the use of personal information in the private sector".

The Prime Minister's stance during the period following March 1997 is unsustainable in the face of the still-growing momentum.


What's Actually Needed
* What 'Co-Regulation' Means

Purely self-regulatory schemes have been given their opportunity, and have failed to deliver. They are inadequate to control the mavericks, in any industry, private or public sector. The inconsiderate actions of the mavericks harm not only the privacy of individuals, but also public confidence. As a result, the reputation and costs of 'fair dealing' organisations suffer as well. In addition, if individual corporations have to demonstrate their compliance with EU standards, those companies will bear higher costs than if the nation were to impose the same conditions through legislation.

Formal regulation brings with it considerable costs and bureacracy. The Privacy Act 1988 is, in any case, an inappropriate model for the private sector. Better alternatives exist, which are capable of satisfying the needs of individuals for protections against abusive behaviour; as well as the needs of 'fair dealing' organisations for protections against the excesses of other companies in their sector; at the same time as ensuring consistency nationwide, and containing costs. It is important to appreciate that no clear demonstration has ever been provided that privacy regulation results in major costs to large or small business, provided that public awareness and education campaigns are conducted, no meaningless registration process is imposed, and phasing-in periods are implemented.

During the mid-1990s, a meeting of the minds has occurred between privacy advocates on the one hand, and industry associations and corporations on the other. The general shape of a workable regulatory regime has emerged. It involves:

I've expressed specifications of what's needed in way of a regulatory regime in the following places:

* Beyond Fair Information Practices

As long ago as the mid-1980s, it was apparent that the OECD Guidelines were inadequate, because they are based on the limited Fair Information Practices notion. I've expressed the areas of shortfall of the OECD Guidelines in several places, including

See:

The Organisation for Economic Cooperation and Development is so far adopting a disappointingly static approach to the relationship between its 1980 Guidelines and the Internet. See OECD (1998) 'Implementing the OECD 'Privacy Guidelines' in the Electronic Environment: Focus on the Internet', Committee for Information, Computer and Communications Policy, Organisation for Economic Cooperation and Development, Paris, 12 June 1998, at http://www.oecd.org/dsti/sti/it/secur/news/


Current Developments

Developments since late 1998 are described in a companion document.


References

This section contains the references for works cited in this document. It is in two sub-sections, which are in a separate file, in order to keep the file-sizes manageable:


Navigation

Go to Roger's Home Page.

Go to the contents-page for this segment.

Send an email to Roger

Created: 10 October 1998 (mainly by consolidating materials from multiple earlier papers of the last decade and more, and bringing them up to late 1998)

Last Amended: 31 December 1998, updated 8 January 2002 but only in respect of the passage of the appalling Commonwealth Privacy Amendment (Private Sector) Act 2000.


These community service pages are a joint offering of the Australian National University (which provides the infrastructure), and Roger Clarke (who provides the content).
The Australian National University
Visiting Fellow, Faculty of
Engineering and Information Technology,
Information Sciences Building Room 211
Xamax Consultancy Pty Ltd, ACN: 002 360 456
78 Sidaway St
Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, 6288 6916