Roger Clarke's Web-Site

© Xamax Consultancy Pty Ltd,  1995-2024
Photo of Roger Clarke

Roger Clarke's 'Privacy and the Media'

Privacy and the Media
The Privacy Needs

Version of 16 January 2012

Roger Clarke **

© Xamax Consultancy Pty Ltd, 2011-12

Available under an AEShareNet Free
for Education licence or a Creative Commons 'Some
Rights Reserved' licence.

This document is at

This is a supporting document for

1. Introduction

As is shown in the primary paper, and in greater detail in a companion document, in 2011, the privacy protections available against inappropriate media behaviour fell vastly short of the public's need.

This document presents the requirements for the effective protection of privacy, balanced against the public interest. The purposes of the analysis are to state requirements, to provide outline arguments in support of them, and to lay the basis for a short-form statement or template code that can be used as a reference-point against which extant and proposed codes can be assessed.

The position adopted in this paper is largely consistent with that of the Australian Privacy Foundation, which has worked on the problem for several years. A long series of sources is listed in the Reference List below. The primary references are (APF 2009 and 2011c).

2. The Framework for Privacy Protection

Privacy protection depends on 'infrastructure within an architecture', more commonly referred to as a framework. The necessary elements are:

  1. Principles and Standards Articulated into Codes
  2. Privacy Protections
  3. Processes for Assimilation and Application
  4. Processes for Review and Redress
  5. A Single Regulatory Body
  6. Legal Authority
  7. A Statutory Cause of Action

The following sections deal with each of those elements in turn.

2.1 Principles and Standards Articulated into Codes

It has long been accepted that the quality of journalism is dependent on respect for a range of principles. For example, the Australian Journalist's Association's Code dates to 1943. Almost every media organisation has some kind of document of this nature. The Privacy Act amendments in 2000, which regulated (some of) the private sector, exempted media organisations provided that they subscribe to a Code. Such Codes deal with many topics, but they all include privacy as a Principle.

What has been less well accepted is that Principles are valueless as a means of protecting privacy unless they are articulated to a sufficient level of detail that they provide guidance to the practice of journalism, and establish criteria whereby the appropriateness of media behaviour can be assessed. In order to be relevant to the hectic operations of media organisations, Principles must be expressed more specifically, in the form of Standards.

However, Principles and Standards are insufficient to solve the problem. Journalists have always worked under time-pressure. Their plight has been exacerbated in recent years by the sharpening of competition, and cost-pressures resulting in fewer resources with which to sustain quality. In these circumstances, more than ever, the Principles and Standards must be expressed in ways and forms that are readily accessible to them.

The appropriate way to achieve this is to ensure that each media professional has a Code available to them that operationalises the Principles and Standards, and is structured and expressed in ways useful to media professionals and that enable them to quickly locate and drill down to what they need.

Two important aspects of a Code are that it be targeted at a specific context, and that it include examples designed to encapsulate accumulated experience in that context. Generally, examples need to be based on real-world situations, including those encountered by professionals working in the particular context and relevant cases that have been determined by complaints-handlers, but some may beed to be contrived in order to convey key aspects of the balancing among interests.

A Code Template that reflects the requirements expressed in this document is a companion document to this analysis.

2.2 Privacy Protections

The Principles and Standards must be primarily protective of privacy rather than of media organisations. They must encompass all relevant aspects of media behaviour, and in particular must cover both data gathering and publication activities. The protections must, however, be balanced against other important interests. Examples include certainty and cost. The most critical of the competing interests, however, is the public interest.

More specifically, the following are Foundation Principles:

  1. Information Gathering:
    1. Personal data must not be sought or gathered, by or for a media organisation, unless a clear justification exists
    2. Personal behaviour must not be observed or recorded, by or for a media organisation, unless a clear justification exists
    3. In either case, the justification must be based on either:
      • consent by the person to whom the data relates; or
      • an over-riding public interest
    4. The nature of the activities, and their degree of intrusiveness:
      • must reflect the nature and extent of any consent provided; and
      • must be proportionate to the nature and significance of the public interest arising in the particular circumstances
  2. Publication:
    1. The identities of individuals, personal data about them, and records of their behaviour must not be published unless a clear justification exists, and any undertaking in relation to anonymity must be respected
    2. The justification must be based on either:
      • consent by the person to whom the data relates; or
      • an over-riding public interest
    3. The content and style of publication:
      • must reflect the nature and extent of any consent provided;
      • must be relevant to the public interest arising in the particular circumstances; and
      • must be proportionate to the nature and significance of the public interest arising in the particular circumstances
    4. Publication cannot be justified based on prior publication alone, whether the prior publication was by another media organisation or by anyone else, including by the individual concerned
  3. Review Processes and Remedies:
    1. Effective complaints-handling processes must be available to people who believe these Principles have not been respected

The interpretation of 'the public interest' is absolutely central to privacy protection. It must not be infected with elements of 'what the public is interested in'. Keating (2010) put it this way: "The public interest means publication or non-publication guided by what is in the interest of the public as a whole, not what readers or an audience might find interesting or titillating".

A definition of 'the public interest' has been used by ACMA since at least 2000, and has recently been adopted by ACMA. It derives from a UK judgement in London Artists v Littler (1969) 2 QB 375 at 391. Lord Denning, then Master of the Rolls, said that "There is no definition in the books as to what is a matter of public interest. All we are given is a list of examples, coupled with the statement that it is for the Judge and not for the jury. I would not myself confine it within narrow limits. Whenever a matter is such as to affect people at large, so that they may be legitimately interested in, or concerned at, what is going on; or what may happen to them or to others; then it is a matter of public interest on which everyone is entitled to make fair comment" (emphases added).

The words "people at large ... may be legitimately interested in" appear to open the scope out to 'what the publuc is interested in' . However, those comments were made in a very specific context. In defamation law, the defence of fair comment is dependent on the comment being made "on a matter of public interest". The term 'a matter of public interest' is very different from the term 'the public interest'. Moreover, a number of statutes use the term 'the public interest', and that term's meaning has to be interpreted in each specific context within which it is used. Any suggestion that Denning's interpretation has any legal authority in the very different context of privacy is entirely spurious. The APC-ACMA definition is emphatically not an appropriate basis for privacy protection.

Another serious inadequacy that is frequently embodied in discussion about the public interest is the loose notion of a 'public figure' and the assumption that a public figure necessarily sacrifices their privacy. On the contrary, people about whom media activities are justified in the public interest need to be considered individually, and compromises of their privacy must be justified in the particular circumstances that apply.

A News Ltd lawyer was quoted in Keating (2010) as saying that "the main problem is 'public interest' is a nebulous concept that is difficult to define and even more difficult to weigh against the circumstances of a case.  It's the practical application that will cause the problems". Keating argued that "Rather than abandoning the public interest, the media needs to put more time and effort into fostering a better practical understanding of the term". Yet, over a year earlier, the APF's Policy Statement had proposed a specific process, and specific interpretations of six public interest elements (APF 2009). The six elements are:

  1. Relevance to the Performance of a Public Office. This encompasses all arms of government, i.e. the parliament, the executive and public service, and the judiciary. The test of relevance is mediated by the significance of the role the person plays. Publication of the fact that a Minister's private life has been de-stabilised (e.g. by the death of a family member, marriage break-up, or a child with drug problems) is more likely to be justifiable than the same fact about a junior public servant. Publication of the identities and details of other individuals involved (e.g. the person who died, or the child with drug problems) is also subject to the relevance test, and is far less likely to be justifiable
  2. Relevance to the Performance of a Corporate or Civil Society Function of Significance. The relevance test needs to reflect the size and impact of the organisation and its actions, the person's role and significance, and the scope of publication
  3. Relevance to the Credibility of Public Statements. Collection and disclosure of personal data may be justified where it demonstrates inconsistency between a person's public statements and their personal behaviour, or demonstrates an undisclosed conflict of interest
  4. Relevance to Arguably Illegal, Immoral or Seriously Anti-Social Behaviour. This applies to private individuals as well as people performing functions in organisations. For example, in the case of a small business that fails to provide promised after-sales service, or a neighbour who persistently makes noise late at night, some personal data is likely to be relevant to the story. Collection and disclosure of other personal data will, on the other hand, be very difficult to justify
  5. Relevance to Public Health or Safety. For example, disclosure of a person's identity may be justified if they are a traveller who recently entered Australia, they are reasonably believed to have been exposed to a serious contagious disease, and their present whereabouts is unknown
  6. Relevance to an Event of Significance. This is challenging, and requires care. For example, a 'human interest' story such as a report on bush fire-fighter heroics, may well justify the publication of some level of personal data in order to convey the full picture. Generally, consent is necessary; but where this is impractical and the story warrants publication, the varying sensitivities of individuals must be given sufficient consideration. This is especially important in the case of people caught up in an emergency or tragedy, who are likely to be particularly vulnerable

Other public interest elements may need to be recognised. However, in the handling of a complaint, any such justification must be argued, and the onus lies on the media organisation to demonstrate that the benefits of information gathering or publication outweigh the privacy interest.

By 'an over-riding public interest' is meant that the public interest must be of sufficient consequence that it outweighs the person's interest in privacy and any other conflicting interests such as public security and the effective functioning of judicial processes

When assessing whether the public interest is sufficient to over-ride the privacy interest, and when assessing proportionality, several additional factors may need to be considered. The following factors have the effect of reducing the zone of privacy protection and increasing the scope for publication and to some extent also for information gathering:

  1. Self-Published Information. Where an individual has published personal data about themselves, that person's claim to privacy in respect of that data is significantly reduced. However it is not extinguished. In particular, justification becomes more difficult the longer the elapsed time since the self-publication took place, and the less widely the individual reasonably believed the information to have been made available. Further, only information published by the individual themselves affects the relevance test, not publication by another individual, even a relative or close friend or associate.
  2. Public Behaviour. Where data about an individual arises from public behaviour by that individual, the person's claim to privacy in respect of that behaviour is reduced. However, public behaviour does not arise merely because the individual is 'in a public place', because there are many circumstances in which people in a public place have a reasonable expectation of privacy. For example, 'public behaviour' does not include a quiet aside to a companion in a public place.
  3. Attention-Seekers. In the case of people who are willingly in the public eye (e.g. celebrities and notorieties), consent to collect and publish some kinds of personal data may be reasonably inferred. But this does not constitute 'open slather', and in particular denial of consent must be respected. Moreover, this mitigating factor is not applicable to the attention-seeker's family and companions.

On the other hand, there are factors that increase the zone of privacy protection and reduce the scope for information-gathering and publication, especially:

  1. Vulnerability of the Person whose privacy is being invaded, and of the people associated with them. Examples include children, the mentally disabled, homeless people, accident victims, and the recently bereaved

2.3 Processes for Assimilation and Application

Principles, Standards and Codes achieve nothing unless they are carried through into practice. To achieve this, the following process aspects are particularly important:

To ensure that new entrants to the profession are well-prepared, the educational processes for journalists must include emphasis on the ethical and legal obligations associated with news-gathering and publication. Within the workplace, induction and training must ensure that journalists have access to, and a clear understanding of, the Code. Periodic reminders and refreshers must be built into journalists' working life-cycles.

There must be unequivocal mechanisms whereby journalists are subject to the Code, in particular the reading of the Code into their terms of employment or terms of contract. Not only the media organisation, but also individuals, must have positive and legally-enforced obligations to apply the Code.

In order to ensure the Code's application, controls must be incorporated into media organisations' workflows, such that sub-editors and editors detect and address breaches by individual journalists and ensure that inappropriate information-gathering practices are clamped down on, and that inappropriate exposure of personal data does not survive through to actual publication.

2.4 Processes for Review and Redress

There must be a positive obligation on media organisations to handle complaints about behaviour by media organisations and by individual employees of and contractors to media organisations. The reference-point for complaints-handlers needs to be the relevant Code, if one exists, or failing that then the Principles and Standards.

Complaints processes must be straightforward and accessible. There is a well-established international standard with which the processes need to comply (ISO 10002:2004). Because the Codes articulate and operationalise the Principles and Standards, most complaints should be able to be investigated quickly and resolved promptly.

The threshold tests for a complaint to succeed must not be set unduly high. In particular:

Serious sanctions must be available when the seriousness of the breach calls for them. But most complainants want an acknowledgement of error, and correction, retraction or clarification. The limited remedies available in print form, such as further publication and letters to the editor are complemented in networked media by such possibilities as changes to the archived copy.

There must be a clear channel whereby those people who are not satisfied with the media organisation's handling of the matter can seek review by an independent organisation, which must in turn have the obligation, the requisite powers, the resources and the commitment to resolve problems, and to impose sanctions where they are deserved.

2.5 A Single Regulatory Body

Self-regulation is an excuse, not a solution. The abject failure of the various self-regulatory models is regularly demonstrated. A recent example is the Telecommunications Industry Ombudsman (ACCAN 2011). Self-regulation cannot be persisted with.

On the other hand, given the importance of the decisions, the fine judgement needed in making them, and the considerable risk of direct or indirect interference in the process by the government of the day or by public servants, a government regulatory agency for the media is not appropriate.

The appropriate governance model is a public regulatory body, with the following elements:

The notion of 'co-regulation' has been much-abused. A properly-implemented scheme, however, offers considerable advantages for all parties. The requirements described in this document reflect the criteria summarised in Clarke (1999).

The risks to privacy are common to all forms of media, and the process of convergence reinforces the need for the regulatory body's scope to encompass all media forms, including all print media, all broadcast media and all networked media, and both private and public sector organisations. The scope definition needs to be expressed broadly in order to ensure that the further new media that will doubtless emerge in the future are automatically within the regulatory body's ambit.

The regulatory body must have the power to determine and promulgate the Principles and Standards and the Codes that articulate them. However, in preparing and revising Principles, Standards, Codes and associated business processes, the regulatory body must have obligations:

There must be a positive obligation on the regulatory body to handle complaints about behaviour by media organisations and by individual employees of and contractors to media organisations. There needs to be a policy that complaints should be first handled by the media organisation whose behaviour is being complained about; but the regulatory body needs to have a discretion to handle complaints at first instance when the circumstances make that a more practicable procedure.

As with internal complaints-handling, the reference-point need to be the relevant Code, if one exists, or failing that then the Principles and Standards; and complaints processes must be straightforward, accessible and compliant with the international standard (ISO 10002:2004). Because a clear framework is in place, most complaints should be able to be investigated quickly and resolved promptly.

The regulatory body must have available to it a comprehensive, gradated range of measures available to it in the form a 'compliance pyramid', with a broad base of education and guidance, mediation and arbitration, together with sanctions and enforcement mechanisms available when necessary to deal with serious or repeated breaches. There must be effective means whereby non-compliance by media organisations with the Principles, the Standards, the Codes or the regulatory body's determinations is subject to further sanctions sufficient to deter other organisations from such behaviour.

The regulatory body must have an obligation to apply the review processes and remedies and to apply them appropriately, and the requisite resources to apply them.

The regulatory body must have the powers necessary to protect the interests of the intended beneficiaries, and to protect itself.

The regulatory body must have the resources necessary to enable it to perform its functions.

2.6 Legal Authority

The regulatory framework must be underpinned by legislation that imposes obligations on media organisations, and both empowers the regulatory body and requires it to operate in a responsible manner.

2.7 A Statutory Cause of Action

A statutory cause of action is a necessary complementary privacy-protection measure. The privacy right of action is not specifically about the media; but it must apply to the media as well as every other individual and organisation. The media must be understood to be just one specific area of application, and one which to which a clear, strong and extensive definition of the public interest defence applies.

The reasons the cause of action is necessary are that:

Many offensive intrusions arise in society generally, including leaks of personal data, surveillance of behaviour, interference with a person's body, and abuse of powers by government agencies. In addition, there are many instances of offensive intrusions by the media. These are of great concern where they affect 'ordinary people', although the scope of the cause of action must also extend to 'celebrities'.

The most desirable form of the cause of action would reflect the following refinements to the ALRC's Recommendations:

The threshold for a successful court action should be higher than that for an administrative complaints process. The 'highly offensive' notion is too high, however, whereas 'offensive' alone is sufficient. There is an argument that the appropriate reference-point may be 'offensive to a person of ordinary sensibilities' rather than 'reasonably causes offence to the person concerned', but only if the assessment is context specific. For example, 'a person of ordinary sensibilities' who just experienced an accident or the loss of a loved one is very likely to be particularly vulnerable and sensitive.


APF (2007a) 'Submission to the Australian Law Reform Commission's Review of Privacy - Answers to questions in ALRC Issues Paper 31' Australian Privacy Foundation, January 2007, at pp. 14-15 of

APF (2007b) 'Submission to 'Australia's Right To Know' Coalition's Independent Audit into the State of Media Freedom in Australia' Australian Privacy Foundation, August 2007, at

APF (2007c) 'Supplementary Submission to 'Australia's Right To Know' Coalition's Independent Audit into the State of Media Freedom in Australia' Australian Privacy Foundation, October 2007, at

APF (2007d) 'Submission to the Australian Law Reform Commission re the Review of Australian Privacy Law - Discussion Paper 72' Australian Privacy Foundation, December 2007, at p. 68 of

APF (2009) 'APF Policy Statement re Privacy and the Media' Australian Privacy Foundation, March 2009, at

APF (2010) 'Privacy Aspects of the ABC Code' Letter to the Managing Director of the ABC, Australian Privacy Foundation, 18 August 2009, at

APF (2011a) 'A Privacy Right of Action' Policy Statement, Australian Privacy Foundation, 21 Jul 2011, at

APF (2011b) 'A Statutory Cause of Action' Submission to PM&C / Attorney-General's Dept, Australian Privacy Foundation, 4 Nov 2011, at

APF (2011c) 'An Appropriate Public Regulatory Body for Media Privacy' Submission to the Independent Media Inquiry, Australian Privacy Foundation, 18 Nov 2011, at

APF (2011d) 'Privacy Guidelines for Broadcasters' Letter to ACMA, 16 Dec 2011, at

APF (2012) 'ACMA's Revised Privacy Guidelines for Broadcasters' Supplementary Submission to the Independent Media Inquiry , Australian Privacy Foundation, 9 January 2012, at

Clarke R. (1999) 'Internet Privacy Concerns Confirm the Case for Intervention', Communications of the ACM, 42, 2 (February 1999) 60-67, at

Clarke R. (2009) It's Time for Guidelines on 'Privacy and the Media' Online Opinion, 18 May 2009, PrePrint at

ISO (2004) 'Quality management--Customer satisfaction--Guidelines for complaints handling in organizations' International Standards Organisation, ISO 10002:2004

Declarations and Acknowledgements

The author has been a Board member of the Australian Privacy Foundation since 1987 and its Chair 2006-12. This paper draws heavily no the APF's Policy Statements, and hence on the work of fellow Board members, particularly Nigel Waters.

Author Affiliations

Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the Cyberspace Law & Policy Centre at the University of N.S.W., and a Visiting Professor in the Research School of Computer Science at the Australian National University.

xamaxsmall.gif missing
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.

From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 65 million in early 2021.

Sponsored by the Gallery, Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916

Created: 14 October 2011 - Last Amended: 16 January 2012 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at
Mail to Webmaster   -    © Xamax Consultancy Pty Ltd, 1995-2022   -    Privacy Policy