PRIVACY INQUIRY - Queensland Parliament

LEGAL, CONSTITUTIONAL ANDADMINISTRATIVE REVIEW COMMITTEE

PRIVACY INQUIRY

SUBMISSIONS RECEIVED

TO

27 AUGUST 1997

LEGAL, CONSTITUTIONAL AND ADMINISTRATIVE REVIEW COMMITTEE

SUBMISSIONS RECEIVED-PRIVACY IN QUEENSLAND

SUBMISSION RECEIVED FROM

1. Adoption Privacy Protection Group (Inc).

2. The Royal Australian College of Medical Administrators

3. J L Morgan

4. Sr Marianne Whyte

5. Mr Noel Barwick

6. Girls' Grammar School, Rockhampton

7. Credit Reference Association of Australian Limited

8. Retailers Association of Queensland Limited

9. Credit Union Australia

10. Bank of Queensland Limited

11. Su-King Hil

12. Ms Kharla Kedgley

13. R C Sadler

14. CONFIDENTIAL

15. Building Services Authority

16. CONFIDENTIAL

17. Gold Coast City Council

18. Queensland Rail

19. Department of Environment

20. Sunshine Coast Rural Landholders Assoc Inc

21. CONFIDENTIAL

22. Residential Tenancies Authority

23. Australian Direct Marketing Association

24. The University of Queensland

25. CONFIDENTIAL

26. The Chiropractors and Osteopaths Board of Queensland

27. Main Roads and Transport

28. WorkCover Queensland

29. Department of Justice

30. P Henderson

31. Logan City Council

32. The Prince Charles Hospital and District Health Service

33. Mr & Mrs R Milne

34. CONFIDENTIAL

35. Department of Emergency Services

36. Australian Bankers Association

37. Federation of Australian Commercial Television Stations

38. The Real Estate Institute of Queensland

39. Australian Press Council

40. Office of the Information Commissioner

41. Mr Alex Bowman

42. Electoral Commission Queensland

43. Australian Corporate Lawyers Association

44. Access Community Housing

45. Anti-Discrimination Commission Queensland

46. Tenants' Union of Queensland Inc

47. Community Housing & Information Centre Inc

48. Insurance Council of Australia Limited

49. American Express

50. Chartered Secretaries

51. CONFIDENTIAL

52. I J Graham

53. Rockhampton City Council

54. CONFIDENTIAL

55. Queensland Nurses Union

56. Department of Training and Industrial Relations

57. Redland Shire Council

58. The Institute of Chartered Accountants in Australia

59. Queensland Chamber of Commerce and Industry

60. The Australian Privacy Charter Council

61. Dept of Families, Youth and Community Care

62. Queensland Council for Civil Liberties

63. Australian Finance Conference

64. Criminal Justice Commission

65. Anonymous

66. Market Research Society of Australian - Queensland

67. Brett Mason

68. CONFIDENTIAL

69. Human Rights and Equal Opportunity Commission - Federal Privacyssioner

70. CONFIDENTIAL

71. G J Seeds

72. Department of Public Works and Housing

73. Credit Union Services Corporation

74. International Commission of Jurists

DEPARTMENT OF

30 July 1997

mergencySERVICES

Judy Gamin MLAChairmanLegal, Constitutional and Administrative Review CommitteeLegislative Assembly of QueenslandParliament HouseGeorge StreetBRISBANE QLD 4000

Dear Ms Gamin

QUEENSEANUGOVERNMENT

Contact Officer: Fiona McKersieTel: (07) 3247 3969Fax: (07) 3247 4094

Our Ref.: s: Ipam.1privacy. iss


5 AUG 1997

Thank you for the opportunity to review and respond to the Privacy in Queensland Issues Paper . Officers of theDepartment of Emergency Services and Office of Sport and Recreation offer the following comments forconsideration.

Any privacy guidelines or legislation considered should be consistent with and linked to the Information AccessPrinciples of the draft Queensland Government Information Access Policy from the Information PlanningBranch, Department of the Premier and Cabinet. Privacy and confidentiality is of major concern whenconsidering information access.

In order for there to be consistency throughout the Private and Public Sector, Queensland requires somemechanism to co-ordinate and enforce privacy legislation. The legislation should complement Commonwealthlegislation and capture the eleven Information Privacy Principles (IPPs) as outlined on page 3 of the discussionpaper.

The issues outlined on pages 10 and 11 of the Privacy in Queensland Issues Paper are addressed below:

Issues with respect to privacy protection

General

1. Are there valid concerns relating to privacy protection which need to be addressed by legislative and/oradministrative action? If so, whatparticular concerns are most pressing?

The current application of s44 of the FOI Act is not subject to the "I neither confirm nor deny" statementregarding the existence or non-existence of documents. In some circumstances this can have the effectof confirming the existence of documentation. This can lead to privacy being breached.

It is important that any Privacy Act does not act contrary to the FOI Act. That is, that it does notcurtail or restrict the information that is currently available under FOI.

2. Is the current law in Queensland adequate with respect to privacy protection?

No.

There are many concerns held with regard to privacy protection in Queensland. Legislation isrequired to protect the individual's right to privacy as both Queensland (and Commonwealth laws)are inadequate especially in view of the rapidly expanding information technology market.

A reference to Privacy legislation in the current FOI Act is needed.

3. Should Queensland introduce one or a combination of the following means of regulation:

• IPPs - Yes, based on the commonwealth model (as on page 6 of the Issues Paper)• Statutory tort of privacy - No• A privacy committee/privacy commissioner - Yes

It is extremely important that the privacy commissioner/privacy committee be independent fromthe Information Commissioner under the FOI legislation. Preference is for a privacy commissionerrather than a privacy committee as the privacy commissioner (as is the Information Commissioner)would be selected on the basis of specialist skills. While the advantages of a privacy committee (asdiscussed on page 5) are acknowledged, it must be seen that a Privacy Commissioner would not beworking in isolation and expert advice would be available on issues such as information technology.

Option - Information privacy principles

4. If IPPs are introduced what information should they provide?

The IPPs should be similar to those of the commonwealth system (page 6). These appear to be verycomprehensive. Any legislation should be carefully drafted to minimize the need for amendmentsto the legislation.

5. Should IPPs be in the form of guidelines or legislation?

While guidelines would allow greater flexibility as opposed to primary legislation with amendmentsbeing time consuming and expensive, it is felt that legislation would allow IPPs to be enforced.Primary legislation should be developed which provides for a regulation making power whichshould if possible provide a head of power for the development of the IPPs by way of subordinatelegislation. Subordinate legislation would allow for greater ease of amendments as opposed toamending primary legislation. Without enforceability, IPPs could degenerate into a "feel-good"project that has no teeth and would therefore be unacceptable in the long term.

6. Should individuals have to pay (a reasonable amount) to exercise their right to privacy?

No

2

Under FOI, no charge is made for applications for documents which relate to the applicant'spersonal affairs . It would appear inconsistent if one piece of legislation was to charge a fee for aperson to protect their personal affairs while other legislation (eg. FOI Act) already adoptsprinciples which protect personal affairs at no cost. No doubt the cost of this regulatory regimewould be a factor for consideration.

7. Would the costs associated with IPPs outweigh the public benefit flowing from their

implementation?

Until a Regulatory Impact Statement/cost benefit analysis is developed, the Department is unableto comment on this question.

Option - A privacy commissioner/privacy committee

8. If an office of the privacy commissioner/ committee is established:• how should its independence be ensured;

Preference would be for a separate Privacy Commissioner or Council underpinned by legislationwhich sets forth IPPs. FOI should remain as a quite separate legislative regime. The Privacycommissioner/committee must be seen to be independent.

• should the office be accountable to the Parliament;

Yes

• should the office be combined with that of the Information Commissioner or any other officer?

No. See comments above.

10. What powers should a privacy committee%ommissioner have? For example: Should these includethe power to:

• Enforce IPPs through sanctions such as fine/disciplinary actions?

Yes

Although fines and/or disciplinary actions can lead to court action and associated costs, it isconsidered that some form of deterrent is essential. Penalty Units should be imposed.

11. Would the costs associated with an office ofprivacy commissioner/committee outweigh the public

benefit fowingfrom the establ ishment of such an office?

Until a Regulatory Impact Statement/cost benefit analysis is developed, the Department is unable

to comment on this question.

3

Scope of a privacy regime

12. Should privacy regulation apply to the privacy sector as well as the public sector?

Yes

13. Should privacy regulation apply to government owned corporations?

Yes

14. Should privacy regulation apply to local government activities?

Yes

Officers of the Department were unanimous in their decisions for Q.12-14 that privacy regulationshould apply across the board. An individual's right to privacy should not be dependent on which

body they are dealing with.

15. Would the costs associated with privacy regulation ofthe private sector;government owned corporations;local, government activities;outweigh the public benefit to be gained by that regulation?

Until a Regulatory Impact Statement/cost benefit analysis is developed, the Department is unableto comment on this question.

17. Should there be co-operative arrangements between the states, territories and the commonwealthwith respect to matters such as formal complaints regimes?

Yes.

On an international level, Australia must be seen to have comprehensive privacy laws. This wouldbe facilitated if states, territories and the commonwealth were involved in co-operativearrangements. These arrangements would allow consistency and have the potential to be a cost-

cutting measure.

18. How should any privacy protection interrelate with freedom of information legislation? For

example, should the access to, and amendment of, personal information be regulated by a Privacy

Act alone?

No. However, the legislation needs to be consistent with the FOI Act with respect to definitions

and intent. It is important that a Privacy Commissioner is separate to the InformationCommissioner, as the objectives of the two areas are in contradiction (or somewhat opposed).

4

22 What forms of regulation should be introduced with respect to privacy issues arising in the areasof

• personal privacy, including surveillance (visual and listening) both in public and private places;

• telemarketing and direct marketing;• the workplace;• medical records , including access; and• genetics?

The Ambulance Service Act 1991, section 134A of the Evidence Act 1977 and the FOI Act alreadyprovide a legislative framework for the release of ambulance, fire and other governmental records.

Individuals have a right to know when methods of scrutinising personal information are to beemployed eg. Surveillance of electronic mail. This would enable persons to be aware of suchscrutiny and behave accordingly, or choose not to use the service based on that knowledge.

I trust these comments will be of assistance to the Legal, Constitutional and Administrative ReviewCommittee when considering the Privacy in Queensland Issues Paper.

Yours sincerely

JOHN HOCKENDirector-General

5

LEGAL, CONSTITUT IONAL ANDADAUNISTRATIVE REVIEW COMMITTEE

Z:1 1-UL .19 7RE. PRIVACY PROTECTION

Dear Sir/Madam,

(30/7/97)

We believe that concerns relating to privacy protection are valid,

and that current laws are inadequate.

A combination of regulatory methods would probably be the best

solution, (eg. an independent privacy commissioner/committee, as well

as IP. Principles through legislation.)

The regulation should apply to all areas of Government, state or local,

as well as the public and private sector. Co-operative arrangements

between the states and the commonwealth would be helpful in this regard.

Infringements to privacy laws should carry stiff penalties,including

imprisonment for serious offences.

Self-regulation/ industry codes would not provide adequate protection;

we need uniform legislation.

There is already enough information out there, readily available, and

yet more and more is constantly being sought from us. We are told that

it is for our benefit, but is it all REALLY necessary ? (For example,

the census form, which seems to get more intrusive each time.)

As for any costs incurred in implementing greater privacy protection

measures; these should not be an issue. What can be more important than

an individual's right to privacy ?

Yours Sincerely,

QUEENSLAND HEALTH

THE PRINCE HOSP ITALand DISTRICT HEALTH SERVICE

30 July 1997

The Research DirectorLegal, Constitutional and Administrative

Review CommitteeParliament HouseBRISBANE Q 4000

Dear Sir/Madam

LEGAL, CONS OVAL ANDADMINISTRATIVE REVIEW COMMIT-t?""'

31 JUL197

PRIVACY IN QUEENSLAND

Attached is a submission prepared under the direction of the District Manager, ThePrince Charles Hospital and Health Service District.

The content of the submission is a distillation of views of medically qualifiedadministrators who act as data custodians of clinical data and information andexperienced clinicians.

Should you or the Committee require further information by way of clarification of thecontents of the submission or expansion of the content, I would be happy to providethis verbally or in writing.

Yours sincerely

(J an Collie)edical Superintendent

"To Serve With Honour - To Proceed With Excellence"

Office: The Prince Charles HospitalRode RoadCHERMSIDE 4032

Postal : Rode RoadCHERMSIDE 4032

Phone : 011-61-(07) 3350 8111

Fax: 011 -61-(07) 3359 5756

Department:Medical SuperintendentDr Jean Collie

Enquiries: (07)3350 8226Phone: (07)3350 8825Fax:

Our Ref:

Your Ref:

JC:aa

SUBMISSION

TO

THE LEGISLATIVE ASSEMBLY OF QUEENSLAND

ON


BY THE PRINCE CHARLES HOSPITAL

AND HEALTH SERVICE DISTRICT,

BRISBANE

Submission to the Queensland Legislative Assembly - Privacy in Queensland


AS IT RELATES TO HEALTHCARE

Privacy of health data and information is considered to be a fundamental tenet in the

practice of health care. Health care information has been defined as ". . . any data or

information, whether oral or recorded in any form or medium, that identifies or can

readily be associated with the identity of a patient or other record subject; and 1)

relates to a patient's health care; or 2) is obtained in the course of a patient's health

care from a health care provider, from the patient, from a member of the patient's

family or an individual with whom the patient has a close personal relationship, or

from the patient's legal representative" I. The assurance of patient confidentiality and

privacy enables direct health care providers to work with patients in an open and

trusting environment to achieve optimal health outcomes for the individual patient and

society. The purpose of this submission is to promote a framework where privacy is

valued and protected in the health industry.

The purpose of privacy as a principle is to protect patients from misuse or abuse of

their personal data or information. It is not to restrict access or use of health

information for appropriate and worthwhile activities. The purpose of legislation

should be to enable appropriate use of health information without removing the

protection of privacy for individual patients.

A model for understanding privacy or confidentiality breaches is presented in figure 1.

' Source: Internet address (http://www.arentfox.com/newslett/health/hltle.htm) in article by Sonya

Savkar and Robert L. Waters (1995) Telemedicine -- Implications for Patient Confidentiality and

Privacy, page 1, in referring to The American Health Information Management Association's Health

Information Model Legislation Language definition.

The Prince Charles Hospital 30/07/97 Page 1


Figure 1 Model of breach of confidentiality / privacy

Data / Information

Patient

Secondary users /third party.

Breach of privacy.

Further transmission of Data, Information, KnowledgeThe same test apply to every subsequent transmission

Published means communication through any medium (oral, written, electronic, signs, gesturesetc.) to any person other than the patient concerned.



This model is elaborated by the following points:

1. The patient's data or information is transmitted to direct health care service

providers, e.g. doctors, nurses, clerical staff, pathology staff, medical imaging staff.

2. The data may be then transmitted to secondary users or third party users.

3. The following conditions are necessary for there to be a breach of confidentiality /

privacy:

• The material is confidential, that is, would be considered by an ordinary

person to be confidential or private information. For example: the medical

diagnosis would be considered to be confidential by most ordinary persons,

but saying a patient prefers coffee instead of tea would not.

• The material must be published, that is, transmitted to another person other

than the patient. This can occur through any medium - action, verbal, paper,

electronic, light or radio-wave.

• The material must adequately identify the patient, that is, can be reasonably

demonstrated to be specific to a particular patient.

• There is no informed consent from the patient for secondary user or third

party access to the patient's data or information.

• There is no reasonable sanction or statutory privilege for the secondary user

or third party to access or transmit the data or information. For example,

provision of information in an emergency situation for the benefit of the

patient would be sanctioned even without informed consent, and statutes

permits police access to health information in relation to motor vehicle

accidents, but in non emergency situation and without statutory cover the

same information flow could constitute a breach of confidentiality.

4. Where the material is not confidential, is not published or does not adequately

identify the patient, the question of breach of confidentiality does not arise, that is,

no breach of privacy is possible.

5. Confidential material which is published and adequately identifies the patient does

not breach privacy if the patient has given informed consent for it to occur.



6. Confidential material which is published and adequately identifies the patient does

not breach privacy even if the patient does not give informed consent, if it is

sanctioned on reasonable grounds or by statute.

7. Any further transmission of data, information or knowledge regardless of how it

was obtained, in no breach or in breach of privacy, can lead to further appropriate

use or further transgressions, and the same tests need to be applied to every

subsequent transmission.

RECOMMENDATION

With respect to privacy legislation, it should examine every step and decision in the

model described in figure 1. It is recommended that at each and every step, the issues

of privacy protection and enabling appropriate access should be comprehensively

addressed in the health care context.

The next section provides the view of The Prince Charles Hospital on the questions

posed in the Issues Paper.



RESPONSE TO QUESTIONS RAISED IN THE ISSUES PAPER

GENERAL

1 a. Are there valid concerns relating to privacy protection which need to beaddressed by legislative and/or administrative action?

Yes

lb. If so , what particular concerns are most pressing?

• Protection of patient confidentiality• Authorisation of access to users and potential users of confidential patient

information or data• Managing privacy of patient information in the transition from a paper based to an

electronic/computer base systemCreation of health information databases

=> Linkages between and among health information databases= Specification and use of a unique patient identifier

Information system design and implementation standards for storage andtransmission of sensitive medical dataInformation systems policy for health information

= Access control mechanisms to address security risks= Information audit trail or tracking= Defenses against electronic misappropriation of health information

• Mechanisms for enforcing breaches of patient confidentiality by primary,secondary or third party users

• Guidelines or regulation for non direct patient care users of patient data in both thepublic and private sector

• Informed consent from patient to use their health information• Patient access to their own medical/clinical records• Access by relatives and other parties including legal professionals to clinical

records• Policies and procedures to protect patients' privacy in telemedicine activities


No



3. If not, how should the right to privacy be protected in Queensland? For example,should Queensland introduce one or a combination of the following means ofregulation: information privacy principles (IPPs); a statutory tort of privacy; aprivacy committee/privacy commissioner; or some other means to protect privacy?

Legislation should be drafted to deter and punish deliberate or commerciallymotivated abuse of private information. Gross breaches of privacy should beprosecuted by law.

In addition, information privacy principles should be adopted to set the standard forthe use of private information. Industry, organisations or professions should developtheir own codes of practice consistent with the IPPs.

In addition a privacy committee/privacy commissioner should oversee and implementthe privacy legislation and principles. Specific cases as they arise should be directedto the privacy committee/privacy commissioner for resolution. The role of the privacycommittee/privacy commissioner should also include reviewing the legislation andIPPs as necessary.

The ways that privacy can be protected by information technology should beinvestigated, cryptography, encryption and access control mechanisms are examples.


4. If IPPs are introduced what should they provide?

A legislative guideline to what is a high standard of care and diligence in relation tothe management of health information.


They should be in legislation which organisations should follow and the privacycommittee/privacy commissioner would assure that a mechanism for publicaccountability exists.

6. Should individuals have to pay (a reasonable amount) to exercise their right to

privacy?

No. Ensuring privacy should be the responsibility of the organisation which obtainsthe information.



7. Would the cost associated with IPPs outweigh the public benefit flowing from theirimplementation?

The cost associated with compliance with IPPs could be considerable, however, themeasure of the public benefit is dependent the value the public place on privacy. IPPsas risk management means that benefits are expressed in terms of losses or riskaverted. The measure of risk is dependent on perception of risk, and potentially atleast considerable public risk exists if privacy is not maintained. In general, taking thelong term view and the growing risk associated with the rapid expansion ofinformation technology, the view that cost associated with the implementation of IPPsis not outweighed by the public benefit is advocated.


8. If an office of privacy commissioner/committee is established:• how should its independence be ensured;• should the office be accountable to the Parliament , for example, via a

parliamentary committee (with perhaps responsibilities in relation to matters suchas appointments, suspensions , budgets and strategic reviews); and

• should the office be combined with that of the Information Commissioner or any

other office?

= Independence of the privacy commissioner/committee should be assured bymaking the appointment for a fixed term of seven years, and delineating thespecific conditions in which the position may be vacated. In particular, the ministerrequires two third majority support in the Legislative Assembly to request thegovernor to dismiss the officer at anytime.The office should be accountable to the Parliament on administrative matters butnot on legal principles or interpretations.

= The office should be separate from the information commissioner but work in closeconsultation with the information commissioner on common issues.

9. What functions should a privacy committee/commissioner have?

The education, enhancement, protection and promotion of privacy as a principle andpractice in society. Where privacy as a principle and practice conflict with otherprinciples or practices, the privacy committee/commissioner should advocate orresolve the dispute, such that the privacy outcome optimised. Where there is potentialfor breach of privacy, the privacy committee/commissioner should adjudicate.



10. What powers should a privacy committee/commissioner have? For example,should these include the power to:• enforce IPPs through sanctions such as fine or disciplinary action; and• exercise coercive powers such as powers of access?

=>The privacy committee/commissioner should have the power to interpret theinformation privacy principles, investigate and make judgements on breaches ofprivacy. If the IPPs are legislated then sanctions such as fines or disciplinaryaction are within its direct scope.Coercive powers should be available where a case of gross abuse is suspected orestablished on reasonable grounds.

H. Would the costs associated with an office of privacy commissioner/committeeoutweigh the public benefit flowingfrom the establishment of such an office?

The cost associated with an office of privacy commissioner / committee could beconsiderable, however, the measure of the public benefit is dependent the value thepublic place on privacy. An office of privacy commissioner/committee should have arisk management function. This means that benefits are expressed in terms of losses orrisk averted. The measure of risk is dependent on perception of risk, and potentially atleast considerable public risk exists if privacy is not maintained. In general, taking thelong term view and the growing risk associated with the rapid expansion ofinformation technology, the view that cost associated with an office of privacycommissioner / committee is not outweighed by the public benefit is advocated.


12. Should privacy regulation apply to the private sector as well as the public sector?

Yes.


Yes.


Yes.



15. Would the costs associated with privacy regulation of- the private sector;- government owned corporations;- local government activities;outweigh the public benefit to be gained by that regulation?

This question is beyond the capacity of this submission to give an informed answer.

16. If the private sector is not to be covered, how should privacy regulation apply tobodies performing services which the government has outsourced?

In the relationship with the outsourcing partner, privacy as a principle and practiceshould be reviewed. The risk of breaches of privacy occurring in the privateorganisations should be assessed. If the risk is unacceptable, measures should berequested prior to any further commitment to the relationship. Where the issue cannotbe satisfactorily resolved then alternative outsourcing partners or arrangements shouldbe pursued.

17. Should there be co-operative arrangements between the states, territories and thecommonwealth with respect to matters such as formal complaints regimes?

Yes.

18. How should any privacy protection legislation interrelate with the freedom ofinformation legislation? For example should access to, and amendment of, personalinformation be regulated by a Privacy Act alone?

The privacy protection legislation and the freedom of information legislation shouldremain as separate legislation, however, due care should be exercised in drafting newlegislation to ensure that the two are complementary. Optimising privacy outcomeremains an important priority, though may not the foremost in relation to freedom ofinformation legislation.

19. What additional measures, if any, should be taken with respect to.,- the 1995 European Directive; and- the OECD Cryptography Policy Guidelines?

The European directive and OECD Cryptography Policy Guidelines require a higherlevel of practice than is current required in Australia. With the internationalisation oftrade and rapid information transfer, compliance with these standards would likelyconfer benefits in international data interchange. An empirical study of theimplications of compliance and non compliance is advocated. In general, additionalmeasures to comply with these standards is supported.



Smart cards and electronic banking

20. How should smart cards be regulated? For example, by national legislation, state

legislation or industry codes?

National legislation should be introduced to regulate smart cards.

21. What form of regulation should be introduced with respect to the various types of

electronic banking and cash (not including those systems which use smart cards)?

This question is beyond the capacity of this submission to give an informed answer.

Other privacy concerns

22. What form of regulation should be introduced with respect to privacy issues

arising in the areas of• personal privacy, including surveillance (visual and listening) both in public and

private places;

• telemarketing and direct marketing;• the workplace;• medical records, including access; and

• genetics?

Queensland Health has a "Corporate Clinical Records Policy: On the Retention,Storage and Disposal of Information Relating to Patient Care in Hospitals andCommunity Health Facilities" which directly relates to medical records. Inaddition, the Department has had in place "Privacy Guidelines for Hospital" for anumber of years. These documents may be of interest in the development of

privacy regulations.

= The areas where regulation could be introduced are as follows:

0 Transparency of record keeping, where personally identifiable data are kept,it should also be known and traceable on request.

0 Individuals should have the means of determining what personalinformation has been recorded and how it is used.

0 Individuals should have the means of preventing personal informationobtained for one purpose being used or available for other purposes without

their consent.0 Individuals should have the means of being able to correct or amend

personal information.0 Organisations creating, maintaining, using, or disseminating personal data

must assure the reliability of the data for their intended use and takereasonable precautions to prevent misuses of the data.

0 Limits are placed on the disclosure of specified or sensitive personalinformation to third parties.



0 The third party access to and uses of personally identifiable data should beclarified and specified. Both information and the authority to access shouldbe graded. Only appropriate access to appropriate information should be

sanctioned.

Genetics is a growing area, genetic information should be treated as confidential

health information, with the rights of privacy and not a basis for unlawful

discrimination.

23. Generally, what should be done to ensure that the law keeps abreast with

development in technology affecting individuals ' privacy?

Technology itself is privacy neutral but how the technology is used or abused is of thegreatest concern . The law should via various mechanisms, such as, expert panels,

consultative forums and research , gaze into the future and investigate scenarios sothat a pro-active approach is adopted to preventing the misuse or abuse of privateinformation that is enabled as a result of technological advances.


31Your Ref:

Enquiry Phone: Mr G Tosh (3826 5212)Please Quote File: 110473/128024

LOGAN 30 July 1997CI COUNCIL

Research DirectorLegal, Constitutional andAdministrative Review Committee

Parliament HouseGeorge StreetBRISBANE QLD 4000

Dear Sir/Madam

SUBMISSION - PRIVACY IN QUEENSLAND

WPTOWN: ID: 26343GJT:JMD

LE13AL, C TU MAL ANOADMINISTRATIVE REVIEW COMM1tTF11

31 JUL 1997

Reference is made to the enquiry being conducted by the Legal,Constitutional and Administrative Review Committee on the subjectof Privacy in Queensland. Council submits the following commentsin relation to various matters listed in Issues Paper No 2 datedMay 1997.

GENERAL

The framework for privacy protection should be based on standard,flexible and equitable approaches. In relation to additionalissues not canvassed in the Issues Paper the following commentsare raised:-

i. Protection of health, safety and amenity is in no small wayreliant on the community's sense of civic duty and communitypride. These factors, as well as personal interest, docompel complaints to be made to Council for investigation.The particulars are frequently furnished on the proviso thatcomplainant confidentiality is guaranteed.

ii. The 'powers of entry' provisions of the Local Government Act1993, particularly with respect to investigating complaints,potentially compromise the Council's ability to efficientlyand expeditiously rectify Local Law breaches, and are clearlyunrealistic in areas. (These concerns have been previouslyraised by Council with the State Government).

CONSISTENCY IN LEGISLATION IN ALL STATES OF THE COMMONWEALTH

All communicationsto be addressed to: Privacy Legislation should be consistent for all states and asChief Executive Officers uch should be controlled by the Commonwealth ie "The Pri vacy Act

P.O.Box226 1988 (Commonwealth )" which is based on the Guidelines on theWOODRIDGE Q 4114 Protection of Privacy and Transborder Flows of Personal Data.

This Act could be extended (if the states agree ) to include allLogan City CouncilAdministration CentreWembley RoadLogan Central Q 4114Ph (07) 3826 5555Fax (07) 3808 0014

states of the Commonwealth.

110473/ 128024 - 2

INFORMATION PRIVACY PRINCIPLES

Review Committee

In response to the eleven principles, Council submits that Clause9 be amended to read:-

"9. Allow use of personal information only for relevantpurposes for which it was obtained."

and Clause 11 be amended to read:-

"11. Prevent disclosure of personal information to any otherperson or agency, subject to certain exceptions whichshould be limited to Government agencies ie, Taxation,Health etc."

PRIVACY COMMISSIONER

The Commonwealth also has at its disposal the office of a PrivacyCommissioner who is prescribed a range of functions primarilydesigned to ensure compliance with the Act. This role could beenhanced further to allow for heavy penalties for breaches of theAct, particularly if the Act was to be extended to include thestates and the private sector.

It is evident that the states haven't addressed this issue; theyshould have, hence Council's views that the application of Privacylegislation should be a commonwealth power to give consistency andlegitimacy to individuals privacy on a national basis.

Furthermore, Council supports the establishment by legislation ofa Privacy Commissioner to investigate complaints and makedeterminations in relation to breaches of privacy, and to fulfilla range of developmental and educational roles in respect ofprivacy.

PRIVACY LAW AT THE INTERNATIONAL LEVEL

The discussion paper gives brief comments about Privacy lawsoverseas. Whilst these might be adequate in those countries,Australia has the opportunity of developing its own very tightprivacy laws that have legitimacy and really will protect therights of citizens. They could be a world model if thecommonwealth and states agreed to a centrally controlled andpoliced Privacy Act.

Privacy laws should also extend to the private sector in line withthe eleven criteria in the current commonwealth legislation.

PRIVACY PROTECTION AND FREEDOM OF INFORMATION

Information obtained by banks, insurance companies, hospitals,doctors and indeed any form of business that collects data onindividuals must be kept confidential by all organisations. Thosedetails should not be allowed to be accessed or provided in listsfor such things as telemarketing or direct marketing. However,they should be available to the individuals they concern withoutthe need of an FOI application to check them.

110473/128024 - 3 Review Committee

Access would need to be granted by way of Commonwealthrequirements, ie for taxation, health purposes or, for securityand police related requirements. The legislation and itsadherence to it by all organisations in the public and privatesectors would be policed by the Privacy Commissioner. Anybreaches of the Privacy Act would carry substantial fines to suitthe seriousness of the breach of an individual's or company'sprivacy.

These comments will ensure balance in the debate to enableconsistent and enforceable privacy legislation to be eventuallydrafted. However, it must be at a commonwealth and not a statelevel if it is going to be achievable and workable as well asconsistent across the nation.

PRIVACY AND COMMUNITY WELFARE SERVICE

The Council advises that in relation to community welfareservices, major structural reform of the sector is under way.Governments have been moving to devolve service delivery functionsover the last decade to the community sector. The new developmentis that, increasingly, services will be delivered by privatesector providers. In these circumstances, a fresh set of concernsdoes arise about accountability for information which in manyinstances will concern sensitive personal matters.

CONCLUSION

While Council concurs with most of the opinions canvassed in theIssues Paper under discussion, it trusts that the above commentscontained in this submission are noted and may be of assistance inthe review of Privacy in Queensland.

Should you require any further information in relation to thissubmission, please contact Council's Acting Executive ServicesOfficer, Mr Greg Tosh on telephone (07) 3826 5383.

Yours faithfully

M G PickeringACTING CHIEF,XEZITIVEOFFICER

30.

P Henderson,P 0 Box 70PADDINGTON Q 4064

29 July 1997

The Research Director,Legal , Constitutional and Administrative Review CommitteeParliament HouseBRISBANE QLD 4000

ADMINIS'l`t'iA E REVLEGAL

A;;; 1991

Dear Reader,

MY QPEU-SSJ_BMISSI-G -GN_THE_LSSIZES-PAPE - RLVACY IN UEENSLAND

After receiving a copy of the issues paper No 2, I telephoned the office of ParliamentaryCommittees to ascertain the objectives of the paper.

I was reassured that it was compiled with the intention of appraising the committee ofhow the issue of privacy legislation might be handled ie. not an end in itself.

GENERAL

I have just completed reading the following related issues papers which have beenissued concerning contemporary privacy type issues in this State and in NSW .

1. Review of Police Powers Discussion Paper

2. "Surveillance" (Issues paper number 12 , May 1997) published by the Law ReformCommission of New South Wales (ISBN 0 7313 1010 1).

The QPS issues paper greatly expands your committee 's brief reference to surveillancein paragraph 11 of your paper.

"Surveillance" conducted by private individuals and entities, or by or on behalf ofgovernment is a major trespass across an individual's right to privacy . It needs to becarefully examined in view of the competing interests of differing parties - thetrespassers' rights versus an individual subject's claim to be left alone.

The concept of privacy protection is one which other jurisdictions have thoughtsufficiently complex enough to entrust the evaluation of the consequences to a standingLaw Reform Commission. This is consistent with those other jurisdictions which havebeen grappling with the concept of privacy rights / intrusive police powers for severalyears, including some where troublesome unexpected consequences have arisen fromtheir already enacted privacy legislation.

L.C.A.R.C. 2 of 5 28 July 1997.

New Zealand has attempted to engraft the problems of police powers associated withcovert and overt surveillance on to existing privacy legislation, which in turn had beenengrafted on to that country's earlier Official Information Act (F 0 I).

The issues have been adequately canvassed in a series of fact sheets issued by MrBrian Blane, the holder of the office of Privacy Commissioner in NZ. (Available on theInternet at:

http://io.knowledge- basket. co.nz/privacy/facts/factl 1.htm ).

And of course, the question of computer encryption et al has not yet been resolved byPresident Clinton at USA Federal level. This has been claimed to be due to concernexpressed by that country's law enforcement agencies that they would lose some oftheir present powers to detect and solve serious crime presently aided by their use ofcovert surveillance and wiretapping protocols.

Whilst that is probably a very legitimate concern, the countervailing public concern thatcitizens should not lightly forfeit their right to privacy is just as vital.

Hanging in a prominent National building in Canberra is a mural with the inscription:

"Freedom is like oxygen. One doesn't appreciate how valuable it is until it is takenaway"

The additional proposed police powers do more than merely affect the rights of a citizento maintain personal privacy. They could also enable a coercive agency of the state tooperate within a framework of negative privacy ie hiding behind privacy laws whichmight prevent a citizen from detecting any law enforcement agencies' infringement ofuse of their coercive powers.

This possibility is a dangerous aspect of the concept of negative privacy. I suggest thatthere are presently no proper safeguards in place to superintend the tactical andstrategic operational activities or the intelligence gathering data of the coercive lawagencies of the State of Queensland.

Quis custodiat ipso custodes?

A TASK FOR THE QUEENSLAND-LAWREFQRM-COM_M1SS1QNIn the absence of the E . A. R. C, the Queensland Law Reform Commission would bethe appropriate body to conduct the final "big picture" analysis of privacy concerns. Thiswould prevent unsafe conclusions being drawn in haste , possibly resulting in thepremature grant of additional (and unbridled) coercive powers to the Queensland PoliceService or the Criminal Justice Commission.

L.C.A.R.C. 3 of 5 28 July 1997.

If these powers were to be prematurely granted, costly detriment to both the lawenforcers and to citizens could ensue.

From the Courts Reform Amendment Bill 1997 one can detect that the executiveaccepts the Queensland Law Reform Commission as the competent body to examineand appraise the need for this novel law. Certainly the Commission's previous reportsillustrate its fitness for the task.

It is my view that the Queensland Law Reform Commission should be commissionedto conduct a comprehensive analysis of all the issues after it has received informedpublic submissions in response to a fully comprehensive issues paper.

RESPONSES TO ISSUES RAI ED.JNT_HE_P_RE_SENT_P_APER

12.1 Provisions would be needed to:

(A) prevent the misuse or abuse of coercive powers by crown employees or by theircontractors. le private contractors receiving data held by government. Currently, privateenquiry agents associated with government are exempt from registration pursuant tothe Security Providers and Crowd Controller's legislation. Any person engaging inprivate surveillance work should be appropriately registered, whether acting as a privateor government operative. They should be in no different position from other governmentlicensees i.e. Real Estate Agents. There should be no exemption for those working asservants or contractors of the government as there is at present.

(B) prevent public officials from creating and preserving public documents whichdeliberately would attract a claim for privilege or for exemption from access under FOIlegislation or from discovery in the Court processes.

(C) prevent one agency of government providing collected data to benefit anotheragency of government against the interests of the subject, directly or through the lawofficers of the Crown.

(D) allow equal access by individual and government alike to public search repositories.Motor vehicle registration details are currently provided to QPS , governmentdepartments and to contributors to CITEC and to Solicitors. But a member of the publicis not allowed this access. The QueenslandTransport Department currently refuses thataccess on the "grounds of privacy" (quite unlawfully). Citizens should be able to accessthese records by CITEC's searchcall facility as they do for records from the Departmentof Natural Resources. A user of searchcall has to provide identification anyway sothere is no exceptional loss of privacy. A police officer can instantly ascertain the ownerof a vehicle involved in a mishap. A citizen can't . A citizen could help the police byidentifying an offending vehicle well ahead of the extended call out time - and at theirown expense!

L.C.A.R.C. 4 of 5 28 July 1997.

12.2 The law is inadequate but it should not be prematurely changed, without acomprehensive analysis of the issues.

12.6 No

12.8 By creating a standing tribunal with its members to be selected from an equalcombination of private and government panel members. They should be obliged toelectronically record (tamper proof) and deposit contemporaneous record ofapplications. Panel members to be sworn to secrecy. Limited tenure should apply toprevent build up of institutionalised status. The tribunal should be accountable to aParliamentary Committee with equal bi partisan representation.

The office of Privacy Tribunal should be entirely separated from that of the InformationCommissioner, which in turn should be separated from that of ParliamentaryCommissioner for Administrative investigations (Ombudsman).

The last report by the E. A. R. C on Review of administrative Decisions (Q I C A R)1993 per David Solomon - recommended that no determinative power be vested in theOmbudsman, because that power was inconsistent with the nature of theOmbudsman's reporting relationship with Parliament.

The offices of Ombudsman, Information Commissioner and the office of PrivacyTribunal should each be discrete and mutually exclusive.

10. Any coercive powers of the tribunal should be restricted to being againstGovernment agencies and only then upon reasonable suspicion of the concealment ofdocuments to which an applicant entitled to access or disclosure is being denied thataccess.

12. No

13 Yes

14 yes

16 By automatic application of a mandatory term set out in the out sourcing contract.Pre assessment of damages could be a term of the contract.

17 If compatible, yes

18. The Privacy Tribunal should have effective powers of enforcement against agencyresistance and be independent of executive government.

19 This has not yet been satisfactorily resolved in any jurisdiction. Good luck!

L.C.A.R.C. 5 of 5 28 July 1997.

20. National.

21. Nationally uniform.

22. Surveillance- The public to be made fully aware of current interception methods andproposed additional ones. Full public debate is required.

23. Reinstate an upper house in Queensland. Have both houses provided with qualityadvice from experts in international privacy laws.

Institute a judiciary education program, with any citizen having equal electronic accessto the same program. Everyone should know the rules!

Applications for warrants to empower trespassory powers should be obtained followingthe consent of a majority chosen by computer random sample from a panel of three ofQueensland's Supreme Court Judges. Severe penalties or dismissal from a public officeshould be imposed on any officer of the crown for incomplete or misleading contentssworn within affidavits supporting such applications. The secrecy of the applicationsshould be lifted after the outcome desired from the operation has been finalised.

Yours faithfully

P Henderson

28.

Cover

OUR REF: j:\bad\pmib\letters\privacy.wpd

29 July 1997

Mrs J M Gamin MLAMember for Burleigh andChairmanLegal, Constitutional andAdministrative Review CommitteeParliament HouseGeorge StreetBRISBANE QLD 4000

Q UEE N SLAN D


30 JUL 1997

Dear Mrs Gamin

Reference: Privacy in Queensland - Issues Paper

Thank you for your invitation to submit a response to the Privacy in Queensland issues paper.

In order to complete our submission, WorkCover consulted with relevant staff including those who

have extensive experience with the Freedom of Information Act 1992 and the associated provisions of

this Act. Input from these areas has been incorporated in our response which is enclosed.

If you require any further information regarding our submission please do not hesitate to contact myselfor Sharon Campbell, Manager, Policy and Management Information Branch on (07) 3235 9650.

Yours sincerely

Rhonda PashenGeneral ManagerBusiness Development Division

POLICY & MANAGEMENT INFORMATION BRANCH13th Floor, 280 Adelaide Street GPO Box 2459 Brisbane Q 4001 Fax: (07) 3235 9460

ATTACHMENT 1

Comments for Privacy in Queensland - Issues Paper

General

WorkCover does not have any immediate concerns relating to the protection of personalinformation of its clients and WorkCover itself. The current legislative provisions forprivacy, in the state and federal arena, is sufficient to protect the individual and the

employer.

• The current laws relating to privacy in Queensland provide sufficient protection of ourclients i.e. injured workers, employers, self-raters and self-insurers. WorkCover requests

and obtains information from an employer which is directly related to their premium andfrom an injured worker, information directly related to the management of their injury.

• WorkCover has introduced internal systems which have the ability to monitor employeeaccess to individual records. A series of password based systems have been introducedto limit the number of WorkCover employees able to access particular systems andmonitor access to individual records.

• Claimants may seek their claim information from WorkCover under the Freedom of

Information Act 1992.

• Section 519 of the WorkCover Queensland Act 1996, provides an administrative

arrangement for claimants in response to requests for personal information. This wasestablished prior to the inception of WorkCover and was expanded to include workersof self-rated and self-insured employers to enable them to access the same personalinformation as would be available from WorkCover under the Freedom of Information

Act 1992.

• The WorkCover Queensland Act 1996 provides an exemption from the Freedom of

Information Act 1992 for documents relating to WorkCovers commercial activities andcommunity service obligations , however this does not restrict access to personal

information.

• To further protect the personal information of its clients under the WorkCover

Queensland Act 1996, WorkCover has the power to prosecute WorkCover officers for the

unauthorised disclosure of information.

Information Privacy Principles

• WorkCover does not support the introduction of Information Privacy Principles (IPP's)in addition to those currently outlined in Commonwealth legislation.

• The introduction of further principles at a state level would add to the administrativecosts associated with providing access to personal information.

2

A Privacy Commissioner/Privacy Committee

WorkCover does not support the creation of a Privacy Commissioner/Privacy Committee.

WorkCover regards the regulation of access to information concerning personal affairsby the Ombudsman and Information Commissioner as sufficient . However, theOmbudsman is often unable to meet timeframes regarding investigations. In respect to

this, WorkCover supports the increase of support staff to the Ombudsman to enabletimeframes to be met rather than the appointment of a Privacy Commissioner.

• The Ombudsman compiles an annual report on WorkCover' s performance regarding themanagement of privacy matters.

• Additionally, the costs associated with the introduction of an increased regulatory rolewill add to the costs already contained in the protection of personal affairs information.

Scope of a Privacy Regime

• WorkCover believes the current privacy laws should be extended to the private and

public sector. However, respective legislation should not impede the legislativeprovisions currently operational in authorities.

• As mentioned previously, WorkCover has a number of provisions within the WorkCover

Queensland Act 1996 that directly relate to protecting the personal information ofindividuals whilst enabling them to access their information.

• WorkCover does not support the introduction of further complex legislation to supersedethe provisions already existing within the WorkCover Queensland Act 1996. The

provisions in the Act have been specifically written to apply directly to the businessneeds of WorkCover.

• The current regulatory role of the Information Commissioner should be increased toenable the current arrangements to extend to the private sector.

Other Privacy Concerns

• Due to the nature of WorkCovers' business i.e. workers ' compensation insurance,surveillance is often required in the detection of fraud.

• The operation of surveillance is an integral function of the Loss Investigation Unit inWorkCover. The report detailing the findings of the Inquiry into Workers' Compensationand Other Related Matters (conducted in 1996) made mention of an increase in fraudulentactivity throughout the scheme.

-3-

In particular, a recommendation was made that access to common law be precluded ifinvestigations of either the statutory or the common law claim lead to a successfulprosecution for fraud.

• In the 1996/97 year 1098 fraudulent cases were identified resulting in 88 prosecutionswith 87 convictions made. Due to the activities of the Loss Investigation Unit,WorkCover has made approximate savings of $2.6M for the 1996/97 year.

• WorkCover strongly believes the introduction of an increased regulatory instrumentwould greatly impede our investigations into fraudulent matters and the associatedrecovery of previously claimed benefits and costs.

• In respect to surveillance operations currently in progress, WorkCover complies with theFebruary 1992 Guidelines stated in the `Covert Optical Surveillance in CommonwealthAdministration'.

• Finally, WorkCover believes that the Freedom of Information Act 1992 providessufficient access to and protection of the personal affairs of individuals.

• Any alterations to the current position would incur costs outweighing the benefitsassociated with the implementation of additional regulation. The introduction of furtherregulation would only increase the complexity of an already complicated matter.

kMain RoadsQUEENSIAND

T -QUEENSLANDGOVERNMENT

Corporate ServicesLegal and Legislation BranchGPO BOX 1549 BRISBANE QLD 40017th Floor, 85 George StreetBRISBANE QLD 4000

Enquiries: Graeme HealeyTelephone: (07) 3237 9868Facsimile: (07) 3237 9858Our Ref:Your Ref:

407-2-145 GH:GH

LEGAL, CONSTITUTIONAL AND

28 July 1997

Mr Neil Laurie

Research DirectorLegal, Constitutional and AdministrativeReview CommitteePARLIAMENT HOUSE, BRISBANE QLD 4000

Dear Mr Laurie

Privacy in Queensland

ADMINISTRATIVE REVIEW COMMITTEE

4 WIG 19 93-

I refer to the Legal, Constitutional and Administrative Review Committee Issues Paper no 2,Privacy in Queensland, and thank you for the opportunity for the departments of Main Roadsand Transport to provide a submission on the issue of Privacy in Queensland.

The following submission addresses the issues with respect to privacy protection inQueensland in the format as specified within the issues paper.

General

Both departments have concerns relating to privacy protection that hopefully will beaddressed if the government implements some form of privacy regime. QueenslandTransport is responsible for the custody and maintenance of 2.2 million drivers licencerecords and 4.5 million vehicle registration records. Both Main Roads and Transporthave systems that record various personal details of members of the public anddepartmental staff, including - name and address, dates of birth, bank account details,salary information, property values and criminal history searches on individuals.

While the departments have policies in place to try and protect the privacy of thisinformation and ensure its appropriate use, the absence of state legislation addsdifficulties to the development and enforcement of these policies.

We also have concerns relating to the use of client records for marketing or locatingpeople who do not wish to be found, eg. direct marketing, divorcees and victims ofdomestic violence.

2. The current laws in Queensland dealing with privacy related issues do not adequatelyprotect the rights of individual's and individuals have little recourse if their privacy isbreached in any way.

Issues such as data gathering, data sharing within government departments and accessby individuals to their own records are currently not adequately addressed.

National uniform privacy legislation would be the ideal solution to the privacy issues inQueensland. If Queensland does implement a privacy regime, it could consideradopting the approach the Commonwealth has taken to privacy with the establishmentof the Privacy Commissioner and the establishment of Privacy Principles. If a regimeis implemented it should be acceptable under the European Directive and the OECDguidelines.


The preferred option is for the establishment of IPP's in line with the Commonwealthlegislation and the OECD and European standards of privacy protection.

5. With the rapid rate of change in technology that is occurring, legislative based [PP'scould have considerable difficulty keeping pace with the changes. However, guidelines,while being more flexible are more easily circumvented and do not provide anysanctions for those who breach the principles.

Some form of fee structure associated with the privacy legislation is appropriate.However, fees should only serve as a deterrent to frivolous claims and not as a basis ofreducing the number of honest complaints regarding breaches of privacy.

7. While the initial cost of establishing the IPP's would be significant, these costs wouldlessen once the IPP's became part of management systems within agencies.


8. The establishment of a commissioner or committee should be viewed with caution ascosts associated with investigating complaints and reporting would be substantial. Tominimise costs it may be advisable to have the privacy commissioner combined withthe office of the Parliamentary Ombudsman.

9. The functions listed on page 5 of the issues paper are a good starting point for thefunctions of a privacy commissioner. The functions of a commissioner in Queenslandshould be very similar to those of the federal privacy commissioner.

10. If a commissioner or committee is established they should have the powers of accessand the ability to enforce the IPP's through sanctions such as fines or disciplinaryaction.

11. The importance placed on this issue by members of the public and internationalorganisations would justify the potential cost of a privacy watchdog. If Queenslanddoes not implement a internationally conforming privacy regime our international tradeprospects could be effected.


12. Ideally privacy regulation should apply to the private sector as well as the public sectoras areas within both sectors are in competition.

13. Government owned corporations should be subjected to a privacy regime in the sameway as other private sector corporations.

14. Local government should be subjected to a privacy regime in the same way as

government agencies.

15. Ideally the right to privacy protection should be available to all members of thecommunity in their dealings with both the public and private sectors. After the initialburden of establishment, the costs of protecting privacy should be minimal.

16. If the private sector is not covered by privacy legislation, all outsourced services wouldbe bound by privacy clauses included in any contractual arrangements.

17. Uniform legislation and co-operative arrangements between the states, territories andthe commonwealth is highly desirable. Queensland government agencies haveestablished data sharing arrangements within Australia that could be at risk shouldlegislation not be nationally uniform.

18. Freedom of information legislation and privacy legislation should be compatible and

consistent.

19. Any privacy legislation in Queensland should be consistent with the European directive

and the OECD guidelines.


20. Smart cards should be regulated under national legislation as they are a medium thatwill effect every Australian. The possibilities for smart cards is enormous, for example,Queensland Transport is evaluating the possibility of using smart cards as a futurereplacement for drivers licences in Queensland.

21. If regulation focuses on the information rather than the storage medium, then smartcards and electronic banking should be included in privacy legislation.


22. Surveillance needs to be limited to public areas with justification that there is a need toprotect the rights of the community.

Regulation of telemarketing and direct marketing needs to be in legislation.Information obtained from one source for a particular purpose needs to be protectedfrom being made available to another source, unless the original confider of theinformation has given their consent.

Workers may need to be protected in the workplace from unscrupulous employers thatmay invade an employees personal privacy via visual or listening surveillance.

23. Principles relating to privacy should be enshrined in legislation and the legislationshould be objective based, rather than prescriptive. The role of the commissionershould ensure that the rights of individuals are protected in the face of technologicalchanges that threaten privacy rights.

The privacy contact officer within Main Roads and Queensland Transport is Mr GraemeHealey, Manager (Administrative Law). Mr Healey can be contacted on (07) 3237 9868should you require any further information.

(W J Rodiger)DIRECTOR (LEGAL AND LEGISLATION)

TELEPHONE 3227 7111FAX No 3225 2527

The Chiropractors and Osteopaths 2&Board of Queensland

Please address all correspondence to:-

The RegistrarTHE CHIROPRACTORS AND OSTEOPATHSBOARD OF QUEENSLANDG.P.O. BOX 2438BRISBANE 4001

19th FLOORFORESTRY HOUSE160 MARY STREETBRISBANE 4000

IN REPLY PLEASE REFER TCC RECORD

No .............................1 :i ...c..........

2 8 -

The Research DirectorLegal, Constitutional and Administrative Review CommitteeParliament HouseBRISBANE Q 4000

Dear Sir/Madam

2 9 J 1991

I refer to the document titled "Privacy in Queensland", which was recently supplied to theChiropractors and Osteopaths Board of Queensland.

The Board considered this document at its recent meeting when it asked me to write to you:

► thanking you for supplying it with a copy of the document;

► advising that it does not have any comments to make on the document.

The Board looks forward to receiving any subsequent documents which may be forwarded to itfor consideration.

Yours sincerely

D RamsayACTING ASSISTANT REGISTRAR

UL 1997

'TIC"'AL ANDfiv" Ctl

E:\ADMIN\CONNELL\POSNER\TEAM1\C O-1\CORRMEET\JULY97.WK

SECRETARY AND REGISTRAR

MR D. PORTER

25 July 1997

The Research DirectorLegal, Constitutional and AdministrativeReview CommitteeParliament HouseBRISBANE QLD 4000

Dear Sir/Madam

CONSTITUTIONAL AND

29 JUL 1997kTIVE REVIEW COMMITTH

THE UNIVERSITY OF QUEENSLANDBrisbane Qld 4072 Australia

Telephone (07) 3365 T 310

International +61 7 3365 1310

Facsimile (07) 3365 2680

Email [email protected]


Thank you for forwarding to the University a copy of the Issues Paper in respect of the above,and for affording the University the opportunity to comment on issues associated with theprotection of personal privacy in Queensland.

The University of Queensland as an institution has consistently and strongly recognised theneed for protection of personal privacy in our practices and procedures. Indeed, we haverecently drafted an administrative policy, which will be placed before the next meeting of theUniversity Senate for approval, which confirms our continuing commitment to maintainingthe privacy of the personal information which we collect from our students, our staff andmembers of the community (for example, research subjects). For the reference of the

Committee, a copy of this draft policy is enclosed.

My principal comment relates to point 4 of the items listed in the Issues Paper forconsideration. One aspect of the information privacy principles which is potentially ofconcern to the University is the exception to non-disclosure which apply in relation to lawenforcement activities (contained in Information Privacy Principle 11). The University

supports the endeavours of law enforcement agencies to ensure that our campuses are freefrom criminal activity, and in this regard, recognises the importance of assisting suchagencies to prevent criminal activities or to detect the perpetrators of crimes where these arein some way associated with the University community, property, facilities or with University

functions or activities.

However, we would be most concerned that the traditional independence from government ofthis and other Universities will be undermined if this exception to the limitations ondisclosure were to be invoked by law enforcement agencies pursuing more generalisedintelligence gathering functions. It is the University's submission that any legislative oradministrative scheme which is put in place should recognise that, if this exception to non-disclosure is invoked in accordance with Information Privacy Principle 11, that agencies beprovided with sufficient information to determine that the request is based on legitimate lawenforcement grounds.

2

A further issue with which Universities must occasionally grapple is the intersection betweenCommonwealth and State legislation . The University obtains large amounts of research grantfunding from Commonwealth agencies , and these agencies generally require the University toabide by the Commonwealth Privacy Act 1988 in respect of the activities to which the grantof funds may relate . The University would be substantially concerned if there were a conflictbetween the obligations imposed in the Commonwealth Act and the scope or content of any

scheme for the protection of privacy proposed in the Queensland jurisdiction.

Yours sincerely

Douglas PorterSecretary and Registrar

Enc

PRIVACY MANAGEMENT POLICY

The University holds a large amount of personal information concerning staff, students andother persons, as a natural consequence of our teaching, research and administrative

functions. Some personal information is collected from the persons concerned, while otherinformation is generated by the University in the course of our activities (for example,

examination results). The privacy of persons about whom the University holds personalinformation must be respected, and the University's policy addresses the circumstances in

which privacy issues may arise.

Personal information is information not in the public domain which identifies an individualand which is capable of being associated with a specified individual. In the Universitycontext, examples of personal information include home address, home telephone number,

date of birth, marital status, next of kin; salaries and wages of University staff, all

information concerning students, their enrolment, academic performance, personal welfare(such as medical matters) and records of an individual student's library borrowings;information concerning persons who apply to the University for appointment or admission;information collected from or concerning human research subjects. It may include visual

information, such as photographs of people. For the purposes of this policy, personal

information is given a broader meaning than in the Freedom of Information Act 1992 (the

FOI Act refers to "personal affairs information", meaning matters of private concern to

individuals).

Collection impersonal information

Information should be collected only where it is necessary to carry out a particular function oradministrative activity. For instance, it is rare that information concerning a student's maritalstatus is required for normal administrative functions associated with enrolment or study.Where the information is not required for any specific purpose, it should not be collected.

Where information is collected for a particular purpose, it should not normally be used forany other purpose. For instance, it is not acceptable to supply the names and addresses ofstudents to commercial providers of goods or services, even where particular benefits may beoffered to those students, since such information has been collected by the University only forenrolment and study-related purposes. If personal information is likely to be used for someother purpose, this should be disclosed at least by the time that information is collected andpreferably before it is requested. In certain circumstances, information collected for oneUniversity purpose may be used for another but the unexpected use should be approved by

the Secretary and Registrar.

Access to and use of personal information stored in records

There are several important principles which staff should consider when dealing withpersonal information held by the University.

2

1. Personal information should be accessed and used only for University purposes - Accessto either paper-based or computerised records should be sought and granted only where thereis a demonstrated need for this because of a staff member's functions or responsibilities.Even where access is granted, it would be inappropriate, for instance, if an address, hometelephone number or other information were accessed and used by a staff member for privatereasons eg to forward personal correspondence to a former flatmate, or to ascertain the resultsof friends and associates. This is so even if the person to whom the information relates gives

permission.

2. Personal information should be secured - Paper-based records should not be left wheremembers of the public, or others to whom the information they contain is not generally made

available, may access them. Records containing personal information should be filed

securely.

Appropriate arrangements should be put in place at the departmental level to ensure thataccess to computerised records is granted only to staff requiring such access in the course oftheir duties. Computer access passwords are intended as security devices and hence staffshould not disclose their password to others (for further details see VCIT's draft Information

Technology Security Policy).

Sometimes personal information will be obtained orally, for instance, in an interview with a

student concerning course progress. The information may or may not be recorded in

documentary form. Nonetheless, privacy should be respected, and the information should notbe discussed with others, except where this is necessary to undertake functions concerning thestudent or staff member who has provided the information.

3. Personal information should not be disclosed to third parties, except in the circumstances

outlined below.

As a general rule, information not publicly known concerning staff and students should betreated as confidential, and should not be disclosed to anyone but University staff who have ademonstrated need for this information to carry out their duties. There are several exceptions

to this general rule.

(a) Disclosure to the staffmember or student to whom the personal information relates:

Information privacy principles in general entitle those about whom information is held toaccess that information. This enables them to ensure that information about them is accurate,relevant, up-to-date, complete and not misleading. Thus, a staff member or a student wouldbe entitled to request access to their personal file or to view information held in computerisedformats about them. This general entitlement is given effect by the Queensland Freedom of

Information Act, and is subject to its detailed provisions.

In most cases where access is requested, it will be possible for access to be obtained withoutthe need to make a formal application under the FOI Act. For further advice on dealing withrequests, refer to the Freedom of Information Management Policy (Section 3.58 in theHandbook of Administrative Information, Volume 1) or the Senior Administrative Officer,

Freedom of Information Office.

3

Sometimes, persons supply original documents to the University, such as birth certificates, orcertified academic records of study undertaken elsewhere. Where it is practicable to do so,

original documents supplied by a person may be returned to them, and should be returnedupon request. If this occurs, University records relevant to the transaction should include anannotation indicating that original documents have been sighted and returned.

(b) Disclosure to third parties only with the consent of the student or staff member

concerned:

Personal information may be disclosed to third parties with the consent of the student or staffmember concerned. Such consent cannot be assumed, and should be given expressly and in

writing. It cannot be assumed, for instance, that the University has implied consent toroutinely supply student details routinely to professional associations, potential employers or

parents.

Except in the special cases mentioned below (see items (d) and (e) below), the fact that theenquirer may hold an official position, for example, as an officer of a government department,or in some other way may claim a special or even official right to get information makes no

difference to this position. Nor does it matter whether the enquiry is made informally or by

means of a formal written document.

Details of a student's academic record should not be given to third parties even though the

results may have been published at the time of release in the normal way. If an enquiryconcerning a student's record is made by a person or body clearly having a valid reason forseeking the information, eg another university or a prospective employer forwarding detailsof the record as furnished to the enquirer by the student, the enquiry should be referred to theAcademic Registrar, who will, if appropriate, verify the record so furnished.

Heads of departments and sections may from time to time receive enquiries, often bytelephone, from credit providers, in connection with applications by staff for credit facilities,and from real estate agents, in connection with rental of premises by staff. The enquirer

usually asks for confirmation of employment and salary. The University is willing to assistthe staff member in these cases and will provide confirmation of employment and salary

level. This should only be done however where the staff member in question has advised thehead of department in advance that an enquiry may be made by a credit provider or real estate

agent.

Where no prior advice has been received from the staff member concerning the possibility ofan inquiry by the credit provider or other enquirer, the enquirer should be advised to make a

request in writing. Such a request should include written evidence that release of thisinformation has the staff member's consent or be checked with the staff member before anyinformation is given.

Occasionally, persons undertaking research or those seeking genealogical information maymake enquiries for access to personal information concerning former staff or students. Suchenquiries may also be made by persons needing details for honours, obituaries and the like.

4

These enquiries must be referred to the University Archivist for assistance (telephone

extension 52889).

(c) Disclosure of matters of public record:

Additionally , there is a limited amount of apparently personal information held by theUniversity which in fact amounts to a matter of public record . A notable example is the

status of a person as a graduate of the University of Queensland . Where members of thepublic enquire about the status of persons as graduates of the University , they may be

encouraged to use the publicly available source in the University Library (bound volumes

entitled "Programs for Conferral of Degrees", Library Call No LG711. 5.C4 Fryer Per) or

alternatively may write to the Academic Registrar. Where the association with the University

is more than 20 years old, enquiries should be directed to the University Archivist. The

University ' s official graduation records are held in Central Administration.

The fact that a student is enrolled at the University is not treated as a matter of public record.Consequently , such information should be disclosed only in the circumstances outlined in this

policy.

It should not automatically be assumed that divulging apparently innocuous information, such

as staff lists, is acceptable. This is because of the opportunities which exist for usingsophisticated software technologies to consolidate that information with other publiclyavailable information and produce selected mailing list, for example, for the direct marketingindustry. Such requests should be referred to the Secretary and Registrar.

(d) Disclosure of personal information under statutory or other legal authority:

In some cases, legislation has conferred upon certain public officers the right to demand andreceive information, even though it would otherwise be regarded as confidential. A typical

example is the Income Tax Assessment Act under which the Commissioner can authorise

officers of that department to require any person to answer any question or to produce any

document for inspection. The Commonwealth Departments of Employment, Education,Training and Youth Affairs, Social Security, or Immigration may also have powers to obtainaccess to personal information in specific circumstances.

In cases where enquiries are received from public officials, the relevant statutory authority toobtain access to such information should be requested. Statutory authority should be detailed

in writing, as should written verification of appointment as a person entitled to require the

information. When this authority is produced, the enquiry should be referred to theUniversity Legal Officer for confirmation, or where the Legal Officer is unavailable, to the

Secretary and Registrar.

Until such confirmation is obtained, inspection of University documents is not permitted, nopersonal information should be released verbally and copies of documents should not be

provided.

5

Similarly, where disclosure is sought in the course of legal proceedings, eg by service of asubpoena or writ of third party discovery, this must at all times be referred promptly to theUniversity Legal Officer for action.

(e) Disclosure in instances of wrongdoing associated with University activities:

Staff in Faculty offices and in various sections of Central Administration often obtaintranscripts of the academic record of persons seeking admission to a particular course ofstudy, or who apply for a position on the University staff or for various forms of financial

assistance. Occasionally, such staff may become aware that such records appear to have beenfalsified in order to obtain admission or appointment. These are examples of a wider class ofinstances where wrongdoing in connection with University affairs is suspected.

Where staff suspect that some form of record falsification or other wrongdoing has occurred,any reporting of the issue should be to their supervisor in the first instance and then to theSecretary and Registrar. At no time should staff disclose such information directly to entities

outside the University.

Occasionally, police officers or other law enforcement agencies involved in investigations ofoffences associated with University activities or the misuse of University property, will makeenquiries for personal information about staff or students to assist with their enquiries. Inexceptional circumstances, the University may consider release of such information. All suchenquiries must be referred to the University Legal Office, who will in conjunction with theSecretary and Registrar determine what information, if any, should be released.

(f) Requests associated with bona fide research activities

The University is willing to assist bona fide researchers undertaking studies, for example, bythe distribution of questionnaires within the University community. Any assistance must be

approved by the Secretary and Registrar.

Material to which such requests relate and which will be forwarded to staff/students mustcontain a clear statement of purpose, and responses must be entirely voluntary and made

directly to the researcher.

Usually, the University will either distribute the material within the University internal mailsystem or provide name/address labels under stringent conditions associated with thepreservation of individual privacy. Costs will normally be recovered from the researcher.The University will provide no other follow-up or forwarding services.

Grievance procedure

Privacy issues can be discussed with the Senior Administrative Officer (Freedom ofInformation Office), if necessary, on a confidential basis. If individuals believe that theirprivacy has been breached, a complaint may be made in writing to the Senior AdministrativeOfficer (FOI Office). In order to enable such a complaint to be properly investigated, itshould identify the person whose privacy appears to have been breached. Anonymous

complaints will not be dealt with.

6

An investigation will be conducted in consultation with the relevant Head of Department or

section. The Secretary and Registrar will have final responsibility for resolving the

complaint.

Further information

General enquiries concerning the application of this policy may be directed to the SeniorAdministrative Officer, Freedom of Information Office, in the first instance.

AUSTRALIAN DIRECT MARKETING ASSOCIATION

24 July 1997

The Research DirectorLegal, Constitutional and Administrative Review CommitteeParliament HouseCnr George & Alice StreetsBRISBANE QLD 4000

Dear Research Director

`PRIVACY IN QUEENSLAND'

Attached for your consideration is the Australian Direct Marketing Association ' s submission to

`Privacy in Queensland'.

Please be in contact if you require any further information.

Yours faithfully

Robert L Eddwa ds 'CHIEF E) CUTIVE OFFICER

Att.

AC N 002 909 800

SUITE 1 LEVEL 5 100 WILLIAM STREET EAST SYDNEY NSW 2011 AUSTRALIAPO BOX 464 KINGS CROSS NSW 2011 PH 02 9368 0366 FAX 02 9368 0866


AUSTRALIAN DIRECT MARKETINGASSOCIATION

PRIVACY SUBMISSION

TO THE


AUGUST 1997

ACN 002 909 800

SUITE 1 LEVEL 5 100 WILLIAM STREET EAST SYDNEY NSW 2011 AUSTRALIAPO BOX 464 KINGS CROSS NSW 2011 PH 02 9368 0366 FAX 02 9368 0866



EXECUTIVE SUMMARY

q ADMA represents 400 corporations whose activities include use of marketing

databases which are fundamental to the success of Direct Marketing and

communicating with customers.

q Queensland members include financial institutions, charities which market

nationally and Queensland based national and international companies.

q Direct Marketing now accounts for nearly half the total marketing and

advertising spend in generating annual sales of more than $10 billion annually.

q New media technologies are driving the globalisation of markets.

q ADMA continues to be a strong advocate of uniform national privacy

regulation in order to harmonise with regulatory regimes elsewhere.

q Queensland should introduce a privacy legislation covering State and localgovernment departments and agencies in line with the Commonwealth Privacy

Act.

q In relation to the private sector the Legal, Constitutional and AdministrativeReview Committee is well-placed to play a major role in the privacy debatewhich will be triggered by the release shortly of an Issues Paper by the

Commonwealth Privacy Commissioner.

q The Queensland Consumer Affairs Minister should support the ADMAposition in relation to the Distance Selling Code in the interests of consistent

and uniform privacy regulation.

Australian Direct Marketing Association


1. INTRODUCTION

The Australian Direct Marketing Association (ADMA) is an association with 400

corporate members including all of the major banks, financial institutions, insurancecompanies, airlines, motor vehicle manufacturers, oil companies, the hospitality industry,traditional direct marketers such as Reader's Digest and Time Life as well as the widerange of companies and agencies which supply the direct marketing sector. Every

ADMA member has a significant interest in the ongoing use of their marketing databases,a core issue in any future private sector privacy regime.

ADMA's Queensland membership covers leading financial institutions including

Suncorp-Metway and RACQ, charities such as RSL War Veterans Homes Art Union

and Multiple Sclerosis Society plus Queensland-based major national and international

corporations including Fisher and Paykel and National Photographic Marketing. Mr

Rob Tolmie, Managing Director of National Photographic Marketing is Immediate Past

President of ADMA.

2. DIRECT MARKETING IN AUSTRALIA

Direct Marketing is increasingly delivering significant benefits to consumers throughoutAustralia. It is overcoming inequities in access to goods and services, which isparticularly relevant in a large State such as Queensland.

As banking becomes increasingly electronic, retail banking centres are being centralised

and branches closed. However, in remote areas or small centres which can no longersupport a retail bank consumers enjoy the same level of financial service as city customers

thanks to Direct Marketing.

Lack of access to services is not confined to consumers in remote areas. As country andsuburban department stores centralise operations, consumers particularly those lackingmobility are finding themselves disadvantaged. This is being addressed by DirectMarketing both in terms of selling and customer service.

Direct Marketing improves access to goods and services, and removes inequities of

distance and disadvantage. Far from disadvantaging consumers, direct marketing can

ensure better delivery of goods and services. In the case of financial services such asinsurance, appropriately conducted direct marketing can ensure better information thantraditional methods relying on go-betweens such as agents.

3


Consumers are turning to Direct Marketing for convenience and lifestyle reasons. With

increasing levels of workforce participation, individuals and families have lessopportunity or desire for traditional retail shopping.

Companies are turning to direct marketing to improve efficiency which benefitsconsumers in terms of price and service as well as access and equity. However, partly dueto factors common to the rest of the world and partly due to factors peculiar to Australia,there is a need to address the legislative and regulatory framework relating to Direct

Marketing and the use of customer data.

The regulatory framework should be capable of addressing current issues andconcerns rather than trying to cope with problems which may or may not emerge inthe future . At the same time , the framework should be flexible enough to cope withchanging circumstances which are foreseeable.

3. SIZE AND EXTENT OF DIRECT MARKETING IN AUSTRALIA

In 1995 Direct Marketing challenged the main media for the first time in terms of moneyexpended by advertisers representing 48% of the amount spent on advertising. By

comparison, in the United States, 58% of all media spend is related to direct marketing.

This will give some indication of the likely growth.

Research shows that growth in the Direct Marketing sector grew a further 14.5% between1995 and 1996 at a time when the general economy is growing at a quarter of this rate.

Companies are increasingly embracing direct communications with their customers andprospects because of the proven effectiveness of Direct Marketing. Consumers respondpositively to correctly targeted offers and communications.

Direct Marketing is media driven. The new emerging technologies such as the Internet

are moving us closer to globalisation of markets. The role of government should not be toimpede growth, but to monitor trends, identify systemic problems and ensure that anyregulatory regime does not disadvantage Australian companies.

Given the significant size of this industry sector and its reliance upon marketing databasesany ill-considered moves to regulate may have a dramatic effect upon our internationalcompetitiveness and employment, and hence on government revenues by impacting upon

the dynamic growth of this burgeoning industry sector.

The following statistics are drawn from Commercial Economic Advisory Service ofAustralia (CEASA), the most recognised research firm in the area.

4


TOTAL DIRECT MARKETING MEDIA SPEND

Medium Media Spend 1996 Comparison with 1997

Direct Mail 915,754,000 +6.5

Call Centre/Telemarketing 1,603,000,000 +17.6

Catalogues 1,129,645,240 +3.6

Stuffers 86,704,914 -2.0

The Internet 328,780,000 +171.7

Mail Order 374,400,000 +4.0

Television 70,000,000 +7.7

Newspapers 35,948,781 +1.9

Magazines 25,273,800 +37.0

Radio 36,900,000 -

Classified Directories 861,300,000 +3.4

Shopper Dockets 22,000,000 +2.7

Exhibitions 827,000,000 +25.5

Total 6,316,706 ,735 (+14.5%)

4. Low LEVEL OF COMPLAINT

Despite the level of media attention to privacy, the number of recorded complaints

remains low.

In the 7th Annual Report of the Privacy Commissioner 1994-95, 793 written enquirieswere received ranging from general privacy concerns to specific Privacy Act complaints."These are very similar figures to those of the previous year and indicate that the level of

complaints and enquiries has now stabilised."

In the Commissioner's 8th Annual Report, it was stated "During the year (1995-96) 516written enquiries were received ..." This represents a drop in enquiries of more than 20

per cent.

Similarly the Telecommunications Industry Ombudsman reported a decrease of three percent in privacy related cases between 1994-95 and 1995-96. Austel's 1996 Annual Reportlists "a steady flow" of 328 privacy complaints or enquiries, 24 of these related totelemarketing complaints, which is hardly significant given the millions of telemarketing

calls made each year.

5


5. PRIVACY REGULATION IN QUEENSLAND

The overwhelming requirement for privacy regulation is consistency. Queenslandcompanies, charities and consumers will all be disadvantaged if privacy regulations areintroduced which are different from those in other states or countries.

• Suncorp-Metway is a major financial services institution which competes with banks

and insurers from elsewhere. Any regulation which impacts on Queensland

institutions more heavily than non-Queensland institutions will impose additionalcosts and hence make the Queensland institutions less competitive.

• Queensland charities such as the RSL War Veterans Homes Art Union are marketed

nationally. Privacy requirements such as requiring the prior consent of donors before

they can be asked to contribute would put Queensland charities at a severe

disadvantage.

• Queensland consumers would find a range of goods and services unavailable to themif Queensland adopted the "opt-in" requirement for privacy regulation instead of theinternationally accepted "opt-out" standard whereby consumers can elect not toreceive information.

Although the need for consistency with other national and international jurisdictions isparamount, the Queensland Government does have a key role to play in relation to

privacy regulation.

6. PRIVACY IN THE QUEENSLAND PUBLIC SECTOR

ADMA believes it is quite inappropriate to extend privacy regulation to the private sector

until coverage has been extended to the whole of the public sector. Both the

Governments of New South Wales and Victoria have stated their intention of moving tocover their departments and agencies but, at the time of preparing this Submission,

legislation has not been introduced to either jurisdiction.

In most cases, the personal information about individuals held by companies and charitiesare no more than contact details. If more details are held it is usually with the individual'sconsent or to meet some existing legal requirement. In any even information is only heldfor benign purposes, mainly to be able to offer goods and services better targeted and

delivered. State Government-held information is compulsorily acquired and if not

protected could lead to very serious consequences.

ADMA believes therefore that it is inappropriate for a government to extend privacyregulation to the private sector before its own departments and agencies are covered by

appropriate legislation.

Recommendation : The Queensland Government legislate primary protection measures

consistent with the Commonwealth Privacy Act in relation to its own Departments,

agencies and local government bodies.

6


7. PRIVACY PROTECTION IN THE PRIVATE SECTOR

The Queensland Minister for Consumer Affairs will be called on to consider most of theissues raised in the Privacy Issues Paper at the Commonwealth-State Ministerial Councilon Consumer Affairs on 29 August 1997. One of the agenda items is consideration of aDraft Distance Selling Code of Practice. This has been developed by a Working Group

on which Queensland was not represented. The Draft Code covers fair trading,

information privacy protection, telemarketing and complaint handling.

In relation to privacy protection at the national level, events have overtaken the Distance

Selling Code. A Discussion Paper on privacy in the private sector is expected to be

released by the Commonwealth Privacy Commissioner shortly to be followed by a majorforum in which no doubt the Legal, Constitutional and Administrative Review committee

will participate.

The Privacy Commissioner's Discussion Paper and Forum is the initiative of the PrimeMinister, and the privacy regime being mooted will apply to all sectors of the economy.For these reasons, ADMA believes the Consumer Affairs Ministers should not make any

decisions which pre-empt consideration of the Privacy Commissioner's Paper.

However a considerable amount of work has been devoted to developing the Draft

Distance Selling Code. ADMA is proposing to up-date its own Code of Conduct in line

with the fair trading and telemarketing sections of the Code. The Consumer Affairs

Ministers are being asked to consider this as a more acceptable alternative than adopting

the whole Code.

As this Committee's Issues Paper makes specific reference to telemarketing, the

Telemarketing Section of the Draft Distance Selling Code is attached for information.The Committee may wish to draw on this part of the Code in the knowledge that it hasbeen considered by government, industry and consumer representatives as well asspecifically incorporating the recommendation of the AUSTEL Privacy Advisory

Committee's report on telemarketing..

Recommendation: In relation to the private sector, therefore, ADMA recommends that

in the interests of consistent and comprehensive privacy regulation:

• The Legal, Constitutional and Administrative Review Committee take note of the

Commonwealth Privacy Commissioner 's forthcoming Discussion paper and

actively participate in the subsequent consultation.

• The Queensland Minister for Consumer Affairs be urged to support ADMA's

position on the Draft Distance Selling Code of Practice at the forthcoming

Ministerial Committee on Consumer Affairs meeting.

7

Draft Distance Selling Code of Practice . 18/06/9749f96/GT 0:01 PM142S-AM

Part N. Telemarketingn

74-3. This Part of the code covers additional requirements for personsengaging in telemarketing.

Identification information

724. At the oarliest possible opportunity in an outbound telemarketing call,telemarketers shall:

a. identify themselves;78

b. identify the distance seller they represent;79

c. clearly state the purpose of the call;80 and

d. if calling from outside of Australia , state the country from which they arecalling.81

735. When making an outbound telemarketing call, a telemarketer shall notblock the transmission of the calling line identity to the receiving service.

746. The name, address and telephone number of the distance seller and,where different, the telemarketing organisation, must be in a telephonedirectory, or, if a new listing, available through a Directory AssistanceService.

77 The working group's understanding of the application of state and Territory door to door tradinglegislation to telemarketing Is discussed in the attached paper. Note that , as the door to door tradingrequirements are found In Acts of Parliament , any conflict between this code and the door to doortrading legislation will be resolved in favour of the legislation . Where the legislation does apply totelemarketing , telemarketers will have to comply with the legislation , regardless of what the Codeprovisions are.

Ts Similar to ADMA Standards of Practice Part 1, section 2(a)(ii).

78 Similar to US Telemarketing Rules 310.4(d)(1) and ADMA Standards of Practice Part 1, section2(a)(ii).

80 Similar to US Telemarketing Rules 310.4(d)(2).

81 It Is recognised that there are Jurisdictional problems Involved with this provision but it is thoughtworth trying to include it. As we understand it, there is nothing preventing us including this provision,however, It would be very difficult to enforce.

283

Draft Distance Wing Code of Practice . 18/06/974SF8610Z 9:01 PM4446-AM

751. Where the purpose of the call is to sell a good or service telemarketersshall not represent that they are undertaking market research-82

Information to be provided on request

768. When telemarketers or distance sellers contact a consumer they shall, atthe request of the consumer , provide the following information:

a. the telemarketer 's name , contact details , including at least its telephonenumber and street address , and the name of a person within theorganisation who is responsible for handling consumer complaints; and

b. details of the source from which the telemarketer or distance sailorobtained the consumer's personal information.

Permissible hours of calling

77-9. Without a consumer 's consent , a telemarketer shall not make anoutbound telephone or automatic Calling Equipment call to contact aconsumer before 8 am or after 9 pm local time at the consumer's location oron the following public holidays:

- Christmas Day,

- Good Friday, and

- Easter Sunday.8 sa

82 Similar to ADMA Standards of Practice Part 1 , section 1(I)(vi).

83 Similar to ADMA Standards of Practice Part 1 , section 1(I)(), although Standards allow calls atother hours if the caller has justifiable reason to believe that caps at other times would be moreacceptable%oonvertient to the consumer . Also implements the recommendation of the Austel PrivacyAdvisory Committee in its report on telemarketing . Under the US Telemarketing rules , calls arepermitted between Sam and 9pm on any day (310.4(c)). The requirements under door to doortrading legislation (which may apply to telemarketing) In some States and Territories are moreonerous and would conflict if they apply to telemarketing (see attached paper on door to doortrading).

The Issue of which days should be Included In this clause was debated In the first working group andIn the Austel report . However, some members of this working group are uncomfortable with the factthat non-Christian religions are not considered . The working group seeks comments on whether callsshould be prohibited on particular days, and if so . what those days should be.

sa Within Its first twelve months of operatlon . the CAA will carry out a survey and consultation withkey rellolous and ethnic organisations to develop a auldellne fortelemarketers for what times anddays would not be suitable for telemarketers to contact consumers

293

Draft Distance Selling Code of Practice.

Line disconnection times

18106/9748!88187 9:01 PM44t26-AM

7.880. Where a telemarketer uses the telephone to contact a consumer, thetelernarketer shall release the line within 5 seconds of the consumerhanging up or otherwise indicating that he or she requires the telemarketerto release the line.

Frequency of calling

X881. A telemarketer, or its agents, shall not contact a consumer more thanonce in any 30 day period for the same or similar campaign without thatconsumer's prior consent.

303

2•

Officer: Telephone: (07) 3361 361 1

xt: Facsimile: (07) 3361 3695

in reply please quote: Toll Free: 1800 177 188

Ref: RE/97/0020/r:/subs/privac eSl eftlzl 10-.. L_11ci S AuthorityCnr Herschel St & North Quay, Brisbane

GPO Box 390 Brisbane Q 4001

23 July, 1997


Review CommitteeParliament HouseBrisbane Qld 4001

Dear Sir/Madam

LEGAL, CONS AL ANDM1NISTRATIVE REVIEW COMMITTEE

25 JUL 1991

Please accept the following as the Residential Tenancies Authority's submission to Privacy inQueensland (Issues Paper No 2) distributed by the Legal, Constitutional and Administrative

Review Committee.

The Residential Tenancies Authority is a statutory authority established under the Residential

Tenancies Act 1994. Under the Act, the Authority has the following functions:

• to ensure the proper administration and enforcement of the Act• to receive, hold and pay rental bonds under the Act• to provide advice to the Minister about residential tenancy issues generally and the

operation of the Act in particular• to provide information, educational and advisory services about the Act's operation• to collect and analyse information about residential tenancy issues• to act a referral agency for referring mediation parties to disputes about agreements• to intervene in, or support, proceedings about the application of the Act• to perform other functions given to the Authority under the Act• to perform functions incidental to its other functions

The Authority's Board of Directors reports directly to the Minister for Public Works andHousing. The Authority provides rental bond custodial and dispute resolution services and hasan investigative and compliance section to enforce the Act.

This submission to the enquiry into privacy matters is limited to raising an issue of concern tothe Authority. The Authority has received complaints about the operation of tenancy databaseswhich act as central collection points for information about tenants and provide this informationto subscribers, generally larger lessors and real estate agents, assessing applications from

prospective tenants. One stated aim of the tenancy databases is to establish a network ofsubscribing members that creates a deterrent to `problem' tenants applying for rental housing.Members are able to enter information into the database through modem access. The Authorityhas received reports that the tenant database companies do not corroborate any of the informationthey receive or distribute and do not accept any responsibility for its accuracy. As well, there is

no formal mechanism for tenants to view any of the information kept about them or to have suchinformation amended or removed.

The Authority has no formal role in this area as the Residential Tenancies Act 1994 does not

extend to the operation of tenant database services. As they are not credit reporting agencies, thetenant databases are not subject to regulatory mechanisms such as codes of practice.

In considering whether or not it is appropriate to regulate tenancy databases and other suchagencies the Authority believes it is important to take into account the capacity of such databasesto avoid regulation by offering their services through the Internet. Implementing Queensland-based mechanisms to regulate their activities could drive these companies interstate or offshorewhere no regulation exists. The accessibility of the Internet would ensure they were able toprovide their services easily and inexpensively without fear of contravening any regulation.

I trust this information is of assistance in your investigation into privacy issues in Queensland.If you require further information or seek clarity on the matter raised in this submission, pleasecontact me on telephone 3361 3600 or Ms Karen Wing, Principal Review ImplementationOfficer, on telephone 3361 3665.

Yours sincerely

TERRY HOGANGeneral Manager

2®

SUNSHINE COAST RURALLANDHOLDERS ASSOC. INC.

♦ Protecting the rights of the rural landholder O -^PO Box 243, Palmwoods, Q$d. 4555 . LEGAL , CONSTITUTIONALAND

Secretary - Phone a/h 07 5445 0485 . ADMINISTRATIVE REVIEW COMM

24 JUL 1017

22nd July 1997

The Research Director

Legal, Constitutional & Administrative Review Committee

Parliament House

Brisbane, Q. 4000

Dear Sir,

I refer to the PRIVACY IN QUEENSLAND Review and wish to submit that,-

Whilst the committee retains the right to determine those issues it willconsider, issues outside the generally accepted scope of privacy intrusionmay be raised by submission.

Issues of infringement of the rights to privacy of private rurallandholders, generally are referred to with advice to seek resolutionthrough the Courts, at the victims expense, with little expectation of justresult. In fact our members are not aware of a single action which hasupheld the rights of private landowners in this regard.

The Invasion of Privacy Act prohibits entry to a private dwelling housewithout the consent of the owner, yet the same Act does not appear toadequately protect owners from unlawful trespass of their privately heldlands, nor intrusion into an owners private business or investment affairsby such as planners and the like.

Issues raised that such actions taken against owners of rural land, withouttheir consent, but not against the owners of any other lands wasdiscriminatory, brought the advice from the Anti-Discrimination Commission"that these areas of concern were not within their jurisdiction" and it wouldappear, from the information provided in the Issues Paper, that these acts ofblatant intrusion and discrimination against a minority section of thecommunity may well be outside the jurisdiction of this Committee.

Should this be the determination, your advice as to within which jurisdictionadministration responsibility for such issues falls.

Yours faithfully

RAY KNIGHSecretary

M AL,O0NgT . 0

6NAL ANDADMINISTAAflVE fl VIEW C0'MMtTTEF

24 ! !! L f917-

QUEENSLAND GOVERNMENT

Department of Environment160 Ann Street ® Brisbane Queensland • PO Box 155 ® BRISBANE ALBERT STREET QLD 4002

Telephone (07) 3227 7111 m Facsimile (07) 3227 6534

Enquiries co

Telephone

Your reference

Our reference

22 July 1997

The Research DirectorLegal, Constitutional andAdministrative Review CommitteeParliament HouseBRISBANE Q 4000

Dear Sir

I refer to the letter of 16 May 1997 from Mrs Judy Gamin MLA, Chairman of the Legal, Constitutionaland Administrative Review Committee. I would like to thank her for the opportunity to comment on theIssues Paper "Privacy in Queensland".

A key issue in relation to privacy which arises throughout the Department is the need to protect theidentity of complainants under environmental legislation from retribution from the subject of thecomplaint. It is the Department's policy to not provide this information unless release of that informationis acceptable to the complainant. This approach reflects that adopted pursuant to the Freedom ofInformation Act 1992 for personal information of individuals.

In the course of fulfilling its statutory responsibilities the Department obtains information aboutindividuals and organisations to fuel its regulatory decisions . The nature of the information collected isrestricted to that necessary to make informed decisions pursuant to the legislation and the public interest.This information is not disclosed to third parties either as a result of a request under the Freedom ofInformation Act 1992 or otherwise.

Nevertheless , in both instances , the reliance on the Freedom of Information Act 1992 to protectinformation of these sorts indicates the necessity for any privacy legislation introduced to be consistentwith the provisions of the Freedom of Information Act 1992 . Indeed, it may be beneficial to offer theprotection found for individuals in the Freedom of Information Act 1992 to corporations and other entities.

I trust that this information is of assistance to you. However, if you require any further information pleasecontact Ms Ellen Howard on telephone 3227 772 1.

Yours sincerely

Tom TolhurstDirector-General

100% recycled paper

Chief Executive

Research DirectorLegal, Constitutional andAdministrative Review CommitteeParliament HouseGeorge StreetBRISBANE QLD 4000

Dear Sir/Madam

GPO Box 1429Brisbane Qld 4001

Floor 14 Railcentre 1305 Edward StreetBrisbane Qld 4000

Telephone 07 3235 1371

Facsimile 07 3235 1856

QUEENSLA ND RAIL

I refer a letter dated 16 May 1997 from Mrs Judy Gamin MLA, Chairman of yourcommittee inviting interested parties to provide input concerning an issues paperentitled 'Privacy in Queensland'.

The opportunity for Queensland Rail to provide a submission in respect to Privacy inQueensland is greatly appreciated.

QR, as a large organisation, gathers and holds considerable information concerning itsemployees, customers and other individuals who have dealings with QR. Typicalinformation held by QR would be:

employees' personal detailsemployees' and customers' residential addressesemployees' tax file numbersemployees' medical recordspensioner details andfare infringement notice records

QR recognises that there is considerable public concern in respect to the gathering,use and storage of this type of information and, as a responsible organisation, alreadyhas in place various systems and procedures to prevent the misuse of this information.QR also believes that other organisations that gather private information are aware ofand honour their responsibilities in this regard.

In addition, QR is not aware of any complaints against it in respect to allegations ofmisuse of this information and nor is it aware of any major misuse of privateinformation in the community at large. It is noted that the issues paper does notdocument any cases of serious misuse of private information or contain evidence ofsignificant public concern in this area.

2

In view of this, QR considers that a minimalist approach only is required to address thisissue rather than enacting complex legislation when there is no evidence to warrantsuch a course of action. It is QR's view that an appropriate approach would be toappoint a Privacy Commissioner whose role would be to establish privacy guidelinesand to investigate and monitor complaints into breaches of these guidelines. Should itthen become apparent that detailed legislation is required, this could be recommendedby the Privacy Commissioner and a further issues paper produced to examine andevaluate the details of the legislation proposed.

It is considered that a suitable holder of this office would be the Ombudsman as healready has been established with the resources to conduct any investigationsrequired. Furthermore, as he also holds the office of the Information Commissioner,the roles would be complimentary.

At this point in time, it is difficult to estimate the costs of any privacy regulation as thiswill be entirely dependent upon the regime introduced. However, QR considers thatthe approach outlined above would result in little additional cost to government or thebusiness community.

Should it be decided to enact detailed legislation, QR would not have any concerns inprinciple if it were to apply equally to both the private and public sectors. Such aproposal would maintain the 'competitive neutrality' principle contained in theGovernment Owned Corporations (GOC) Act 1993.

However, should it be proposed that the legislation apply only to the public sector, thenQR, as a GOC, would seek an exemption for GOCs generally.

GOCs are required to operate in competitive commercial environments and QR inparticular operates in the highly competitive industry of transport. Section 20 of theGovernment Owned Corporations (GOC) Act 1993 provides that a key objective of aGOC is that it must be commercially successful in the conduct of its activities whilstSection 19 outlines the principles of corporatisation and the elements contained withinthese principles. The principle of competitive neutrality provides that, whereverpossible, each GOC shall compete on equal terms with the private sector and that anyspecial advantages or disadvantages of the GOC shall be removed, minimised ormade apparent.

It is clear, therefore, that it is the intention of Parliament that GOCs should be free ofthe encumbrances that are normally associated with government. Parliamentobviously then believes that GOCs should, as far as possible, be allowed to complywith the competitive neutrality principle. Compliance will aid GOCs in meeting theobjectives of corporatisation by improving their effectiveness and efficiency as well astheir accountability. This enables government to improve Queensland's overalleconomic performance and increases the government's ability to meet its socialobjectives.

3

QR's opinion is that any privacy legislation that applies to GOCs and not the privatesector would inhibit their ability to comply with the competitive neutrality principleoutlined in the GOC Act. The additional burden imposed would not be shared with theprivate sector and would disadvantage GOCs through the additional costs associatedwith compliance.

In view of this, QR believes that if privacy legislation is enacted in Queensland in thepublic sector only, then all GOCs should be exempt from this legislation.

However, should it be decided that GOCs should be included, then QR would arguethat this should only be to the same extent as GOCs are required to comply with otheradministrative laws such as the Freedom of Information Act 1992 and the JudicialReview Act 1991. Such a decision would ensure legislative consistency and removeany confusion in the application of the proposed legislation.

Yours sincerely

Vince O' RourkeChief Executive

July 1997

Date';ontact.ocafon

TelephoneYour ReferenceOur Reference

16 July 1997T AverayCorporate Services Nerang LEGAL, CONSTITUTIONAL A1(07) 5582 8251 ADMINISTRATIVE REVIEW COM MITTEEIssues Paper No. 2 of May 19972/27(3) U( 1997

Gold Coast City Council

Research DirectorLegal, Constitutional and AdministrativeReview CommitteeParliament HouseGeorge StreetBRISBANE QLD 4000

Dear Sir/Madam


Address all correspondence toChief Executive OfficerPO Box 5042Gold Coast MC QLD 9729 AUSTRALIA

exof od sioKNerang Office Telephone (075) 78 0211

Fax (075) 96 3653

1-1

Surfers Paradise Office Telephone (075) 81 6000Fax (075) 81 6346Telex (075) AA41461

DX42161 Bundall

I refer to your call for submissions on privacy issues in Queensland. One of the mainareas of potential impact within Local Government of changes to privacy provisionswould be in public access to land records. Section 591 of the Queensland LocalGovernment Act 1993 specifies that a land record is open to inspection free of chargeto owners, lessees or occupiers of the land and adjoining land, and to other personsupon the payment of a fee. Currently there are no further restrictions in place limitingthat fee-based access. Council provides monthly updates of land records to a numberof real estate agents and some community organisations.

Council has received a number of complaints from persons claiming they havereceived `junk' mail after their names were secured from information provided byCouncil through the land records updates.

Yours faithfully

Douglas DainesCHIEF EXECUTIVE OFFICER

TAA

Our Vision ... is to ensure our City is the premier place to live, work and play.

Nerang Office - Nerang Southport Road, Nerang Surfers Paradise Office - 135 Bundall Road, Surfers Paradise

BUILDING SERVICES AUTHORITYContact Officer: Matthew Miller Your Ref:

Telephone: 3225 2930 Our Ref:

Facsimile: 3225 2939

16 July 1997

The Research DirectorLegal, Constitutional and AdministrativeReview CommitteeParliament House, Brisbane Q 4000

MM:

LEGAL, CONS OVAL ANDADMINISTRATIVE REVIEW COMM ITTE E

18 JUL 1997

Dear Sir / Madam

Re: Issues Paper - Privacy in Queensland

I refer to the issues paper released in May 1997 in relation to Privacy in Queensland.

The BSA is unable to comment on the issues summarised on pages 10 and 11 of the issuespaper. However, it would seek to have the following concerns taken into account in anyassessment of the protection of privacy in Queensland.

(1) Register of Licensees

Section 39 of the Queensland Building Services Authority Act 1991 provides that the BSAmust keep a register of licensees. The register contains specified information pertaining tothe licensee including details of any disciplinary action taken against him / her and anydirections to rectify defective work.

Such detail is an essential component of the BSA's consumer advice objective allowingconsumers to obtain information which may be crucial in the choice of a Builder / TradeContractor and which may otherwise be unavailable. The BSA would seek to ensure thatthe statutory right to maintain the register and provide reports indicating contractorperformance is not affected by the introduction of legislation governing privacy in

Queensland.

(2) Freedom Of Information

Applications to the BSA for material under Freedom of Information have increased byapproximately 300% over the past three years. An increase in the complexity of requests

for material under Freedom of Information has also been noted.

The BSA appreciates that the principles underlying FOI and Privacy legislation are not

11 Edmondstone Street (Cnr Russell Street), South Brisbane, Q. PMB 84, Coorparoo DC, Q. 4151

Telephone: (07) 3225 2800 Facsimile : (07) 3225 2999

Australian Quality Awards 1996 - Achievement in Business Excellence

TTA BUILDING SERVICES AUTHORITYContact Officer: - 2 - Your Ref:

Telephone:

Facsimile:

Our Ref:

necessarily the same. However, the BSA would seek to ensure that the introduction of anylegislation governing privacy in Queensland does not add further complexity to theassessment of material which may be made available under FOI principles.

Contact

The BSA appreciates the opportunity to outline its concerns on issues which may berelevant to the introduction of legislation governing privacy in Queensland. Please do nothesitate to contact the BSA's Policy Officer, Mr Malcolm McDiarmid (Ext. 52968) shouldyou have any queries in relation to this correspondence.

Matthew MillerGeneral Manager

11 Edmondstone Street (Cnr Russell Street), South Brisbane, Q. PMB 84, Coorparoo DC, Q. 4151

Telephone : (07) 3225 2800 Facsimile : (07) 3225 2999

Australian Quality Awards 1996 - Achievement in Business Excellence

The Research Director.ICARC.Parliament HouseP I sbane t,OOO

R . CP.C. Sadler13

LEGAL, WN51 U BNAL AND Kookaburra Park6TAf?MNIVWIVEREVIEWCOMMiTTE9 C=TN ITN Old Iz671

16 JUL 199710/7/O"7

Dear Sir,

T read with interest, and some concern, your issues Parer 112 on Privacy inieensl and ,

The rarer gives an excellent summary of the increasingly difficult Problemof maintaining rersonal. rrivacy in this electronic are, and the NSW privacycommittee correctl v identified the credit card as "Big 'Brother's little helperI am sure Stan Dashew had no idea what a monster his 1956 credit cardinvention would become.

Not onl y does its use rose Privacy Problems , but commercial electronic datastorage now noses a threat from criminal ' hacking ' invasion of computers toobtain information on valuable purchases via EFTP OS that conveniently recordsc,,istomer name,address , Phone and item value , for future robbery, or even forextortion.

There is a further threat from the increasing Pressure by banks toward al_l-electronic accounting and fund transfer, which, carried to their desiredextreme, =,enul d eliminate 'coin of the realm' as currency, thereby forcingeverybodv into clastic card use vu.xnerabil_ity.

The two dominant nol_itical system aims have not been helpful, with Labourn'ishing socialist information gathering by the State, followed by the Liberal/National rolicv of 'privatisation' making gathered information publiclyavailable when former govern--!ent departments are 'privatised'.

As corrertlrr mentioned, encr-rrtion is not a solution whilst governmentsinsist on holding conie of encrcrrtion keys. Likewise, given the adeptnessof the current legal system in using the adversary system to enable clientsto evade the 'sniri.t of the law' it is unlikely that legislation in the formof IPP' s will he very effective either.

Arart from the now impossible task of ^omnletel r banning the use of electronicdata storage, or even making compliance with it ontional, which would upsetthe bureacracy, there arrears to be only one Possible solution, which is, inessence caveat emntor.

Ler,i_sl.ati.on. has forced tobacco companies to state that their Product isdangerous to health, thus making their customers aware of their risk.Similarly, companies inviting,or requiring the use of credit cards could beren^z_red to make consumers explicitly aware of the risk to their privacyinvolved in the service offered, thus enabling customers to assess risk versusconvenience in the transact ion.

`'There there is no ontion, such as with transactions with some govern-gentdepartments, severe penal-ti-es should be legislated for breaches of privacyso that the risk is related to mi-s-use rather than non-optional use.I,egi slation may also eventually be necessary to maintain "cash" as legaltender.

Tn The Australian newsrarer, July 5/6, in its S(TE section, rage 5, there ismention of a new Swedish Phone service offering 'free' Phone calls if theuser allows the insertion of ten second advertisements during the call. Ifa nri.vat e comnrny is al' owed to tar in. o a Phone line to insert information,what stops them extracting information bu the same but reverse oroceedure.

`'here is a very informative ARC narerback by John Nieuwhenhuizen, Asle-n atthe wheel, on the problems associated with credit cards and electronic privacywhich T would Suggest that at least some committee members should read.

T wish ''Irs Gamin ALA success in this difficult but important task.yours sincerely

LiGAL, 00N1°iftW'1QNAL ANDADMINI ThAtft fl /iEw CoWrre

16 JUL 19§7

8 Beck StreetClontarfOLD 4019

July 11th, 1997

The Research DirectorLegal, Constitutional and AdministrativeReview CommitteeParliament HouseBrisbane QLD 4000

Dear Research Director.

My name is Kharla Ingrid Kedgley and I amwriting this submission as a member of the public who hassubstantial concerns about the lack of adequate privacy

legislation in this country.

The current law in Queensland is not, in my opinion, adequatewith respect to privacy protection. At present the Privacy Act

(1988 ) regulates mainly the public sector - the private sectorare only regulated to the extent of credit reporting and tax filenumbers. This needs to be addressed with legislation extending tothe private sector.

The concept offered by the Prime Minister early this year ofself-regulation by the private sector is a ridiculous one.Self-regulation has rarely been successful in any industry andprivacy concerns are too grave and valid to be ignored by thegovernment and passed back to the private sector who are oftenguilty of invading the privacy of individuals.

I believe there are two steps to be taken to safeguard privacy inQueensland. Firstly, the state government of Queensland shouldregulate the private sector by implementing privacy legislationgoverning private agencies and organisations. information privacyprinciples (IPPs) such as that in the commonwealth Privacy Act

should be introduced to relate to both the public and privatesectors in Queensland. They should also be extended in order thatit is made a legal necessity for collectors of private data todisclose the nature of any organisations they may pass this datato as well as exactly which organisations the data is passed to.This might be given in the form of a listing of companies.

This extension of the IPPs is important. Currently when a directmarketing organisation solicits information from a consumer (suchas their age, gender, address, likes and dislikes etc.) they maysometimes, but not always, state that this information will beused to pass on to other companies that might have products to

suit the customer. And they certainly never give informationabout the nature of these companies, let alone provide a list ofcompanies they pass on these details to. This means that there isno control over who receives the customer's details. With thedata being of such a personal nature and including identifyingdetails it is all too easy for the information to fall into thehands of potential burglars, assailants or stalkers. Thisinformation can then be used to locate the personal dwellingand/or workplace of the individual and to carry out all manner of

unlawful activity - all because there was no way of governing theprivate sector in regards to the passing on of private data.

In other words, the lack of adequate IPPs in relation to theprivate sector means that an individual's privacy can be invadedand an individual's personal details can be used by some peopleto engage in activities prohibited by the Invasion of Privacy Act1971 Old). The IPPs should therefore make it necessary for anymarketing company or other private organisation to disclose whothey may or will pass personal details to. In this way, theindividual has the right to know who holds personal details aboutthem and to avoid, if they wish, passing details on if they donot approve of the organisations listed as potential recipientsof their personal details.

Secondly, the right to privacy should be protected in Queenslandby instituting a privacy committee which operates in the samemanner as the Anti-Discrimination Board. It should not only beable to investigate complaints about breaches of privacy but beable to fine an organisation for such breaches, on the behalf ofan individual who is able to prove to the committee that theindividual's privacy has been breached. The committee should beable to pass on all or part of the proceeds of the fine to thecomplainant. This will cut down on the court costs which wouldotherwise be involved if remedies to the privacy breach weresought in the common courts of law. The other option would bethat the privacy committee could give legal aid andrepresentation to complainants in the court system. However, Ibelieve my first suggestion is a more desirable one.

My other concern relates to the rights of access to medicalrecords. The 1995-1996 High Court decision that the property inmedical records rested in doctors and not patients is, I believe,a blatant denial of the rights of an individual. Medical recordsrelate to an individual's body and mind and their state of health- not that of the doctor. The records should therefore beaccessible to the patient. Without this accessibility it is tooeasy for misdiagnosis and biased personal opinions by a doctor tobe passed on to other medical personnel. For example, a patientmay change doctors after months of poor medical and/or personaltreatment. However, the new doctor might be sent medical recordsfrom the previous doctor which contain comments reflecting theoriginal doctor's negative attitude towards or misdiagnosis ofthe patient. The new doctor may take these comments 'on board'and so the patient may end up having the same misdiagnosis ofsymptoms or being treated poorly. And the patient does not havethe ability to find out why or to remedy the situation becausethe patient is denied access to their own medical records. Suchan,example is not fiction. It is fact because these cases havehappened and will continue to do so, unless the Breen v. Williamsruling is overturned. I have encountered victims of thissituation in ray practice as a Professional Counsellor and itseems to be endemic. What is the doctor so afraid of that he musthide behind the notion that the records are his exclusiveproperty, or that they reflect his opinions which are governed bythe right to privacy, in order to avoid their disclosure to thepatient whom the records concern? If the medical records are tobe seen as the doctor's property, then by extension, so must thepatient's body and mind be seen as the doctor's property! Sincethis is blatantly not the case then the High Court ruling must be

overturned so that patients have access to any medical recordsconcerning them.

This concludes my concerns and my submission to the Legal,Constitutional and Administrative Review Committee for its reviewof privacy issues in Queensland. I trust that my suggestions aregiven serious attention and I hope to see them implemented in thefuture.

Yours sincerely,

(Ms.) Kharla Ingrid Kedgley.

j`.

LEGAL, CONSTITUTION AND ADMINISTRATIVE

REVIEW COMMITTEE OF THE QUEENSLAND

LEGISLATIVE ASSEMBLY

Issue Paper No.2

SUBMISSIONS ON PRIVACY IN QUEENSLAND

Name : Su-King HII

Status: Individual

Address: 3 Chotai Place , Coopers Plains, QLD 4108

Telephone: (07) 33459942

INTRODUCTION:

Much have been written about individual privacy in recent times, especially in light of

the advancement of information technologies , these privacy issues clearly reflect the

community concern of its development . In the past week , the Courier Mail has published

numerous reports on proposed increase in police powers in dealing with alleged suspects

in criminal activities, power to detain suspects up to i 8 hours, increased "bugging" power

etc. Many other issues also surfaced in the past few years with little public submissions

on those issues. For example, the recent High Court decision in Breen v Williams (1995-

1996) 186 CLR 71 where it was held that the property in medical records rested in a

doctor and not a patient . This paper will explore those issues of community concern in

detail.

CURRENT PRIVACYLA WINQUEENSLAND

It is clearly recognised that the common law does not protect the right to privacy in

Queensland or other states in Australia . The only protection afforded in Queensland is

granted by Invasion of Privacy Act 1971. This legislation does not go far enough in that

it regulates credit reporting agents, prohibits the use of listening devices and preventing

any persons from entering a dwelling house by force. No doubt the legislation fails to

provide adequate protection to individuals from infringement arising from sophisticated

methods (i.e. Internet , e-mail , smart cards etc.) The Queensland Government has

certainly moved in a right direction in introducing reforms in recent times. This is

evident from the policy released during the election campaign in 1995 . The most notable

one is the establishment and the enforcement of guidelines for the collection , use and

storage of personal information for state agencies and departments . Also, the move to

ensuring that any adverse impact of a bill or guideline is minimised . One major concern

in this area is the question of extending the privacy legislation to the private sector. As

an increasing amount of personal information is being held by private sector agencies,

this question becomes crucial.

PRIVATE SECTOR

It is submitted that state legislation is necessary in covering the private sector despite the

suggestion to the contrary. The Prime Minister has offered the services of the Federal

Privacy Commissioner to assist private sector in developing voluntary codes of conduct

to meet privacy standards and it will be up to each state to determine the manner in which

it will regulate the privacy protection. It should be noted that this practice certainly has

its advantages and disadvantages. It will reduce regulatory burdens and compliance costs

but it has failed to provide a uniform and consistent requirement between the states and

as page 7 of the issue paper puts it, "it is not only potentially administratively

cumbersome and expensive, but could be to the detriment of interstate trade and, given

the 1995 European Directive, also to international transaction." This approach is clearly

undesirable. It is my submission that there should be a uniform requirement in the code

of conduct to meet privacy standards. This can be achieved by each state enacting state

legislation conforming to a national standard, with some allowance made to

accommodate the needs of each state.

PROTECTION OF PRIVACY IN QUEENSLAND

Suggestions have been made as to the method(s) of protecting privacy in this state.

Alternatives include: statutory tort of privacy, the establishment of privacy

committee/commissioner, information privacy principles.

Before I discuss the merits of a statutory tort, common law protection should be

mentioned. The law of defamation indirectly protects Right to privacy. However, it does

not protect lawful publication of materials that is private or of personal nature. The

arguments for statutory tort certainly have some merit. The main advantages are: it can

be a general or specific formulation of the right of actions and may prevent frivolous and

vexatious claims for breach of privacy. A STP may also specify certain exemptions and

defences for breaches of privacy rights. Privacy rights must reflect the attitudes of the

community and certain breaches may well be justified. For example, public interest must

outweigh the rights of an individual in the case of serious criminal offences and steps

have to be taken to ensure community interest is preserved.

Remedies are also available in the event of breach . However, care must be taken in terms

of framing the damages to prevent frivolous claims. On the other hand , a STP is

potentially vague and nebulous . Hence , the courts may ultimately resolve the ambiguity.

David Yarrow, in his article , Developments in the Law of Privacy - Law and Policy,

expressed concern about STP in that "the cost associated with litigation , the use of the

courts may restrict access to privacy protection." Also, "depending upon its formulation,

it could adversely affect freedom of the press, speech and information."

It is my submission that after balancing the advantages and disadvantages , STP is an

inappropriate option.

INFORMATION PR!VACY PRINCIPLES (IPP)

IPPs are clearly needed to establish a well-documented guideline and standards for

handling access, collection, storage and use of personal information. It is submitted that

these principles do not cover every situation exhaustively. Certain degree of flexibility

must be introduced into these guidelines, especially when the personal information has

high probative value for public interest purposes. The IPP should also provide for

sanctions for breach of privacy rights. These principles should be reviewed on a regular

basis to accommodate changes in the law and must also reflect public concern and

attitude. Because of this, it is my submission that IPP should be implemented by

legislation. Without the authority of legislation, the principles are seriously hampered by

its unenforceability and have little value. To have the status of legislation, the IPP must

therefore clearly set out its content and guidelines. IPP must be able to clearly identify

the contentious areas of privacy that needs protection. For example, who has access and

under what circumstances, the sanction for breach, circumstances under which access

may be refused. The IPP must compel the authority with the information to give reasons

for refusal.

This takes us to the question: Should individuals have to pay a reasonable amount to

exercise their right to privacy? It must be borne in mind that the implementation of IPPs

would cost a significant amount of money in "system modification and training both in

terms of implementation and ongoing cost." Having said this, there are arguments to the

effect that individual should not be made to pay to access their own information. It is my

submission that a reasonable amount is acceptable. Higher charges may be imposed for

unreasonable requests or if the access to personal information involves voluminous

paperwork or resources in terms of time and human resources.

PRIVACY COMMISSIONER /PRIVACY COMMITTEE

Establishment of privacy commissioner or committee is needed for researching the

development of policy on privacy protection. It is my submission that this committee's

function is to inform the public and generate discussion on privacy protection. This

committee/commissioner should set up a system of complaint handling, similar to that of

a commonwealth ombudsman. It should also act on the information privacy principles

and be responsible for the review of IPP. This body should act the peak advisory body to

the Government on privacy issues and because of its importance, steps must be taken to

guarantee its independence. Like the IPP, this body should be authorised by legislation

and have the status of a statutory body. Due to the public interest in this area, the privacy

committee should be constituted in the following manner.

It must be established by legislation for it to be enforceable.

Delegates from the interest groups should also be included (i.e. Civil Liberty

groups, church, human rights organisations etc) These delegates may be elected

or appointed. However, at this stage, this option may not be practical. Education

on this area is needed and constant information is necessary before this step can

be taken.

Formulation of new policies can only be made after extensive public consultation.

This committee must work closely with the Information Commissioner because

many areas are overlapped. However, the two should not be combined because

the independence of the Information Commissioner may be compromised. The

Privacy committee should be made accountable to the Parliament in relation to

matters of appointment, budgets. In order to ensure public confidence in the

committee, it should be free of Government interference. That is why public

consultation is imperative and the members of the committee need to be drawn

from a range of professions to ensure a balance of views.

POWERS OF THE PRIVACY COMMITTEE

Certain powers are needed to carry out its function effectively. As discussed above, this

body should engage in the review of IPP and the implementation of policies and handle

complains. Hence, extensive powers should be attached to the committee. One

suggestion is that the committee be given power to enforce IPPs through sanctions such

as fines and disciplinary actions. It is indeed a valid suggestion, only if the committee is

authorised by legislation to do so. This body should also possess powers to investigate

government departmental procedures in handling personal information of individuals and

make appropriate recommendations to the Parliament as to the course of action to be

taken to remedy the defect in the system. If necessary, the committee may impose

arbitrary requirements or standards on a particular industry in accordance with the

legislation. Hence, it is important for the Act to set out the ambit of powers of the

committee. These powers should be made reviewable by the parliament to ensure there is

sufficient check and balance in the system. The Privacy Committee shall also have

powers to amend the IPPs after extensive consultation. It is my submission that should

the Committee be given the powers to enforce the IPP through sanctions, proper methods

and considerations must be taken into account in making the decision. The committee

must consider:

(1) The nature and seriousness of the "breach"

(2) Steps taken to remedy these breaches

(3) Whether the sanction would hamper the function of the department in the future

(4) Whether it is appropriate to prescribe a standard procedural requirement in that

particular department

The committee must table all findings and decisions to the parliament.

The privacy committee should identify areas of public concern and involve the public in

the discussion. Also, the committee should find ways to educate the public in this area

through media, schools. It is vital that the public be informed about their rights and the

procedures of lodging requests and complaints.

Where possible, the functions of this committee can be combined with the Information

Commissioner to prevent the overlapping of function. However, care must be taken in

that the independence will not be compromised . To solve this potential problem, the

legislation or TPP should define the scope of function clearly and codify it.

SMART CARDS AND ELECTRONIC BANKING

Smart cards have been utilised in several countries for the purposes of collection of, and

access to medical records and for billing purposes . The former Keating Government has

rejected this proposal . It is submitted that the use of smart cards will seriously jeopardise

the right to privacy of an individual , especially when medical history will be exposed and

financial situations closely monitored by the relevant agencies . Smart cards have some

"privacy pluses", for example, they are more difficult to copy than the current magnetic

stripe cards and protected from unauthorised entry by a coding system. Despite its

advantages , the disadvantages outweigh the advantages for the following reasons.

(1) The capacities of smart cards to aggregate detailed information about our daily

lives poses a real and substantial risk to the privacy of personal information.

(2) The data bases are likely to be used as "clearing houses to process and reconcile

smart card transactions, and are likely to be used as a back up to restore the

information in the event that the card is damaged or lost.

It is my submission that smart cards are highly undesirable . However, should this system

be introduced, strict guidelines must be conformed to ensure right to privacy is not

infringed . Donna Bain in her article , Smart Cards: A Federal Privacy Perspective, has

made some suggestions on the regulation of smart cards. These include:

(1) Transparency - The parties in the smart cards and the circumstances of its use

must be clearly defined and elucidated.

(2) Limits on collection and use -

(a) Public consultation is needed to determine the scope of the use and the type of

activities the cards will apply;

(b) The smart cards should be used on a voluntary basis;

(c) Prior consents be obtained from the card holders if the information are used in

a manner which is potentially damaging or embarrassing;

(d) The information must not be used for peripheral purposes . Hence, it is

necessary to codify the standards as in IPP and sanction must follow in the

event of breach . The Privacy Committee may enforce this.

(e) Steps must be taken to ensure the information collected is accurate and

secured . For example , unauthorised access or disclosure of information must

be prevented at the administrative level.

Smart cards are best regulated by a uniform national standard, supported by legislation.

In comparison with the regulation by industry code, the code does not normally address

or provide mechanisms for client or customer complaints. Also, industry codes cannot

clearly define the scope , that is, "clearly identifying the organisations and applications

that falls within its ambit ." A national privacy standard would overcome the problems

and difficulties associated with the industry code. Smart cards may be regulated by the

Commonwealth Privacy Act. The Act should also provide sanctions for breach and

remedies for the complainant. Clear principles must be set out, similar to IPP, to define

the scope of use of the personal information . States may also enact supplementary

legislation.

OTHER PRIVACY CONCERNS

(1) Surveillance (visual and listening)

The Invasion of'Privacy Act has set out prohibition against eavesdropping and

unauthorised entry of property . Penalties have also been prescribed for the

offence . The recent statement by the Police Minister, Mr Russell Cooper on the

proposed increase in police "bugging" power has caused some concern in the

community, especially the human rights group and the Civil Liberty. Proposals

have also been made about "detaining a suspect for questioning up to 18 hours,

conducting covert searches on the suspicion of serious offences and the use of

tracking devices, hidden cameras and "bugs" for serious indictable offence." (The

Courier Mail, Wednesday , July 2) At the first instance, this proposal will clearly

alarm the Aboriginal community, especially with the focus on the recent Summit

on Aboriginal death in custody . It is my submission that the increase in powers is

(1)

clearly necessary in combating crimes in our community. The issue is about

balancing the rights of an individual against the public interest served by the

increased ammunition against crime. Hence, some proposals may include:

Standard guidelines must be formulated in exercising the power to "bug"

premises. The guidelines must include considerations as to the seriousness of the

crimes alleged or suspected, the "perishable" nature of the evidence of

commission of crime, the suspect's age, intelligence, the community's attitude. It

is my submission that 18 hours of interrogation clearly constitutes a breach of

human rights and also privacy for that matter. From a legal point of view, any

evidence of admission or confession derived during these period may be excluded

on the grounds of fairness discretion. Hence, careful steps and formulation of this

policy is needed to serve both the public interest and individual's right.

Remedies should be provided for breach of conduct.

For less serious offences, the police should first obtain the approval from a justice

of the Supreme Court. Also, the police department should also have an internal

review mechanism to monitor the police's conduct.

(2) Access to Medical Records

As mentioned earlier, the ability of a patient to obtain his or her own medical

record is seriously hampered by the High Court decision in Breen v Williams. It

should be noted that the decision is based on common law principles of contract,

fiduciary duties and property rights. This decision has caused some concern, in a

sense that privacy right is breached by the inability to access own medical record.

The High Court held that the duty of a doctor to advise and treat a patient with

reasonable care does not impose a general duty to grant access to medical records

relating to the patient. The patient has no proprietary interest in the records and

that there is no common law principles of the "right to know". Chief Justice Sir

Gerard Brennan did remark that access should be granted under certain

circumstances, namely when

(a) refusal to make the disclosure might prejudice the general health of the

patient;

(b) the request for disclosure is reasonable having regard to all the

circumstances, and;

(c) Reasonable reward for the service of disclosure is tendered or assured.

It is implicit in the judgement that the onus of proof lies with the patient. In my

submission, the judgement does not adequately protect the interest and privacy rights of

the patient although the Chief Justice has elucidated the circumstances under which

access may be obtained. The Legislative Assembly may consider legislating the right to

obtain records subject to certain condition. Firstly, the onus should be on the doctor to

prove the refusal is in the best interest of the patient. Secondly, patient should not be

made to pay for the access, especially when it can be shown that the refusal will prejudice

the general health of the patient. Thirdly, clear guidelines must be set out to regulate the

disclosure. In granting access, the doctor should consider the points (a) to (c) elucidated

above. The legislation should also set out conditions under which access may be refused.

Access should be refused if the granting of access will seriously hamper the function of

the doctor to perform his or her duty. Provisions should also be set out to review the

doctor's decision although this is a radical step. The policy in this area must reflect the

community's concern. That is, a patient should have a general right to access his or her

own record. Access can only be refused in limited situations where it would hamper the

doctor's performance or disclosure will prejudice the health of the patient.

CONCLUSION

Strong legislative decisions must be made with respect to the issues elucidated above. It

must be recognised that no definite, concrete guidelines can be applied. Hence, the

legislature must assure the community that public is extensively consulted. Also, the

committee should also engage in rigorous debate and involve the public in the discussion.

Only then can privacy rights be protected.

Author of Submission:

10.

Bank of Queensland LimitedACN 009 656 740

Established 1874

ADMINISTRATION

In your reply please quote : CoSec/JTE

If telephoning kindly ask for : John Lemon

Ms Judy Gamin MLAChairmanLegal, Constitutional and Administrative Review CommitteeLegislative Assembly of QueenslandParliament HouseGeorge StreetBRISBANE 4000

Dear Madam

PRIVACY IN QUEENSLAND - ISSUES PAPER

229 Elizabeth Street Brisbane Old 4000

GPO Box 898 Brisbane Qld 4001Telephone (07) 321 2 3333

Fax (07) 321 2 3399DX 240 Brisbane Telex AA41565

9 July 1997


1 6 fl u 1997

Thank you very much for your letter of 16 May 1997, and for inviting Bank of Queensland ("theBank") to make a submission on a matter of considerable interest and concern to the Bank, as wellas to the wider community.

At the outset the Bank submits that any review of privacy protection should take place on a nationallevel, and not on a State-by-State basis. The reasons for this include the one adverted to on page 7of Issues Paper No. 2, viz. a State-by-State approach is potentially administratively cumbersome andexpensive, imposing an unnecessary burden on business, which could ultimately also result inincreased costs to consumers.

You would be aware that the Privacy Commissioner, whose office is constituted under the Privacy Act1988 (Cth), is considering the development of a national Privacy Code, which may ultimately leadto national privacy legislation for the private sector. The Bank believes that the degree ofinconsistency between the laws and regulations of various States within Australia, and the degree ofoverlap between Commonwealth and State laws and regulations, is to be deplored. The Bankexpressed similar sentiments in its submission last year to the Small Business Deregulation Task Forceestablished by the Federal Government.

In relation to the banking industry specifically, it is submitted that customers of banks presently havean adequate level of privacy protection. Banks are subject to a long established common law duty ofconfidentiality and also to equitable duties of confidentiality, and have implemented privacy protectionarrangements pursuant to the Code of Banking Practice. Any code or legislation which may beimplemented should, it is submitted, exclude banks (and other commercial entities where applicable)from its operation.

031016JE.06

41

-2

Much of the current examination of the level of privacy protection in Australia stems from theEuropean Union's Privacy Directive which requires that adequate privacy protection mechanisms bein place in countries to which European companies send data. However, as recently pointed out bythe Federal Attorney General (refer page 4, Australian Financial Review, 23 May 1997), the EUdirective stipulates "an adequate level of protection", not an identical or even equivalent level ofprotection to that used in the EU. In this regard Mr John Tuckwell of the EU recently advised theDirector Legal, Australian Bankers' Association that in considering the adequacy of another country'slaws the EU would be prepared to consider the adequacy of rules applicable to a particular sector asdistinct from an entire country. As referred to above, it is submitted that an adequate level of privacyprotection already exists in the banking industry.

Finally, it is submitted that if regulation of the private sector in relation to privacy protection is to bemandated, then various industries should be left to develop codes of practice which are appropriate

for those industries.

Thank you again for the opportunity to provide this submission. If you wish to discuss any aspect of

it please do not hesitate to contact me.

031016JE.06

The speech, made to a banlang an adequate level or protection . -"We don 't foresee any prtth ff dS

But the positive news ofHans van Leeuwen - European Union could be affected, is tempered by the fact that

The Federal Government has hitbecause the EU's Privacy Directive retains around 1 .7 million

back at critics of its decision' torequires, adequate privacy protect phone users - all of whom P

scrap, planned privacy protectiontion mechanisms to be in place in to migrate to digital technccountries to which European com- January 1, 2000.laws for the private : sector.. - pies send data ' Despite an 8 percent dro

The Attorney-General, Mr Daryl However, Mr Williams said the last 12 months , Optus alsoWilliams, said yesterday that trade protective :mechanisms - the <EU '725,000 analog customers.with the European Union would not required of Australian companies Concerns : . `raised _. bybe affected by the decision and did not have to be the same as the Olympic organisers andprivacy would be protected because ones used in the EU. "The directive - phone users, over-the Govebusinesses had a commercial incen-- does' not require identical protec- plan - to phase-out analogtive to provide privacy protection to tions. It doesn't even require equiv- - phones by the 2000, ha- t.their customers. alent protections. The term used is downplayed by Telstra. -

e irscon erence m ney, wasytime the Government has respondedto heavy criticism from privacygroups. The criticism followed theannouncment by the Prime Minister,Mr John Howard, in March that theGovernment would not be imple-menting privacy laws in the privatesector and, instead, would rely onindustry to regulate itself.

Personal information is aleadyprotected by law in the public sectorand some States are consideringprivacy regulation for business.

Mr Williams said Commonwealthlaw was unnecessary: there would bevoluntary compliance with industry-designed privacy codes, becauseconsumers would, demand it.

"Consumer trust and loyalty areimperative to good business," hesaid. "That trust and loyalty can bedestroyed if personal informationof customers is misused, or consum-ers fear it may be misused.

.If privacy is inadequately pro-tected in the new informationtechnology environment, the confi-dence of users, and potential users,of such technologies may be under-mined, preventing optimal use ofthose technologies." But critics havesaid Australian trade - with the

He said that there. were many, with meeting the. Governdeadline," Telstra MobileN.

A . Industry should aging director,- Ms Danita

develop a unified setsaid last night.

Australia's digital mobileof privacy - market is now above 2 millic

O sus announcin a 360nnci les. P U, P

p p 7 increase since April 1996 t

exemptions to the Directive andcompanies also had the option ofwriting the required privacy stan-dards into their contract, regardlessof Australia's legal framework.

Mr Williams also hosed downbusiness fears there would be apatchwork of - inconsistent Stateprivacy laws for the private sector.

He said the PM had asked theStates to follow the Federal Gov-ernment's example of relying onvoluntary codes. He called forindustry to develop a unified set ofprivacy principles similar to that inthe Government's aborted draftprivacy legislation.

"This approach would provide auniform privacy standard acrossthe entire private sector. [It] wouldalso provide a basic starting point[for] the _. development of moredetailed codes.

Steve Lewisand Chelsey Martin

The dramatic growth of Audigital mobile phone marksno signs of abating, withreaching the 1-. million cmark and Optus :yesterda}ing it now has fewer analdigital customers.

than 750,000 customers.Vodafone is running _a

third with just over 300,0(tomers, giving it a market sabout 15 per cent.

But the UK based VoEwhich has flagged planssharemarket listing in ALwithin three years, claims its s"digital revenues exceeds 20 pe

Optus business marketingager, Mr Rick Wakeham.more than 75 ' per cent o:customers since March hadfor the. digital network, withthan half of their 1.5 million icustomers now using digitalthan analog technology. ,

Optus has a big financialfive to switch analog cussover to digital because of the"interconnection " ' -fees it paNstra for use of its analog net

Ms Lowes said Telstrvforecasting "very good growl

• Would suit qualified Accountant/Systems expert• Client/Server applications with workflow

2 July 1997 V

The Research DirectorLegal, Constitutional and AdministrativeReview CommitteeParliament House, Brisbane, Qld 4000

Dear Sir/Madam,

Re: PRIVACY IN QUEENSLAND - ISSUE PAPER

We refer to the Issue Paper of May 1997 in relation to the

above matter.

Pursuant to your invitation to make submissions to beconsidered in relation to this topic we comment as follows:-

We think it would be helpful to have a clarification of therequirements in order to establish that the person speaking tous on the phone is the person they claim to be. The currentPrivacy legislation prohibits disclosing credit informationabout someone to another person however does not provide astandard to follow to ensure that we are speaking with theperson in question. When we contacted the PrivacyCommissioner's office we were advised that we must take"reasonable steps" to establish the identity of the person inquestion. We were then advised that they could not tell uswhat questions would be considered "reasonable" in thisregard. We were further advised that we could not submit aletter outlining our current practice for their approval.Therefore until such time as there is a complaint to thePrivacy Commissioner's office, we can not be sure that ourcurrent practice is considered reasonable by the them.

Our suggestion therefore is that when legislation is draftedit provides for a standard that is considered reasonable inrelation to questions to ask someone over the phone toestablish their identity. Alternatively the legislation couldprovide for a process of query to, and answer from, thePrivacy Commissioner's office as to whether a particularpractice is sufficient.

If you have any queries in relation to the above submissionplease do not hesitate to contact us.

Yours faithfully,

Bernard Luton

July 9 1997

LEGAL, CONST if UTONAL ANDADMINISTRATIVE REVIEW COMMIT i EE

16 JUL 1997Retailers Association

of QueenslandLim ited

Ms Judy Gamin MLAChairmanLegal, Constitutional and Administrative Review

CommitteeLegislative Assembly of QueenslandParliament HouseGeorge StreetBRISBANE Q 4000

Dear Ms Gamin


Union of EmployersA.C.N. 009 664 073

Representing

The RAQ is pleased to make a submission on the issues paper released by your Committee on May

16, 1997.

We appreciate the closing dates for submissions is August 1, 1997 and hope should you require itthat you will contact us if further clarification is needed.

By way of background the RAQ represents the communal interests of 2000 member retailers

across Queensland.

Our membership operates approximately 5000 outlets and is responsible for transacting 70% ofbusiness in retail turnover each year in this state.

The RAQ is vitally interested in the issue of privacy and how it may impact on the ability of ourmembers to run their businesses.

We believe a retailer has a fundamental right to protect their property, stock and employees fromtheft, damage or physical attack and threat using both overt and/or covert surveillance.

Within the retail industry, visual surveillance is used for the monitoring of activity within the

workplace.

By way of example Close Circuit Television (CCTV) is used by our members for the purposes of:

2

• Perimeter security• Access security• Monitoring pedestrian traffic• Monitoring high risk safety areas• Overt merchandise and property protection

• Covert merchandise and property protection

As a general rule CCTV is not used in change rooms, fitting rooms, toilet cubicles or any areaswhich may be considered to be of an intimate nature, or where shoppers would reasonably expectto have privacy.

Our members are very careful to ensure all staff using a security aid are properly instructed andsupervised in its use.

Some members notify the customer of its intention to conduct video surveillance.

A shopper who then enters a store which displays a notice implies that they accept the condition ofentry.

In return our members operate such cameras ethically. Retailers take responsibility to ensure thatappropriate disciplinary action is taken if camera operators are found to be conducting surveillancein an inappropriate or unethical manner.

Moreover research indicates that elderly shoppers in car parks or shopping malls feel more securein the knowledge that surveillance has become a feature of modem day retailing.

The key to avoiding disputes with the shopping public and employees over this practice lies inproviding as much information as possible in the first instance.

We recommend to members that they:

1. Notify the customer of the intention to conduct video surveillance

2. New and existing staff are advised of the use of video surveillance

As a result of these steps the smoked domed camera, as an example, is well recognised in retailshops by the public and staff as containing video cameras.

Many retailers place cameras behind smoked domes largely for aesthetic reasons plus to ensurethat the criminals are not able to tell whether or not the camera is pointed at them.

Any measure to restrict a retailer's ability to prevent crime will lead to further losses by ourmembers and should be resisted.

In Queensland each year the equivalent of 2% of total turnover conducted in our shops is lost totheft. In dollar terms this figure approaches $300 million per annum.

3

Not surprisingly we view this issue very seriously.

If we can be of any further assistance to your committee please contact the undersigned on 32211588 at your earliest convenience.

Yours sincerely

PATRICK McKENDRYExecutive Director

cc RAQ CouncilRAQ Security Committee

LS: PMc K\9jul2patri ck

LEGAL, CONSTITUTIO'L&L ANDADMINISTRATIVE REVIEW COMMITT

16 1Ut 1997

4197

The Research DirectorLegal, Constitutional & AdministrativeReview CommitteeParliament HouseBrisbane QLD 4000

Dear Sir


e® ® n Y

CREDIT REFERENCE ASSOCIATION

OF AUSTRALIA LIMITEDW 000 602 862

Level 590 Arthur StreetNorth SydneyNSW 2060

PO Box 966North SydneyNSW 2059

DX 10538North Sydney

Telephone 02 9951 7555

Facsimile

Administration 02 9951 7880Information Services 02 9935 8550

Member Services 02 9951 7829

In response to Issues Paper No. 2, we enclose a submission which considers thepotential cost of privacy legislation, the risks associated with unilateral Statelegislation, and privacy protection in the context of access to public registers.

The Credit Reference Association of Australia Ltd and its members haveconsiderable experience of operating under the Commonwealth Privacy Act (1988)and we therefore hope our comments will be of some value to the Members of theCommittee.

Yours sincerely

BRUCE BARGONCHIEF EXECUTIVE OFFICER

Att.

cc: Ron Hardaker , Executive Director, Australian Finance Conference LtdRod Wyatt , State Manager , QueenslandAndrew Woods, General Manager , Credit Bureau

SUBMISSION BY THE CREDIT REFERENCE ASSOCIATIONOF AUSTRALIA LTD


THE SCOPE OF THIS RESPONSE

The Credit Reference Association acknowledges the importance of balancingthe wish of individuals for a degree of personal privacy, and the legitimateinformation needs of government and the business community.

This submission highlights the potential costs of privacy regulation. Itaddresses issues with respect to privacy protection and access to informationcontained in public registers. It also considers the risks associated withunilateral state privacy legislation in an area (consumer credit information)which transcends state boundaries.

The submission touches on the costs and inefficiencies of existingQueensland and Commonwealth privacy legislation and the effect this canhave on consumer credit interest rates.

PRIVACY LEGISLATION Page 1 of 7 7 JULY 1997BRUCE BARGON

DIRECTOR & CHIEF EXECUTIVE OFFICER

INTRODUCTION TO CRAA

Credit Reference Association Of Australia Limited (CRAA)

CRAA and its members have a strong interest in any review or considerationof privacy legislation , because the company plays a central role in theprovision of risk management information services to the Australian businesscommunity.

CRAA is owned by its members . The company is the pre -eminent consumercredit reporting in Australia , responsible for 98% of all consumer creditreports used by financial institutions.

In 1996/97, over 85% of all new consumer credit loans, (worth $60 billion andcovering a wide range of credit facilities from motor vehicle loans, to propertymortgages) were approved subject to credit information held by CRAA..

The CRAA consumer credit database holds records on the financial dealingsof 11 million Australians.

The company is also one of the two principal commercial credit reportingagencies in the country, with a database of over one million companies andbusinesses. CRAA information plays a key role in the provision of credit toAustralia's small and medium business enterprises.

CRAA' s 4,000 members include all banks and finance companies, credit cardissuers , communications carriers , most credit unions and some 3,000manufacturers , wholesalers and service providers.

In the current financial year, credit risk information provided by CRAA willdirectly contribute $300 million to its members' profitability. This is principallyfrom the avoidance of bad debts and reduced administration costs. CRAAmodelling indicates this saving to financial institutions is equivalent to a 1.1 %saving in consumer credit interest rates.

Compliance costs to CRAA and its members are an issue which should betaken into consideration in any proposal for unilateral state privacylegislation.

Existing Queensland legislation , the Invasion of Privacy Act 1971, alreadyhas some adverse impact nationally on credit reporting in Australia.

PRIVACY LEGISLATION Page 2 of 7 7 JULY 1997BRUCEBARGON


PRIVACY LEGISLATIO N - THE N EED FOR BALA NCE

Any proposal by the Queensland Government to regulate or restrict theexchange of personal information should be subject to extensive consultationto ensure that a balance is maintained between the protection of individualprivacy and the need for businesses to continue to operate efficiently. Theextension of privacy legislation to the private sector will have a cost, and thatcost needs to be recognised by all parties involved.

Nowhere is this more evident than in the provision of financial services.

The Australian credit market (excluding trade credit) is worth $494 billion tothe economy. It is critically important to the health and continuing growth ofAustralia.

All credit transactions involve risk. Fast, effective access to reliable riskassessment information is an essential element in managing that risk.

Financial institutions in today's increasingly competitive market areessentially in the information business. Banks, finance companies, creditunions and others, take risks associated with lending and use their access toinformation to manage those risks.

The development of sophisticated computer-based credit assessmentprograms has meant that financial institutions no longer need to accumulatelarge amounts of detailed personal information about their customers.

Instead, in a competitive, rapidly changing market, financial institutions andsuppliers of goods and services, rely more than ever on fast access to arange of proprietary and public third party databases. Customer loyalty isfragmented and as customers move from one supplier to another, so theneed for some external, constant source of information grows. Specialistbodies, such as credit reporting and rating agencies are the sources ofinformation which all credit providers now increasingly use as a basis for theirrisk taking decisions.

As a result of previous privacy related legislative initiatives , Australia has oneof the most highly regulated credit reporting regimes in the world. There is acost to the community from such regulation and this is addressed later in thissubmission.



ISSUES WITH RESPECT TO PRIVACY PROTECTION

CRAA is concerned that any proposed extension of privacy legislation inQueensland should take into account the central role of public registries andthe needs of business to have access to the information contained in thoseregistries.

CRAA supports balanced privacy legislation. The company first introduced aright of access, complaint and correction to people recorded in its files in1973, several years prior to any State or Commonwealth legislation, providingsimilar rights.

The Association accepts that people have a right to expect that personalinformation provided by them to service providers and government agencieswill be respected and will not be used for unrelated purposes.

Our concern lies with the possible application of future privacy legislation tokey information held in the Queensland public sector.

Broadly speaking, information held in the public sector is collected to supportlegal processes and to ensure accountability. Public registries hold a widerange of data, from State registries of land ownership, vehicle ownership,business names, debt judgement details, addresses, occupations, etc.Federal agencies maintain company records, details of individual directorshipand shareholdings, charges over property, industry, statistical andemployment and marketing information.

Some of these registries are a crucial source of information to business ingeneral and the credit process in particular. They make an extremelyvaluable economic contribution to the market place. For example, informationabout land ownerships, registered securities, debt judgement information,and business name registries occupy a central position in the credit process.Any limitation in access to such information would have an immediate impacton the cost of credit in Queensland.

Further, the information held in public registries in Queensland is both animportant source of revenue to the Queensland Government, from accessfees and charges and a key source of competitive advantage (or lack ofadvantage) in attracting business to the State. Access to information will bean increasing influence on new investment decisions. Public registriesshould be viewed as important capital and business access to them shouldbe taken into account in any consideration of privacy issues.



PRIVACY LEGISLATIO N - U N IFORM ITY IS CRITICAL

Commercial enterprises and their customers are spread across Australia andincreasingly , beyond Australia ' s boundaries . The flow of information betweentrading organisations and their customers , and with one another , transcendsState boundaries.

There is a very real danger that unilateral State privacy legislation in additionto the Commonwealth Privacy Act will add an unnecessary level of complexityand cost to normal commercial transactions between private sectororganisations and their customers.

Three States, Queensland, New South Wales and Victoria, have announcedthe possible introduction of privacy legislation. There are reports that otherStates are considering similar moves. The cost to the private sector inattempting to comply with possibly nine different, conflicting privacy regimes,could be substantial.

CRAA believes it is most important that the Queensland Government, otherState Governments and the Commonwealth reach agreement on uniformprivacy legislation. If individual State proposals are implementedindependent of the development of Commonwealth legislation, there willalmost certainly be a proliferation of non-uniform requirements governing thecollection and use of personal information, with consequential complianceproblems for industry.

State and Federal Governments in Australia do not have a good record onuniform legislation. National credit providers for many years operated undera multiplicity of sometimes contradictory consumer credit laws. They canattest to the very high costs of compliance and the confusion which can arisefrom attempting to reconcile the demands of differing State andCommonwealth bureaucracies, which, if not competing, often do notcooperate.



EXISTI NG PRIVACY LEGISLATION ADDS UNNCESSA RYCOSTS

Existing privacy legislation, covering the collection and use of personalinformation for credit risk purposes, has already resulted in added operatingcosts for credit providers. These added costs are equivalent to 1% inconsumer interest rates.

CRAA detailed the various inefficiencies resulting from the Privacy Act 1988(Cth) in its submission to the Financial System Inquiry and in its response tothe Commonwealth Discussion Paper , `Privacy Protection in the PrivateSector' (pages 3 to 6).

The Invasion of Privacy Act 1971 (QId) adds to the administrative burden ofthe Commonwealth Privacy Act in several ways. The Queensland Act wasformulated at a time when all credit reporting agencies maintained manualrecords and operated within individual State boundaries . In addition , creditassessment decisions at that time were made by individual branches ofbanks , finance companies etc based within various State boundaries.

The problem can best be illustrated by two examples:

• Section 24.(1) of the Invasion of Privacy Act, Deletion of StaleInformation requires a credit reporting agent to annually deletefrom its records all information that relates to any act, matter orcircumstance, that occurred more than 5 years previously. Thisincludes all reference to current and previous bankruptcy orders.

• Section 24.(2) prohibits a credit reporting agent from publishing anysuch information, which is more than 5 years old.

• The Commonwealth Privacy Act recognises that bankruptcyinformation is of particular relevance to credit providers inassessing risks and as such S. Section 18F (2)(f) permitsbankruptcy data to remain in a credit report for a period of 7 yearsand allows the release of this information to a credit provider for aperiod of 7 years.

Given the serious nature of bankruptcy, CRAA believes the 7 year limit in theCommonwealth Act should override the 5 year period in the Queensland Act.



2. • Section 25.(1) Invasion of Privacy Act, Demanding Payment byThreats prohibits any person writing to a debtor demanding thepayment of money, where the writing contains any threat in relationto the debtors credit worthiness, credit standing or eligibility forcredit.

• S. Section 2.7 of the Credit Reporting Code of Conduct (issuedunder S. 18A of the Commonwealth Privacy Act) requires a creditprovider to write to debtor to advise him or her that if payment of adebt is not made, then the fact of the debts non payment will bemade known to a credit reporting company.

CRAA believes the requirement that a creditor must notify an individual of anintention to report an overdue debt to a credit bureau is in the best interestsof both the credit provider and the individual concerned. The Commonwealthlegislation does not permit a credit provider to report an unenforceable debt.

In the two examples given, CRAA and its members face two sets of privacylegislation, both carrying substantial penalties for non compliance. Thedifficulty of attempting to quarantine credit files affected by the Queenslandlegislation, and applying special edit rules to the data contained in those files,is such that CRAA has felt the need to apply the time limitations of S. Section24.1 of the Queensland Act to its national database. The result is thatsignificant, relevant bankruptcy information, recognised by contemporaryCommonwealth privacy legislation is not available to any credit provider inAustralia. The potential conflict between Sections 25(1) of the QueenslandAct and 2.7 of the Code of Conduct (Commonwealth Act) remain unresolved.



- (!trio ' (!rammar'r . urri, ttulck1 amptnn.

from the PrincipalMr R J Kollar

RJK:Ipr

26 June 1997

The Research DirectorLegal, Constitutional and Administrative Review CommitteeParliament HouseBRISBANE Q 4000

Dear Sir,PRIVACY IN QUEENSLAND : " ISSUES PAPER" SUBMISSION

Concerning Section 12, Item 22, page 10: "OTHER PRIVACY CONCERNS"

Cnr Agnes & Denham StreetsRockhampton Q. 4700Tel: (079) 300900Fax: (079) 224809

AREA OF CONCERN: Invasion of the privacy of telephone subscribers by nuisance callers including persons who placeunwanted calls, e.g. such as threatening, abusive or distasteful calls that the receiver would normallynot wish to receive.

Examples of recent actual unwanted calls which have been received by the workplace at which I am employed include:

• a person calling to talk about female students' underwear in a totally unacceptable manner

• a bomb threat

• abusive calls to young students using obscene language.

Proposed solution/step towards solution:

(I) Relaxing of the current ban on allowing telephone callers' own numbers to be displayed on handsets during calls; and

(ii) recording complete numbers on telephone accounts in order to permit tracing of such unwanted calls.

Whilst this may not always result in offenders being apprehended the existence and advertising of such a facility and process couldcontribute greatly to the reduction of such unwanted calls.

Rationale:

Telephone callers who have no reason to remain anonymous would not be disadvantaged in any way from being thus identifiedsince the nature of their telephone calls is, without doubt, legitimate.

Only non-legitimate telephone callers would have reason not to want to be identified by the receiver.

Mobile telephones are increasingly being manufactured with the facility to list the source numbers of "missed calls" but,presumably, legislation prevents such a facility from being activated.

Again, those who are not "breaking the law" should have no reason for remaining anonymous since they wish to speak with thereceiver of the call for some legitimate reason.

I urge those conducting the enquiry into the general issue of privacy to consider seriously the proposal I have made for the good ofmembers of the public and as a safety and security issue.

Yours sincerely,

R J KOLLAR (MR)

EXTENDING TODAY'S HORIZONS word6/fi1es/prin/privacy.doc

FOR THE WOMEN OF TOMORROW

Suite 40615 Albert Avenue

Broadbeach QLD 4218

11 Jun 1997

M Whyte157 Brookfield RdKenmore HillsQueensland 4069

Dear M Whyte,

I was speaking with my colleague Marie Chancel last week and she asked me in confidence tolook at your file and see if, as she suspected from her intuition, you might benefit from my study ofnumerology. From the moment I looked at your file I knew I could help you, but it also made me realisewe haven't got a moment to waste! It's strange how sometimes these things have such an immediatereaction on me, so I decided to treat your case as a top priority as I shall now explain to you in thisletter.

M Whyte, as I said at the start of this letter, I have felt a strong affinity with you - from the veryat., `• f:dence) to took ^tollr file Since than T haSTe been nrmmnt?r1

Marlc 1-A-ml I,.

Chanecked ne f:

rnoli.cnt 1Y11aal l -- Ella vVi111 +.ua.-v^ .at

] v-•. -^ - - - t.-„---`

by my own curiousity to examine your astral chart in some depth and found out that there is, I believe, atotal disharmony between the positive astral forces that encompassed you on your birth, and the lifethat you lead today.

It seems inevitable to me that we were bound to meet up sooner or later - as if some invisibleforce was involved.

Yes, although you did not request it - I was sufficiently interested in your case to do some furtherresearch into your astral chart. The timing is fortunate - you are now entering into a period of warmthand brilliance, a so called golden wave which is generally referred to by us as a "Hot Period" that couldbe so helpful in changing your life positively, over the next three months.

To make the most of this "Hot Period" in your life you will need guidance. There have beenperiods in the past when similar opportunities have occurred which could have so positively changedyour life... but either you chose to ignore them or simply did not recognise, these opportunities.... orpossibly did not believe them. You must put your trust in me - you have nothing to lose by it, andeverything to gain.

As I have already mentioned, I was sufficiently interested by your case - which prompted me tocontinue to study it, and I discovered that my initial instincts were confirmed. You are indeed enteringinto a really beneficial golden wave "Hot Period". At this moment I am in a position to give you essentialinformation, usually referred to as the Golden Steps, that will guide you for the next three months inmatters affecting your money and love life.

This help will include your most favourable numbers to play Lotto, horse racing, football poolsand favourable times for friendships, so you can maximise the opportunity for the duration of your "Hot

Period".

Please don't let this opportunity pass you by - these positive "Hot Periods" to which I refer, last atmost only for two to three months and occur usually over seven to nine year cycles. There is noguarantee they will visit you again, if indeed you are able to recognise them if they do. Make the nextthree months really count. Some of the most successful and powerful people of this century have reliedon numerology knowing when to act and when to make their decisions. All you need to do now is makeyour decision to do it... take the first step by simply sending me your request for your personal GoldenSteps chart and Numerological Horoscope below. You've nothing to lose and everything to gain.

You can discover by this simple action how you can open new doors to your future, without anyrisk. I have already done the calculations for your Golden Steps chart, which is of course why I amwriting to you now. In a few days your whole life could change and you could achieve everything youdesire... money, love and personal satisfaction. The timing is perfect now - do not miss out on thisopportunity.

Yours sincerely,

P.S. As a final word you must understand that if at any time within the next two months you canhonestly say that not a single positive event has turned your life around as I have indicated - you needonly write to me, and I will refund to you without question - the charge for your forecast numerologyhoroscope analysis. This is a guarantee in writing, valid for two months, with all the legal guarantees...you have nothing to lose, and everything to gain from this real opportunity.

q Yes, I would like to receive my personal Golden Steps chart and NumerologicalHoroscope without delay and fully understand that if I don't experience a positiveturnaround in my life over the next two months, you will refund in full its cost on return ofthe document to you.

q I enclose a cheque/money order for $48 (plus $1.95 to cover postage and handling) - atotal of X49.95 made payable to "Ella Rostov".

q I wish to pay by MasterCard / Visa / Bankcard.

Card No: ............................................................................. Expiry Date:..........................

Signature: ................................................................. Date:................................

Confirmation of Birth Date: .....................................

Please return to Ella Rostov , Suite 406, 15 Albert Street, Broadbeach, Q 4218

ECM0003 V1707120M Whyte157 Brookfield RdKenmore HillsQueensland 4069

Ie e 2'ti'evc&^)

Ct t ,

1j

^.

3.

//C k! ';'mot

1e

IP t1aboo

'teel^i Iell-flf-vwl

el" --?44a'lf'lVlqjf

j to

C % I'W/- - X r4^yW/

1", a1vtAl

lla,A^ pea"4',

14d

0

V/4

G

111*1' 1 , 9

4et

4^t^- le ki-d

411elolt)i

y

THE ROYAL AUSTRALIAN COLLEGE OF MEDICAL ADMINISTRATORS'(QUEENSLAND STATE COMMITTEE)

DEPARTMENT OF ANAESTHESIARAYMOND TERRACE, SOUTH BRISBANE QLD 4101

PHONE: 07-3840 8646 FAX: 07-3840 1805

12 June 1997

Mr Neil LaurieResearch DirectorLegal, Constitutional & Administrative Review CommitteeParliament HouseBRISBANE QLD 4000

Dear Mr Laurie

RE: PRIVACY IN QUEENSLAND, ISSUES PAPER No 2, MAY 1997

It is important that collectors and record keepers of personal information should besubject to the restrictions of the Commonwealth Privacy Act 1988.

The Commonwealth established the Office of a Privacy Commissioner to ensurecompliance with the Privacy Act 1988. New South Wales established a Privacy

Committee in 1975 with functions including research, education and the investigationof complaints. Queensland presently has no similar official or committee.

A Privacy Committee/Commissioner should be established for Queensland and coulddraft and administer legislation on privacy issues. The Commonwealth Privacy Act

appears essentially to deal with 11 information privacy principles and, for instance,does not address the use of surveillance cameras in public places . A Queensland

Privacy Committee could monitor public opinion on such issues and ensure adequatepublic debate; this would lead to well prepared and acceptable legislation.

If the Commonwealth were to enact Australia wide Privacy Codes, then much of theneed for State Privacy Codes and bodies to police them would cease to exist.However it appears that the present Commonwealth government is unlikely to enact

such laws.

Concerns about privacy in relation to surveillance telemarketing, the workplace,medical records and genetics are justifiable and provide examples where a Committeeor Commissioner could issue guidelines and lead public debate on solutions.

Page 1

Submission to the Legal, Constitutional & Administrative Review CommitteeIssues with Respect to Privacy Protection

General

1 Yes. The most important is the establishment of a Committee orCommissioner to focus public debate and to guide legislation.

2 The question seems to be what law? The Queensland Privacy Committee Act1984 lapsed in 1991, and only the Invasion of Privacy Act 1971 (Qld) is currently inforce.

3 By the establishment of a Privacy Committee or Commissioner and ofinformation privacy principles.Legal costs might make a statutory tort unavailable for many people, and it would bean excellent means of "gagging" by lengthy legal action for those able to pay largelegal fees.

Option - Information Privacy Principles

4 I P Ps should provide controls in the collection, maintenance & use of personalinformation similar to the 11 principles of the Privacy Act 1988 (Cth).

5 I P Ps should be in the form of legislation so that all affected parties mustcomply with them.

6 Payment by individuals to exercise their rights to access information aboutthemselves would diminish frivolous requests. However legislation should set areasonable maximum charge relevant to the quantity of information sought.

7 We are not competent to answer this question.

Option A Privacy Commissioner/Privacy Committee

8 If an office is established its independence should be ensured by a fixed termof appointment.The office should be accountable to a Parliamentary Committee.The office should not be combined with any other office.

9 The functions of the Privacy Commissioner should be as set out under Section6.2.

10 The Privacy Committee/Commissioner should have powers of access andpower to initiate court action for breaches. We think that the Committee should nothave the power to levy fines but should rely on count action.


Page 2

Scope of a Privacy Regime.

12 We think that this should apply to the private sector.

13 Yes, it should apply to government owned corporations.

14 Yes, it should apply to local Government activities.


16 This problem is the reason for our answer to question 12.

17 There must be co operation to ensure the maximum uniformity.

18 Publicity owned information should still be available under the Freedom of

Information Act.

19 The 1995 European Directive and the 0 E C D guidelines seem to apply to

"countries". Obviously it would be appropriate to comply with these, but it seems tobe more appropriate to the Commonwealth Government rather than the State of

Queensland.

Smart Cards & Electronic Banking.

20 Smart cards should be regulated by National Legislation : this would obviateconcern about State laws interfering with freedom of commerce between the States.



22 a) Surveillance of public places, by reducing illegal activity, promotes thefreedom of lawful access by the public. It should be encouraged. Surveillance inprivate places would only be appropriate in the investigation of serious crime andrequire authorisation as at present applicable to telephone tapping or police searches

of premises.b) Telemarketing - no commentc) The workplace. Employers are entitled to ascertain that their employees are

fit for the duties allocated to them. It would be inappropriate for a person to beemployed to drive a train or to practice medicine if that person were unable to performthese duties safely, either by reason of an illness or by intoxication with alcohol ordrugs. The employer's responsibility to the public in these circumstances is

preeminent.Employers' decisions on the use of information from medical reports, drug testinggenetic testing should be appropriate to the work undertaken.

d) Medical records. There are 2 parts of medical records, one is a record offacts about the patient's stated history and of physical signs, test results, and treatmentgiven or offered, another part is the doctor's record of his opinions and thoughts. It is

Page 3

reasonable that the first part should be available to the patient without restriction, butthe doctor may claim privacy with regard to his/her thoughts and opinions.

e) Genetics. This complex area is full of future challenges. While genetictesting may provide evidence that one candidate may not have sufficient productivelife to recompense the cost of training for a career, we must avoid a situation whereonly the totally genetically healthy are accepted for any form of employment.This is a case where informed public debate is necessary and ill advised legislationcould do serious harm.

23 This is the function of a privacy committee by public education and byadvising the Minister on new legislation and on amendment of old legislation.

Yours sincerely

...................................................................Dr Alison M HollowayChairman, Queensland State ExecutiveThe Royal Australian College of Medical Administrators

Page 4

ADOPTION PRIVACY PROTECTION GROUP (INC).P.O.Box 470, Stones Corner, 4120. Ph. 3843-2388 Ph/Fax 3397-0967

To:The Research Director,Legal Constitutional and Administrative Review Committee,Parliament House,George Street,Brisbane , Q'ld,4000.

SUBMISSION

We submit:

That the retrospective changes to the Adoption of Children Act of 1964 - 1988, known asthe Adoption of Children Amendment Act, 1990, No. 8. and the subsequent Amendments

to the Amendments , 1991 , have constituted a grave invasion of the privacy of Adopteesand Birth parents and the families of these on the following grounds:

1. that identifying information about either party is now released on application to theDepartment of Families Youth and Community Services, without the knowledge or consent of

the subject.

2. that it is possible for a person unknown to the subject, e.g. a birth relative, to obtain acertified copy of the amended birth entry of the Adoptee without the knowledge or consent ofthe Adoptee. [Adoption of Children Amendment Act, 1990, Section 39c(b)(i).]

3. that, in order to prevent this information being released, the party/ies concerned must entertheir names on a Government Register, known as the "Objection to Contact" and/ or"Objection to Release of Identifying Information" Register. No other citizen is required to dothis in order to prevent the release of confidential information about him/herself, and so thelaw is also discriminatory.

4. that absence of an "Objection", or "Veto" as it is commonly known, should not be taken asconsent for release of identifying information, as many people object to having to go on aGovernment Register in order to preserve the privacy they had hitherto enjoyed.

5. that a fundamental principal of information privacy is:that information obtained for one purpose should not be used for a differentpurpose unless with consent e.g. the range of'non-identifying' information releasedto Adoptees and Birth parents about the other party is such that identification isrelatively easy and has actually resulted in an Adoptee being identified by the Birthmother without the Adoptee's consent.

6. that there are nine groups of people vulnerable to invasion of the privacy of their homes andfamilies who are not able to place a 'veto' . (see enclosure 1)

7. that the legislation, as it stands, contravenes the United Nations International Covenant onEconomic, Social and Cultural Rights.(Article 12) which states:

No-one shall be subject to arbitrary interference with his privacy, family home orcorrespondence nor to attacks upon his honour and reputation . Everyone has the

right to the protection of the law against such interference or attacks.

8. that the Amendments of 1991 have introduced new legislation for Adoptions processedsubsequent to the Amendments. This does not allow for a choice of continued privacy orconfidentiality for either Adoptee, Birth parent or Adoptive Family, as there is disclosure ofthe identity of either party to the other upon request, once the Adoptee has attained the age of18 years.

SIGNED ........., ...... '^d....:..

Rita M. Carroll. (Research Officer) 2. 6. 97.

B THE PEOPLE WHO CANNOT LODGE A VETO

* Adopters unaware of their Adoption.

* Adoptees / Birth parents who are living interstate or overseas and aren 't aware ofchanges to the legislation.

* Relatives of an Adoptee who is deceased.

* Relatives of a Birth mother who is deceased.

* The extended families of Birth mothers and Adoptees.

* Adoptees under the age of 18 years, who have been traced by an ever-increasing list ofso called 'non-identifying ' information released by Family Service and CommunityDepartments.

* Intellectually handicapped or disadvantaged people.

* Putative fathers.

* Adoptive parents -- the legal parents.

* All the above groups of people have been represented in reports of distress orharrassment from unwanted contact since the Adoption records have been opened.

* ADOPTIONS EFFECTED AFTER JUNE 1st. 1991, ( in Queensland) AND AFTERLEGISLATIVF CHANGES IN ALL OTHER STATES, CARRY NO RIGHT OFVETO ON INFORMATION OR ON CONTACT ONCE Till:; ADOPTEE TURNS 18YEAkS OF AGE IDENTIFYING INFORMATION IS AVAILAJ3LF `1'O BOTHADOPTEF, AND BIRTH MOTIiER ON APPLICATION.

"LA 3 i, VETO"

IN CTI f NS [ , R,NI IT IS POSSIBLE TO LODGE AN I ' OBJECTION TO CONTACT EVEN HIDENTIFYING INFORMATION I-IAS BFEN RFI J ASI3F) AND CONTACT HAS Bi I N

MAI )E.

MUTT AL CONSENT REGISTERS WOULD AVOW MOST OF THEDISTRESS CAUSED BY THIS "VETO -BASED " LEGISLATION.

Department ofJustice Submission

TO THE LEGAL , CONSTITUTIONALADMINISTRATIVE REVIEW COMMITTEE


July 1997

[This page is left deliberately blank]


SUMMARY OF RECOMMENDATIONS

The page number appearing after each recommendation is thepage in the body of the Submission where the recommendationappears.

General

Recommendation I (page 2)

That number of valid concerns relating to privacy protection inthe public sector need to be addressed by a combination oflegislative and administrative action.

Recommendation 2 (page 5)

That the right to privacy be protected in Queensland, to the extentit applies to the public sector, by establishing the Office ofPrivacy Commissioner as an independent statutory officer taskedto protect the right to privacy of Queenslanders that may beinfringed by State government departments and agencies.


That the introduction of privacy for the public sector beimplemented in three stages:

Stage 1 The establishment of the Office of PrivacyCommissioner as an independent statutory officertasked to protect the right to privacy ofQueenslanders, that may be infringed by Stategovernment departments and agencies

Stage 2 The development of guidelines or principles andaccompanying exemptions for the protection ofinformation held by State government departmentsand agencies.

The development of these guidelines or principlesto be one of the first tasks of the PrivacyCommissioner and to be carried out in closeconsultation with State government departments

Page (iii)

Recommendations

Department of Justice Submission

and agencies.

The guidelines or principles to be based uponstandards set by the Organization for EconomicCo-operation and Development (Attachment A),but the final product be tailored to suit Queenslandgovernment needs and ultimately be approved byCabinet and issued as a Cabinet AdministrativeInstruction.

All exemptions to be dealt with in Stage 2, forexample, a public interest exemption - that is - forthe Commissioner to make a written determinationthat an act or practice which breaches a principlemay nevertheless be allowed if the public interestin the agency doing that act outweighs the publicinterest in adhering to the principle.

In this sense , the adoption of the guidelines orprinciples would be similar to a pilot scheme inwhich any possible concerns and problems couldbe identified, assessed , and dealt with beforebinding legislative principles are implemented.

Stage 3 The administrative guidelines or principles may, atsome future date, have a legislative underpinning.It should be noted that both NSW and SA, the onlytwo States with privacy guidelines, have been inStage 2 for 22 and 9 years respectively. NSW waspreparing legislation, but it appears unlikely toproceed at this time.


That aPrivacy Commissioner Bill be enacted to implement Stage1 and facilitate Stage 2 in accordance with the draftinginstructions attached to this Submission as Attachment B.


That a statutory tort of privacy not be considered at this time.


As discussed under Recommendation 3 this Submission proposesa staged approach to the protection of privacy to the extent it

Page (iv)

Recommendations


applies to the public sector. Although the Submission proposesthat the guidelines be developed by the Privacy Commissioner inStage 2, for the purposes of informed discussion and debate, twooptions are canvassed herein for the content of the guidingprinciples.

Both options involve adoption of the principles by way of CabinetAdministrative Instruction. However, they vary in the degree ofcommitment and obligation to comply.

Recommendations 6 to 9 are not intended, in any way, to detractfrom our preferred position set out in Recommendation 3 that thedevelopment of guidelines or principles be one of the first tasksof the Privacy Commissioner in Stage 2.


That Option 1 is the preferred option for the basis of the CabinetAdministrative Instruction as between:

Option 1 The OECD Guidelines as modified and set out inthe Cabinet Administrative Instruction atAttachment C; or

Option 2 The IPPs as modified and set out in the CabinetAdministrative Instruction at Attachment F.


That if Option 1 inRecommendation six is adopted, the OECDGuidelines be modified in two ways:

the term "personal data" be replaced with "personal affairsinformation" to maintain consistency with the Freedom ofInformation Act.

"Personal data" has a much broader application, coveringbasically all information about an individual including non-private work related information.

• Principle No. 7, the Purpose Specification Principle, bealtered by adding the words "or are directly related to thepurpose for which the information was obtained."

OECD Principle No 7, the Purpose Specification Principle,provides that information is to be used for the purpose for

Page (v)Recommendations


which it was originally intended. The Commonwealthprinciples extend the concept to include not only the originalpurposes but also "related purposes".

These two modifications are reflected in the Draft CabinetInstruction giving effect to the OECD Guidelines set out atAttachment C.


That if Option 2 inRecommendation six is adopted , the IPPs bemodified in the following ways:

• the principles commence a minimum of 6 months after theInstruction is issued to allow for the development of the morespecific guidelines, provide a lead in time for Departmentsand allow time to consider the more crucial exceptions fromthe Principles.

• the term "personal information" be replaced with "personalaffairs information" to maintain consistency with the Freedomof Information Act.

• The South Australian version of IPP I be adopted.

It simply provides that "Personal information should not becollected by unlawful or unfair means, nor should it becollected unnecessarily". This tempered version would allayany concerns about the extent to which IPP 1 covers routineinformation that is passively received by agencies.

• The South Australian version of IPP2 be adopted.

This alleviates the concern about the degree of specificityrequired to discharge the obligation to inform individual'sabout the bodies or persons to whom the information isfurther disclosed. It requires that the individual be notifiedabout such subsequent disclosure "in general terms."

The South Australian version of IPPs 6 and 7 be adoptedwhere there is a direct link between accessing records ofpersonal information and access entitlements under theFreedom of Information Act.

These modifications are reflected in the Draft CabinetInstruction giving effect to the IPPs set out at Attachment F.

Page (vi)Recommendations



That Option 1 is the preferred option as to who should grantexceptions from the Principles/Guidelines as between:

Option 1 The Privacy CommissionerOption 2 The CEO of each DepartmentOption 3 The Office of the Public ServiceOption 4 An IDC


That the modified OECD guidelines or IPPs should be in the formof guidelines. The administrative guidelines or principles may,at some future date, have a legislative underpinning.


That the question of individuals paying a reasonable fee toexercise their right to privacy should be addressed by the PrivacyCommissioner during Stage 2.


That any costs, for departments and agencies, associated withprivacy implementation in Stage 2 will be minimal and should bemet from within existing budgets. This would mean that the costassociated with implementation of the modified guidelines orIP.Ps outweigh the public benefit flowing from theirimplementation.



That the Privacy Commissioner be an independent statutoryofficer appointed by the Governor in Council in an arrangementsimilar to that for the Anti-discrimination Commission inQueensland.


That the responsibilities of the Privacy Commissioner not becombined with those of the Information Commissioner or any

Page (vii)

RecommendationsDepartment of Justice Submission

other office. However, the Office of the Privacy Commissionercould be combined with that of the Information Commissioner orany other office, for purpose of administrative and otherconvenience.


That the Privacy Commissioner have the following functions:

• to ensure the protection of information privacy. One of theCommissioners's first tasks would be the development ofguidelines (including exemptions) for the protection ofinformation held by State government departments andagencies. The guidelines, including the exemptions, would beapproved by Cabinet and issued as a Cabinet AdministrativeInstruction

to receive and investigate complaints and make reports onnon-compliance with the privacy protection scheme, in asimilar fashion to the Ombudsman.

education including informing State government departmentsand agencies of their responsibilities for privacy protection.

publishing guidelines - Once the privacy guidelines are issuedas formal principles by a Cabinet Administrative Instruction,one of the Commissioner's functions would be to prepare andpublish other guidelines or recommendations to assistdepartments and agencies to avoid acts or practices that mayinterfere with the privacy of individuals or which mightotherwise have an adverse effect on the privacy of theindividuals.

• inquire generally into any matter covered by the PrivacyCommissioner Act 199...

• general power of reporting - At the request of the responsibleMinister, the Commissioner would be able to report to theresponsible Minister from time to time on the need for ordesirability of taking action to improve the privacy of theindividual that may be infringed by State governmentdepartments and agencies.

• conducting audits - When requested to do so by a departmentor agency, the Commissioner would be able to conduct auditsof records of personal information maintained by state

Page (viii)Recommendations


government departments and agencies for the purposes ofascertaining whether the records are maintained according tothe information privacy guidelines, once issued.


That the Privacy Commissioner's functions relate only to Stategovernment departments and agencies.


That the Privacy Commissioner have all the powers, rights andprivileges that are specified in the Commissions of Inquiry Act1950.


That thePrivacy Commissioner Bill 199.. contain three offences:

• without lawful excuse to hinder or obstruct the Commissionerin an investigation

• without lawful excuse to refuse to comply with a lawfulrequirement of the Commissioner

• to make false or misleading statements

Proceedings for offences may be disposed of summarily by amagistrate sitting alone. The maximum penalty is 10 penaltyunits.


That the costs associated with an Office of the PrivacyCommissioner do not outweigh the public benefit flowing fromthe establishment of such an office.


That, at this time, privacy regulation should only apply to thepublic sector and not to the private sector. However, thatQueensland be supportive of the role that the CommonwealthOffice of the Privacy Commissioner is playing in assistingbusiness in the development of voluntary codes of conduct and inthe meeting of privacy standards, if necessary, on an internationallevel.

Page (ix)Recommendations



That privacy regulation only apply to government ownedcorporations to the same extent it applies to the private sector. Asthis submission recommends that the private sector not becovered, it also recommend that GOCs not be covered by anyprivacy regulation at this time.


That out sourcing is a matter that is best dealt with by the PrivacyCommissioner in the development of the guidelines andexemptions in Stage 2.


That an administrative privacy scheme which contains a modifiedversion of either the OECD guidelines or the IPPs, refer to'personal affairs information'.

Therefore, access and alteration of documents will be dealt withunder the Freedom of InformationAct and gathering, use, storageand disclosure of personal affairs information will be dealt withunder the administrative privacy scheme.

This is consistent with Recommendations 7 and 8. These twomodifications are reflected in the Draft Cabinet Instructionsgiving effect to the OECD Guidelines and the IPPS set out atAttachments C and F respectively.


That the Committee note:

the progress the Commonwealth Government is making inseeking clarification in relation to the 1995 EuropeanDirective from the European Commission;

the development of an ISO standard that could assuageforeign concerns about Australia's lack of privacy legislation;

that codes of practice, which could be embodied in an ISO orStandards Australia standard, may be deemed sufficient tomeet European Directive guidelines.

Page (s)Recommendations



That the Committee note that a national approach to theregulation of smart cards is being developed and that specifically:

the SCOCA Working Party is developing a strategy tomonitor the introduction of smart card fees and charges andother issues of concern to the community.

the Consumer Education Advisory Committee (CEAC, whichis a Committee of SCOCA) is developing a national smartcard education strategy; and


That an audit be undertaken to establish the use or intended useof smart cards and other means of electronic commerce in thepublic sector (with a particular focus on health and transport) andportfolio specific codes of conduct and best practice guidelines bedeveloped consistent with the national approach.


That, in keeping with recommendation 20 that privacy regulationshould not apply to the private sector at this time, the regulationof smart cards and other means of electronic commerce in theprivate sector should be by way of national industry specificcodes of conduct and best practice guidelines.


That regulation of telemarketing and direct marketing in theprivate sector should be by way of the development andimplementation of the national Draft Distance Selling Code ofPractice on a voluntary basis which is currently being prepared bythe Standing Committee of Consumer Affairs Officials WorkingGroup.

Page (xi)Recommendations



ATTACHMENTS

Attachment A OECD Guidelines

Attachment B Drafting Instructions for a PrivacyCommissioner Bill 199..

Attachment C Draft Cabinet Instruction giving effect tothe OECD Guidelines

Attachment D Cwlth Information Privacy Principles

Attachment E Examples of, and notes about, theoperation of the IPPs

Attachment F Draft Cabinet Instruction giving effect tothe IPPs

Attachment G Costings for the establishment and runningof the Office of Privacy Commissioner

BACKGROUND

Privacy is important to Australians

The extent to which privacy is seen as an important issue byAustralians can be gauged, in part, by a recent surveyconducted by the then Commonwealth PrivacyCommissioner, Mr Kevin O'Connor. That survey, CommunityAttitudes to Privacy, showed that privacy ranked above theeconomy and the environment as a social concern - onlyeducation ranked higher.

ISSUES WITH RESPECT TO PRIVACY PROTECTIONRAISED BY THE COMMITTEE IN ITS ISSUE PAPER

This paper addresses a number of issues raised by theCommittee in its Issue Paper. For ease of reference by theCommittee, they are dealt with in the order set out by theCommittee.

Page 1


General

1. Are there valid concerns relating to privacyprotection which need to be addressed bylegislative and/or administrative action?If so , what particular concerns are most pressing?

Recommendation I

That number of valid concerns relating to privacy protectionin the public sector need to be addressed by a combinationof legislative and administrative action.

Discussion

There are a number of valid concerns relating to privacyprotection in the public sector that need to be addressed by acombination of legislative and administrative action.

Besides the continued call from the civil liberties groups,there is a real and immediate need for privacy protection insome form. Information that governments can create aboutindividuals is ever expanding, particularly in a technocraticsociety. There is so much information exchange that it isextremely difficult to keep abreast of the flow.

Whenever there is a complex web of information beingexchanged, there is always the risk that exchanges can occurinadvertently in defeat of another initiative. For example, allTransport Department vehicle registration informationrecently was marketed through CITEC. Previously, thatinformation was not generally available. The ease with whichit can now be accessed might jeopardise the effectiveness ofthe domestic violence orders which can involve an order thatthe whereabouts of the victim be suppressed. This is but oneexample of the need to conduct a complete audit of allinformation exchanges throughout the public sector andanalyse the legitimacy of that exchange.

Besides the added benefit of ensuring that informationexchanges are not incompatible with initiatives elsewherepursuant to other government policy objectives, protection ofprivacy is also important as a fundamental individual right.The Commonwealth Privacy Commissioner has been veryeffective in ensuring the protection of this right. As recentlyas 1992, some 4 years after the federal act was introduced and

Page 2Department of Justice Submission

agencies were presumably familiar with the legislation, theCommissioner exposed a gross breach of privacy by theDepartment of Social Security. At a peaceful protest outsideParliament House in Canberra, the Australian Federal Policesought and obtained the addresses of protesters from DSSrecords, on the assumption that most of the protesters wouldbe "registered" DSS clients. After the exposure by thePrivacy Commissioner, both DSS and the Police were red-faced, issued apologies and undertook not to engage in suchunderhanded techniques under the pretext of law enforcement.

There are many reasons why the protection of privacy ofindividuals is essential in a democratic society:

• It reduces the intrusion of big government into ourprivate lives

Many issues, particularly the growth of informationtechnologies, have focussed attention on the storage anduse of large amounts of personal information whichhave the capacity to significantly impair an individual'sright to privacy.

• It reduces the rapid exchange of information amonggovernment departments

The Queensland system of justice acknowledges that aperson's affairs should remain private unless there is acompelling reason. Personal information obtained bythe Crown (often under legislation which requires thatinformation) should not automatically be available toothers.

• It creates uniformity in the storage , use anddissemination of information

A scheme which protects information privacy wouldintroduce a uniform policy approach to the storage, useand dissemination of personal information inQueensland. The absence of such a uniformity in NewSouth Wales was considered to be a contributing factorin the extensive unlawful trade in governmentinformation, by the Independent Commission AgainstCorruption (ICAC) in its Report on UnauthorisedRelease of Confidential Government Information inAugust 1992.


It increases the quality and reliability of storedinformation

Experience in other jurisdictions suggests thatinformation privacy protection tends to increase thequality and reliability of stored information. It requiresinformation to be scrutinised at various stages of theadministrative process. In this way, information privacyprotection reflects the requirements of best practice forpublic administration. Improved quality and reliabilityof stored information also has consequences for thequality of decisions based upon that stored information.

It is consistent with the Freedom of Information Act1992

Part 4 of the Freedom of Information Act 1992 allowsan individual to apply to amend information that isinaccurate. The protection of privacy will impose aduty upon a decision maker who uses information totake reasonable steps to ensure the information isrelevant and accurate.

® It gives effect to Australia 's international obligations

The protection of information privacy gives effect toAustralia's international obligations:

► under the International Covenant on Civil andPolitical Rights (ICCPR), which recognises ageneral right to privacy; and

► under the OECD Guidelines Governing theProtection of Privacy and Transborder Flows ofPersonal Data.

► Complaints may be made to the United NationsHuman Rights Committee under the first optionalprotocol of the ICCPR. It is possible that such acomplaint could arise in Queensland in relation toprivacy.

2. Is the current law in Queensland adequatewith respect to privacy protection?

3. If the current law in Queensland is notadequate , how should the right to privacy

Page 4


be protected in Queensland ? For example,should Queensland introduce one or a combinationof the following means of regulation:

• information privacy principles (IPPs)• a statutory tort of privacy• a privacy committee/ privacy commissioner• or some other means to protect privacy?

Recommendation 2

That the right to privacy be protected in Queensland, to theextent it applies to the public sector, by establishing theOffice of Privacy Commissioner as an independent statutoryofficer tasked to protect the right to privacy ofQueenslanders that may be infringed by State governmentdepartments and agencies.

Recommendation 3

That the introduction of privacy for the public sector beimplemented in three stages.

Stage 1 The establishment of the Office of PrivacyCommissioner as an independent statutoryofficer tasked to protect the right to privacy ofQueenslanders, that may be infringed by Stategovernment departments and agencies

Stage 2 The development of guidelines or principles andaccompanying exemptions for the protection ofinformation held by State governmentdepartments and agencies.

The development of these guidelines or principlesto be one of the first tasks of the PrivacyCommissioner and to be carried out in closeconsultation with State government departmentsand agencies.

The guidelines or principles to be based uponstandards set by the Organization for EconomicCo-operation and Development (Attachment A),but the final product be tailored to suitQueensland government needs and ultimately beapproved by Cabinet and issued as a Cabinet

Page 5


Administrative Instruction.

All exemptions to be dealt with in Stage 2, forexample, a public interest exemption - that is -for the Commissioner to make a writtendetermination that an act or practice whichbreaches a principle may nevertheless be allowedif the public interest in the agency doing that actoutweighs the public interest in adhering to theprinciple.

In this sense, the adoption of the guidelines orprinciples would be similar to a pilot scheme inwhich any possible concerns and problems couldbe identified, assessed, and dealt with beforebinding legislative principles are implemented

Stage 3 The administrative guidelines or principles may,

at some future date, have a legislative

underpinning. It should be noted that both

NSW and SA, the only two States with privacy

guidelines, have been in Stage 2 for 22 and 9years respectively. NSW was preparinglegislation, but it appears unlikely to proceed atthis time.

Recommendation 4

That a Privacy Commissioner Bill be enacted to implementStage I and facilitate Stage 2 in accordance with thedrafting instructions attached to this Submission asAttachment B.

Recommendation 5

That a statutory tort of privacy not be considered at thistime.

Discussion

Further discussion on the protection of privacy in the publicsector, the Office of the Privacy Commissioner and theprivacy guidelines or principles occurs later in thisSubmission under the specific issues raised by the Committee.Similarly, issues related to the private sector are alsoaddressed later.


A statutory tort of privacy

A statutory tort is legislation which creates a private right fora person to recover damages for certain conduct of another.An example of a statutory tort is s. 52A of the Trade PracticesAct 1974 which makes misleading and deceptive conduct, inthe course of trade, unlawful. Every person who suffers lossas a result of misleading or deceptive conduct is entitle to sueto recover that loss.

A statutory tort of privacy was first mooted in Australia in theearly 1970's. Bills were tabled in Parliaments in SouthAustralia, Tasmania and Western Australia. These Billslapsed.

In 1972, the Younger Committee Report was tabled in theUnited Kingdom Parliament. This report was acomprehensive study of the law of privacy at that time. TheCommittee took the view that:

"it would be unwise to extend this kind of uncertainty [aboutprivacy/ into a new branch of the law, unless there werecompelling evidence of a substantial wrong, which must berighted even at some risk to other important values."

In response to public concern, the Standing Committee ofAttorneys-General considered the issue of privacy protection.The New South Wales Minister for Justice commissioned areport which was tabled in the NSW Legislative Assembly inFebruary 1973. This report proposed the interim response ofestablishing a committee with investigative powers to makerecommendations about the protection of privacy. New SouthWales was the only jurisdiction to implement therecommendations of this report with the Privacy CommitteeAct 1974 (NSW). The report did not recommend the creationof a tort of privacy and stated:

"[There is] greater merit in the establishment of a right ofprivacy, actual or threatened infringement of which would beremedied by proceedings for declaration of the plaintiff'srights and, at the court's discretion, an injunction to restrainfuture infringements."

The issue of a statutory tort arose in South Australia in 1990when a private members Bill which created a tort of privacywas presented to the House of Assembly. The Bill was

Page 7


considered by a Select Committee of the House of Assemblywhich commended the Bill but expanded the exceptionsprovided in the Bill. Ultimately, the Bill lapsed.

In South Australia, the media was particularly critical of anyattempt to circumscribe its operations. It is anticipated thatthe same would occur in Queensland. Some practices of themedia would be contrary to a right of privacy. For example,`walk ins', where a reporters enters private premises toconduct unannounced interviews, may violate a right toprivacy.

Two provinces in Canada have enacted legislation whichoperates to create a tort of invasion of privacy . The relevantlegislation is the Privacy Act 1968 (BC) and the Privacy Act1970 (Man), which are identical in operation.

The Privacy Act 1968 (BC) has been considered by theSupreme Court of British Columbia on a number ofoccasions:

• In Lee v Jacobson, the Act was the basis of anaction against a `peeping tom' in which the twoplaintiffs recovered $4500 and $27500respectively, including punitive damages. Thecourt noted that there was no basis at common lawfor civil action against a `peeping tom'.

• In Davis v McArthur the Supreme Courtconsidered the use of a tracking device on the carof a husband by a private investigator employed bya wife. The Court held the action of theinvestigator infringed the privacy of the husband.On appeal, the Court of Appeal of BritishColumbia held that the wife had a legitimateinterest in the actions of her husband and thereforethe investigator, as her agent, did not violate theprivacy of the husband.

• In Silber v British Columbia Broadcasting SystemLtd the Supreme Court held that the televisionbroadcast of a person involved in a scuffle arisingfrom industrial action was not a violation of theright of privacy considering that it took place incircumstances where it could hardly be expectedthat events would be private (in a car park).


A tort of privacy would operate in respect of all four aspectsof the right of privacy - that is - territorial privacy, personalprivacy, information privacy and communications privacy.

Government would be entitled to adopt a risk managementapproach to a statutory tort of privacy, as it does to other legalduties such as negligence. Privacy issues would only arise inresponse to initiated legal proceedings.

There is some uncertainty associated with the creation of astatutory tort of privacy. The scope of exceptions andqualifications to the right that is created are the fundamentalissues for resolution in respect of the creation of such a tort.

One would expect a statutory tort to apply to both the publicand private sector. Any statutory tort which did not would besusceptible to criticism that it lack credibility andeffectiveness.



As discussed under Recommendation 3 this Submissionproposes a staged approach to the protection of privacy to theextent it applies to the public sector. Although theSubmission proposes that the guidelines be developed by thePrivacy Commissioner in Stage 2, for the purposes ofinformed discussion and debate, two options are canvassedherein for the content of the guiding principles.

Both options involve adoption of the principles by way ofCabinet Administrative Instruction. However, they vary inthe degree of commitment and obligation to comply.

Recommendations 6 to 9 are not intended, in any way, todetract from our preferred position set out inRecommendation 3 that the development of guidelines orprinciples be one of the first tasks of the PrivacyCommissioner in Stage 2.

Recommendation 6

That Option 1 is the preferred option for the basis of theCabinet Administrative Instruction as between:

Option 1 The OECD Guidelines as modified and set out in


the Cabinet Administrative Instruction atAttachment C; or

Option 2 The IPPs as modified and set out in the CabinetAdministrative Instruction at Attachment F.

Recommendation 7

That if Option 1 in Recommendation 6 is adopted, theOECD Guidelines be modified in two ways:

the term "personal data" be replaced with"personal affairs information" to maintainconsistency with the Freedom of InformationAct.

"Personal data" has a much broader application,

covering basically all information about anindividual including non private work relatedinformation.

Principle No. 7, the Purpose SpecificationPrinciple, be altered by adding the words "or aredirectly related to the purpose for which theinformation was obtained "

OECD Principle No 7, the Purpose SpecificationPrinciple; provides that information is to be usedfor the purpose for which it was originallyintended The Commonwealth principles extendthe concept to include not only the originalpurposes but also "related purposes':

These two modifications are reflected in the Draft CabinetInstruction giving effect to the OECD Guidelines set out atAttachment C

Recommendation 8

That if Option 2 in Recommendation 6 s adopted, the IPPsbe modified in the following ways:

the principles commence a minimum of 6 monthsafter the Instruction is issued to allow for thedevelopment of the more specific guidelines,provide a lead in time for Departments and allow


time to consider the more crucial exceptions frontthe Principles.

® the term 'personal information "be replaced with"personal affairs information " to maintainconsistency with the Freedom of InformationAct

The South Australian version of IPP1 beadopted

It simply provides that "Personal informationshould not be collected by unlawful or unfairmeans, nor should it be collected unnecessarily '%This tempered version would allay any concernsabout the extent to which IPP1 covers routineinformation that is passively received byagencies.

The South Australian version of IPP2 beadopted

This alleviates the concern about the degree ofspecificity required to discharge the obligation toinform individual 's about the bodies orpersons towhom the information is further disclosed Itrequires that the individual be notified aboutsuch subsequent disclosure "in general terms. "

The South Australian version of IPPs 6 and 7 beadopted where there is a direct link betweenaccessing records ofpersonal information andaccess entitlements under the Freedom ofInformation Act.

These modifications are reflected in the Draft CabinetInstruction giving effect to the IPPs set out at Attachment F.

Discussion

As discussed earlier under Issue No. 3, this Submissionproposes a staged approach to the protection of privacy to theextent it applies to the public sector. Stage 1 is theestablishment of the Office of the Privacy Commissionerthrough the enactment of a Privacy Commissioner Bill.

Once that office is established Stage 2 will commence. The


Privacy Commissioner's first task in Stage 2 would be thedevelopment of guidelines or principles and accompanyingexemptions for the protection of information held by Stategovernment departments and agencies. This would becarried out in close consultation with State governmentdepartments and agencies.

It is proposed that the guidelines or principles will be basedupon standards set by the Organization for Economic Co-operation and Development (Attachment A), but the finalproduct will be tailored to suit Queensland government needsand ultimately be approved by Cabinet and issued as aCabinet Administrative Instruction.

Although the guidelines are to be developed by the PrivacyCommissioner in Stage 2, for the purposes of informeddiscussion and debate, two options are canvassed for thecontent of the guiding principles. Both options involveadoption of the principles by way of Cabinet AdministrativeInstruction. However, they vary in the degree of commitmentand obligation to comply.

Option 1 adopts a modified version of the OECD Guidelines

Option 2 is the adoption of the far more specific andmandatory Information Privacy Principles (IPPs) as containedin the Commonwealth Privacy Act. Option 2 would place ahigher obligation on public sector agencies.

Option 1 : Adopt a slightly modified version of the OECDPrivacy Guidelines

Option 1 is the voluntary adoption of the OECD PrivacyGuidelines to operate as an overarching statement of principleendorsed by Cabinet.There is clearly a marked difference between the IPPs and theGuidelines. The OECD Guidelines form the basis of the morespecific Commonwealth IPPs. Although not totally unrelated,the Guidelines, being developed by an international body, arecouched in the more general and less obligatory languagecustomary in international instruments.

As well, the guidelines also have the usual internationalqualifications - for example, that the guideline is to beadopted `where appropriate' and `as far as is reasonablypossible in the circumstances'. In international law, suchterminology is accepted as giving the signatory latitude to


both interpret and apply the principle in a way that best meetsthe domestic situation.

A full copy of the OECD Guidelines is at Attachment A. Insummary -

Principles 7 -9 deal with the collection and quality of data,requiring that information should be collected only by fairmeans, the data should be relevant to the purpose of itsintended use or some other purpose that is not incompatiblewith the original purpose and, where possible, should only becollected with the knowledge of the data subject.

Principle 10 places limits on the disclosure of the datacollected - it should not be disclosed otherwise than for thepurpose for which it was collected unless the subject hasconsented or by operation of the law.

Principle 11 requires reasonable security safeguards tominimise loss, unauthorised access, destruction and similarrisks.

Principle 12 asserts a general policy of openness aboutpolicies with respect to personal data and suggests thatmechanisms should be in place so that individuals can learnof the existence and nature of personal data, the purpose of itsuse and where it is kept.

Principle 13 acknowledges the right of individuals to accessdata about themselves, to be given reasons if access is deniedand ultimately to challenge or correct inaccurate data.

Principle 14 suggests that data collection agencies should beaccountable.

Some may argue that adopting the OECD Guidelines maycreate potential for inconsistent application of the guidelinesacross the public sector, particularly as agencies would beresponsible for assessing the guidelines and determiningstandards within diverse legislative and policy frameworks.Some of this concern can be dissipated by:

including a reporting mechanism from the PrivacyCommissioner to the relevant Minister aboutinitiatives taken to implement the Guidelines.This is included in the drafting instructions.


As well, if the Office of the Privacy Commissionerdevelops uniform Implementation Guidelines, (inthe same way that the Commonwealth PrivacyCommissioner issued implementation guidelineson the IPPs), the possibility of inconsistent orvaried application throughout the public sectorwill be significantly reduced.

This, it might be argued, accords with how privacyhas been addressed at both the international andfederal level which commenced initially withbroad statements of principle (OECD Guidelines)from which the more specific IPPs were refined.

Adoption of the OECD Guidelines will lend itself to a cheaperimplementation process. This is discussed in detail later inthe Submission under Issue 15 on costs. As well, it might beargued that this Option probably best reflects the fact that,Stage 3, a legislative underpinning, may occur at some futuredate.

It is suggested that the OECD Guidelines be modified in twoways:

• Firstly, it is noted that the Guidelines use the term"personal data". The common terminology withwhich most agencies are familiar throughexperience with the Freedom of Information Act is" personal affairs information".

It seems that "Personal information/data" has amuch broader application, covering basically allinformation about an individual including non-private work related information.

It is recommended that the Guidelines be altered torefer to "personal affairs" information to maintainconsistency with the FOI legislation. It is worthnoting that, when the Commonwealth introducedthe Privacy Act, which refers to "personalinformation", the subsequent amending of the FOIregime to equally cover this broader category ofinformation caused chaos initially among decisionmakers.

® Secondly, of particular concern is OECD PrincipleNo 7, the Purpose Specification Principle, which

Page 14


provides that information is to be used for thepurpose for which it was originally intended. TheCommonwealth principles extend the concept toinclude not only the original purposes but also"related purposes". It is proposed that thePrinciple No. 7 be altered by adding the words "orare directly related to the purpose for which theinformation was obtained"

A Draft Cabinet Instruction giving effect to the OECDGuidelines , with the two minor modifications discussedabove, is at Attachment C.

Option 2: Adopt a modified version of theCommonwealth Information Privacy Principles (the IPPs)

The IPPs are far more specific and mandatory in tone. A copyis attached as Attachment D and examples of, and notesabout, the operation of the IPPs are set out in Attachment E.They are derived from the OECD Guidelines. From the IPPs,the Commonwealth Privacy Commissioner has issuedguidelines which more specifically flesh out the practicalitiesof implementation.

As the IPPs impose responsibilities, should Option 2 bepreferred it is suggested that they be commenced some 6months after the Instruction is issued to allow for thedevelopment of the more specific guidelines, provide a leadin time for Departments and allow time to consider the morecrucial exceptions from the Principles.

Following is a discussion of each Principle withrecommendations for variations in some cases.

The Principles refer to "personal information". As notedunder Option 1 , it is preferable to maintain consistentterminology with the Freedom of Information Act. For thesame reasons as under Option 1, it is therefore recommendedthat "personal information " be replaced with "personal affairsinformation".

IPP I provides that personal information shall not be collectedunless the information is collected for a purpose that isdirectly related to a function or activity of the collector andthe collection is necessary for or directly related to thatpurpose. Nor shall information be collected by unlawful orunfair means. Some concern has been expressed about the


stringency of this requirement being related to the function ofthe agency.

Most Departments receive numerous Ministerials frommembers of the public who misunderstand the functions of theDepartment to which they are writing. As a matter of course,the Department may on forward the correspondence but keepa record as evidence that the individual has been sent a reply.There is an implicit responsibility of all agencies that recordsbe kept of correspondence sent and the Archives Act prohibitsthe destruction of documents without approval. On manyoccasions, this information does not relate directly to thefunctions of the agency. Yet it would impede efficient publicadministration were those records required to be destroyed.

The Commonwealth Privacy Commissioner's Office hasadvised that the concept of `collect' does indeed cover thissituation - it does not necessarily require some positive actionon the agency but will also extend to information that isvoluntarily given. However, in the situation outlined, theCommissioner's office is of the view that it is within theagency's function to make a decision as to whether a matter iswithin its responsibilities in the same way that a Court canmake the threshold decision as to its own jurisdiction. Thismay seem an artificial distinction. Nevertheless, therequirement that the information be directly related to theagency's functions sets a relatively high standard.

The South Australian Administrative Instruction hassignificantly toned down IPPI. It simply provides that"Personal information should not be collected by unlawful orunfair means, nor should it be collected unnecessarily". Thistempered version would allay any concerns about the extentto which IPP 1 covers routine information that is passivelyreceived by agencies.

It is therefore recommended that the South Australian versionof IPP 1 be adopted.

IPP 2 deals with information that is actually solicited from anindividual. In such cases a higher obligation is imposed onthe agency, requiring that it inform the individual at the timeof collection, or as soon as possible thereafter, of

the purpose for which it is collected;if it is collected pursuant to an authorisation orrequirement under law; and


® any usual practice to disclose the information toany other person, body or agency.

IPP2 covers information that is consciously solicited by theagency. There is some concern about the degree of specificityrequired to discharge the obligation to inform individual'sabout the bodies or persons to whom the information isfurther disclosed. For this reason, the equivalent SouthAustralian instruction requires that the individual be notifiedabout such subsequent disclosure 'in general terms'. TheSouth Australian example is recommended.

IPP 3 also deals with information that is solicited but, whereasIPP2 is confined to information solicited from an individual,IPP3 covers the more general situation of information that issolicited from other organisations or agencies. It requires acollector to take reasonable steps to ensure that collectedinformation is relevant to the purpose for which it is collected,is up to date and does not intrude unreasonably upon thepersonal affairs of the individual concerned.

The concept of 'personal affairs' is a term that Queenslandagencies are reasonably familiar with through the Freedom ofItformation Act 1992 (Qld). No changes to this Principle areproposed.

IPP 4 deals with the storage and security of personalinformation. It requires a record-keeper to ensure that itsrecords are protected by reasonable security safeguards toprevent loss, unauthorised access, use, modification ordisclosure.

Further, IPP4 deals with the common situation of 'outsourcing' to external consultants or community organisationsby requiring an agency to do everything reasonably within itspower to prevent unauthorised use or disclosure.

This would entail, for example, standard confidentialityclauses in contracts or reviewing information storage systemsand similar types of remedial action. 'Out sourcing' seems tohave been omitted from the South Australian Instruction.

IPP 5 requires agencies to take all reasonable steps topublicise the type of personal information they possess orcontrol, the main purpose of its use, and the steps required toaccess the information. In fulfilling this obligation, therecord-keeper must develop quite an extensive register

Page 17


detailing all categories of personal information held as well asindicating the usual period of time that each record is kept andthe classes of individuals about whom records are kept.

At first sight, IPP5 seems similar to the already existingobligation under the Freedom of It formation Act requiring anagency to publish a Statement of Affairs. However, the FOIobligation targets more generally the demarcation of portfolioresponsibilities - of the Corporate mandate of the Department.It does not require a detailed account of the type of personalinformation ordinarily kept by an agency. Nevertheless, thereis nothing to prevent Cabinet from directing that theStatement of Affairs document be further expanded toaccommodate IPP5. Much of the information in theStatement of Affairs will be equally necessary for IPP5.Rather than imposing a requirement on agencies to producetwo separate documents, it seems sensible to merge the IPP5requirements within the agency's Statement of Affairs.

This seems in accord with the intention of paragraph 2 ofIPP5 which expressly says that the Principle is not intendedto give information if an agency is required or authorised torefuse to give that information under any other law.

IPP 6 and 7 deal with access to documents and the right toseek corrections if the information is inaccurate or untrue. In1992, South Australia amended its Administrative Instructionto directly link the equivalent of IPP 6 and 7 to the accessentitlements under the Freedom of Information Act. It isproposed to cross reference to the Queensland FOI Act.Otherwise , there is the inefficiency of unnecessarilyduplicating an administrative procedure.

It is understood that, since FOI was introduced, someQueensland Departments have introduced administrativesystems streamlining access to reduce the number of formalFOI applications (for example , the Health Department'spatient registry and the Worker 's Compensation register). Thealtered IPP should not be worded in a way that willunwittingly confine access applications to formal processesunder the FOI Act. The link to the FOI Act should simply bewhether there is an entitlement under that Act to access - itwill not imply that access can be given only pursuant to aformal application under that Act.

In this regard , it is recommended to follow the SouthAustralian precedent and cross reference to the FOI Act.


IPP 8 and 9 cumulatively require a record-keeper to takereasonable steps to ensure personal information is accurate,up to date and complete and is only used for the purpose forwhich it is collected.

Principle 8 imposes an onerous responsibility on agencies tomake some effort to ensure that the information upon whichit relies in any particular case is accurate . There is no readingdown or alteration of this principle that can occur without itbecoming vacuous. Either it is adopted or not - there cannotreasonably be a midway compromise.

IPP 10 and 11 are perhaps the most controversial andsignificant of the principles , placing stringent limits on thecircumstances in which personal information can be disclosedand thus shared among agencies. It is IPP 10 and 11 whichhas attracted the most criticism by agencies at theCommonwealth level.

These principles significantly restrict the free exchange ofinformation between agencies and will have the most impact.The principles provide that personal information that wasobtained for a particular purpose shall not be used for anyother purpose (principle 10) or disclosed to any other personor agency (principle 11) unless:

the purpose of the further use is directly related tothe purpose for which the information wascollected;

the individual consents to that further use ordisclosure or is reasonably likely to have beenmade aware of that further disclosure underPrinciple 2;

® the record-keeper believes on reasonable groundsthat the further use or disclosure of the informationis necessary to prevent a serious and imminentthreat to the life or health of the individualconcerned or another person;

the further use or disclosure was required orauthorised by or under the law; or

the further use or disclosure is reasonablynecessary for the enforcement of the criminal lawor a law imposing a pecuniary penalty or the

Page 19


protection of the public revenue.

When the further use or disclosure is for the purposes of theenforcement of the criminal law or revenue protection, therecord-keeper must keep a note of that further use ordisclosure. The Commonwealth Privacy Commissioner hastaken the view that the law enforcement exemption willjustify policing in the 'conventional sense '- where there is atransfer of information when there is prior suspicion of theindividual concerned or where the individual is specificallyrelated to the investigation of a particular offence. However,the Commissioner views IPP 10 and 11 as inconsistent withpro-active law enforcement techniques like data-matching,data-profiling and routine monitoring of large sections of thecommunity.

In summary, it is largely IPP 10 and 11 which will generatethe most controversy for the agencies involved in lawenforcement. It is equally IPP 10 and 11 which are seen asthe cornerstone for privacy protection by the peak interestgroups. To introduce the Privacy Principles with theexception of IPP 10 and 11 would attract strong criticism.

The advantage of Option 2 is that, being more onerous, it willdemonstrate a clear commitment of government to theprotection of information privacy. The disadvantage is thatit will probably cost more to implement and will place agreater burden on existing resources.

Who should grant exemptions?

Recommendation 9

That Option I is the preferred option as to who should grantexceptions front the Principles/Guidelines as between:

Option 1 The Privacy CommissionerOption 2 The CEO of each DepartmentOption 3 The Office of the Public ServiceOption 4 An IDC

Discussion

Four options are presented as to what organisation should beresponsible for granting exceptions from thePrinciples/Guidelines:

Page 20


the Privacy Commissionerthe Chief Executive of each agency

® the Office of the Public Service® an interdepartmental committee consisting of the

chief executives of peak agencies.

It is unrealistic to assume that Information Privacy protectioncan be introduced without providing an avenue for agenciesto apply for an exception from the application of thePrinciples or Guidelines. Even the relatively stringent regimeof the Commonwealth allows the Commissioner to make awritten determination that an act or practice which breachesa principle may nevertheless be allowed if the public interestin the agency doing that act outweighs the public interest inadhering to the principle. Similarly the South AustralianPrivacy Committee may consider and authorise specificexceptions to the principles.

For the purpose of facilitating discussion, several examplesare set out where the public interest in using or disclosinginformation would override the public interest in privacy

• the Family Services Department in assessing afamily's suitability to be a foster parent should bepermitted to access relevant child abuse records

• the Fire Brigade should be permitted to givereports on arson to the insurance companyinvolved

• the Queensland Police Service should be permittedto provide details such as burglary reports toinsurance companies

• the Queensland Ambulance Service should bepermitted to provide information to insurancecompanies for verification of call out and accidentdetails

• the Department of Justice and Attorney-General,when it receives complaints about solicitors,should be permitted to refer them to theQueensland Law Society for action if the conductof the solicitor does not disclose a breach of thecriminal law

• the Police and the Director of Prosecutions should


be permitted to disclose relevant information tovictims of crime

As mentioned above, both the Commonwealth PrivacyCommissioner and the South Australian Privacy Committeeare empowered to grant exceptions from the IPPs when anoverriding public interest indicates such necessity. Forexample, exceptions have been granted for the disclosure toteachers, foster agencies, and the police by the SADepartment of Child Welfare of information about personswho have allegedly abused children.

There are essentially four options concerning the granting ofexceptions:

Option 1- The Privacy Commissioner

The Privacy Commissioner could be vested with theresponsibility of granting exemptions. The main problemwith this unit having such responsibility is that it is a workunit within one agency being vested with government-wideresponsibility for the granting of exemptions. It may not beseen to have the requisite degree of impartiality and conflictsmay be seen to arise when the Department of Justice itselfneeds to sponsor an application for an exemption. Evenwithin the Commonwealth Privacy Commissioner's office, theeducative functions are quite separate from the quasi-judicialfunctions.

Option 2 - The CEO of each Department

It could be left to each chief executive to grant the exceptionson a case by case basis when it can be justified in the publicinterest. The advantage is that individual chief executives aremore aware of the practical effect of the principles in any onecase. The disadvantage is that there is no guarantee ofconsistency in decision making.

Moreover, it places the Chief Executive in a difficult positionbecause, unlike the other occasions where she or he exercisesa discretion, in this situation the decision is of direct benefitto the Department. The scope for conflict of interest arise andthis is particularly important when there is the possibility thatthe Chief Executive can be called to account by theOmbudsman or the Supreme Court.


5. Should IPPs be in the formof guidelines or legislation?

Option 3 The Office of the Public Service

The Office of the Public Service, whose corporate mission isthe effective and efficient administration of the Service,would be at an appropriate arms length distance to provide abalanced approach to this issue.

However, the OPS will not have the same expertise in privacyas the Privacy Commissioner.

Option 4 An DC

The establishment of an Inter-Departmental Committee onPrivacy whose primary function would be to consider anddetermine exemptions. It is suggested that the Committeeconsist of the chief executives of Justice and Attorney-General, 2 of the 4 peak agencies on a rotational basis (Police,Family Services, Health and Education), Premiers and/or adelegate of the Information Policy Board, and the OPS.

Recommendation 10

That the modified OECD guidelines or IPPs should be inthe form of guidelines. The administrative guidelines orprinciples may, at some future date, have a legislativeunderpinning.

Discussion

This Submission recommends a staged approach to privacy:

Stage 1 is legislation to establish the Office of the PrivacyCommissioners.

Stage 2 is the development of guidelines or principles andaccompanying exemptions for the protection ofinformation held by State government departmentsand agencies . The guidelines are to be issued as aCabinet Administrative Instruction.

Stage 3 The administrative guidelines or principles may, atsome future date , have a legislative underpinning.

Page 23


In this sense, the adoption of the guidelines or principleswould be similar to a pilot scheme in which any possibleconcerns and problems could be identified, assessed , and dealtwith before binding legislative principles are implemented.

It should be noted that both NSW and SA, the only two Stateswith privacy guidelines , have been in Stage 2 for 22 and 9years respectively . NSW was preparing legislation, but itappears unlikely to proceed at this time.

It is considered that the administrative introduction of privacyprotection will:

(a) allow the scheme to be introduced rapidly;

(b) result in cost savings when compared with alegislative scheme because compliance costs areless in relative terms ( see Issue 11 on costs); and

(c) allow Government to assess the need for alegislative information privacy regime at a futuretime.

A privacy protection scheme which is administrative in naturecannot create private rights which may lead to expensivelitigation. This will not significantly detract, however, fromthe important aim of privacy protection . Both NSW and theCommonwealth report that well over 90% of complaints arehandled by telephone alone and that virtually all complaintsare resolved to the parties satisfaction.

In addition , compliance with the scheme will be ensuredthrough the powers given to the Privacy Commissioner in thePrivacy Commissioner Bill 199 .. See the discussion underIssue 10 on the Commissioner' s powers and the draftinginstructions at Attachment B.

Although the administrative protection of information privacywill not operate to create any legal right to privacy forindividuals, the Privacy Commissioner will be able to receiveand investigate complaints and make reports on non-compliance with the privacy protection scheme , in a similarfashion to the Ombudsman.

Under section 13 of the Parliamentary Commissioner Act1974, the Ombudsman is entitled to investigate any complaintabout administrative action taken by an agency. The


Ombudsman can make recommendations about anadministrative action. Under section 24, on completion of aninvestigation, the Ombudsman may report to the appropriateagency and the responsible Minister. Under 24(5) ifappropriate steps have not been taken by the appropriateagency within a reasonable time, the Ombudsman may reportto the Premier or cause a report to be laid before theLegislative Assembly.

It is proposed that the same reporting regime be applied to thePrivacy Commissioner. This will be addressed in greaterdetail under Issue 9 raised by the Committee - "Whatfunctions should a privacy commissioner have? "

An administrative information privacy protection schemecannot operate to alter the existing provisions of legislation.Therefore, where disclosure is authorised or required by law,the administrative scheme will not change this.

In addition , the powers of Ministers to make directions aboutpolicy to certain bodies, such as government ownedcorporations under the Government Owned Corporations Act1993, are provided for by legislation . This is discussed indetail under Issue 13 raised by the Committee - "Shouldprivacy regulation apply to government ownedcorporations? "

The administrative introduction of a privacy protection meansthat the provisions of the Freedom of Information Act 1992must be reconciled with the proposed scheme. This isdiscussed in detail under Issue 18 raised by the Committee -"How should any privacy protection legislation interrelate

with fr-eedonz of information legislation?"

In summary, the administrative protection of informationprivacy is a desirable Stage 2 approach which delivers ameasure of protection until such time as Stage 3 - a legislativeunderpinning for the guidelines- is appropriate. A stagedapproach to information privacy is a desirable. It is theapproach adopted by NSW for the last 22 years and by SA forthe last 7 years. As yet, neither jurisdictions has legislation,although NSW is currently preparing a Bill.

6. Should individuals have to pay (areasonable amount) to exercisetheir right to privacy?

Page 25


Recommendation 11

That the question of individuals paying a reasonable fee toexercise their right to privacy should be addressed by thePrivacy Commissioner during Stage 2.

Discussion

Applications for FOI attract a $30.00 fee for non-personalmatters. For personal matters there is no fee. Photocopyingis charged out at $.50 per page. While it would appear logicalthat individuals would have to some reasonable fee, this is amatter that should be addressed by the Privacy Commissionerin Stage 2.

7. Would the cost associated with IPPsoutweigh the public benefit flowingfrom their implementation?

Recommendation 12

That any costs, for departments and agencies, associatedwith privacy implementation in Stage 2 will be minimal andshould be met from within existing budgets. This wouldmean that the cost associated with implementation of themodified guidelines or IPPs outweigh the public benefitflowing from their implementation.

Discussion

It is submitted that any costs, for departments and agencies,associated with privacy implementation in Stage 2 will beminimal and should be met from within existing budgets.This was the method used in the Commonwealth, NSW andSA - the three jurisdictions with privacy principles governingthe public sector. Departments and agencies met any costsfrom within existing budgets.

However, to achieve this four things must occur:

® There must be a staged implementation of theguidelines over several years. The guidelinescannot be implemented fully in one year.

What this Submission proposes is that the Stage 2guidelines, once developed, are just that -


guidelines only and not binding principles thatdepartments must follow. There are no severesanctions if they do not. The only sanction isreporting to the responsible Minister andultimately the Premier - similar to theOmbudsman.

Often it is assumed that the privacy principles forQueensland will be the same as theCommonwealth Information Privacy Principles.This is not being suggested here. The Submissionproposes that the guidelines are be based uponstandards set by the OECD, as are theCommonwealth Information Privacy Principles,but the final product must be tailored to suitQueensland government needs.

• All capital costs cannot be been incurred in theinitial year. Under this proposal there are no timelines. Compliance with the guidelines will beimplemented over time, as changes are made indue course in departments - for example, whencomputer systems are updated the guidelines willbe followed in making those changes.

Both New South Wales and South Australia, the only twoStates with privacy guidelines, have been in this stage for 22and 9 years respectively. This emphasizes the concept ofchange over time - not all at once in year 1 and 2.

The Privacy Commissioner will need to work closely withdepartments and agencies to assist them in this process.

Many departments have already been following theseprinciples and have privacy protection mechanisms in place.For them little change will be required. For example, theDepartment of Transport has about four million records, ofwhich:

• 2.5 million are motor vehicle registrations;• 1.5 million are drivers' licences; and• the 18+plus cards (identification cards for those

over 18 without a drivers' licence)

Transport has already developed several model draft policieson the basis of the Commonwealth privacy guidelines,governing access to and the release of information on:

Page 27


® Drivers' licensesLocal Government parking noticesMotor vehicle registrations

It is understood that Transport would be very close to 100%compliance with the Commonwealth guidelines within a veryshort time period.

Other departments and agencies already follow best practiceprocedures. This contemporary management practicedemands the requisite standards of information privacyprotection be observed by public sector agencies as part of theapplication of best practice principles.


8. If an office of privacy commissioner/committee is established:

• how should its independence be ensured;

o should the office be accountable to the Parliament,for example , via a parliamentary committee(with perhaps responsibilities in relation tomatters such as appointments, suspensions,budgets and strategic reviews); and

should the office be combined with thatof the Information Commissioner or any other office?

Recommendation 13

That the Privacy Commissioner be an independent statutoryofficer appointed by the Governor in Council in anarrangement similar to that for the Anti-discriminationCommissioner in Queenslanrb

Recommendation 14

That the responsibilities of the Privacy Commissioner not becombined with those of the Information Commissioner orany other office However, the Office of the PrivacyCommissioner could be combined with that of theInformation Commissioner or any other office, for purposesof administrative and other convenience.


'D iscuss ion

This Submission supports the proposal that the PrivacyCommissioner be an independent statutory officer appointedby the Governor in Council. The staff in the office would bepublic servants. This would be an arrangement similar to thatfor the Anti-discrimination Commissioner in Queensland.There would be a requirement to report annually toParliament.

The Submission does not support a proposal that theresponsibilities of the Privacy Commissioner be combinedwith those of the Information Commissioner or any otheroffice. This is because the responsibilities of the PrivacyCommissioner are to onerous. Nevertheless, the Office of thePrivacy Commissioner could be combined with that of theInformation Commissioner or any other office, for purpose ofadministrative and other convenience.

9. What functions should a privacycommittee/ commissioner have?

Recommendation 15

That the Privacy Commissioner have the followingfunctions:

• to ensure the protection of information privacy. Oneof the Commissioners 's first tasks would be thedevelopment of guidelines (including exemptions) forthe protection of information held by Stategovernment departments and agencies. Theguidelines, including the exemptions, would beapproved by Cabinet and issued as a CabinetAdministrative Instruction

• to receive and investigate complaints and makereports on non-compliance with the privacy protectionscheme, in a similar fashion to the Ombudsman.

• education including informing State governmentdepartments and agencies of their responsibilities forprivacy protection.

• publishing guidelines - Once the privacy guidelinesare issued as formal principles by a Cabinet


Administrative Instruction, one of the Commissioner'sfunctions would be to prepare and publish otherguidelines or recommendations to assist departmentsand agencies to avoid acts or practices that mayinterfere with the privacy of individuals or whichmight otherwise have an adverse effect on the privacyof the individuals.

® inquire generally into any matter covered by thePrivacy Commissioner Bill 199...

general power of reporting - At the request of theresponsible Minister, the Commissioner would be ableto report to the responsible Minister from time to timeon the need for or desirability of taking action toimprove the privacy of the individual that may beinfringed by State government departments andagencies.

conducting audits - When requested to do so by adepartment or agency, the Commissioner would beable to conduct audits of records of personalinformation maintained by state governmentdepartments and agencies for the purposes ofascertaining whether the records are maintainedaccording to the information privacy guidelines, onceissued

Recommendation 16

That the Privacy Commissioner's functions relate only toState government departments and agencies.

Discussion

Details of the proposed functions are set out in the draftinginstructions for a Privacy Commissioner Bill 199.. attached tothis Submission as Attachment B.

Guidelines for the protection of information privacy

The Privacy Commissioner 'sfirst function would be to ensurethe protection of information privacy. One of theCommissioners's first tasks would be the development ofguidelines for the protection of information held by Stategovernment departments and agencies.


These guidelines and their accompanying exemptions wouldbe developed in close consultation with State governmentdepartments and agencies. The guidelines will be based uponstandards set by the OECD Guidelines (Attachment A), butthe final product would be tailored to suite Queenslandgovernment needs.

Issues such as whether out sourcing activities - for example,the out sourcing by the Premier 's Department of IT to CITEC-should be exempt would also be dealt with in the guidelines.

The legislation would be broad enough to allow the guidelinesto provide an avenue for agencies to apply for an exceptionfrom the application of the guidelines. Even the relativelystringent regime of the Commonwealth allows theCommissioner to make a written determination that an act orpractice which breaches a principle may nevertheless beallowed if the public interest in the agency doing that actoutweighs the public interest in adhering to the principle.Similarly the South Australian Privacy Committee mayconsider and authorise specific public interest exceptions tothe principles.

The guidelines, including the exemptions, would be approvedby Cabinet and issued as a Cabinet AdministrativeInstruction.

Receive, investigate complaints and report on non-compliance

The second function of the Commissioner will be to receiveand investigate complaints and make reports on non-compliance with the privacy protection scheme, by Stategovernment departments and agencies, in a similar fashion tothe Ombudsman.

Under section 13 of the Parliamentary Commissioner Act1974, the Ombudsman is entitled to investigate any complaintabout administrative action taken by an agency. TheOmbudsman can make recommendations about anadministrative action . Under section 24, on completion of aninvestigation , the Ombudsman may report to the appropriateagency and the responsible Minister . Under 24(5) ifappropriate steps have not been taken by the appropriateagency within a reasonable time, the Ombudsman may reportto the Premier or cause a report to be laid before theLegislative Assembly.

Page 31


It is proposed that the same reporting regime be applied to thePrivacy Commissioner.

Education

Education will be integral to the Commissioner's function. Inparticular, the Commissioner will be given the task ofinforming State government departments and agencies of theirresponsibilities for privacy protection.

Publishing guidelines

Once the privacy guidelines are issued as formal principles bya Cabinet Administrative Instruction, one of theCommissioner's functions will be to prepare and publish otherguidelines or recommendations to assist departments andagencies to avoid acts or practices that may interfere with theprivacy of individuals or which might otherwise have anadverse effect on the privacy of the individuals.

General power of inquiry

At the request of the responsible Minister, the Commissionerwill be able to inquire generally into any matter covered bythe Act.

General power of reporting

At the request of the responsible Minister, the Commissionermay report to the responsible Minister from time to time onthe need for or desirability of taking action to imprqve theprivacy of the individual that may be infringed by Stategovernment departments and agencies.

Conducting audits

When requested to do so by a department or agency, theCommissioner will be able to conduct audits of records ofpersonal information maintained by state governmentdepartments and agencies for the purposes of ascertainingwhether the records are maintained according to theinformation privacy guidelines, once issued.

10. What powers should a privacycommittee/commissioner have?For example, should these includethe power to:

Page 32


enforce IPPs through sanctionssuch as fine or disciplinary action; and

® exercise coercive powers such as powers of access?

Recommendation 17

That the Privacy Commissioner have all the powers, rightsand privileges that are specified in the Commissions ofInquiry Act 1950.

Recommendation 18

That the Privacy Commissioner Bill 199.. contain threeoffences:

without lawful excuse to hinder or obstruct theCommissioner in an investigation

• without lawful excuse to refuse to comply with alawful requirement of the Commissioner

to makefalse or misleading statements

Proceedings for offences may be disposed of summarily bya magistrate sitting alone The maximum penalty is 10penalty units.

Discussion

The Privacy Commissioner should have all the powers, rightsand privileges that are specified in the Commissions ofInquiry Act 1950. This is the model used:

for the Ombudsman (section 19 of theParliamentary Commissioner Act 1974)

for the NSW Privacy Commissioner (section 16(2)of the NSW Privacy Committee Act 1975

Offences

It is important that departments not be buried in complaintsand that if complaints are made against departments, thesanction is not damages or monetary penalties, but reportingto the agency and responsible Minister, and ultimately to the

Page 33


Premier. This is the essence of Recommendation 15 whichallows the Privacy Commissioner to receive and investigatecomplaints and make reports on non-compliance, in a similarfashion to the Ombudsman.

Nevertheless, there is still a need for some offences. Threeoffences are proposed:

• without lawful excuse to hinder or obstruct theCommissioner in an investigation

• without lawful excuse to refuse to comply with alawful requirement of the Commissioner

• to make false or misleading statements

Proceedings for offences may be disposed of summarily by amagistrate sitting alone. The maximum penalty is 10 penaltyunits.

11. Would the cost associated with an officeof privacy commissioner/committee outweighthe public benefit flowing from the establishmentof such an office?

Recommendation 19

That the costs associated with an Office of the PrivacyCommissioner do not outweigh the public benefit flowingfrom the establishment of such an office

Discussion

The proposed Privacy Commissioner Bill 199.. wouldestablish the office of the Privacy Commissioner. It isexpected there would need to be three to five staff in theoffice. It is suggested that they be public servants.

The costings for the establishment and running of the Officeof Privacy Commissioner are Attachment G to theSubmission. The estimates to establish the office with theCommissioner and up to 5 staff will be:

est. 97-98 allocation from 1 September $657,000est. 98-99 allocation full year $613,000est. 99-00 allocation full year $613,000


SCOPE OF A PRIVACY REGIME

12. Should privacy regulation apply tothe private sector as well as the public sector?

Recommendation 20

That, at this time, privacy regulation should only apply tothe public sector and not to the private sector . However,that Queensland be supportive of the role that theCommonwealth Office of the Privacy Commissioner isplaying in assisting business in the development of voluntarycodes of conduct and in the meeting of privacy standards, ifnecessary, on an international level.

Discussion

In January 1996, a Standing Committee of Attorneys-General(SCAG) Privacy Officers' Working Group was established atthe suggestion of the Commonwealth. It has facilitated theexchange of information on privacy law reform developmentsbetween members of SCAG.

In November 1996, the Commonwealth Attorney-Generalwrote to SCAG Ministers providing a copy of a DiscussionPaper on Privacy Protection in the Private Sector and askingfor Ministers' agreement for the issue of privacy protection tobe formally placed on the SCAG agenda. All Ministersagreed to this course.

The Commonwealth Privacy Act 1988 currently covers theCommonwealth public sector, banking and credit reportingagencies. At the 14 March 1997 meeting of SCAG, theCommonwealth proposed privacy legislation to govern all ofthe private sector. The Commonwealth intended to use thefull range of their constitutional powers to provide ascomplete a coverage of the private sector and CommonwealthGovernment business enterprises as possible. TheCommonwealth legislation would cover the field in theprivate sector with the exception of sole traders who do notoperate on an interstate basis.

At that SCAG meeting, Queensland took the position that itdid not object in principle, at that time, to the Commonwealthenacting privacy legislation to govern the private sector,subject to a future assessment of the legislation and subject to

Page 35


any recommendations that are made by the Queensland Legal,Constitutional and Administrative Review Committee. Atthat time the Committee had not formally announced thisInquiry or defined its precise scope.

This matter was subsequently raised by the Prime Minister atthe Premiers Conference on 21 March 1997. TheCommonwealth's plan to introduce a privacy regime forindustry now appear to have been scrapped as part of thefederal Government's drive to reduce business red tape. Inmaking this decision, the Prime Minister made it clear that theGovernment was concerned not to increase compliance costsfor Australian businesses, both large and small. The PrimeMinisters was quoted in the Australian Financial Review on24 March 1997 as saying:

"At a time when all heads of government acknowledge theneed to reduce the regulatory burden, proposals for newcompulsory regimes would be counterproductive. "

Business submissions, in response to the Commonwealthdiscussion paper, contained a strong message of concernabout the possibility that a patchwork of State and Territoryprivacy legislation might develop. Being required to complywith a range of differing, if not inconsistent, privacy lawswould have implications for the costs and efficiency ofbusiness.

For this reason, at the Premiers' Meeting of 21 March thePrime Minister asked Premiers and Chief Ministers not tolegislate to implement a private sector privacy regime. Sincethat time it is understood that all States and Territories (exceptVictoria) have confirmed that, for the present, they will notpursue State legislation for the private sector but rathersupport a national approach to privacy and the pursuit ofvoluntary codes of conduct.

The Federal Government's decision not to implement privacylegislation for the private sector followed extensiveconsultation based on a discussion paper released inSeptember last year. More than 100 submissions werereceived in response to the discussion paper, many of whichprovided detailed comments. As well as formal submissions,a number of organisations took the opportunity to meet withthe Attorney's advisers and the relevant officers of theDepartment to discuss areas of specific concern.


While overall the submissions rated privacy protection forpersonal information as important, views differed on how thisought to be achieved in the private sector. Some submissionargued strongly that there was no clear need for legislation inorder to ensure privacy protection. There was considerableconcern about the potential costs which would be imposed onbusiness by legislation. There was particular concern abouthow a legislative regime would impact upon small andmedium enterprises. The view was put that privacy protectioncould be achieved through a voluntary approach.

The Commonwealth Government has now decided to pursuea voluntary approach. The services of the federal PrivacyCommissioner, Ms Moira Scollay, have been made availableto assist business in the development of voluntary codes ofconduct and to meet privacy standards.

This builds on the experience that already exists within theOffice of the Privacy Commissioner. The PrivacyCommissioner's Office has been actively involved in assistingthose businesses that have already taken the initiative ofintroducing good privacy practices.

One approach to developing a voluntary approach to privacyprotection in the private sector would be to continue todevelop codes for particular sectors or to cover particularfunctions. Alternatively, one overall set of privacy principlesappropriate for application across the entire private sectormight be developed.

13. Should privacy regulation applyto government owned corporations?

Recommendation 21

That privacy regulation only apply to government ownedcorporations to the same extent it applies to the privatesector. As this submission recommends that the privatesector not be covered, it also recommend that GOCs not becovered by any privacy regulation at this time.

Discussion

The proposals in this submission are directed at the publicsector only. In keeping with this philosophy, only publicsector departments and agencies will be covered. As there is


no intention to cover the private sector and assuming thatGOCs and statutory authorities are to be on a level playingfield with the private sector, it is recommended that thelegislation not apply to GOCs and statutory authorities.

This is consistent with the approach of exempting some GOCsfrom other measures such as the Freedom of Information Act1992.

In addition, a Cabinet Administrative Instruction could applyonly to those bodies which are required to act on a directionfrom Cabinet. GOCs are not government agencies amenableto Cabinet direction. This is because the powers of Ministersto make directions about policy to certain bodies, such asgovernment owned corporations under the GovernmentOwned Corporations Act 1993, are provided for bylegislation.

14. Should privacy regulationapply to local government activities?

This Submission does not address this issue.

5. Would the costs associated with privacy regulation of.

the private sectorgovernment owned corporationslocal government activities;

outweigh the public benefit to be gained by that regulation?

As this Submission recommends that the private sector andGOCs not be covered by privacy regulation and makes nocomment on local government, there is no need to address thisissue.

16. If the private sector is not to be covered,how should privacy regulation apply to bodiesperforming services which the government has out sourced?

Recommendation 22

That out sourcing is a matter that is best dealt with by thePrivacy Commissioner in the development of the guidelinesand exemptions in Stage 2.

Page 38


D iscussion

This is an important issue of particular concern to theInformation Planning Branch of the Department of Premierand Cabinet from the perspective of the impact of theprinciples on the Government electronic services and inparticular, whether or not the privacy guidelines would applyto out sourcing activities especially those where the outsourcing related to the general functions or management ofthe database - for example, the out sourcing of theirinformation technology to CITEC.

Out sourcing is a matter that, in our view, is best dealt with inStage 2. Although no particular view is expressed in thisSubmission, it is likely that out sourcing would be covered bythe principles.

17. Should there be co-operative arrangementsbetween the States, Territories and the Commonwealthwith respect to matters such as formal complaints regimes?

As this Submission recommends that the private sector not becovered at this time, this issue has not been addressed.

18. How should any privacy protection legislationinterrelate with freedom of information legislationFor example , should the access to, and amendment of,personal information be regulated by a Privacy Act alone?

Recommendation 23

That an administrative privacy scheme which contains anzoded version of either the OECD guidelines or the IPPs,refer to 'personal affairs information'.

Therefore, access and alteration of documents will be dealtwith under the Freedom of Information Act and gathering,use, storage and disclosure of personal affairs informationwill be dealt with under the administrative privacy scheme

This is consistent with Recommendations 7 and 8. Thesetwo modifications are reflected in the Draft CabinetInstructions giving effect to the OECD Guidelines and theIPPS set out at Attachments C and F respectively.

Page 39


D iscussion

The administrative introduction of privacy protection meansthat the provisions of the Freedom of Information Act 1992must be reconciled with the proposed scheme.

The IPPs regulate the solicitation, use, storage anddissemination of 'personal information', a term which meansinformation or an opinion about an individual whose identitycan be ascertained from the information or opinion. TheFreedom of Information Act 1992 uses the term ' personalaffairs information '. This term appears throughout theFreedom oflnformation Act 1992 but most importantly, undersection 44 , documents containing 'personal affairsinformation' which relate to an individual (not a corporation)are exempt from disclosure except to the person to whom theyrelate unless disclosure is in the public interest.

The term ' personal information ' in the Privacy Act 1988 (Cth)includes more information than 'personal affairs information'in the Freedom of Information Act 1992.

The protection of 'personal information' under anadministrative privacy scheme would not restrict the right ofaccess which exists under the Freedom of Information Act1992 to those documents which do not contain 'personalaffairs information'. Clearly, the use of the term 'personalinformation' in an administrative privacy scheme is untenable.Any other approach would require amendments to theFreedom of Information Act 1992.

An administrative privacy scheme should contain a modifiedversion of the IPPs which refer to 'personal affairsinformation'. Therefore, access and alteration of documentswill be dealt with under the Freedom of Information Act andgathering, use, storage and disclosure of personal affairsinformation will be dealt with under the administrativeprivacy scheme.

This is consistent with Recommendations 7 and 8 that, ifadopted:

the term "personal data " in the OECD Guidelinesbe replaced with "personal affairs information" tomaintain consistency with the Freedom ofInformation Act.


® the term " personal information" be replaced with"personal affairs information " to maintainconsistency with the Freedom of Information Act.

These two modifications are reflected in the Draft CabinetInstructions giving effect to the OECD Guidelines and the IPPSset out at Attachments C and F respectively.

19. What additional measures , if any, should be taken with respect to:

® the 1995 European Directive; andthe OECD Cryptography Policy Guidelines

Recommendation 24

That the Committee note:

the progress the Commonwealth Government isnarking in seeking clarification in relation to the1995 European Directive from the EuropeanCommission;

the development of an ISO standard that couldassuageforeign concerns about Australia's lackof privacy legislation;

that codes of practice, which could be embodiedin an ISO or Standards Australia standard, maybe deemed sufficient to meet European Directiveguidelines.

D iscussion

European Union Directive

The European Union Directive on the Protection ofIndividuals with regard to the processing of Personal Data andon the Free Movement of Such Data has been raised in themedia as having the potential to impede trade betweenEuropean Union countries and Australia.

The Commonwealth Government advised SCAG Ministers attheir most recent meeting in Brisbane on 17-18 July 1997,that it does not believe that the Directive will necessarilycause significant constraints for Australian business.Although the Directive regulates the flow of personal


information to non-European Union countries which do nothave "adequate" privacy protections, it does not provide clearcriteria as to how "adequacy" will be assessed. This is amatter on which the Commonwealth Government is seekingclarification from the European Commission.

In addition, the issue of information flows from EuropeanUnion countries to Australia will not turn solely on thequestion of "adequacy". The Directive permits transfers ofpersonal information in a number of circumstances regardlessof whether the country is considered to have "adequate"privacy protection. These include cases where:

the person concerned has given their consent to thetransfer;

the transfer is necessary for the performance of acontract with the person concerned or theimplementation of pre-contractual measures inresponse to a request from the person concerned;

the transfer is necessary to implement a contractconcluded in the interests of the person concerned.

The Directive also allows European countries to authorisetransfers to countries which are not considered to have"adequate", privacy protection if there are "adequatesafeguards" in the particular case, such as appropriatecontractual clauses.

In addition, the adoption of an international privacy standardsimilar to those adhered to for quality control could also helpget Australian businesses around international privacy laws.The Federal Privacy Commissioner recently attended thepreliminary meeting of the International StandardsOrganization (ISO) Working Group in New York, which isdeveloping privacy standards. The ISO's Australianrepresentative, Standards Australia, is also believed to bedeveloping a local privacy standard that could assuage foreignconcerns about Australia's lack of privacy legislation.

Finally, Mr Steve Orlowski, Special Advisor on InformationSecurity Policy for the Federal Government, was quoted inthe Australian Financial Review on 29 May 1997 as saying itwas increasingly likely that codes of practice, which could beembodied in an ISO or Standards Australia standard, wouldbe deemed sufficient to meet European Directive guidelines.

Page 42


Smart Cards and Electronic Banking

20. How should smart cards be regulated?For example , by national legislation, statelegislation or industry codes?

21. What form of regulation should be introducedwith respect to the various types of electronicbanking and cash (not including those systemswhich use smart cards)?

Recommendation 25

That the Committee note that a national approach to theregulation of smart cards is being developed and thatspecifically:

• the SCOCA Working Party is developing astrategy to monitor the introduction of smart cardfees and charges and other issues of concern tothe community.

• the Consumer Education Advisory Committee(CEAC, which is a Committee of SCOCA) isdeveloping a national smart card educationstrategy; and

Recommendation 26

That an audit be undertaken to establish the use or intendeduse of smart cards and other means of electronic commercein the public sector (with a particularfocus on health andtransport) and portfolio specific codes of conduct and bestpractice guidelines be developed consistent with the nationalapproach.

Recommendation 27

That, in keeping with recommendation 20 that privacyregulation should not apply to the private sector at this time,the regulation of smart cards and other means ofelectroniccommerce in theprivate sector should be by way of nationalindustry specific codes of conduct and best practiceguidelines.

Privacy issues relating to new technologies were identified


with the introduction of EFTPOS (electronic funds transfer atpoint of sale). Smart Card systems are being developed inAustralia at a much more rapid rate than EFTPOS, and arelikely to have a much greater impact on personal privacy.The relevant issues are the following:

• collection of information and customer profiling -commercial smart card payment systems can facilitatethe collection of much larger amounts of information incomputerised form than any previous payment system.Records of the date, time and location of all movementson public and private transport systems, along withdetails of any other activities paid for by smart cardsmaybe processed and stored and used to create detailedcustomer profiles. Most smart card providers areactively promoting the development of customerprofiles as a selling point to potential smart card retailoutlets.

• anonymity - smart cards are offered as an alternative tocash. It may be that the cost of producing disposablesmart cards is likely to mean card issuers will preferre-chargeable cards, however, one of the many benefitsoffered by cash is that consumers can enter transactionsanonymously. Even with "anonymous" re-chargeablesmart cards, the anonymity of the card holder mayeasily be compromised in a number of everydaysituations, for example if a card is re-charged at anEFTPOS terminal, or where cards carry a record ofname and address of card holder in the event of damage,refund or other benefits or where a name and addressmust be supplied for goods to be delivered.

marketing - smart card operators are promoting theirsmart card systems as a means to collect detailedinformation about customers - profits are made by usingthe information obtained to target customers moreaccurately for marketing purposes, or by providingcustomer information to third parties. In some cases,loyalty schemes are another privacy invasive form ofmarketing, involving the collection and exchange ofdetailed personal information which would otherwise beunobtainable.

• law enforcement/litigation - many governmentagencies, including the Australian Taxation Office andthe Department of Social Security have sweeping


powers to access such records. Law enforcementagencies and private litigants may also be able to gainaccess to smart card records, giving them a detailedinsight into the private lives of card holders.

• alternative applications - potentially, smart cards canbe programmed to provide a number of functions on theone card. Smart card promoters may offer only a smallnumber of functions on each of their cards, but thecapability is there to expand in the future without theneed to incur any major costs. eg, medical records,telecommunications, access control and nationalidentification functions. A concern in this regard is toreduce the potential for information on one part of acard to be accessed by someone involved in a differentoperation.

On 18 September 1995, the former Minister for Industry,Science and Technology, Senator Peter Cook officiallylaunched the Asia Pacific Smart Card Forum - Australia,which has adopted as a priority the development of IndustryCodes of Conduct to safeguard community concerns overprivacy issues . It was suggested to the Forum by KevinO'Connor, the former Privacy Commissioner that the Codesof Conduct should be formulated around three principles:

• a transparent information handling system;

• limits on the collection and use of personal information(to what is essential to the central purpose of thesystem); and

• personal information that is collected should be accurateand secure.

In January 1996, a draft Smart Card Industry Code of Conductwas released for comment, under the umbrella of which theSmart Card Forum intends to prepare a number of subcodes- including a stored value card subcode. As a result of thatdraft, a working party was established containing consumerrepresentatives to do further work in relation to a code ofconduct, which was released in November 1996.

The Smart Card Advisory Network (SCAN), whose memberscomprise government , industry, banks and privacy interests,is based in Sydney and meets every two months . Its mostrecent work is the development of draft best practice


guidelines for the operation of stored value smart cards. It isessential that card issuers clarify the rights, obligations andrisks borne by consumers, merchants and other participants innew systems before these products are widely introduced.

A further response which has been proposed by the NSWPrivacy Committee is a licensing requirement monitored bya body such as the Reserve Bank of Australia. This wouldhelp to ensure that card issuers were financially sound, andthat consistent standards were applied to the development ofsmart card systems. The Reserve Bank might also wish totake steps to ensure that smart cards remain counterfeit proofif they are to take the place of currency.

The Consumer Survey

In March 1996, the Standing Committee of Officials ofConsumer Affairs (SCOCA) formed a working party,comprising Queensland, NSW and the ACT, to develop anational approach to smart cards (including stored valuecards) and prepare a report for the Ministerial Council onConsumer Affairs (MCCA) in September. The four pilotswere regarded as a good opportunity to survey theparticipants of these pilots, as well as other people with viewsabout smart cards in order to gather information aboutpeople's experiences with, and views on, smart cards.

On 17 July 1996, a phone-in was conducted by theQueensland Office of Consumer Affairs, in conjunction withNew South Wales and the Australian Capital Territory. Onthat day, consumers from Qld, NSW and the ACT were askedto phone in and answer a questionnaire covering such issuesas the advantages and disadvantages of smart cards, use ofinformation and the role of government, banks and cardissuers and retailers.

The purpose of the phone-in was to capture consumer issuesin relation to the possible introduction of smart cards to thecommunity, and to promote discussion on areas of concern inthe community. This project has been a good opportunity todevelop a co-ordinated approach to obtaining consumer inputto the new technology and to compare the results obtained inthe two States and the ACT. A summary of the responses wasas follows:

® Advantages : when asked why they would use a smartcard and what they regarded as the advantages of this


type of card, consumers overwhelmingly identifiedconvenience, including no need for exact change, afeeling of security with less change and the likelihoodof faster transactions. Many callers indicated that theseadvantages would be conditional upon some kind ofsafety or security measures put in place to ensure thatfinances were protected, something like a personalsecurity or PIN number.

• Disadvantages : when callers were asked if they hadexperienced any problems while using the smart card ina trial, over half of those who had been involved in atrial indicated that they had and the responses includedretailers being unaware of the trial, the card only beingavailable at certain outlets and that they were unhappywith fees and charges on the card.

Callers were also called upon to comment on thedisadvantages they could see in using this type of cardand they responded with the following comments: lossof privacy of personal information and/or transactiondata; fees and charges involved with the cards; and theneed to continue to use cash for some services, such as,transactions carried out at garage sales, in theemployment of domestic help, by buskers and bycommunity groups relying on door-to-door donations.Some callers also expressed concern that cards may failto fully represent their cash equivalent to the user, andconsumers may be encouraged to spend more than theywould if they were handling cash.

Information : information disclosure and privacy ofinformation were issues highlighted in the phone-in.When asked what banks should do with consumers'personal application information and everydaytransaction information callers suggested that banksshould keep it for their use only; there should be noneed for the bank to even have this information; that theinformation should be destroyed after initial use; or thata bank should not use information without a consumer'sconsent. Some callers recognised that this sort ofinformation could possibly be used for marketingpurposes and were happy for the information to be usedin an anonymous form. However, concern wasexpressed over the possibility of receiving more junkmail as a result of this information being made availablefor these purposes.

Page 47


• Responsibilities : consumers nominated the governmentand banks as having a role in consumer protection inrelation to the introduction and use of smart cardtechnology in everyday financial transactions. Seventypercent of callers considered that government has someresponsibility in the introduction and regulation of thesmart card industry to the community. Seventy-eightpercent of callers indicated that the industry should beregulated by government in some way, in order toprotect consumers' personal and transaction information.Suggestions in relation to this role included governmentinvolvement in the planning stages of a card'sintroduction, government regulation of fees and interestrates charged by the banks on smart cards, andgovernment ensuring that consumers' choices to usecash or to protect their privacy are not limited by themandatory introduction of smart cards. Two-thirds ofthose who called also indicated that banks and retailershad a responsibility to the consumer to offer adequateservices, consumer choice of services and protection ofconsumer information.

• Fees: when asked about a range of possible fees, a largemajority of callers objected in principle to paying feesfor what they regarded as a cash replacement andeffectively paying to use their own cash. Anotherobjection raised by a small number of callers was that inaddition to charging fees, banks were earning interest oncash transferred to a smart card but the consumer orcash owner was not.

• Cashless Society: all callers were asked if theyconsidered that we were heading towards a cashlesssociety and a large majority said they thought it wouldbe inevitable that cards would replace cash but manywere not supportive of the move for any of thefollowing reasons: removing consumer choice; thatthere continues to be a need for cash for sometransactions; that callers considered there is no costattached to cash; and the fear that financial transactiontimes might lengthen.

• Summary of responses : the primary consumerconcerns emerging from the phone-in revolve aroundthe topics of privacy of personal and transactioninformation, consumer choice, security and fees and

Page 45


charges. Most callers felt strongly about these issuesand indicated that there was a role for government toplay protecting the consumer from possible detriment.It is clear that these issues need to be addressed in orderto ensure that smart cards are introduced into themarketplace with due regard for consumer protection.

As the result of the phone-in, the following specificrecommendations were made:

• that the report be used by the Consumer EducationAdvisory Committee (CEAC, which is a Committee ofS COCA) in order to develop a national smart cardeducation strategy; and

• that the SCOCA working party to develop a strategy tomonitor the introduction of smart card fees and chargesand other issues of concern to the community.

The report of the survey was intended to promote discussionabout the privacy and other consumer issues related to thesmart card industry and to contribute to the development ofappropriate practices and policies throughout the community.The widespread introduction of smart card technology toAustralia is being heralded as a great benefit in cutting downon fraud, making information storage safer and in increasingefficiency in the delivery of a wide range of services. Assmart cards will be used in the private and public sectors, byfinancial and non-financial institutions and for a wide varietyof activities, the challenge will be to develop a consumerpolicy that can accommodate the full range of applications,current, planned and imagined.


22. What form of regulation should be introducedwith respect to privacy issues arising in the areas of.

• personal privacy, including surveillance (visualand listening) both in public and private places;

• telemarketing and direct marketing• the workplace;• medical records, including access; and• genetics?

Page 49


Recommendation 28

That regulation of telemarketing and direct marketing in theprivate sector should be by way of the development andimplementation of the national Draft Distance Selling Codeof Practice on a voluntary basis which is currently beingprepared by the Standing Committee of Consumer AffairsOfficials Working Group.

D iscussion

Direct marketing and telemarketing commonly involvetransactions initiated at a distance and include a wide range ofindustries and selling methods. Some methods will remain thesame however modern technology brings a plethora of newmarketing techniques and products. Consumers are nowfinding it increasingly difficult to make informed choices orretreat from solicitations of this nature.

When consumers are approached by direct marketers usuallythey do not have the opportunity to physically examine theitem, to compare quality and price, or to discuss the purposefor which it is wanted with a qualified sales representative.

The consumer is often pressured to act quickly, payment isusually required up front and delivery can be weeks away.The sales information may be deficient or the item may beunsuitable or defective and it is often more difficult to contactthe seller. In any case, when the seller is some distance awayit can be difficult to pursue redress.

In particular, consumers' details are commonly recorded,reused and sold for use by other direct marketers andtelemarketers. In most cases this occurs without the consentor knowledge of the consumer. Many have expressed extremedissatisfaction with the lack of regulation in the industry.

Current data gathering systems used by consumer agencies inAustralia do not provide a discreet category for directmarketing or telemarketing complaints. Neverthelesscomplaints received and feedback from community groupsindicate an increasing demand for regulating these practices.Consumers commonly identify privacy as a major area ofconcern and seek a level of protection from the regularintrusions unique to this type of marketing.


This trend is also evident in America and Europe whereauthorities have substantially increased the level of consumerprotection in these areas.

In Australia, in September 1996 the Ministerial Council onConsumer Affairs (MCCA), which is largely comprised ofMinisters responsible for consumer affairs in state and federalgovernments, recently endorsed the release of a draftvoluntary code of practice on direct marketing for publicdiscussion.

Development of the Distance Selling Code of Practice isexpected to provide a significant advance in consumerprotection in this area of the marketplace. It would addresskey issues in the areas of fair trading, information privacyprotection, telemarketing, and complaint handling procedures.It would also include processes for administration and theestablishment of a Code Administration Authority. Thecurrent draft is attached.

The Draft Code was developed cooperatively by industry,government, consumer organisations and the Office of thePrivacy Commissioner. Some guidance was taken from theAustralian Direct Marketing Association guidelines, theAustralian National Guide on Codes, the Information PrivacyPrinciples, the 1981 OECD Guidelines on the Protection ofPrivacy and Transborder Flows of Personal Data, the Councilof Europe Recommendation on the Protection of PersonalData used for the Purposes of Direct Marketing, the EuropeanUnion Directive on the Protection of Consumers in respect ofDistance Contracts, the United States Federal TradeCommission Guidelines on Telemarketing and the UnitedKingdom Direct Marketing Association Code of Practice.

The Draft Code covers a range of issues specific toinformation privacy. For example, consumers would have tobe advised when their information is likely to be disclosed toa third party for direct marketing purposes and industryparticipants would be expected to comply with a consumer'srequest not to be contacted if they object. Also, consumerswould have the right to know the source of information andpursue a complaint if their name is not removed from acontact list.

It would require the express consent of the consumer inrespect to the collection and use of sensitive information suchas racial origin, political opinions, religious beliefs, sexual


preference or health.

The Code would require telemarketers to identify themselvesand the organisation they represent, and would restrict theirtelephone calls to specified hours. It would ensure that aconsumer's telephone line is promptly released on conclusionof a call or on request to do so and would place limitations onthe frequency of calling.

The current lack of adequate and enforceable privacyprotection in the private sector is a concern to consumeragencies. Privacy issues which relate to direct marketing andtelemarketing are a major source of complaints and the Codeis expected to provide a significant advance in consumerprotection in this area.

MCCA has decided that initially, at least, it should be avoluntary code. The Australian Direct Marketing Association,the major representative in this industry sector, isparticipating in its development and has, in principle,expressed support for its implementation. The introduction ofthe Code is expected to create a positive influence across thisarea of the marketplace.

Page 52


A TTA CHMENT A

OECD GUIDELINES

Collection Limitation Principle

7. There should be limits to the collection of personal data and any such data should beobtained by lawful and fair means and, where appropriate, with the knowledge or consentof the data subject.

Data Quality Principle

8. Personal data should be relevant to the purposes for which they are to be used, and, tothe extent necessary for those purposes, should be accurate, complete and kept up-to-date.

Purpose Specification Principle

9. The purposes for which personal data are collected should be specified not later than atthe time of data collection and the subsequent use limited to the fulfilment of thosepurposes or such others as are not incompatible with those purposes and as are specifiedon each occasion of change of purpose.

Use Limitation Principle

10. Personal data should not be disclosed, made available or otherwise used for purposesother than those specified in accordance with Paragraph 9 except: -

(a) with the consent of the data subject; or

(b) by the authority of law.

Security Safeguards Principle

11. Personal data should be protected by reasonable security safeguards against such risksas loss or unauthorised access, destruction, use, modification or disclosure of data.

Openness Principle

12. There should be a general policy of openness about developments, practices and policieswith respect to personal data. Means should be readily available of establishing theexistence and nature of personal data, and the main purposes of their use, as well as theidentity and usual residence of the data controller.

Page 1Attachment A


Individual Participation Principle

13. An individual should have the right: -

(a) to obtain from a data controller, or otherwise, confirmation of whether or not thedata controller has data relating to him;

(b) to have communicated to him, data relating to him: -

(i) within a reasonable time;(ii) at a charge, if any, that is not excessive;(iii) in a reasonable manner; and(iv) in a form that is readily intelligible to him.

(c) to be given reasons if a request made under subparagraphs (a) and (b) is denied,and to be able to challenge such denial; and

(d) to challenge data relating to him and, if the challenge is successful, to have thedata erased, rectified, completed or amended.

Accountability Principle

14. A data controller should be accountable for complying with measures which give effectto the principles stated above.

Page 2Attachment A


A TTA CHMENT B

DRAFTING INSTRUCTIONS

THE BILL

Privacy Commissioner Bill 199...

1. OBJECTIVES

To establish the Office of Privacy Commissioner as an independent statutory officertasked to protect the right to privacy of Queenslanders that may be infringed by Stategovernment departments and agencies.

2. OTHER RELEVANT LEGISLATION

(a) The 1991 New Zealand Privacy Commissioner Act will be helpful in referenceto:

the establishment of the office of a Privacy Commissioner

• the functions of the Commissioner and, in particular, the function toreport to the Prime Minister on the need for taking administrative,legislative or other action to better protect the privacy of the individual.

In 1993 this Act was replaced with more comprehensive legislation, the PrivacyAct 1993 (NZ), which established privacy principles based on the OECDguidelines with respect to both public and private sector agencies.

(b) The NSW Privacy Committee Act 1975 . NSW is currently drafting nowlegislation on privacy.

(c) The Queensland Parliamentary Commissioner Act 1974, particularly section 13where the Ombudsman is entitled to investigate any complaint aboutadministrative action taken by an agency.

(d) The Commonwealth Privacy Act 1988.

3. COMMENCEMENT

On royal assent.

4. TRANSITIONAL PROVISIONS

None

Page 1Attachment B


5. REGULATIONS

None

6. LEGISLATION TO BIND THE CROWN

Yes

7. DETAILED INSTRUCTIONS

Establishment of the Office of Privacy Commissioner

(a) The Privacy Commissioner Bill 199.. will establish the office of the PrivacyCommissioner. The Privacy Commissioner will be an independent statutoryofficer appointed by the Governor in Council. The staff in the office will bepublic servants.

(b) As there is no intention to cover the private sector and GOCs and statutoryauthorities are to be out on a level playing field with the private sector, thelegislation will not apply to GOCs and statutory authorities.

Privacy Commissioner ' s Functions

(c) The Commissioner's functions relate only to State government departments andagencies only.

Guidelines for the protection of information privacy

(i) The Privacy Commissioner 'sfirst function will be to ensure the protectionof information privacy. One of the Commissioners 's first tasks will be thedevelopment of guidelines (including exemptions ) for the protection ofinformation held by State government departments and agencies.

(ii) These guidelines and their accompanying exemptions will be developedin close consultation with State government departments and agencies.

(iii) The guidelines will be based upon standards set by the Organization forEconomic Co-operation and Development, but the final product will betailored to suite Queensland government needs.

(iv) Issues such as whether out sourcing activities - for example, the outsourcing by the Premier's Department of IT to CITEC -should be exemptwill also be dealt with in the guidelines.

(v) The legislation must be broad enough to allow the guidelines to providean avenue for agencies to apply for an exception from the application of

Page 2Attachment B


the guidelines. Even the relatively stringent regime of theCommonwealth allows the Commissioner to make a writtendetermination that an act or practice which breaches a principle maynevertheless be allowed if the public interest in the agency doing that actoutweighs the public interest in adhering to the principle. Similarly theSouth Australian Privacy Committee may consider and authorise specificpublic interest exceptions to the principles.

(vi) The guidelines, including the exemptions, will be approved by Cabinetand issued as a Cabinet Administrative Instruction.

Receive, investigate complaints and report on non-compliance

(vii) The second function of the Commissioner will be to receive andinvestigate complaints and make reports on non-compliance with theprivacy protection scheme, in a similar fashion to the Ombudsman.

(viii) Under section 13 of the Parliamentary Commissioner Act 1974, theOmbudsman is entitled to investigate any complaint about administrativeaction taken by an agency. The Ombudsman can make recommendationsabout an administrative action. Under section 24, on completion of aninvestigation, the Ombudsman may report to the appropriate agency andthe responsible Minister. Under 24(5) if appropriate steps have not beentaken by the appropriate agency within a reasonable time, theOmbudsman may report to the Premier or cause a report to be laid beforethe Legislative Assembly.

(ix) It is proposed that the same reporting regime be applied to the PrivacyCommissioner.

Education

(x) Education will be integral to the Commissioner's function. In particular,the Commissioner will be given the task of informing State governmentdepartments and agencies of their responsibilities for privacy protection.

Publishing guidelines

(xi) Once the privacy guidelines are issued as formal principles by a CabinetAdministrative Instruction , one of the Commissioner 's functions will beto prepare and publish other guidelines or recommendations to assistdepartments and agencies to avoid acts or practices that may interferewith the privacy of individuals or which might otherwise have an adverseeffect on the privacy of the individuals . See s . 27(1)(e) of theCommonwealth Privacy Act 1988.

Page 3Attachment B


General power of inquiry

(xii) At the request of the responsible Minister, the Commissioner will be ableto inquire generally into any matter covered by the Act. See ss. 5(1)(f)and 5(3) of the 1991 New Zealand Privacy Commissioner Act.

General power of reporting

(xiii) At the request of the responsible Minister, the Commissioner may reportto the responsible Minister from time to time on the need for ordesirability of taking action to improve the privacy of the individual thatmay be infringed by State government departments and agencies. See ss.5(1)(h) and 5(2) of the 1991 New Zealand Privacy Commissioner Act.

Conducting audits

(xiv) When requested to do so by a department or agency, the Commissionerwill be able to conduct audits of records of personal informationmaintained by state government departments and agencies for thepurposes of ascertaining whether the records are maintained according tothe information privacy guidelines, once issued. See s. 27(1)(h) of theCommonwealth Privacy Act 1988 and s. 13(1)(b) of the New ZealandPrivacy Act 1993.

Privacy Commissioner's Powers

(d) The Privacy Commissioner will have all the powers, rights and privileges that arespecified in the Commissions of Inquiry Act 1950. This is the model used for the:

Ombudsman (s. 19 of the Parliamentazy Commissioner Act 1974)NSW Privacy Commissioner (s. 16(2) NSW Privacy Committee Act 1975)

Offences

(e) There will be three types of offences:

without lawful excuse to hinder or obstruct the Commissioner in aninvestigationwithout lawful excuse to refuse to comply with a lawful requirement ofthe Commissionerto make false or misleading statements

Examples are set out in section 22 of the NSW Privacy Committee Act andsection 35 of the NZ Privacy Commissioner act 1991. Proceedings for offencesmay be disposed of summarily by a magistrate sitting alone. The maximumpenalty is 10 penalty units.

Page 4Attachment B


A TTA CHMENT C

Draft Cabinet Instruction giving effect to the OECDGuidelines


Cabinet Administrative Instruction 199...

PART 1

PRELIMINARY

Short Title

1. This Instruction may be called the "Information Privacy Guidelines Instruction".

Commencement and Application

2. (1) This Instruction will come into effect on ...

(2) Subject to any contrary determination by Cabinet, this Instruction shall apply to -

(i) the "public service" as that term is used in the Public Service Act 1996;and

(ii) any agency or instrumentality of the State of Queensland that is subjectto control or direction by a Minister.

Exemptions

3. [to be inserted ...................... ]

PART 11

Guidelines

INFORMATION PRIVACY GUIDELINES

4. The principal officer of each agency shall ensure that the following Guidelines areimplemented, maintained and observed for and in respect of all personal affairsinformation for which his or her agency is responsible.

Page 1Attachment C


Collection Limitation Guideline

5. There should be limits to the collection of personal affairs information and any suchinformation should be obtained by lawful and fair means and, where appropriate, withthe knowledge or consent of the information subject.

Information Quality Guideline

6. Personal affairs information should be relevant to the purposes for which they are to beused, and, to the extent necessary for those purposes, should be accurate, complete andkept up-to-date.

Purpose Specification Guideline

7. The purposes for which personal affairs in information are collected should be specifiednot later than at the time of information collection and the subsequent use limited to thefulfilment of those purposes or such others as are not incompatible with those purposesor are directly related to the purpose for which the information was obtained and as arespecified on each occasion of change of purpose.

Use Limitation Guideline

8. Personal affairs information should not be disclosed, made available or otherwise usedfor purposes other than those specified in accordance with Paragraph 9 except -

(a) with the consent of the information subject; or(b) by the authority of law.

Security Safeguards Guideline

9. Personal affairs information should be protected by reasonable security safeguardsagainst such risks as loss or unauthorised access, destruction, use, modification ordisclosure of information.

Openness Guideline

10. There should be a general policy of openness about developments, practices and policieswith respect to personal affairs information. Means should be readily available ofestablishing the existence and nature of personal affairs information and the mainpurposes of their use, as well as the identity and usual residence of the informationcontroller.

Individual Participation Guideline

11. An individual should have the right -

Page 2Attachment C


(a) To obtain from an information controller, or otherwise, confirmation of whetheror not the information controller has information relating to the individual;

(b) to be advised of the information relating to the individual -

(i) within a reasonable time;(ii) at a charge, if any, that is not excessive;(iii) in a reasonable manner; and(iv) in a form that is readily intelligible to the person;

(c) to be given reasons if a request made under subparagraphs (a) and (b) is denied,and to be able to challenge such denial; and

(d) to challenge information relating to the individual and, if the challenge issuccessful, to have the information erased, rectified, completed and amended.

Accountability Guideline

12. An information controller should be accountable for complying with measures whichgive effect to the principles stated above.

PART 111

COMPLIANCE WITH GUIDELINES

Reporting Procedures pursuant to the Instruction

13. After one year from the date of operation of this Instruction, each principal officer shallfurnish to the relevant Minister, a report detailing -

(a) the action taken to ensure that the Guidelines are implemented, maintained andobserved in the agency for which he or she is responsible;

(b) the name and designation of each officer with authority to ensure that theGuidelines are so implemented, maintained and observed;

(c) the result of any investigation and report, in relation to the agency for which heor she is responsible and, where applicable, any remedial action taken orproposed to be taken in consequence.

Agencies Acting Singly or in Combination

14. This Instruction and the Guidelines shall apply to the collection, storage, access torecords, correction, use and disclosure in respect of personal affairs information whetherthat personal affairs information is contained in a record in the sole possession or underthe sole control of an agency or is contained in a record in the joint or under the jointcontrol of any number of agencies.

Page 3Attachment C


A TTA CHMENT D

INFORMATION PRIVACY PRINCIPLES (Cw1th)

Principle 1Manner and Purpose of Collection of Personal Information

1. Personal information shall not be collected by a collector for inclusion in a record or ina generally available publication unless:

(a) the information is collected for a purpose that is a lawful purpose directly relatedto a function or activity of the collector; and

(b) the collection of the information is necessary for or directly related to thatpurpose.

2. Personal information shall not be collected by a collector by unlawful or unfair means.

Principle 2

Solicitation of Personal Information from Individual Concerned

Where:

(a) a collector collects personal information for inclusion in a record or in a generallyavailable publication; and

(b) the information is solicited by the collector from the individual concerned;

the collector shall take such steps (if any) as are, in the circumstances, reasonable to ensure that,before the information is collected or, if that is'not practicable, as soon as practicable after theinformation is collected, the individual concerned is generally aware of.

(c) the purpose for which the information is being collected;

(d) if the collection of the information is authorised or required by or under law - thefact that the collection of the information is so authorised or required; and

(e) any person to whom, or any body or agency to which, it is the collector's usualpractice to disclose personal information of the kind so collected, and (if knownby the collector) any person to whom, or any body or agency to which, it is theusual practice of that first-mentioned person, body or agency to pass on thatinformation.

Page 1Attachment D


Principle 3Solicitation of Personal Information Generally

Where:

(a) a collector collects personal information for inclusion in a record or in a generallyavailable publication; and

(b) the information is solicited by the collector;

the collector shall take such steps (if any) as are, in the circumstances, reasonable to ensure that,having regard to the purpose for which the information is collected;

(c) the information collected is relevant to that purpose and is up to date andcomplete; and

(d) the collection of the information does not intrude to an unreasonable extent uponthe personal affairs of the individual concerned.

Principle 4Storage and Security of Personal Information

A record-keeper who has possession or control of a record that contains personal informationshall ensure:

(a) that the record is protected, by such security safeguards as it is reasonable in thecircumstances to take, against loss, against unauthorised access, sue, modificationor disclosure, and against other misuse; and

(b) that if it is necessary for the record to be given to a person in connection with theprovision of a service to the record-keeper, everything reasonably within .thepower of the record-keeper is done to prevent unauthorised use or disclosure ofinformation contained in the record.

Principle 5Information relating to Records kept by Record-keeper

1. A record-keeper who has possession or control of records that contain personalinformation shall, subject to clause 2 of this Principle, take such steps as are, in thecircumstances, reasonable to enable any person to ascertain:

(a) whether the record-keeper has possession or control of any records that containpersonal information; and

(b) if the record-keeper has possession or control of a record that contains suchinformation:

Page 2

Attachment D


(i) the nature of that information;

(ii) the main purposes for which that information is used; and

(iii) the steps that the person should take if the person wishes to obtain accessto the record.

2. A record-keeper is not required under clause 1 of this Principle to give a personinformation if the record-keeper is required or authorised to refuse to give thatinformation to the person under the applicable provisions of any law of theCommonwealth that provides for access by persons to documents.

3. A record-keeper shall maintain a record setting out:

(a) the nature of the records of personal information kept by or on behalf of therecord-keeper;

(b) the purpose for which each type of record is kept;

(c) the classes of individuals about whom records are kept;

(d) the period for which each type of record is kept;

(e) the persons who are entitled to have access to personal information contained inthe records and the conditions under which they are entitled to have that access;and

(f) the steps that should be taken by persons wishing to obtain access to thatinformation.

A record-keeper shall:

(a) make the record maintained under clause 3 of this Principle available forinspection by members of the public; and

(b) give the Commissioner, in the month of June in each year, a copy of the recordso maintained.

Principle 6Access to Records containing Personal Information

Where a record-keeper has possession or control of a record that contains personal information,the individual concerned shall be entitled to have access to that record, except to the extent thatthe record-keeper is required or authorised to refuse to provide the individual with access to thatrecord under the applicable provisions of any law of the Commonwealth that provides for accessby persons to documents.

Page 3Attachment D


Principle 7Alteration of Records containing Personal Information

1. A record-keeper who has possession or control of a record that contains personalinformation shall take such steps (if any), by way of making appropriate corrections,deletions and additions as are, in the circumstances, reasonable to ensure that the record:

(a) is accurate; and

(b) is, having regard to the purpose for which the information was collected or is tobe used and to any purpose that is directly related to that purpose, relevant, up todate, complete and not misleading.

2. The obligation imposed on a record-keeper by clause 1 is subject to any applicablelimitation in a law of the Commonwealth that provides a right to require the correctionor amendment of documents.

3. Where:

(a) the record-keeper of a record containing personal information is not willing toamend that record, by making a correction, deletion or addition, in accordancewith a request by the individual concerned; and

(b) no decision or recommendation to the effect that the record should be amendedwholly or partly in accordance with that request has been made under theapplicable provisions of a law of the Commonwealth;

the record-keeper shall, if so requested by the individual concerned, take such steps (if any) asare reasonable in the circumstances to attach to the record any statement provided by thatindividual of the correction, deletion or addition sought.

Principle 8Record-keeper to check Accuracy etc of Personal Information before use

A record-keeper who has possession or control of a record that contains personal informationshall not use that information without taking such steps (if any) as are, in the circumstances,reasonable to ensure that, having regard to the purpose for which the information is proposed tobe used, the information is accurate, up to date and complete.

Principle 9Personal Information to be used only for Relevant Purposes

A record-keeper who has possession or control of a record that contains personal informationshall not use the information except for a purpose to which the information is relevant.

Page 4Attachment D


Principle 10Limits on Use of Personal Information

1. A record-keeper who has possession or control of a record that contains personalinformation that was obtained for a particular purpose shall not use the information forany other purpose unless:

(a) the individual concerned has consented to use of the information for that otherpurpose;

(b) the record-keeper believes on reasonable grounds that use of the information forthat other purpose is necessary to prevent or lessen a serious and imminent threatto the life or health of the individual concerned or another person;

(c) use of the information for that other purpose is required or authorised by or underlaw;

(d) use of the information for that other purpose is reasonably necessary forenforcement of the criminal law or of a law imposing a pecuniary penalty, or forthe protection of the public revenue; or

(e) the purpose for which the information is used is directly related to the purpose forwhich the information was obtained.

2. Where personal information is used for enforcement of the criminal law or of a lawimposing a pecuniary penalty, or for the protection of the public revenue, the record-keeper shall include in the record containing that information a note of that use.

Principle 11Limits on Disclosure of Personal Information

1. A record-keeper who has possession or control of a record that contains personalinformation shall not disclose the information to a person, body or agency (other than theindividual concerned) unless:

(a) the individual concerned is reasonably likely to have been aware, or made awareunder Principle 2, that information of that kind is usually passed to that person,body or agency;

(b) the individual concerned has consented to the disclosure;

(c) the record-keeper believes on reasonable grounds that the disclosure is necessaryto prevent or lessen a serious or imminent threat to the life or health of theindividual concerned or of another person;

Page 5Attachment D


(d) the disclosure is required to authorised by or under law; or

(e) the disclosure is reasonably necessary for the enforcement of the criminal law orof a law imposing a pecuniary penalty, or for the protection of the public revenue.

2. Where personal information is disclosed for the purposes of enforcement of the criminallaw or of a law imposing a pecuniary penalty, or for the purpose of the protection of thepublic revenue, the record-keeper shall include in the record containing that informationa note of the disclosure.

3. A person, body or agency to whom personal information is disclosed under clause 1 ofthis Principle shall not use or disclose the information for a purpose other than thepurpose for which the information was given to the person, body or agency.

Page 6Attachment D


A TTA CHMENT E

Examples of, and notes about, the operation of the ON

This attachment provides examples of, and notes about, the operation of the Information PrivacyPrinciples. These examples are drawn from the annual reports of the Commonwealth PrivacyCommissioner.

IPP1

• A form which requested information about the financial affairs of the spouse or de-factospouse and dependents of an employee without making provision for the recording of theconsent of the spouse or de-facto spouse and dependents may breach the requirementsof IPP 1.

IPP 2

• The Privacy Commissioner has agreed that, where IPP 2 requires a large amount ofinformation to be included on a form which requests information, IPP 2 will be satisfiedif a leaflet accompanying a form gives the required information about the use anddisclosure practices of an agency.

IPP3

• The form, mentioned above in relation to IPP 1, which requested information about thefinancial affairs of the spouse or de-facto spouse and dependents of an employee, maybreach IPP 3(d) as being an unreasonable intrusion into the affairs of the third partiesconcerned.

IPP 4

• The storage of personal information on thermal facsimile paper which would deteriorateto illegibility over time. This storage practice was in breach of the duty under IPP 4 toensure that a record of personal information is protected against loss.

• A compactus used to store file containing personal information which could not belocked was in breach of the duty under IPP 4 to secure personal information againstunauthorised access.

• The disclosure of arrest information contrary to the rules of the Australian Federal Policewas in breach of IPP 4 given that unauthorised disclosure occurred without there beingadequate security.

Page 1Attachment E


IPP6

• The Commonwealth Privacy Commissioner has a policy of leaving all issues arising inrelation to IPP 6 to be resolved under the Freedom of If formation Act 1982 (Cth).

IPP7

• The Commonwealth Privacy Commissioner has a policy of leaving all issues arising inrelation to IPP 7 to be resolved under the Freedom of Ir formation Act 1982 (Cth).

IPP 10

• The release of the contents of a persons worker's compensation claim to the person'scolleagues by a manager was a breach of IPP 10. Although there may have been a needto discuss some matters in the claim, that did not justify the wholesale disclosure of thestatements made by the person in support of the compensation claim.

]PP 11

• At a function, guests were invited to place their name and address in a visitors' book.There was no indication that this information would be used for any purpose other thanas a record of who attended the function. Subsequently, the names and addresses weremade available to a group who sent the guests promotional material. The disclosure ofthe names and addresses of was in breach of IPP 11.

• The disclosure of superannuation details to the former spouse of a person was in breachof IPP 11.

• Data-matching for law enforcement and revenue protection purposes continues withinthe Commonwealth Government. Although the Commonwealth Privacy Commissionerconsiders. that IPP 11 permits only the disclosure of information in relation toinvestigations about an individual case, he has recognised that in introducing restrictionson the use and disclosure of information by the IPPs the Commonwealth Governmentprobably did not intend to curtail data-matching programs (except where the data-matching involves the use of Tax Files Numbers which is authorised and regulated bythe Data Matching Program (Assistance and Tax) Act 1990).

Page 2Attachment E


A TTA CHMENT F

Draft Cabinet Instruction giving effect to theInformation Privacy Principles (Cwlth)


Cabinet Administrative Instruction 199....

PART I

PRELIMINARY

Short Title

1. This Instruction may be called the "Information Privacy Guidelines Instruction".

Commencement and Application

2. (1) This Instruction will come into effect on ...

(2) Subject to any contrary determination by Cabinet, this Instruction shall apply to -

(i) "the public service" as that term is used in the Public Service Act 1996;and

(ii) any agency or instrumentality of the State of Queensland that is subjectto control or direction by .a Minister.

Exemptions

[to be inserted ....................... ]

PART II


Principles

The principal officer of each agency shall ensure that the following Principles areimplemented, maintained and observed for and in respect of all personal affairsinformation for which his or her agency is responsible:

Page 1Attachment F


Collection of Personal affairs information

(1) Personal affairs information should be not collected by unlawful or unfair means,nor should it be collected unnecessarily.

(2) An agency that collects personal affairs information should take reasonable stepsto ensure that, before it collects it or, if that is not practicable, as soon aspracticable after it collects it, the record subject is told:

(a) the purpose for which the information is being collected (the "purpose ofcollection"), unless that purpose is obvious;

(b) if the collection of the information is authorised or required by or underlaw - that the collection of the information is so authorised or required;and

(3)

(c) in general terms, of its usual practices with respect to disclosure ofpersonal affairs information of the kind collected.

An agency should not collect personal affairs information that is inaccurate or,having regard to the purpose of collection, is irrelevant, out of date, incompleteor excessively personal.

Solicitation of Personal affairs information Generally

Where:

(a) an agency collects personal affairs information for inclusion in a recordor in a generally available publication; and

(b) the information is solicited by the agency

the agency shall take reasonable steps to ensure that the information collected is relevantto the purpose for which the information is collected, is up to date and complete, and thecollection of the information does not intrude to an unreasonable extent upon thepersonal affairs of the individual concerned.

Storage and Security of Personal affairs information

An agency who has possession or control of a record that contains personal affairsinformation shall ensure:

(a) that the record is protected, by such security safeguards as it is reasonablein the circumstances to take, against loss, against unauthorised access, usemodification or disclosure, and against other misuse; and

Page 2Attachment F


(b) that if it is necessary for the record to be given to a person in connectionwith the provision of a service to the agency, everything reasonablywithin the power of the agency is done to prevent unauthorised use ordisclosure of information contained in the record.

Statement of Affairs of Information Collection

(1) An agency who has possession or control of records that contain personal affairsinformation shall, subject to clause 2 of this Principle, take such reasonable stepsto enable any person to ascertain:

(a) whether the agency has possession or control of any records that containpersonal affairs information; and

(b) if the agency has possession or control of a record that contains suchinformation:

(i) the nature of that information;

(ii) the main purposes for which that information is used; and

(iii) the steps that the person should take if the person wishes to obtainaccess to the record.

(2) An agency is not required under clause 1 of this Principle to give a personinformation if the agency is required or authorised to refuse to give thatinformation to the person under the applicable provisions of any law ofQueensland that provides for access by persons to documents.

(3) An agency shall maintain a record setting out:

(a) the nature of the records of personal affairs information kept by or onbehalf of the record-keeper;

(b) the purpose for which each type of record is kept;

(c) the classes of individuals about whom records are kept;

(d) the period for which each type of record is kept;

(e) the persons who are entitled to have access to personal affairs informationcontained in the records and the conditions under which they are entitledto have that access; and

(f) the steps which should be taken by persons wishing to obtain access tothat information.

Page 3Attachment F


(4) An agency shall make the record maintained under clause 3 of this Principleavailable for inspection by members of the public.

Access to Records of Personal affairs information

Where an agency has in its possession or under its control records of personal affairsinformation , the record-subject should be entitled to have access to those records inaccordance with the Freedom of Information Act 1991.

Creation of Personal affairs information

An agency that has in its possession or under its control of personal affairs informationabout another person should correct it so far as it is inaccurate or, having regard to thepurpose of collection or to a purpose that is incidental to or connected with that purpose,incomplete , irrelevant , out of date , or where it would give a misleading impression iaccordance with the Freedom of I formation Act 1991.

Use of Personal affairs information

(1) An agency who has possession or control of a record that contains personalaffairs information shall not use that information without taking such reasonablesteps to ensure that, having regard to the purpose for which the information isproposed to be used, the information is accurate, up to date and complete.

(2) An agency who has possession or control of a record that contains personalaffairs information shall not use the information except for a purpose to which theinformation is relevant.

(3) Personal affairs information should not be used by an agency for a purpose thatis not the purpose of collection or a purpose incidental to or connected with thatpurpose unless:

(a) the record-subject has expressly or impliedly consented to the use;

(b) the agency using the information believes on reasonable grounds that theuse is necessary to prevent or lessen a serious and imminent threat to thelife or health of the record-subject or of some other person;

(c) the use is required by or under law;

(d) the use for that other purpose is reasonably necessary for the enforcementof the criminal law or of a law imposing a pecuniary penalty or for theprotection of the public revenue; or

(e) the purpose for which the information is used is directly related to thepurpose for which the information was obtained.

Page 4Attachment F


(4) Where personal affairs information is used for enforcement of the criminal lawor of a law imposing a pecuniary penalty, or for the protection of the publicrevenue, the agency shall include in the record containing that information a noteof that use.

Disclosure of Personal affairs information

(1) An agency shall not disclose personal affairs information to a third person unless:

(a) the individual concerned is reasonably likely to have been aware thatinformation of that kind is usually passed to that person, body or agency;


(c) the agency believes on reasonable grounds that the disclosure is necessaryto prevent or lessen a serious and imminent threat to the life or health ofthe individual concerned or of another person;

(d) the disclosure is required or authorised by or under law; or

(e) the disclosure is reasonably necessary for the enforcement of the criminallaw or of a law imposing a pecuniary penalty, or for the protection of thepublic revenue.

(2) Where personal affairs information is disclosed for the purposes of enforcementof the criminal law or of a law imposing a pecuniary penalty, or for the purposeof the protection of the public revenue, the agency shall include in the recordcontaining that information a note of the disclosure.

(3) A person, body or agency to whom personal affairs information is disclosedunder clause 1 of this Principle shall not use or disclose the information for apurpose other than the purpose for which the information was given to theperson, body or agency.

PART III

COMPLIANCE WITH PRINCIPLES

Reporting Procedures pursuant to this Instruction

After one year from the date of operation of this Instruction, each principal officer shallfurnish to the relevant Minister, a report detailing:

(a) the action taken to ensure that the Principles are implemented, maintained andobserved in the agency for which he or she is responsible;

Page 5Attachment F


(b) the name and designation of each officer with authority to ensure that thePrinciples are so implemented, maintained and observed;

(c) the result of any investigation and report, in relation to the agency for which heor she is responsible and, where applicable, any remedial action taken orproposed to be taken in consequence.

Agencies Acting Singly or in Combination

6. This Instruction and the Principles shall apply to the collection, storage, access torecords, correction, use and disclosure in respect of personal affairs information whetherthat personal affairs information is contained in a record in the sole possession or underthe sole control of an agency or is contained in a record in the joint or under the jointcontrol of any number of agencies.

Page 6

Attachment F


PRIVACY COMMISSIONER ]cont]

Salary Details: Class Salary f/n Salary p/a Leave Loading Total Basic Payroll Tax Super Total

Privacy Commissioner SES2 (3) 3,068 80,072

Higher Duties

1,882 81,954 4,098 12,006 98,058Director, Policy and Research A08 (3) 2,290 59,774 1,405 61,179 3,059 8,963 73,201Investigations Officer A06 (3) 1,821 47,515 1,117 48,632 2,432 7,125 58,188Research Officer A05 (3) 1,640 42,812 1,006 43,818 2,191 6,419 52,428Research Officer A05 (3) 1,640 42,812 1,006 43,818 2,191 6,419 52,428Executive Assistant A03 (3) 1,219 31,805 747 32,553 1,628 4,769 38,950

11,678 304,791 7,163 311.953 15.598 45,701 373.252

Property Maintenance Details: '

6 officers Rent 88,2095 offices, secretarial desk Electricity 3,000conference room Cleaning 3,500waiting room Security 997library/storage room Waste Disp 4342 car bays Car Bays 6,777200 - 250 sqm Other 2.083

105.000

' Based on the Privacy Commissioner Office being located in the State Law Building

Plant and Equipment Details: No Unit Cost Total Cost Recurrent

Photocopier' 1 9,000 9,000 3,000Computers 6 2,500 15,000

Software 6 700 4,200 1,400ISB Service - PC Replacement 6 1,000 6,000 6,000

File Server (1 gig) 1 8,000 8,000Network Operating System (6 users) 1 1,400 1,400LAN Desk Manager & Network Cards 1 2,000 2,000Office Automation Software 1 2,400 2,400Database Licences (RECFIND) 1 11,000 11,000 3,000Database Installation and Training 1 4,000 4,000Communications Equipment & Installation 1 7,000 7,000

Printers 3 3,000 9,000 3,000Fax 1 3,200 3,200 1,100Pager 1 300 300Fridge 1 500 500Furniture - SES Office 1 5,000 5,000Furniture - Standard Office 4 1,500 6,000Furniture - Secretary/Waiting Room 1 4,000 4,000Furniture - Conference Room 1 5,000 5,000Additional Storage (900x250x2000) 30 400 12,000

$71,900 $115,000 $17,500

Minor Works: °`

Construction - SES Office

No

1

Unit Cost

10,000

Tctal Cost

10,000Construction - Standard Office 4 7,000 28,000Construction - Conference Room 1 10,000 10,000

$27.000 $48,000

Estimate only for contruction and approvals as well as adjustments to lighting,air-conditioning, partitions, signage, computer and phone connections for theState Law Building

Page 2Attachment G


ALLOCATION OF CORPORATE SUPPORT

Program StaffingLevels (a)

Administration of Justice 1,198Criminal Justice 243Legal Services 196Community Affairs 326

Operational Programs 1 963

Corporate Support 136less IT Support (20)less Director-General (6)

Corporate Services 110

Core Corporate Services FTEs/Operational Programs FTEs 5.60%

(a) Staffing levels are from the Ministerial Portfolio Statement 1995196

Additional Staff - Privacy Commissioner 6Corporate Services in FTEs required 0.34

Base Grade ClerkA02 (4) Salary per annum 24,333Salary On-Costs 29.97% 7,291Administration On-Cost 33.39% 8.125

Cost of 1 FTE Corporate Services 39,749

Corporate Services Costs 13,364Support Costs (Database & Help Desk) 20,000

33,364

BreakdownSalaries 17,500Payroll Tax 900Superannuation 2,600Training & Development 600Workers Compensation 300Administration Expenses 11,500

33,400

Page 3Attachment G


DRAFT DISTANCE SELLING CODE OF PRACTICE

Standing Committee of Consumer Affairs Officials

December 1996

11/26/96 11:17 AM

Draft Distance Selling Code of Practice

Index

Page

Part 1. Introduction ...................................................................................................................................... 1

Background and objectives ......................................................................................................................... 1

Application ................................................................................................................................................. I

Exemptions ................................................................................................................................................. I

Adopting the Code ......................................................................................................... ............................. 2

Termination of membership ........................................................................................................................ 2

Interpretation ............................................................................................................................................. 3

Part 11. Fair Trading Requirements ............................................................................................................7

Marketing c laints ...... .................................................................................................................................. 7

Information prior to the formation of the contract ...................................................................................... 8

Information at the time of deliver).y .............................................................................................................. 9

Incentives ................................................................................................................................................. 10

Pyramid sales ........................................................................................................................................... 11

Orders ...................................................................................................................................................... 11

Delivery ...............................................................................:................................................................... I I

Payment ................................................................................................................................................... 13

Right of cancellation ................................................................................................................................ 14

Unordered goods and services .................................................................................................................. 16

Substitute goods or senvices ...................................................................................................................... 16

Cost of returning goods ............................................................................................................................ 17

Part III. Information privacy protection .................................................................................................... 18

Limited definition of 'consumer' ............ ................................................................................................... 18

Acquisition, use and disclosure of personal information .......................................................................... 18

Limitations on the collection , use and disclosure of sensitive information ................................................. 19

Limited applicability ................................................................................................................................ 20

Right to know source of information ......................................................................................................... 20

Access to information and right of correction ........................................................................................... 21

Maintenance of lists ................................................................................................................................. 21

Use of lists ................................................................................................................................................ 23

Draft Distance Selling Code of Practice. 11/26/56 11:17 AM

Part I V. Telemarketing .............................................................................................................................. 24

Identification information ......................................................................................................................... 24

Information to be provided on request ...................................................................................................... 25

Permissible hours of callirt ....................................................... 25

Line disconnection times .......................................................................................................................... 26

Frequency ofcallitt .............................................................................................. 26

Part V. Complaint and Dispute handling procedures ............................................................................... 27

Internal complaint handling procedures ................................................................................................... 27

Referral to external dispute resolution processes ...................................................................................... 27

Data collection ......................................................................................................................................... 27

Staff training ............................................................................................................................................ 28

Part VI. Administration of the code ............................................................................................................ 29

Code Administration Authority ................................................................................................................. 29

Term of Meutbersltip to the CAA ............................................................................................................... 29

Resignation of CAA ntembersltip .............................................................................................................. 29

Performance indicators ............................................................................................................................ 30

Monhoring ............................................................................................................................................... 30

Systemic or recurring contraventions ....................................................................................................... 30

Annual report ........................................................................................................................................... 30

Review ...................................................................................................................................................... 31

Amendtnent ............................................................................................................................................... 31

Education ................................................................................................................................................. 31

Ad»tinistrutive support ............................................................................................................................. 31

Meetings ................................................................................................................................................... 31

Funding .................................................................................................................................................... 31

Appendix 1 - Summary of the statutory warranty scheme ......................................................................... 32

ii


Part 1 . Introduction

Background and objectives

1. By using direct marketing techniques, distance selling has the potential toincrease consumers' choice of, and access to, a wide range of goods andservices. However, features that distinguish distance selling from traditionalretailing suggest that specific rules for distance selling may be appropriate.

This code is intended to enhance the potential for consumers to benefit fromdistance selling, and to improve the market for reputable businesses. Itseeks to do this by:

a. ensuring that consumers have access to the product and serviceinformation they need to make informed choices;

b. promoting ethical sales practices and ensuring that fair trading principlesare complied with;

c. ensuring that consumers have access to appropriate returns policies,complaints procedures and remedies where there is a problem with asale; and

d. protecting consumers' rights to privacy, including freedom fromunreasonable intrusion.

Application

2. This code applies to distance sellers, including charities, that use directmarketing techniques to market goods and services. The code also appliesto businesses engaging in direct marketing, to list users, list owners, listcompilers, and list brokers.

Exemptions

3. The following sales practices, goods and services are exempt from thecode:

a. automatic vending machines;'

' Similar exception in the draft European Union (EU) Directive on the protection of consumers inrespect of contracts negotiated at a distance (distance selling), Article 3(1).


b. automated commercial premises;2 and

c. contracts for the supply of perishable goods.3

4. Part II of this code does not apply in circumstances where a contract isinitiated from a contract solicitation made using a means of communication ata distance but is finalised in the presence of both parties to the contract.4

Adopting the Code

5. A distance seller, direct marketer, list user, list owner, list compiler or listbroker may adopt this code by entering into an agreement with the CodeAdministration Authority (CAA), on terms approved by the CAA, agreeing tocomply with the code and any recommendations made by the CAA.5

Termination of membership

6. A party to the Code may terminate its membership at any time after giving 1months notice to the CAA.

7. The CAA may terminate the membership of a party to the Code with 1months notice to the party in circumstances where , in the opinion of the CAA,

2 Similar exception in the draft EU Directive on distance selling, Article 3(1).

3 The draft EU distance selling directive exempts foodstuffs etc from only the provisions of thedirective relating to the provision of information, the cooling off period, and the time for performance,Article 3(2).

4 This clause ensures that contracts negotiated partly at a distance and partly in person (for example,some companies use telemarketers to make the initial contact, with the contract being finalised inperson) are not excluded from the code. The relevant clauses in the code apply to the parts of thetransaction conducted at a distance. However, in general, the application of the fair trading principlesto such transactions would place businesses using a part distance / part traditional approach at acompetitive disadvantage to other retailers. The working group seeks comments on whether it isappropriate for these part transactions to be excluded from all, or only some, of the provisions in Partll.

Note that if this Code does apply to contracts negotiated partly at a distance and partly in thepresence of both parties, there may be conflicts with the Door to Door Trading legislation in theStates and Territories.

Note also that, because of the definitions of direct marketing and contract solicitation, the Code willnot apply to general advertising where there is no expectation that the transaction will be conductedat a distance.

5 This clause is adapted from the General Insurance Code of Practice (also a voluntary code).

2


the party has consistently contravened the Code and has not made allreasonable endeavours to abide by the Code.

Citation

8. This code may be cited as the Distance Selling Code of Practice.

Interpretation

9. References to singular include references to plural and vice versa.

10. For the purposes of this code:

calling line identity means data generated by a telecommunications networkwhich identifies the originating telephone number.

campaign means a singular course of action organised by a distance seller anddesigned to induce the purchase of particular goods or services.

consumer , unless otherwise indicated, means:

either6

• an individal acquiring goods or services for personal, domestic or householduse; or

• an individual or organisation acquiring goods or services where the value ofthose goods or services is no more than $40 000;

and the goods or services are not acquired for the purpose of resupply, or forthe purpose of using them up or transforming them in trade or commerce.

or

6 The working group seeks comment on the appropriate definition of 'consumer'.

The first option would provide limited coverage for business purposes . The definition is asimplification of that used in the TPA. Businesses would be covered by the code in circumstanceswhere they purchase goods or services for their own use (rather than for resupply or formanufacture). Some members of the working group consider that small businesses are often in asimilar position to consumers when transacting with large organisations.

The second option is to limit the definition of 'consumer' to individuals only. Small business wouldtherefore get no protection from the code. Some members of the working group are of the view thatbusinesses are well equipped to deal with unscrupulous traders, and that the code should focus onthose that are the least vulnerable.

3


• an individual purchasing goods or services of a kind ordinarily acquired forpersonal, domestic, or household use or consumption.

Consumer also includes a prospective consumer.

continuing series of goods or services includes:

• periodic distribution of distinct goods or services to a consumer; and

• periodic distribution of goods or services to a consumer where the goods orservices are not complete until the final instalment is distributed.

contract solicitation means any form of communication, whether public orpersonalised, including all the elements necessary to enable the recipient toenter directly, or to offer to enter directly, into a contract that is intended to benegotiated and concluded through a means of communication at a distance.

direct marketer means any individual or organisation who engages in directmarketing, and includes a telemarketer.

direct marketing means the marketing of goods or services through a means ofcommunication at a distance where:

(a) consumers are invited to respond using a means of communication at adistance; and

(b) it is intended that the goods or services be supplied under a contract negotiatedthrough a means of communication at a distance.7

distance seller means an individual or organisation contracting or intending tocontract for the sale of goods or services to a consumer where the consumer iscontacted through direct marketing. A distance seller may also be a direct

marketer.

list means an aggregation of personal information that may be used for directmarketing purposes.

list broker means any individual or organisation who facilitates the use by listusers of lists owned by third parties for the purpose of direct marketing.

7 The Standing Committee of Officials of Consumer Affairs (SCOCA) has directed that the Code beconfined to distance selling, and exclude matters such as market research, surveying , polling andfund raising . This definition of direct marketing should ensure that general advertising, whereconsumers are expected to visit the store of the retailer concerned to purchase the goods or servicesadvertised , will not be covered.

4


list compiler means any individual or organisation who compiles a list.

list owner means any individual or organisation who owns a list and who usesthe list for the purpose of direct marketing, or who sells, rents, exchanges, orotherwise disseminates the list.

list user means any individual or organisation who uses a list for the purpose ofdirect marketing.

means of communication at a distance means any method permitting theexchange of information between a consumer and a distance seller not in thepresence of one another. Such means include, but are not confined to:

unaddressed printed matter

addressed printed matter

standard letter

advertising in the print media

radio advertising

television advertising

catalogues

telephone with human intervention

telephone without human intervention8

videophone (telephone with screen)

videotext (microcomputer and television screen, with keyboard, remotecontrol or touch screen)

electronic mail

the Internet

facsimile machine9

8 Note that the draft EU directive on distance selling provides that this means of communication canonly be used with the prior consent of the consumer (Article 10(1)).

5


• video/audio cassettes

outbound telemarketing call means a telephone call initiated by a telemarketeror by an automatic dialler mechanism that is designed to induce the purchase ofgoods or services.

personal information means information or an opinion (including information oran opinion forming part of a database), whether true or not, and whetherrecorded in a material form or not, about an individual whose identity isapparent, or can reasonably be ascertained, from the information or opinion.10

public sources means information that is generally available to members of thepublic, whether in printed or other form.

rents includes leases and hires.

restricted goods or services means goods or services that are, byCommonwealth, State or Territory legislation, prohibited from being sold topersons under a particular age.

statutory warranties includes statutory warranties and statutory conditions.

telemarketer means any individual or organisation who engages intelemarketing.

telemarketing means all activities that relate directly or indirectly to directmarketing and which involve the use of a telephone, facsimile machine, or othercustomer equipment connected to a telecommunications network to contact aconsumer.

9 Similarly, under the draft EU directive, this means of communication can only be used with theprior consent of the consumer (Article 10(1)). Additionally, Article 10(2) provides that other means ofcommunication at a distance can be used only if there is no clear objection from the consumer.

10 This definition is identical to that used in the Privacy Act (Cth). An alternative definitionsuggested is one derived from the EU Data Protection Directive - 'information relating to an identifiedor identifiable person '. The complete EU definition for personal data in this directive is:

'Any information relating to an identified or identifiable natural person; an identifiable person is onewho can be identified, directly or indirectly, in particular by reference to an identification number or toone or more factors specific to his [sic] physical, physiological, mental, economic, cultural or socialidentity.'

The working group welcomes comments on the most appropriate definition.

6


Part II. Fair Trading Requirements

Marketing claims

11. The distance seller or direct marketer shall not make false or misleadingclaims about an offer delivered through direct marketing whether by words,omission11, illustration or any other means.12 Among other things:

a. making false or misleading comparisons about price or quality,13

b. quoting scientific or technical data in support of a claim unless the datacan be readily substantiated;14

c. using false or misleading testimonials;15

d. advertising courses of instruction and implying the promise ofemployment or remuneration where this cannot be guaranteed;16

e. promising outcomes where those outcomes have no safe scientific,medical or performance bases;

overstating security risks-17 and

11 Note that the inclusion of the term "omission " goes further than the TPA 's (TPA) writtenprovisions although the case law makes it clear that a communication can be misleading because ofan omission.

12 Similar to part of the Australian Direct Marketing Association's (ADMA) Standards Part 1, section1(b); the ADMA Standards do not include the word 'omission'.

13 Similar to part of ADMA Standards Part 1, section 1(b).

14 Similar to ADMA Standards Part 1, section 1(c).

While experience with distance selling solicitations suggests that this provision is necessary it shouldbe noted that no similar requirement applies to traditional sales methods and it could be claimed toplace distance sellers at a competitive disadvantage. This situation will change though if theproposed amendments to the TPA are accepted. Under these the onus would be on the supplier toproduce evidence in support of such claims when challenged in court.

15 Similar to ADMA Standards Part 1, section 1(d).

16 Similar to ADMA Standards Part 1, section 1(i).

17 Similar to ADMA Standards Part 1, section 1(j).

7


g. describing goods or samples as "free" unless the goods or samples aresupplied at no cost or no extra cost to the consumer other than actualpostage/carriage when specified,18

are prohibited.

Information prior to the formation of the contract"

12. Prior to the formation of the contract the consumer must be given clear,unambiguous and easily accessible information, in any way appropriate tothe means of communication and the reasonably anticipated audience,covering:

a. the name of the relevant distance seller and a street address at which itcan be contacted. (A post office box, facsimile or telephone number, oran electronic mail address will not suffice as a street address.);20

b. the total price of the goods or services, including any delivery charge andany other fee or charge for which the consumer would be liable under thecontract;21

18 Similar to ADMA Standards Part 1, section 3(a).

19 Note that the draft EU directive on distance selling requires information to be given at the timethat the custom is solicited (Article 6), although some exceptions are made in the case of contractsolicitation by television (Article 7).

The working group understands that the time of formation is the time when the acceptance of anoffer is conveyed to the offerer. The requirement that the information be provided at any time priorto the formation of the contract gives some flexibility about the manner and timing of the provision ofthe information. It will therefore not be necessary for all the information contained in this clause tobe provided in a television or radio advertisement, as long as the information is provided before thecontract is formed.

20 Similar to ADMA Standards Part 1, section 2(a)(i).

There are some concerns that the requirement for a street address may not reflect the growingimportance of on-line services for marketing and selling goods and services. The working groupwould prefer that the code be technologically neutral. However, past consumer experience withsome direct marketers has shown that, without a street address, consumers may not be able tocontact the supplier if there is a problem with the order or delivery. The requirement for a streetaddress is also intended to discourage 'fly-by-night' businesses.

The working group seeks comment on whether it is necessary to provide a street address. Note thatthe draft EU directive on distance selling requires a street address to be provided in writing at orbefore the time of delivery (Article 5(1). One solution might be to require a street address only wherepayment is required before the goods or services are delivered.

8


c. the delivery arrangements;22

d. all material restrictions, limitations or conditions to purchase;23

e. the period, if any, for which the contract solicitation remains valid.24

Parts III and IV of this code also include additional requirements for theprovision of information to consumers.

Information at the time of delivery

13. No later than at the time of delivery, or in cases where delivery is to beeffected in stages, the time of the first delivery, the consumer shall receiveat least the following information in writing, in a clear and unambiguous styleand in the same language as was used in the contract solicitation:

a. the name and contact details, including at least the street address, of thedistance seller and the direct marketer where consumers can makeinquiries or complaints, or can return goods or cancel contracts;25

b. payment arrangements, including any credit terms, or terms for paymentby instalments-,26

all restrictions, limitations, or conditions to purchase;

d. any safety or care warnings required by any applicable law to accompanythe goods or services and, where necessary, instructions for proper use;and

e. refund, cancellation, and exchange rights and procedures.27

21 Similar to US Telemarketing Rules, section 310.3(a)(1)(i) (which is for telemarketers only) anddraft EU directive on distance selling, Article 4(1).

22 Similar to draft EU directive on distance selling, Article 4(1).

23 Similar to US Telemarketing Rules, section 310.3(a)(1)(ii) (which is for telemarketers only).

24 Similar to draft EU directive on distance selling, Article 4(1).

25 Similar to EU draft directive on distance selling, Article 5(1).

26 Similar to ADMA Standards of Practice Part 1, section 1(h) and EU draft directive on distanceselling, Article 5(1).

27 Similar to EU draft directive on distance selling, Article 5(1).

9


Incentives

14. The terms on which rewards, prizes or gifts are offered must be clearlystated, including whether distribution is conditional upon order or.purchaseof other goods or services.2

15. A reward, prize or gift shall not be described as "free" if the good or serviceto be purchased is increased in price or decreased in quality as a result ofthe premium offer.29

16. Rewards, prizes or gifts should be forwarded within such period as may bestated in the promotion, or within 30 days if no time period is stated, andshould be forwarded even if the distance seller becomes unable to supplythe advertised product or service.30

17. Contests or lotteries shall not be used as marketing incentives unless31

a. the rules governing the contest or lottery, including any conditionsassociated with receiving the prize, are clearly disclosed at the point ofentry;

b. all advertised prizes are awarded as described in the rules for the contestor lottery;

c. the judging takes place promptly, and fairly, and is certified by anindependent auditor;

d. the results of the contest or lottery are readily available to participatingconsumers who wish to receive them;

e. the conditions of entry clearly state when contestants' names andaddresses will be used for the purpose of targeting future contractsolicitations at a distance and give them the opportunity to indicate thatthey do not wish to receive any such offers. The fact that a consumer has

28 Similar to ADMA Standards of Practice, Part 1, section 3(b). Note that section 54 of the TPArequires companies to provide rewards etc as offered.

29 Provides an example of what would be covered by s52 of the TPA. Also approximately similar toADMA Standards of Practice, Part 1, section 3(d).

30 Partly covered by TPA s54, with the exception of the 30 day time limit. Also similar provision,minus the 30 day time limit , in ADMA Standards of Practice , Part 1, section 3(e).

31 All of the rules similar to the ADMA Standards (Part 1, section 3(f)), although note that the lastsubparagraph has been extended slightly.

10


indicated that he or she does not wish to receive any such offers shall notaffect their ability to enter the contest or lottery nor affect the odds of theirreceiving any prize offered.

The conduct of contests and lotteries is also governed by separate Stateand Territory laws.32

Pyramid sales

18. No distance seller or direct marketer shall operate or be involved in any kindof "pyramid selling" or "referral selling" scheme as defined in sections 61and 57 of the Trade Practices Act.

Orders

19. Distance sellers shall have appropriate procedures in place to minimise thesale of restricted goods or services to minors.33

20. For the purposes of clause 19, the definition of 'minor' in the restrictinglegislation is to apply.

Delivery

21. Unless the promotional material specifically warns of limited stocks, thedistance seller shall not offer particular goods or services for sale untilsufficient stock is available, or reasonably expected to be available, to meetthe reasonably foreseeable demand.31

22. The distance seller shall deliver all orders placed as the result of a contractsolicitation within such time period as is clearly stated in the promotion. In

32 The working group has sought to be consistent with State and Territory laws governing contestsand lotteries. The working group understands that these requirements go beyond Victoria's laws.However, there is some suggestion that the relevant Victorian laws could be amended. For the mostpart, the code provisions are similar to the relevant NSW provisions.

The Working Group also notes that a National Working Party has been formed to work towardsuniform laws in this area.

33 Similar to ADMA's Standards of Practice, Part 1, section 4(d).

34 Clause generally similar to sections 56 and 58 of the TPA. Also similar to ADMA Standards ofPractice, Part 1, section 5( a)(i).

11


the absence of any stated period , delivery is generally to be effected within30 days of the receipt of the order.35

23. When , for whatever cause, an order cannot be. delivered within the timeperiod stipulated in the offer , or 30 days where no . period is so specified, anacknowledgment of the order shall be sent to the consumer. Thisacknowledgment shall state the date at which the order is expected to bedelivered and the reason for the delay . The distance seller shall also offerthe consumer the option of cancelling the transaction and receiving a fullrefund of any money paid.36

24. If, when the revised expected date of delivery arrives, the distance seller isstill unable to supply the goods or services , the distance seller shall either:

a. advise the consumer that it is unable to fulfil the order and refund theconsumer any money paid; or

b. send a further communication to the consumer (enclosing a reply paidpostcard if the communication is done by mail ) stating a new revisedexpected date of delivery and offering to cancel the proposedtransaction and to refund any money paid.37

25. If the new revised anticipated date arrives and the distance seller is stillunable to deliver the goods or supply the service , the procedure set out inclause 24 shall be repeated until such time as the goods are delivered, oruntil the transaction is cancelled and any monies refunded.38

26. Any commitment by a consumer to receive a continuing series of goods orservices shall be subject to the following conditions:

a. the option to cancel this continuing series of goods or services shall beavailable to both parties at all times with reasonable notice (subject to thedischarge of any outstanding commitment); and

35 Similar to draft EU directive on distance selling , Article 7(1). There, performance of the contract isto occur within 30 days of the order being received unless the parties have agreed otherwise.

36 Similar to ADMA Standards of Practice, Part 1, section 5(b)(i). Under the draft EU directive ondistance selling, a distance seller must advise the consumer if they cannot fulfil the contract becausethe goods or services are unavailable, and the consumer must be able to get a refund within 30 days(Article 7(2)). Under the Sale of Goods Acts , goods must be delivered within a reasonable time.

37 Similar to ADMA's Standards of Practice, Part 1, section 5 (b)(ii).

38 Similar to ADMA 's Standards of Practice, Part 1, section 5(b)(iii)

12


b. the distance seller shall refund any money it has received at the time ofcancellation for goods, services or postage which have not beenprovided.39

Payment

27. Prepayment for goods or services may not be presented for payment to afinancial institution until the distance seller has possession of the goods, orthe first instalment of the goods, or immediate access to the services or tothe first instalment of the services, and there is no impediment to thedistance seller fulfilling the order.40

39 Similar to ADMA's Standards of Practice, Part 1, section 5(d).

40 This approach addresses the problem of suppliers using payments to fund stock purchases butdoesn't present them with the credit problems associated with not being able to process paymentsuntil after the order is filled. Note that this provision goes slightly further than s58 of the TPA thoughit is aimed at the same problem. It avoids the evidence problems associated with s58. It is alsosimilar to ADMA Standards of Practice, Part 1, section 4(e), although that section only applies tocredit transactions. Note that an early version of the draft EU directive on distance selling avoidedthis problem by preventing sellers from requiring payment before delivery or performance. However,that article has since been deleted.

There may also be a need for some additional provisions here to deal with fraud preventionmechanisms, eg with payment over the Internet. The working group seeks comments on thisissue. One possibility, which would require close consultation with card issuers, would be toadopt the EU provision which provides that:

Member States shall ensure that appropriate measures exist to allow a consumer:

to request cancellation of a payment where fraudulent use has been made of his [sic]payment card within the context of distance contracts covered by this Directive,

in the event of fraudulent use, to be recredited with the sums paid or have themreturned

(Article 8).

Others have suggested that other worthwhile clauses could include stating that the amount debitedmust not exceed the purchase price of the goods, and requiring merchants to delete credit carddetails from a consumer's records after the transaction has been processed.

13


Right of cancellation

28. For any contract initiated through direct marketing, consumers shall have aperiod of not less than 7 working days in which they may cancel thecontract.41

29. In the exercise of this right, the period of not less than 7 working days shallbegin:

a. for goods, from the deemed or actual date of receipt of the goods by theconsumer. The consumer will be deemed to have received the goods 3days after they were dispatched unless the consumer can prove that theywere received on a later date or the distance seller can prove they weredelivered at an earlier date.

b. in the case of periodic distribution of goods that are not complete until thefinal instalment is distributed, on receipt of the final instalment.

c. in the case of periodic distribution of distinct goods, on receipt of the firstinstalment.

d. for services, without prejudice to clause 32, from the time the contract tosupply the services is made.

30. A contract initiated through direct marketing may also be cancelled at anytime before the goods or services are dispatched to the consumer.

31. Cancellation of the contract occurs when the consumer initiates either thereturn of the goods in their original condition, or the advice of thecancellation of the contract for services. A good remains in its originalcondition even if the packaging has been removed or tampered with.42

41 Similar to draft EU Directive on distance selling, Article 6(1). However, the EU directive providesfor a 3 month cooling off period if Article 5 (provision of information at or before delivery) is notcomplied with. Note also that door to door trading legislation (which may be applicable totelemarketing) provides a cooling off period of 10 days.

ADMA is opposed to any requirement for a cooling off period in respect of distance selling.

42 Note that the door to door trading legislation provides that cancellation of the contract occurs whenthe consumer sends the prescribed notice to the trader. The consumer is only required to return thegoods if the trader demands them.

14

Draft Distance Selling Code of Practice . 11/26/96 11:17 AM

32. Clause 28 shall not apply to:43

a. services , if performance has begun before the end of the period of sevenworking days; 44

b. transactions concerning securities and other products or services theprice of which is dependent on financial market fluctuations which cannotbe controlled by the distance seller;

c. made -to-measure products or clearly personalised products;

d. products which can be immediately copied, including books , magazines,computer software , cassettes , videos and CDs that are supplied with awrapping or seal, unless the product 's immediate wrapping or seal isunbroken;

e. personal health or hygiene products where any wrappings or seals havebeen tampered with; and

f. products which by reason of their nature cannot be returned or are liableto deteriorate rapidly.

33. The distance seller shall refund any monies already paid by the consumerwithin 7 days of the distance seller receiving returned goods or notice ofcancellation of the contract.'

Separate Commonwealth , State and Territory laws also require all sellerss toprovide additional rights of cancellation for purchase of consumer goods orservices (see Appendix 1).

43 All exceptions apart from ( e) are similar to the exceptions in the draft EU directive on distanceselling, Article 6(3).

as Need an exception to this. For example , what happens if a consumer checks out a service suchas a complex telephone plan and sees upon closer inspection that the service is not right for them.Maybe drop (a), have the cooling off period apply , but the consumer to be charged for that part of theservice which has been used. An alternative could be that which is used in the door to door tradinglegislation of some jurisdictions . The legislation prohibits the supply of services until after the coolingoff period has expired. The working group seeks comments on this issue.

45 Note that some door to door trading legislation requires repayment within 7 days after exercisingthe cancellation of the contract. Victoria's legislation requires payment 'forthwith' after cancellation.

15

Draft Distance Selling Code of Practice. 11/26!96 11:17 AM

Unordered goods and services

34. Distance sellers shall not claim payment for unordered goods or servicesunless they have reasonable cause to believe that they are entitled to claimpayment for the goods or services supplied.46

35. Consumers who have been supplied unordered goods or services shall nothave to pay for those goods or services.47

36. Subject to clause 38, consumers who have been supplied unordered goodsshall become the owner of the goods after:

(a) 1 month of advising the distance seller that the goods were not orderedand of an address where the goods can be collected; or

(b) 3 months of receiving the goods;

whichever is the sooner, unless the distance seller takes possession of thegoods before this time has expired.`

37. During the time period referred to in clause 36, the distance seller maycontact the consumer to make reasonable arrangements for takingpossession of the goods.

38. Distance sellers are entitled to take possession of goods in circumstanceswhere the consumer to whom they were delivered knew, or should haveknown, that the goods were not intended for them. This right to takepossession of the goods must be exercised within a reasonable time period,and after making reasonable arrangements with the consumer.49

Substitute goods or services

39. A distance seller that cannot supply exactly the same good or service asspecified by a consumer may supply a substitute good or service of similarkind,-quality and price.

46 Similar effect as TPA s 64(1). Also similar to ADMA Standards of Practice, Part 1, section 4(a).

47 Similar effect as TPA s64(4).

48 Similar effect as TPA s65(2), (3), and (4).

49 Similar effect as TPA s65(3).

16


40. If the distance seller supplies a substitute good or service, it must clearlyinform the consumer of their. right to return the good or cancel the service ifthey are dissatisfied with the substitution, and of the time frame for doing so.The time frame for returning the good or cancelling the service shall be noless than that provided in clauses 28 and 29.50

41. Clause 40 shall not apply to:51

a. services, if performance has begun before the end of the period of sevenworking days;

b. transactions concerning securities and other products or services theprice of which is dependent on financial market fluctuations which cannotbe controlled by the distance seller;

c. made-to-measure products or clearly personalised products;

d. products which can be immediately copied, including books, magazines,computer software, cassettes, videos and CDs that are supplied with awrapping or seal, unless the product's immediate wrapping or seal isunbroken;

e. personal health or hygiene products where any wrappings or seals havebeen tampered with; and

f. products which by reason of their nature cannot-be returned or are liableto deteriorate rapidly.

Cost of returning goods

42. Where a consumer exercises his or her right to cancel the contract underclauses 28 or 40, the consumer shall bear the cost of returning any goods.52

43. Where a consumer exercises his or her right to return goods because of abreach of a statutory warranty, the distance.seller shall bear the cost ofreturning the goods.

50 Similar provision in draft EU directive on distance selling , Article 7(3).

51 See notes accompanying clause 33.

52 Some members of the working group consider that in the case of substitute goods, the distanceseller should bear the cost of return. The working group seeks comments on whether this would beappropriate.

17


Part III . Information privacy protection

Limited definition of `consumer'

44. In this Part, `consumer' refers only to an individual.

Acquisition , use and disclosure of personal information53

45. At or before the time personal information is collected from a consumer, theorganisation collecting the personal information must disclose the primarypurpose for collecting the personal information if that purpose is not obvious.

46. At or before the time personal information is collected from a consumer, theorganisation collecting the personal information must also disclose anysecondary purpose.54

47. If there is a delay between the collection of personal information and thenotice about a secondary purpose, the personal information must not beused for the secondary purpose until the notice of the secondary purposehas been received by the consumer. If the notice is delivered by mail, theconsumer will be deemed to have received the notice 3 days after it wassent, unless the consumer can prove that it was received at a later date, orthe organisation. collecting the personal information can prove it wasreceived at an earlier date.

48. At the time the secondary purpose is being notified to the consumer, theconsumer must be offered a chance to refuse to allow their information to beused for the secondary purpose. This offer must be clear and, if made inwriting, placed as close as possible to the information being collected.

49. Any purpose required to be disclosed under clause 45 or 46 must bedisclosed as follows:

(a) if the personal information is being collected by interactive means(including, but not limited to, orally), the purpose(s) must be given at the

53 The following provisions do not address the issue of collection and use of information frompublicly available sources. In its final report , the original direct marketing working group noted thecomplexities raised by this issue and suggested that the Ministerial Council on Consumer Affairs(MCCA) should request the Commonwealth Minister responsible for Consumer Affairs to refer thisissue to a Parliamentary Committee for inquiry. This working group also supports such an approach.

54 Privacy agencies on the working group are of the view that consumers should also be advised ifinformation collected will be used for internal direct marketing purposes.

18

Draft Distance Selling Code of Practice. 11/26 /96 11:17 AM

time of collection or in the first written communication given to theconsumer after that collection;

(b) if the personal information is being collected in writing, the notice aboutpurpose(s) must be clearly expressed and must be placed as close aspossible to the personal information being collected.5

50. In this Part, a primary purpose includes use of personal information forinternal direct marketing purposes.

51. In this Part, a secondary purpose includes the use of personal informationby a third party, including a related company or business, for directmarketing purposes, and the disclosure of personal information to a thirdparty, including a related company or business, where that personalinformation is to be used for direct marketing purposes.56

Limitations on the collection, use and disclosure of sensitive information

52. List compilers, owners and users must not collect or use personalinformation concerning57 a consumer's racial origin, political opinions oraffiliations, trade union membership, religious beliefs, sexual preferences orhealth unless the proposed use of such information is clearly andunambiguously disclosed before collection or use and the consumer givesexpress consent.58

55 This clause expresses an 'opt out' approach to seeking consumer consent to the disclosure ofinformation. The Privacy Commissioner's office, however, is of the view that an 'opt in' approachshould be used when information is to be disclosed to a third party. The working group seekscomments on this issue.

56 ADMA strongly objects to any provision that interferes with the relationship between a companyand its own customers. It considers that this clause should not apply to related third partycompanies.

The Privacy Commissioner's office also consider it important to include in this section of the code aprohibition on organisations requiring consumers to consent to use as a condition of receiving goodsor services, at least in cases where prizes or gifts are not involved. The working group seekscomments on this issue.

57 It has been suggested that this provision be extended to 'all sensitive personal informationincluding ...", listing the categories we currently have. Would it provide direct marketers withsufficient guidance on what constitutes sensitive information? If this amendment were to be made,what might be an appropriate definition for 'sensitive information'?

58 Similar to EU Data Protection Directive Clause 8.

19


This clause does not apply to the collection or use of personal informationthat can be inferred from the basis of a consumer's name.59

53. Lists containing personal information on a consumer's racial origin, politicalopinions or affiliations, trade union membership, religious beliefs, sexualpreferences or health shall not be disclosed to third parties unless theconsumer concerned explicitly consented.

Limited applicability

54. Clauses 45 - 51 do not apply in circumstances where personal informationwas collected and compiled before [date to be inserted] until 3 years havepassed since that date.60

Right to know source of information

55. Upon request from a consumer, a list user, compiler, owner or broker shalladvise the consumer of the source from which that consumer's personalinformation was obtained.61 If the party contacted by the consumer is notable to supply this information, that party shall seek advice about the sourceof the personal information from other parties associated with the list onwhich the personal information is contained. Any such party shall cooperatewith such a request.62

56. If a list compiler uses personal referrals as a source of information, it must,before incorporating the personal information into the list, get permissionfrom the referrer for their name to be disclosed in accordance with clause 55as the source of the personal information.63

59 This second paragraph was inserted to ensure that clause 52 does not apply to the collection ofnames by themselves (even though sensitive information, such as a consumer's racial origin, maybe inferred from a name alone).

60 This clause is based upon section 9 of the New Zealand Privacy Act. Note that it will probablyonly work if there is an uniform starting date for the code in all States and Territories. The PrivacyCommissioner's office is also concerned that a period of three years is unnecessarily long.

61 The first section of this clause is similar to ADMA Standards of Practice, Part 2, section 4.

62 It has been suggested that this clause also needs to deal with the situation where the list user,compiler, broker or owner is not able to provide this information. One solution might be to place anobligation on list compilers to maintain historical details of the source of personal information. Theworking group would appreciate any suggestions on the best way of dealing with this issue.

63 This clause was added at the suggestion of a meeting of Commonwealth, State and Territory, NewZealand and United Kingdom privacy officials.

20


Access to information and right of correction

57. On request from a consumer, the list user, compiler, broker or owner shallprovide the consumer with complete details of all of that consumer'spersonal information that is held by the list user, compiler, broker, or ownerwhere that information is used, or intended to be used, for direct marketingpurposes, and is stored in such a way that it can be readily retrieved.64

58. A consumer may request amendment of his or her personal information heldby a list user, compiler, broker or owner. If the request is made to the listuser, compiler or broker they shall also ensure that the consumer's requestis forwarded to the list owner. Where practicable, the list owner shallforward the consumer's request to other list users.

59. A list user, compiler, broker or owner that has been advised of a consumer'srequest that his or her personal information be amended must either makethe amendments on the relevant lists, or, if not willing to make theamendments, annotate the list to show the disagreement.65

60. A list user, compiler, broker or owner shall not charge a consumer forexercising their right of access to his or her personal information intendedfor use in direct marketing, or for exercising their right to request thatinformation be amended.

Maintenance of lists

61. Upon receiving advice that a particular consumer wishes no further contactfrom direct marketers the list compiler, user, broker or owner to whom theadvice is directed must:

a. remove or mark in some way the consumer's personal information onrelevant lists in its possession or control to ensure no further contact ismade with the consumer;66 and/or

b. 'add the consumer's name to its 'do not contact' list of consumers; and

sa Also reflects Information Privacy Principle 6 of the Privacy Act and Article 12(1) of the EU DataProtection Directive

65 Clauses 58 and 59 reflect Information Privacy Principle 7 of the Privacy Act and Article 12(2) ofthe EU Data Protection Directive. Note that Article 12(3) of the EU directive also requiresamendments to be passed on to others who may be using the list, unless impossible orunreasonable.

ss Similar to ADMA Standards of Practice Part 2 section 2.

21


c. where applicable, advise the list owner that the consumer wishes nofurther contact by direct marketers.

62. Subject to clause 64 , a list user shall not contact a consumer for.directmarketing purposes where that consumer's information has been deleted ormarked as wanting no further contact on a list to be used for that purpose,or is included in the list user's 'do not contact' list.

63. When advised by a consumer that he or she wishes no further contact withdirect marketers in general , the list user , owner , compiler or broker to whomthe advice is directed must inform the consumer about the existence of anynational preference scheme /s and explain both the purpose of suchscheme/s and how to register with it/them.

64. Notwithstanding clauses 61 and 62, a merchandiser may send directmarketing material to a consumer who has requested no further contact ifthe direct marketing material from that merchandiser is included withmaterial that is being sent to the consumer for non -direct marketingpurposes and it is not practicable to prevent the direct marketing materialfrom being included in the mailing.67

65. If advice is given that a consumer wishes no further contact from a particulardirect marketer , clauses 61 and 62 shall be interpreted accordingly.

66. For the purposes of clauses 61 and 62 the period for which there shall beno contact shall be:

(a) 12 months from the date of the request;68 or

(b) indefinitely , where a consumer specifically requests no further contactfrom a particular merchandiser;

unless the consumer requests to have such contact resumed before then.

67. List users , compilers, brokers and owners shall check, at least quarterly,their lists against any national data base established to register the namesof consumers who do not wish to have their personal information includedon direct marketing lists. All names registered with that national data base

67 Privacy agencies in the working group object to this clause , noting that businesses should beencouraged to meet consumer requests. The working group seeks comments.

68 The Privacy Commissioner's office has suggested that the default time period should be 2 years.They do not consider a 12 month period to be sufficient, given that the obligation for organisations tocheck names against the national data base is only quarterly. The working group seeks comment onwhat an appropriate time period would be.

22

Draft Distance Selling Code of Practice. 11/26,96 11:17 AM

shall be removed or marked in accordance with the procedures in-clause 61.

68. List users, compilers, brokers and owners shall implement reasonablesecurity safeguards to ensure that personal information is protected againstloss; unauthorised access, use, modification, or disclosure; or other misuse.List users, compilers, brokers and owners shall ensure that their agents andcontractors also implement reasonable security safeguards to protectpersonal information.69

Use of lists

69. The list owner or broker shall be informed of the use to which a list is to beput prior to selling, renting, exchanging, or otherwise disposing of the list,unless the personal information on the list has been obtained from publicsources.70

70. List compilers must have procedures in place to help prevent offers suitableonly for adults being sent to minors.71

ss Reflects Information Privacy Principle 4 of the Privacy Act and Article 17(1) of the EU DataProtection Directive.

70 Is this provision workable in practice? For example, a person who buys a list may not know at thetime of purchase all of the uses to which they plan to put the list. Commercial in confidence issuesmay also arise. The working group seeks comments.

71 Similar to ADMA Standards of Practice Part 2, section 1.

23


Part IV . Telemarketing72

71. This Part of the code covers additional requirements for persons engagingin telemarketing.

Identification information

72. At the earliest possible opportunity in an outbound telemarketing call,telemarketers shall:

a. identify themselves;73

b. identify the distance seller they represent;74

c. clearly state the purpose of the call;75 and

d. if calling from outside of Australia, state the country from which they arecalling.76

73. When making an outbound telemarketing call, a telemarketer shall not blockthe transmission of the calling line identity to the receiving service.

74. The name, address and telephone number of the distance seller and, wheredifferent, the telemarketing organisation, must be in a telephone directory,or, if a new listing, available through a Directory Assistance Service.

72 The working group 's understanding of the application of State and Territory door to door tradinglegislation to telemarketing is discussed in the attached paper . Note that , as the door to door tradingrequirements are found in Acts of Parliament , any conflict between this code and the door to doortrading legislation will be resolved in favour of the legislation . Where the legislation does apply totelemarketing , telemarketers will have to comply with the legislation , regardless of what the Codeprovisions are.

73 Similar to ADMA Standards of Practice Part 1, section 2(a)(ii).

74 Similar to US Telemarketing Rules 310.4(d)(1) and ADMA Standards of Practice Part 1, section2(a)(ii).

75 Similar to US Telemarketing Rules 310.4(d)(2).

76 It is recognised that there are jurisdictional problems involved with this provision but it is thoughtworth trying to include it. As we understand it, there is nothing preventing us including this provision,however, it would be very difficult to enforce.

24


75. Where the purpose of the call is to sell a good or service telemarketers shallnot represent that they are undertaking market research-77

Information to be provided on request

76. When telemarketers contact a consumer they shall, at the request of theconsumer, provide the following information:

a. the telemarketer's name, contact details, including at least its telephonenumber and street address, and the name of a person within theorganisation who is responsible for handling consumer complaints; and

b. details of the source from which the telemarketer or distance sellerobtained the consumer's personal information.

Permissible hours of calling

77. Without a consumer's consent, a telemarketer shall not make an outboundtelephone or Automatic Calling Equipment call to contact a consumer before8 am or after 9 pm local time at the consumer's location or on the followingpublic holidays:

- Christmas Day,

- Good Friday, and

- Easter Sunday.78

77 Similar to ADMA Standards of Practice Part 1, section 1(I)(vi).

78 Similar to ADMA Standards of Practice Part 1, section 1(I)(i), although Standards allow calls atother hours if the caller has justifiable reason to believe that calls at other times would be moreacceptable/convenient to the consumer. Also implements the recommendation of the Austel PrivacyAdvisory Committee in its report on telemarketing. Under the US Telemarketing rules, calls arepermitted between 8am and 9pm on any day (310.4(c)). The requirements under door to doortrading legislation (which may apply to telemarketing) in some States and Territories are moreonerous and would conflict if they apply to telemarketing (see attached paper on door to doortrading).

The issue of which days should be included in this clause was debated in the first working group andin the Austel report. However, some members of this working group are uncomfortable with the factthat non-Christian religions are not considered. The working group seeks comments on whether callsshould be prohibited on particular days, and if so, what those days should be.

25


Line disconnection times

78. Where a telemarketer uses the telephone to contact a consumer, thetelemarketer shall release the line within 5 seconds of the consumerhanging up or otherwise indicating that he or she requires the telemarketerto release the line.

Frequency of calling

79. A telemarketer, or its agents, shall not contact a consumer more than oncein any 30 day period for the same or similar campaign without thatconsumer's prior consent.

26

Draft Distance Selling Code of Practice . 11/26,96 11:17 AM

Part V. Complaint and Dispute handling procedures

Internal complaint handling procedures

80. Each distance seller, direct marketer and list owner shall have in placeprocedures for dealing with complaints from consumers.79

81. The procedures required under clause 80 shall be available to allconsumers whose custom has been solicited by direct marketing and to allconsumers whose name appears on a list owned, rented or used by theparty and shall comply with the Australian Standard on Complaints Handling(AS 4269).

Referral to external dispute resolution processes

82. Each party to the Code shall be a member of an independent disputeresolution mechanism that is capable of dealing with consumer complaintsarising under this code80 and meets the Benchmarks for Industry-basedCustomer Dispute Resolution Schemes.8'

83. Where a party's internal complaints procedures (under clause 80) havebeen unable to resolve a complaint to the consumer's satisfaction, in wholeor-in part, the party concerned shall provide written reasons for its decision.The party shall also provide written advice of the right to complain to therelevant independent scheme and of the means of doing so.82

Data collection

84. All parties to the code shall maintain appropriate data collection proceduresand shall report annually to the CAA on their implementation of the Code

79 Draft EU, directive on distance selling has a similar provision as an encouragement to branch andprofessional organisations, Article 15b.

80 Note that it is not expected that it will be the role of the CAA to establish a dispute scheme. As isthe case in other sectors, it is more likely that industry associations could be involved in developing ascheme or schemes.

81 These benchmarks are currently being developed by a Working Group chaired by the FederalBureau of Consumer Affairs (FBCA) and are due to be finalised shortly. Benchmarks includeaccessibility, independence, fairness, accountability, efficiency, and effectiveness.

82 The working group seeks comments on whether it would also be appropriate to include anobligation to advise consumers that consumer affairs agencies and small claims tribunals may alsobe able to provide assistance.

27


and on the number, type and outcome of consumer complaints relating tothe Code made to them.

Staff training

85. All parties to the code shall ensure that their staff and agents are aware ofthe Code and their obligations under it.

28


Part VI. Administration of the code

Code Administration Authority

86. The Code will be administered by a Code Administration Authority (CAA).The functions of the CAA include:

• developing, implementing and reporting against performance indicators;

• monitoring and reporting on the Code's operation;

• education and training;

• periodic review of the Code;

• investigation of systematic and recurring problems; and

• ensuring adequate funding arrangements for the CAA.

87. The membership of the CAA will comprise:

• an independent chair nominated by industry and approved by MCCA;

• 1 Australian Direct Marketing Association (ADMA) nominee; and

• 1 consumer representative approved by MCCA. The consumerrepresentative must be capable of reflecting the viewpoints andconcerns of consumers , and must be a person in whom consumers andconsumer organisations have confidence.

Term of Membership to the CAA

88. The independent chair shall be appointed to the CAA for a term of three years.

89. The industry and consumer nominees shall all be appointed to the CAA for aterm of two years.

90. Members of the CAA may be reappointed.

Resignation of CAA membership

91. All members of the CAA may resign from the CAA after giving 1 months noticeto the CAA. MCCA may withdraw its approval of the independent chair orconsumer nominee after giving 1 months notice to the CAA.

29


Performance indicators

92. The CAA will develop and implement performance indicators as a means ofmeasuring the effectiveness of the Code's operation , and will report againstthose indicators in its annual report.

Monitoring

93. The CAA shall monitor compliance with the Code.

94. The CAA shall monitor the operation of the independent dispute resolutionmechanisms that handle complaints under this Code.

Systemic or recurring contraventions

95. The CAA may investigate complaints indicating systemic or recurringcontraventions of the Code. After such an investigation, the CAA may makerecommendations to industry and/or government for eliminating orminimising the problem.83

Annual report

96. The CAA shall publish an annual report on the operation of the Code andpresent it to the Ministerial Council on Consumer Affairs (MCCA). Thereport shall include:

• performance of the Code against developed performance indicators;

• the number, nature, and outcomes of complaints made under externaldispute procedures (as referred to in clause 82);

• a summary of the number, nature and outcomes of complaints asreported by parties to the code under clause 84.

• details of any investigation undertaken by CAA under clause 95 and theresults of any such investigation;

• the names of all parties to the Code; and

• any other general issues the CAA wishes to comment on.

83 The working group queries whether there will also be a need for the CAA to impose sanctions forbreach of the code (additional to that in clause 7), and if so, what appropriate sanctions would be.Comments on this issue are welcomed.

30

Draft Distance Selling Code of Practice.

Review

11/26/96 11:17 AM

97. The Code will be reviewed 3 years after it commences operation, and atperiodic intervals thereafter.

Reviews will be conducted by the CAA in consultation with relevantgovernment, industry and consumer organisations.

Amendment

98. The Code can be amended at any time by the CAA with the approval ofMCCA and after consultation with relevant government, industry andconsumer organisations.

Education

99. The CAA shall undertake appropriate activities to ensure that consumersand industry are aware of the Code and understand its obligations.

100 The CAA shall undertake appropriate activities to encourage industrymembers to adopt the Code.

Administrative support

101 The CAA will determine appropriate arrangements for its administrativesupport.

Meetings

102 The CAA shall determine appropriate requirements for meetings.

Funding

103 The CAA shall determine appropriate arrangements for its funding.

31

bq .

Human Rights and Privacy CommissionerEqual Opportunity Commission

Our reference: 97-0247 blp490Your reference: Privacy in Queensland

Mr Neil LaurieResearch DirectorLegal , Constitutional and Administrative Review CommitteeParliament HouseBRISBANE QLD 4000

Dear Mr Laurie

`PRIVACY IN QUEENSLAND' INQUIRY

LEGAL, CONSTITUTIONAL ANDADMINISTRATIVE REVIEW COMM

28 AUG 1997

I refer to the issues paper Privacy in Queensland, released by Judy Gamin MLA on16 May 1997. Please accept my apologies for the delay in providing the Committee with thissubmission; I hope it is still useful to you at this time.

To begin with, may I say that it is pleasing to see the Committee take up what I consider to bea very significant issue arising from the recent spectacular development of informationtechnology and its convergence with communications systems.

Attached to this letter is a submission responding to each of the 23 questions set out in theinquiry' s issues paper. There are, however, a few recent developments that I would like tohighlight in this letter.

On 18 August 1997 I released a consultation paper entitled Information Privacy in Australia: aNational Scheme for Fair Information Practices in the Private Sector. The paper suggests aprocedural framework for the development of a voluntary scheme of information privacyprotection in the private sector, together with discussion of the arguments for and against such ascheme and the principles on which it might be based. I have enclosed a copy for yourinformation.

There are a number of other information privacy initiatives under way or under considerationby various Australian governments. You will be aware that the Victorian Government hasannounced its intention to introduce a statutory scheme of information privacy protection whichwill apply to private sector organisations. The NSW Government has for some time had aninformation privacy bill in preparation. The WA and Tasmanian Governments are bothconsidering the adoption of information privacy principles for their public sectors on anadministrative basis, as South Australia has already done.

Human Rights and Equal Opportunity Commission Level 8 Piccadilly Tower 133 Castlereagh Street Sydney NSW 2000 GPO Box 5218 Sydney NSW 1042Telephone: 02 9284 9600 Facsimile: 02 9284 9666 Enquiries : 1800 023 985 (toll free) WWW http://www.hreoc.gov.au/ Teletypewriter: 1800 620 24 1 (toll free)

In this active policy environment, I see it as important that all the players stay in touch with oneanother's activities and coordinate their activities as far as possible. The enclosed consultationpaper stresses the importance of avoiding overlap and duplication wherever possible and,critically, avoiding a patchwork of State and Territory laws where the private sector isconcerned.

I have indicated in the paper that an effective mechanism for compliance monitoring andcomplaint resolution must form part of any credible privacy protection regime for the privatesector. I have, however, left open the way in which such a mechanism may be provided, toaccommodate both existing sectoral ombudsman schemes and any future State or Territoryinitiatives. I think that failure to do this could have serious consequences, both for theorganisations handling personal information, which want certainty and simplicity in thestandards expected of them, and the individual subjects of that information, who want to seeconsistent and comprehensive standards established.

I hope the Committee finds the attached submission useful. If you wish to discuss thesubmission or this letter, the contact officer here, in the first instance, is Brant Pridmore on

(02) 92849739.

Yours sincerely

I

MOIRA SCOLLAYPrivacy Commissioner

26August 1997

2

ATTACHMENT

SUBMISSION FROM THE FEDERAL PRIVACY COMMISSIONER TO AN INQUIRYBY THE QUEENSLAND LEGISLATIVE ASSEMBLY'S LEGAL, CONSTITUTIONALAND ADMINISTRATIVE REVIEW COMMITTEE INTO PRIVACY IN QUEENSLAND

Privacy in Queensland , the issues paper prepared by the Committee , sets out 23 questions forconsideration . This submission discusses them in order.

1. Are there valid concerns relating to privacy protection which need to be addressed bylegislative and/or administrative action ? If so , what particular concerns are mostpressing?

Privacy is a broad concept. Four dimensions are often identified:

• privacy of the body, for example, a person should not be subjected to arbitrary bodysearches;

• privacy of space, for example, a person should be able to enjoy some spaces, like theirhome or the homes of their our friends, without being spied on;

• privacy of communications, for example, a person should be able to communicate withothers free of eavesdropping; and

• privacy of information, for example, a person should not be made the subject of secretfiles or investigated behind their back.

The functions of the federal Privacy Commissioner centre on information privacy and in thisarea there are a number of concerns that could be addressed by administrative or legislative

action.

More information is being collected about people today than ever before. Cost pressures areinducing many major organisations, public and private, to rely more on remote systems and lesson face to face contact at the shopfront. This means that decisions are increasingly being madeabout people on the basis of abstract information uninformed by personal contact or judgement.In such circumstances it is all the more important that people should know how informationabout them is being handled and should be able to access and seek correction of thatinformation. These are fundamental principles of information privacy that appear asInformation Privacy Principles 2, 6 and 7 in section 14 of the Commonwealth Privacy Act.

Modern information technology also means that personal information can be analysed,transferred, sorted, searched and matched at very low cost. Uses of information that simplywould not have been practicable a few years ago are now entirely feasible. These maysometimes be far removed from the expectations of the people whose information is being usedand may be undertaken without their knowledge or consent. Some limitations on reuse ofinformation for new purposes are desirable although there clearly have to be exceptions to alloworganisations to function effectively. Such limitations, and exceptions, appear in InformationPrivacy Principle 10 in the Privacy Act.

Technology, especially communications technologies like increasingly sophisticated telephonenetworks and the Internet, makes it easier than ever before to collect information about people,

3

often without their knowledge. As well, surveillance technology has advanced rapidly in recentyears and uses a wide variety of means to collect information: direct visual surveillance; videorecordings; and audio recordings using sophisticated devices. In such an environment it isimportant that collection practices be fair and lawful and not unduly intrusive. This is reflectedin Information Privacy Principle 3.

All this suggests that there are genuine privacy issues, steadily growing in urgency, that couldbe addressed, to at least some extent, by legislative or administrative action. As thissubmission argues in relation to question 2, there are good arguments to suggest that theinformation privacy protection that current Queensland law (and Australian law generally) offersis less than optimal.


In the final analysis, of course, it is for the Queensland Parliament to determine the adequacy orotherwise of the current law in relation to privacy protection. Moreover, the federal PrivacyAct's focus on information privacy limits this office's capacity to comment on the adequacy ofQueensland law in relation to all aspects of privacy.

It is true, however, that more information is now collected about individual Queenslanders, and

all Australians, that at any time in the past. The Internet and other interactive computersystems provide very quick, cheap means of capturing personal information. What may bemore important is that contemporary information technology allows the information to beaccessed, searched, sorted, matched, analysed and transferred at a tiny fraction of the cost thatwould have applied even ten years ago. Personal information is increasingly available andpeople are continually thinking of new ways of using it. Queensland has no general scheme,legislatively based or otherwise, that identifies legitimate personal information handlingpractices or gives individual people any influence over the way information about them iscollected, used or disclosed. This suggests that better information privacy protections would be

desirable.

Overseas developments also suggest that the current situation in Queensland (and otherAustralian jurisdictions) falls short of international benchmarks.

• In October 1995 the European Parliament adopted directive 95/46 on `the protection ofindividuals with regard to the processing of personal data and on the free movement ofsuch data'. National laws implementing the directive are meant to be in place by October

1998. Article 25 says that data should not be transferred to a non-EU country unless thatcountry ensures an `adequate' level of protection. While EU countries have yet toestablish firm criteria for adequacy, it seems unlikely that the current situation inAustralia, except perhaps in the Commonwealth public sector and the credit reportingindustry, would meet this requirement. (It should be noted that Article 26 allows fortransfers of data to non-EU countries that do not have an adequate level of protection butwhere other specified conditions are in place.)

• In the Asia-Pacific region, the Hong Kong data protection ordinance of 1995 provides forlimits on the transfer of personal information from Hong Kong to other jurisdictions thatdo not provide a comparable degree of protection.

Naturally Australian policy should be dictated primarily by Australian considerations but sinceour economy is increasingly integrated with the rest of the world, policy makers need to beconscious of international as well as domestic considerations, especially where there may be a

4

direct effect on trade and foreign investment. As a recent paper from the US government papernotes:

No discussion of [on-line] privacy can be complete without appropriate consideration of the EUDirective and its implications for international trade in the Information Age.'

3. If not , how should the right to privacy be protected in Queensland ? For example,should Queensland introduce one or a combination of the following means ofregulation : information privacy principles ; a statutory tort of privacy; a privacycommittee or privacy commissioner ; or some other means to protect privacy?

Information privacy principles

It is widely accepted that privacy regulation should be founded on basic information privacyprinciples that are capable of application to the broadest range of activities, both in the publicand the private sectors. Formal principles are an explicit statement of what constitutes goodinformation privacy protection. They are easier to grasp than common law thinking developedby the courts. Internationally, nearly all jurisdictions that provide information privacyprotection for their people do so by way of sets of explicit principles, most of them based onthe OECD's Guidelines on the Protection of Privacy and Transborder Flows of Personal Data,which identify eight information privacy principles designed to apply to public and privatesector organisations.

A statutory tort of privacy

There is nothing inherently undesirable about statutory torts of privacy. The federal PrivacyAct creates one in Part VIII, which extends obligations of confidence, including common lawobligations, in limited circumstances and thus creates a statutorily based tort. However, theCommittee's issues paper rightly points out a number of shortcomings of this approach. Inparticular, the following considerations suggest that complete reliance on a statutory tort ofprivacy is a less than satisfactory form of privacy protection.

• Enforcement in the courts is expensive and time consuming. Few people have thefinancial resources or legal knowhow to seek redress in the courts for the impact of whatmay be a tortious act.

• By its nature a tort of privacy is reactive, not proactive, in promoting respect for privacyrights. Cases are dealt with one by one. The inevitable delays in deciding cases slowsdown the development of principle and precedent around the tort.

• Even when principle and precedent do eventually develop, they are less likely to beclearly expressed and widely understood than explicit information privacy principles. Thiswould diminish the chance that information privacy is taken into account in thedevelopment of systems to process personal information, in both the public and privatesectors. Of course, once systems are in place, changing them is costly and unappealing toorganisations unless legal action is imminent.

A privacy commissioner or committee

If the Queensland Government chooses to back a scheme of information privacy protection forthe State, it makes sense to have some institutional structure to promote the scheme, whatever

National Information Infrastructure Task Force (US), Options for Promoting Privacy on the National

Information Infrastructure, April 1997.

5

its form. The body charged with the administration of a privacy scheme that applies to publicsector agencies inevitably takes on something of a watchdog role so if a scheme were to coverthe Queensland public sector it would be desirable for the body to have a measure ofindependence from the agencies to whom the scheme applies. It would not be appropriate forthe commissioner or committee to form part of a Department.

If a commissioner were appointed it would be strongly desirable for there to be a formalconsultative mechanism to allow advice from those who work within the scheme to flow to thecommissioner on a regular basis. The federal Privacy Act establishes a Privacy AdvisoryCommittee to carry out this role. The membership of an advisory body should berepresentative of the organisations covered by the scheme and of clients and consumers.


To all intents and purposes, Australia is a single economy. It is clear from the submissions tothe September 1996 discussion paper from the Attorney-General's Department that theregulatory outcome businesses are most concerned to avoid is a patchwork of inconsistent butlegally binding regimes in the nine Australian jurisdictions. Such an outcome would inflatecompliance costs, make the design of information systems more difficult and act as a barrier tothe interstate operation of businesses and other organisations in Australia.

The only legally binding privacy principles in Australia at the moment are the InformationPrivacy Principles in section 14 of the Commonwealth Privacy Act. They primarily apply toCommonwealth and ACT government agencies. But increasingly they also do apply or willsoon apply to a range of private sector organisations:

• accredited hearing service providers are subject to the IPPs;

• private employment services and non profit organisations providing case managementservices to the long term unemployed are subject to the IPPs;

• the federal Government has announced that contractors handling personal information onbehalf of Commonwealth government agencies will be made subject to the IPPs; and

• private health insurers collecting personal information on behalf of the Commonwealth forthe administration of the Private Health Insurance Incentive Scheme will be subject to aslightly amended version of the IPPs.

The Victorian Government has announced its intention to introduce information privacylegislation, to cover the private as well as the public sector. The shape of this legislation is notyet clear but it is likely to cover much the same issues as the Commonwealth Act. A recentconsultation paper suggests that the Victorian legislation could adopt any principles that emergefrom the Privacy Commissioner's National Scheme process.

The Tasmanian government is developing information privacy principles, based closely on theCommonwealth IPPs, for its public sector. The Western Australian government is also lookingat adopting privacy principles based on the IPPs. NSW is in the process of preparing a Privacy

Bill.

In this environment, it would appear hazardous for Queensland to promulgate privacy principlesthat depart markedly from those in the Commonwealth Privacy Act, especially in relation to the

private sector. That is not to say that those principles are perfect: they have not been reviewedsince their introduction in 1988 and there may be good arguments for some changes, at least atthe margins. But they cover the main aspects of information privacy and the call from business

6

for consistency of information privacy standards across jurisdictions is so strong that it is hardto see that any very different principles could be justified.

The National Scheme process announced recently by the Privacy Commissioner provides anopportunity to reach a general consensus on a revised set of Information Privacy Principleswhich could be adopted in various jurisdictions.


For the Queensland public sector, it would appear appropriate to set out IPPs in legislation.Even if enforcement mechanisms are limited, I think the suasive power of legislation can be animportant signal of the Government's concern for the information privacy of its citizens.

The question is more difficult in relation to the private sector. In a press release of21 March 1997, the Prime Minister announced that the Commonwealth would not beproceeding with privacy legislation for the private sector and that he had asked StateGovernments not to proceed independently. He indicated that the Privacy Commissioner wouldbe available to assist business in developing self regulatory approaches to information privacyprotection. The Privacy Commissioner has had consultative meetings with a range ofstakeholders. As a further step in the process she has released the enclosed consultation papersuggesting a possible self regulatory model for information privacy protection in the privatesector.

This submission argues in response to question 12 that there are good in principle reasons whylegislatively based privacy protections should apply to private sector organisations. However,deciding on the appropriate course at this time is complicated by the Commonwealth's policyposition in relation to private sector regulation and the obvious undesirability of having differentbinding regimes in different Australian jurisdictions. In these circumstances the QueenslandGovernment, if it takes action in relation to the private sector, may wish to consider the modelthat the Victorian Government is suggesting. It would clearly be undesirable for there to beoverlap or inconsistency between any national scheme developed under the auspices of thePrivacy Commissioner and any scheme developed in the Queensland context, so if Queenslanddecides to proceed with private sector privacy protection, it would make sense for that to bedone in liaison with the process in which the federal Privacy Commissioner is currentlyengaged.

6. Should individuals have to pay (a reasonable amount ) to exercise their right toprivacy?

The general answer is no. A right is something that a person enjoys irrespective of theirmeans. Once charges are imposed for exercising a right this universal status is diminished.

But there are some circumstances where the exercise of a right by one person imposes costs onanother and it may then be reasonable to expect the first person to incur some of the costs.Charges imposed under Freedom of Information legislation are an example of where modestcharges are attached to the exercise of a right. The occasional opportunistic use of charges bygovernment agencies to deter people from seeking government held information shows howadministrative charges can be abused so as to deny people the enjoyment of their rights. Anyprovision for explicit charges for the exercise by individuals of rights under a scheme ofinformation privacy protection should include safeguards against such abuse: charges should becapped, or subjected to a reasonableness test; there should be an avenue of appeal for peoplewho think they are being improperly charged; and there should be some monitoring mechanismto make sure that charges are being properly applied.

7

7. Would the costs associated with IPPs outweigh the public benefit flowing from theirimplementation?

Not if sensible principles were sensibly implemented. Complying with IPPs may involveadjustment costs for some organisations. Forms may need to be changed, procedures revisedand staff trained. Provided that there is an adequate phase-in period, so that organisations thatneed to change their practices can do so in the normal course of business, for example whenordering new stationery or brochures, the costs should be limited.

The consultation paper enclosed with this submission includes in Part 1 a more detaileddiscussion of the compliance costs that could be associated with a self-regulatory scheme ofinformation privacy protection. It is likely that the compliance costs under a statutory schemewould be very similar.

8. If an office of privacy commissioner or a privacy committee is established:

how should its independence be assured;

should the office be accountable to the Parliament , for example, via aparliamentary committee (with perhaps responsibilities in relation to matterssuch as appointments , suspensions , budgets and strategic reviews); and

should the office be combined with that of the Information Commissioner or anyother office?

The response to this question refers to a privacy commissioner but the comments made applyequally to a privacy committee.

Independence

This is a very difficult subject. In relation to regulation of the public sector, there is likely tobe a trade off between the independence of a commissioner and his or her access to thedeliberations of government.

The more independent a commissioner is and the more frank and fearless his or her publicstatements, the more cautious will Ministers and agencies be in involving the commissioner inthe development of new proposals that may have privacy implications. Yet it is at thedevelopmental stage that input from a privacy perspective may have the most impact on theeventual outcomes.

On the other hand, a commissioner too close to or dependent upon Ministers runs the risk ofbeing co-opted as a legitimator of whatever policies the government and its agencies choose topursue.

The federal Privacy Commissioner has tried to strike a balance between the two extremes. Forexample, the Commissioner has been prepared to give the government confidential advice onpolicy proposals and has referred to the relevant Minister requests from the Opposition to seethat advice. On the other hand, the Privacy Act provides that the Commissioner's annual reportto the Attorney-General must be tabled in Parliament and the Commissioner has sometimes usedthis document as a means of expressing concerns about aspects of government policy.

Accountability to Parliament

Internationally, a number of jurisdictions have a Privacy Commissioner who is appointed by orreports to Parliament rather than a Minister. These include the German Federal Commissioner

8

for Data Protection and the Canadian Privacy Commissioner. Such a structure would certainlywork to ensure greater independence of the Commissioner from the government of the day. Itwould appear to be an option worth serious consideration.

9. What functions should a privacy committee /commissioner have?

It is a matter for judgement how specifically the functions of a Privacy Commissioner should bespelled out. Where coercive powers are contemplated specificity is clearly necessary. Wherebroader educative or research functions are involved, a broader statement of function may besufficient. Three essential functions are:

Education. Flows of personal information in contemporary society are so pervasive thatreliance on the threat of sanctions alone would place an intolerable burden on the limitedresources likely to be available for the enforcement of any scheme. Education and persuasiondesigned to change cultures and increasing sensitivity to privacy issues has a crucial part to playin promoting respect for individuals' privacy rights.

Monitoring of technological trends. Information and communications technology are developingso rapidly and are having such a profound effect on the way that personal information iscollected and used, that this seems an indispensable function of any effective commissioner orcommittee.

Complaints. An independent, affordable and accessible complaints mechanism is essential toany effective scheme of information privacy protection.

The Committee may also wish to consider the functions of the federal Privacy Commissioner setout in sections 27, 28 and 28A of the Privacy Act, all of which have proved necessary or atleast useful over the years of the Act's operation.

10. What powers should a privacy committee/commissioner have? For example, shouldthese include the power to:

• enforce IPPs through sanctions such as fine or disciplinary action; and

• exercise coercive powers such as powers of access?

The question of coercive powers for a privacy committee or privacy commissioner should beapproached with caution.

The primary objective of a privacy commissioner or privacy committee is to promote respectfor individual privacy. The amount of emphasis placed on measures like fines, disciplinaryactions and the exercise of coercive powers should accord with the contribution they can maketo this goal.

The federal Privacy Commissioner has some such powers. In investigating a complaint or aparticular act or practice, the Commissioner can require the production of documents (s.44) andthe appearance of witnesses (s.45). In investigating a complaint, she can convene a compulsoryconference and require attendance at it; failure to attend is an offence (s.46). Section 65 makesit an offence without reasonable excuse to fail to attend before the Commissioner, to fail to besworn or make an affirmation, to wilfully obstruct her in the performance of her functions orknowingly to make to the Commissioner a false or misleading statement.

The experience of the federal Privacy Commissioner has suggested that, while the powers haverarely been used, having them in reserve has assisted in getting agencies to take privacyprotection seriously. Only two formal determinations have been made, and only one of these

9

awarded an amount of financial compensation, but a large number of other complaints havebeen conciliated, with the settlements compensation payments of up to $22,000, though theaverage amount awarded is much smaller.

Often the problem is not that policy makers and administrators are antagonistic to privacyconcerns but that they fail to appreciate the implications of their activities or to devote enoughthought to addressing them. The responsibilities of this office centre on the operationsCommonwealth government agencies, the consumer credit reporting system and the handling ofTax File Numbers. In each of these areas the experience of this office has been that `education'and the promotion of cultural change in the organisations affected by the federal Act has beenmore effective in changing behaviour than the threat of formal punitive action. Capacity forsuch action sometimes adds strength to an argument, but in practice the possibility of action ismore important than the execution.

Two powers should be mentioned that are important to the effective functioning of a privacycommissioner: the power to initiate investigations on his or her own motion and the power toaudit entities covered by the privacy regime. The own motion investigation power allows aproactive approach to emerging issues and a more timely response than would be possible ifinvestigations could only be launched after a formal complaint is made. In the federal context,the audit power has proved itself to be an important tool for achieving systemic change withingovernment agencies. The scrutiny of practices and the recommendations flowing from thatscrutiny highlight areas for improvement and provide a robust framework for monitoring agencyresponses.

11. Would the costs associated with an office of privacy commissioner /committeeoutweigh the public benefit flowing from the establishment of such an office?

Provided that the office is effective and efficiently run, the answer to this question is no. Ifinformation privacy is enough of a concern to warrant government action - and this submission

argues that it is - then it is enough of a concern to spend a modest amount of money on.Legislation or guidelines without institutional backup are likely to become empty documentswith no impact on the real world.


In principle, it seems almost beyond dispute that privacy protection is required in the private

sector.

Of course government agencies have a very considerable capacity to collect personalinformation about Australians and such collection is often compulsory. It has been argued thatit is only the handling of compulsorily collected personal information that poses a threat toindividuals' information privacy.

But consider the amount of information collected by the private sector: banking records;records of the renting and purchase of real estate; credit card records that detail purchases,amounts, times and places; health insurance records detailing medical procedures; psychologicaltests administered to employees; security systems monitoring and identifying those entering andleaving commercial premises. Most of this information is not collected compulsorily: in theoryyou could keep your savings under the bed, use no credit or other payment cards, avoid privatehealth insurance, make major purchases with cash, choose public rather than private schools foryour children and wear a balaclava when visiting commercial precincts (and endure theharassment that would ensue). But this is clearly a fantasy. A person who wishes to leadanything roughly approximating a normal life in Australia today has no choice but to provide,

10

as a condition of receiving basic goods and services, detailed information about themselves to awide range of private sector organisations. If assembled in the one place this information cancreate a picture of the individual's life and activities, not merely day by day but hour by hour.

A number of arguments have been put forward opposing the extension of information privacyprotections to the private sector. It is argued: that market forces will provide an adequate levelof privacy protection; that the costs of compliance with information privacy principles would betoo high; that the level of public concern is too low; and that existing law and guidelinesadequately protect people's information privacy. All of these arguments can be rebutted. Eachis discussed in the enclosed consultation paper. The paper does, however, propose a nationalself-regulatory scheme, in line with the Federal Government's preference. If it proves possibleto gain sufficient commitment from business to make this scheme work, then legislation maynot be necessary. But to provide credible protection, the scheme will need to have many of thesame characteristics, including compliance monitoring, dispute resolution and enforceableremedies.


Whether an organisation has the legal status of a corporation has little effect on the functions itperforms or its capacity to intrude into the privacy of those with whom it deals. A statutorycorporation may still administer legislation and exercise the executive power of the government.A more significant distinction between different public sector organisations is between generalgovernment organisations and public trading enterprises that produce goods and services for salein (more or less) competitive product markets.

This submission has argued that both private and public sector organisations should be coveredby a scheme of information privacy protection. It would clearly be anomalous if a scheme thatcovered the activities of general government agencies and private sector organisations did notalso cover public trading enterprises.

However, if a scheme of privacy protection were put in place that covers only public sectororganisations, it is less clear that public trading enterprises should be covered. Considerationsof competitive neutrality suggest that most public trading enterprises should not be required tocomply with a scheme that does not cover their private sector competitors. The federal PrivacyAct takes this approach by excluding from the coverage of the Information Privacy Principlessome public trading enterprises in their entirety and the commercial activities of a number ofothers (see Schedule 2 to the Freedom of Information Act (Cth)).


Yes. Local government, like State agencies and private sector organisations, collect and uselarge amounts of personal information about Australians. A considerable number of the generalenquiries received by the Privacy Hotline operated by this office relate to local governmentmatters, for example, the secondary use of information about building approvals, dog licences

etc. If a scheme of information privacy protection were to apply to state level public sectororganisations, it is hard to see why it should not also apply to local government.

11

15. Would the costs associated with privacy regulation of:

• the private sector;

• government owned corporations;

• local government activities;


For all these sectors, the overall benefits of a scheme of privacy regulation should easily exceedits costs, provided that it is well designed and efficiently implemented.

New Zealand has a Privacy Act that contains information privacy principles which are similar tothose in the Commonwealth Act but which apply to both private and public sectors. The NZAct was introduced in 1993 amid fears, especially in the business community, that it wouldimpose unmanageable compliance costs. It did not. For a small business with uncomplicatedholdings of personal information - like payroll records and an invoice book - the compliancecosts of a sensibly designed regulatory scheme for the private sector would be practically nil.Very rarely someone might ask to see payroll or invoice records that relate to them. Apartfrom that there would be no impact. Responsible businesses in personal information intensiveindustries already pay at least some attention to information privacy issues and, provided thatthe phasing in of a regulatory scheme is sensibly planned, the costs of compliance should bequite manageable. For example, sensible phase-in provisions would mean that no business isobliged to reprint millions of forms to abide by the provisions of the scheme. The onlybusinesses that could feel a significant cost impact are those that are currently dealingirresponsibly with large amounts of personal information.

As this submission says in response to questions 13, the same arguments for privacy protectionsin the private sector apply to public trading enterprises. And as this submission says inresponse to question 14, the same arguments for privacy protections in the State public sectorapply to local government.

16. If the private sector is not to be covered , how should privacy regulation apply tobodies performing services which the government has outsourced?

As this submission argues in response to question 12, there are good in-principle reasons whythe private sector should be covered by a scheme of information privacy protection. If ascheme is adopted that covers government organisations but not private sector organisations, thesame privacy regulation as applies to government agencies should apply to private sectororganisations performing functions under contract to government agencies. The risk to people'sinformation privacy posed by the mishandling of personal information depends primarily on thenature of the information and the uses to which it is put, not on the identity of the organisationdoing the handling. There is no reason to suppose that a private firm performing a functionunder contract to a government agency is any less likely than the agency itself to mishandlepersonal information or that the consequences of mishandling would be any less serious thanthey would be if the agency performed the function in house. Indeed in some circumstances,the commercial value of the information could be more of a temptation to private firms than itis to government agencies. Moreover, public sector agencies often have a well establishedculture of respect for at least some dimensions of information privacy, especially keepinginformation securely and confidentially.

12

The Committee may wish to note that the Federal Government has decided to extend theCommonwealth Privacy Act to apply to private contractors providing services to or on behalf ofgovernment. Legislation is currently being drafted for introduction later this year.

17. Should there be co -operative arrangements between the states, territories and thecommonwealth with respect to matters such as formal complaints regimes?

So far as information privacy is concerned, this is a significant topical issue, particularly inlight of the Victorian Government's proposed privacy legislation.

If State and federal privacy schemes were to cover some of the same organisations, it would besensible to look at the possibility of such arrangements to prevent forum shopping and simplifyadministration.

The Human Rights and Equal Opportunity Commission, of which the Privacy Commissioner isa member, has negotiated a variety of agreements at different times with State governments forthe handling of complaints under the Sex Discrimination Act, the Race Discrimination Act, andthe Disability Discrimination Act and the corresponding State legislation. Experience in thiscontext, including in Queensland, suggests that performance standards would need to be clearlydefined and monitored if such arrangements are to work satisfactorily.

18. How should any privacy protection legislation interrelate with freedom of informationlegislation? For example , should the access to, and amendment of, personalinformation be regulated by a Privacy Act alone?

There are two areas of interrelationship between FOI legislation and privacy legislation. Themost obvious is where disclosing an individual's personal information to another person has thepotential to invade the former's privacy. The Commonwealth FOI Act, like most state FOIlegislation, includes an exemption designed to avoid unreasonable invasions of privacy (s.41).

The issue of access to and amendment of, one's own personal information, is another potentialarea for interaction between the two Acts.

The right to have access to and amend your own personal information is a basic privacy rightrecognised in most privacy laws around the world. It is therefore appropriate that decisions byagencies or organisations to refuse access to personal information be reviewed from theperspective of the individual's privacy rights. However, any privacy regime could utiliseexisting FOI mechanisms for obtaining access, for example, FOI legislation sets out a fairlydetailed process for an individual to gain access to his or her personal information.

In the federal sphere, the right to obtain access to, and to have corrected, personal informationin the possession of a Commonwealth agency is embodied in two pieces of legislation - theFreedom of Information Act 1982 and the federal Privacy Act 1988.

Access and correction rights in relation to personal information, which are seen essentially asprivacy rights, were originally included in the FOI Act as an interim measure in anticipation ofprivacy legislation being enacted. While the ensuing enactment of the Privacy Act set out theserights in IPPs 6 and 7, access and correction provisions remain in the FOI Act. The experiencein the Commonwealth sphere and in the ACT is that the operation of the access and correctionprinciples in the Privacy Act is generally handled through the FOI machinery, as that Actprovides a detailed mechanism for accessing these rights. However, the Privacy Act givessome relatively minor additional grounds for amendment on the basis of relevance and expresslyallows for amendment by way of deletion.

13

This interrelationship was considered by the Australian Law Reform Commission (ALRC) andthe Administrative Review Council (ARC) in a joint review of the Commonwealth Freedom ofInformation Act 1982. In the course of the review, the ALRC/ARC considered whether theoverlap of access and correction rights should be removed. They proposed ways to facilitatethe administration of these provisions but made no recommendation for legislative change toretain access and correction provisions solely in one Act. This office put the view that theserights should be administered solely by the Privacy Commissioner. Some of the arguments putforward were:

• The right to have access to and amend your own personal information is essentially a`privacy' right, one in many ways distinct from the main objective of FOI laws, whichrelates to openness and accountability.

• The access and correction provisions in the Privacy Act (IPPs 6 and 7) contain broaderrights than the FOI Act. The ALRC/ARC recommended that the FOI Act provisions beamended to offer the same standards as IPPs 6 and 7. While this may allow flexibilityfrom the consumers' perspective, it is not clear why there should be two pieces oflegislation providing for what would be identical rights.

• At the time of the ALRC/ARC review, moves towards the establishment of a nationalprivacy framework suggested that it was likely that the Privacy Commissioner would takeon an access and correction role in relation to the private sector. For reasons ofconsistency it is desirable that, as far as possible, there is one decision-maker on privacymatters, regardless of whether the request was made to a public sector body or to aprivate organisation.

The report of the review was tabled in January 1996 and the federal Government is yet torespond to the recommendations.

19. What additional measures , if any, should be taken with respect to:

the 1995 European Directive; and

the OECD Cryptography Policy Guidelines?

EU Directive

See the comments under question 2 above.

Cryptography guidelines

In the current technological climate, it appears to be difficult for a state government, or indeedany single national government, to introduce effective measures to control the distribution anduse of cryptographic technology. The Committee may be aware that the federal Government isconsidering the OECD's Guidelines for Cryptography Policy for possible adoption in the

Australian context. Since most uses of cryptography involve interstate and internationaltelecommunications systems, this may be an issue best dealt with on a national level.

20. How should smart cards be regulated ? For example , by national legislation, statelegislation or industry codes?

It is difficult to introduce technology specific regulation for a technology as flexible as the smartcard, which is no more than a computer chip mounted in a standard plastic card. It can store

and process information in as large a range of ways as the same chip in another physical

context.

14

It may , therefore , be undesirable to attempt to regulate smart card applications per se inlegislation . Applying general privacy principles to the public and private sectors should sufficeto deal with privacy issues arising from most smart card applications . A legislative option maybe worthy of consideration in relation to particular applications , for example , e-cash or roadtolling systems , as the privacy issues associated with them become clearer . In 1995 the PrivacyCommissioner released an information paper entitled Smart Cards: implications for privacy,which looks at emerging privacy issues in a number of applications and suggests approaches tothem . A copy is enclosed.

21. What form of regulation should be introduced with respect to the various types ofelectronic banking and cash (not including those systems which use smart cards)?

It is difficult to give firm advice in such a new and rapidly developing area. The informationprivacy issues arising from electronic banking and e-cash systems differ from system to system.By and large the basic information privacy principles should be an adequate basis for addressingthem. More specific standards may need to be established as systems are developed andproblems emerge.

22. What form of regulation should be introduced with respect to privacy issues arisingin the areas of:

• personal privacy, including surveillance (visual and listening) both in public andprivate places;

• telemarketing and direct marketing;

• the workplace;

• medical records, including access; and

• genetics?

Surveillance

As this submission notes in relation to question 1, surveillance technology has advanced rapidlyin recent years and uses a wide variety of means to collect information: direct visualsurveillance; video recordings, made using infra red, millimetre wave, visible light or otherfrequencies; and audio recordings using sophisticated devices. I understand that in Queensland,as in other Australian jurisdictions, the use of some of these technologies is unregulated despitetheir fundamentally intrusive nature. There are major inconsistencies in the treatment ofdifferent technologies, with listening devices laws applying strict controls for some forms ofaudio surveillance, but most video recording being completely unregulated. This suggests thatsome policy action in relation to this sort of activity would be desirable.

Covert and overt surveillance raise somewhat different issues.

In February 1992 , the Privacy Commissioner issued Guidelines for Covert Optical Surveillance

in Commonwealth Administration, which set out the Commissioner's preferred approach to thissubject . A copy is enclosed.

Also enclosed is a presentation given by the head of Privacy Branch to the Privacy IssuesForum held in Christchurch , New Zealand in June 1996 which addresses the privacy issuesassociated with the use of street surveillance cameras.

15

You may also wish to note that the NSW Law Reform Commission is conducting an inquiryinto video and audio surveillance. This work may be relevant to the Committee's inquiry.

Telemarketing and direct marketing

An appropriate regulatory framework for these activities could be based on standard informationprivacy principles. However, effective State-based action may be difficult to achieve, since thecosts of telemarketing or direct marketing differ little if the marketing effort is based outsideQueensland - falling telecommunications costs mean that telemarketing based outside the `target'area is becoming more and more feasible.

You may be aware that a working group, chaired by the Australian Competition and ConsumerCommission (Ms Delia Rickard, (06) 2641166), has been convened to develop a code ofpractice on direct marketing. In March 1996, the Standing Council of Consumer Affairsdirected the working group to limit the scope of the code to distance selling, excluding fund-raising or market research. In December 1996, the Ministerial Council on Consumer Affairsreleased a draft Distance Selling Code of Practice for public comment. The Committee maywish to take this work into consideration in its inquiry.

The workplace

Information privacy in the workplace is a major issue for privacy protection in both public andprivate sectors. An approach to information privacy for employees in the Commonwealthpublic sector has been based since 1989 on the IPPs in the Privacy Act and a similar approachcould be effective in the Queensland context.

Medical records

This is clearly a contentious area. Nevertheless, medical information is so sensitive and heldabout such a high proportion of the population that to omit it from the scope of any informationprivacy scheme would greatly reduce its effectiveness. As an indication of the Commissioner'sthinking on this issue, enclosed is a copy of her second submission to the Senate CommunityAffairs Committee's inquiry into amendments to the Health Insurance Amendment Bill (no.2)1996 proposed by Senator Neal.

The Committee may wish to note that the ACT Government has announced its intention tointroduce, as a matter of priority, legislation to protect the privacy of personal healthinformation in both public and private sectors. The proposed legislation would give healthconsumers an enforceable right to have access to and correct their health records. In light ofthe desirability of consistent privacy protections for health consumers, the ACT Government isproposing that the new legislation include the Information Privacy Principles in the federalPrivacy Act, though modified to increase their relevance in the health context.

Genetics

There is little doubt that the handling of the personal information derived from genetic tests willbe one of the most pressing information privacy issues of the coming years. Tests are becomingquicker and simpler and available for a wider range of more common conditions. The use of theinformation outside the health care context - for example, in the insurance industry or thelabour market - poses a clear danger that those deemed genetically inferior will be marginalisedand discriminated against. Already in the US there have been legislative moves to forestall suchdevelopments. While personal genetic information has much in common with other sorts ofsensitive medical information, its predictive power may require specific limits on its use and

16

disclosure. In 1996, the Privacy Commissioner released an information paper addressing someof the privacy issues raised by genetic testing information. A copy is enclosed.

23. Generally, what should be done to ensure that the law keeps abreast withdevelopments in technology affecting individuals ' privacy?

One of the strengths of a set of general privacy principles is that they should be capable ofapplication to any technology. This at least provides a permanent framework in which may beaddressed the privacy implications of a new technology or a new application of an existingtechnology. But broad principles alone will not ensure that all privacy issues are adequatelyaddressed. In specific contexts, specific measures may be needed and this requires somemechanism for identifying emerging information privacy issues and feeding them into the policymaking process. Non government organisations like the Australian Privacy Foundation can anddo achieve a good deal in this regard but their resources and access to government are of courselimited. As suggested under question 9 one of the functions of a Privacy Commissioner orPrivacy Committee should be to monitor the privacy implications of technologicaldevelopments.

Enclosed: consultation paper on a national information privacy scheme for the private sector,smart cards information paper, covert surveillance guidelines, street surveillance speech, theCommissioner's second submission on the Neal amendments and the genetic testing informationpaper.

17

15 August 1997


Review CommitteeParliament HouseBrisbane Qld 4000

Dear Director,

Review of Privacy in Queensland

Please find enclosed my submission to the review.


21 AUG 1997

If I can be if any further assistance, please do not hesitate to call me on 3864 3188(w) or3358 5328(h).

Yours sincerely,

Brett Mason

Justice Studies UnitFaculty of Law

Queensland University of TechnologyKELVIN GROVE CAMPUS VICTORIA PARK ROAD LOCKED BAG NO 2 RED HILL O 4059 AUSTRALIA PHONE (07) 3864 2111 FAX (07) 3864 3944

Campuses : Gardens Point (city), Kelvin Grove, Carseldine World Wide Web : http://www.qut.edu.au/QUT International : Locked Bag No 2 Red Hill 0 4059 Australia Phone +61 7 3864 3142 Fax +61 7 3864 3529

LEGAL , CONSTITUTIONAL AND ADMINISTRATIVE REVIEWCOMMITTEE


General

There are valid concerns relating to privacy protection which need to be addressed bylegislative action. But the protection of privacy concerns does not necessarily equate withthe need to develop a general right to privacy. I have argued elsewhere against theadoption of a general right to privacy (see Mason 1992 and Mason 1993). In essence,"privacy" is a greedy legal term . It might relate to issues concerning abortion , choice ofsexual partner, law enforcement surveillance , powers to search , and a myriad of relatedsocial issues . As a general legal term, it is vague and unwieldy.

2. The current law in Queensland is not adequate with respect to privacy protection. Thevalid concerns of individuals as well as commercial interests are not currently being met.Queensland legislation that does protect privacy does so only incidentally.

3. It is perhaps too easy to suggest that legislation to protect privacy should be immediatelyintroduced . Certainly, there is little history of a culture of privacy protection inQueensland . I am not convinced , however , that comprehensive legislation protectingprivacy both within the public and private sectors is necessary immediately . The time isright , however, for government to protect privacy within its own domain . Either (a)administrative guidelines or (b) specific legislation along the lines of the FederalGovernment ' s Information Privacy Principles are appropriate . Either option couldusefully be enforced by a Privacy Commissioner or Privacy Committee . Cost of theprocess might make option (a) more attractive. At a later date , legislation could usefullybe extended to the private sector.

A statutory tort of privacy is an interesting option adopted as a measure in Canadianjurisdictions. It is hard to gauge, however , without seeing a draft provision , the extent ofthe protection such a tort would offer. At any rate, a statutory tort of unknownparameters enforced by a court (with all the limitations inherent in access to courts) maynot be the best method for the protection of privacy interests.

4. The Commonwealth's IPPs incorporated within the Privacy Act 1988 are a good model.However , that legislation has its difficulties . In particular, the Privacy Commissioner'srole in balancing competing public interests is problematic . Given the experience at theCommonwealth level perhaps it would be best to issue guidelines to a Queensland PrivacyCommissioner.

5. Ideally, IPPs should be in legislative form. However, this is really an issue of cost and anassessment as to how quickly and easily government departments are able to adopt IPPprocedures.

6. Yes, individuals should pay a reasonable amount to exercise their privacy rights - perhapsalong the principles developed for FOI requests.

7. Whether the costs associated with IPPs would outweigh the public benefit flowing fromtheir implementation is a difficult question as the costs associated with implementing theIPPs are uncertain. However, in the medium term State governments have little choicebut to devise ways to protect privacy. The general public as well as business interests willdemand it.

Option - a privacy commissioner/privacy committee

8- 11. Like other statutory officers tasked with protecting human rights, the office of PrivacyCommissioner is a precarious one. Put simply, is the Commissioner to be a privacyadvocate or an arbiter of the public interest or the government interest? This issueunderpins parliamentary frustration at the actions of some statutory officers. It must beaddressed prior to establishment of the office of privacy commissioner. Resolution of thisissue will provide the touchstone for the issues raised in questions 8 - 11.

Recent Queensland parliamentary history might indicate that while parliamentary oversightis appropriate, the powers of the privacy commissioner must be closely scrutinised. Is thegovernment prepared to address criticisms of its performance in relation to privacy? Ifnot, perhaps it is better to concentrate the powers of a privacy commissioner on theresolution of complaints by individuals than a broad monitoring role of governmentperformance. In short, the first issue to my mind is what cost and scrutiny the governmentwill tolerate. Experience with the Criminal Justice Commission seems to indicate that itis pointless to task a body with certain functions and then remain in constant battle withthat body. A frank assessment by the government of the level of scrutiny it will toleratefollowed by a commitment to enforce those standards is perhaps more sensible than apublicly generated wish list.

That stated, at a bare minimum, standards should be set to regulate the flow ofinformation between government departments and incorporate the reporting oftransgressions to Parliament by the Commissioner. More significant powers may well bedesirable - but the above are necessary if the public are to retain confidence in governmentadministration. It would be difficult to argue that this minimalist approach would notoutweigh the costs associated with establishing an office (see Question 11).


12. Yes - but as the Commonwealth experience indicates perhaps the public sector should bethe first priority. Moreover, there is likely to be considerable opposition from varioussources within the private sector to privacy legislation. The Howard government'sbackflip on this issue perhaps indicates the difficulty facing governments seeking toimpose what business sees as unnecessary imposts. Ultimately, however, tradenegotiations and the like may be subject to compliance with certain privacy standards.This has already occurred in the European context.

13. Privacy regulation should only apply to government owned corporations if the

competition (ie private corporations) are subject to the same legislation.

14. Perhaps the case is stronger for privacy legislation with respect to local governmentactivities. Here again, however, this is subject to the consideration whether they areinvolved in a competitive commercial environment.

15 Once again - it is difficult to balance the costs of privacy protection with competinginterests without the information necessary to make the assessment. The costs ofregulation are largely unknown. If in doubt - seek to regulate the public sector and then,later, the private sector.

16. A difficult issue. Perhaps adherence to privacy principles might be a condition ofgovernment work.

17. In a federation this is the only sensible option in the medium term.

18. Here again, note should be taken of the Commonwealth approach. Perhaps it is not soimportant whether the issue is dealt within one enactment so long as it is consistent.

19. Adoption of these measures would, of themselves, be a good start.


20-21. I have nothing to add here, except to say that the issues are national (if not international)in scope and that a coordinated national approach is sensible (see Privacy Commissioner1995).


22-23. The issues listed reflect the great potential for invasion of our privacy arising from themassive expansion of computer power in human affairs. This issue is truly one of the mostcontroversial and potentially alarming social issues of our time. With the capacity forsurveillance growing in modern societies, ordinary people are, to an extraordinary extentunder surveillance in the routines of everyday life: telemarketing and direct marketing, theworkplace and medical records are all avenues for the potential abuse our privacy. Andgenetic profiling is a scientific reality (Privacy Commissioner 1996).

I am not even able to begin to address these issues individually, except to say thatparliament must attempt to keep abreast of developments. Just one quick example. TheMinister for Police and Corrective Services has recently released for public comment adiscussion paper on Review of Police Powers . There was much discussion in the paperabout use of tracking devices, visual surveillance devices and covert search warrants. Thisis quite appropriate - as far as it goes ! But the paper does not engage with existing (letalone emerging) technology that has great capacity to compromise personal privacy andfor which no search warrant is necessary . Thus, technology such as satellite surveillance,thermal imaging, video surveillance , Cathoid Ray Micro-spy technology and radiofrequency sensors are largely unregulated . Perhaps the only way to effectively legislateto protect privacy is to penalise the fact of privacy invasion (no matter how caused) rather

than refer to particular types of potentially intrusive conduct or technology. Of course,the practicalities of enforcing any type of legislative scheme in this context is highlyproblematic.

References

B Mason , "Submission on the Right to Privacy" EARC Review of the Preservation andEnhancement of Individuals' Rights and Freedoms, 13 August 1992 . (attached)

B Mason, "A Profane Look at the Cult of Privacy" Vol 65(2) Australian Quarterly (1993) 60.

Privacy Commissioner (Cth), Smart Cards: Implicationsfor Privacy, Human Rights and EqualOpportunity Commission , Canberra, 1995

Privacy Commissioner (Cth), The Privacy Implications of Genetic Testing, Human Rights andEqual Opportunity Commission , Canberra, 1996.

13th August, 1992

Electoral and Administrative Review CommissionPO Box 349NORTH QUAY 4002 (Reference 122S)

Dear Sirs

REVIEW OF THE PRESERVATION AND ENHANCEMENT OFINDIVIDUALS' RIGHTS AND FREEDOMS

Please find enclosed my submission to the review. I have restricted my discussion to thequestion of whether a right to privacy should be incorporated into a possible Queensland Billof Rights? (para 9.169).

If I can be of any further assistance, please do not hesitate to call me on 864 3188 (W) or358 5328 (H).

Yours faithfully

"^ ^-f A lu(`^ -

Brett MasonJustice Studies UnitFaculty of Law

Queensland University of Technology

CarseidineGardens Point Kelvin Grove Kedron ParkBeams Road2 George Street Victoria Park Road Kedron Park RoadPO Box 284GPO Sox 2434 Locked Bap No 2 PO Box 117Zillmere Q 4034Brisbane Q 4001 Red Hill Q 4059 Kedron Q 4031AustraliaAustralia Australia Australia

Phone: (07) 864 21 1 1 Phone: (07) 864 2111 Phone: (07) 864 21 1 1Phone: (07)8642111Fax: (07) 864 4999Fax: (07) 864 1510 Fax: (07) 864 3998 Fax: (07) 864 4499

InternationalCodesCentral AdministrationPhone 61 7 864 21 1 IFax 461 7 864 1510ralax 71 AA44699

1

The Right to Privacy paras 9.152-9 . 172 Issues Paper)

Proposals for the inclusion of a right to privacy in a Bill of Rights highlight the difficulties of

transforming a popular cultural sentiment into a workable legal right . The issue can perhaps be

summarised thus : should the law be modified to extend a general right of privacy to

individuals? (The inclusion in a Bill of Rights of a right to privacy would be an appropriate

way of achieving this.) Or should , perhaps, provision simply be made to cater for specific

deficiencies in the law where the public interest so warrants ? (For example, with the rise of the

welfare state it may be wise to specifically legislate to control aspects of the transfer of personal

information held by government - rather than enacting a general right to privacy. The

Commonwealth Parliament has adopted this approach in enacting the Privacy Act 1988 ). I will

confine my submission to addressing the central issue whether a general right to privacy should

be incorporated into a Queensland Bill of Rights.

Proposal to Enact a General Right to Privacy

In his authoritative work, Human Rights in Australia, Bailey favours the enactment of a general

right to privacy . He suggests that there are three core human rights within international law: to

life, to an adequate standard of living and to privacy ( 1990:xii). He asserts that "...there are

intimate personal interests which relate to the development and maintenance of an individual

that cannot be suitably covered by extension or modification of the existing law" ( 1990:283).

2

Bailey defines what he terms a "core privacy right" as

"...the right of the individual to the fullest possible development of himself orherself, in a harmonious environment, and with a capacity to enjoy, respond toand not be prevented from intimacy with others by outside actions"(1990:284).

Bailey proposes that courts reach decisions based upon the balancing of competing rights. The

"right" to privacy would dominate in all but the most extreme circumstances where the right is

if... central to the development and maintenance of the individual persona"(1990:228).

However, where the facts in issue are less central to this dilemma other conflicting rights (for

example, the right of freedom to publish) would assume more importance in the balancing

process.

Criticisms of Proposals to Enact a General Right to Privacy

There are three principal criticisms of any proposal to incorporate a general right to privacy in

a Queensland Bill of Rights. First, such arguments are premised upon a philosophical

distinction the value of which is most unclear. It is a central tenet of liberalism that the law

regulates that which is conceived to be 'public'. Within the 'private' realm, however, one is

free to act as one pleases so long as no harm is done to another. Of course, today, the

distinction is not that clear (if it ever was). The welfare state, among other forces, has made

this so.

3

Modern government operates not only through institutions regarded as governmental but also

through non-governmental institutions or non-institutionally. State power and responsibilities,

often enhanced in response to public demand , have encroached into areas formerly of 'private

concern '. Similarly, the conduct of economic and commercial activities , once considered

private , has now moved increasingly into the public realm. The present federal Labor

Government ' s pursuit of a "corporate state" with the harnessing of the government-business-

union triad has blurred the distinction between the public and private realms even further. A

broad legislative right to privacy , premised upon the notion that there is a clear distinction

between 'public ' and 'private ', will not reflect reality.

Objections to a broad legal right to privacy run deeper than philosophical debates concerning

the pitfalls of the public /private distinction . A second objection is to the assumption that judges

are best able to balance the complex social, political and philosophical issues involved in the

assertion of a general legislative right to privacy.

Many would not agree that such a public policy issue is best determined within a judicial

forum . Finding a balance among competing claims will always involve the assertion of

particular political values . Balancing values is a political not a judicial task. While it is true

that judges are accustomed to resolving conflicting claims in other fields, there would be no

guidance to resolving explicitly privacy cases. Precedent would not readily inform the solution

to such cases. If legal rights are to evolve in this area, those rights would be more substantial

if clearly linked to existing defects in the common law. The law of confidentiality , defamation,

secrecy , and the privacy of personal information are obvious examples where difficulties

associated with the law invite reform . A general right to privacy would not assist this process.

4

Advocates of a legal right to privacy have been captured by a desire to capitalise on the public

appeal of a " right to privacy ". Unfortunately , though a commonly used concept it is not readily

fashioned into a useful legal concept . Would Bailey ' s "core right to privacy" have similar

appeal if it were a "core right to autonomy " or a "core right to security"? Is it more substantial

(or, for that matter , more important) than a "right to freedom"? And so on. Except to describe

an underlying feeling or intuitive description of certain activities , the concept of "privacy" adds

little to our understanding either of interests that it seeks to protect or of conduct that it should

regulate. Similar difficulties would occur if a legal concept were fashioned from other moral or

emotional claims such as a general "right to democracy " or "right to freedom ". Though the

"right to privacy " may be readily transformed into a fashionable cult or public policy slogan it

does not readily outfit a workable legal right.

Difficulties with the concept of privacy are not confined to its elusive philosophical and legal

character. Thirdly, of even more significance is the policy impact that adoption of privacy

claims can have. It is important to note that where claims for privacy are upheld, either in the

development of a legal right or as an aspect of government policy, other societal values will

suffer. Privacy is claimed at a cost. Two important examples of this are effective enforcement

of the law and protection of victims of domestic violence. (For a discussion of the difficulties

associated with balancing individual claims to privacy with the broader public interest in these

two areas please refer to pages 6-11 of my attached paper delivered to the Australasian Law

Teachers Annual Conference on 9 July 1992.)

5

Finally , as I trust I make clear in the attached paper (A) (see pp 11-14 ) with increasing

demands being made on government the privacy of the individual is inevitably compromised.

It is unrealistic to demand more services from Government and at the same time be surprised

when the Government demands "private" information and then checks that information received

is correct . Unfortunately , human nature being what it is, some people will give false

information in order to secure benefits or to relieve themselves of certain responsibilities.

Regrettably , to discourage these people the State seems to need to develop laws to be able to

protect itself.

Conclusion

In summary, I submit that a general right to privacy should not be incorporated into a possible

Bill of Rights for Queensland. The first difficulty discussed is largely one of philosophy. It

cannot be safely assured that it is easy to draw a neat distinction between "the public" (where

privacy is not an issue ) and "the private " (hwere privacy is an issue). Secondly, the terms

"private" and "privacy" have no succinct or precise meaning sufficient to outfit a workable legal

right . Widely divergent claims are lumped under the mantle of "privacy" in order to procure

the favourable connotation that "privacy" has in the community. Legislation purporting to

protect an individual's right of privacy is likely to be subject to widely varying judicial

interpretation . Given that search for a balance among competing claims will necessarily involve

the assertion of particular political values , it is questionable whether such a public policy issue

is best determined within a judicial forum . However, while reference to a general right of

privacy should be avoided, specific rights of privacy could usefully be developed.

6

The third major shortcoming of current discussions about the value of privacy is their failure to

recognise , or to give due weight to, other competing societal values. I have mentioned effective

law enforcement (particularly at the Commonwealth level) and the protection of victims of

domestic violence as just two examples of values that suffer where claims to privacy triumph.

There are others . Moreover, I have argued that to a large degree the privacy of individuals

inevitably suffers where government regulation and welfare continues to expand into areas

previously thought part of the private domain.

Postscript

While I have indicated that I do not support a general legislative right to privacy, reform in

areas such as police powers, defamation , secrecy, and the protection of confidential personal

and commercial information held by government is crucial . One need only look at the

Commonwealth Government ' s recently announced " Inquiry Into The Protection of Confidential

Personal and Commercial Information Held by the Commonwealth" to be convinced of the

necessity for reform. The New South Wales Independent Commission Against Corruption's

recent findings (released 12 August) about the sale of confidential government information

confirms the need for proposals to enhance the protection of personal information.

Finally , to conclude on a personal recollection , Attachment B is a classic current example of a

breach of privacy by a Government Department and a corporation. In short, the Department of

Resource Industries and the Gas Corporation of Queensland have engaged in misleading

administrative practices in order to satisfy the statutory obligations of the Gas Corporation.

7

Information has been elicited by the Gas Corporation for one purpose (in the words of the

"Important Notice " attached - for a "Hot Water Survey" and for a "Free Inspection ") and has

been used for another purpose (to discover the location of allegedly defective hot water

systems). Clearly , the Department and the Gas Corporation should explain yj they require

information and how they intend to use it. Unfortunately , the Minister appears unconcerned

that his Department ' s practices are misleading . In his reply (attached) he is merely concerned

to show that , in this context , misleading members of the public by breaching their privacy is not

breaching the law . He is correct . But a civilised democracy cannot knowingly sanction this

activity at the same time as it is considering a Bill of Rights. Governments and Corporations

should not be in the business of misleading members of the public.

LEGAL , CONS OVAL ANDADMINISTRATIVE REVIEW COMM ITTE E

20 AUG 1997

Market Research Society of Australia - Queensland

Response to the Legislative Assembly of Queensland Legal,Constitutional and Administrative Review Committee

"Privacy in Queensland Issues Paper"

Contents

General (Issues 1-3) page 1

Option - Information Privacy Principles (Issues 4-7) page 2

Option - A Privacy Commissioner / Privacy Committee (Issues 8 - 11) page 3

Scope of Privacy Regime (Issues 12 - 19) page 4

Smart Cards & Electronic Banking (Issues 20 & 21) page 5

Other Privacy Concerns (Issues 22 & 23) page 5

Appendices

MRSA National Response to Attorney General's Department Discussion Paper"Privacy Protection in the Private Sector" (Includes MRSA Code of ProfessionalBehavior)

Further details: Otto Wirgau (07) 32251674 (email : [email protected])Warren Laffan (07) 33687000

Market Research Society ofAustralia (MRSA) - Queensland

Response to Queensland Issues Paper "Privacy in Queensland"

General (issues 1-3)

There would appear to be little valid need for privacy legislation and/or administrative actionbeing taken at a state level. At a state level, a main concern should be that we may continueto conduct business with the other states in the Commonwealth, with our international tradingpartners, and in maintaining an environment which is conducive towards industry needs andemployment.

Privacy legislation must be a national exercise, if it is to be successful. To engage in aprivacy policy on a state by state basis does not necessarily (or even remotely appear to)satisfy the needs of other nations which do have specific privacy legislation (such as the 34articles which make up the European Unions European Directorate). A state based privacypolicy also would be likely to place enormous restrictions on interstate trade, both in theinstance of states with similar legislation, and between states with differing legislation. Inpractice, a state based privacy policy would be likely to be tantamount to unenforceable.

In the event of Queensland's interstate trading partners initiating restrictive state basedprivacy policies (similar to what is being canvassed in this discussion paper), then, and onlythen, should Queensland evaluate instigating similar parallel legislation. Queensland mustmaintain the awareness that to join with some states is likely to be at the exclusion of tradewith other states and other historic trading partners.

r

In the past, the MRSA has broadly supported NATIONAL'legislation on privacy. Theexisting MRSA Code of Professional Behavior is already of an equivalent, or even somewhatmore rigours nature than that proposed in the national discussion paper from the AttorneyGeneral to which the MRSA national body responded (jointly with the AMRO and theMRQA) (please see appendix 1).

From the point of view of the Market Research Society of Australia - Queensland (MRSA -Queensland), the existing environment, coupled with the existing MRSA industry Code ofProfessional Behavior and the Invasion of Privacy Act 1971 (Qld) work to maintain anexisting environment which protects the privacy of Queenslanders.

Concern exists on our part that any proposed privacy legislation should not inadvertentlyintroduce new regulations or requirements that could make the practice of market, social andsurvey research more difficult or unfeasible with respect to the statistical validity of theresults by restricting access to respondents, or more costly via unwarranted time-consumingadministrative requirements. This would be most unfortunate, as market, social, and surveyresearch is also an effective means of communication between members of the public andpolitical parties; governments; and supplies of services or goods such as governmentagencies, businesses and not for profit organisations. Market, social and survey research alsofacilitates effective communication between employees and their employers.

1



Option - Information Privacy Principles (issues 4-7)

There is limited justification for assessing IPPs in this situation, in part due to the argumentsextended previously in this response. A state by state application of state specific privacylaws would likely bring about a significant financial burden, and a decrease in the efficiencyin which business could be conducted. The extent of Queensland's ability to control theinflow and outflow of all electronic data into and out of the state would be likely to be thecreation of an environment leading to an inefficient usage of public moneys and resources, aswell as a rather severe imposition on business and upon the cost of doing business.

What exactly would be gained by the state of Queensland by implementing state basedprivacy laws, and their interaction with international and other state standards, would have tobe clarified fully, and then carefully assessed. It is not apparent how a state based privacypolicy would be in the public interest, nor is it clear how the benefits would outweigh thelikely substantial costs.

If a Commonwealth/national implementation of privacy laws were to be looked at, it wouldneed to address several international issues including, but not limited to:

• Relationship with the European Unions European Directorate• The relationship between the 36 articles of the European Unions European

Directorate, and the 11 IPPs apparently derived from the OECD principles.• Other international standards (both existing and proposed) being adhered to by

Australia's other major trading partners (particularly Japan, Korea, India,USA, Taiwan, etc...).

• Issues raised in the national MRSA response to the Attorney GeneralsDiscussion Paper on "Privacy Protection in the Private Sector"

At either a state or a national level, concern exists that any proposed privacy legislationshould not inadvertently introduce new regulations or requirements that could make thepractice of market, social and survey research more difficult or unfeasible with respect to thestatistical validity of the results by restricting access to respondents, or more costly viaunwarranted time-consuming administrative requirements. This would be most unfortunate,as market, social, and survey research is an effective means of communication betweenmembers of the public and political parties; governments; and supplies of services or goodssuch as government agencies, businesses and not for profit organisations. Market, social andsurvey research can also facilitate effective communication between employees and theiremployers.

In particular the following legislation would have to be carefully, framed to avoid severalother likely pitfalls, examples including, but not limited to situations where;

• A restriction on approaches being made at random to individuals for marketsocial or survey research purposes. Random sampling is an integral part ofresearch design aimed at ensuring the results of research truly represent theview of the whole group. Random sampling enables valid statisticalprojections to be made, and seeks to avoid decisions being made on the basisof views offered by a particular, or small but vocal, minority.

2

Market Research Society of Australia (MRSA) - Queensland


• New record keeping and reporting requirements being required in addition tothe record keeping procedures normally used to manage a market, social andsurvey research project. This could have the effect of leading to a reduction ofprivacy through the introduction of unnecessary and costly administrativereporting procedures.

• The utilization of IPP terminology which is open to interpretation (forexample; `unreasonable extent')

Option - A privacy commissioner / privacy committee (issues 8 - 11)

As raised for discussion previously, the justification in assessing the installment of aQueensland Privacy Commissioner(s) role is severely limited by the relevance of a state basedprivacy protection. An application of state specific privacy laws would be likely to bringabout a significant financial burden, a decrease in the efficiency in which business could beconducted, and given the extent of Queensland's preparedness to control the inflow andoutflow of all electronic data into and out of the state, would be likely to lead to an inefficientusage of state money, and resources.

If a Commonwealth/national implementation of privacy laws were to be looked at, it wouldneed to address several international issues including, but not limited to:

• Relationship with the European Unions European Directorate• The relationship between the 36 articles of the European Unions European

Directorate, and the 11 IPPs apparently derived from the OECD principles.• Other international standards (both current and proposed) being adhered to by

Australia's other major trading partners (particularly Japan, Korea, India,USA, Taiwan, etc...).

• Who would be responsible for selecting a commissioner(s)• What the exact mandate of a privacy commissioner or committee would be• Who would such a committee be composed of• Whom it would be meant to be representative of

3



Scope of privacy regime (issues 12 - 19)

If a Commonwealth/national implementation of privacy laws were to be looked at, it wouldclearly be advantageous to be able to meld in with other international standards, so as tominimize Australia's isolation from its trading partners and business partners. Any privacyregulation should address several international issues including, but not limited to:

• Equivalency with the European Unions European Directorate• Ascertain the relationship between the 36 articles of the European Unions

European Directorate, and the 11 IPPs apparently derived from the OECD.• Other international standards being adhered to by Australia's other major

trading partners (particularly Japan, Korea, India, USA, Taiwan, etc...).

Clearly any Commonwealth/national implementation of privacy laws would have to work inthe international climate (example; European, Unions European Directorate). That wouldcertainly appear to include the following groups listed in issues 12, 13, and 14 of theQueensland discussion paper:

• the private sector• the public sector• government owned corporations• local government activities

As has been maintained throughout this response, implementation of privacy regulations onan individual state, or state by state basis, would seem to be of little positive application forthe private sector. It would also appear to be of little, if any, benefit for the public sectorgovernment owned corporations, and local government activities.

The cost imposition of initiating and enforcing privacy laws on even a national basis wouldbe likely to be very high. Should this be done on a state basis, it would be of far greater costthan any foreseeable benefit likely to be derived. Alternatively, there may be some argumentfor greater benefit utilizing a Commonwealth based national legislation which would addressthe privacy concems/legislation of our major trade partners, should that situation arise.

The issue of regulatory application to bodies performing services for government wouldappear to be directly related to the privacy laws passed, and their status. There is littlejustification for anticipating the specific ramifications for state government, as there is nopressing advantage to implementing a state based privacy policy. There appear to be cleardisadvantages in pursuing of this on a state level. However, the implications on a nationallevel application must be clearly spelled out by whatever system is put into place. TheEuropean Unions European Directorate, for example, has spelled this out readily; however,this appears to be not worth considering on a state basis.

There undoubtedly would be some advantage to having a national level coordination body.This would naturally occur with the imposition of national legislation. Should something beimplemented on a state by state basis, it would still be necessary to address the anticipatedhigh number of interstate differences and issues which would occur between states witheither the same, similar, or no system, in place but with whom trade is conducted. A nationallevel coordination body would also contribute to the national transfer of information andother commercial activities which must continue as a part of maintaining their existing levelof business.

4



The Freedom of Information - Privacy interrelationship issue must certainly be addressed inany privacy system examined. Dependent on how FOI is applied to a system which seeks toaddress the privacy issue, this may lead to the necessary level of concurrent legislation. Itnaturally follows on that should this be addressed at a state level, the obvious complicationsthat would be sure to follow between different states would further complicate the issue ofcooperation regarding complaints regime.

As has been maintained throughout this response; the European Unions EuropeanDirectorate is really only relevant at a national level, and to discuss it as an issue for a state toaddress would appear to be poor utilization of scarce state resources. with regard to theEuropean Unions European Directorate in particular, the international standards beingadhered to by Australia's other major trading partners (particularly Japan, Korea, India, USA,Taiwan, etc...) must be addressed with considerable detail. The implications for othercountries with which we engage in trade and commerce must be detailed with rigor. Thiswould include assessing the exact types of trade and commerce conducted between (andwithin) firms, industries, and governments.

The OECD Cryptography Policy Guidelines is another example of an approach which isinarguably better implemented at a national level, as opposed to a state, or state by state level.The need for it at a national level is, if at all, arguable, as the imposition on business andtrade would be extensive, the cost of enforcement high, and the benefit unclear.

Smart cards and electronic banking (issues 20 and 21)

Smart cards, and the information they make usage of, would appear to be best regulated at anational level, if to be regulated at all. In general, any form of regulation of industries whichare of a national basis would clearly seem to have advantage in being addressed from anational level. An uncoordinated maze of state based systems seeking to address similarissues would likely be a draining influence on the resources of the country.

Other privacy concerns (issues 22 and 23)

Market, survey, and social research is based on the willing cooperation of the public and thebusiness community. Such cooperation depends on public and business confidence thatmarket research is carried out honestly and objectively using process that protect the identityand rights of individuals without any unwelcome intrusion. The key principles of the MRSACode of Professional Behaviour include:

• Respondents identities must not be revealed without their consent to anyonenot directly involved in a professional market research project (including theclient who commissioned the work) or used for any non-research purpose

• Nobody shall be adversely affected or harmed as a direct result of participatingin a professional market research study

• Respondents must be able to check without difficulty the identity and bonafides of researchers

• Respondents co-operation in a professional market research is entirelyvoluntary at all stages; they must not be misled when being asked for theirco-operation

5



• No child under 14 years shall be interviewed without parent's / guardian's /responsible adult's consent

Be it at a state or a national level, concern exists that any proposed privacy legislation shouldnot inadvertently introduce new regulations or requirements that could make the practice ofmarket, social and survey research more difficult or unfeasible with respect to the statisticalvalidity of the results by restricting access to respondents, or more costly via unwarrantedtime-consuming administrative requirements. This would be most unfortunate, as market,social, and survey research is an effective means of communication between members of thepublic and political parties; governments; and supplies of services or goods such asgovernment agencies, businesses and not for profit organisations. Market, social and surveyresearch can also facilitate effective communication between employees and their employers.

In particular any legislation would have to be carefully framed to avoid several other likelypitfalls, examples including, but not limited to situations where;

• A restriction on approaches being made at random to individuals for marketsocial or survey research purposes. Random sampling is an integral part ofresearch design aimed at ensuring the results of research truly represent theview of the whole group. Random sampling enables valid statisticalprojections to be made and seeks to avoid decisions being made on the basisof views offered by a particular, or small but vocal, minority.

• New record keeping and reporting requirements in addition to the recordkeeping procedures normally used to manage a market, social and surveyresearch project which could have the effect of leading to a reduction ofprivacy through the introduction of unnecessary and costly administrativereporting procedures.

• IPP terminology which is open to interpretation (example; `unreasonableextent')

• Attention must be drawn to the clear distinction between market, social, andsurvey research; and practices of direct marketing or direct selling. Market,social, and survey research seeks to benefit the community by providingaccurate information to assist the decision making process of government,government agencies, commercial, and not for profit organisations. Market,social and survey research can also facilitate effective communication betweenemployees and their employers.

Market, social, and survey research specifically does not include activities related to directselling, or preparing to offer goods or services for sale.

The following activities are not a part of market, social, and survey research, and arespecifically prohibited by the MRSA Code of Professional Behavior.

• Inquires whose objectives are to obtain personal information about privateindividuals per se, whether for legal, political, supervisory (eg jobperformance), private, or other purposes

• The acquisition of information for use for credit-rating or similar purposes• The compilation, updating or enhancement of lists, registers, or databases

which are not exclusively for research purposes (eg, which will be used fordirect marketing or prospecting)

6



Industrial, commercial, or any other form of espionage

Sales or promotional approaches to individual respondentsThe collection of debtsDirect, or indirect attempts, including by the design of a questionnaire, toinfluence a respondent's opinions, attitudes or behaviour on any issue, such aspush polling.

7



Appendix 1

8

MRSA, AMRO & MRQA Submission

on the

Attorney General's Department Discussion Paper

"Privacy Protection in the Private Sector"

CONTENTSPage

1. Submission by MRSA, AMRO & MRQA 1

2. MRSA, AMRO and MRQA Endorse

the Proposed Legislation

2

3. What is Market, Social and Survey Research? 3

3.1 What is Not Market, Social and Survey Research! 3

4. Benefits to the Community of Market, Social

and Survey Research

4

5. Scope of the Market, Social and Research Industry 5

6. MRSA Code of Professional Behaviour - An Overview 5

7. Concerns of MRSA, AMRO and MRQA 6

7.1 Privacy Principle 3 (d) - Concerns about Intrusion 7

7.1.1 Recommendation by MRSA, AMRO & MRQA 8

7.1.2 Comments on'Preference List' or'Opt-Out' Arrangements 8

7.1.3 Use of Contact Lists 9

7.2. Privacy Principle 5 - Parts 5.3 and 5.4

Record Keeping & Annual Reporting

10

7.2.1 Recommendation by MRSA, AMRO & MRQA 12

7.3 Principle 6 - Access to Records 12

APPENDICES

1. MRSA Code of Professional Behaviour

2. Sampling Methods

Submission on the Attorney General's DepartmentDiscussion Paper 'Privacy Protection in the Private Sector'

1. Submission by MRSA, AMRO & MRQA

This submission is made jointly by:

n the Market Research Society of Australia (MRSA)n the Association of Market Research Organisations (AMRO), andn Market Research Quality Assurance, Inc. (MRQA).

MRSA is a professional society of individuals engaged in the practice of market,social and survey research . Full professional membership is limited to memberswho satisfy educational and practical experience criteria.

MRSA members include economic analysts, psychologists, social researchers,marketing analysts , statisticians and users of market , social and survey research.

AMRO is an association of corporations which conduct market, social and surveyresearch.

rMRQA is an independent body which was established to set and auditprofessional standards specific to market, social and survey research for thepurposes of effective industry self-regulation.

The council of MRQA includes representatives of MRSA and AMRO andindividual members from the Australian Social Research Association, the Office ofGovernment Information and Advertising, and tertiary education institutions.

The professional practice of market research in Australia is controlled by theMRSA Code of Professional Behaviour to which all members of MRSA andprincipals of AMRO member organisations commit to annually by signature as acondition of membership. A copy of the MRSA Code of Professional Behaviour isprovided as Appendix 1.

The function of MRQA is to ensure compliance with the MRSA Code ofProfessional Behaviour by checking that the processes described in the Code areadhered to in the same sense that quality standards are monitored within theISO 9000 Quality System.

MRQA administers Interviewer Quality Control Australia (IQCA) which isa quality assurance process based on the MRSA Code of Professional Behaviour.The IQCA process includes setting minimum quality standards, accreditation oforganisations which meet the required standards, and annual audits of theirperformance with respect to maintaining their accreditation.

Page 1.

Submission on the Attorney General's DepartmentDiscussion Paper'Privacy Protection in the Private Sector'

2. MRSA, AMRO and MRQA Endorse the Proposed Legislation

MRSA, AMRO and MRQA strongly support the intentions of the proposedintroduction of privacy legislation for the private sector.

The legislation will, in effect, bring into law provisions of the MRSA Code ofProfessional Behaviour which in general are equivalent to, or more rigorous than,the proposed Privacy Principles with respect to protecting the privacy ofindividuals.

The market, social and survey research industry has been following theprocedures described in the MRSA Code of Behaviour for many years and theMRSA has received very few complaints which have been directly related tomarket, social or survey research activities.

It is envisaged that in due course, the MRSA Code of Professional Behaviour(with any modifications that may be required with respect to the Privacylegislation) would be adopted as the industry standard'Code of Practice' formarket, social and survey research. .

However, MRSA, AMRO and MRQA are concerned that the implementation ofthe proposed privacy legislation should not inadvertently introduce newregulations or requirements that would make the practice of market, social andsurvey research more difficult or even infeasible with respect to the statisticallyvalidity of sampling procedures, or more costly by way of introduction ofunwarranted administrative procedures.

Of particular concern are Principle 3(d) with respect to intrusion, and Sections 5.3and 5.4 of Principle 5 with respect to record keeping and reporting.

Regarding intrusion, market, social and survey research generally involvescontacting members of the public at random to gain the views of a representativesample of the relevant population.

Any restrictions on approaching potential respondents would inhibit or preventrandom sampling and place the statistical validity of research results in jeopardy.That is, restrictions on random sampling would prevent collection of accuratepublic opinion on issues that could affect people's lives and well being.

We argue strongly that legislation that would restrict a researcher's ability toconduct statistically significant research based on random sampling of therelevant population is not in the public interest.

Page 2.

Submission on the Attorney General 's DepartmentDiscussion Paper 'Privacy Protection in the Private Sector'

3. What is Market, Social and Survey Research?

Market, social and survey research involves the systematic collection and objectiverecording of information from individuals or organisations which is collated,aggregated and analysed to investigate the behaviour , needs, attitudes, opinionsor motivations of a whole population , or a particular part of a population.

Market, social and survey research is based on scientific principles which make itpossible to determine with confidence , the attitudes or opinions of a large groupfrom research carried out with a representative sample of individuals (ororganisations) selected at random from that group.

The information collected is used for statistical and research purposes and is nopassed on, or presented to any party, or published in a form that would enableany individual respondent to be identified.

Market, social and survey research practitioners are concerned about protectingthe privacy of the individuals and organisations who participate in research asrespondents . Such concerns are to avoid any possible harm and to foster goodwillso individuals will be willing to take part in research again in the future.

3.1 What is Not Market, Social and Survey Research!

Attention is drawn to the clear distinction between market , social and surveyresearch and direct marketing or direct selling.

Market, social and survey research seeks to benefit the community by providingaccurate information to assist the decision making processes of Government,Government agencies, commercial and not for profit organisations.

Market, social and survey research specifically does not include activities relatedto direct selling, or preparing to offer goods or services for sale, such as:

(a) Requesting personal information as a lead-in to offering goods or servicesfor sale (selling under the guise of market research or "sugging"); and

(b) Collecting personal information to identify prospects for subsequentselling or marketing activities.

The following activities rent market, social and survey research and arespecifically prohibited by the MRSA Code of Professional Behaviour(Notes to Rule 15 of the MRSA Code - p. 9 of Appendix 1 refer):

(i) Inquiries whose objectives are to obtain personal information aboutprivate individuals per se, whether for legal, political, supervisory(eg. job performance), private or other purposes

Page 3.


What is Not Market, Social and Survey Research (continued)

(ii) The acquisition of information for use for credit-rating or similarpurposes

(iii) The compilation, updating or enhancement of lists, registers ordatabases which are not exclusively for research purposes(eg. which will be used for direct marketing or prospecting)

(iv) Industrial, commercial or any other form of espionage

(v) Sales or promotional approaches to individual respondents

(vi) The collection of debts

(vii) Direct or indirect attempts, including by the design of thequestionnaire, to influence a respondent's opinions, attitudes orbehaviour on any issue, such as push polling.

4. Benefits to the Community of Market, Social and Survey Research

Market, social and survey research is an effective means of communicationbetween members of the public and political parties; governments; and suppliersof services or goods such as government agencies, businesses and not for profitorganisations. It can also facilitate effective communication between employeesand their employers.

In a very real sense, market, social and survey research is the 'voice of the people'.It provides individuals with the opportunity to express their opinions and havethem considered when decisions are made which may affect them.

Market, social and survey research seeks to determine the attitudes or opinionsof the whole community in order to avoid the possibility of decisions being madeon the basis of views offered by a particular, small but vocal minority.

To provide what the public needs, decision makers and supplier organisationsmust understand the differing needs; how best to meet these needs; and how tocommunicate most effectively about the services or goods that are available.

Feedback from individuals and organisations (as citizens, employees, consumers,customers, clients, etc.) to decision makers and suppliers is an essential input intothe management processes of organisations of all kinds.

Such feedback and measurement procedures are fundamental to the managementphilosophy of the ISO 9000 Quality System.

Page 4.


5. Scope of the Australian Market, Social and Research Industry

Market, social and survey research is an essential part of modern decision making.For example, the Australian Government operates the Australian Bureau ofStatistics (ABS) to collect and provide statistical information to facilitate 'informeddecision making' by both Government and business organisations.

The services of the market, social and survey research industry are widely usedby governments and government agencies, and by commercial and not for profitorganisations to collect accurate and timely information about issues relevant totheir activities to support their decision making processes.

In Australia the annual expenditure on market, social and survey research isestimated to be about $500 million (including the ABS) and the industry providesemployment for more than 20,000 people ( including both full time and part timeemployees).

6. The MRSA Code of Professional Behaviour - An Overview

The professional practice of market, social and survey research in Australia iscontrolled by the MRSA Code of Professional Behaviour to which all members ofMRSA and principals of AMRO member organisations commit themselves toannually by signature as a condition of their membership.

The MRSA has adopted the International Code prepared jointly by theInternational Chamber of Commerce (ICC) and the European Society for Opinionand Market Research (ESOMAR) as the MRSA Code of Professional Behaviour.

The full text of the Code including the Notes prepared by the MRSA on how theCode is to be applied is provided as Appendix 1.

The MRSA Code of Professional Behaviour specifically seeks to protect theprivacy of individuals through protection of personal information.

Market & social research is based on the willing cooperation of the public and thebusiness community . Such cooperation depends on public and businessconfidence that market research is carried out honestly and objectively usingprocesses that protect the identity and rights of individuals and without anyunwelcome intrusion.

The following summary of key principles relating to the responsibilities ofresearchers to respondents have been taken from the text of the Code forillustration purposes (they are not a substitute for the full text of the Code).

Page 5.

Submission on the Attorney General 's DepartmentDiscussion Paper'Privacy Protection in the Private Sector'

Key Principles of the MRSA Code of Professional Behaviour

• Respondents' identities must not be revealed without their consent toanyone not directly involved in the market research project (including theclient who commissioned the work) or used for any non-research purpose.

• Nobody shall be adversely affected or harmed as a direct result ofparticipating in a market research study.

Respondents must be able to check without difficulty the identity andbona fides of researchers.

• Respondents' co-operation in a market research project is entirely voluntaryat all stages; they must not be misled when being asked for theirco-operation.

• No child under 14 years shall be interviewed without parent 's/guardian's/responsible adult's consent.

7. Concerns of MRSA, AMRO and MRQA

MRSA, AMRO and MRQA are concerned that the implementation of theproposed privacy legislation should not inadvertently introduce newregulations or requirements that could make the practice of market, social andsurvey research more difficult or infeasible with respect to the statisticalvalidity of the results by restricting access to respondents, or more costly viaunwarranted time-consuming administrative requirements.

These situations could arise now, or at some future time, if the wording of thePrivacy Principles and the associated text were left open to interpretation.

In particular , MRSA, AMRO and MRQA wish to express concerns aboutlegislation which could:

(i) Restrict approaches being made at random to individuals for market,social or survey research purposes.

Random sampling is an integral part of research design aimed at ensuringthe results of the research truly represent the views of the whole group.Random sampling enables valid statistical projections to be made. .

Introduce new record keeping and reporting requirements in addition tothe record keeping procedures normally used to manage a market, socialand survey research project.

The concern is to avoid reducing privacy through the introduction ofunnecessary and costly administrative and reporting procedures.

Page 6.


7.1 Privacy Principle 3(d) - Re Concerns about Intrusion

In the wording of Privacy Principle 3, namely:

"having regard to the purpose for which the information is collected ...

(d) the collection of the information does not intrude to an unreasonable extentupon the personal affairs of the individual concerned"

the meaning of 'unreasonable extent' is open to interpretation.

Amendment to Principle 3 is sought via inclusion of a statement to define what is,and/or what is not 'unreasonable' in the context of 3(d).

MRSA, AMRO & MRQA argue that approaching individuals to request theirparticipation in market, social or survey research is not an unreasonable intrusionon the grounds that:

1. Under the Privacy Principles individuals must be given valid reasons forrequests for personal information from researchers.

2. Researchers must be able to establish their bona fides.

3. Individuals have freedom of choice to participate, or not to participate inthe research project.

4. The purpose of market, social and survey research is to produce aggregatedinformation for statistical and research purposes in a format from whichno particular individual could be identified. That is, the informationcollected from an individual is not to be passed on or presented in anyform that would enable that individual to be identified.

5. The function of market research is to serve the community interest as acommunication channel between members of the public and decisionmakers (in Government, business and not for profit organisations) whocontrol the provision of services or goods needed by the community.

6. Measurement is an essential component of quality standards under theISO 9000 Quality Standards system making statistically reliable researchsampling an essential component of quality management.

In recent years the introduction of quality standards and qualitymanagement practice has been a priority concern of Government.

In order to obtain statistically meaningful results from a relatively smallnumber of research interviews market, social and survey research work isof necessity based on random sampling.

Page 7.


7.1.1 Recommendation by MRSA, AMRO & MRQA

To avoid introduction of privacy procedures based on the wording of PrivacyPrinciple 3(d) that could make current market research practices with respect toscientific sampling methodology technically difficult (if not impossible),administratively complex and generally much more costly, it is recommendedthat a statement be included within Principle 3 to the effect:

"The collection of information by a bona fide market research interviewer forthe sole purpose of market, social or survey research where the informationwill be stored in an aggregated form for statistical or research purposes, andwhere the information will not be presented or published in a form that couldreasonably be expected to identify any individual concerned, is not consideredto be an unreasonable intrusion".

7.1.2 Comments on'Preference List' or'Opt-Out' Arrangements

Of particular concern to market, social and survey research practitioners is thesuggestion that a 'preference list' or 'opt-out' system could be introducedwhereby a telephone subscriber or householder may seek to have his or hertelephone number or street address placed on a preference list to avoid beingapproached to take part in market research interviews.

It is understood the concept of such a preference list arises from direct marketingwhere marketers may work from a prepared list of contacts. Advanced databasing software and analysis skills are used to facilitate one-on-one marketing.In the case of direct marketing, screening a prepared list against a preference listis at least technically feasible.

In contrast, much of market, social or survey research involves random samplingrather than the use of prepared or pre-existing contact lists. Where pre-existinglists are used they are generally provided by the client, eg. customer or client lists.

The use of lists is a minor component of market, social and survey researchestimated to account for only five to ten per cent of research project work.

Random sampling involves making approaches to participate in market, social orsurvey research from a certain starting point (eg. a specific address) then makingsubsequent contacts according to a simple formula (eg. every third house on theleft.,hand side of the street).

See Appendix 2. for a brief summary of sampling procedures.

Page 8.

Submission on the Attorney General 's DepartmentDiscussion Paper'Privacy Protection in the Private Sector'

In the case of random sampling, satisfying a requirement to screen potentialcontacts against a preference list would be unworkable, and could substantiallychange the way market, social and survey research is carried out. Such screeningprocedures would also have implications with respect to the statistical validity ofthe sample.

This submission strongly asserts that the introduction of a preference list schemeto restrict approaches to individuals for the purposes of market, social and surveyresearch is unwarranted for the reasons advanced under 7.1.1 above and thefollowing.

Australian research indicates most individuals understand the difference betweenmarket, social and survey research and direct selling or direct marketing and, ingeneral, are favourably disposed to taking part in market research provided theapproach is made at a convenient time, and the interview will not take too long.

Some resistance to participating in market, social and survey research has resultedfrom direct marketing practices in which salespersons misleadingly representthemselves as conducting research as a precursor to making a sales presentation.

The impacts of a preference or opt out scheme on market research would include:

(i) The costs of establishing and maintaining a preference list;

(ii) Costs of screening to ensure households (identified by telephonenumber or street address) on the list were not contactedinadvertently;

(iii) The impracticality of screening with respect to a preference list inthe case of random telephone and random door to door sampling;

(iv) The statistical validity of the 'screened' sample and the reliabilityof the research results would be open to question.

7.1.3 Use of Contact Lists

It has been noted that the Office of the Privacy Commissioner has particularconcerns about the use of pre-existing contact lists with respect to intrusions onthe privacy of individuals.

Research using contact lists is a minor component (less than 10 per cent) ofmarket, social and survey research . Such research is generally based on contactinformation supplied by the 'client', such as a customer or client list. It is rare forpersonal information to be provided in addition to name and telephone number.

Obtaining the appropriate consent for an approach for interview would be theresponsibility of the contact list supplier in accordance with Privacy Principle 2.

Page 9.


7.2. Privacy Principle 5 - Parts 5.3 and 5.4 Record Keeping & Annual Reporting

The record keeping and related annual reporting requirements outlined in theDiscussion Paper could impose unwarranted administrative work and costs onmarket, social and survey research projects, and could reduce the level of privacyprotection provided by current market, social and survey research industrypractices under the MRSA Code of Professional Behaviour and the InterviewerQuality Control Australia (IQCA) quality standards.

IQCA is a quality assurance process based on the MRSA Code which includessetting minimum quality standards, accreditation of organisations which meet therequired standards, and annual audits of their performance with respect tomaintaining their accreditation.

The arrangements under the MRSA Code of Professional Behaviour and the IQCAstandards are designed to provide privacy protection for personal informationwhile it is held by the researcher or research organisation as follows:

1. Field records containing personal identifiers must be held securely by theresearcher or research organisation and must not be made available to anyother party.

Note that not all records of interview will contain personal identifiers.

2. After processing and checking (typically about two weeks after datacollection) personal identifiers must be removed from field records.

If there is a need to keep personal identifier information it must be keptseparately and securely from the field records and other records of the factsor opinions of respondents.

There must be no linkage between personal identifiers and personalinformation by way of a coding system or the like.

3. Any other arrangement to retain personal identifiers must be with theconsent of the respondents (eg. where respondents have agreed thatfollow-up contacts may be made to them).

Unless there is an agreement to the contrary (eg. where respondents have given'informed consent ' for follow-up contacts to be made to them), personal identifiersshould be removed from primary field records after the completion of data entryand any necessary fieldwork quality checks, typically within two weeks. At thispoint these records cease to be personal information.

The period of time research records should be kept will vary with the nature ofthe project and any requirements for follow -up research or further analysis.Primary field records (less personal identifiers) should be retained for only oneyear after completion of the fieldwork for possible follow-up work before beingdestroyed.

Page 10.

Submission on the Attorney Generars DepartmentDiscussion Paper 'Privacy Protection in the Private Sector'

For particular research management purposes the personal identifiers may bestored separately from the questionnaire or record of interview but there must beno possible linkage between personal identifiers and personal information(eg. via a coding system).

The specific requirements of the MRSA Code of Professional Behaviour as per theNotes to Rule 4 of the Code and the requirements for IQCA accreditation follow:

• All indications of the identity of respondents should be physicallyseparated from the records of the information they have provided as soonas possible after the completion of any necessary fieldwork quality checks.(Generally within two weeks.)

• The researcher must ensure that any information which might identify therespondents is stored securely and separately from the other informationthey have provided; and that access to such material is restricted toauthorised research personnel within the researcher 's own organisation forspecific research purposes (eg. field administration , data processing, panelor 'longitudinal ' studies, or other forms of research involving re-callinterviews).

• To preserve respondents' anonymity not only their names and addressesbut also any other information provided by or about them which could inpractice identify them (eg. their Company and job title) must besafeguarded.

• These anonymity requirements may be relaxed only under the followingsafeguards:

(a) where the respondent has given explicit permission for this under theconditions of 'informed consent ' summarised in Rule 4 (a) and Rule 4(b).

(b) where disclosure of names to a third party (eg. a sub-contractor ) is essentialfor any research purpose such as data processing or further interview(eg. an independent fieldwork quality check) or for follow-up research.

The original researcher is responsible for ensuring that any such thirdparty agrees to observe the requirements of this Code, in writing, if thethird party has not already formally subscribed to the Code.

The validity of these procedures under the MRSA Code of Professional Behaviourwith respect to privacy protection of respondents has been tested in courtproceedings. Attempts to gain access to the names and contact information ofrespondents to particular surveys were denied by the Court.

Page 11.

Submission on the Attorney General,'s DepartmentDiscussion Paper'Privacy Protection in the Private Sector'

7.2.1 Recommendation by MRSA, AMRO and MRQA

MRSA, AMRO and MRQA recommend that Privacy Principle 5 be amended tocontain wording to avoid the preparation of lists of names or contact informationof respondents to market, social and survey research projects for the sole purposeof privacy protection record keeping and reporting, as follows:

The primary information collected for bona fide market, social or surveyresearch as 'records of interview', questionnaires and the like should not beused to prepare lists of the names of respondents to a research project for thesole purpose of maintaining privacy protection records.

This is because information collected is held as personal information either foronly a short period of time (typically two weeks), or is held with the informedconsent of the respondents for specific research purposes.

The process of preparing lists of respondents for privacy protection recordkeeping purposes could serve to reduce privacy, and would introduceunwarranted administrative work.

7.3 Privacy Principle 6 - Access to Records

Respondents have rarely expressed concerns to see, alter or delete the record oftheir responses to a market, social or survey research activity (record of interview,questionnaire, etc.).

Where respondents have had concerns they have usually been expressed within afew hours or days following the research interview. That is, the concerns are notof a long term nature.

When requests to see, alter or delete a record have been made at this early stagewhile the field records were still available, the researcher or research organisationhas been able to comply with the request. This has involved searching throughfield records to find the record containing the person's name as no listing ofindividual respondents is kept.

The introduction of more structured record keeping procedures specificallydesigned to enable individuals to gain access to their record of interview,questionnaire or the like, could have the reverse effect of reducing personal.privacy as argued in 7.2 above.

It must be emphasised that information collected for the purposes of market,social and survey research is quickly converted to an aggregated form forstatistical or research purposes and is not passed on, used, presented or publishedin a form that would enable any individual respondent to be identified.

Page 12.

MARKET RESEARCH SOCIETY OF AUSTRALIACODE OF PROFESSIONAL BEHAVIOUR

Appendix 1. Submission re the Attorney-General's Department Discussion Paper 'Privacy Protection in the Public Sector'

KEY PRINCIPLES

Market research depends upon the willing co-operation of the public and the business community.This co-operation is based on public and businessconfidence that market research is carried outhonestly, objectively and without unwelcomeintrusion or disadvantage to respondents.

The purpose of market research is to collect andanalyse information and not to directly sell or promote

goods or services, influence respondents' opinions orengage in other non-research activities.

Researchers' Professional Responsibilities

Researchers must not, whether knowingly ornegligently, act in any way which could bring discrediton the market research profession or lead to loss ofpublic confidence.

Researchers must always strive to design researchwhich is cost-efficient and of adequate quality, and thento carry this out.

Researchers must not undertake any non-researchactivities (eg. telemarketing and push polling).

It is in this spirit that the Code of ProfessionalBehaviour has been devised.

The general public, business community and otherinterested parties are entitled to complete assurancethat every market research project is carried out strictlyin accordance with this Code and that their rights ofprivacy are respected.

The key principles of professional market researchhave been taken from the full text of the Code ofProfessional Behaviour of the MRSA and are bindingon its membership.

This summary of key principles cannot be taken as asubstitute for the full Code.

Responsibilities to Respondents

Respondents' identities must not be revealed withouttheir consent to anyone not directly involved in themarket research project or used for any non-researchpurpose.

Nobody shall be adversely affected or harmed as adirect result of participating in a market research study.

Respondents must be able to check without difficultythe identity and bona fides of researchers.

Respondents' co-operation in a market research projectis entirely voluntary at all stages; they must not bemisled when being asked for their co-operation.

No child under 14 years shall be interviewed withoutparents'/guardians'/responsible adults' consent.

Researchers' and Clients' Mutual Rightsand Responsibilities

Market research must always be conducted according tothe principles of fair business practice.

Researchers must ensure that clients are aware of theexistence of the Code and of the need to comply with itsrequirements.

Clients' identities, information about their businesses,and their commissioned market research data andfindings remain confidential to the clients unless bothclients and researchers agree the details of anypublications.

Researchers must provide clients with all appropriatetechnical details of any research project carried out forthose clients.

The research findings must always be reportedaccurately and never used to mislead anyone in anyway.

INDEX

Key PrinciplesIntroductionThe International CodeDefinitionsRulesA.B.C.

GeneralThe Rights of RespondentsProfessional Responsibilitiesof Researchers

D. The Mutual Rights & Responsibilitiesof Researchers and Clients

E. Implementation of the Code

Notes on how the MRSA Code ofProfessional Behaviour should be applied

1.

5

6

7-10

MARKET RESEARCH SOCIETY OF AUSTRALIA

CODE OF PROFESSIONAL BEHAVIOUR


INTRODUCTION

Effective communication between the suppliers andconsumers of goods and services of all kinds is vital to amodem society. Growing international links make thiseven more essential.

For a supplier to provide in the most efficient way whatconsumers require, he/she must under-stand theirdiffering needs; how best to meet these needs; and howhe/she can most effectively communicate the nature ofgoods or services he/she is offering.

This is the objective of market research. It applies inboth private and public sectors of the economy. Similarapproaches are also used in other fields of study.For example, in measuring the public's behaviour andattitudes with respect to social, political and other issuesby Government and public bodies, the media, academicinstitutions, etc. Market and social research have manyinterests, methods and problems in common althoughthe subjects of study tend to be different.

Such research depends upon public confidence:confidence that the research is carried out honestly,objectively, without unwelcome intrusion ordisadvantage to respondents, and based upon theirwilling co-operation. This confidence must be supportedby an appropriate Code of Professional Behaviour whichgoverns the way in which market research projects areconducted.

The first Code of Marketing and Social Research Practicewas published by the European Society for Opinion andMarket Research (ESOMAR) in 1948. This was followedby a number of Codes prepared by national marketresearch societies and by other bodies such as theInternational Chamber of Commerce (ICC) whichrepresents the international marketing community.

In 1976 ESOMAR and the ICC decided that it wouldbe preferable to have a single International Code insteadof the differing ones, and a joint ICC/ESOMAR Codewas published in the following year (with revisions in1986).

This new version sets out as concisely as possible thebasic ethical and business principles which govern thepractice of market and social research. It specifies therules which are to be followed in dealing with thegeneral public and with the business community,including clients and other members of the profession.

Members working for the Australian Bureau of Statisticsare constrained by Australian Law under clause 2.They are exempt from conflicting parts of section Bwhile in the employ of the ABS.

After a review of the ICC/ESOMAR Code, MRSAadopted this Code in 1995 as the MRSA Code ofProfessional Behaviour.

The associated Notes on how the Code should beapplied have been modified for Australian market andsocial research practice.

THE INTERNATIONAL CODE

This Code sets out the basic principles which mustguide the actions of those who carry out or use marketresearch. Individuals and organisations who subscribeto it must follow not just the letter but also the spirit ofthese rules.

No Code can be expected to provide a completelycomprehensive set of rules which are applicable to everysituation which might arise. Where there is any elementof doubt people should ask for advice and meanwhilefollow the most conservative interpretation of theseprinciples. No variation in the application of the rules inAustralia is permissible without explicit authorisationby MRSA.

Individuals are always responsible for ensuring thatthe other people in their organisation who to theirknowledge are concerned in any way with marketresearch activities are aware of, and understand, theprinciples laid down in this Code. They must use theirbest endeavours to ensure that the organisation as awhole conforms to the Code.

Subsequent changes in the marketing and socialenvironment, new developments in market researchmethods and a great increase in international activitiesof all kinds including legislation, led ESOMAR toprepare a new version of the International Code in 1994.

Acceptance of this International Code is a condition ofmembership of the MRSA. Members should alsofamiliarise themselves with the Notes and Guidelineswhich help in interpreting and applying the Rulesof this Code.

2.




DEFINITIONS

(a) Market research is a key element within thetotal field of marketing information. It links theconsumer, customer and public to the marketer throughinformation which is used to identify and definemarketing opportunities and problems; generate, refineand evaluate marketing actions; improve understandingof marketing as a process and of the ways in whichspecific marketing activities can be made more effective.

Market research specifies the information required toaddress these issues; designs the method for collectinginformation; manages and implements the data_ollection process; analyses the results; andcommunicates the findings and their implications.

Market research includes such activities as quantitativesurveys; research; media and advertising research;business-to-business and industrial research; researchamong minority and special groups; public opinionsurveys; and desk research.

The term researcher includes any department, etc.which belongs to the same organisation as that of theclient. A researcher linked to the client in this way hasthe same responsibilities under this Code, vis-a-vis othersections of the client organisation, as does one who iscompletely independent of the latter.

The term also covers responsibility for the proceduresfollowed by any subcontractor from whom theresearcher commissions any work (data collection oranalysis, printing, professional consultancy, etc.) whichforms any part of the research project. In such cases theresearcher must ensure that any such subcontractorfully conforms to the provisions of this Code.

(c) Client is defined as any individual,organisation, department or division (including onewhich belongs to the same organisation as theresearcher) which requests, commissions or subscribesto all or any part of a market research project.

In the context of this Code the term market research alsocovers social research where this uses similarapproaches and techniques to study issues notconcerned with the marketing of goods and service. Theapplied social sciences equally depend on such methodsof empirical research to develop and test theirunderlying hypotheses; and to understand, predict andprovide guidance on developments within society forgovernmental, academic and other purposes.

Market research differs from other forms of informationgathering in that the identity of the provider ofinformation is not disclosed.

Database marketing and any other activity where thenames and addresses of the people contacted are to beused for individual selling, promotional, fundraising orother non-research purposes can under nocircumstances be regarded as market research since thelatter is based on preserving the complete anonymity ofthe respondent.

(b) Researcher is defined as any individual,research agency, organisation, department or divisionwhich carries out or acts as a consultant on a marketresearch project or offers their services to do so.

(d) Respondent is defined as any individual ororganisation from whom any information is sought bythe researcher for the purposes of a marketing project.The term covers cases where information is to beobtained by verbal interviewing techniques, postal andother self-completion questionnaires, mechanical orelectronic equipment, observation and any othermethod where the identity of the provider of theinformation may be recorded or otherwise traceable.

(e) Interview is defined as any form of direct orindirect contact (using any of the methods referred to inthe above) with respondents where the objective is toacquire data or information which could be used inwhole or in part for the purposes of a market researchproject.

(f) Record is defined as any brief, proposal,questionnaire, respondent identification, check list,record sheet, audio or audio-visual recording or film,tabulation or computer print-out, EDP disc or otherstorage medium, formula, diagram, report, etc. inrespect of any market research project, whether in wholeor in part. It covers records produced by the client aswell as by the researcher.

3.



Appendix 1. Submission re the Attorney -General's Department Discussion Paper 'Privacy Protection in the Public Sector'

RULES

A. GENERAL

place. If a Respondent so wishes, the record orrelevant section of it must be destroyed ordeleted. Respondents' anonymity must not beinfringed by the use of such methods.

1. Market research must always be carried outobjectively and in accordance with establishedscientific principles.

2. Market research must always conform to thenational and international legislation whichapplies in those countries involved in a givenresearch project.

B. THE RIGHTS OF THE RESPONDENTS

3. Respondents' co-operation in a market researchproject is entirely voluntary at all stages. Theymust not be misled when being asked for theirco-operation.

4. Respondents ' anonymity must be strictlypreserved . If the Respondent on request fromthe Researcher has given permission for data tobe passed on in a form which allows thatRespondent to be personally identified:

(a) the Respondent must first have been told towhom the information would be supplied andthe purposes for which it will be used , and also

(b) the Researcher must ensure the information willnot be used for any non-research purpose andthat the recipient of the information has agreedto conform to the requirements of this Code.

5. The Researcher must take all reasonableprecautions to ensure that Respondents are inno way directly harmed or adversely affected asa result of their participation in a marketresearch project.

6. The Researcher must take special care wheninterviewing children and young people. Theinformed consent of the parent or responsibleadult must first be obtained for interviews withchildren.

Respondents must be told (normally at thebeginning of the interview) if observationtechniques or recording equipment are beingused, except where these are used in a public

8. Respondents must be enabled to check withoutdifficulty the identity and bona fides of theResearcher.

C. THE PROFESSIONAL RESPONSIBILITIESOF RESEARCHERS

9. Researchers must not, whether knowingly ornegligently, act in any way which could bringdiscredit on the market research profession orlead to a loss of public confidence in it.

10. Researchers must not make false claims abouttheir skills and experience or about those oftheir organisation.

11. Researchers must not unjustifiably criticise ordisparage other Researchers.

12. Researchers must always strive to designresearch which is cost efficient and of adequatequality, and then to carry this out to thespecifications agreed with the client.

13. Researchers must ensure the security of allresearch records in their possession.

14. Researchers must not knowingly allow thedissemination of conclusions from a marketresearch project which are not adequatelysupported by the data. They must always beprepared to make available the technicalinformation necessary to assess the validity ofany published findings.

15. When acting in their capacity as Researchers thelatter must not undertake any non-researchactivities, for example, database marketinginvolving data about individuals which will beused for direct marketing and promotionalactivities.

Any such non-research activities must always,in the way they are organised and carried out,be dearly differentiated from market researchactivities.

4.




D. THE MUTUAL RIGHTS ANDRESPONSIBILITIES OF RESEARCHERSAND CLIENTS

16. These rights and responsibilities will normallybe governed by a written contract between theResearcher and the Client. The parties mayamend the provisions of Rules 19-23 below ifthey have agreed to this in writing beforehand;but the other requirements of this Code may notbe altered in this way. Market research mustalways also be conducted according to theprinciples of fair competition, as generallyunderstood and accepted.

17. The Researcher must inform the Client if thework to be carried out for that Client is to becombined or syndicated in the same project withwork for other Clients but must not disclose theidentity of such Clients.

18. The Researcher must inform the Client as soonas possible in advance when any part of thework for that Client is to be subcontractedoutside the Researcher's own organisation(including the use of any outside consultants).On request, the Client must be told the identityof any such subcontractor.

19. The Client does not have the right, without prioragreement between the parties involved, toexclusive use of the Researcher's services orthose of his/her organisation, whether in wholeor in part. In carrying out the work for differentClients, however, the Researcher mustendeavour to avoid possible clashes of interestbetween the services provided to those Clients.

20. The following Records must remain theproperty of the Client and must not be disclosedby the Researcher to any third party without theClient's permission:

(a) market research briefs, specifications and otherinformation provided by the Client.

(b) the research data and findings from a marketresearch project (except in the case of syndicatedor multi-client projects or services where thesame data are available to more than oneClient).

The Client has however no right to know thenames and addresses of respondents unless thelatter's explicit permission for this has first beenobtained by the Researcher (this particularrequirement cannot be altered under Rule 16).

21. Unless it is specifically agreed to the contrary,the following Records remain the property ofthe Researcher:

(a) market research proposals and cost quotations(unless these have been paid for by the Client).They must not be disclosed by the Client to anythird party, other than to a consultant workingfor the Client on that project (with the exceptionof any consultant working also for a competitorof the Researcher). In particular, they must notbe used by the Client to influence researchproposals or cost quotations from otherResearchers.

(b) the,contents of a report in the case of syndicatedand/or multi-client projects or services wherethe same data are available to more than oneClient and where it is clearly understood thatthe resulting reports are available for generalpurchase or subscription. The Client may notdisclose the findings of such research to anythird party (other than to his/her ownconsultants and advisers for use in connect-ionwith his/her business) without the permissionof the Researcher.

(c) all other research Records prepared by theResearcher (with the exception in the case ofnon-syndicated projects of the report to theClient, and also the research design andquestionnaire where the costs of developingthese are covered by the charges paid by theClient).

22. The Researcher must conform to currentlyagreed professional practice relating to thekeeping of such Records for an appropriateperiod of time after the end of the project.On request, the Researcher must supply theClient with duplicate copies of such recordsprovided that such duplicates do not breachanonymity and confidentiality requirements(Rule 4); that the request is made within theagreed time limit for keeping the records; andthe Client pays the reasonable costs of providingthe duplicates.

5.




E. IMPLEMENTATION OF THE CODE

23. The Researcher must not disclose the identity ofthe Client (provided there is no legal obligationto do so), or any confidential information aboutthe latter's business, to any third party withoutthe Client's permission.

24. The Researcher must on request allow the Clientto arrange for checks on the quality of fieldworkand data preparation provided that the Clientpays any additional costs involved in this.Any such checks must conform to therequirements of Rule 4.

Queries about the interpretation of this Code, andabout its application to specific problems , should beaddressed to the National Secretariat of the MRSA.

Any apparent infringement should in the first place bereported immediately to the National Secretariat of theMRSA.

The MRSA, as appropriate, will then investigate thecomplaint and take such further action as may becalled for. This action can include suspension orwithdrawal of membership of the MRSA.

25. The Researcher must provide the Client with allappropriate technical details of any researchproject carried out for that Client.

26. When reporting on the results of a marketresearch project the Researcher must make aclear distinction between the findings as such,the Researcher's interpretation of these, and anyrecommendations based on them.

27. Where any of the findings of a research projectare published by a Client the latter has aresponsibility to ensure that these are notmisleading. The Researcher must be consultedand agree in advance the form and content ofpublication, and must take action to correct anymisleading statements about the research andits findings.

28. Researchers must not allow their names to beused in connection with any research project asan assurance that the latter has been carried outin conformity with this Code unless they are

confident that the project has in all respects metthe Code's requirements.

29. Researchers must ensure that Clients are awareof the existence of this Code and of the need tocomply with its requirements.

-00000-

The MRSA is currently reviewing the complaintsprocedures which are part of the Articles ofAssociation of the MRSA.

6.



NOTES ON HOWTHE CODE OF PROFESSIONAL BEHAVIOURSHOULD BE APPLIED

These Notes are intended to help users of the Code tointerpret and apply it in practice.

Any query or problem about how to apply the Code in aspecific situation should be addressed to the NationalSecretariat of the MRSA.

The Notes, and the Guidelines referred to in them, willbe reviewed and reissued from time to time. The Notesand Guidelines will continue to be updated when it islecessary to take account of changing circumstances orimportant new issues.

SECTION B

All Respondents are entitled to be sure that when theyagree to co-operate with this Code that the Researcherwill conform to its requirements. That in any marketresearch project they are fully protected by theprovisions that apply equally to Respondentsinterviewed as private individuals, and to thoseinterviewed as representatives of organisations ofdifferent kinds.

(Rule 3)

Researchers and those working on their behalf(eg. interviewers) must not, in order to secureRespondents' co-operation, make statements orpromises which are knowingly misleading or incorrect -for example, about the likely length of the interview orabout the possibilities of being re-interviewed on a lateroccasion. Any such statements and assurances given toRespondents must be fully honoured.

If asked by respondents, the source of sample used toselect the respondent should be revealed.

The disclosure of the identity of the client is subject toRule 23.

Respondents are entitled to withdraw from an interviewat any stage and to refuse to co-operate further in theresearch project . Any or all of the information collectedfrom or about them must be destroyed without delay ifRespondents so request.

(Rule 4)

All indications of the identity of Respondents should bephysically separated from the records of the informationthey have provided as soon as possible after thecompletion of any necessary fieldwork quality checks.

The Researchers must ensure that any informationwhich might identify Respondents is stored securelyand separately from the other information they haveprovided; and that access to such material is restrictedto authorised research personnel within the Researcher'sown organisation for specific research purposes(eg. field administration, data processing, panel or'longitudinal' studies, or other forms of researchinvolving re-call interviews).

To preserve Respondents' anonymity not only theirnames and addresses but also any other informationprovided by or about them which could in practiceidentify them (eg. their Company and job title) must besafeguarded.

These anonymity requirements may be relaxed onlyunder the following safe-guards:

(a) where the Respondent has given explicitpermission for this under the conditions of'informed consent' summarised in Rule 4(a) andRule 4(b).

(b) where disclosure of names to a third party(eg. a sub-contractor) is essential for anyresearch purpose such as data processing orfurther interview (eg. an independent fieldworkquality check) or for further follow-up research.

The original Researcher is responsible forensuring that any such third party agrees toobserve the requirements of this Code - inwriting, if the third party has not alreadyformally subscribed to the Code.

These anonymity requirements relate also to use of arespondents photograph, verbatim quotes and videotaped interview.

Permission to observe an interview/group discussion bya third party must be gained from the respondent inaccordance with Rule 4.

7.




The definition of 'non-research activity', referred to inRule 4(b), is dealt with in connection with Rule 15.

the relevant section of the record and, if they so wish, tohave this destroyed.

In the case of customer satisfaction surveys, where amajor objective of the research is to improve thehandling of customers' difficulties or complaints,identified information about an individual Respondent'sproblems may be passed to the client provided that theRespondent has explicitly agreed to this and/or askedfor this to be done.

(Rule 5)

The Researcher must explicitly agree with the Clientarrangements regarding the responsibilities for productsafety and for dealing with any complaints or damagearising from faulty products or product misuse. Suchresponsibilities will normally rest with the Client, butthe Researcher must ensure that products are correctlystored and handled while in the Researcher's charge andthat Respondents are given appropriate instructions fortheir use.

More generally, Researchers should avoid interviewingat inappropriate or inconvenient times. They shouldalso avoid the use of unnecessarily long interviews; andthe asking of personal questions which may worry orannoy Respondents, unless the information is essentialto the purposes of the study and the reasons for needingit are explained to the Respondent.

(Rule 6)

Children are defined as being 'under 14 years' andyoung people are defined as being '14-17 years'. In thecase of young people, when interviewing on sensitivesubjects such as those relating to sexual activity,violence and drug taking, consideration may need to begiven to seeking parents'/guardians'/responsible adults'permission.

Researchers may wish to seek the guidance of the MRSAEthics Committee or State Government PrivacyCommittees when considering whether such permissionis justified.

(Rule 7)

The Respondent should be told at the beginning of theinterview that recording techniques are to be usedunless this knowledge might bias the Respondent'ssubsequent behaviour: in such cases the Respondentmust be told about the recording at the end of theinterview and be given the opportunity to see or hear

A 'public place' is defined as one to which the public hasfree access and where an individual could reasonablyexpect to be observed and/or overheard by other peoplepresent, for example in a shop or in the street.

(Rule 8)

The name and address /telephone number of theResearcher must normally be made available to theRespondent at the time of interview. In cases where anaccommodation address or 'cover name' is used for datacollection purposes arrangements must be made toenable Respondents subsequently to find withoutdifficulty or avoidable expense the name and address ofthe Researcher. Wherever possible 'Freephone' orsimilar facilities, should be provided so thatRespondents can check the Researcher's bona fideswithout cost to themselves.

SECTION C

This Code is not intended to restrict the rights ofResearchers to undertake any legitimate market researchactivity and to operate competitively in so doing.However, it is essential that in pursuing these objectivesthe general public's confidence in the integrity of marketresearch is not undermined in any way. This Sectionsets out the responsibilities which the Researcher hastowards the public at large and towards the marketresearch profession and other members of this.

(Rule 14)

The kinds of technical information which should onrequest be made available include those listed in theNotes to Rule 25. The Researcher must not howeverdisclose information which is confidential to the Client'sbusiness, nor need he/she disclose information relatingto parts of the survey which were not published.

(Rule 15)

The kinds of 'non-research activity' which must not beassociated in any way with the carrying out of themarket research include:

• inquiries whose objectives are to obtainpersonal information about private individualsper se, whether for legal, political, supervisory(eg. job performance), private or otherpurposes

8.



• the acquisition of information for use for credit-rating or similar purposes

• the compilation, updating or enhancement oflists, registers or databases which are notexclusively for research purposes (eg. whichwill be used for direct marketing)

• industrial, commercial or any other form ofespionage

• sales or promotional approaches to individualRespondents

(Rule 18)

Although it is usually known in advance what ,subcontractors will be used, occasions do arise duringthe course of a project where subcontractors need to bebrought in, or changed, at very short notice. In suchcases, rather than cause delays to the project in order toinform the Client it will usually be sensible andacceptable to let the Client know as quickly as possibleafter the decision has been taken.

(Rule 22)

• the collection of debts

• fund-raising

• direct or indirect attempts, including by thedesign of the questionnaire, to influence aRespondent's opinions, attitudes or behaviouron any issue, such as push polling.

Certain of these activities - in particular the collection ofinformation for databases for subsequent use in directmarketing and similar operations - are legitimatemarketing activities in their own right. Researchers(especially those working within a client company) mayoften be involved with such activities, either directly orindirectly.

In such cases it is essential that a clear distinction ismade between these activities and market research sinceby definition market research anonymity rules cannot beapplied to them.

Situations may arise where a Researcher wishes, quitelegitimately, to become involved with marketingdatabase work for direct marketing (as distinct frommarket research) purposes: such work must not becarried out under the name of market research or of amarket research organisation as such.

SECTION D

This Code is not intended to regulate the details orbusiness relationships between Researchers and Clientsexcept in so far as these may involve principles ofgeneral interest and concern. Most such matters shouldbe regulated by the individual business Contracts.It is clearly vital that such Contracts are based on anadequate understanding and consideration of the issuesinvolved.

The period of time for which research Records shouldbe kept by the Researcher will vary with the nature ofthe project (eg. ad hoc, panel, repetitive) and thepossible requirements for follow-up research or furtheranalysis. It will normally be longer for the storedresearch data resulting from a survey (tabulations, discs,tapes, etc.) than for primary field records (the originalcompleted questionnaires and similar basic records).The period must be disclosed to, and agreed by theClient in advance.

In default of any agreement to the contrary, in the caseof ad hoc surveys the normal period for which theprimary field records should be retained is one yearafter completion of the fieldwork while the researchdata should be stored for possible further analysis for atleast two years. The Researcher should take suitableprecautions to guard against any accidental loss of theinformation, whether stored physically or electronically,during the agreed storage period.

(Rule 24)

On request, the client or his/her mutually acceptablerepresentative may observe a limited number ofinterviews for this purpose. In certain cases, such aspanels, or in situations where a Respondent might beknown to (or be in subsequent contact with) the Client,this may require the previous agreement of theRespondent. Any such observer must agree to be boundby the provisions of this Code, especially Rule 4.

The Researcher is entitled to be recompensed for anydelays and increased fieldwork costs which may resultfrom such a request. The Client must be informed if theobservation of interviews may mean that the results ofsuch interviews will need to be excluded from theoverall survey analysis because they are no longermethodologically comparable.

9.


Appendix 1. Submission re the Attorney -General's Department Discussion Paper ' Privacy Protection in the Public Sector'

In the case of multi-client studies the Researcher mayrequire that any such observer is independent of any ofthe Clients.

Where an independent check on the quality of fieldworkis to be carried out by a different research agency thelatter must conform in all respects to the requirementsof this Code. In particular, the anonymity of the originalRespondents must be fully safeguarded and their namesand addresses used exclusively for the purposes ofback-checks, not being disclosed to the Client. Similarconsiderations apply where the Client wishes to carryout checks on the quality of data preparation work.

'Rule 25)

The Client is entitled to the following information aboutany market research project to which he/she hassubscribed:

(1) Background

• for whom the study was conducted

• the purpose of the study

• names of subcontractors and consultantsperforming any substantial part of the work

(2) Sample

• a description of the intended and actualuniverse covered

• the size, nature and geographical distribution ofthe sample (both planned and achieved); andwhere relevant, the extent to which any of thedata collected were obtained from only part ofthe sample

• details of the sampling method and anyweighting methods used

• where technically relevant, a statement ofresponse rates and a discussion of any possiblebias due to non-response

(3) Data Collection

• a description of the method by which theinformation was collected

a description of the field staff, briefing and fieldquality control methods used

• the method of recruiting Respondents includingnumber of call-backs used to contact selectedrespondents; and the general nature of anyincentives offered to secure their co-operation

• when the fieldwork was carried out

• (in the case of 'desk research') a clear statementof the sources of the information and theirlikely reliability

(4) Presentation of Results

• the relevant factual findings obtained• the bases of percentages (both weighted and

unweighted)

• general indications of the probable statisticalmargins of error to be attached to the mainfindings, and of the levels of statisticalsignificance of differences between key figures

• thei-questionnaire and other relevant documentsand materials used including data maps andassociated documentation, if the data is beingprovided in an electronic form (or, in the case ofa shared project, that portion relating to thematter reported on)

The Report on a project should normally cover theabove points or provide a reference to readily availableseparate documents which contain the information.

(Rule 27)

If the Client does not consult and agree in advance, theform of publication with the Researcher the latter isentitled to:

(a) refuse permission for his/her name to be usedin connection with the published findings and

(b) publish the appropriate technical details of theproject (as listed in the Notes to Rule 25).

(Rule 29)

It is recommended that Researchers specify in theirresearch proposals that they follow the requirements ofthis Code Of Professional Behaviour and that they makea copy available to the Client if the latter does notalready have one.

-00000-

10.

SUBMISSION ON THE ATTORNEY GENERAL'S DISCUSSION PAPER'PRIVACY PROTECTION IN THE PRIVATE SECTOR'

APPENDIX 2. SAMPLING METHODS

RANDOM SAMPLING

A fundamental consideration in the design of market, social and surveyresearch projects is the statistical technique of random sampling.

Research is based on the assumption that the sample of respondents to asurvey represents the total target group of interest , eg. voters, mothers ofyoung children, retired persons, the person who does the weekly groceryshopping, company directors, etc.

Placing restrictions on the ability to sample can bias the analysis andinvalidate the results. That is, restrictions on sampling could affect thestatistics of sampling and place the integrity of the results of market, socialand survey research in jeopardy.

There are internationally recognised standard procedures for selectingrandom samples . Notes on the procedures used most often follow:

1. RANDOM TELEPHONE SURVEYS

1.1 Telephone Directories

Random samples may be drawn electronically or manually from the whiteor yellow pages telephone directories respectively , for householder orbusiness surveys.

A sample is generated using standard statistical techniques to obtain thenumber of telephone numbers it is necessary to dial in order to get therequired sample size.

The telephone number is used for the purposes of dialling only. The numberis not linked to the data collected nor are the address details taken from thedirectory.

1.2 Random Digit Dialling

Market researchers use two different forms of random digit dialling.

(1) The phone directory is used to select a range of numbers for an area.Statistical techniques are used to generate random numbers withinthis range. The possibility that the range may include unusednumbers is taken into consideration.

Appendix 2. - Page 1.

SUBMISSION ON THE ATTORNEY GENERAL'S DISCUSSION PAPER

'PRIVACY PROTECTION IN THE PRIVATE SECTOR'


(2) The phone directory is used to generate a sample of numbers.A random digit is added to replace the last digit of each of thesenumbers, thereby providing a blind' and less biased sample thanobtained by direct sampling from the directory.

2. RANDOM FACE TO FACE SURVEYS

2.1 Door to Door

Australia is mapped by the census into CCD's which are areas containingapproximately 200 dwellings. Standard statistical techniques are used forrandom sampling of these areas.

Interviewers are issued with maps and random start points. They approachhouseholds using a systematic method for working from the start point suchas 'every third house on the left hand side of the street'.

An alternative method involves the interviewer being issued with a randomstart point address selected randomly from the phone book.

2.2 Shopping Centre or Street Intercept

Market researchers may rent space in a shopping centre or obtain approvalfrom a local council to approach individuals on the street at specified streetlocations. Standard methods are used for random sampling of potentialrespondents.

This technique is often used to identify individuals for research associatedwith shopping.

2.3 Special Locations

Market research may be conducted at specific venues. The research mayeither be commissioned by or carried out with the approval of the venueoperator.

Statistical techniques are used to select samples to represent all attendees.


SUBMISSION ON THE ATTORNEY GENERAL ' S DISCUSSION PAPER'PRIVACY PROTECTION IN THE PRIVATE SECTOR'


3. PRE-RECRUITED INTERVIEW PANELISTS

A record is kept of individuals who have expressed an interest in taking partin research or further research in the future. The record would include nameand contact details and sometimes limited information provided by theindividual for the purposes of the interview panel register.

While conducting research using recruited interview panelists can be veryuseful the panel generally cannot satisfy the requirements for randomsampling. Therefore respondents from this source can only be used for avery limited range of research activities.

4. CLIENT LISTS

Some research is undertaken using contact lists provided by clients. Theseare often lists of the client 's customers or clients.

The MRSA Code of Professional Behaviour places restrictions on the linkingof personal identifier information with the facts or opinions provided byrespondents for transmission to the client.

Also the research worker is required to declare the source of the sample tothe respondent if asked.


(04

CRIMINAL JUSTICE COMMISS ION

Contact Officer: David Brereton

12 August, 1997


Dear Sir/Madam,

Telephone: (07) 3360 6060Facsimile: (07) 3360 6333

LEGAL, CONSTITUTIONAL ANDMTRATIVE REVIEW COMMITTEE

14 AUG 1997

Please find enclosed a submission by the Criminal Justice Commission (CJC) prepared in response to theCommittee's Issues Paper on Privacy. The CJC welcomes the opportunity to be able to contribute to discussionon the important issues raised in this paper.

I apologise for the fact that the CJC was unable to prepare this submission by 1 August, which was the deadlinespecified in the Issues Paper. However, as I hope members of the Committee would appreciate, it has been aparticularly busy time for the CJC.

If the Committee or its research staff require any further information from the CJC I suggest that you contact, atfirst instance, the Director of the Research and Coordination Division, Dr David Brereton.

Encl.

557 Coronation Drive, Toowong, Qld, 4066, AustraliaPO Box 137, Brisbane, Albert Street, Qld, 4002, Australia

SUBMISSION TOLEGAL, CONSTITUTIONAL AND ADMINISTRATIVE REVIEWCOMMITTEE IN RELATION TO ISSUES PAPER ON PRIVACY

The Criminal Justice Commission (CJC) welcomes the opportunity to respond to the Issues Paper issued by

the Legal , Constitutional and Administrative Review Committee.

The CJC addresses below some of the issues raised in part 12 of the Issues Paper. The CJC does not propose

to comment on issues 12, 19, 20, 21 and 22 (in so far as the latter issue relates to : telemarketing and direct

marketing ; medical records, including access; genetics).

1. Are there valid concerns relating to privacy protection which need to be addressed by

legislative and/or administrative action ? If so , what particular concerns are most pressing?

In the CJC's view, there is a need for a system which balances the competing interests of protection ofprivacy and other interests. This submission will consider only those other interests as they relate to the CJC'sfunctions. Specifically referred to are the interests of law enforcement agencies and whistleblowers.

In developing a system of privacy protection, questions which should be determined include:

• what is `personal' or `private' information?

• what obligations should be imposed on a record keeper to keep personal information about anindividual from inappropriate disclosure?

In relation to the first of these questions, the CJC acknowledges the inherent difficulty in the formulation ofa workable definition of `personal information'. However, the definition in the Commonwealth Act mayprovide a useful starting point:

information or an opinion (including information or an opinion forming part of a database), whether true ornot, and whether recorded in a material form or not, about an individual whose identity is apparent or canreasonably be ascertained, from the information or opinion.

Without attempting to directly answer the second question, the CJC considers that there should be readyaccess to `the rules' which will apply to those who hold personal information. The `rules' should apply inboth law enforcement and other areas where there is a likelihood of access to, or disclosure of, personalinformation, and thus an infringement of the privacy of individuals.

Whether the rules should be embodied in legislation or some other means of regulation is discussed belowin relation to issue 3.


In the CJC' s view, the current Queensland Invasion of Privacy Act 1971 is not adequate . That Act is limited

to the regulation of credit reporting agents and listening devices.

Current methods of surveillance available to law enforcement agencies include devices and methods otherthan listening devices. Those methods and devices include visual surveillance cameras, tracking devices andtelephone interceptions. Those are discussed in the Discussion Paper recently released by the Minister for

1

Police and Corrective Services and Minister for Racing (the Police Minister) and in volume V of the CJC'sReview of Police Powers (copy attached).

Any restrictions on the use of the product of a surveillance device (whether visual or audio only) should applyto all devices. The CJC has made a recommendation concerning restrictions upon disclosure of informationobtained by the use of a surveillance device (see pp. 805-807). A similar restriction is proposed in theDiscussion Paper on Police Powers (p. A27) in relation to listening devices.

Further, information which may be considered `personal information' also comes into the hands of lawenforcement agencies such as the Queensland Police Service and the CJC. Both of those agencies haveconfidentiality obligations' which are intended to afford a form of privacy protection. No doubt most, if notall, public service departments and agencies also have similar confidentiality obligations. To assist in readyreference to obligations of privacy, the CJC suggests that a list of legislative provisions be compiled andperhaps included as a footnote in the new legislation, if that is the course adopted in Queensland.

3. If not, how should the right to privacy be protected in Queensland ? For example , should

Queensland introduce one or a combination of the following means of regulation : information

privacy principles (IPPs); a statutory tort of privacy ; a privacy committee/privacy

commissioner ; or some other means to protect privacy?

The CJC considers that the federal system of privacy protection embodied in the Commonwealth Privacy Act

1988 is a useful basis from which a privacy protection system for Queensland could be created. The CJCsupports the adoption of IPPs, and the establishment of a Privacy Commissioner.

Further, the CJC suggests that one of the sanctions which should be available for imposition by the PrivacyCommissioner is compensation for breaches which have a serious consequence for the individual whoseprivacy has been breached. The CJC suggests that, to avoid legal costs and to minimise the instances whenrecourse to the Courts will be required, there be a scale of compensation, depending on the type of breach andthe person or body to whom the disclosure was made. However, the CJC acknowledges that there may bedifficulty in drafting appropriate legislative provisions.

If a privacy regime broadly consistent with the Commonwealth system is implemented in Queensland, it willbe necessary to decide whether a breach of privacy amounts to òfficial misconduct' for the purposes of the

Criminal Justice Act 1989. The CJC considers that on the basis of the current definition of what is òfficialmisconduct',' a breach of a privacy principle would likely constitute òfficial misconduct' and therefore fallwithin the CJC's jurisdiction. Any legislation could expressly deal with that issue.

1

2

The Criminal Justice Act 1989 provides in section 132 that a commissioner or officer of the CJC (among others) `must not wilfully disclose

information that has come to the person 's knowledge because the person or is or was a person to whom this subsection applies unless theinformation is disclosed for the purposes of the Commission or of this Act.' A similar provision applies to police officers (among others)

pursuant to section 10.1 of the Police Service Administration Act 1990.

Section 32(1) defines òfficial misconduct' as:(a) conduct of a person, whether or not the person holds an appointment in a unit of public administration, that adversely affects, or

could adversely affect, directly or indirectly, the honest and impartial discharge of functions or exercise of powers or authority ofa unit of public administration or of any person holding an appointment in a unit of public administration; or

(b) conduct of a person while the person holds or held an appointment in a unit of public administration-(i) that constitutes or involves the discharge of the person's functions or exercise of his or her powers or authority, as the

holder of the appointment in a manner that is not honest or is not impartial; or(ii) that constitutes or involves a breach of the trust placed in the person by reason of his or her holding the appointment in

a unit of public administration; or

(c) conduct that involves the misuse by any person of information or material that the person has acquired in or in connection with thedischarge of his or her functions or exercise of his or her powers or authority as the holder of an appointment in a unit of public

administration , whether the misuse is the for the benefit of the person or another person;and in any such case , constitutes or could constitute-(d) in the case of conduct of a person who is the holder of an appointment in the unit of public administration , a criminal offence, or

a disciplinary breach that provides reasonable grounds for termination of the person's services in the unit of public administration;

(e)

orin the case of any other person , a criminal offence.

2

Since its establishment, the CJC has investigated numerous complaints concerning improper disclosure ofinformation by persons within units of public administration. If the CJC's jurisdiction is to include breachesof privacy principles committed by officers in units of public administration - in circumstances where itwould not currently have jurisdiction - the CJC may require some additional resources to properlyinvestigate those instances.


The CJC considers that the IPPs in the Commonwealth Act are a good model from which to draft principlesrelevant to Queensland . However, the CJC draws the attention of the Committee to two issues:

• Legitimate law enforcement purposes

Principles 10 and 11 of the Commonwealth principles prohibit a record-keeper from using or disclosinginformation other than in certain situations, but exempts from that prohibition use or dissemination whereit is `reasonably necessary for enforcement of the criminal law or of a law imposing a pecuniary penalty, orfor the protection of the public revenue'. The term ènforcement' is capable of differing interpretations. Ifprinciples similar to the Commonwealth model are adopted, it should be made clear that ènforcement of thecriminal law' includes:

the investigation of a suspected breach of the criminal law

the gathering of information for legitimate intelligence purposes, even though a specified identifiedincident of a suspected breach of the criminal law is not being investigated.

One of the CJC's functions (performed by the Official Misconduct Division) is to investigate alleged orsuspected òfficial misconduct'. The CJC considers that any privacy regime adopted in Queensland needs toclearly recognise an entitlement to gather, use and disseminate information for investigation of, andenforcement, of criminal law and official misconduct.

The CJC's Intelligence Division has voluntarily adopted a policy of adherence to the Commonwealth privacyprinciples in its operation.

The CJC suggests that a privacy regime which recognises the role of use and dissemination of informationfor legitimate law enforcement purposes should place on the law enforcement agency seeking the informationthe onus of showing that particular personal information is required for a law enforcement purpose. Thelegislation could incorporate a certification process pursuant to which a designated senior officer of theagency seeking information could certify that the information was reasonably necessary for law enforcementpurposes or an investigation of suspected official misconduct , and the agency which held the informationcould accept that certification . Such a process would reduce the number of persons who have access tooperational matters and thus minimise opportunities for possible breaches of operational confidentiality.

• Protection of whistleblowers

Any privacy regulation should be structured to preclude unlawful conduct from being easily hidden andshielded from detection and examination.

The current law relating to protection of whistleblowers is contained in the Whistleblowers Protection Act1994 (Qld) with some complementary provisions in the Criminal Justice Act 1989 (ss. 103 and 131). The1994 Act provides protection only in respect of `public interest disclosures' which are defined relativelynarrowly. While whistleblowing may provide a benefit to the broader public interest, there may be difficultiesfor potential whistleblowers. A whistleblower who knows or reasonably suspects that misconduct hasoccurred faces a fundamental dilemma because there is often insufficient information, other than the

3

whistleblower's personal knowledge, to provide a basis of a public interest disclosure, or to demonstrate toan authority that an investigation is warranted.

Any legislative privacy regime must be carefully drafted to take into account that there will be situationswhich justify a person `whistleblowing', and ensure that the current protection afforded those persons is notreduced.


The CJC considers that it is preferable for IPPs to be included in legislation rather than in guidelines, withthe consequences for breach of those principles clearly set out. The CJC prefers that approach becauseotherwise the consequences of a breach of guidelines may not be clear.


The CJC considers that where persons or agencies have accumulated information concerning an individual,the individual should not have to pay to ensure and/or seek redress from those persons or agencies who haveimproperly dealt with that information.


The CJC is not in a position to determine whether the costs associated with IPPs would outweigh the publicbenefit flowing from their implementation. This issue could be the subject of consultation with otherjurisdictions where privacy regimes are already in existence. However, the CJC cautions against givingprimacy to the question of costs in consideration of this issue.

8. If an office of privacy commissioner/committee is established:- how should its independence be ensured- should the office be accountable to the Parliament, for example, via a

parliamentary committeeshould the office be combined with that of the Information Commissioner or

any other office?

The CJC considers that a Privacy Commissioner is an appropriate model for overseeing a privacy regime,if one is implemented in Queensland To allow a broader input, the Commissioner could perhaps be assistedby an advisory committee , along the lines of the Commonwealth model.

To achieve the independence of the Commissioner-both in reality and in perception - there must be afair and independent process for budget allocation. The CJC suggests adoption of a process similar to thatcurrently applicable to the Parliamentary Commissioner for Administrative Investigations. This wouldinvolve submission of a budget to a Minister, but with that submission being treated separately to thedepartmental bid and listed separately in the budget papers. The CJC suggests that the proposed PrivacyCommissioner be entitled to report directly to Parliament.

In view of the different focus of a Privacy Committee or Commissioner on the one hand, and the InformationCommissioner on the other, it may not be appropriate to combine the two offices. The former is concernedwith ensuring maintenance of privacy of personal information, whereas the other is focused on havinginformation (in some instances, including personal information) released into, what is in effect, the publicarena, unless there are good reasons for not doing so. However, the CJC acknowledges that there could beadministrative efficiencies from combining the two functions in the one office.

4


Without attempting to be exhaustive, the CJC recommends that the functions of the proposed body couldinclude, in the context of law enforcement agencies:

3

An auditing role to ensure that where information is obtained in circumstances which wouldotherwise be a breach of a privacy principle, the gathering of that information was justified.

Oversight of destruction of fingerprints . The CJC has previously recommended that an independentmonitoring body be responsible for ensuring compliance with the destruction regime suggested inits Police Powers Report3. Such a body would ensure that records are destroyed or removed asrequired.

Oversight of police use of surveillance devices4. The CJC's Police Powers report recommends thatthe Ombudsman or some other independent body be charged with conducting regular inspections toensure records and registers relating to electronic surveillance are being maintained and stored inaccordance with the proposed Act. (Note that the Police Powers Discussion Paper also recommendsthat this role be performed by a person independent of police.)

Oversight of telephone interception powers, assuming those are ceded to the State of Queensland,as recommended by the CJC5 and as suggested in the Police Powers Discussion Paper.

The Commonwealth Telecommunications (Interceptions) Act 1979 provides for the CommonwealthOmbudsman to have a supervisory role over Commonwealth agencies' use of interceptions powers.The question of whether the oversight function should be vested in the Ombudsman or the PrivacyCommissioner has been raised on a number of occasions in recent years. A 1991 review of theCommonwealth Act pointed out that the Ombudsman at that time, and his predecessor, were of theview that the function would be more appropriately vested in the Privacy Commissioner. The 1994Barrett Review6 also recommended that the function be transferred to the Privacy Commissioner.The Commonwealth Government again rejected this recommendation on the grounds that the presentarrangements were working well and were also better suited to the Ombudsman's functionalresponsibilities, as `the inspection function is one which is directed towards compliance rather thanadjudication of privacy issues' (Senate Second Reading Speech 7 December 1994,Telecommunications (Interception) Bill)). However, different considerations may apply in the caseof Queensland.

See Report on A Review of Police Powers in Queensland -Volume V: Electronic Surveillance and Other Investigative Procedures, p. 850:

Ensuring compliance with the requirement for automatic destruction of fingerprints is important.... [I]t is important, if publicconfidence in the process is to be preserved, that there be some independent oversight.... In the Commission's view an independentbody, such as the Ombudsman or other independent agency, should be given legislative responsibility for overseeing the QPS'scompliance with the destruction scheme. The role of this person or body would involve ensuring that records are destroyed orremoved fromelectronic databases where required within the proposed time frame. The details of a scheme to monitor compliancearebeyond the scope of this report, but presumably the function could best be discharged by undertaking period `audits'. Clearly,the monitoring body would need to have the statutory powers and resources necessary to perform its role effectively.

4

5

The CJC suggested in its submission to the Connolly/Ryan inquiry that an Inspector-General be appointed, who could be entitled to audit CJCoperational files involving the use of listening devices (or other matters involving the use of compulsory powers where prior judicial approvalwas required) to ensure that the information provided to the Court was accurate: see Criminal Justice Commission Submission to theCommission oflnquiry into the Effectiveness of the Criminal Justice Commission (April 1997), paragraph 4.69.

See Telecommunications Interception and Criminal Investigation in Queensland : A Report (CJC 1995) pp. 26 and 37.

6 Review of the Long Term Cost Effectiveness of Telecommunications Interception 1994

5

10. What powers should a privacy committee/commissioner have? For example, should these

include the power to:

- enforce IPPs through sanctions such as fine or disciplinary action; andexercise coercive powers such as powers of access?

The CJC considers that if, as recommended , a privacy commissioner is appointed , the commissioner shouldhave the power to receive and investigate complaints , and to impose sanctions, such as fines or disciplinaryactions.

If the Commissioner is to investigate complaints of breaches of privacy, he or she must be granted rights ofaccess to agency or departmental records to determine: whether a breach has occurred; if information hasbeen disseminated to others, to whom and what information has been disseminated; whether the breach wasinadvertent or deliberate; whether the processes of the agency which breached an individual's privacy areinadequate.

Section 68 of the Commonwealth Act currently provides a power to enter premises of an agency and inspectany documents that are kept at those premises which are relevant to the functions of the Commissioner if theoccupier has consented to such or entry, or a warrant to enter the premises has been issued a Magistrate.

The CJC recommends that powers of access , at least as wide as those in the current Commonwealth Act, begranted to the person or body responsible for dealing with complaints of breaches of privacy principles. Ifthis is considered too restrictive , an alternative model may be found in the Criminal Justice Act 1989. Thisprovides , in respect of CJC investigations, that an officer of the CJC (authorised in writing by theChairperson) is permitted to enter premises used by or for the official purposes of a unit of publicadministration' and may enter and search any premises , when a Supreme Court judge has authorised the issueof a warrant (s. 71(1)).

11. Would the costs associated with an office of privacy commissioner /committee outweigh thepublic benefit flowing from the establishment of such an office?

The CJC is not in a position to determine whether the costs associated with an office of privacycommissioner/committee would outweigh the public benefit flowing from their implementation. Consultationwith other jurisdictions which have had the benefit of a privacy regime for some time may prove useful.

13 and 14. Should privacy regulation apply to government owned corporations and localgovernment activities?

Given the diverse nature of government owned corporations (GOCs), it may not be appropriate to make ablanket decision concerning the appropriateness of privacy regulation applying to GOCs and localgovernment bodies. For example, many local government activities, such as property ownership records,outstanding rates etc. are currently readily available and frequently obtained in property conveyancing; itwould probably be impractical to impose restrictions on access to this material.

7Section 3 defines "unit of public administration" to mean-(a) the Legislative Assembly, and the Parliamentary Service; or(b) the Executive Council; or(c) a department; or(d) the Police Service; or(e) Queensland Railways; or(f) every corporate entity that is constituted by an Act, or that is of a description of entity provided for by an Act, which in either case

collects revenues or raises funds under the authority of an Act; or(g) every non-corporate entity established or maintained pursuant to an Act, which is funded to any extent with moneys of the Crown,

or is assisted in a financial respect by the Crown; or(h) the courts of the State of whatever jurisdiction, and the registries and other administrative offices of them.

6

Currently, many GOCs8 and local governments are within the definition of `units of public administration'for the purposes of the Criminal Justice Act 1989, and therefore may be the subject of investigations intosuspected official misconduct. The CJC considers that if a privacy regime is to apply, it will need to be madeclear whether a breach of an IPP (if that is the model adopted) is `official misconduct' for the purposes of theCriminal Justice Act 1989. (See discussion under issue 3 above).

15. Would the costs associated with privacy regulation of:- government owned corporationslocal government activitiesoutweigh the public benefit to be gained by that regulation?

The CJC is not in a position to determine the costs involved in privacy regulation of such bodies. Informationabout costs could perhaps be obtained through consultation with other jurisdictions where privacy regimesare already in existence. However, the CJC cautions against giving primacy to the question of costs inconsideration of this issue.

16. If the private sector is not to be covered , how should privacy regulation apply to bodiesperforming services which the government has out sourced?

The CJC suggests that the same privacy obligations which apply to the out-sourcing department or agencyshould apply to the body which is performing the service. That could be a matter of contract between therespective bodies, with the contracts referring specifically to the legislative provisions in the contract whichaffect the out-sourcing department or agency.

17. Should there be co-operative arrangements between the States , Territories and theCommonwealth with respect to matters such as formal complaints regimes?

Increasing population mobility, high speed communication and ease of transfer of information across bordershighlights the need for a consistent nation-wide approach to protection of personal information and a co-operative approach to dealing with complaints regimes. In recent years, matters which have a national focushave become the subject of federal legislation with the States enacting complementary legislation. Examplesinclude witness protection and telephone interceptions. In the interests of a sensible non-fragmented system,the CJC urges the development of nationwide co-operative arrangements.

18. How should privacy protection legislation interrelate with freedom of information legislation?For example, should the access to, and amendment of, personal information be regulated bya Privacy Act alone?

Freedom of information (FOI) legislation currently applies to information which has (and should have) noprivacy component, namely information about decision-making processes of government departments andagencies. Section 44(l) of the Queensland Freedom of Information Act 1992 entitles an agency to exemptfrom disclosure certain matter relating to `personal affairs'. The expression `personal affairs' is not defined.

The CJC suggests that separate privacy legislation be enacted, complementary to the current Freedom ofInformation Act 1992 (Qld), while retaining in that FOI Act provisions dealing with protection andamendment of personal information . The CJC suggests that there be consistency of terminology in both Acts(either "personal information" or "personal affairs" ) with a clear definition of whatever term is used.

8The Government Owned Corporations Act 1993 provides in section 181 that a `statutory GOC' is a unit of public administration for thepurposes of the Criminal Justice Act 1989, whereas company GOC's are not (s. 183).

7

Whether access to and amendment of personal information should be regulated by a Privacy Act alone, ratherthan in freedom of information legislation, is a difficult issue. In terms of dealing with information soughtpursuant to freedom of information legislation, the FOI administrator will invariably have to sift throughmaterial which contains both personal and non-personal information in deciding whether `matter' should bereleased, or whether exemptions are to be claimed.

The Commonwealth system, even with the overlap between the FOI and privacy legislation is notunworkable. Obviously, the consequences of any overlap between FOI legislation and privacy legislation willneed to be made clear. As stated in Open Government: a review of the federal Freedom of Information Act19829:

The Review no longer considers that the FOI, Privacy and Archives Acts should be combined in a single Act.Nevertheless, it remains strongly of the view that the connections between these Acts must be clearlyunderstood and appreciated by those subject to them and by those who oversee their administration. The Actsshould be amended, where necessary, to ensure that together they provide a cohesive and consistent packageof legislation on government records.

The CJC supports such an approach in relation to separate FOI and privacy legislation in Queensland.

22. What form of regulation should be introduced with respect to privacy issues arising in theareas of:- personal privacy, including surveillance (visual and listening) both in public and

private places- the workplace?

The CJC's view is that, in the context of specific criminal and official misconduct investigations, the conductof surveillance in private premises (both visual and listening) should be contingent on prior judicial consentin the form of a warrant. The CJC has previously recommended such a process in its Police Powers Report(Volume V). Further, the Discussion Paper on Police Powers has similarly suggested such a process, althoughin respect of a broader range of offences than recommended by the CJC. It will be necessary to ensure thatthe product of surveillance methods, such as listening devices, video tapes and telephone interceptions (wheregathered from private premises) is not disseminated unnecessarily. That will probably require seriouspenalties for such improper dissemination.

The CJC does not oppose the use of visual surveillance cameras to enable surveillance of areas occupied bysignificant numbers of the public, for example the City Mall. When visiting those public places, there is, inany event, a reasonable expectation of being seen by others.

Further, the tapes from the cameras recording activities in the public space provide useful information inrelation to offences and allegations against police, although there should be a restriction on those tapes beingmade available to the general public or the media.

In the context of the workplace, the CJC recommends that surveillance, whether visual or listening, shouldbe limited to where there is some suspected criminal activity or official misconduct, or where it is relevantfor security purposes. Where surveillance is employed for the latter purpose, it should be limited to theminimum level which will satisfy the agency's security concerns.

9Australian Law Reform Commission Report No 77 and Administrative Review Council Report No 40.

8

23. Generally, what should be done to ensure that the law keeps abreast with developments intechnology affecting individuals ' privacy?

The Commonwealth Privacy Act provides that one of the functions of the Privacy Commissioner in relationto interferences with privacy is:

to undertake research into, and to monitor developments in, data processing and computer technology(including data-matching and data-linkage) to ensure that any adverse effects of such developments on theprivacy of individuals are minimised, and to report to the Minister the result of such research and monitoring.

The dynamic nature of technology capable of storing and disseminating information clearly requires constantreview of the implications of that technology for privacy. The CJC suggests that a Privacy Commissioner orCommittee could conduct periodic reviews. Alternatively, such reviews could be conducted by bodies suchas the Legal, Constitutional and Administrative Review Committee or the Law Reform Commission.

9

Australian Finance Conference Level 22, 68 Pitt Street, Sydney, 2000. G.P.O. Box 1595 Sydney. 2001.Telephone: (02) 9231 5877 Facsimile: (02) 9232 5647

1 August 1997

Mr Neil LaurieResearch DirectorLegal, Constitutional & AdministrativeReview CommitteeParliament HouseBRISBANE QLD 4000

Dear Mr Laurie,

PRIVACY IN QUEENSLAND - ISSUES PAPER

The Australian Finance Conference (AFC) is the national finance industry association; a list ofour members is attached . We appreciate the opportunity to comment on issues with respect toprivacy protection in Queensland.

AFC member companies currently are required to comply with the Credit ReportingProvisions (Part 3A) of the Commonwealth Privacy Act and with the Credit Reporting Code

of Conduct developed in conjunction with the Commonwealth Privacy Commissioner. Theyalso have experience with the tax file number provisions of that Act. Our members have anon-going commercial interest in the development and application of data protection andprivacy regimes which impact on their dealings with customers , employees , securities and datacollection agencies.

The AFC and its members agree that the inappropriate collection and use of customers'personal information is a valid and important concern to both industry and government. Wedo not intend our comments to in any way to detract from the legitimacy and importance ofthe issue.

We note the breadth of personal privacy regulation (eg freedom from surveillance and privacyof communications ; public vs. private sector regulation) which is raised for consideration inthe issues paper . However, in responding , we have focussed on the issues which are ofgreatest relevance to the business of our members, namely , regulation of personal informationor data privacy within the private sector and continued availability of public record data forbona fide commercial purposes.

C\AFC\INDEM2\PRIVACY,QISSUE-C.DOC

Incorporated in NSW as Australian Finance Conference Limited • A.C.N. 000 493 907

- page 2 -

Scope of a Privacy Regime - Should privacy regulation apply to the private sector as well

as the public sector?

On a general level and as a matter of principle, we see value in the broad application ofInformation Privacy Principles across the private sector provided that the Principles areappropriately modified to take into account and exempt reasonable public and businessinterests which ought to over-ride individual privacy interests. We understand that the

Principles would be similar in form to those in operation under the Commonwealth Privacy

Act. We note that these Principles have been qualified to recognise the CommonwealthGovernment's bona fide need to use or disclose personal information or restrict access to theinformation in certain cases (eg IPP 10 (1. d), IPP 11(1. e) IPP 6).

We also see value in a co-regulatory approach to the development of the regulation beingadopted because of the avenues for consultation and co-operation between the private andpublic sector which it should present. The regulation which results should represent anequitable balance between competing interests and, as a consequence, should better work inpractice while minimising inefficiencies and costs in its administration and management.

We note the consideration of the implementation of the Principles by way of guidelines rather

than legislation. We are concerned that without some statutory support behind the Principlestheir value to the community would be significantly diminished.

In terms of implementation we consider that the introduction of privacy regulation of theprivate sector on a national basis by the Commonwealth is preferable to the individualintroduction of potentially disparate legislation by the various States.

Our members operate across borders and are often subject to nine different sets of laws on thesame subject (eg credit law and fair trading law). On occasions these laws are contradictoryand place our members in an invidious position in terms of compliance. Such over-regulationalso brings with it increased compliance costs which is reflected, in turn, in the higher cost of

goods and services. Moves to uniformity in the credit law area through the enactment of theUniform Consumer Credit Code should relieve this. However, the achievement of uniformityhas been a long and involved process. We therefore believe that the Commonwealth shouldtake the lead on this issue to achieve a timely, nationally consistent approach to privacyregulation of the private sector.

We recognise that the Prime Minister has ruled out the proposal to extend the Privacy Act tothe private sector and has encouraged the development of a system of voluntary Codes ofpersonal information handling in its place. We have written to the Commonwealth Attorney-General outlining our reservations with this approach, primarily the lack of enforceability of

the codes. We have encouraged amendment of the Privacy Act to give the Codes the force oflaw and attach a copy of our letter for your information.

Telemarketing & Direct Marketing - Regulation

We do not believe specific regulation of telemarketing or direct marketing activities to providepersonal privacy protection is needed at this time.

- page 3 -

Our members believe that the major privacy concerns of customers who are the subject oftelemarketing or direct marketing programs may arise from the unauthorised use or disclosureof personal information by the company initially in receipt of that personal information or byunrelated third parties.

Our members have addressed this concern in two ways. Firstly, there is a growing practicewithin the industry for customers to be asked at the time they provide personal details whetherthey have any objection to such details being used for marketing purposes. This "opt-out"approach has been commonly adopted world wide, including within the European Union.Secondly, our members' current practice is not, nor do they have any intention in the future, tomake available to external, unrelated third parties lists of their potential and existing customersfor the purposes of direct marketing activity. They have a commercial interest in restrictingaccess to that information.

A primary motivation for our members to respect the rights of their customers, including theright to privacy, stems largely from the recognition that the customer is the end-user of theirproducts and services. The profitability and future existence of our members depends onensuring customer satisfaction; a motivation far greater than any threat of future prosecutionfor breach of rights legislatively provided to that customer.

Our members are particularly aware of the privacy implications of their customers' personalinformation, and having in place high standards for the protection and use of that information.However, they believe customers should be given an opportunity to choose whether to receiveapproaches from direct marketers or telemarketers.

We consider the market not legislation to be the appropriate vehicle for change. According toa majority of our members, only a minority of customers have indicated irritation at receivingmailing information. Given the opportunity to "opt-out" of mail information, the industry'sexperience has been that the vaste majority of customers have not taken this option. It wouldappear that most customers are comfortable in evaluating the offer and taking appropriateaction. It is also seen as part of the service the member provides to its customers.

We suggest that the continuing success of all financial institutions is dependent on responsiblemanagement of customer data-bases and the exercise of discretion with regard to control overthe right to communicate with an existing customer base. As a major user of telemarketingand direct marketing, our members would be greatly concerned to see any major restrictionsintroduced which limit their ability to provide information about their products and services totheir customers in a cost effective and efficient manner. Such regulation would be seen as anunneccessary interference with the relationship between a company and its own customers.

We further note the request for feedback on whether there are valid concerns relating toprivacy protection which need to be addressed (Question 1). Regulation on the basis ofperceived public need can stifle commercial activity or increase the price of consumer goodsor services while doing little to reduce hazards. As noted above, the lack of contrary customerreaction to our members who use direct marketing to promote their goods and services, forexample, would mitigate against regulatory intervention. In our view, feedback fromcustomers to determine specific privacy concerns and the extent of those concerns is anessential pre-requisite to any further consideration of regulation of these marketing activities.

- page 4 -


On the basis of our earlier comments, we believe that the regulation of privacy issues arisingfrom the use of smart cards and other forms of electronic banking are better dealt with at theCommonwealth rather than the State level. In principle, we agree that some legislativebacking for the regulation should be adopted in preference to the adoption of Codes on avoluntary basis. We are concerned that without that backing Codes may not be sufficient tomeet the test of "adequate" protection required by the European Union Directive - Protection

of Individuals with regard to the Processing of Personal Data and on the Free Movement ofsuch Data (95/46/EC). Australian businesses which comply may not gain any advantage in theglobal market over their non-complying competitors as a result. Justification for compliance is

therefore questionable.

Public Record Data

AFC members currently have access to a range of public record information including thatfrom the Courts, vehicle registration and motor and other licensing authorities, and various

title or security interest registrars. This access can be either direct or indirect through a thirdparty such as the Credit Reference Association of Australia (CRAA - the national industryowned credit bureau) and can be full or limited depending on the data concerned.

Members have a bona fide commercial need for this data usually to protect or preserve theirsecurity interest in items owned or financed by them and to vouchsafe the representationsmade to them by those seeking finance. In these circumstances there is a natural balancing ofprivacy rights with commercial and other community needs for the better functioning ofmarkets and optimal pricing of goods and services.

AFC would ask that in any development of a privacy regime in the public (and/or private)sector, care is taken to not disrupt or cease current practices without there first being arigorous review of the costs and benefits involved ; a similar test should be applied to newinitiatives.

Thank you again for the opportunity to comment on the issues paper . Please feel free to

contact me or our Corporate Lawyer, Helen Gordon, on (02) 9231 5877 to discuss our

comments in more detail.

Kind regards.

RON HARDAKERExecutive Director

Enclosures:1 List of AFC members2 Letter from AFC to Commonwealth Attorney-General of 6 June

AFC MEMBER COMPANIESAdelaide Bank

Advance Bank

Asset Risk ManagementAT&T Capital Corporation

Australian Guarantee Corporation

Automotive Financial Services

Avco Access

Avco Financial Services

Bank of MelbourneBankSA Finance and Leasing

BankWest

BMW Australia Finance

Bridge Wholesale Acceptance Corporation

Capital Corporate Finance

Caterpillar Financial Australia

CBFC

Elderslie Finance Corporation

Esanda Finance Corporation

FAI Finance

GE Capital FinanceGeneral Motors Acceptance Corporation Australia

GIO Finance

HDFI

Heller Financial Services

Heritage Building Society

Land Rover Finance

Medical Equipment Credit

Mercedes Benz Finance

Motorcharge Finance

Newcourt

Nissan Finance Corporation

NRMA Finance

ORIX Australia Corporation

RAC Finance

R.A.C.V. Finance

Rental and Finance Limited

St. George Bank

Suncorp-Metway LimitedTextron Financial

Toyota Finance Australia

Volvo Finance Australia

Westlawn Investment Company

July 1997

Australian Finance Conference Level 22 , 68 Pitt Street , Sydney, 2000. G.P.O. Box 1595 Sydney. 2001.Telephone: (02) 9231 5877 Facsimile : (02) 9232 5647

6 June 1997

The Hon Daryl Williams AM QC MPAttorney-General & Minister for JusticeParliament HouseCANBERRA ACT 2600

Dear Attorney-General,

Privacy Act - Private Sector Extension

The Australian Finance Conference (AFC) is the national finance industry association ; a list ofour members is attached . Our member companies currently are required to comply with theCredit Reporting provisions (Part 3A) of the Commonwealth Privacy Act and with the CreditReporting Code of Conduct developed in conjunction with the Commonwealth PrivacyCommissioner . They have an on-going commercial interest in the development andapplication of data protection and privacy regimes which further impact on their dealings withcustomers , employees , securities and data collection agencies.

We note that the Prime Minister has ruled out the proposal to extend the Privacy Act to theprivate sector on the grounds of added business compliance costs. We also note hisrecognition of the ability of the various States to enact privacy legislation which has both apublic and private sector application. We are concerned that, despite the Prime Minister'surging to the contrary, there is a real danger that State Governments will unilaterally move toregulate the private sector in its handling of personal information . Even if only a couple ofjurisdictions were to so legislate , the effect on the private sector of attempting to comply withdifferent, possibly conflicting , privacy regimes when operating across borders would beextremely serious.

National credit providers have been forced for many years to operate under a multiplicity ofsometimes contradictory credit laws. Compliance, as a consequence , has been difficult andcostly . Moves to uniformity in the credit law area through the enactment of the UniformConsumer Credit Code late last year should provide relief in that area of commerce.However, the achievement of uniformity has been a long and involved process. We thereforebelieve that the Commonwealth should take the lead on this issue to achieve a timely,nationally consistent approach to privacy regulation of the private sector.

We note the proposal at the Commonwealth level by the Privacy Commissioner and others toaddress the perceived concern of individuals arising from the lack of privacy regulation of theprivate sector through the development of voluntary Codes of Practice.

C WFCVNDEX\2\PRIVACYISECTOR-C.DOC

Incorporated in NSW as Australian Finance Conference Limited • A.C.N. 000 493 907

-2-

We see value in a co-regulatory approach to regulation because of the avenues forconsultation and co-operation between the private sector and public sector which it presents.Business, through its industry associations for example, has a valuable role to play. Webelieve that regulation which results should represent an equitable balance between competinginterests and, as a consequence, should better work in practice while minimising inefficienciesand costs in its administration and management.

However, we are concerned that without some statutory support behind these Codes theirvalue to the community will be significantly diminished . Businesses which decide to opt-inmay put at risk their competitiveness in the market through expenditure on compliance costswith no greater return as a result. We recognise that it is always open to the market to votewith its feet and support those businesses which decide to voluntarily adopt a regime ofprivacy protection for the personal information of their customers. However, we do notforesee a market response as being a viable compliance tool, at least in the short term.

For these reasons we recommend amendment of the Privacy Act to provide a process ofgiving the Codes the support of law. This approach is not new . For example in the fairtrading legislation at both the federal and state level, provision is made for the relevantauthority to develop, through consultation with industry, Codes of Practice for fair dealing (egNSWFair Trading Act Part 7 -Codes of Practice). If approved by the Minister, the Codeshave the force of law. Rights of enforcement are provided in the event of contravention toenhance the motivation of industry to comply. A similar approach was proposed in the NSWPrivacy & Data Protection Bill 1994. We believe that these approaches provide a suitablemodel for the development of a privacy regime to apply to the private sector at theCommonwealth level.

We are also concerned that the availability of voluntary Codes of Practice, in parallel withspecific contract provisions, will create confusion, more particularly if adoption of such codesis seen as insufficient to meet the test of "adequate" protection required by the EuropeanUnion Directive - Protection of Individuals with regard to the Processing of Personal Dataand on the Free Movement of such Data (95/46/EC). Australian businesses which complywith voluntary codes may not gain any advantage in the global market over their non-complying competitors as a result . Justification for compliance is therefore questionable. Toavoid unnecessary and prolonged legal argument on this issue , we encourage the adoption oflegislative backing to support the Codes of Practice.

Thank you for your consideration of the concerns of the AFC and its members.

RON HARDAKERExecutive Director

Attachment: List of AFC Members

04

RIKQUEENSLAND COUNCIL FOR CIVIL LIBERTIESG.P.O. B o x 2 2 8 1 B r i s b a n e 4 0 0 1

Our Ref : IFD:LP

12 August 1997

Mr Neil LaurieResearch DirectorLegal, Constitutional and AdministrativeReview CommitteeParliament HouseGeorge StreetBRISBANE Q 4000

BY FACSIMILE 3406 7691 - TOTAL OF 19 PAGES

Telephone: (07) 3211 3811Facsimile: (07) 3211 3737


14 AUG 1991

Dear Sir

RE: PRIVACY LEGISLATION

We refer to our previous correspondence in relation to the above.

Please find enclosed the Council's submission with respect to Privacy in Queensland.

We look forward to being able to express the Council's submissions orally at an appropriatetime.

Please do not hesitate to contact Ian Dearden should you wish to discuss the matter further.

Yours faithfullyQUEENSLAND COUNCIL FOR CIVIL LIBERTIES

IAN DEARDEN(President)

SUBMISSION TO THE LEGAL,CONSTITUTIONAL AND ADMINISTRATIVE

REVIEW COMMITTEE

ISSUES PAPER NO 2


The release of Issues Paper No 2 Privacy in Queensland by the Legal, Constitutional and

Administrative Review Committee of the Queensland Parliament is to be welcomed.

To the extent that they have been made at all, the sporadic efforts of various Australian

governments to examine privacy suggest that an examination of the issue is both warranted

and overdue.

In particular, in Queensland there has been broad support for privacy legislation on the part

of the Liberal/National Party Coalition and the Labor Party (over at least the last eight or nine

years). However, this has never been translated into any legislative or administrative regime

covering either the public or the private sectors in Queensland.

It has been the experience of the Queensland Council for Civil Liberties (QCCL) that matters

related to privacy form the largest single group of enquiries that QCCL receives both from the

media and from members of the public . What this indicates is the breadth of concern about

privacy issues , which cover a myriad of different sectors of society (both private and public)

and relate to both individuals and corporations in many different aspects and stratas of

society.

As Issues Paper No 2 suggests, privacy is multi-faceted. Inevitably, therefore, there are a

variety of competing interests which must be addressed and balanced in any legislative

regime.

It would be unduly ambitious to think that such a balance could be struck without recourse to

a comprehensive consultation process. The Issues Paper No 2, therefore, is an eloquent

commencement for such a process, and QCCL notes with approval the intention of the

1

Committee to consult widely, not just within south east Queensland but throughout rural and

regional Queensland . Obviously QCCL wishes to make an oral submission in support of this

written submission during the course of any such consultative process.

It should be noted that there are significant forces involved, from those who zealously guard

both ends of the spectrum, whether that be the status quo (or something less than the status

quo) through to the rights of the individual being championed without regard to the impact of

those rights upon other individuals or the broader community.

PRIVACY

Privacy is clearly is a multi-faceted issue and QCCL 's view comprises four separate

elements:

• Territorial privacy;

• Personal privacy;

• Information privacy; and

• Communication privacy.

In addition to these four elements , there is the question of the potential operation of any

legislative framework. Ordinarily, this is defined as applying to the public sector (ie

government) and/or the private sector (which, having regard to the four elements referred to

above, potentially includes all individuals or entities other than the public sector).

Finally, there is the framework by which privacy protection is established. Ordinarily this is

defined as involving either an administrative regime (that is voluntary submission to or

compliance with a stated set of principles ) or a legislative regime (whether it be legislation of

general or specific application).

INITIATIVES TO DATE

It is fair to say that the various expressions ( including remaining silent ) with respect to

privacy protection, both within Australia and outside Australia reveal that there is no fixed or

preferred method to address the privacy issues.

2

There is a clear need for a comprehensive consultation process in the development of any

framework to address privacy concerns. This has not occurred to date in Queensland in

terms of state-based legislation or an administrative regime and the Committee is to be

commended for commencing this process.

The four broad options which are essentially available are as follows:-

1. Remove the existing privacy framework which exists in Queensland;

2. Maintain the existing privacy framework which exists in Queensland;

3. Complete a comprehensive consultation process to identify a privacy framework for

Queensland; or

4. Act unilaterally and implement a particular privacy framework for Queensland.

The choice of any of these options is a matter for judgment and like most, if not all matters of

policy , is not set in stone . Indeed as Issues Paper No 2 illustrates, there is also the capacity

for a cocktail of policy to be made (whether it be an administrative regime applying

information privacy to the public sector together with a statutory tort of privacy for individuals,

or some other mix of ingredients).

Issues Paper No 2 identifies at least 23 issues with respect to privacy. Many of these issues

contain a number of sub- issues.

In terms of the themes running through the 23 issues, they can be delineated as follows:-

1. Organisational - i.e. the need for organisational change to inculcate a culture of

privacy within institutions and individuals;

2. Policy - i.e. the need for choices to be made about the balance to be struck in

relation to privacy; and

3. Structural - i.e. the framework by which the organisational change will be pursued

and policy choices effected.

This submission now addresses the 23 issues with respect to privacy protection set out in

Part 12 of Issues Paper No 2.

3

GENERAL

1. Are there valid concerns relating to privacy protection which need to be

addressed by legislative and/or administrative action ? If so, what particular

concerns are most pressing?

As set out above, concerns with respect to privacy form the single largest group of queries

received by QCCL both from the media and from members of the public. This clearly reflects

research undertaken by the then Federal Privacy Commissioner, Mr Kevin O'Connor, who in

an August 1995 survey, Community Attitudes to Privacy, found that "When asked to rank a

number of social issues % [of the Australian population] said confidentiality of personal

information was very important, second only to education". In particular "Eight out ten people

[were] very worried about maintaining the privacy of their home or property" and "Keeping

personal information private ranked second in importance". The research also showed an

increasing concern by Australians, with 50% of those surveyed feeling that "They [had] less

personal privacy in their daily lives than they did ten years ago". This clearly is a result in

particular of the increasingly pervasive use of computers in all aspects of both the public and

private sectors in Australia.

It is almost impossible to comprehensively cover the particular concerns relating to privacy

which need to be addressed, but in brief they include the following:

• Electronic data security - This includes the use of advanced information technology

search techniques which have made it possible to use public registers to find out vast

amounts of information about individuals for which the registers were never intended.

• Electronic surveillance - There is a rapidly increasing presence of video surveillance

in public places such as malls . QCCL is aware of surveillance cameras operated by

city councils in Brisbane , Ipswich , Toowoomba , the Gold Coast and Townsville.

Currently there is no regulation of the surveillance which is not only used in public

places such as malls , but in schools, workplaces , shops and other commercial

enterprises such as auto tellers.

• Business - There is a current problem as a result of the directive of the European

Union with respect to privacy that Australia's inadequate privacy regime will affect

overseas trade . There is a clear need to comply with international privacy standards.

• Telemarketing - The use of both publicly accessible and privately compiled lists have

lead to an enormous boom in telemarketing and targeted direct mail campaigns.

4

There is a disturbing trend involving the sale of information to telemarketing and

mailing list companies by local governments.

• Media Intrusions - There are frequent intrusions by the media into the privacy of

individuals, both those who are in public life and those who are often involuntarily

thrust into public life. A classic recent example were the published photographs of

former Senator Bob Woods photographed in his backyard during the course of a

domestic dispute with his wife.

• Smart Cards - Technology has clearly outstripped legislation and consumers are left

with no protection with respect to the operation of new technologies such as "smart

cards".


The current law in Queensland is characterised by a complete lack of privacy protection,

subject only to a number of minor exceptions including the "personal affairs" exemption of the

Freedom of Information Act, the right of access and amendment of personal information

under the Freedom of Information Act, and some specific legislative protections placed on

organisations such as the Queensland Police Service and the Criminal Justice Commission

which are responsible for the investigation and collation of significant amounts of personal

information on individuals.

The only existing legislation in Queensland which in any way specifically addresses privacy

are some provisions of the Invasion of Privacy Act, which restrict to some extent the use of

intrusive surveillance by members of the police service and others.

It is clear that current privacy laws in Queensland are completely inadequate.

3. If not, how should the right to privacy be protected in Queensland?

A single regime is not sufficient. In the view of QCCL, the protection of privacy in

Queensland requires the introduction of a system of complementary regimes. These should

be legislative, not administrative, and should apply to both the public and private sectors.

5

In QCCL's view, there are three identifiable models for privacy protection , all of which should

be implemented in a complimentary fashion in order to provide wide ranging privacy

protection . These are as follows:

• The implementation of information privacy principles (IPPs);

• The creation of a statutory tort of privacy; and

• The establishment of a Privacy Committee/Privacy Commissioner.

QCCL considers that IPPs should be introduced as part of a statutory regime.

QCCL considers that the creation of a statutory tort of privacy, with appropriate protections to

balance both the interests of the individual and issues related to freedom of the press,

together with the possible introduction of a criminal offence of privacy intrusion, would

perform a significant role with respect to the protection of the privacy of individuals.

QCCL sees a clear need for a Privacy Committee, established along the lines of the New

South Wales Privacy Committee, which could be headed by a Privacy Commissioner,

undertaking the functions of investigation , audit, research and education.



There are a range of options with respect to possible IPPs as part of the privacy legislation in

Queensland. They could follow the model contained in the Privacy Act (Commonwealth) or

they could follow the OECD model. At the end of the day, however, it is essential to adopt a

group of IPPs which take advantage of the experience in other jurisdictions, but which are

also credible, relevant and effective within Queensland.


In QCCL's view , IPPs should be in the form of legislation . Their application should not be at

the discretion of an agency , corporation or individual (which is the effect of guidelines) but

should be mandatory . There should be a capacity for the use of subordinate legislation in

order to rapidly respond to changing developments in technology and privacy protection.

There would be a clear role for a Privacy Commissioner/Privacy Committee to advise and

6

oversee the introduction of such subordinate legislation in response to the changing needs of

privacy protection. It has been said that although responsible corporate citizens may well

comply with guidelines, the need for legislation is to deal with the irresponsible corporate

citizens who will take no notice of any form of guidelines unless there is a legislative basis

and appropriate sanction for breach of relevant IPPs.

6. Should individuals have to pay to exercise their right to privacy?

QCCL believes that privacy is a fundamental right inherent in a democratic society which

goes to the inherent dignity of the individual. Privacy has been recognised in various

international instruments including the Universal Declaration of Human Rights and the

International Covenant for Civil and Political Rights. It should be remembered that the

government exists for the benefit of the community, and not the converse. In accordance

with such a principle, individuals should not have to pay in order to exercise their right to

privacy, which should be respected and protected by government regardless of the capacity

of individuals to pay in order to protect their privacy.

7. Would the costs associated with IPPs outweigh the public benefit flowing from

their implementation?

QCCL acknowledges that there is a cost both for the public and private sector flowing from

the implementation of IPPs . However , the protection of the rights to privacy of individuals is

in QCCL's view a public benefit which clearly outweighs the financial costs which flow from

implementation.

A recent survey by Price Waterhouse found that 70% of 130 major Australian companies

surveyed by the firm want a general privacy law, and most felt that the introduction of such

laws would not result in significantly higher costs (see Australian Financial Review - 30 May

1997; The Australian - 30 May 1997; Canberra Times - 30 May 1997).

The survey also showed that for private sector organisations, the key issues were:

• The need to comply with international privacy standards;

• The move to legislate privacy in the private sector and concern about a "hotch-potch"

of state regulations on privacy;

7

• A potential privacy breach affecting the company's public profile and market share;

and

• Developments in telecommunications technology.

The survey clearly indicated that not only does the private sector not regard the

implementation of privacy protection as a problem, but sees privacy protections as "good

marketing" and part of selling themselves as "good corporate citizens". The private sector is

also clearly aware of the need to comply with the privacy protection guidelines being required

in particular for trade with the European Union.

PRIVACY COMMISSIONER/PRIVACY COMMITTEE


• How should its independence be ensured;.

It is clear that a Privacy Commissioner or Committee requires a significant degree of

independence from government, but should also be answerable to an appropriate

parliamentary committee (such as the Legal, Constitutional and Administrative Review

Committee). It needs to be adequately funded, but given that it will have significant

investigative and auditing functions with respect to government and semi-government

entities, the accountability mechanism should be directed to the Queensland Parliament

through a parliamentary committee.

• Should the office be accountable to the Parliament, for example, via a

parliamentary committee (with perhaps responsibilities in relation to

matters such as appointments, suspensions, budgets and strategic

reviews); and

See QCCL's answer above.

• Should the office be combined with that of the Information

Commissioner or any other office?

In QCCL's view, it should be a separate office and not combined with the Information

Commissioner. This would only lead to a confusion of roles, given that at present the

8

Information Commissioner's role itself is effectively performed by the Ombudsman and the

protection of privacy would be better served by the positions of Information Commissioner

and Privacy Commissioner/Committee being clearly separate and unrelated.


As noted above, QCCL considers that the functions should include investigation, audit,

research and education. Clearly these functions would include the development of

appropriate privacy policies, an involvement in informed public debate and the preparation of

recommendations to government for law reform in respect of privacy, as well as the

recommendation and preparation of subordinate legislation with respect to specific privacy

issues.

10. What powers should a privacy committee/commissioner have?

The Privacy Committee/Commissioner should have the appropriate powers necessary to

enforce the functions of the Committee/Commissioner , which should include the enforcement

of IPPs . Without enforcement powers , balanced of course against the rights of individuals in

particular circumstances, any protection of privacy would be completely inadequate. There

is, in QCCL's view , absolutely no point in establishing a Committee /Commissioner which has

no teeth to enforce legislation however wide ranging it may be.

11. Would the costs associated with an office of privacy commissioner/committee

outweigh the public benefit flowing from the establishment of such an office?

See QCCL's answer to question 7 above . QCCL believes the costs of running such an office

would be relatively modest , with enormous public benefits flowing from such a

Committee/Commissioner.


12. Should privacy regulation apply to the private sector as well as the public

sector?

As stated above , it is QCCL' s view that privacy legislation should apply to the private sector

as well as the public sector . In addition , it is clear that a large proportion of the private sector

9

is in fact quite comfortable about the application of privacy regulations to their operations.

QCCL is concerned that those sections of the private sector who do not want private

regulations to apply to their operations are almost certainly those sections which are most in

need of appropriate privacy regulations.

There is a further issue, which is the current trend towards privatisation and outsourcing of

government functions. For example, the Federal Government is currently undertaking an

exercise of outsourcing all information technology (IT) processing. This has already

commenced in departments such as the Department of Veterans Affairs, and it is envisaged

within a relatively short period of time that the Federal Government will have outsourced all

its IT requirements. In these circumstances, privacy legislation which only covers the

government sector, becomes ineffective if it does not also cover the private sector. Further

examples of this include the privatisation of previously government owned

telecommunications networks, as well as water and power utilities. Such government entities

(now being privatised) are in fact the recipients of vast amounts of private information which

require protection.

A further concern is the use of electronic data by telemarketing companies, who are able to

access both publicly available data (for example, White and Yellow Pages) as well as being

able to take advantage of the wide-spread trade in data lists. At present there is absolutely

no effective means for consumers to prevent this trade in data lists, nor to seek any form of

remedy when it occurs.

The extension of a privacy regime to the private sector is also essential in QCCL's view in

order to conform with international privacy standards. This is a function which should have

been addressed by the current Commonwealth Government, but as they failed to carry out

their commitment (given prior to the last Federal election) to do so, it remains to State

Governments to commence controls in this area until and unless the Commonwealth

Government decides to legislate . Clearly any privacy legislation introduced in Queensland

should be drafted appropriately to deal with the potential introduction of a federal privacy

regime for the private sector.


It should be remembered that government owned corporations, despite their commitment to

the "level playing field" and to taking on the appearance of being a private corporation,

10

remained owned by and operate as assets of the government, and as such should clearly be

subject to any privacy regime. As set out above, there is a clear need for regulation of the

private sector, which is equally applicable to government owned corporations. Indeed if

privacy regulations applies to the private sector it becomes essential in order to keep a "level

playing field" between government owned corporations and the private sector.


Local Government activities are in QCCL's view clearly part of the government sector, and

should be subject to exactly the same privacy regulation as State Government activities.

There has been a disturbing trend in recent years for Local Government bodies to sell the

vast amounts of information which they compulsorily acquire , to the extent where the sale of

that information (almost inevitably without the specific informed consent of the rate payers

concerned) now forms a significant component of the budget of many such Local

Government bodies . Local Government is in fact the level of government which most closely

touches on the lives of individuals , and therefore clearly requires the application of a privacy

protection regime as much as any other sector, be it public or private.

15. Would the costs associated with privacy regulation of.

• the private sector;

government owned corporations;

• local government activities;


As would be seen by QCCL's answers to previous questions , it is QCCL' s very clear view

that although it is acknowledged that costs will flow from privacy regulation in all sectors,

these costs are clearly outweighed by the public benefit gained by the regulations.

16. If the private sector is not to be covered, how should privacy regulation apply

to bodies performing services which the government has outsourced?

It is QCCL's clear view that the private sector should be covered. Accordingly, this should

not become an issue. However, if any privacy legislation covered government entities only,

then that regulation should clearly extend to any services outsourced from government.

Such services continue to be paid for by government and if not "outsourced" would in fact

have been performed within government and have been covered. The Federal Government

11

has indicated that although it does not now intend to introduce legislation to cover the private

sector on a federal basis, it will amend the Federal Privacy Act in order to extend its

protections to those services which are outsourced by the Federal Government.

17. Should there be co-operative arrangements between the states, territories and

the commonwealth with respect to matters such as formal complaints regimes?

Any such co-operative arrangements are of course ideal and preferred, but the need for such

co-operative arrangements should not over-ride the important need for the urgent

implementation of a state-based privacy protection regime, based on the needs of

Queenslanders.

18. How should any privacy protection legislation interrelate with freedom of

information legislation?

This is essentially a technical issue, which in QCCL's view could easily be sorted out by an

appropriate protocol between the Privacy Commissioner/Committee and the Information

Commissioner. In fact, QCCL understands that a comparable protocol applies federally

between the Administrative Appeals Tribunal and the Federal Ombudsman. Given that

model, it is clear that both a Privacy Act and a Freedom of Information Act could correlate

and interrelate subject to the implementation of appropriate protocols between the particular

entities administering both acts.

19. What additional measures, if any, should be taken with respect to:

• The 1995 European Directive; and

• The OECD Cryptography Policy Guidelines?

The underlying policy objectives contained in the 1995 European Directive and the OECD

Cryptography Policy Guidelines are commendable, but essentially these are international

obligations which can only appropriately be dealt with at a federal level by the

Commonwealth Government . QCCL would not oppose their introduction to the extent to

which they are relevant in Queensland , but as a general matter they should be addressed in

an appropriate manner by the Commonwealth Government.

12


20. How should smart cards be regulated?

Ideally smart card regulation should be by way of Commonwealth legislation given that

neither the cards nor the companies which issue them are restricted to individual states and

territories. However, in the absence of any Commonwealth legislation , a combination of

state-based legislation together with national industry codes is the next best alternative. The

failure of the Commonwealth Government to introduce federal legislation leaves the distinct

possibility that different states will impose different regulatory regimes for smart cards, but

this of course is the "downside" attaching to the failure of the Commonwealth Government to

introduce the legislation that they promised in this particular area.

21. What form of regulation should be introduced with respect to the various types

of electronic banking and cash (not including those systems which use smart

cards)?

See answer to question 20 above . In QCCL's view , appropriate regulation to protect the

privacy of individuals should be applied both to smart cards and to electronic banking and

electronic cash regardless of the mechanism by which such electronic banking/cash is

manipulated.


22. What form of regulation should be introduced with respect to privacy issues

arising in the areas of.

• Personal privacy, including surveillance (visual and listening) both in

public and private places;

With the increased use of surveillance, in particular video surveillance both in public and

private places, it is clear that there is a pressing need for regulations. Video cameras are

becoming increasingly pervasive both in shopping malls, shops and public areas, with little

public reaction due to the perception (by members of the public) of an increase in the level of

public safety, although there is a paucity of evidence to support the argument that such

cameras assist in crime prevention and detection.

13

It is clear that without regulation, the use of video camera surveillance is open to significant

abuse. For example, in recent times in Queensland we have seen examples of the misuse

of cameras by security personnel in a major department store in order to look into women's

change rooms, and to spy on women's breasts and buttocks.

In Victoria , school authorities mounted video cameras in school washrooms in order to

confirm reports of heroin use . The use of such cameras constituted an extraordinary breach

of the right to privacy which , in QCCL's view , attaches to all members of society. Although

the introduction of cameras to the Queen Street Mall by the Brisbane City Council did involve

a representative of QCCL on the Committee which drew up the appropriate protection

protocols , QCCL does not have the resources to become involved in attempting to have

appropriate privacy protection protocols introduced with respect to the growing number of

local councils which are currently moving to introduce video surveillance in public areas.

The regulations with respect to such video surveillance need to be quite specific with respect

to the area in which the camera is used. The level of privacy expected on the street is clearly

vastly different to the level of privacy expected in a toilet. There is a clear need for regulation

as to the use of the equipment (at all), and if the equipment is to be used, who is to have

access to it and the use to which any recordings can be put. There is also a clear need for

an auditing function to ensure that such surveillance is not misused.

In this respect, QCCL refers the Committee to the report entitled "Invisible Eyes: Report on

Video Surveillance in the Workplace" issued by the Privacy Committee of New South Wales

(Report No 67 - September 1995) which reported extensively on the issues relating to video

surveillance in the workplace.

In particular, the New South Wales Privacy Committee proposed the introduction of a code in

addition to legislation which prohibited:

The use of covert video surveillance in the workplace without a permit;

The use of video surveillance for monitoring individual work performance;

The operation of video surveillance cameras in toilets, showers and change rooms;

and

• The operation of video surveillance in locker rooms and employee recreation rooms

without a permit.

14

The Committee considered that a high degree of justification would be required before an

employer could install video surveillance equipment, that as set out above some uses of

video surveillance in the workplace should be prohibited completely, that the installation of

video surveillance equipment should only be done after appropriate consultation with

employees and their representatives, and the areas on the video surveillance should be

clearly sign posted.

In addition, the Committee considered that there should be a review of the effectiveness of

video surveillance in achieving its original purpose, the cameras should only be operated

within the hours for which their use is justified, should only be installed in areas where there

was a specific and heightened security risk, should be operated ethically and not used to

zoom on individuals or pry into a person's activities without cause, access to tapes should be

restricted to those individuals whose use would be limited to the original purpose of

surveillance, tapes should only be retained for a short maximum period before erasure or

destruction, external parties should not have access unless authorised by law, employees

should have the right to view tapes, there should only be specific exceptions from the code

where there is adequate justification, and employers should nominate an individual who

would be responsible for complying with the enforcement of the code.

Telemarketing and direct marketing;

This is an area which clearly requires specific regulation. There is currently access to and a

trade in vast amounts of personal information compiled as lists of various forms and for

various specific purposes throughout Australia. Strict controls should be put in place to

regulate the collection and use of information, auditing the information collected and limiting

the use of the personal information as well as the trading of information between companies.

This is again an area which ideally requires national regulation given that the trade in

personal information transcends both state and national borders. Part of the process of

regulation would be to ensure that the mechanisms used by direct marketing and

telemarketing companies for gathering information are made clear and open and allowing

individuals to "opt in" (rather than "opt out") if they are engaging in a transaction or activity

which is likely to result in the production of information which is of interest or value to a

telemarketing or direct marketing entity.

15

For example, the Redcliffe City Council currently sells to marketing companies the details of

a person who (in accordance with legislative requirements) registers a swimming pool. The

requirement to register the swimming pool is a mandatory legislative requirement, but the

individual is given no choice about the sale of the information by the Redcliffe City Council.

Individuals in such situations should firstly be warned that the Council does sell that

information (if a privacy regime were to allow the continuation of such a sale) and secondly,

should be entitled to decide whether their own personal information should be able to be

supplied to third parties.

• The workplace;

There are major ongoing issues in relation to the protection of privacy in the workplace.

Currently there are moves by a significant number of employers to impose random drug and

alcohol testing in the workplace. At present there is absolutely no protection for employees

who provide samples for such testing, whether at the testing company that undertakes the

tests, or within the employer company within itself. For example, there is currently no

obligation on the employer company in these circumstances which would prevent them from

handing over to the Queensland Police Service, the results of a test which showed that an

employee had within a reasonable period of time used an illegal substance. Similarly, such

tests can reveal that a person uses any of a wide range of legal drugs which may indicate the

presence in their body of particular diseases (AIDS, hepatitis etc) or the control of particular

physical or mental illnesses.

Employers, whether for their own purposes or as a result of mandatory legislative

requirements of Federal, State and Local Governments, accumulate vast amounts of

information on individual employees, none of which is currently subject to any privacy

protection regime whatsoever. There is a clear and undeniable need for wide ranging

privacy protection to cover all aspects of the protection of private information in the

workplace.

Medical records including access;

In Breen v Williams (1995) 186 CLR 71, it was held that at common law the property in

medical records remains in the treating doctor and there is no right of access to these

records by the individual concerned. Given the current state of the law, patients treated in

the public health system can seek access to their records under the Freedom of Information

16

Act but private patients are dependent entirely on the policy regime of the individual health

provider. QCCL considers that privacy legislation should include a provision which would

allow patients access to their medical records, enable them to correct inaccuracies, make

copies and have any medical terminology explained to them. In a similar manner to the

Freedom of Information Act, where it was necessary in the interests of the physical and

mental health of an individual patient, such access to medical records could take place with

the assistance of an intervening medical practitioner.

• Genetics

As discussed under the heading of "the workplace" above, current genetic testing is

becoming increasingly wide-spread (as the issues paper points out) in areas such as health

care, medical research, insurance, determination of paternity, identity, employment and law

enforcement.

QCCL supports the rights of individuals to refuse to undergo testing , for instance, by

employers who seek to screen job applicants.

As discussed at page 9 of the Issues Paper , a Privacy Commissioner , in QCCL's view,

should at the least have the power to draft and publish guidelines , or preferably to draft and

have the government implement subordinate legislation to cover such areas which have the

clear potential for the adverse affect on the privacy of individuals . It is essential that the

Privacy Commissioner/Committee have the capacity to respond to changing circumstances

and be able to put such subordinate legislation in place promptly and efficiently after

appropriate consultation with the relevant affected sectors of society.

23. Generally, what should be done to ensure that the law keeps abreast with

developments in technology affecting individuals' privacy?

It should be a clear requirement on a Privacy Commissioner/Committee to research privacy

issues both in Australia and overseas, and to put forward proposals for reform (as well as

drafting appropriate subordinate legislation) in response to developments in technology,

changes in societal expectations and the changing requirements of government and the

workplace.

17

CONCLUSION

QCCL considers that clearly there is strong support in the Queensland community for wide

ranging enforceable privacy legislation . QCCL has long held the view that such legislation is

required (and long overdue) in Queensland . QCCL commends the Committee for its Issues

Paper No 2 and its commitment to consultation . QCCL looks forward to expanding on these

written submissions by way of oral submissions at an appropriate time.

QUEENSLAND COUNCIL FOR CIVIL LIBERTIES

IAN DEARDEN

(President)

18

QUEENSLANDGOVERNMENT

Telephone:

Reference:

Refer To:

Your Ref:

12 August 1997

The Research DirectorLegal, Constitutional and Administrative Review CommitteeParliament HouseBRISBANE QLD 4000

Dear Sir,


(01Family Services Building

Cnr George and Elizabeth StreetsBrisbane Queensland 4000

GPO Box 806Brisbane Queensland 4001

Telephone : (07) 3227 7111Facsimile : (07) 3404 3570

Attached is the response by this Department to the Legal, Constitutional andAdministrative Review Committee Issues Paper No. 2, Privacy in Queensland.

Should you require clarification of any issues raised or further information, please do nothesitate to contact Ms Carmel Finn, Director, Information Management, on 3224 5470.

Yours faithfully

Allan C MaleDirector-General

Working with Communities to Create a Caring Society

RESPONSE TO THE LEGAL, CONSTITUTIONAL AND ADMINISTRATIVE REVIEWCOMMITTEE ISSUES PAPER NO. 2 PRIVACY IN QUEENSLAND

GENERAL

1. Are there valid concerns relating to privacy protection which need to beaddressed by legislative and/or administrative action ? If so, what particularconcerns are most pressing?

Community awareness about privacy issues is increasing and a range of concerns areemerging. Information privacy protection is an issue of concern to most members of thecommunity. Recent public opinion polling shows that Australians view the confidentialityof personal information held by organisations as a very important issue. When askedto rank a number of social issues three quarters said confidentiality of personalinformation was very important, second only to education. This was reported in 1995.The survey also revealed that people feel control over their personal information isbeyond the individual's power. This was a particular concern where information is heldon computers.

Over the years, advances in technology have brought new threats to privacy. Activitiessuch as computer profiling, data-matching and surveillance are now commonplace.Information about the private activities of a person can be collated and monitored andthis can take place without the knowledge or consent of the person concerned.

The European Union Directive on Transborder Data Flows, (24 October 1995),demonstrates the seriousness with which the European Union views data protection andprivacy issues. By October 1998 European Union Members cannot trade or deal inpersonal information with outside countries which do not provide 'an adequate level ofprotection'.

Although 'adequate level of protection' is defined in the Directive, there is muchdiscussion about whether this requirement can only be satisfied by a country's overallprivacy laws. In any event, it is clear that privacy protection is widely considered asdesirable in today's technological climate.

In another survey of 120 of Australia's biggest companies two-thirds favour theintroduction of a national privacy act to regulate the private sector or oversee industryspecific codes.


In the context of community expectations the current law in Queensland is not adequatewith respect to privacy protection. Ironically many of the most sensitive personal recordsare held by state government agencies. However unlike records held by theCommonwealth there is no legislation which specifically addresses the need forinformation privacy protection. With the operation of Freedom of Informationlegislation in both jurisdictions it has become apparent that there is an expectation in the

1

community that information privacy regimes should operate in both jurisdictions.

3. If not , how should the right to privacy be protected in Queensland? Forexample, should Queensland introduce one or a combination of the followingmeans of regulation : information privacy principles, (IPPs); a statutory tort of

privacy; a privacy committee/ privacy commissioner; or some other means of

to protect privacy?

The introduction of information privacy principles based on the OECD guidelines,accompanied by the establishment of an appropriate, 'independent' office to oversee

privacy protection would effectively address community concerns. Such an approachwas proposed in the current government's policy statement on privacy during the 1995election. However there are costs associated with the introduction of this kind ofinformation privacy regime and a proper balance needs to be achieved between the idealsystem and one which reflects contemporary economic constraints and consequentpriorities for resource allocation. The implementation of an administrative regime as afirst stage prior to the introduction of a legislative ( and therefore enforceable) regime will

serve to reduce the costs.

Although the introduction of a statutory tort of privacy may address the issue ofobligations under international law, there is a real danger that it will not effectivelyaddress community concerns and needs. For instance, access to privacy protection couldbe limited because of the associated costs and delays in a court driven process. Thecost of action through the courts is well out of the reach of many people. For examplemost clients of this Department already suffer social and economic disadvantage within

our community. They rely on services provided by government and communityorganisations; the nature of these services is such that an individual's privacy is oftennecessarily intruded upon. It is well established that welfare clients are less likely tohave the resources, skills, knowledge or education to exercise their right to take civil

action. In the Canadian jurisdictions where a general tort of privacy operates, therelevant law is not often used.

OPTION INFORMATION PRIVACY PRINCIPLES


An effective privacy protection regime needs to allow for the appropriate balancebetween the responsibilities of society and our individual right to privacy. The OECDGuidelines on the Protection of Privacy and Transborder Flows of Personal Data, are anideal starting point in developing a privacy protection regime. The Guidelines provideeight principles which specifically relate to information privacy protection. They alsorecognise that there are certain public interests which may justify interference with

privacy.

Adoption of the basic OECD guidelines could be the initial step in the development ofa privacy regime which properly addresses privacy issues in this State. It would providean opportunity to develop principles and infrastructure that reflect and properly balancethe State's responsibilities.

2

In the discussion on Information Privacy Principles, the issues paper makes reference tothe principles contained in the Commonwealth Privacy Act. It should be noted thatadoption of the same or similar principles may not be appropriate. Some responsibilitiesof State Governments raise issues which have not been faced by the CommonwealthGovernment. State Governments have greater responsibility for the provision of directservices to members of the community. In the South Australian jurisdiction, forexample, privacy principles place lesser restrictions on information privacy. This reflectsa difference in the sensitivity of and the purpose for the collection and use of personalinformation by a state government. The relatively large number of exceptions grantedby the South Australian Privacy Committee further demonstrate the differentresponsibilities Commonwealth and State Governments have in respect of individuals.The intrusion of state agencies into the personal affairs of individuals is far greater thanthat of commonwealth agencies. The amount of co-operation and sharing of verysensitive personal information required between agencies in the area of child protection,for example is unequalled in the Commonwealth.

It will be necessary to look very carefully at the functions and responsibilities ofQueensland Government agencies to ensure the proper balance between a right toprivacy and the public interest in any exceptions to that right. Set out below are someof the issues facing this agency which will need to be addressed.

Exceptions for the Protection of Children and Persons with Impaired Decision MakingCapacity

Protection of Children

It is most important that the information privacy principles introduced in Queensland donot extinguish essential communication and coordination among agencies to ensurepublic safety. Of particular concern to the Department of Families, Youth andCommunity Care is the exchange of information necessary for effective child protectionpractice. Current practice and procedures undertaken by departmental officers involvethe regular exchange of information between the core agencies involved in childprotection. The Department holds concerns that the application of the Privacy Principleswould seriously undermine Queensland's child protection system unless an exceptionthat relates to the protection of children is incorporated. The delineation and definitionof the roles of the agencies and personnel involved in the protection of children and thecoordination of their activities is central to ensuring that children do not "fall through thegaps" or on the other hand that families are not overwhelmed by a barrage of agenciesvisiting. The collection and consideration of all relevant information also is critical toa proper assessment being made of the degree of risk to which children are subject. Theimportance of coordination of the response by agencies to child protection concerns hasbeen a consistent finding of all recent official inquiries into child protection practice bothin Australia and overseas .

During the last two decades a central mechanism for determining the direction of childprotection policy has been public inquiries following the deaths of children. It has notbeen uncommon for it to emerge during these inquiries that a number of governmentand non government agencies had been involved with the family of the child who died.

3

The way in which they have coordinated (or more commonly failed to coordinate) theexchange of information has generally been a focus of attention. Recent inquiries heldin NSW and Victoria have been subject to considerable media scrutiny. TheDepartment of Families, Youth and Community Care proposes that any QueenslandInformation Privacy Principles be designed to reflect our child protection responsibilities.In proposing the changes the findings of these inquiries have been considered.

The findings of an Inquiry held in the UK in 1985 into the death of Jasmine Beckford,a five old year child provides a useful example to consider in this context. Firstly theInquiry highlighted the importance of case conferences with multi-agency involvementas one mechanism for ensuring welfare professionals are accountable for their decisionmaking. ( The Report of the Inquiry into the circumstances surrounding the death ofJasmine Beckford (1985) London Borough of Brent.) The importance of liaison withschools in the child protection area and the lack of effective liaison was identified by theInquiry. In addition, the Inquiry commented on the need for case conferences to haveaccess to information about the parents as children. The nature of child abuse is suchthat a person's own experience of parenting is crucial in establishing their own patternof parenting. In the Beckford case the background information was apparently not usedto full effect. The Inquiry went on to highlight the importance of police involvement atcase conferences and that information regarding police history should be available tocase conferences. The Inquiry even recommended the ready exchange of informationwith the relevant non-government agencies, in particular, the National Association forthe Prevention of Cruelty to Children. The Inquiry went as far as to suggest that recordsfrom different agencies should be routinely compared and all participants in caseconferences should have access to these documents. Finally, like all these Inquiries, theBeckford Inquiry emphasised that coordination and exchange of information amongagencies is central to ensuring an effective child protection system.

... we have attempted further to address some of the problems of child abuse,beyond just the "management" of social services and other agencies. We wereconcerned throughout our deliberations to point to the need for betteridentification of the signs of child abuse, and to indicate improved methods of

inter-agency and inter-professional collaboration. (p297)

Current practice of this Department reflects a commitment to this coordinated approachand would contravene the Privacy Principles if they were identical to those currentlyenshrined in the Commonwealth legislation. The following procedures consideredessential to good practice highlight the need.

If a child protection notification has been received which requires full investigation, it

is not uncommon for the police to be contacted to carry out a joint investigation withFamily Services Officers. Procedures prescribe that Family Services Officers "share andassess all available information" and that " In joint investigations, Police Officers areentitled to receive the information provided by an informant". This disclosure is

consistent with the statutory provisions of the Childrens Services Act.

Procedures also prescribe that specialist support workers may be used in theinvestigation. Their participation is not provided for under the Act and would contravene

4

the Privacy Principles if they are not amended to incorporate a child protection

exception.

It is routine for the Aboriginal and Islander Child Care Agency to be contacted when thenotification relates to an Aboriginal or Torres Strait Islander family. In areas where thereis no AICCA representative the officer is required to contact an appropriate representativeof the relevant Indigenous community. This is consistent with Recommendation 235 of

the Royal Commission of Inquiry into Aboriginal Deaths in Custody and thisDepartment's progress to date has been published and reported to the QueenslandParliament in the subsequent progress reports.

Other support workers who may be contacted include ethnic support workers insituations where the family is not fluent in English; or where a parent or child may havespecial needs or a disability a relevant specialist may be contacted. For example, if thechild is deaf, the involvement of a specialist proficient in sign language would benecessary to properly investigate the child abuse notification.

Procedures also state that where another person may have information which the officershould know before speaking to the parents, an interview should be undertaken with thisperson. For example, if the notifier has indicated that the child went to a doctorfollowing an alleged incident of physical abuse. This is not clearly provided for in theAct and would contravene the Privacy Principles if they do not incorporate a childprotection exception.

Children are only interviewed without parental permission when " information receivedrelates to sexual or serious physical abuse and the offender lives in the home" or whenthe "child is likely to feel under pressure from their parents to withhold or distortinformation". Such interviews commonly occur at schools. Current procedures prescribethat in such a circumstance an area manager must contact the school principal who maysubsequently seek approval from the Regional Office of the Department of Education forthe interview to take place. Sufficient information must be provided to support the claimthat the circumstances are serious enough to warrant an interview taking place withoutparental permission. Identifying information regarding the child is not provided untilapproval in principle has been given.

It is Education Department policy to have a staff member present during the interview.This is not always the Principal who may authorise another staff member to be present.It is the policy of this Department to " seek a school representative of the child's choice,or who is considered to have a positive relationship with the child". This wouldgenerally be a classroom teacher or guidance officer rather than a senior authority figurelike a principal. These procedures would contravene the Privacy Principles unless theyincorporate a child protection exception.

In many cases the matter may be referred to a SCAN Team for further consideration. Thecore membership of SCAN is representatives from the Department and the QueenslandPolice Service and a medical practitioner. SCAN Teams are the formal mechanism forcoordinating management of child abuse intervention in Queensland. The exchange ofinformation between relevant specialists and agencies involved with these families is

5

central to the effectiveness of providing a safe and secure environment for thesevulnerable children. For example, schools provide an important venue for monitoringthe ongoing safety of children who remain within their family but are assessed as beingat ongoing risk of abuse. In a number of SCAN Teams around the State, representativesof the Education Department are coopted as regular members of the team.

Another situation in which the sharing of information is critical to the effectiveness ofchild protection intervention is when there are current proceedings in the Family Court.When child protection concerns exist in such circumstances the interests of the childrenmay be represented by a separate independent legal representative. It would becommon practice for this legal representative to attend SCAN meetings. This ensuresthat the Family Court has access to any relevant child protection information without theDepartment always having to adopt the cumbersome and potentially expensive route ofbecoming a party to the proceedings. In addition, protocols have been developed withthe Family Court regarding the sharing of information in other circumstances (egregarding special medical procedures jurisdiction).

People with Impaired Decision Making Capacity

The impact of the proposed introduction of Information Privacy Principles to theQueensland Government on records relating to people with impaired decision makingcapacity requires special attention. This includes people with chronic mental illness,acquired brain damage, head injury, senility, dementia or intellectual disability. Thecapacity of these people to provide informed consent to the collection, use anddisclosure of their personal affairs information must be considered. Procedures need tobe in place to ensure their rights can be properly protected if it is considered that theircapacity to make an informed decision is sufficiently impaired. In the Commonwealthit is common to use "warrantees" to provide authorisations on behalf of people with anintellectual disability. The Department, as lead agency in the development of disabilitypolicy, should have a central role in the development of procedures for the StateGovernment.

In June 1996 the Queensland Law Reform Commission released a report "Assisted and

Substituted Decisions: Decision-making by and for people with a decision-making

disability". The Attorney and Minister for justice has subsequently issued a consultation

draft of the Powers of Attorney Bill 1997. This represents Phase One of a two phaseprocess to implement the recommendations of the Queensland Law Reform Commission.Phase One relates to reform of those areas of the law which will enable people toappoint a person(s) and to give directions in relation to future personal matters andfinancial matters. Legislation relating to Phase Two - the creation of a process to appointpeople to make substitute decisions for people with a decision making disability - willbe introduced at a later time. Until this proceeds, the law regarding substituted decisionmaking for people with impaired decision making capacity remains unchanged. There

is no existing statutory mechanism which has jurisdiction to provide consent for thecollection, use and disclosure of their records.

In the interim, the existing statutory mechanisms for other consents may need to be usedto seek authorisation for collection, use and disclosure of personal affairs information of

6

people with intellectual disabilities. Alternatively, procedures may be developed whichanticipate those proposed by the Law Reform Commission; under such a regime,authorisation from relatives and close friends would be sought. The primary existingstatutory mechanism for decision-making or authorisations on behalf of people with anintellectual disability is the Legal Friend. Both the Legal Friend and the IntellectuallyDisabled Citizen's Council were transferred to the auspices of the Attorney-General andMinister for justice on 1 July 1997. Section 26 of the Intellectually Disabled Citizens Act1985 outlines the jurisdiction of the Legal Friend. Section 26.(1) (c) states that the LegalFriend

(c) may liaise with Government departments and other organisations or bodies onbehalf of an assisted citizen

However the role of liaison appears to be distinguished in the legislation from thecapacity to authorise. In contrast to 26.(1)(c) the following sections are quite specificregarding the scope of the powers of the Legal Friend.

(3) Subject to subsection (4), where the Council under this Act authorises theLegal Friend to act on behalf of an assisted citizen, the Legal Friend mayon behalf of the citizen give consent to any medical, dental or surgical orother professional treatment or care (whether a single item of treatment orcare or a course of treatment or care over a period) being carried out onor provided to the citizen for the citizen's benefit by a personprofessionally qualified to carry it out or provide it.

(9A) Where the Legal Friend acts in accordance with the authority given bysubsection (9)-

(a) the Legal Friend shall as soon as possible thereafter make or causeto be made an application under section 27; and

(b) the Legal Friend may, in giving consent referred to in subsection(3), only give consent to such essential medical, dental or surgicalor other professional treatment or care (whether a single item oftreatment or care or a course of treatment or care over a period) asis necessary to alleviate or prevent the citizen being subject tosignificant illness or suffering or to preserve the life of the citizen.

A preliminary interpretation would seem to suggest that the powers of the Legal Friendto authorise matters is limited to treatment related matters. Accordingly there is nocompulsion for authorisation for information related matters to be sought from that office.

The Law Reform Commission recommended that professional care providers should notbe eligible to be decision-makers. The Department would propose a procedure forauthorisation which includes family members or close friends and reflects therecommendations of the Queensland Law Reform Commission.

7

It is acknowledged that one of the challenges in making special provision for people withan impaired decision making capacity is defining who this includes. Certainly thereneeds to be mechanisms in the system to ensure that the exception is not inappropriatelyused. There must be a mechanism to determine circumstances where the decisionmaking capacity of people with a mental illness, intellectual disability etc is notdiminished to the extent of not being able to provide informed consent to the use oftheir information.

To some extent the dilemma faced regarding the introduction of an information privacyregime to records relating to child protection and people with impaired decision makingcapacity highlights the different roles the Commonwealth and State Governments havein respect of individuals. Ideally, Queensland should adopt an information privacyprotection scheme that reflects the privacy needs of individuals in this state. If we areto adopt the Commonwealth IPPs, adjustments to the wording of some principles wouldbe appropriate. For example, principles 10 and 11 would require amendment as

underlined below:

Principle 10Limits on Use of Personal Affairs Information

A record-keeper who has possession or control of a record that contains personal affairsinformation that was obtained for a particular purpose shall not use the information for

any other purpose unless:

(a) the individual concerned has consented to use of the information for that other purpose;

(b) the record-keeper believes on reasonable grounds that use of the information for thatother purpose is necessary to prevent or lessen a serious or imminent threat to the life orhealth of the individual concerned or another person;

(c) use of the information for that other purpose is reasonably necessary for enforcement ofthe criminal law or of a law imposing a pecuniary penalty, or for the protection of the

public revenue; or

(d) use of the information for that other purpose is reasonably necessary for enforcement ofthe criminal law or of a law imposing a pecuniary penalty, for the protection of the public

revenue or for the protection of children and people with impaired decision making

capacity; or

(e) the purpose for which the information is used is directly related to the purpose for whichthe information was obtained.

2. Where personal affairs information is used for enforcement of the criminal law or of a lawimposing a pecuniary penalty, for the protection of the public revenue, or for the protection ofchildren and people with impaired decision making capacity ; or, the record-keeper shall includein the record containing that information a note of that use.

Principle 11Limits on Disclosure of Personal Affairs Information

8

1. A record-keeper who has possession or control of a record that contains personal affairsinformation shall not disclose the information to a person, body or agency (other than theindividual concerned) unless:

(a) the individual concerned is reasonably likely to have been aware, or made aware underPrinciple 2, that information of that kind is usually passed to that person, body or agency;


(c) the record-keeper believes on reasonable grounds that the disclosure is necessary toprevent or lessen a serious or imminent threat to the life or health of the individualconcerned or of another person;

(d) the disclosure is required or authorised by or under law; or

(e) the disclosure is reasonably necessary for the enforcement of the criminal law or of a lawimposing a pecuniary penalty, for the protection of the public revenue or for theprotection of children and people with impaired decision making capacity;

2. Where personal affairs information is disclosed for the purposes of enforcement of the criminallaw or for a law imposing a pecuniary penalty, for the purpose of the protection of the public

revenue or for the purpose of the protection of children or people with impaired decision

making capacity, the record-keeper shall include in the record containing that information a note

of the disclosure.

3. A person, body or agency to whom personal affairs information is disclosed under clause 1 thisPrinciple shall not use or disclose the information for a purpose other than the purpose for whichinformation was given to the person, body or agency.

However the inclusion of these amended Commonwealth IPPs does not preclude theearlier proposal for using the OECD guidelines as the "starting point" for the Committee'sconsideration of privacy principles.

5. Should IPPs be in the form of guidelines or legislation ?

It is the view of the Department of Families, Youth and Community Care that ultimatelythe IPPs should be enshrined in law. However because of the costs of implementationit is a more realistic strategy for the Principles to be introduced administratively initiallywith the legislation representing a second phase of the process. As suggested previouslythe Queensland principles should be derived from the OECD Principles with a stagedimplementation to facilitate the "fine tuning" of the principles prior to their beingintroduced as law.

To be fully effective, privacy principles would need to be introduced through legislation.One significant factor in this regard is that without a legislative requirement there wouldbe no obligation to review current legislation or give due consideration when enactingor drafting new legislation to ensure that adverse effects on the privacy of individuals areminimised. Furthermore an administrative scheme will not compel agencies to amend

existing legislation which includes powers for the collection, use and disclosure of

information

The situation in New South Wales is instructive in this regard. Even though a committee

9

exists under statute, their role is promotional and consultative rather than one ofenforcement of the law. There is no privacy legislation. This situation has not been seenas effective and legislation is currently under consideration. In addition, the expectationsof the community are informed by their experience of the Commonwealth which hasboth legislated IPPS and a review body established by statute (the Privacy

Commissioner).

There are additional costs attached to the collection and storage of documents and foran information privacy protection regime to extend to the non-government sector itseems likely that it would need to be compelled by law.

6. Should individuals have to pay (a reasonable amount ) to exercise their right to

privacy?

Individuals exercise their "right to privacy" through access and amendment of documentsheld by organisations. Currently in the Queensland Public Sector this right is exercisedin accordance with the Freedom of Information Act. Any change to this arrangement isnot supported. Nor however, as discussed below, is an extension of FOI to the private

sector. Access and amendment arrangements to personal documents held in the privatesector would be better dealt with under a privacy regime. It seems reasonable thatapplicants to the private sector should not have to meet the full costs of meeting suchaccess and amendment costs. It must be considered with the trend toward transfer offunctions from the government to the non-government sector that the community is likelyto be highly critical of such changes if the effect is that they incur high costs for a servicewhich was available at no cost from the government sector. The proposal contained inthe September 1996 Commonwealth Attorney-General's Department Discussion Paper,Privacy Protection in the Private Sector was that an information privacy regime in theprivate sector would require any fee charged to be reasonable and linked to thereasonable cost to the individual or organisation of complying with the request." Thediscussion paper did not consider that application fees should be charged. This isconsistent with the Queensland FOI Act which does not include an application fee forapplications for and amendment of "personal affairs" documents.

7. Would the costs associated with IPPs outweigh the public benefit flowing fromtheir implementation?

There is little doubt that there will be considerable costs involved in the introduction ofany effective form of privacy protection. However as discussed earlier, there are certainobligations regarding privacy protection under international law which need to beaddressed and increasing community concern in Australia regarding privacy protection.However costs could be minimised through staged implementation. Initially guidelines

could be introduced with a "sunset clause" for the introduction of legislation.

OPTION - A PRIVACY COMMISSIONER/PRIVACY COMMITTEE


how should its independence be ensured;

10

should the office be accountable to the Parliament, for example, via aparliamentary committee (with perhaps responsibilities in relation tomatters such as appointments , suspensions , budgets and strategicreviews); and

should the office be combined with that of the InformationCommissioner or any other office

The reporting arrangements of a body reflect the level of independence from both thepolitical processes and the bureaucracy. The independence of a commissioner orcommittee will be challenged if it is subject to the direction of a Minister or a seniorbureaucrat. On one hand, in such a circumstance the Commissioner/Committee wouldbe perceived as lacking impartiality in relation to the public sector and on the otherwould be seen as lacking credibility with the private sector because of its inextricablelinks to the bureaucracy. To address this and to maximise the independence of theprivacy committee or commissioner it would preferable for the reporting arrangementsto be linked to the Parliament.

The role of the Information Commissioner is integral to the administration of theFreedom of Information Act. The central component of the role is the determination ofapplications for External Review. The skills and knowledge base is necessarilyembedded in administrative law and the work of the Information Commissioner isprimarily applications driven. A privacy commissioner/ committee would be primarilyconsidering systems established in agencies to ensure privacy principles are followed.The purpose of an information privacy protection scheme is to regulate the use, storageand release of information collected by agencies about the private affairs of individuals.Information privacy protection is designed to stop or limit practices that intrudeunreasonably upon the personal affairs of individuals. Rather than the emphasis onadministrative law, the work of a privacy committee or commissioner requires aknowledge base which is embedded in records management, public and private sectoradministration, the interplay of legislation, information technology and policydevelopment. Neither the role nor the type of expertise required is consistent with thatof the Information Commissioner.

9. What functions should a privacy committee/ commissioner have?

The role of a privacy commissioner or a committee generally is to monitor adherenceby agencies to the scheme, to determine any exceptions to its application and todetermine compensation for citizens whose privacy it has determined has beenunreasonably breached.

More specifically, the functions could be as follows:

the Commissioner/Committee could oversight the development of the Queenslandprinciples from the OECD guidelines, the implementation of the informationprivacy regime on an administrative basis and the transformation of theapplication of the principles on an administrative basis to statute.

11

the Commissioner/Committee could review existing legislation in terms of privacyprotection as part of the implementation process and have an ongoing role inreviewing all proposed legislation from the same perspective.

the Commissioner/Committee could grant exceptions to the application of one ormore principles in circumstances where the public interest favours such andexception.

the Commissioner/Committee should have an ongoing responsibility to monitorand respond to changing data processing techniques and information technologyand their impact on privacy protection.

the Commissioner/Committee could have a promotional and educative role inrelation to both organisations and members of the community regarding theircompliance and rights respectively.

the Commissioner/Committee should conduct audits of records of personalinformation maintained by organisations for the purpose of establishing whethersystems are in place which are consistent with the privacy principles.

he Commissioner/Committee should monitor the charging regimes to ensure thatthey remain reasonable and in line with the intent of the legislation.

the Commissioner/Committee should mediate between citizens whose privacy ithas determined has been unreasonably breached and the relevant organisation.

the Commissioner/Committee should determine compensation for citizens whoseprivacy it has determined has been unreasonably breached.

the Commissioner/Committee should report to the Queensland Parliament on atleast an annual basis on the above matters

10. What powers should a privacy committee / commissioner have? For example,should these include the power to:

enforce IPPs through sanctions such as fine or disciplinary action; and

exercise coercive powers such as powers of access?

The Commissioner/ Committee will require statutory authority to undertake the functionsoutlined in the response to the previous question. However the introduction of aninformation privacy regime should not be seen as an onerous imposition in which theCommissioner/Committee is perceived as an arbiter. Rather the role of theCommissioner/ Committee should be seen as primarily facilitative. It would be necessaryfor the Commissioner/ Committee to have power to enforce the legislation. However

12

this would only require the power to compensate the aggrieved party (rather than fine)where breaches have occurred. The use of reparation is qualitatively different frompunishment.

Other powers (such as the power of access and) are necessary to undertake audits.

11. Would the costs associated with the Office of the Privacy Commissioner/Committee outweigh the public benefit flowing from the benefit of such anoffice?

There is no doubt that for an information privacy regime to be effective there must bea central body oversighting compliance; the office must be separate from theorganisations subject to the privacy regime. It must have adequate funding andinfrastructure to avoid claims of tokenism. The choice is not really whether an office isestablished but rather whether an information privacy regime is introduced. Unless a"watchdog" body has autonomy and independence from the subject agencies it willattract criticism. In addition, it should have sufficient authority and standing among theagencies.


12. Should privacy regulation apply to the private sector as well as the publicsector?

In the 1995 survey regarding privacy more than 8 out of 10 Australians stated that theybelieved that governments should pass legislation to protect privacy and that privacy lawsshould apply to both government and business.

From the perspective of this Department, it is important to define what is beingconsidered when the "private sector" is being discussed. This Department currentlyfunds, licenses and supports community services. The organisations funded provideservices to target groups that include older people, people who are homeless, individualsor families who are threatened by breakdown, crisis or domestic violence, people withdisabilities, families requiring quality child care, children subject to protective courtorders, disadvantaged young people and abused children. The transfer of serviceprovision to the non-government sector has been an increasingly common trend in thelast decade. It is currently the subject of a Commonwealth Parliamentary Committee ofInquiry (House of Representatives Standing Committee on Family and Community Affairs'Inquiry into the Competitive Tendering of Welfare Service Delivery).

If this trend continues and privacy regulation was introduced in the public sector, it isforeseeable that the transfer of functions from the public to the private sector could resultin the extinguishment of rights to privacy. One option which could be considered toaddress such an inequitable situation is to include privacy protection measures in theservice agreements made with funded or licensed organisations. However this wouldresult in funding or licensing bodies having to assume a monitoring role regarding theadherence of the organisation to privacy protection measures. This is not appropriate.

13

The expertise of the funding or licensing bodies would not lie with information privacyprotection. Each funding organisation would have to develop monitoring and compliancemeasures and it is likely this would result in uneven application of the privacy measuresacross the private sector. Accordingly it is necessary for the information privacy regimeto apply directly to non-government organisations.

Consideration may be given to the introduction of Codes of Practice for differentindustries. In this way differences between the public and private sectors and differentparts of the private sector could be reflected in the overall privacy regime. For example,the guidelines in relation to banking, real estate, retailing and community welfareorganisations all could well require different approaches to the collection, storage andexchange of personal information.

A further factor to be considered is the European Union Directive which comes intoeffect next year. This provides an economic imperative for the private sector.

16. If the private sector is not to be covered , how should privacy regulation applyto bodies performing services which the government has outsourced?

Although it is not the preferred option, service agreements with funding bodies couldinclude a requirement that organisations adhere to an information privacy regime.However this would result in a plethora of information privacy compliance bodies withinfunding agencies. Expertise would be dissipated across the public sector; costefficiencies associated with central agencies would be lost; there would be a loss ofindependence from the bureaucracy and political processes which would perceived asa diminution of accountability; finally because the funding agencies necessarily wouldconsider information privacy as peripheral to their primary reason for funding anorganisation, it is likely that it could be given scant regard.

17. Should there be co -operative arrangements between states, territories and thecommonwealth with respect to matters such as formal complaints regimes?

While the relationship should not be adversarial, it should be complementary rather thanco-operative. The Committee/ Commissioner should be accessible, especially throughthe period of implementation. However the central reason for establishing a separateQueensland Office of the Committee/ Commissioner is that the regime it will oversightshould reflect the difference between State and Commonwealth responsibilities. It isanticipated that as a result, different principles and different legislation will emerge fromthe Commonwealth.

18. How should any privacy protection legislation interrelate with freedom ofinformation legislation? For example, should the access to and amendment of,personal information be regulated by a Privacy Act alone?

The approach of regulating access and amendment of personal information as purelyprivacy issues fails to recognise the significance of access and amendment to issuesrelating to the accountability and openness of government. It would not be uncommonfor a citizen to be seeking documents relating to their personal affairs as well as related

14

non personal documents or documents relating to the personal affairs of other people.For example, in this Department FOI applicants routinely seek material that relates bothto themselves and to other family members. It would be unwieldy if they were expectedto apply under both the FOI Act and privacy legislation to access all information abouta particular matter.

The Commonwealth Privacy Commissioner has taken the view that access and correctionshould generally be dealt with through the provisions of the FOI Act. The Privacy Acthowever, gives additional grounds for amendment. For example, it allows foramendment by way of deletion on the basis of the relevant collection of personalinformation. Another example is that the FOI Act excludes provision for the amendmentof exempt documents in that the applicant must have previously had access to thedocuments. In some instances documents containing personal affairs information may beexempt from disclosure. This is not uncommon in documents of this agency relating tochild abuse and domestic violence where public safety exemption provisions are applied.Commonwealth review bodies have suggested that good management would indicatethat amendments should be made to such exempt documents. FOI legislation does notcompel such amendment but a privacy regime would.

The Queensland FOI Act unlike the equivalent Commonwealth legislation uses the term"personal affairs" rather than "personal information". This term was used initially in theCommonwealth legislation but was replaced in 1991. The Queensland InformationCommissioner commented on the disparity and its history in Re Stewart (93006) .

That conclusion would be reinforced by the fact that the Queensland Parliament did notsee fit to adopt the amendments made to the Commonwealth FOI Act in 1991 to removethe term "personal affairs" which was described in the explanatory memorandum to theFreedom of Information Amendment Act 1991 Cth as a "more limited and uncertainphrase" than the term "personal information" which replaced it. The term "personalinformation" was given a definition which corresponded to the meaning of the same term

as used in the Privacy Act 1988 Cth. An FOI memorandum issued by theCommonwealth Attorney-General's Department at the time of the amendments stated

that:

"The main purpose of the change is to ensure that the privacy exemptionis capable of applying to information regarding work performance, capacityor suitability of a person for appointment or promotion."

The 1991 amendments to the Commonwealth FOI Act were introduced after EARC haddelivered its Report on Freedom of Information in December 1990 (and were not takeninto account in that Report), but wel I before the passage of the Queensland FOI Act, and

it was open to the Queensland Parliament to embrace the 1991 Commonwealthamendments if they were considered to be appropriate. (The Freedom of InformationAct 1992 WA, in its personal information exemption, followed the 1991 Commonwealthamendments, while adding some variations of its own.) Alternatively, it was open to theQueensland Parliament to follow the approach adopted in the Freedom of InformationAct 1991 SA, which was to employ the term "personal affairs" but give it a non-exhaustive statutory definition, clearly extending its meaning into at least two areas

15

where doubt existed as to the application of the undefined words "personal affairs" onthe Commonwealth authorities.

In looking at this issue it is submitted that the Committee consider the findings of theAustralian Law Reform Commission and the Administrative Review Council in their reportof January 1996 'Open Government: a review of the federal Freedom of Information Act1982'. The Commonwealth jurisdiction has 15 years experience in the administration ofa FOI Act and 7 years of experience with both pieces of legislation operating. As aconsequence these reports provide useful information based on experience rather thanconjecture.

19. What additional measures , if any, should be taken with respect to :

the 1995 European Directive; andthe OECD Cryptography Policy Guidelines

In addition to comments already made regarding the necessity of taking these standardsinto account for economic and other reasons consideration must be given to the situationof Trusted Third Parties. These are bodies which offer key management services inelectronic commerce. With the trend to globalisation of communication the need forencryption will increase and consequently the role of Trusted Third Parties will requiregreater scrutiny. Consideration will need to be given as to whether Trusted Third Partiesare located in the government sector, are licensed or regulated in some other manner.

23. Generally, what should be done to ensure that the law keeps abreast withdevelopments in technology affecting individuals' privacy?

As stated earlier, the role of the Office of the Privacy Committee/Commissioner wouldbe central in ensuring that a contemporary knowledge is maintained.

If you require further information or clarification of the above, the contact officer forthis matter is the Director, Information Management , telephone number 3224 5470.

16

LEGAL, CONSTITUTIONAL ANDADMINIS T1VE REVIEW COMMITTEE

11 AUG 1997bO

THE AUSTRALIAN PRIVACY CHARTER COUNCILHosted by the School of Law, University of New South Wales

Patron : The Hon Justice Michael Kirby AC CMG President:

Vice President : Julie Cameron Secretary:Janine Haines

Tim Dixon

School of LawUniversity of New South WalesP.O. Box R507 Royal ExchangeSYDNEY, NSW 2000

Mr Neil LaurieThe Research DirectorLegal, Constitutional and Administrative Review CommitteeParliament HouseBRISBANEQUEENSLAND 4000

6 August 1997

Dear Neil

PRIVACY IN QUEENSLANDISSUES PAPER NUMBER 2, MAY 1997

A SUBMISSION TO THE QUEENSLAND LEGAL, CONSTITUTIONAL ANDADMINISTRATIVE REVIEW COMMITTEE FROM THE AUSTRALIAN PRIVACY

CHARTER COUNCIL

The submission from the Australian Privacy Charter Council to your committee is attached for your

consideration. We welcome this timely enquiry into privacy issues by your Parliament. We considerthe questions that you have raised are crucial at a time when the community in increasinglyconcerned about surveillance and the impact of technology on their privacy.

If you have any queries about this submission or if you would like assistance from members of the

Council, please contact me.

Yours sincerely

tulle Cameron

Julie CameronVice President, Australian Privacy Charter CouncilTelephone: 02-9326 9430email : cameronj@acslink. aone.net.au

1

PRIVACY IN QUEENSLANDISSUES PAPER NUMBER 2, MAY 1997

A SUBMISSION TO THE QUEENSLAND LEGAL, CONSTITUTIONAL ANDADMINISTRATIVE REVIEW COMMITTEE FROM THE AUSTRALIAN PRIVACYCHARTER COUNCIL

l . INTRODUCTION

THE AUSTRALIAN PRIVACY CHARTER COUNCIL

Privacy from unwarranted surveillance is a basic human right. Unwanted surveillance can resultfrom the collection, collation, exchange and use of personal information and from the powerful newvisual, communication and information processing technologies, like CCTV, Smart Cards.Miniaturisation of visual and audio equipment makes surveillance invisible. The convergence oftechnologies means that information, whether held as hard copy or in electronic form (as forexample, film, voice recordings, computerised data, "documents" scanned into electronic format)can be integrated cheaply are making increased surveillance of individuals very easy.

The Australia Privacy Charter Council, a group of 25 citizens representing the business, academic,legal, information technology, and health communities, consumer and privacy advocates, the mediaand politicians was formed in 1992 under the Chairmanship of Justice Kirby, AC. CMG, Presidentof the NSW Court of Appeal to developed a Privacy Charter. The draft Australian Privacy Charterwhich was circulated widely nationally and internationally for comment was launched on 5December, 1994.

The goal of the Charter is to establish permanent change in the practices and processes that deliverprivacy protection for individuals. The Charter (a copy of which is attached) comprises eighteenprinciples that encompass and apply to:• all forms of privacy and surveillance• private and public sector users and clients.

The Charter aims to provide:• guidance for individuals in relation to increasing the awareness of surveillance and in

understanding the concepts involved in rights to Privacy• assistance to individuals in articulating their own rights to Privacy

• a benchmark model for the assessment of organisational practices and procedures in the privateand public sectors, development of legislation and regulation and for the assessment oftechnology prior to its implementation.

Since the launch the Charter has been promoted by the Australian Privacy Charter Council. It has

been well received by the business community as well as government organisations and private

citizens.

Privacy has become an issue for public and private sector organisations due largely to citizenconcern about the infringement on their lives of information technology used for administrative,regulatory and security purposes. There is concern in the IT industry, that unless appropriatelegislative protection is enforced that public concern will hamper the develop of electroniccommerce.

The Australian Privacy Charter Council welcomes the Queensland Parliamentary initiative and urgethat this discussion paper be a springboard for privacy legislation in your State. We are delighted tohave been invited to make submissions. We are available for further comment, if required.

2

2 GENERAL PRIVACY IMPLICATIONS OF THE DISCUSSION PAPER

The Australian Privacy Charter Council is concerned primarily about data and information that canbe related to a specific person which is "personally identifiable", and data which is considered as"personal data" under privacy legislation (ie. "Information about an individual whose identity isapparent from the information concerned, or whose identity can be reasonably ascertained from thatinformation"). Personally identifiable information held in the private and public sectors can beextremely sensitive and the consequences of misuse and inappropriate or wrongful disclosure can beseverely detrimental for the data subject. (The data subject is the person who is the subject of thedata or information.).

3 RESPONSE TO THE QUESTIONS RAISED IN THE ISSUES PAPER

General

1. Are there valid concerns relating to privacy protection which need to be addressed bylegislative andlor administrative action? If so, what particular concerns are most pressing?

The Australian Privacy Charter Council believes that it is essential for privacy protection to be

addressed by legislative action.

Valid concerns include:

• Use of outsourcing by government organisations, often to large multi-nationals which means thatpersonal data about Australians may be stored and processed overseas.

• "Function creep" (gradual extension of powers by organisations like AUSTRAC)

• Use of data warehousing by organisations (where large centralised databases are used to storecopious details of information about people and their transactions with different parts of

organisations).

• Use of "data matching" and "data mining" techniques where vast amounts of information iscompared and matched to provide "profiles" and "patterns".

• Use of computerised "profiles" (eg. by banks for assessing applications for loans) and the use ofartificial intelligence techniques to assess risks related to people and their behaviour.

• Electronic exchange of personal information among organisations.

• Multi-media (which combines different media, including film, sound, print, etc., into digitalform) have made surveillance a public issue.

• Security of information systems and of the personal information they hold

• Validity and integrity of information, particularly due to the risk of error and difficulty in havingdata corrected, even if the data subject knows that the information is inaccurate! It is almostimpossible for data subjects to know if the information held by organisations is correct or if,when combined with other data, provides an accurate view of behaviour.

As the power of computers increases and the integration of technology continues these concerns will

increase.


The Australian Privacy Charter Council does not believe that the current law is adequate. For

example:• The common law provides minimal and entirely unsatisfactory protection for privacy.

3

• Confidentiality and defamation laws may provide protection in some cases but it in incidentaland sometimes unhelpful ways.

• Freedom of Information legislation may provide modest protection.• Secrecy provisions may partially (but unsatisfactorily) address security issues• The Privacy Act 1988 may provide protection in relation to transactions that involves

Commonwealth agencies.

Threats to privacy continue to increase, and public concern is growing fast. There will be manydemands for specific protections in the future, in areas as diverse as Internet usage, licensing, streetsurveillance and employee surveillance. At least some of these demands will be politicallyirresistible.

To enable demands for specific privacy protections to be constructively addressed, it is critical that aprivacy-protective framework be established first. The Queensland Parliament's initiative istherefore very timely.

3. If not, how should the right to privacy be protected in Queensland? For example, should

Queensland introduce one or a combination of the following means of regulation: information

privacy principles (IPPs); a statutory tort of privacy; a privacy committee/privacy commissioner; or

some other means to protect privacy?

If the focus is on privacy in the broad sense (of the person, of personal behaviour, of personalcommunications, and of personal data), then a tort could be considered. However, almost allgovernments and parliaments have decided against this approach.

If the focus is on 'data protection' (i.e. personal communications and personal data), then thefollowing combination has been proven in many jurisdictions to be an effective approach:• Legislation covering the private and public sectors aimed to address privacy and surveillance

concerns of citizens and covering individuals and organisations located in and operating out ofQueensland.

• Legislated information privacy principles. The Commonwealth IPPs are one example but theseneed to be reviewed in order to increase their effectiveness and to address the new issues relatedto emerging technologies and their use in business and government. The Australian PrivacyCharter principles are designed to address these problems and to be incorporated into legislation.

• A 'watchdog' agency, with legislated powers, responsibilities and resources headed by a "PrivacyCommissioner"

• A code mechanism (typically in the form of a 'disallowable instrument' that can be tabled by thePrivacy Commissioner), such that specific activities, sectors or organisations can be the subjectto more detailed and operationally defined terms, appropriate to the particular area.

• A simple system of handling complaints to the Commission - based on that used for small claimsunder consumer legislation

• Penalties for non-compliance with the IPPs• A review procedure to assess the effectiveness of the legislation and procedures at the end of five

years.

There is a tendency in recent years to look favourably on the New Zealand model. A report isexpected to be published soon from the Victorian Government which is likely to be of considerableinterest to the Queensland Committee.

4



Commonwealth IPPs are not a satisfactory model and the OECD Principles need updating andextension. As stated, the Australian Privacy Charter Principles are designed to overcome theseissues. They are designed to include protection from surveillance. They are technology neutral andwill cover changes, developments and increased integration. We recommend that the Principles ofthe Australian Privacy Charter be used in the Queensland legislation.

5. Should IPPs be in the form of guidelines or legislation

The Australian Privacy Charter Council strongly recommends legislation. Self regulation has beenproven not be a sufficient mechanism to ensure protection. Organisation and industry sector codescan play a useful roles, provided that there are legislative sanctions in behind them administered byan independent body established under the legislation with the power to enforce compliance.


The Australian Privacy Charter Council believes that access should be on the same basis as that forthe Commonwealth Privacy Act.


The `costs' and `benefits' should not be defined in strictly financial terms. Social and communityfactors including quality of life must be considered. The costs of not implementing effective privacyprotection must be considered. For example, the opportunity costs of not complying with theEuropean Directive on trans-national data flows may be high.

Although some government agencies and some companies initially express dismay about 'thecompliance costs', a carefully designed scheme, with some limited transitional period, and parallelawareness and education programmes, has proven not to be a terribly serious imposition onorganisations' budgets. The additional costs on business are also not considered high. Adherence tothe Australian Privacy Charter Principles is adherence to quality information managementstrategies.

It is argued at http://www.anu.edu.au/people/Roger.Clarke/DV/PStrat.html that privacy is now astrategic factor for organisations in both the public and private sectors, and that appropriate privacy-sensitive statutes, policies and procedures are simply a cost of doing business.

8. If an office ofprivacy commissioner/committee is established:a. How should its independence be ensureb. Should the office be accountability to Parliament

Should the office be combined with that of the information commissioner or any other office

The independence should be ensure by a statutory appointment by an officer who would reportdirectly to the Parliament and be appointed for a set term. The role should not be combined withother roles in order to avoid any conflict on interest.

9. What functions should a privacy commissioner have?

5

The role is that of an ombudsman. In addition the privacy commissioner's powers should include:• investigation of complaints• imposition of penalties within the Act• audit to ensure recommendations have been implemented• advice to Parliament• education and advice to government and business organisations and individuals

10. What powers should the privacy commissioner have?

The powers include• fines in the form of compensation to complainants who have suffered loss as a result of actions

contravening the legislation• rectification (in case of wrong information),• reinstatement of rights• publication of the names of offenders if the Commissioner's findings are not implemented• audit.

The power to exercise coercive rights such as powers of access is not supported.

11. Would the costs associated with an office ofprivacy commissioner/committee outweigh thepublic benefit flowing from the establishment of such an office?

An office of the order of 10-15 people, with minimal formal requirements (and definitely nowasteful registration-of-personal-data-systems bureaucracy), including 2-3 senior executives, and asufficient administrative, training, consultancy support, and travel and communications budget, anda one-time provision for awareness and education, is not an expensive commitment, and is much-needed, if the technological challenges of the coming few years are to be confronted.



Both sectors involve substantial threats to privacy.

The original justification for public sector-only application was that government should get its ownhouse in order first, and gain experience before imposing responsibilities on business. The model isnow 25 years old, and a huge amount of experience exists.

In the absence of effective Commonwealth legislation, Queensland should prepare legislation tocover both sectors. It should be drafted in such a manner that the provisions regulating the privatesector are capable of withdrawal or recession in the event that the Commonwealth legislates in anappropriate manner.


The regulations should apply to all organisations including government owned corporations.


6

As stated above, the regulation should apply generally. Some specific provisions may beappropriate in relation to particular organisations of various kinds. These should, in general, becatered for through Codes. In a few cases it may be appropriate to address them in the legislation.

15. Would the costs associated with privacy regulation of:• the private sector• government owned corporations

• local government activities:


The Australian Privacy Charter Council has found that the experience with privacy regulation in theEuropean Community and in New Zealand supports the view that the public benefit of regulationsignificantly outweighs the cost..

16 If the private sector is not to be covered, how should privacy regulation apply to bodiesperforming services which the government has outsourced?

The private sectors must be covered directly, by the terms of the legislation; not merely by contract.Privity of contract has the effect of cutting people off from the protection and forcing them todepend on the agency prosecuting the terms of the contract.

17. Should there be co-operative arrangements between the states, territories andCommonwealth with respect the matters such as formal complaints regimes?

There arrangements would be developed as a part of normal inter- government negotiations

18. How should any privacy protection legislation interrelate with freedom of information

legislation? For example, should the access to, and amendment of, personal information be

regulated by a Privacy Act alone?

The appropriate course is to rescind the 'subject access' aspect of the Fol legislation, in favour of thecorresponding provisions of the Privacy Act.

Privacy and Fol must be remain separated. We are concerned about the complexities andambiguities that arise when the individual's right to privacy, including the rights to access andcorrect information are duplicated under legislation. We support the view of the Freedom ofInformation Review Committee's proposition that "the additional, privacy dimension of access toone's own personal information means this right should be stated independently of the general rightof access to government information."1 (P15)

19. What additional measures , if any, should be taken with respect to the 1995 EuropeanDirective and the OECD Cryptography Policy Guidelines

The legislation will need to meet the requirements of the Directive and guidelines.

Smart Cards and electronic banking

'REVIEW OF FREEDOM OF INFORMATION ACT - DISCUSSION PAPER 59, MAY 1995

7

20 How should smart cards be regulated?

There is need to co-ordinate protection related to smart cards with the Commonwealth and otherStates.

Smart cards should be covered under the legislation as one of the technologies that affect privacyand can be used for surveillance purposes. The Australian Privacy Charter Principles are designed tocover these risks related to the use of smart cards, while enabling the benefits to be utilised by thecard issuers and the community.

21 What form of regulation should be introduced with respect to the various types of electronicbanking and cash?

There is need to co-ordinate protection with the Commonwealth and other States. Any specialrequirements would be addressed via the use of codes backed by legislation.

22. What form of regulation should be introduced with respect to privacy issues arising in theareas of personal privacy, telemarketing, the work place, medical records and genetics?

The Australian Privacy Charter Principles incorporated into legislation should be applied to theseareas. Any special requirements would be addressed via the use of codes.

23. Generally, what should be done to ensure that the law keeps abreast with developments in

technology affecting individuals' privacy?

It is vital that the Privacy Commissioner have a research function, and that it be resourced. Thisinvolves a combination of some staff-posts and/or fractions of posts, together with a budget forconsultancy support on specific matters.

General Comments

A great deal of relevant source-material is available at:http://www.anu.edu.au/people/Roger.Clarke/DV/and at the Austlii site.

Members of the Australian Privacy Charter Council have expertise in various aspects of relevant toyour enquiry. Key members related to this submission are:Dr Roger Clarke , consultant and Visiting Fellow, Faculty of Engineering and InformationTechnology, The Australian National University, CanberraAssociate Professor Graham Greenleaf , School of Law, University of New South Wales, Sydney.

If you have any queries please contact me on telephone 02-93269430.

&ulie Cameron

Julie CameronVice President, Australian Privacy Charter Council

8

Australian PrivacyCharter Council

The AustralianPrivacy Charter

December 1994

PreambleThe meaning of 'privacy'

Australians value privacy. They expect that their rightsto privacy be recognised and protected.

People have a right to the privacy of their own body,private space, privacy of communications, informationprivacy (rights concerning information about a person),and freedom from surveillance.

'Privacy' is widely used to refer to a group of relatedrights which are accepted nationally and internationally.This Charter calls these rights 'privacy principles'.

Privacy Principles comprise both the rights that eachperson is entitled to expect and protect, and theobligations of organisations and others to respect thoserights.

Personal information is information about an identifiedperson, no matter how it is stored (eg sound, image,data, fingerprints).

Privacy is importantA free and democratic society requires respect for theautonomy of individuals, and limits on the power ofboth state and private organisations to intrude on thatautonomy.

Privacy is a value which underpins human dignity andother key values such as freedom of association andfreedom of speech.

Even those privacy protections and limitations onsurveillance that do exist are being progressivelyundermined by technological and administrativechanges. New forms of protection are thereforerequired.

Interferences with privacy must be justifiedPrivacy is a basic human right and the reasonableexpectation of every person. It should not be assumedthat a desire for privacy means that a person has`something to hide'. People who wish to protect theirprivacy should not be required to justify their desire todo so.

The maintenance of other social interests (public andprivate) justifies some interferences with privacy andexceptions to these Principles. The onus is on thosewho wish to interfere with privacy to justify doingso. The Charter does not attempt to specify wherethis may occur.

Aim of the principlesThe following Privacy Principles are a generalstatement of the privacy protection that Australiansshould expect to see observed by both the public andprivate sectors. They are intended to act as abenchmark against which the practices of businessand government, and the adequacy of legislation andcodes, may be measured. They inform Australians ofthe privacy rights that they are entitled to expect,and should observe.

The Privacy Charter does not attempt to specify theappropriate means of ensuring implementation andobservance of the Privacy Principles. It does requirethat their observance be supported by appropriatemeans, and that appropriate redress be provided forbreaches.

Privacy Principles1. Justification & exceptions

Technologies, administrative systems, commercialservices or individual activities with potential tointerfere with privacy should not be used orintroduced unless the public interest in so doingoutweighs any consequent dangers to privacy.

Exceptions to the Principles should be clearly stated,made in accordance with law, proportional to thenecessities giving rise to the exception, andcompatible with the requirements of a democraticsociety.

2. ConsentIndividual consent justifies exceptions to somePrivacy Principles. However, 'consent' ismeaningless if people are not given full informationor have no option but to consent in order to obtain abenefit or service. People have the right to withdrawtheir consent.

In exceptional situations the use or establishment ofa technology or personal data system may be againstthe public interest even if it is with the consent ofthe individuals concerned.

3. AccountabilityAn organisation is accountable for its compliancewith these Principles. An identifiable person shouldbe responsible for ensuring that the organisationcomplies with each Principle.

4. ObservanceEach Principle should be supported by necessary andsufficient measures (legal, administrative orcommercial) to ensure its full observance, and toprovide adequate redress for any interferences withprivacy resulting from its breach.

5. OpennessThere should be a policy of openness about theexistence and operation of technologies, administrativesystems, services or activities with potential to interferewith privacy.

Openness is needed to facilitate public participation inassessing justifications for technologies, systems orservices; to identify purposes of collection; to facilitateaccess and correction by the individual concerned; andto assist in ensuring the Principles are observed.

6. Freedom from surveillancePeople have a right to conduct their affairs free fromsurveillance or fear of surveillance. `Surveillance'means the systematic observation or recording of one ormore people's behaviour, communications, or personalinformation.

7. Privacy of communicationsPeople who wish to communicate privately, bywhatever means, are entitled to respect for privacy, evenwhen communicating in otherwise public places.

8. Private spacePeople have a right to private space in which to conducttheir personal affairs. This right applies not only in aperson's home, but also, to varying degrees, in the work-place, the use of recreational facilities and publicplaces.

9. Physical privacyInterferences with a person's privacy such as searches ofa person, monitoring of a person's characteristics orbehaviour through bodily samples, physical orpsychological measurement, are repugnant and require avery high degree of justification.

10. Anonymous transactionsPeople should have the option of not identifyingthemselves when entering transactions.

11. Collection limitationThe minimum amount of personal information shouldbe collected, by lawful and fair means, and for a lawfuland precise purpose specified at the time of collection.Collection should not be surreptitious. Collectionshould be from the person concerned, if practicable.

At the time of collection, personal information shouldbe relevant to the purpose of collection, accurate,complete and up-to-date.

12. Information qualityPersonal information should be relevant to eachpurpose for which it is used or disclosed, and shouldbe accurate, complete and up-to-date at that time.

13. Access and correctionPeople should have a right to access personalinformation about themselves, and to obtaincorrections to ensure its information quality.

Organisations should take reasonable measures tomake people aware of the existence of personalinformation held about them, the purposes for whichit is held, any legal authority under which it is held,and how it can be accessed and corrected.

14. SecurityPersonal information should be protected by securitysafeguards commensurate with its sensitivity, andadequate to ensure compliance with these Principles.

15. Use & disclosure limitationsPersonal information should only be used, ordisclosed, for the purposes specified at the time ofcollection, except if used or disclosed for otherpurposes authorised by law or with the meaningfulconsent of the person concerned.

16. Retention limitationPersonal information should be kept no longer thanis necessary for its lawful uses, and should then bedestroyed or made anonymous.

17. Public registersWhere personal information is collected underlegislation and public access is allowed, thesePrinciples still apply except to the extent required forthe purpose for which public access is allowed.

18. No disadvantagePeople should not have to pay in order to exercisetheir rights of privacy described in this Charter(subject to any justifiable exceptions), nor be deniedgoods or services or offered them on a lesspreferential basis. The provision of reasonablefacilities for the exercise of privacy rights should bea normal operating cost.

Australian Privacy Charter CouncilFaculty of Law

University of New South Wales

c! P.O. Box R507 Royal Exchange

Svdney,NSW 2000

Fax: +61 2 262 355 3

ACCQUEENSLAND CHAMBEROE COMMERCE AND INDUSTRY

Queensland Chamber of Commerce and Industry Limited

A.C.N. 009 662 060

Industry House

375 Wickham Terrace

Brisbane Qtd 4000

Administration/General: (07) 3842 2244

Business Advice Line: (07) 3842 2222

Event Registration: (07) 3842 2233

Facsimile: (07) 3832 3195

Email: [email protected]

URL: http://www.qcci.com.au

LEGAL CONS'UTIONAL ANDADMINISTRATIVE REVIEW COMMITTEE

30 JUL 1997

30 July 1997

Mr John McCraeResearch DirectorLegal, Constitutional and Administrative Review CommitteeParliament HouseBRISBANE Qld 4000

Dear Mr McCrae,

RE: PRIVACY IN QUEENSLAND

Please find attached the Chamber's responses to the Committee's call for submissions onthis topic. Authorisation is by way of Board approval.

As this matter is of critical importance to our members permission is requested to allowthe Chamber to communicate the content of the submission to them immediately,including placing the submission on our internet web site.

If there are any matters on which you may require clarification please do not hesitate to

contact me.

Yours sincerely

CLIVE BUGeneral Manager

Incorporating the Queensland Confederation of Industry , Queensland Chamber of Manufactures, Queensland Employers Federation,

State Chamber of Commerce and Industry, Brisbane Chamber of Commerce. Registered as an "Industrial Organisation of Employers"

SUBMISSION BY THE

QUEENSLAND CHAMBER OF COMMERCE AND INDUSTRY

TO THE

LEGAL , CONSTITUTIONAL AND ADMINISTRATIVE REVIEW COM IITI'EE

OF THE

LEGISLATIVE ASSEMBLY OF QUEENSLAND

IN REGARD TO


BRISBANE

30 JULY 1997

1

1.0 IN'T'RODUCTION

This paper has been prepared to assist the deliberations of the Legal , Constitutional andAdministrative Review Committee (LCARC) of the Queensland Legislative Assembly followingits public request on 16 May 1997 for submissions on the general issue of privacy inQueensland.

The Chamber has taken note of comments contained within the Committee's Issues Paper No. 2of May 1997 and will specifically address issues as set out on pages ten and eleven of the paper.In particular it has been noted that the establishment of an independent privacy commissionerwas coalition policy during the last election campaign.

2.0 ACTIVITIES IN OTHER JURISDICTIONS

A large amount of information is contained in Issues Paper No 2, however the following isincluded in order to indicate the understanding of the Chamber as to the latest informationavailable.

2.1 Commonwealth Government

The Commonwealth Government, through the Attorney General's Department, issued adiscussion paper titled "Privacy Protection in the Private Sector" in September 1996. Theapproach adopted was "co-regulatory" involving "the application of statutory InformationPrivacy Principles (IPPs) to the collection, storage and security, individual access andcorrection, use and disclosure of personal information and provision for the development ofCodes of Practice based on the IPPs to provide a level of flexibility in their application to theprivate sector".

The paper also suggested that the functions and powers of the office of the CommonwealthPrivacy Commissioner be expanded and organisations appoint a "privacy officer". All actionswere to be subject to investigation by the Privacy Commissioner. Significant civil penalties werealso suggested.

Following complaints by the Australian Chamber of Commerce and Industry (ACCI) and otherprivate sector bodies about the draconian nature and high cost of this approach, theCommonwealth Government recently announced that it does not intend to introduce laws toprotect the privacy of personal information held by businesses about their customers andemployees . Current legislation protects personal information held by the Commonwealth andACT governments , and credit reporting and tax file number information.

The Attorney General stated in a speech given to the Banking Law & Practice Conference inSydney on 22 May 1997 that the Commonwealth Government will legislate to extend theapplication of the Privacy Act to cover contractors supplying services to government in relationto personal information held on behalf of government. A copy of the relevant speech isattached.

2

Consultation between the Commonwealth Government's Privacy Commissioner and majorindustry groups concerning a model voluntary privacy code is expected to take place in comingmonths. It should be noted that some groups already have their own codes of practice/conduct.

2.2 Victorian Government

It is understood that the Victorian Government is working with the Commonwealth Governmentand its Privacy Commissioner, towards a national voluntary approach to data protection based,at least initially, on voluntary code/s, but will ensure that any regime will be effective inmaintaining international data flows.

2.3 Queensland Government

The Queensland Government was reported by the Commonwealth Attorney General on 22 May1997 in the speech as indicated previously as agreeing not to introduce privacy legislation in thisstate. The Northern Territory was also reported as agreeing to the same.

3.0 ROLE OF THE COMMONWEALTH GOVERNMENT'S PRIVACYCOMMISSIONER

It has been noted that the Commonwealth Government's Privacy Commissioner, Moira Scollay,in a background information paper dated April 1997 stated "protecting privacy is more thanguaranteeing confidentiality. The aim of privacy protection in Australia should be to ensure thatindividuals are informed about what is happening to their information, and are able toparticipate in decisions about what is collected, who collects it, and why." She went on to saythat " fair and responsible handling of personal information means:-

* Collecting only information necessary for specified purposes;

* Informing people about why their personal information is being collected and what it is to beused for;

* Allowing people to access information about them which has been collected, and to correct itif it is inaccurate or out-of-date;

* Making sure that the information is securely held and cannot be tampered with, stolen orimproperly used; and

* Limiting the use and disclosure of personal information for other purposes without the consentof the person affected. "

This statement by the Commissioner appears to be a summary of the eleven Information PrivacyPrinciples (IPPs) of the OECD detailed in the issues paper section 4.1, (The Commonwealth,page three) which must be complied with by Commonwealth Government departments andagencies.

3

4.0 CONTROLLING TIIE PROLIFERATION OF "RED TAPE"

Any inquiry into privacy must take account of the possible impacts of any decision to increaseregulation. Along with inquiry into the issues, consideration of proposed processes must includethe capacity of any new regulations to generate "red tape".

Business has realised for many years that the generation of "red tape" must be controlled. Onemechanism which is operational world wide is cost benefit analysis, with the system introducedinto Queensland some years ago titled "Regulatory Impact Statements" (RIS). Unfortunatelystatistics show that no real effort has been made to ensure that compliance by departments andagencies is achieved in Queensland (compliance 0.5 %). No real alternative to an RIS ispresently known to the Chamber.

Another process is the "sunset clause". Again this has not been pursued with vigour inQueensland.

A further system is the formation of a dedicated task force to advise government. In Queenslandthis is the present "Red Tape Reduction Task Force". Task forces of this nature do not operateon a continuous basis generally being terminated at the conclusion of their deliberations.

The Scrutiny of Legislation Committee of the Queensland Parliament regularly reports on theway regulatory impact systems are operating in its jurisdiction. Despite repeated comments onthe need for better process as regards RIS no real results have been forthcoming.

Clearly Queensland has available to it established processes to control the proliferation of "redtape" and generate reform however the track record in achieving results is not great.Nevertheless any new privacy legislation and associated regulations would need to be tested forcosts and benefits and results made available publicly to allow informed debate.

Reform strategies at the Commonwealth level detailed in the 24 March 1997 report titled" More Time for Business" included many matters relating to regulatory impact statements,sunset clauses, training of public servants and the development of performance indicators tomeasure the impact of regulatory activities on small business suggesting that these methods arecurrently the best ones available.

Some eighteen OECD countries are also using regulatory impact analysis to assess regulationsmore carefully. Reference should be made to the Report to OECD Ministers on RegulatoryReform April 1997.

5.0 REGULATORY MODELS

All levels of government now accept that legislation should not restrict competition unless it canbe demonstrated to confer net benefits to the community. Though this is the stated aim,regulation and "red tape" continues to grow. A number of types of regulatory models are asfollows:-

(1) Self Regulation is where there is no government intervention. It may be based on an

4

industry code of practice or similar. There are no penalties other than what the market canprovide.

There are a number of self-regulatory systems of this type operational in Australia generallyinvolving references by complainants to an "ombudsman" at arms length from the industry. Theombudsman is funded entirely by the industry with control by an industry board and a councilwith public representation. The structure can be a company under the Australian SecuritiesCommission with specific terms of reference and annual reporting requirements. This is arelatively new type of structure but has been implemented in a number of areas. Furthercomments are made later in this paper.

(2) Co-regulation which is direct regulation by industry associations or other groups combinedwith government oversight or ratification has been a fact of life in many jurisdictions for manyyears. Associations under this model are generally not in a position to write as well as interpretthe rules, however members have a better knowledge of the quality of services provided and caneasily detect breaches of compliance. Control of service quality is generally very good.

(3) Mandatory standards and Codes of Conduct/Practice are other mechanisms which are oftenused to ensure compliance. Other like models include negotiated rule making where eachbusiness would write its own rules with enforcement by the firm's independent "inspectorate"followed up by government audits.

(4) Other examples are "merit exemptions" where firms with a proven best practice record areexempted from regulatory practice. Alternatively there may be an "operating agreement"between companies and regulators with each agreement having a set of core principles.

(5) Another system is one of "composite licences" (or common licences) which incorporate theessential elements of a number of existing licences. This reduces compliance costs and mayinclude extension of the duration of licences so that renewal is needed less frequently. It hasbeen stated that Commonwealth , State and Territory governments, over the next four years, willbe reducing a range of licences into common licences.

(6) Negative licensing where an individual or business is permitted to undertake a commercialactivity without any test of competence, allows public resources which are devoted to handling,notification and prior approval under a licensing system to be redirected to enforcement of thestandard. It retains the flexibility of accreditation.

Sources of information on this topic include the Office of Regulation Reform of the VictorianGovernment and the May 1997 publication of the Law Reform Committee of the Parliament ofVictoria titled " Regulatory Efficiency Legislation", "More Time for Business" published on 24March 1997 by the Commonwealth Government, and the publication "Regulatory ReformGuidelines" of the ACT, July 1996. A paper on Incentive Licensing was also put forward inJune 1997 by the Ministerial Advisory Committee to the Minister for Environment,Queensland.

5

6.0 SELF REGULATION

All of the above models except the first mentioned, self regulation, have inherent inflexibility,high costs of administration and compliance. They can also result in loss of competition.

Self regulation by industry and commerce together with self regulatory dispute resolutionprocedures is accepted as the best methodology by the Chamber.

The Issues paper stated on page 6 that:-

"whilst the advantages of self-regulated industry or sector-specific codes include flexibility,opportunity for community consultation, government involvement and constant review, againthe major disadvantage lies in their ability to be enforced".

The latter comments on enforcement are considered by the Chamber to be very negative. Therecord shows that industry and commerce generally is making every attempt to improveprocesses of consultation with clients without any compulsion from government due particularlyto the need to maintain and/or increase market share and maximise sales. The successfulexamples of self regulation are those with a clear focus and industry commitment andsupervision involving industry association particularly.

7.0 DISPUTE RESOLUTION

A number of self regulatory dispute resolution systems have been developed by various sectorsincluding the banking industry, through the Australian Banking Industry Ombudsman, theinsurance industry through the General Insurance Enquiries and Complaints Scheme and manyothers detailed by the Federal Bureau of Consumer Affairs. Please see material attached.

These models have the advantage of being the first line of contact for clients seekinginformation. They have a long history of very effective work, have taken responsibility andhave enabled the individual in many cases a free dispute resolution service. The filtering andearly settlement of complaints has also assisted the Courts, though recourse there is stillavailable.

8.0 COMMENTS ON SPECIFIC ISSUES RAISED

Comments on the issues as identified by the Committee are as follows:-

ISSUE No 1 : Are there valid concerns relating to privacy protection which need to beaddressed by legislative and/or administrative action? If so, what particular concerns aremost pressing?

Response: As the issues paper shows, the matter of privacy is multi-faceted includinginformation, impacts of new technology on all areas of business, new services such astelemarketing and direct marketing, surveillance, medical testing to establish proneness ofindividuals to disease regimes and the need to harmonise our arrangements with overseasjurisdictions.

6

These issues are becoming more important as we become more integrated into the globaleconomy, technology becomes more sophisticated, the ability to manipulate data bases becomesmore efficient and we become more reliant on computer systems to progress business.Nevertheless, the proposed heavy handed "government knows best" approach has been rejectedby the Commonwealth Government. It has decided that it would not be implementing privacylegislation for the private sector but would be assisting business in the development of voluntarycodes of conduct.

The Chamber understands that there are many in-principle reasons why privacy risks are likelyto be increasing, but considers that there are no valid concerns which need to be addressed bylegislative and /or administrative action. In particular in view of developments in the nationaland international arena, there is no reason for Queensland to become involved in new legislativeor administrative arrangements. In addition the Chamber is unaware of any analysis of practicalsituations which would lead it to change its position.

ISSUE NO 2 : Is the current law in Queensland adequate with respect to privacyprotection?

Response: Until some incontrovertible evidence emerges to the contrary, QCCI considers thatthe current law is adequate.

ISSUE NO 3 : If not , how should the right to privacy be protected in Queensland? Forexample, should Queensland introduce one or a combination of the following means ofregulation : information privacy principles (IPPs); a statutory tort of privacy ; a privacycommittee/privacy commissioner; or some other means to protect privacy?

Response: As a matter of principle QCCI supports the concept of privacy protection but doesnot agree that the best way to achieve this goal is by way of legislation and associated statutoryprinciples. The position of the Chamber is that all levels of government must minimiseregulatory compliance costs as a matter of principle in efforts to ensure the internationalcompetitiveness of our industry and commerce. Queensland particularly with its largeconcentration of small to medium enterprises is particularly vulnerable to arbitrary regulationwhere no test of costs or benefits are made.

As you are aware the Chamber has been assisting the Queensland Government in its efforts tominimise "red tape" through membership of the Red Tape Reduction Task Force and any moveto introduce another unnecessary layer of legislation and regulation to the day to day operationsof business is not considered appropriate. Other mechanisms are available which can moreeffectively achieve any desire to protect the right to privacy.

The Chamber is aware of the pre-election commitment of the Queensland Government toappoint a privacy commissioner. This person could act as the focus for voluntary codeimplementation together with an industry based self regulated disputes resolution mechanism.The Commissioner could also be the focus for facilitation of simple voluntary guidelines("do's and dont's") to be issued by industry associations.

7

The activities of the office would probably complement those of the present CommonwealthPrivacy Commissioner. Business does not want the formation of a number of different regimeswith their multiplicity of different rules, regulations and compliance procedures.

9.0 OPTION - INFORMATION PRIVACY PRINCIPLES

ISSUE 4: If IPPs are introduced what should they provide?

Response: Information Privacy Principles (IIPs) guidelines, if introduced, could stipulatestandards for the collection, storage, access, use and disclosure of personal information asindicated in Issues Paper No.2. They must however only be developed in conjunction with theprivate sector with emphasis on harmonisation of requirements as between jurisdictions,including those overseas.

ISSUE 5: Should IPPs be in the form of guidelines or legislation?

Response: The Chamber states categorically that IPPs should only be based on guidelines andthat there be no legislative base.

ISSUE 6: Should individuals have to pay (a reasonable amount ) to exercise their right toprivacy?

Response: There should be no mandatory requirement for business to charge for the supply ofinformation to individuals, but business should be authorised to charge reasonable fees formalting information available to individuals. This would allow the processing of requests wherecosts of processing are quite high.

ISSUE 7: Would the costs associated with IPPs outweigh the public benefit flowing fromtheir implementation?

Response: IPPs will certainly increase compliance costs for business but if they are developedand administered in an appropriate way, then costs should be minimal and public benefit shouldbe high. Any deviation from the voluntary code of conduct/practice model would be resisted bythe Chamber, particularly for small to medium sized businesses.

8

10.0 OPTION - A PRIVACY COMMISSIONER/PRIVACY COMML IT EE

ISSUE 8: If an office of privacy commissioner/committee is established :

* how should its independence be ensured;

* should the office be accountable to the Parliament, for example via a parliamentarycommittee with perhaps responsibilities in relation to matters such as appointments,suspensions , budgets and strategic reviews); and

* should the office be combined with that of the Information Commissioner or any otheroffice?

Response: (1) . The appointment of a Privacy Commissioner should not be associated with theestablishment of a large bureaucracy. Any attempt to create a new bureaucracy to service thearea would be strongly resisted by the Chamber.

(2) The independence of the privacy commissioner could be assured by implementing the modelof the Australian Banldng Industry Ombudsman (ABIO) ie through the establishment of aseparate "ACN" company with specific "Terms of Reference". See attached. Other similarmodels are listed by the Federal Bureau of Consumer Affairs in its Directory of ConsumerDispute Resolution Schemes and Complaint Handling Organisations. See attached.

(3) Funding of the ABIO is through fees paid by members. An annual report is prepared and isavailable publicly. The privacy commissioner's operations could be funded through a return of acertain amount of money paid by business for registration of identifiers ie business names andACN numbers.

(4) Final responsibility for funding and other arrangements should lie within the portfolio of theQueensland Minister for Tourism, Small Business and Industry with the Commissionerreporting annually to the Minister. Similarly other consumer matters should be centralisedwithin that portfolio.

(2) "Freedom of Information" (FOI) is a concept that is currently legislatively restricted to thepublic sector. Following a major inquiry by the Australian Law Reform Commission someyears ago it was decided by the Commonwealth Government that this requirement was notappropriate for the private sector. Any linking of FOI with the privacy debate would be stronglyresisted by the Chamber.

ISSUE 9: What functions should a privacy committee /commissioner have?

Response: The Chamber does not consider that the privacy committee model is appropriate. Themain function of any privacy commissioner should be to facilitate self regulation throughindustry codes of conduct/practice and ensure that they are in place in the various industries.The commissioner should also ensure that private self regulatory dispute resolution mechanismsare in place where necessary. This gives the commissioner a facilitatory role as against anoperational role. This "facilitatory role" is one that should permeate all actions of government in

9

the future as stated frequently by the Chamber.

ISSUE 10: What powers should a privacy committee /commissioner have? For example,should these include the power to:

* enforce IPPs through sanctions such as fine or disciplinary action; and

* exercise coercive powers such as powers of access?

Response: The Privacy Commissioner should have the power to:-

* facilitate the development of capability within industry to establish industry based selfregulatory codes of conduct/practice in order to assist the interface between business and clients;

* ensure that adequate and appropriate self regulatory dispute resolution mechanisms areestablished under the auspices of industry associations;

* administer voluntary Information Privacy Principles (llPs) developed in conjunction with theprivate sector with emphasis on harmonisation of requirements as between jurisdictions.

Access to business records is available to numerous bodies already and any extension of thesepowers would be resisted. It is not considered that any need would exist for access. It is alsoconsidered that it is inappropriate for another body of bureaucracy to be authorised for access.

ISSUE 11: Would the costs associated with an office of privacy commissioner/committeeoutweigh the public benefit flowing from the establishment of such an office?

Response: The Chamber is concerned that costs will outweigh benefits. No strong case has yetbeen seen by the Chamber for the implementation of privacy legislation in Queensland. Theappointment of a privacy commissioner in the way and with the responsibilities indicated wouldresult in a lean operation. If any new system is not set up in the way suggested then costs couldescalate dramatically with the cost/benefits ratio becoming rapidly skewed.

11.0 SCOPE OF THE PRIVACY REGIME

ISSUE 12: Should privacy regulation apply to the private sector as well as the publicsector?

Response: No. The considered response of the private sector to the 1996 discussion paper of theCommonwealth Government as indicated previously should be noted. The methodology of selfregulation with codes of conduct/ practice under industry association supervision shouldaccommodate all parties and make further legislation/regulation unnecessary.

10

ISSUE 13: Should privacy regulation apply to government owned corporations?

Response: No. Under Competition Policy rules these bodies are becoming more closely alignedto private sector operational bodies and any attempt to stifle their development and laterprivatisation should not be progressed.

Where however the corporation's activities link back to government then regulation shouldapply as in the public sector.

ISSUE 14: Should privacy regulation apply to local government activities?

Response: Yes - in line with other government jurisdictions.

ISSUE 15: Would the costs associated with privacy regulation of:

- the private sector

- government owned corporations

- local government activities;


Response: (1) The matter of costs and public benefits have been canvassed in issue No.11 andcomments made.

(2) Comments under Issue 13 above detail the position of the Chamber as regards GOE's.

(3) Local Government is emerging as a major force in the day to day activities of business inAustralia. It should be treated no differently to other levels of government on this issue. Nocomment can be made as to cost/benefits.

ISSUE 16: If the private sector is not to be covered, how should privacy regulation applyto bodies performing services which the government has outsourced?

Response: Outsourcing carried out by the private sector for governments is a major businessactivity in Australia, but again self regulatory codes of conduct/practice should apply otherwisenew regulations could result in no real economic gain being delivered through this mechanism.

ISSUE 17: Should there be co-operative arrangements between the states, territories andthe Commonwealth with respect to matters such as formal complaints regimes?

Response: There is no need for statutory co-operative arrangements. Harmonisation of anyarrangements under self regulatory codes of conduct/practice would be sought by business inorder to minimise compliance costs and assist uniformity. The matter of internationalharmonisation would also need to be addressed.

11

ISSUE 18: How should any privacy protection legislation interrelate with freedom ofinformation legislation? for example , should the access to, and amendment of, personalinformation be regulated by a Privacy Act alone?

Response: As indicated previously:-

(1) there is no need for further privacy legislation to be enacted to cover the private sector eitherat the state or national level;

(2) freedom of information (FOI) legislation is a separate issue and the requirement that FOI notapply to the private sector should stand.

ISSUE 19: What additional measures, if any, should be taken with respect to:

- the 1995 European Directive; and

- the OECD Cryptography Policy Guidelines?

Response: (1) It is understood that the 1995 EU Directive is not specific about the regulatoryregime for third countries, talks about "adequate" protection and contemplates contracts beingthe primary provision mechanism. Also individual countries must satisfy themselves on privacyissues, the EU as an entity only coming into the picture when a specific country so desires.

The Chamber believes that there is flexibility within the EU position concerning the 1995Directive. The assertions of certain parties about risks to trade with Europe through inaction isapparently not well based, however the Committee should take advice on this matter from theCommonwealth Government in the first instance. QCCI is being kept informed on this matterby the ACCI.

(2) The need for security in data transmissions is well recognised by business in this age of theinternet and global electronic commerce. Business will respond to needs in this area in acommercial manner. There is no need for government interference. It is likely to be counter-productive.

12.0 SMART CARDS AND ELECTRONIC BANKING

ISSUE 20: How should smart cards be regulated? For example , by national legislation,state legislation or industry codes?

Response: Smart cards are an example of new technology that is designed to give better andmore efficient service to a client base, in this case predominantly in the financial sector. As theyare capable of being multi-function covering not only finance but other personal or businessinformation, they are expected by many to raise new privacy concerns over time, however theChamber considers that smart cards would not significantly degrade current levels of privacyprotection.

On the finance side the Chamber considers that the existing methods of privacy protection are

12

adequate for the present financial system. There may be a need however to look at new uses andprotections at the appropriate time. The borderless nature of the device suggests that anational/international approach would need to be adopted.

The Chamber considers that there is no need for Queensland legislation implementingenforceable privacy standards for smart cards as a legislative response has not been necessaryfor current arrangements. The suggested self regulatory industry code of conduct is appropriatewith monitoring by a body such as the Reserve Bank of Australia as recommended in the 1995NSW Privacy Committee's report.

ISSUE 21: What form of regulation should be introduced with respect to the various typesof electronic banking and cash (not including those systems which use smart cards)?

Response: This is taken to refer to internet digi-cash or credit by way of the usual credit card.As mentioned previously industry itself has a vested interest in ensuring the safety of themedium and necessary encryption and other safeguards are being implemented as a matter ofurgency.

13.0 OTHER PRIVACY CONCERNS

ISSUE 22: What form of regulation should be introduced with respect to privacy issuesarising in the areas of:

* personal privacy , including surveillance (visual and listening) both in public and privateplaces;

* telemarketing and direct marketing;

* the workplace;

* medical records, including access; and

* genetics?

Response: These are very specific issues and are mostly covered by existing legislation and caselaw.

* The Issues Paper indicates on page two that the Invasion of Privacy Act 1971 generally makesit an offence to use a listening device to record or listen to a private conversation or publish anyprivate communication which has been overheard or listened to unlawfully.

Law and order issues are currently being progressed by way of extensive monitoring of publicplaces. Business also uses security cameras eg in casinos and their use should not be restricted,otherwise criminal activity could increase.

13

* Telemarketing is an area of growth but new technology such as the internet is expected to seethis activity decline in importance. Federal laws also apply.

* Aspects of employment records are currently covered by either Federal or State legislation. InQueensland the Workplace Relations Act 1997 and regulations is the specific legislation dealingwith employers' obligations to maintain time and wages records.

QCCI considers that employment records are maintained to protect both the interests of bothemployers and employees in the employment relationship. The common law imposes a duty ofconfidentiality with respect to employees' records. Limited use and dissemination ofinformation is controlled by the legislation. Therefore this area should be exempted frominclusion in this debate. Records to be excluded would include records or informationmaintained in connection with the payment of (1) wages (2) PAYE taxation (3) superannuationguarantee levy and (4) commencement or termination of an employee.

There is also a concern that the custom and value of references may well suffer if privacyprovisions applied.

A practical approach for the bulk of businesses could be to have simple voluntary guidelines(do's and dont's) issued to them by industry associations. Persons feeling aggrieved in relationto the use of personal information about them would be advised that they could seek redressfrom an independent mediator.

* Genetics is an emerging science. Privacy and ownership of your genetic material (DNA) hasnot yet been adequately addressed for the individual eg your DNA could be used by laboratoriesor genetic engineers to enhance the capability of another person. This has already been donewith animals. This aspect is more important than the privacy issue as regards genetic testing. Itis suggested that the matter of genetics, including privacy, could be the subject of a nationalinquiry.

ISSUE 23: Generally, what should be done to ensure that the law keeps abreast withdevelopments in technology affecting individual 's privacy?

Response: It has been established at the federal level that there is no present need to pushforward with new privacy legislation/regulation. The self regulatory mechanisms assisted byinput and advice from industry associations put forward by the Chamber in association withcurrent laws should be adequate for the immediate future. It is thus the responsibility of lawmakers to monitor developments in technology and liaise with industry in order to gainknowledge this rapidly changing area.

14

14.0 CONCLUSIONS

QCCI wishes it to be placed on record that:-

(1) The private sector does not support the introduction of further privacy legislation by theQueensland Parliament designed to impact on the private sector. Already there are private sectordriven models that are successfully addressing similar issues;

(2) The use of voluntary industry codes of conduct/practice and self regulatory disputeresolution mechanisms is an acceptable response by business to any concerns;

(3) No objection is raised to the appointment of a Privacy Commissioner to assist thedevelopment of capability within the private sector to respond to privacy issues;

(4) The 1995 EU privacy directive is not the imperative said to be stated by various parties;

(5) When considering this issue the demand by business that unnecessary "red tape" beeliminated should be given top priority.

Ss 4

5 August, 1997

The Research DirectorLegal , Constitutional and Administrative

Review CommitteeParliament HouseBRISBANE QLD 4000

Dear Sir

PRIVACY IN QUEENSLAND - Issues Paper No. 2

The Institute ofChartered Accountantsin Australia

The Institute of Chartered Accountants in Australia welcomes the opportunity to commenton the matters raised in the Issues Paper, "Privacy in Queensland", produced by the Legal,Constitutional and Administrative Review Committee of the Queensland LegislativeAssembly.

1. The Institute

The Institute of Chartered Accountants in Australia (ICAA) is the professional bodyrepresenting chartered accountants. Membership of the Institute numbers 29,000nationally , with 3, 400 of those members in Queensland . Accountants are regarded asthe principal advisers to small-medium enterprises) (SMEs ) which are likely to be thesector most affected by any extension of privacy legislation or regulation.

2. General

As a general principle , the ICAA does not favour the application of prescriptive , "blackletter" law as a method of regulating the collection , storage , access to , and use ofpersonal information . The Issues Paper identifies smart cards and associatedtechnology , personal surveillance , telemarketing , the workplace , medical records andgenetics as just some areas where privacy concerns exist . An all-encompasing Act, oreven separate Acts, to regulate privacy across such a broad and disparate group ofactivities , is likely to be extremely complex and would present SMEs with considerabledifficulty in terms of understanding and compliance.

Many businesses of all sizes already have an acute appreciation of the need to treatinformation held about customers and employees in a highly confidential manner. Thisexists through a combination of commercial imperatives, existing legislation in certainareas, and the threat of legal action for defamation or breach of confidence.

I The Road to Recovery - Solutions for Small Business, ICAA 1993 andOpen For Business - White Paper on the Future Business Frameworkfor Australia's SMEs - ICAA 1996

1ST FLOOR TEL (07) 3221 5644200 MARY STREET FAX (07) 3221 0856

BRISBANE QLD 4000 DX 204 BRISBANE

GPO BOX 2054

BRISBANE QLD 4001

2

A frequently stated objective of federal and state governments, both past and present,is to reduce the regulatory burden on business owners and operators. In particular, wenote certain initiatives taken to give effect to this objective: the Small BusinessDeregulation Task Force (federal), Regulatory Impact Statements, the Red TapeReduction Task Force (state) and its predecessor, the Business Regulation ReviewUnit. The success of these initiatives in reducing the red tape burden on SMEs hasbeen mixed.

Privacy legislation would undoubtedly add to the regulatory burden on business and forthat reason alone, would be strongly opposed by businesses. Even with a cost/benefitanalysis favourable to business, it is likely to still attract significant opposition from thebusiness community. The major difficulty to overcome would be the strong perceptionthat SMEs were, again, being forced to undertake non-productive paperwork for thegovernment.

3. Response to Specific Issues in the Paper

3.1 Are there valid concerns relating to privacy protection which need to beaddressed by legislative and/or administrative action? If so, what particularconcerns are most pressing?

The ICAA recognises that security of personal information may be a growingconcern in the wider community. However, we do not consider these concernswould be best addressed by legislative/administrative action. Business shouldbe encouraged to adopt tighter privacy standards in relation to personal data asa sign of best practice. This could best be achieved through voluntary, self-regulatory schemes promoted by industry associations, with the backing andendorsement of government.

3.2 Is the current law in Queensland adequate with respect to privacy protection?

In the absence of any specific and identified deficiency in Queensland laws, theICAA regards the existing legislation as adequate. Tens of thousands oftransactions involving personal data occur daily, without any cause for concernin the minds of consumers. The number of cases where this data is used forunintended purposes, or to cause damage to a person's standing andreputation, is minute and is not a sufficient reason for specific legislation.

3.3 If not, how should the right to privacy be protected in Queensland? For example,should Queensland introduce one or more of a combination of the followingmeans of regulation: information privacy principles (IPPs), a statutory tort ofprivacy, a privacy committee/privacy commissioner, or some other means toprotect privacy?

The ICAA regards the present mechanisms to protect privacy of personal dataas adequate. Business should be encouraged to implement higher standards ofprivacy protection voluntarily and as a sign that the business strives to exceedthe expectations of customers and staff.

3.4 If IPPs are introduced, what should they provide?

If introduced in Queensland , IPPs must mirror those in the CommonwealthPrivacy Act 1988 , must not extend beyond the boundaries of these and must beintroduced in consultation with industry.

The Institute of Chartered Accountants : submission on Issues Paper "Privacy In Queensland"

3

3.5 Should IPPs be in the form of guidelines or legislation?

The ICAA states unequivocally that IPPs must be guidelines only.

3.6 Should individuals have to pay (a reasonable amount) to exercise their right toprivacy?

Business should be allowed to charge reasonable fees for the provision of datato individuals, since provision of such data would not be a normal part of thedaily routine of the business. As a parallel, the provision of documents underFreedom of Information laws generally attracts a charge.

3.7 Would the costs associated with IPPs outweigh the public benefit flowing fromtheir implementation?

If IPPs are introduced, they must be on a voluntary basis only and uniformacross Australia. There will be a cost for SMEs which choose to observe IPPsbut, if voluntary, then it is a conscious decision of the business owner. We re-state that there are no legitimate privacy concerns which might be responded toby implementing (compulsory) IPPs; the costs of this course of action could welloutweigh any benefits.

3.8 If an office of privacy commissioner is established:

• how should its independence be ensured,

• should the office be accountable to Parliament for example via aparliamentary committee with, perhaps, responsibilities in relation to matterssuch as appointments, suspensions, budgets and strategic reviews, and

• should the office be combined with that of the Information Commissioner orany other office?

A number of industry- based , voluntary schemes are operating in Australia wherethe "umpire" is an independent appointment. If an office of privacy commissioneris established in Queensland, these may well serve as a model . The role of aprivacy commissioner should be to assist in the development and introduction ofprivacy standards by industry and promotion of these standards as bestpractice.

The office of privacy commissioner should report to the minister holdingresponsibility for small business.

It would not be appropriate to combine the office of privacy commissioner withthat of Information Commissioner. A combined role would be viewed uneasily bybusiness.

3.9 What functions should a Privacy Commissioner have?

The prime role should be to encourage and facilitate the voluntaryimplementation of industry based codes, including dispute resolution schemes.

3.10 What powers should a privacy committee/commissioner have? For example,should these include the power to:

• enforce IPPs through sanctions such as a fine or disciplinary action,

The Institute of Chartered Accountants : submission on Issues Paper "Privacy In Queensland"

4


A comprehensive industry based code of practice should encompass standards,complaint procedures and dispute resolution mechanisms. It serves no-one'sinterests to have prescriptive, bureaucratic processes to follow when matterssuch as privacy are involved. Serious breaches of privacy are actionablethrough the legal system; minor breaches are best resolved speedily throughmediation. It is therefore considered that there is no need for a privacycommittee/commissioner to have the powers suggested above.

3.11 Would the costs associated with an office of privacy commissioner/ committeeoutweigh the public benefit flowing from the establishment of such an office?

A privacy commissioner/committee appointed with the prime purpose offostering industry based codes of practice would involve minimal costs. It isdifficult to measure or even contemplate how to measure the benefits whichmight flow to consumers, business or government beyond the public relationsvalue and a general raising of awareness of privacy issues.

3.12 Should privacy regulation apply to the private sector as well as the publicsector?

No. Commercial imperatives, existing legislation and the possibility of legalaction for defamation or breach of confidence already provide considerable"incentive" for the private sector to exercise due caution when gathering, storingand using personal information.

3.13 Should privacy regulation apply to government owned enterprises?

3.14 Should privacy regulation apply to local government activities?

Where GOEs and local authorities compete with the private sector, they shouldbe subject to the same laws and regulations.

3.15 Would the costs associated with privacy regulation of:

• the private sector,

• government owned corporations,

• local government activities,


Please refer to the comments under items 3.7 and 3.11 above.

3. 16 If the private sector is not to be covered, how should privacy regulation apply tobodies performing services which the government has outsourced?

This could be achieved through the industry-based, self regulatory codes ofpractice and through the terms of any contract drawn up between thegovernment and the private sector provider.

3.17 Should there be co-operative arrangements between the states, territories andcommonwealth with respect to matters such as formal complaints regimes?

Any government initiatives should, as a fundamental principle and as far as ispracticable, be uniform across all states, territories and the commonwealth. The

The Institute of Chartered Accountants: submission on Issues Paper "Privacy In Queensland"

5

"worst case" scenario should any action be taken with respect to privacylegislation/regulation governing the private sector, would be to have differentlaws in each jurisdiction.

3.18 How should privacy legislation interrelate with freedom of informationlegislation? For example, should the access to and amendment of, personalinformation be regulated by a Privacy Act alone?

To repeat our comment at item 3.2, there appears to be no identified need forthe introduction of privacy legislation covering the private sector, either by wayof separate Act or by amendment or extension of existing FOI legislation.Freedom of information legislation , and compliance with the spirit thereof, has acheckered history and should be disregarded as any sort of model for privacyregulation or enforcement.

3.19 What additional measures, if any, should be taken with respect to:

• the 1995 European Directive,

• the OECD Cryptology Policy Guidelines?

The ICAA is not in a position to comment in detail on these policies. However,we note a statement by the Federal Attorney-General (Australian FinancialReview, May 23, 1997) that the lack of privacy legislation in Australia coveringpersonal data would not affect trade with the European Union.

3.20 How should smart cards be regulated? For example, by national legislation,state legislation or industry codes?

Information gathered by smart cards is most likely to be used to improve levelsof service by the banks and card provider to their customers. It is inconceivablethat card providers would wish to share this commercially sensitive and valuableinformation with any other organisation.

Codes of practice/conduct already exist to cover "electronic funds transfer/pointof sale" (EFTPOS) transactions. Terms of conditions already exist to cover theuse of credit cards and ATM cards. Such codes and terms could easily beextended to cover data generated by the use of smart cards.

3.21 What form of regulation should be introduced with respect to the various typesof electronic banking and cash (not including those systems which use smartcards)?

Existing industry codes could, again , be extended to cover such applications.Measures to ensure the confidentiality of internet transactions have been, andare being, developed by a number of major companies in the banking and I.T.areas . We note that IBM among others, is already marketing its encryptionmethods for the internet as a point of difference with its competitors.

3.22 What form of regulation should be introduced with respect to privacy issuesarising in the areas of.

• personal privacy, including surveillance (visual and listening) both in publicand private places,

• telemarketing,


6-

• medical records including access, and

• genetics?

All-encompasing legislation which sought to extend privacy protection across allindustries and areas of personal activity would be horrendously complex. Whilethe central issue under examination is the collection, storage and use ofpersonal information, the ICAA believes that many concerns, such as thoseraised above, can be adequately dealt with within existing legislation and codesof practice. For example, the Invasion of Privacy Act deals with recording ofconversations; federal legislation exists to regulate recording of telephoneconversations; stalking legislation might be extended to cover personalsurveillance; the Australian Direct Marketing Association has a code of conductregarding telemarketing and direct marketing.

3.23 Generally, what needs to be done to ensure that the law keeps abreast withdevelopments in technology affecting individual's privacy?

The rapid pace of technological development is likely to outstrip the ability oflaws to keep pace. For this reason, the best approach would be to encouragethe development of voluntary, uniform privacy principles which set out standardsof data gathering, storage and security.

The Federal Government has determined not to proceed with privacy legislationfor the private sector, citing the burden of additional regulation and verymarginal cost/benefit outcomes. Instead, it has promoted the development ofuniform industry standards.

4. Conclusion

In conclusion, the ICAA would not support the introduction of specific legislation toregulate personal information gathered and held by the private sector. It would beviewed by SMEs as little more than another costly impost on their businesses,consuming valuable staff time. We urge the Committee to give serious consideration tothis "red tape" aspect when considering its recommendations.

If any action is contemplated, it must be industry-driven, must be voluntary and must beuniform across Australia. There are many examples of industry-driven programs whichare satisfactorily meeting the needs of both consumers and business. As a guide, werefer to the Directory of Consumer Dispute Resolution Schemes and ComplaintHandling Organisations published by the Federal Bureau of Consumer Affairs.

We thank the Committee for the opportunity to comment on this Paper.

Yours faithfully

I W Donaldson FCAState Chairman


Si1

i

LEGAL , CONSTITUTIONALANDC nr Bloomfield & Middle Sts

ADMINISTRATIVE REVIEW COMMITTEE Cleveland Old 4163

11 AUG 1991

Telephone (07) 3286 8686Facsimile (07) 3286 8765

8 August, 1997


I

PO Box 21Cleveland Old 4163

Your Ref:Our Ref:

File No: EXO8/002Contact: Jacqui Ooi

Dear Sir


Please find attached Redland Shire Council's submission with regards privacy inQueensland.

Thank you for the extension of time to make this submission.

Yours sincerely

HAYDENI-WWGHTCHIEF EX UTIVE OFFICER

Attach.

RedlandMWORRUM 8 August 1997

This submission has been prepared by Redland Shire Council in relation toprotection of privacy in Queensland.

GENERAL

1. Yes.

At present the major legislative issue relating to privacy for local governmentoccurs within the parameters of the Freedom of Information Act. Theproblem with this Act and possibly the proposed Privacy Act is the lack ofspecific criteria for what is termed "personal affairs". The current definition for"personal affairs" causes confusion. Therefore any proposed Privacy Actmust be prescriptive in what constitutes "personal affairs".

There is also a necessity to clarify what Acts take precedence in issuespertaining to privacy. For example acts such as :

Adoption of Childrens Act; Freedom of Information Act; Secrecy Act

2. No, definitely not.

The current law in Queensland does not adequately protect privacy. Theonus of protection and confidentiality of information acquired should be on therecipient of the information rather than the individual concerned having toprove privacy has been invaded. Thus the necessity to have clear andprescriptive guidelines on what constitutes "personal affairs" is paramount.

Throughout Australia there needs to be a consistent and cohesive lawregarding privacy. Consistency in privacy protection would result in thedevelopment of a common database of case histories which would serve as areference in determining the appropriateness of releasing information.Furthermore, there needs to be co-ordination between different Acts such asthe Freedom of Information Act and Privacy Act both at Commonwealth andState levels in order to provide a reliable source of reference.

3. The right to privacy protection in Queensland should be by way of theintroduction of severe penalties on people releasing another individualsinformation without proper authority.

The proposed Privacy Act must require public and private sectororganisations/industry of more than say 10 employees to develop proceduresand guidelines to protect private information. This could be achieved in muchthe same way as the Public Sector Ethics Act imposed obligations on all localauthorities to develop a Code of Ethics/Conduct. Procedures and guidelinescould be complemented by the requirement that all staff be made aware ofthe fundamentals of the Act together with the penalties of not adhering to itsrequirements.

Redland Shire Council - Submission on Privacy in Queensland Page

Local governments are in possession of a huge amount of personalinformation about ratepayers and businesses operating in the Shire and thushave a responsibility to protect that information.

"Information Privacy Principles" enshrined in an act would certainly assistlocal governments in the protection and use of information in theirpossession. If IPPs were introduced long the lines of the Privacy Act1988(cth) then clear guidelines must be developed on what information canbe released.

Statutory tort would provide the aggrieved party with a means ofcompensation in terms of invasion of privacy however it does not provideprotection. It is merely a "band-aid measure".

A privacy committee in lieu of a single commissioner would offer a balancedapproach to investigation of complaints.

Moreover, if local governments were required by the Local Government Actto report on privacy issues in their Annual Reports this would furtheremphasise the importance of promoting the protection of privacy in localgovernment . This could be by way of a statement to the effect "'x' number ofrequests for personal information were received and 'x ' number of requestscould not be complied with because of implications under the Privacy Act". Itwould also serve as a monitoring mechanism by insisting that localgovernments are aware of the necessity to protect information in theirpossession.

Option - Information Privacy Principles4. The information privacy principles incorporated in the Privacy Act 1988 (cth)

provide a guide to storage and release of information but do not appear togive specific direction on what constitutes "personal information". This needsto be clarified.

The privacy principles need to be strong enough to allow an individual theright of re-dress. Onus should be placed on the transgressor to prove allnecessary precautions have been taken with regards security. This shouldnot alleviate the transgressor from damages just personal liability.

The obligation to protect privacy could be developed similar to the obligationsof the Environmental Protection Act where there is a threat of fines placed onindividuals for negligence. The Trade Practices Act also operates in a similarfashion by placing responsibility on those who have knowledge of the Act tocomply or face huge fines.

5. Yes.

Legislation should be accompanied by guideline principles which compelorganisations of a certain size to have a policy in place to deal with privacyissues. The Public Sector Ethics Act, for example, requires all localauthorities to have a Code of Ethics/Conduct in place incorporating theprinciples as outlined in the Act.

Redland Shire Council - Submission on Privacy in Queensland Page 2

6. No.

There should be no necessity for individuals to pay to exercise their right toprivacy. It should be a "given" and accepted right of any individual not to besubject to unsolicited invasion of privacy.

7. No.

Costs associated with IPPs would not outweigh the public benefit flowingfrom their implementation. Individual privacy is paramount and public interestneeds to be justified. Justification by means of a public interest test shouldbe conducted such as that required under the Freedom of Information Act.

Option - A privacy commissioner/privacy committee8. If an office of privacy commissioner/committee was established the following

points should be considered:

• with regards its independence a reporting mechanism should be developedunder the guidelines of legislation. The commissioner/committee shouldreport to the Parliament. This would provide a monitoring mechanism.

• if the Freedom of Information Commissioner and the Privacy Commissionerwere one and the same it would ensure consistency in matters relating toprivacy issues.

9. The function of a privacy commissioner/committee should be to administerthe proposed Act. This body should be responsible for its own appointments,suspensions, budgets and strategic reviews. The commissioner/committeeshould act along the same lines as the Ombudsman by offering anindependent view and the opportunity of arbitration. It should be the finalpoint of review for contentious issues and thus by way of setting precedentsand decision making it would, by default, set the interpretation of futuredecisions.

Furthermore, this body should have the function of continually reviewingtechnology to ensure changes that could potentially affect privacy are dealtwith.

10. The privacy commissioner/committee should have the power to both enforceIPPs through sanctions and exercise coercive powers such as powers ofaccess. This would provide assistance for further remedy via the courts.

11. No.

The benefit of having a privacy commissioner/committee would outweigh theassociated costs as this body would provide a valuable service andpotentially protect local government from litigation and damages.Furthermore, it would protect the individual's right to privacy.


Scope of a privacy regime12. Yes.

Privacy regulations should apply to both public and private sectors. Thiswould provide consistency especially in the light of national competition policyimplications which will see public sector business units competing in theprivate sector market place.

13.&14.Yes.

With regards government owned corporations and local government activitiesthese should both be covered by the same privacy regulations.

15. No.

16. The private sector should be covered by regulations relating to privacy. If thesame regulations were not applied to both the public and private sectors aCode of Practice should be developed to regulate the flow of informationbetween the public and private sectors and in fact, the flow within the samesectors. This would most certainly result in additional cost to thegovernment.

17. Yes.

The issue of privacy is global and needs to be dealt with accordingly. Alreadythere are many different rules between states and thus a co-operativearrangement with regards a complaint regime is essential. In order todevelop a consistent complaints regime there needs to be stronger legislationto serve both the private and public sectors.

The question needs to be asked "why do we need separate acts for statesand territories?". The principle of one act would provide consistency indealing with matters of privacy and would certainly provide a common base indealing with transfer of information across borders.

18. Yes.

Interrelation of the Freedom of Information Act and privacy protectionlegislation would offer a stable basis to work from and dispel confusion overwhat constitutes private information. This would contribute to a clearunderstanding of what act takes precedence and in what cases.

19. Privacy protection should at least attain the level of the 1995 EuropeanDirective and the OECD Cryptograhpy Policy Guidelines and should befurther strengthened to ensure international obligations can be fulfilled.

Smart cards and electronic banking20. Smart cards should be covered by the Privacy Act.


21. The Privacy Act should most definitely provide national guidelines withrespect to various types of electronic banking and cash as this is obviously anational issue.

Other privacy concerns22.)23.) No comment.


Z00'd CSLT'ON x'/Xd. TT:OT L6, 80/TT

DEPARTMI?NT OF TRAINING AND INI )USTRIAI , RE I .A ['IONS

Citibank C entre, 199 Charlotte Street, Brisbane . Postal Address: G.P.O. Box 69, Brisbane , Old 4001.

s7.

LEGAL, CONSTITUTIONAL ANDADMINISTRATIVE REVIEW COMMITTEINr

11 AUG 1997

The Research DirectorLegal, Constitutional andAdministrative Review CommitteeParliament HouseBRISBANE QLD 4000

Dear Director

Thank you for the opportunity to provide comment on Issues Paper No.2, "Privacy inQueensland". The Department of Training and Industrial Relations has considered this Paper andI am pleased to provide the attached comment,-,-

I apologise for the delay in providing comment. I wish you well with this project, if you haveany queries regarding the information provided, or require additional information, Ms RachaelMackay, A/Policy Officer, Executive Liaison Unit, telephone (07) 3225 2289, would be pleasedto assist.

Yours sincerely

C W THATCHERDirector-General

`{,/08197

Dorking 13Htt'-r Togciher

L1,,'Z 'J 6 J ^9p '°N U Z 6 i' nVH

£00°d £SLFON XN/XS, TROT L6, 80/IT

DEPARTMENT OF TRAINING AND INDUSTRIAL RELATIONSComments on "Privacy in Queensland - An Issues Paper"

GENERAL

1. Are there valid concerns relating to privacy protection which need to be addressed bylegislative and/or administrative action ? Ifso, whatparticular concerns are most pressing?

The current lack of protection for information privacy in Queensland exposes persons topossible abuse of information from government agencies and requires address.

A clear policy to regulate the collection, storage, security, use, access, disclosure and correctionto "personal" information is urgently required.


As there is no law in Queensland to protect citizens' rights to privacy, especially informationpxi.vacy, adequate protection is not provided.

3. If no, how should the right to privacy be protected in Queensland? For example, shouldQueensland introduce one or a combination of the following means of regulation:information privacyprinciples (IP.Ps); a statutory tort of privacy; a privacy committee/privacycommissioner; or some other means to protect privacy.

Queensland should introduce an administrative scheme of information privacy principles witha privacy commissioner attached to the Ombudsman's Office, with similar powers to theOmbudsman to ensure compliance with these principles.

OPTION - INFORMATION PRIVACY PRINCIPLES

4. If IPPs are introduced, what should they provide?

IPPs should provide the same cover as the already established Commonwealth IPPs.Additionally IPPs should address the collection, use and disclosure of criminal historyinformation-

Because the Freedom of Information Act already exists, it is important that any Queenslandinformation privacy protection should give consideration to the difference between personalinformation and personal affairs information.

This will ensure that the privacy guidelines and Freedom of Information legislation areconsistent.

Department of Training and Industrial Relations

3G ='1^Iid ±^- ^Gb> 'un'd'id

7001d £SLT'ON XlI/XL TT:OT L6, 80/TT

Exemptions similar to those provided in the Commonwealth legislation for such things as lawenforcement would be necessary.

5. Should IPPs be in the form of guidelines of legislation?

From a departmental perspective, i t would be preferred i f the principles could be introduced asguidelines . In addition, a Privacy Commissioner attached to the Ombudsman 's Office, with

similar powers to that of the Ombudsman, could make recommendations and report to

Parliament.

It is essential that the TPPs are in a form that ensures they are enforceable.


Although there will be an obvious cost to agencies , it does not seem appropriate to charge aperson for what should be their basic rights to privacy.

7. Would the cost associated with IPPs outweigh the public benefit flowing from theirimplementation?

It is unlikely that the cost would outweigh the public benefit After the initial implementationcost, on-going costs to agencies should be minimal.

OPTION, A PRIVACY COMMISSIONER/PRIVACY COMMITTEE

8. If an office ofprivacy commissionerlcommittee is established:

In response to the questions raised under this heading, it is believed that an office of the privacycommissioner should be set up with similar operating principles to the Commonwealth model.Independence and accountability should be modelled on the Commonwealth Office.

9. What functions should a privacy committeelcommissioner have?

Similar to those of the Ombudsman, to take and investigate complaints, make recommendations,and if the matter cannot be resolved, report to Parliament.


^rr^ l & L '^I IIQ ^^.^ v 7 ' 'II

S00' d £SLT' ON X'iIIXL TT : OT L61 80/IT

10. What powers should a privacy committee%ommissioner have? For example, should these

include the power to:

enforce IFFs through sanctions such aas fine or disciplinary action; andexercise coercive powers such as powers of access?

The powers of the privacy commissioner should be similar to those of the Commonwealthprivacy commissioner.

11. Would the costs associated with an office of the privacy commissioner/committee outweigh

the public benefit flowing from the establishment of such an office?

Within Australia, it is recognised that there is a multimillion dollar market in infonnationtrading. This often occurs without the knowledge of individuals whose information is traded.In this regard, it is believed that the protection offered to the public's right of privacy outweiglisthe associated costs to establish an office.



Privacy regulation should apply to both sectors, as a first preference. The second preference isthat it should apply to those parts of the private sector which are providing services undercontractual arrangements with government agencies.


Yes - the regulation should apply to government owned corporations.

14. Should privacy reg ulation apply to local government activities?

Yes - the regulation should apply to local government activities.

15. Would the costs associated with privacy regulation of..

the private sector;government owned corporations; andlocal government activities;

outweigh the public benefit to be gained by that regulation.

No. Individuals have a right to know how personal information that they have supplied topublic and private-organisations will be used and a right to object to certain uses of thatinformation.


r` d 6-119 ''r Uld Sy- ! 5 5- "ji

900'd £SLF'ON Xd/XJ TT:0T L6, 80ITT

16. If the private sector is not to be covered, how should privacy regulation apply to bodies

performing services wkick the government has outsourced?

It is considered that it should apply in respect to the personal affairs information that has beencollected for the functions of government.

17 Should there be co-operative arrangements between the states, territories and the

commonwealth with respect to matters such as formal complaints regimes?

It is essential that there are cooperative arrangements between states and territories given the"borderless'" nature of information collection, storage and dissenainat-ion. However, in view ofthe differences in the Freedom of Information legislation between jurisdictions and the need forthe privacy legislation only to apply to the personal affairs information and not personalinformation, it is considered that this would not be possible.

18. How should any privacy protection legislation interrelate with freedom of informationlegislation? For example, should the access to, and amendment of, personal information beregulated by a Privacy Act alone?

In many respects, the two go hand in hand and in others there is a potential for conflict. Bothconcepts have separate purposes which should stand alone. Personal information should beregulated by a Privacy Act alone.

19. What additional measures, if any, should be taken with respect to:

the 1995 European Directive; andthe OECD Cryptography Policy Guidelines?

Government should address commercial concerns that may arise if European Union countriesrefuse to transfer certain data to Australia if it is perceived that Australia does not have adequatedata protection laws.

The implementation of OECD guidelines on Cryptography should be considered-


20. How should smart cards be regulated? For example, by national legislation, state legislationor industry codes?

Smart Cards should be the subject of national legislation given the "borderless" nature of these.cards.


21,x'9 d^ '^IIL^ ^5 I66- `,3

L00'd £SLT°0N XN/XJ, T1:0T Lb, 80/1T

21. Whatform of regulation should be introduced with respect to the various types ofelectronicbanking and case (not including those systems which use smart cards)?

The department is unable to provide comment on this issue.


22. WhatBerm ofregulation should be introduced with respect to privacy issues arising in the

areas Of

IPPs should address each of the matters raised under this question.

23. Generally, what should be done to ensure that the law keeps abreast with developments in

technology affecting individuals ' privacy '

Whatever law is introduced, should be flexible enough to allow it to meet the increasing rateof technological change.

department of Training and Industria l Relations

1rI 'd 611 30 'Elk, ;Ill nt 'I l

S5

.'"'"'NS LA'alf,"D

IN ASSOCIATION WITH AUSTRALIAN NURSING FEDERATION QLD. BRANCHJust Re arils for Professional are

ADDRESS ALL CORRESPONDENCE TO THE SECRETARY, G.P,O. BOX 1289, BRISBANE, Q, 4001.

IN REPLY PLEASE QUOTE:

7 August 1997

All enquiries regarding thiscorrespondence should be directed to:

The Research Director LEGAL, CONS OVAL ANDLegal, Constitutional and Administrative Review Committee ADMINISTRATIVE REVIEW COMM ITTEEParliament HouseBrisbane Qld 4000

Fax No: (07) 3406 7691

14 AUG 1991

Dear Sir/Madam,

Re: Submission on Privacy In Queensland

Thank you for the opportunity to provide comment on the important issue on privacy in Queensland. Iapologise for the lateness of this submission and thank your office for agreeing to accept this document.

We have advertised the availability of your discussion paper to our members via our journal and made thedocument available upon request. Comments from members have been included in our submission.

This submission details broad general concerns and views on possible remedies. Officials of this Unionwould be happy to meet with members of the committee at some future date should further information orclarification be required.

With regards to the relationship between privacy and freedom of information regimes it should be notedthat the Queensland Nurses' Union (QNU) believes that there is also a necessity for Freedom ofInformation Legislation reforms, most notably with respect to extension of the legislation to the nongovernment sector. The QNU has made submissions to the Law Reform Commission on this matter in1995. (Copies of these documents are attached for your information.) The Union believes that reform inthis area is of vital importance and requires urgent attention. Although this issue falls somewhat outsidethe terms of reference for your inquiry, the issues are related and we thought that you may be interested inour previously stated views on this matter.

It may also be of interest to your committee to know that our federal office (the Australian NursingFederation in Melbourne) provided a submission to the House of Representatives Standing Committee onFamily and Community Affairs Inquiry into Health Information Management and Technology in Aprilthis year. This submission details concerns regarding ensuring privacy within the context of technologicaladvances in health information management. (Extracts of this submission are enclosed for yourinformation. Appendices have not been included as these were lengthy.)

This submission will not address all of the suggested issues for discussion set out in your document, butwill follow the format provided in broad terms.

!'Wien _ 2nr ai 56 Boundary Street, West End, Brisbane, 4101.

Townsville Office: Rockhampton Office:7P.C Sox BRISBANE 4001 P.O. Box 175', TOWNSVILLE 4810 PO. Box 49, ROCKHAMPTON 4700Phone: (07) 35+0 1444 Phone: (077) 72 541 1 Phone: (079) 22 5390Fax: (07) 3844 9387 Fax: (077) 21 1820 Fax: (079) 22 3406

Reglrtera0,nder I ntlonAr5, , onAct IM

1.General Issues

The QNU believes that there is an urgent need to introduce a consistent framework for privacy protectionin Australia. A nationally consistent privacy regime should be effected through Commonwealth legislationand backed by complimentary state legislation. As the Prime Minister has announced that the federalgovernment does not intend to progress this issue each state will have to regulate privacy protectionseparately. Queensland therefore must progress its plans to introduce privacy legislation as an interimmeasure and lobbying must continue to ensure that the co-regulatory approach (as outlined in the federalAttorney Generals discussion paper of September 1996) is introduced. Lack of consistency willunfortunately continue to be an ongoing problem given the federal government's policy direction change.

Areas of particular concern identified by members of this Union are:

Medical Records - maintaining privacy of records; access to records; and maintaining

security/privacy with introduction of new technology (eg computerised records).

Maintaining privacy in an environment of rapidly advancing technologies (eg Internet, smart cardsetc).

Issues relating to privacy in the workplace (including surveillance, privacy of employment recordsand requirements for employee testing for medical conditions etc).

Use of genetic testing and the impact of advances in this area.

Access to databases for telemarketing or direct marketing purposes especially access to the database of organisations such as the Queensland Nursing Council for this purpose.

The QNU strongly believes that the current law in Queensland is inadequate with resect to privacyprotection. It is our belief that there is an urgent need for the introduction of a statutory privacy protectionmechanism that is consistent throughout Australia. This should include standardised IPPs and theestablishment of an office of Privacy Commissioner or a Privacy Committee.

2.Options

Information Privacy Principles

In our view Commonwealth Information Privacy Principles (IPPs) should be adopted as the minimumstandard for both the public and private sectors throughout Australia. The QNU believes that it isappropriate for all of the eleven IPPs to apply to all state and local governments and statutory authorities.Selected IPPs and specific protections should apply to specific areas of the private sector through legallyenforceable codes of practice. For example, with respect to private medical records, IPPs 2, 4, 6 and 11should be enforced , with specific mechanisms for dealing with access rights and appeal rights. Furtherdetailed analysis needs to be performed on the scope of the application of the IPPs to the various sectionsof the private sector as all are not applicable to all settings. It is our belief that government ownedbusinesses should be subject to the same privacy regime as like private sector organisations. Given thatcurrent government services are being "outsourced" to the private sector (eg private employment agenciestaking over some functions of the CES) it is essential that the current commonwealth privacy provisionsextend to private sector operators undertaking functions that were (and should be) performed bygovernments.

The QNU does not believe that individuals should have to pay to exercise their right to privacy.

Privacy Commissioner/Committee

The QNU believes that it will be necessary to establish either an independent office of PrivacyCommissioner or Privacy Committee that reports to parliament. The privacy commission/committee needsto have coercive investigatory powers, all advisory functions as outlined in your discussion paper, theability to investigate and determine complaints and powers to make awards of compensation ordeterminations imposing penalties.

3. Scope of Privacy Regime

The first general section of this submission has already dealt with an number of questions raised in thepart of your discussion paper dealing with the scope of the privacy regime.

We do however wish to make comment on the issues raised in question 18 regarding the inter relationshipbetween privacy and freedom of information legislation. Privacy and freedom of information legislationmust be consistent and complimentary. Provisions of privacy legislation must not prevent access of thirdparties to information of a personal information when it is clearly in the public interest to release suchinformation. There are many examples of class action cases that attest to the need to balance thecompeting priorities appropriately. It is our view that access to private information must be regulated byboth Freedom of Information and Privacy legislation.

4. Other Privacy Concerns

Many of the privacy issues raised in question 22 of your report are of particular importance to ourmembers. These too have been highlighted in the first general section of this submission. It is the casehowever that information privacy is a discrete area that is already the subject of an established regulatoryregime in the commonwealth arena. These other issues (that are not directly related to the protection ofpersonal information) should be addressed via the enactment of appropriate legislation other thaninformation privacy legislation. It is however appropriate and necessary to discuss other related privacymatters in this context and to consider possible remedies to concerns within your brief.

Thank you for considering this submission from the QNU about this important issue . The abovecomments are general in nature and, as stated above, the QNU is willing to be involved in furtherdiscussions should your committee so desire.

As the issues surrounding privacy protection are complex and often involve competing agendas we haverefrained from giving detailed views on possible mechanisms for protecting privacy. We believe that thereshould be further widespread public consultations following the release of the report on your deliberationsso that the implications of these are clearly understood and debated prior to implementation of anyrecommendations. The QNU is very keen to be involved in any future processes of this nature.

Should you wish to discuss any matters raised in our submission please feel free to contact QNU ProjectOfficer Beth Mohle by telephoning (07) 3840 1437.

Yours sincerely,

Gay HawksworthSECRETARY

QUEENSLAND

Nurses' UnionN aSSOC1AiiCN t/1-H AUSTPAUAN NURSING ^EDE:P,= Gtj QLG BRANCH

Just Rewards for Professional Care

ADDRESS ALL CORRESPONDENCE TO THE SECRETARY. G.P.O. BOX 1289, BRISBANE , Q. 4001.


5 July 1995

415.487

The SecretaryAustralian Law Reform Commission133 Castlereagh StreetSYDNEY NSW 2000

r;,.,,r' es re gcr,:^irg this.r^_:carderce ,rccld be 1ir-r_ed

TO: Members and Officers of the ALRC and ARC

Dear Members and Officers

Submission in response to the ALRC' s Discussion Paper 59

Steve Ross

Thank you for sending the Queensland Nurses' Union of Employees (QNU) the AustralianLaw Reform Commission's 59th Discussion Paper entitled Freedom of Information. It madeinteresting reading.

This submission addresses a gap that appears within the framework and rationale of theDiscussion Paper: whether Freedom of Information (FOI) Legislation should apply to non-government organisations (NGO's) that receive government funds. The QNU believes itshould. At a minimum, FOI legislation should apply to non-government organisations in theprivate health sector which receive government funds. Our reasons are outlined below. Irequest that the ALRC and the ARC give specific attention to this area when formulatingtheir final recommendation about FOI legislation.

The QNU submits that the reasons which justify an extension of FOI legislation togovernment business enterprises (GBE's) also justify an extension of the legislation to non-government organisations (NGO's) which receive Federal government funding. In yourdiscussion paper, the arguments in favour of extending the FOI Act to CBE's are set-out onpages 111 and 112. On page 111, it is argued that:

GBE's represent the expenditure of much public money and should therefore be publiclyaccessible and accountable for the use of that money. In addition, GBE's are accountable toMinisters financially and strategically and the public has a democratic interest in theirworkings.

Queensland Nurses ' Union of Employees , 2nd Floor QNU Budding, 56 Boundary Street, West End, Brisbane. 4101.

Brisbane Office: Townsville Office : Rockhampton Office:G P.O 3ox 1289. BRISBANE 4C01 P.O. Box 1761. TCWNSVILLE 4810 PD. Box 49, RCCXHANIPTON 47C0

Phone ,07) 38,10 '4.14 Phone: (077) 72 541 ^'reno 0'") 22 5390Fax ,0') 384.14347 Fax: ;073) 21 1820 07') '^_ 3-!C6

Sti;nmea n,i.r '^ a n,n.: n, i -i ennn.m .ar.drnnan ',-' - V

2

Whilst NGO's receive substantial amounts of public funds, their operations are not presently transparentto neither the government nor the public. According to a recent Industry Commission draft report',the largest 50 community social welfare organisations received (presumably Federal) government fundingtotalling over $724 million during 1992 - 93. These organisations must report to government. Some ofthese reports would be available under FOI legislation. These reports would be general. They areusually about the way in which an organisation has dispersed its funding or the grounds upon which itclaims funding. They may also include information about the organisation's performance in using publicmonies. They are unlikely to give a detailed account of decision-making, nor provide detailedinformation about the other activities of the organisation. Other reports made to government by the 50largest community organisations may not be available under FOI. During 1992 -93, 18 of theseorganisations provided aged care. Their funding arrangements are governed by the National Health Act.The secrecy provision under that Act2 could impede the release of the reports made to government byaged care providers.

On page 111, it is argued that the competitive environment provides inadequate public accountability for3BE's:

The competitive environment ... does not facilitate a fair and just provision of goods and/or services.Private remedies might assist, but the cost of justice is apt to take these outside the reach of most individuals.By contrast, administrative law remedies are by and large cheaper and more accessible and likely to lead topublic accountability and better decision making; possibly even in the commercial sphere.

The same arguments can apply to many categories of NGO's receiving government funds. Take nursinghomes as an example. It is in the public interest that the standard of care provided by nursing homescan be scrutinised. These homes receive substantial government funding through service arrangements.They are full of vulnerable people: people who, because of their frailty, or as a consequence of a mentalor physical disability, cannot speak out to the public if they are abused. Providing patients of nursinghomes with rights to access their individual files (as the ALRC discussion paper proposes) will not enablesufficient access to information about whether the standard of care that a nursing home offers, isreasonable. There are two reasons for this. First, information personal to particular patients will notprovide an overall picture of whether the home is ensuring that it provides sufficient specialist care, oradequate food, heating and stimulation for its patients: this information is contained in more generaldocumentation such as menus, dietary reviews, specialist - patient contact documentation, and letters ofcomplaint to the home. Second, the right is personal to a patient. Many of the patients in nursing homeswill be too frail or too ill to decide to make FOI applications. Other people should have the right toaccess general information about the nursing home. If a family member or friend of the patient, or aprofessional working with a nursing home, suspect that deficiencies in the quality of care available to aperson in a nursing home, they should be able to find out. For instance, they may want to review whatmechanisms are in place to ensure that those living in the home receive adequate nutrition. They maywant to find out whether enough staff are employed during the night.

They may want to assess the safety of medication regimes in place: that medication is being given byproperly qualified staff and that medication is given for the benefit of patients, and not to pacify patientsto make them easier for staff to manage.

IIndustry Commission (1994) Charitable Organisations in Australian - an inquiry into Community Social WelfareOrganisations Attachment 1.

2 Section 135A.

3

They may want to establish that the programs that the nursing home management said to the governmentthat it would provide for its patients, are in fact being provided. In the limited circumstances in whichcivil action would be available to them, they should not have to pay huge legal costs to find out thisinformation. They are acting in the public interest, not in self-interest. Low cost, accessible remediesshould be available to them, such as FOI.

On page 112, the discussion paper presents this argument in favour of extending FOI to GBE's:

GBE's should be subject to the full FOI requirement in order to make government requirements of such

entities more transparent. This is particularly the case on issues such as ... community service obligations

Two highly publicised examples of health care services providing fatally deficient standards of care mayhave been exposed years before the public inquiries that were eventually held into them, if FOI had beenavailable to the family, friends of patients and concerned professionals. These examples are not used tosupport this submission's contention that FOI access should be extended to non-government organisations-eceiving Federal government funding - Chelmsford was not receiving government funding. TownsvilleGeneral Hospital is a public hospital to which FOI access now applies. Rather, the examples provide animportant reminder about the suffering and injury that can be caused by health services whose practicesand operations are not accountable nor transparent to the public. We use these examples to underline theneed for FOI access in the private health sector.

Twenty-four people are known to have died in Chelmsford Private Hospital near Sydney between 1963and 1979. Patients at the hospital who were subjected to Dr Harry Bailey's deep sleep therapy werebombarded with sufficient barbiturates and tranquillisers to keep them virtually comatose for up tofourteen days at a time. Some of those who died were tragically young: young enough for warning bellsto sound. Twelve deceased were under 40 years at the time of death - one was 14 years old. Anothernineteen victims of Chelmsford's therapy committed suicide within a year of receiving treatment. Thedeaths of only four patients who died in Chelmsford were the subject of a coroner's inquest. Thoseinquests were unable to obtain sufficient information to make proper findings.3

Townsville's General Hospital Psychiatric Unit (Ward 10B) provides a second example. CommissionerCarter headed the public inquiry into Ward 10B. He found that between 2 March 1975 and 20 February1988 many of Ward LOB's patients were treated in a manner that was negligent or unsafe. He found4P ZDthat two patients had died because of this neglect and lack of safety, and a further six patients who hadcommitted suicide, were cared for and treated in Ward 10B in a manner that was negligent and unsafe.'The Friends of Ward 10B was an active community group drawing attention to the excesses of Ward10B. It would have been assisted in its task by obtaining information from the hospital about the careand treatment of its psychiatric ward patients from 1975 - 1988. However, FOI access was not availableto its members. Without this information, the group's proof was inadequate to back up its suspicionsand bring sufficient pressure to bear to stop the practices within the Ward. As a consequence, thedeficient care and treatment regime experienced by Ward 10B patients continued, unabated.

3 See I. Anderson ( 1991) Nightmare in Chelmsford , Sydney New Scientist Vol 129 pp4 for a useful summary.

a Findings 66 - 68 and Chapter 10 Commission of Inquiry into the care and treatment of patients in the psychiatric unitof the Townsville General Hospital between 2 March 1975 and 20 February 1988 - Vol I February 1991 Go Print Brisbane.

4

Finally, your discussion paper presents this argument supporting FOI access to GBE 's on page 111:

The traditional private sector corporate reporting , accounting and audit requirements do not provide publicaccountability . ... FOI and other administrative law mechanisms have the potential to provide such results

As a Union, the QNU advocates for the industrial concerns of its members. However, the submissionsthe QNU makes should not merely be seen as emanating from the self interest of its meeting. As a peakprofessional body, the QNU advocates for the professional concerns of its members. Much of itsadvocacy is aimed at enhancing the standards of care that nurses can offer their patients.

QNU Industrial Officers who contest decisions made by private nursing homes to make some nursingstaff redundant or to cut back nurses' working hours are faced with the argument that these decisions arenecessary as the nursing homes have no capacity to pay for the maintenance of existing staff levels.

This argument is difficult for the union to combat. Many private nursing homes providing aged care arenot incorporated. Unlike companies, they are not required to submit audited accounts and annual returnsfor inclusion on a public register. The QNU cannot get information to assess the capacity of thesenursing homes to pay unless it commences proceedings in the Industrial Relations Commission and thenrequests the Commission to issue a subpoena. Reduced nursing staff levels directly affect the quantityand quality of care that nursing homes offer their patients. There were 178 nursing homes inQueensland in 1992 - 1993. Some of these nursing homes may not have the financial capacity tomaintain existing staff levels. However, the QNU knows that 1.9% of the nursing budget forQueensland's nursing homes that returned monies from their nursing budget have subsequently reducedtheir nurses working hours and argued that this is necessary because they have no capacity to pay. Inother words, these nursing homes are acting in a way that is contrary to the interest of their staff andpatients. The QNU's role of fighting for the quality of care its members can offer their patients wouldbe enhanced with the application of FOI legislation to non government organisations receiving publicmoney.

Thank you for the opportunity of responding to your discussion paper entitled Freedom of Information.If you require further information please refer to our first submission where we covered the governmentissues of why FOI should be extended to non-government organisations in receipt of government funding.Alternatively please do to hesitate to call Steve Ross, QNU Industrial Officer for the Private SectorHealth Services (Ph. - 07 840 1415) with any further queries you may have. I will look forward toreceiving your final report.

Yours sincerely

GAY HAWKSWORTHSecretary

QUEENSLAND

Nurses' UnionIN ASSOCIATION ', TH Al S" 2AI IAN NURSING ==" ERATION QLD BRANCH

Just Rewards for Professional Core

ADDRESS ALL CORRESPONDENCE TO THE SECRETARY, G.P.O. BOX 1289, BRISBANE, Q, 4001.


15 December, 1994

Ali enquiries regarding thiscorrespondence should to directed to

The SecretaryAustralian Law Reform CommissionGPO Box 3708Sydney NSW 2001

Fax: 02 284 6363

Dear Secretary, staff and members of the Commission

Submission in response to Issues Paper 12 entitledFreedom of information

Your Commission and the Administrative Review Council have been requested by theFederal Attorney-General to review the Commonwealth Freedom of Information Act 1982.One of the terms of reference for this review is -

whether the ambit of the application of the Act should be extended to cover privatesector bodies.

The Queensland Nurses' Union of Employees (QNU) represents approximately 7000 nursesworking in private sector health services. The QNU believes that the Freedom of InformationAct 1982 should be extended to cover all private sector bodies. Failing a general applicationof the legislation to the private sector, the QNU submits that, at a minimum, the Act beextended -

to allow individuals access to information that is about them, or which has thepotential to affect their interests, whether or not this information is held within theprivate or public sector;

to cover all non government organisations that receive any payment from theCommonwealth government for services that they provide; and

to cover all health services operating in the private sector.

This submission contains reasons to explain the QNU's position. It also outlines reasons thatjustify legislation to enable consumers of health services to be able to access their medicalrecords and files upon request.

Queensland Nurses ' Union of Employees . 2nd FIc.y QNU Building. 56 Boundary Street, West End, Brisbane, 4101.

Brisbane Office : Townsville Office: Rockhampton Office:G.P O Box 2B9, BRI3E.:, iE BOG P' net ' 75^. rC^ wr J L. P Pt:r -,0 CKH, : 2N: 4

1 1 Phone • OY, 22 539014 Phone '077 72 54phone 007; RIO , 4-1Gax (07': R44 ^3P_? cox ^ 7 ; _ 82C 'n 22 740n

2

1. The QNU believes that Freedom of Information legislation should be extended tocover the private sector.

1.1 Administrative law should extend to the private sector when it exercisespublic power (Issues 131 and 134).

Presently, administrative law acts to disqualify an unlawful exercise ofgovernmental power and to compel the performance of legal duties that havebeen neglected. Through Freedom of Information (FOI) 'legislation,administrative law allows the community to open the doors of governmentaldecision making. It promotes an understanding about how and why decisionsare made. It can provide the means to assess whether governmental power hasbeen validly and properly exercised. FOI legislation therefore acts as animportant tool in administrative law.

In controlling governmental power, administrative law has focused its attentionon governments, bureaucracies, and statutory bodies. Industry, too, exercisesgovernmental power. Its actions and decisions can affect both the nationaleconomy, and the working and living standards of millions of employees. AnAmerican academic explains -

The penalties that private management can impose possess a coerciveforce and effect that government even with its threat of incarcerationcannot equal. The management of a business like the United StatesSteel Corporation has wide powers to affect the economic security,stability and subsistence level of its two hundred thousand employees.It has power, too, to influence the lives of its numberless customers.But more than this, such a corporation either by itself or incombination with its contemporaries can virtually determine whatpolicies with reference to the production and sale of steel we shallpursue as a nation.'

Administrative law has started to look towards the private sector. Theoverwhelming bulk of the law about procedural fairness continues to concerncourts, statutory bodies, and ministerial and bureaucratic decision making.Courts have, however, decided that a duty of procedural fairness appliesoutside these boundaries to bodies which exercise important powers that havenot been given to them by or through statute, for example in the fields ofemployment and sport.' Similarly, judicial review normally scrutinises thedecisions of those who derive their power through statute or regulations. TheEnglish Court of Appeal has recently said that judicial review could beextended to any body which performed or operated as an integral part of asystem which performed public duties. It found that the Panel on Take-oversand Mergers, a self-regulating body operating through the City of London's

'J Landis The Administrative Process in P Schuck (ed) (1994) Foundations of Administrative Law Oxford Uni PressNew York on page 13.

'Forbes v NSW Trotting Club (1979) 25 ALR 1; McInnes v Onslow-Fane [1978) 1 WLR 1520

3

Stock Exchange , was in fact an integral part of a governmental framework forthe regulation of financial activity in the City of London . ' As Professor Wadeobserves -

At present these cases are sporadic and appear to be anomalous. Butit is probable that they will multiply and so open new vistas ofjudicial review, enabling the courts to penetrate into many areaswhich were previously beyond their reach.'

The reasoning that has been applied by some judges in recent administrativelaw decisions compliments an extension of administrative law to the privatesector. In assessing whether an administrative remedy is available, judges havelooked towards the type of power that the decision maker wields, rather thanthe sector from which the decision maker comes. A majority in the HighCourt said -

It is now clear that a duty of procedural fairness arises, if at all,because the power involved is one which may "destroy, defeat orprejudice a person's rights, interests or legitimate expectations. "5Thus, what is decisive is the nature of the power, not the characterof the proceeding which attends its exercise.6

In the recent Court of Appeal case referred to on the previous page, Lloyd LIemphasised that, in assessing whether the courts would scrutinise the decisionsof a particular decision maker, it is helpful to look not just at the source of thepower, but at the nature of the power -

If the body in question is exercising public law functions, or if theexercise of its functions has public law consequences, then that ...may be sufficient to bring the body within the reach of judicialreview.'

The QNU understands that many lawyers may argue that the administrativelaw principles behind FOI may differ from those relevant to judicial reviewand procedural fairness. We are not relying on these cases to equate the 3administrative law tools. Rather, we use these cases to indicate a judicialrecognition that -

'R v Panel on Take-overs and Mergers; ex parte Datafin Pic [1987] QB 815.

4H W R Wade (1988) Administrative Law 6th edition Clarendon Press Oxford on page 245

'Annetts v McCann (1990) 170 CLR 596 at 598.

6per Mason CJ, Dawson, Toohey, and Gaudron JJ in Ainsworth v Criminal Justice Commission (1992) 66 CLR 271.

'See footnote 3, on page 847.

5

accounts laid before the company in its last general meeting.' In essence, thework .:gs of a corporation are not transparent: even members of the publicwho entrust their money to corporations through the purchase of shares do sowithout being able to properly evaluate how the company is using theirmoney. Consumers and shareholders must rely primarily on the media,advertising, and the limited public documents produced by companies to assesscorporate performance. These sources are inadequate to formulate an informedview. In effect, the community must trust directors to make ethical, and moraldecisions about their companies' undertakings, and how they affect thecommunity.

Unincorporated businesses, and businesses or operations that are incorporatedunder incorporation of associations legislation, have no obligation to theoutside community to provide information about their decision making and itsaffects.

With access to relevant information individuals could play an important rolein keeping industry honest and responsible. The private sector would have apowerful incentive to effectively regulate its conduct and actions if individualswere given the means to blow the whistle on unethical or illegal practices.Your issues paper explains the positive role that US citizens can play now thatprivate sector organisations must make public disclosures about the use ofhazardous chemicals (on pages 105 and 111). We endorse this model. Thereare other examples -

Members of the public should be able to access information aboutpublic safety issues that affect them or their family additional toinformation about hazardous chemicals and wastes. For instance, aperson who has suffered or risks suffering an industrial death or injuryat a workplace should be entitled to access information indicating theawareness of their employers to the risk, and the mechanisms that theemployers have or will put in place to minimise the risk. Air safetyprovides another example in this category.

Despite recent changes to the Corporations Law, members of Boardsthat govern organisations and companies can act and argue in self-interest. The results are not perceptible to the public. For instance,we know of a Private Hospital Board member who is connected witha building society. The hospital's financial business is conductedthrough the building society. This may be coincidental. It may notbe. If it is not, hospital business may be being conducted for thebenefit of the commercial interests of board members rather than thebest interests of the Hospital.

'Sections 259 and 315.

6

Information that allows concerned individuals to assess the standard ofcare offered by institutions providing care for people who arevulnerable and whose voices cannot be heard by the community (forinstance, the frail aged and those who have an intellectual, physical ormental disability), can provide a way to identify institutional neglector abuse. Once identified, neglect and abuse can be confronted.10

If interested individuals had more informatiop about the corporateentrepreneurs of the 1980's, then the community may have beenalerted to their precarious dealings well before their financial collapse.The community deserved to be alerted. The collapse of multi-milliondollar corporations means loss of jobs, financial loss to shareholdersand creditors, and unserviced foreign debt.

1.3. Freedom of Information should extend to information held by nongovernment organisations that receive government grants or payments (Issue135).

The trend towards commercialisation of the public sector justifies an extensionof FOI to commercial enterprises connected to public sector service delivery.The trend is not a justification to wind back FOI access. We believe that FOIshould apply to government business enterprises, commercial organisationswho provide goods and services to the government, and any organisation thatreceives or spends public funds. Non government organisations that receivegovernment grants and payments are paid these monies because they undertakesome of the functions of government. FOI legislation should apply to thembecause they are exercising a public function.

In the terms of reference for this review, the Acting Attorney-General outlinesthe basic purposes and benefits of FOI legislation -

to extend as far as possible the right of the Australian community to accessinformation in the possession of the Federal government;

to make government more accountable by making it more open to publicscrutiny;

to improve the quality of decision making by government agencies in bothpolicy and administrative matters by removing unnecessary secrecysurrounding the decision-making process;

to enable groups and individuals to be kept informed of the functioning of thedecision-making process as it affects them and to know of the kinds ofcriteria that will be applied by government agencies in making thosedecisions; ... and

"Chris Richards and Townsville Community Legal Service (1993) Grave Concerns - Institutionalised Death inQueensland TCLS Townsville.

7

to increase the level of public participation in the processes of policy makingand government.

Each of the purposes and benefits of FOI legislation listed above would beenhanced if FOI legislation applied to those organisations that receive andspend government funds.

The most urgent category for FOI extension in this area is non governmentorganisations that receive and administer public funds. Public funding of nongovernment organisations can be substantial. According to a recent IndustryCommission draft report," the largest 50 community social welfareorganisations received (presumably Federal) government funding totalling over$724 million during 1992-93. These organisations must report to government.Some of these reports would be available under FOI legislation. These reportswould be general. They are usually about the way in which an organisationhas dispersed its funding or the grounds upon which it claims funding. Theymay also include information about the organisation's performance in usingpublic monies. They are unlikely to give a detailed account of decision-making, nor provide detailed information about the other activities of theorganisation. Other reports made to government by the 50 largest communityorganisations may not be available under FOI. During 1992-93, 18 of theseorganisations provide aged care. Their funding arrangements are governed bythe National Health Act. The secrecy provision under that Act12 could impedethe release of the reports made to government by aged care providers.

Non government agencies that receive public money should be accountable tothe community for the way in which they use this money. At the moment,they are not. The money that they receive from the government can providethese organisations with operating capital to maintain basic services. They canthen choose to undertake other projects funded through non governmentsources: projects that they may have been unable to undertake withoutgovernment funding of basic operating costs. There is no necessity that theirfinancial decision-making outside the parameters of public funds, be justifiablein the public interest. They are not accountable to government for thisdecision-making. Direct accountability to the public should be the price we askof organisations that are given the privilege of receiving public money.

The extension of FOI legislation to these organisations should not be limitedto applications for access to personal information. For instance, QNUindustrial officers who contest decisions made by private nursing homes tomake some nursing staff redundant or to cut back nurses' working hours arefaced with the argument that these decisions are necessary as the nursinghomes have no capacity to pay for the maintenance of existing staff levels.

"Industry Commission (1994) Charitable Organisations in Australia - an inquiry into Community Social Welfare

Organisations Attachment 1.

"Section 135A.

8

This argument is difficult for the union to combat. Many private nursinghomes providing aged care are not incorporated. Unlike companies, they arenot required to submit audited accounts and annual returns for inclusion on apublic register. The QNU cannot get information to assess the capacity ofthese nursing homes to pay unless it commences proceedings in the IndustrialRelations Commission and then requests the Commission to issue a subpoena.Reduced nursing staff levels directly affect the quantity and quality of carethat nursing homes offer their patients. There were 178 nursing homes inQueensland in 1992-93. Some of these nursing homes may not have thefinancial capacity to maintain existing staff levels. However, the QNU knowsthat 1.9% of the nursing budget for Queensland's nursing homes was returnedto the Department of Human Resources and Health in that financial year. Theunion suspects that some of the nursing homes that returned monies from theirnursing budget have subsequently reduced their nurses working hours andargued that this is necessary because they have no capacity to pay. In otherwords, these nursing homes are acting in a way that is contrary to the interestsof their staff and patients. The QNU's role of fighting for both the quality ofcare its members can offer their patients and the industrial rights of itsmembers, would be enhanced with the application of FOI legislation to nongovernment organisations receiving public money.

There is a precedent for our proposal. Queensland's Freedom of InformationAct 1992 envisages the eventual extension of the legislation to bodies (whetheror not incorporated) that [are] supported directly or indirectly by governmentfunds or other assistance or over which government is in a position to exercisecontrol ... that [are] declared by regulation to be a public authority for thepurposes of this Act.13 At the time of writing, no declarations have beenmade under this section. However, the legislative intent is there.

This proposal will require substantial amendment of section 135A NationalHealth Act.

1.4. If Freedom of Information legislation is not extended to the private sectorin general, it must apply specifically to the private health sector (Issues 134and 136).

If your Commission and the Administrative Review Council decide not toextend FOI legislation to the private sector in general, the QNU submits thatan extension of FOI legislation be made to apply specifically to the privatehealth sector. In the next section of this submission, we will argue thatindividuals must be given the right to access medical records and files held byprivate health care providers. The QNU does not believe that this goes farenough. The QNU submits that the FOI access currently available in thepublic sector should also apply to private health services. The need for this ismost abundant in private nursing homes. These homes receive substantial

"Section 9 (1)(c).

9

government funding through service arrangements. Nursing homes are full ofvulnerable people: people who, because of their frailty, or as a consequenceof a mental or physical disability, cannot speak out to the public if they areabused. They are not necessarily forgotten. Although their family or friendsmay not have been able to provide home care to them, these family or friendsmay still maintain an active interest in their care. If a family member or friendsuspect that deficiencies in the quality of care available to a loved one in anursing home, they should be able to fmd out. For instance, they may wantto review what mechanisms are in place to ensure that those living in thehome receive adequate nutrition. They may want to fmd out whether enoughstaff are employed during the night. They may want to assess the safety ofmedication regimes in place: that medication is being given by properlyqualified staff and that medication is given for the benefit of patients, and notto pacify patients to make them easier for staff to manage. They may want toestablish that the programs that the nursing home management said to thegovernment that it would provide for its patients, are in fact being provided.

There are a number of other reasons to support our position. As you point outon page 107 of your issues paper, the present situation, which allows FOIaccess to medical records held in the public, but not the private, sector, isunnecessarily anomalous. This anomaly extends to all documentation availableunder FOI, not just medical records. Other reasons to support our position arecontained throughout the text of this submission. To summarise and expand -

Public power can be exerted in the private sector. This is particularlytrue for the provision of health services. Health care is a necessity oflife;

In exercising public power, the private sector should be accountable tothe people that their power affects. The public importance of healthservices is acknowledged by the amount of public funds that ourgovernments (both State and Federal) commits to it. For instance, theQueensland government is spending 22.7% of this year's $10 billionconsolidated fund budget on health. Health care consumers have bothan individual and collective interest in the provision of health care: itsstandard, accessibility, and cost;

At present, the private health sector is not accountable to the peopleaffected by its power. Individuals cannot get access to the medicalrecords that their money has paid for. Annual reports are not madeavailable through many health care services receiving governmentfunds of grants. Standards of care and treatment are difficult to assess;and

10

Individuals have a potentially important role to play in identifyingdecisions and actions undertaken in the private sector that affect publicsafety. This applies to the maintenance of health standards. This rolewill be assisted by allowing FOI access to information held by privatesector health care providers.

1.5 Individuals should have Freedom of Information rights to access anyinformation about them, or which has the potential to affect them (Issues129) 132, and 133).

}

The QNU agrees with the arguments that have been put forward in your issuespaper that support an extension of FOI legislation to enable individuals to beable to access personal information held by any organisation, irrespective ofwhether it is in the public or private sector. We believe that this should applyto organisations irrespective of their size.

Unquestionably, the law should give individuals the right to access anyinformation which refers directly or indirectly to them. Information held aboutan individual - whether it contains factual data or an opinion - should becapable of being scrutinised by that individual. It may be incorrect. Incorrectinformation about a person should be capable of being rectified. It should notremain on file - inviting reliance - unless it is right. For this reason, we donot think that mere right of access is enough. We prefer the New Zealandmodel, which encourages anyone filing information about a person to notifythat person about the content.

It is imperative that individuals be given the right to access information abouttheir health. Members of the Australian public want access to their medicalfiles and records. In the first year of operation of FOI legislation inQueensland, public hospitals were flooded with applications. Queenslandpublic hospitals are now governed by Regional Health Authorities. FourRegional Health Authorities (RHA) fell within the "top 20 State governmentagencies and departments that received and processed FOI applications in1992-93. Brisbane South RHA was second only to the Queensland CorrectiveServices Commission in the amount of applications it received and processed.Brisbane North RHA was third. Between them, these two RHAs received andprocessed 52,473 applications, 49,247 (93.8%) of which were granted infull 14 We believe that this avalanche of applications came predominantlyfrom consumers who had been previously been denied access to their healthcare records -and had waited until FOI legislation came into force to obtaininformation about themselves and their loved ones.

t4Attomey-Genera l (Queensland) (1993) Freedom of Information - Annual Report 1992-93 A-Gs Dept Brisbane on page85.

11

The effect of the present practice adopted by private sector medical servicesof refusing health care consumers access to their medical files and records,was explained in a recent report produced for Queensland's ConsumersHealth Advocacy, entitled My Body, My Health - is

Australian consumers face many barriers in bringing an action for compensationagainst a health care professional....

A final major impediment to taking legal proceedings is the widespread practiceamongst doctors of refusing consumers access to their medical records. This hamperslawyers and other professionals from assessing whether or not the doctor has slippedup. Unfortunately, this practice is not confined to consumers who are thinking aboutsuing their doctors. It applies to most consumers. You pay for the service providedby the doctor, the tests that the doctor arranges, and the reports about you from otherspecialists. Nevertheless, many doctors will refuse you access to these records. [Thisreport] records the harmful effect of this practice: it can cripple the continuity oftreatment, particularly in serious, complex or unusual cases. Courts overseas havecondemned the practice. The Supreme Court of Canada recently decided that a patientis entitled, on request, to examine and copy all of the information in his or hermedical records which the doctor was seeing and using in advising and treating thepatient. The court said that information about a person revealed to a doctor remainedthe person's information. It could be used by the doctor solely for the benefit of thepatient. Only if there was a significant likelihood of a substantially adverse effect ona patient's health, or harm to a third party, would a physician be entitled to withholdthe records ......

Recent studies have shown that only a small proportion of health care complaints

involving negligence result in legal proceedings. It has been estimated that only 5%

of people who suffer injuries involving possible negligence choose to sue. Of these,

more than half get nothing - either they lose the court case or they give up before the

court case starts.

The report concludes that the widespread practice of refusing consumersaccess to their medical records -

helps insulate doctors from accusations that they have acted negligently. ...it candamage the ability of consumers to obtain the best possible treatment. Practically, italso inhibits the ability of consumers to change from one doctor to another. In ourview, this practice deserves condemnation. Consumers pay for the advice given bydoctors, the reports that their doctors obtain, and the tests that are conducted to arriveat a diagnosis. The records are about their bodies. We cannot see how doctors cansustain a moral or ethical justification to support this practice. The practice is sowidespread and so potentially damaging of consumer health that legislativeintervention is required to stop it."

11(1994) Consumers Health Advocacy Brisbane on pages 13 and 14.

"McInerney v MacDonald (1992) 137 NR (3d) 35.

17 on page 43.

12

Your discussion paper asks whether documents that are in the possession ofa private sector body and that relate to health and medical records should besubject to FOI. We believe that it is imperative that consumers be givenfreedom of access to these files. Freedom of Information legislation shouldproclaim that it is the right of all health care consumers to have access to theirhealth and medical files and records upon request. Unlike access to otherforms of documentation, no cost should be attached for either an inspectionof records, nor copies of the contents of the files, records and reports. Theconsumer has already paid for this information to come into being. It shouldbe regarded as the property of the consumer, and treated as such.

Recently Justice Bryson of the NSW Supreme Court18 decided that doctorsowned the notes they made about patients. The QNU notes that the decisionhas been appealed. At the time that this submission was being finalised, thedecision of the Court of Appeal was reserved. The decision will have apersuasive, but not a determinative, effect in Queensland. The Court ofAppeal in this State may not follow the NSW Court of Appeal's decision. Forthis reason, we would ask the Australian Law Reform Commission and theAdministrative Review Council to make specific recommendations as part ofthe present review to give patients a right to access their medical files andrecords on request.

The QNU thinks that individuals should not only be given access toinformation that refers to them directly or indirectly. They should also beallowed to access information that has the potential to affect them. The firsttentative steps toward applying administrative law to the private sector werediscussed on pages 2 to 4 of this submission. The court cases where anextension of administrative law to the private sector has been allowed,predominantly involve decision making or actions that has affected, or has thecapacity to affect, the rights, interests or legitimate expectations of others. Webelieve that this is an appropriate test for FOI access. A worker should beentitled to access information about the safety of his or her workingenvironment, whether or not this is held by a private sector employer.Employees who are being retrenched because their employer says that theycan no longer afford to pay their wages, should be entitled to ask for financialinformation to substantiate this claim. A person living next to a factory whose12 year old daughter has recently developed asthma should be entitled toaccess information about the way the factory monitors effluent and the levelof the factory's emissions. Shareholders in a company should be entitled tofind out what the company that they have shares in, is doing, and why. Awoman who has had a silicone breast implant following a double mastectomyshould be entitled to information held by the manufacturer about the product'ssafety.

1877ze Australian 21 November, 1994

13

2. Exemptions can adequately address any problems that the private sector will faceonce Freedom of Information legislation is extended to it (Issues 130, 137 and 138).

Your afternoon workshop in Brisbane on 29 November, 1994 addressed whether FOIlegislation should be extended to the private sector. We attended that workshop. Oneof the reasons for our attendance was to ascertain the views held by industry aboutthis issue , so that these views could be taken into account in arriving at a position.We came to be educated. We left disappointed. Industry representatives made it clearthat they believed that FOI legislation should not apply to the private sector. Theirarguments to support this position were flimsy. They centred on cost, andinconvenience. In advancing these arguments, the industry representatives did notexplain why the present exemptions under the Act would provide them withinadequate protection. We still do not understand why the breadth of the presentexemptions would not adequately protect industry if FOI legislation were extended tothe private sector.

Your discussion paper lists a number of reasons not to extend Freedom of Informationlegislation to private sector bodies (on pages 107-109). We have the followingcomments to make about these arguments -

It is argued that the private sector does not have a duty to act only in theinterest of the community at large. It is entitled to act in its own self interest.We think that this misstates the duty of Australian citizens - corporate andindividual. Everybody is entitled to act in their own self interest, provided thattheir actions do not adversely or arbitrarily affect the rights of others. It is alegitimate role of the law to temper self- interested actions that work againstthe good of all or part of the community. Freedom of Information legislationwill provide one of the only means by which the community can assesswhether business is acting in a way that does not adversely or arbitrarily affectthe rights of others.

It is argued that self-regulation may be regarded as preferable. The reasonswhy we disagree with this proposition, are explained on pages 4 and 5.

It is argued that FOI legislation is often onerous and adversely affects thecommercial efficiency of private sector bodies. Providing access to documentsnecessarily involves administrative costs. We disagree that compliance withthe Act would be difficult for an organisation employing less than a setamount of employees. The size of the organisation will affect the amount ofdecisions the organisation will need to make. The smaller the organisation, theless paper work it will generate, and, therefore the less scope there will be forFOI applications to be made. Reasonable administrative costs can be passedonto the person making the application. Applicants should continue to have aright to inspect, and not incur photocopying expenses. Present legislation willnot allow private sector organisations to recoup all of their administrativecosts. Costs that cannot be recouped from the consumer should be taxdeductible.

14

It is argued that the extension of FOI to the private sector may expose privatesector bodies to the risk that information will be sought to reduce theircompetitive advantage. It is also argued that FOI rights will be misused bycompetitors to swamp bodies with FOI requests to hinder their operations orto divert their resources. These are legitimate concerns. They can, however,be adequately addressed through FOI exemptions. There must be a quick andcostless mechanism to which disputes about these exemptions can be referred.Costly court appeals should be avoidable. The Privacy Commissioner'spowers could be extended to conciliate and, if necessary, provide anindependent and enforceable decision when an applicant for informationdisputes a private sector body's reliance on these types of exemptions.

An additional argument was raised at your Brisbane workshop. It was argued thatthere is presently a range of legal remedies available to individuals if their individualor collective rights were abused, and that FOI merely adds to an alreadycomprehensive list. This is nonsense. Litigation is beyond the means of most of ourmembers. Community understanding of laws governing corporations, incorporatedassociations and health, are poor. Rights are not enforced because of ignorance. Bycontrast, FOI is easily comprehended. Applications are not difficult. Concepts areeasily understood. The process is a cost effective way in which citizens canparticipate in the democratic process, and (where appropriate) in protecting theirrights.

3. Other issues

3.1 Institutional access

The QNU is aware of the impediments faced by public interest institutions inaccessing the administrative law, particularly in obtaining standing to argue the publicinterest in court cases.19 This review presents an opportunity to allow organisationsto play a more effective role in public interest issues. Where access is sought toinformation about the environmental impact of certain industry practices, productsafety, and public health issues, the documentation may be voluminous. In thissubmission, we have argued that the cost of FOI should be passed onto the applicant.Most individuals will not be able to afford the photocopying and administrativeexpenses associated with requests involving extensive documentation. Public orrepresentative organisations are better placed to absorb these costs. Without thisallowance, many worthwhile applications will not be processed. In such cases, thepublic interest motivation for widening FOI legislation will be thwarted. This willfurther entrench the current public perception that the law is increasingly becomingan expensive commodity: a tool to be used by commercial interests and richindividuals.

"As evidenced, for instance, in The Australian Conservation Foundation Inc v Commonwealth (1980) 146 CLR 493

15

3.2 Standards of documentation

The maintenance and quality of the information held by the private sector is also anissue that deserves to be addressed during this review . It was an issue raised , but notdebated, during your 29 November workshop. Quite simply, the private sector canthwart the operation of FOI legislation unless -

enforceable guidelines are in place to prevent the destruction of thedocumentation or recording of information that has been brought into being;and

minimum standards are developed for recording the proceedings of meetingsand other decision making processes , and why these decisions are made.

Thank-you for the opportunity of providing input into your review of FOI legislation.I would be pleased if you would keep me informed of developments.

Yours sincerely

Health Information Management and Telemedicine

The ANF recognises the enormous potential of information technology and itsapplication to the health sector in improving health outcomes, work practices,efficiency, effectiveness, professional development, and recruitment and retention ofhealth professionals to remote communities. The benefits promise to beoverwhelming. However, for every opportunity there is usually a threat. It is for thisreason that the ANF pleads for caution and time, so that standards of utilisation andevaluation may be developed. Health professionals and others must acknowledge thatinformation technology is a tool which may facilitate accurate, relevant and timelyinterventions - it cannot take their place.

The Australian Nursing Federation maintains that the use of information technologymust be client focussed, with the stated expectation that its utilisation and itscorresponding resource commitment will result in improved client outcomes.

To date, information technology has been largely concerned with corporateresponsibilities and requirements - the classification and costing requirements ofDRGs being the main example.

When health information management and telemedicine are linked, one assumes thatwe are speaking about a clinical concept, which has advantages in terms of both healthservice delivery and health outcomes. However, unless stringent evaluation occurs,the advantages may be only for some health care providers and the software, hardwareand communications technology multinationals.

As Australia's peak nursing body, The Australian Nursing Federation has identifiedthree interrelated issues which are integral to this Inquiry and it respectfully urges theCommittee to consider these in the formation of policy which concerns healthinformation management and telemedicine.

These issues are:

• the place of the client. Here, ANF sees the client as both the individual and the

community• the evaluation process• the importance of standards

Only last week, an article in The Age newspaper applauded the use of healthinformation technology - videoconferencing - when a doctor at St. Vincent's used it tocommunicate with a paediatric specialist at the Royal Children's Hospital in order togain information needed to counter the effect of an ingestion of rat sack by a threeyear old. The outcome was optimal - the child's life was saved, and there was noresidual damage to the child's health. I do not dispute the fact that the interaction

Written by M.Gleeson, Australian Nursing Federation as preparation for the House ofRepresentatives Standing Committee on Family and Community Affairs hearing: Inquiry intoHealth Information Manangement and Technology, 16 April 1997


between the specialist and the generalist was central to saving the child ' s life - and Icongratulate them . However, I cannot and do not accept the fact that costly,sophisticated information technology was an essential component of the process andits outcome.

My point is simply this - a telephone call would have had the same outcome. It wasthe timeliness of the communication - not the technology - that saved the child' s life.An expensive face to face communication via videoconferencing was not needed.

I do not intend to labour the point, but, and this is where I believe ANF's threeidentified issues become apparent - we cannot justify the creation , implementation andutilisation of health information technology unless there are improvements in clinicaloutcomes . Roughly translated , that means that we must have observable, measurableimprovements in both individual and community health that would not have occurredunless the technology was in operation . We cannot espouse the virtues of healthinformation management and telemedicine unless there are industry acceptedstandardised evaluation processes in place.

In 1985, the Medical Services Division , Commonwealth Department of Health,undertook the Health Care Technology Assessment . The author of this report, D.M.Hailey concluded ..... "While advisory/policymaking groups are active in State andCommonwealth Health Authorities , decisions have tended to be made in reaction topressuresfrom professional bodies and the media and developments overseas andsometimes in accordance with Parkinson 's Law. " (Richardson , J, TechnologyAssessment in Medicine : An Australian Proposal , article, Prometheus , Vol. 4, No. 1,June 1986)

Research suggests that, as far as medical technology is concerned , ` more' is oftenequated with ` better '. ANF's position is that those professionals who make up thehealth care team have a responsibility to heed the lessons learned in the applicationand use of medical technology . Not only have inappropriate medical technologiesbeen introduced and efficacious procedures overused , but also that procedures havebeen introduced before the benefits have been known. Such lessons must caution usand guide the implementation and use of telemedicine . We need to ask the questions -at what cost , and for what outcome? Cost in this sense is not merely financial, but isused in the context of opportunity cost - what aspect of health care provision will beforgone with the introduction of health information technology?

For the purposes of this Inquiry, ANF believes that funding of such programs needs tobe linked to a standard set of evaluation criteria , which has the client as central. Suchstandards for evaluation need to include integrity of data, security of data, measurableimprovements in health outcomes and measurable improvements in work practices.

Written by M.Gleeson , Australian Nursing Federation as preparation for the House ofRepresentatives Standing Committee on Family and Community Affairs hearing : Inquiry into

Health Information Manangement and Technology , 16 April 1997


Without a coordinated approach , there is likely to be a plethora of expensive anddisparate pilot projects .

Part of a Registered Nurse's mandate is to protect the public . We cannot condonetelemedicine programs which do not guarantee high standards of policy , practice andprocedures addressing the issues of confidentiality and privacy.

Policy must be developed to protect the public from unwarranted and unlawful accessto medical information . The protection of personal information must be given prioritystatus. Computer networks store more and more personal information in a form whereaccess to it and alteration of it may pass undetected unless appropriate securitysystems are implemented.

Such issues are not new - health professionals have not been particularly good atmaintaining optimal levels of confidentiality with non technological means ofinformation management. Nurses , doctors and other health professionals are, by andlarge, computer illiterate or semiliterate . Guidelines, standards and competencies arerequired to ensure that users understand their responsibilities.

The introduction to AS 4400 -1995, the Standard for Personal Privacy Protection inHealth Care Information Systems, maintains that, "Overall, it is generally agreed thatexisting legislative protection of the privacy of personal information is patchy andinadequate , a matter which can be of particular concern to patients and careproviders alike" (AS 4400-1995, p.3)

Changes to health care such as Coordinated Care will bring with them changes in thecollection and storage of medical records , and the Electronic Patient Record is likelyto become a reality. Notions of ownership and access need to be addressed . The ANF

maintains that ownership of this record must lie with the client . The current Freedomof Information legislation does not apply to the private sector . Private providers thushave ownership of potentially sensitive information . Even minimum nonclinical data

is sensitive . The fact that someone is frail , elderly and lives alone may be utilised for

criminal reasons . Such concerns are not restricted to the health sector , but they doserve to illustrate the importance and responsibilities associated with protection ofinformation . Privacy issues must be seen as primarily a government responsibility -without appropriate regulation by legislation, there is little the individual healthworker is able to do to prevent the unauthorised use of their client's information.

The Australian Nursing Federation maintains that regardless of the setting - whether

remote, rural or metropolitan - the issue of standards for client protection and forevaluation purposes must be addressed . Once addressed , the potential of suchinnovation promises to be of benefit to clients and health care providers alike.

Written by M.Gleeson , Australian Nursing Federation as preparation for the House ofRepresentatives Standing Committee on Family and Community Affairs hearing: Inquiry intoHealth Information Manangement and Technology , 16 April 1997

Health Information Technology

Authors James Thom, Stephen Chu and Marcia Gleeson

May 1997

The health care industry is one of the most information intensive industry, and health informationtechnology [IT] is simply the use of technology to manage information in the provision of health care.It may be the use a calculator to determine a drug dose, the use of complex computer systems in brainscans, electronic patient records, or teleconferencing to aid cardiac surgery.

The health care industry exists to preserve and promote the health of the population . In Australia itaccounts for approximately 8% of GDP, and is regarded as one of the best in the world.'

IT, Telecommunications and Information Science constitute a large industry that impacts on virtuallyevery area of human endeavor. Yet in the last 30 years IT has had a minimal impact on healthcare.While it has made some contributions to the administrative arm of health care facilities, it has notimpacted significantly on the way in which clinicians care for their patients. There are, of course,some notable exceptions - epidemiology, radiology, and intensive care have been greatly effected byIT, but in general, the impact has been minimal and often disappointing.

The reasons for this lie with the complex nature of both the provision of health care and the health care

industry. A comparison with the financial sector serves to illustrate the point. The financial sector(which has enthusiastically embraced IT and, as a result, has been radically transformed) is based onhuge numbers of exacting but relatively simple numerical transactions. The match between the needsand wants of the financial sector and capapabilities of IT has been near perfect.

The health care sector, on the other hand, is characterised by many protracted and complex transactionswhich require complicated data designs systems in order to display clinical meaningful information.Research suggests that the average process worker has about eight different tasks, a laboratoryscientist, or office worker has about 25 to 30. A nurse working in a hospital setting performs around 90to 100 different tasks in any given shift'-'.

Essentially, health care is about diagnosing, treating and caring of individuals and communities. Thetreatment and care component is a information tracking process.

Health professionals constantly struggle with huge volumes of data, trying to find the informationwhich will allow the application of knowledge in a way which assists clients. It is only with theemergence of a powerful IT infrastructure and vast improvements in both the modelling and storage ofdata, and the presentation of that data as information that useful clinical systems may be built for arealistic cost.

' McAuley I. 1993: A Tax By Any Other Name - The real cost of private health insurance, p.16,Australian Consumers' Association, Marrickville, NSW2 Gardner E. (1992): Eliminating Inefficiencies Could Save Hospitals $6 billion ..... Study" Modern

Healthcare, Vol.22, No. 25. p36'Carroll, T. (1992) The Cost and Benefits of a Hospital Information System. In Lun, K.C., et al. (eds)

Proceedings, Medinfo '92. P.1216-1220.

i

These kinds of effectiveness gains can deliver huge benefits, allowing the cost of caring for a patient tobe markedly reduced. (Korpman, R.A., 1991)'. There is now overwhelming evidence that these gainsare realizable in trial settings (and often in full scale implementations).

While carefully designed and adequately resourced research projects have demonstrated remarkablegains, there is also a long history of catastrophic failures of health information systems

The following are health IT requirements:

• a national approach to health IT• patient records and communication systems that are accessible to clinical staff (ie, user friendly)• longitudinal records which are able cross the boundaries between acute, chronic, rehabilitation,

community care.• health IT solutior•., that communicate through standardized interfaces, with clear security and

privacy guidelines.• ways to ensure our systems are provided real solutions

The following points are considerations for health policy, plans and projects which deal with IT

1. A firm base of knowledge from which to make decisions.

It is relatively uncommon for IT professionals to be trained in another discipline (Ashley-Charles, C.,1994)8. Currently, the IT industry and the healthcare industry have a poor knowledge of each other.There are only about 50 people who are truly expert in the field of health IT in Australia at present,there are only a few hundred others who are solid in one field and becoming expert in the other.

There is no central group which acts as a central clearinghouse for knowledge and as a reference point

for expert advice.

There is an urgent need to build a national structure that allows and supports informed decisionmaking. Around this clearing house we need to bring together interested members of the following

groups• health IT specialists from various groups of clinicians [nurses, doctors, allied health workers]

• specialist health information managers especially medical record administrators and medicallibrarians

• representatives of support areas [supply, catering, administration]

2. A national strategic plan for health IT.

Once we have a group of people throughout the country who have access to an effective healthinformation and technology, a national strategic plan would be formulated. The purpose of thestrategic plan would be to create a framework to enable collaborative effort by interested groups on thedevelopment of tools for health IT implementation. The following is a list of the types of tools

required.• Measures of usefulness of proposed use of IT investments• Guidelines for implementation and evaluation of Health IT projects

• Standards dealing with issues such as Data Comms, Security, Privacy, Reliability telemedicine

• Standards for clinical use of Health IT systems

More details on these four example tools are available in Appendix ADetails of some current healthcare data communication standards are in Appendix B.

Korpman, R . A. (1991) Healthcare Information Systems: Patient centered integration is the key.Clin-Lab-Med. Vol. 11, No.1. p.203-220.

8 Ashley-Charles , C. (1994 ) How to overcome alphabet soup syndrome. Best's Review Life/Health.

Vol.95, No.3. p.78.

iii

There are several relevant overseas strategy efforts.

• The Good European Health Record [GEHR] a EU projecthttp://www.chime.ucl.ac.uk/Healthl/GEHR

• Canadian Institute for Health Information (CIHI)http://www.cihi.ca/

• Health Information Resource Service of the USA DoDhttp://hirs.brooks.af.mil/newhome/index.html

• The Medical Records Institutehttp://www.medrecinst.com/

• TeleMed project at USA DOS Los Alamos National Laboratory.http://www.acl.Ianl.gov?TeleMed/

3. Australia needs a permanent health IT secretariat.

Such a secretariat [hopefully built out of the preceding considerations] will act as the ongoingclearinghouse for health IT information and will provide a focus for the various research efforts.

The secretariat could be responsible for the following:

• The collection and disemination of health IT information to interested groups and individuals.• The provision of funding for health and IT professionals to work within the Standards Australia

structure in the development of standards of relevant standards.• Ensuring that peak and relevant bodies have input into policy formation, (eg, Health Informatics

Society of Australia, Australian Nursing Federation, Australian Medical Association)• Maintaining alliances with overseas health IT efforts and, in association with Standards Australia,

ensure funding for suitable Australian representation at these fora.• Acting as an advisory body to health industry accreditation organisations on the impact of health

IT on healthcare professionals and the organisations in which they work.• Working with interested groups to aid in the development and roll out of Health IT infrastructure

to enable widespread adoption of new technologies such as telemedicine in a manner thatpromotes optimal care outcomes in a cost effective manner.

Attached are Appendices that describe the efforts of the various groups, and the types of technologybeing developed around the world. These documents provide sound evidence of the fact that manynations are finding value in a strategic approach to health IT development.

iv

Our Ref: ACT2/7 LEGAL, CONSTITUTIONAL ANDYour Ref: ADMINISTRATIVE REVIEW COMMITTEEEnquiries : Mr G MeyersTelephone: (079) 31 1342 7 A U G 1 997Facsimile : (079) 22 1700

1 August 1997 IResearch DirectorLegal, Constitutional and Administrative Review Committee

Parliament HouseBRISBANE QLD 4000

Dear Sir/Madam

PRIVACY IN QUEENSLAND - ISSUES PAPER NO 2

I am writing in response to your letter of May 16, 1997, whereby you requested a submission or commentsregarding the general issues of privacy in Queensland.

I wish to advise that after a review of the supporting documentation, Council submits the following points for

your consideration:

♦ Given that privacy is a major issue in society and with the increase of contracting out of servicesin conjunction with the impact of the National Competition Policy, Council believes that theprivate sector should be subjected to the same requests and guidelines as local government.

♦ Costs and charges associated with privacy information should be on a "user pays" principle andshould be borne by the applicant.

♦ Consideration should be given to requests for documentation which is readily available underadministrative access (e.g. rate searches, building plans etc). Documentation which is easilyobtained via normal administrative procedure could become an added burden on Council's limitedresources unless clear and definite privacy standards are implemented.

♦ Council supports the establishment of a Privacy Commissioner or Committee to deal withlegislation and policy procedure as opposed to creating a new division with the Freedom ofInformation Commission.

♦ The Privacy Commissioner/Committee should have the power to enforce Information PrivacyPrinciples (IPP's) through sanctions such as fines or disciplinary action. Complete jurisdiction onpowers of access should also be granted.

If I can be of any further assistance, please do not hesitate to contact me.

B W DukeManager Administrative Servicesfor RD Noble Chief Executive Officer

GBM:JBk: \adm\ letters\recman\j b 08001. docc/c to Local Government Association of Queensland

Rock ,®,

C i ty itBolsover Street PO Box 243 Telephone (079) 31 1311

Rockhampton Rockhampton Email [email protected]

Queensland Qld 4700 Facsimile (079) 22 1700

S.

Privacy in QueenslandResponse to Issues Paper

issued by theQid Legal , Constitutional and Administrative Review Committee

May 1997

byI J Graham

1 August 1997

Contents:

A Introduction ...................................................... PagelB Issues with Respect to Privacy Protection ............................ Page 1C Attachment ....................................................... Page 6

1 Submission to Commonwealth Attorney-General's Discussion Paper`Privacy Protection in the Private Sector"

D Additional Reference Material ...................................... Page 6

I J Graham - 1 August 1997 Page 1

A Introduction

The Committee 's decision to conduct an inquiry regarding privacy issues and the releaseof the Issues Paper is both welcome and timely. The Issues Paper provides an excellent,and apparently well-researched, overview of the major issues and options and theCommittee is to be complimented on the preparation and release of such a paper.

The Federal Government' s decision not to extend privacy protection to the private sector,despite its election promise, is disturbing . The Queensland Government must act promptlyto introduce long overdue privacy protection applicable to the public sector , as well as tothe private sector. State regulation applying to the private sector should be developed witha view to ease of modification or withdrawal should a Federal Government eventuallyrealise that national regulation would be preferable to a plethora of differing State andTerritory regulation.

Issues with Respect to PrivacyProtection

1 Are there valid concerns relating to privacy protection which need to be addressed bylegislative and/or administrative action? If so, what particular concerns are mostpressing?

There are valid concerns and, given the almost total lack of privacy protection inQueensland , it is difficult to specify the most pressing . Privacy of personal data has becomeof major concern in recent years as technology has contributed significantly to the ease ofdata matching and data surveillance . However, privacy of the person - activities,communications, etc - continues to be of equal concern . Privacy protection should addressboth areas.

2 Is the current law in Queensland adequate with respect to privacy protection?

Definitely not.

3 If not, how should the right to privacy be protected in Queensland ? For example, shouldQueensland introduce one or a combination of the following means of regulation:information privacy principles (IPPs); a statutory tort of privacy; a privacycommittee/privacy commissioner: or some other means to protect privacy?

Legislated IPP, a privacy commissioner and provision for the development of codes ofpractice.

4 If IPPs are introduced what should they provide?

Protection at least equivalent to that required by the European Union Directive.

5 Should IPPs be in the form of guidelines or legislation?

Legislation . As noted in the Issues Paper, voluntary guidelines are unenforceable.

Graham - 1 August 1997 Page 2

6 Should individuals have to pay (a reasonable amount) to exercise their right to privacy?

No. People who wish to infringe others' privacy should bear the cost - assuming suchinfringement is legal. Furthermore, whilst technology facilitates infringing privacy, it alsofacilitates protecting it in many circumstances at no cost. A problem with permittingcharging for privacy protection, even in circumstances where it may appear reasonable, isthat it becomes a profit making opportunity for both the public and private sector. Forexample, it is inconceivable that it costs Telstra more than a, once-off, few cents to includea flag on a subscriber's electronic file signifying a silent telephone number which is not tobe output for printing in telephone directories or disclosed by directory services, yet dollarsare charged for this each quarter.

7 Would the costs associated with IPPs outweigh the public benefit flowing from theirimplementation?

It is not apparent that the public benefit can be quantified in dollar terms. There are widerissues relative to privacy protection than a philosophical desire for privacy. As one example,a person may re-locate to a new area/address with a view to personal security and safety (eg.after being stalked and physically attacked). If a government department/agency or privatesector organisation then discloses that person's address to members of the public, thatperson may find themselves again subject to harassment or physical abuse. The "cost" ofsuch abuse cannot be determined. Criminal law does not always provide adequateprotection in that regard, and nor will privacy protection regulation. However the latter cansignificantly decrease risks to such people.

Whilst monetary cost is an important consideration , this should not be used as an excuse tofail to provide privacy protection . Notably, although the Prime Minister claimed thatprivacy protection would be too costly for business , the Price Waterhouse May 1997 surveyshowed that 70% of Australian corporations surveyed supported the introduction of nationalprivacy legislation (Australian Associated Press, May 29, 1997).

8 If an office of privacy commissioner/committee is established:how should its independence be ensured;should the office be accountable to the Parliament, for example, via a parliamentarycommittee (with perhaps responsibilities in relation to matters such as appointments,suspensions, budgets and strategic reviews);

Yes. It especially should not be accountable to a single Minister.

and, should the office be combined with that of the Information Commissioner or any otheroffice?

No, the office should be solely concerned with privacy.

9 What functions should a privacy committee/commissioner have?

Those suggested in Section 6.2 of the Issues Paper.


10 What powers should a privacy committee/commissioner have? For example, shouldthese include the power to:enforce IPPs through sanctions such as fine or disciplinary action; and

Regulations must be enforceable and sanctions for non-compliance must be applicable.There must also be a simple means by which people can have complaints dealt with. Itwould be preferable for a privacy commissioner to have the power to enforce IPPs than torequire people to commence court action , which is generally expensive and involveslengthy delays.

exercise coercive powers such as powers of access?

This issue should be considered very carefully. It has the potential to invade the privacy ofcitizens in itself. Whilst there may well be a need for a privacy commissioner to have powersof access , such powers should certainly not be able to be exercised without a clearlydemonstrable need. As far as the writer_ is aware -, police in Queensland do not have the rightto conduct searches without a warrant. It seems unlikely that there is any necessity for aprivacy commissioner to be granted a right of access without a warrant either.

11 Would the costs associated with an office of privacy commissioner/committee outweighthe public benefit flowing from the establishment of such an office?

See 7 above.

12 Should privacy regulation apply to the private sector as well as the public sector?13 Should privacy regulation apply to government owned corporations?14 Should privacy regulation apply to local government activities?

Yes, in regard to all of the above.

15 Would the costs associated with privacy regulation ofthe private sector;

= government owned corporations;local government activities;


See 7 above.

16 If the private sector is not to be covered, how should privacy regulation apply to bodiesperforming services which the government has outsourced?

The private sector should be covered. However if it is not to be, bodies performingoutsourced services should be regulated by legislation equivalent to that applying to thepublic sector. Members of the public should not be left dependent on government agenciesto prosecute privacy breaches under terms of contract between the agency and the serviceprovider.


17 Should there be co-operative arrangements between the states, territories and thecommonwealth with respect to matters such as formal complaints regimes?

Given that many Commonwealth Government departments/agencies and private sectorcorporations/organisations operate in all States/Territories, national privacy legislation wouldbe preferable, with State Government entities subject to equivalent State legislation.However, as the Commonwealth Government appears to have lost sight of the importanceof privacy legislation since the last election, it is likely that a plethora of State legislationwill eventuate. A co-operative complaints process will obviously not be workable unlessStates first agree to enact equivalent legislation. However, there is likely to be benefit ina co-operative complaints process at least amongst States in agreement - this may reducedifficulties for members of the public who, for example, deal with a national corporationwith a head office in one State and agents selling their products or services in other States -in which case jurisdiction of State laws may cause problems.

18 How should any privacy protection legislation interrelate with freedom of informationlegislation? For example, should the access to, and amendment of, personal informationbe regulated by a Privacy Act alone?

Yes.

19 What additional measures , if any, should be taken with respect to:

- the 1995 European Directive; and

Privacy protection in Australia should meet the requirements of that Directive.

- the OECD Cryptography Policy Guidelines?

The Australian, and all other, governments should accept that fact that there is nothing theycan do to stop citizens using cryptography. They should, for purposes of certainty, enshrinein law a right of all citizens to protect the privacy of their communications and other dataand a right of all entities to protect data about customers, clients, etc by use ofcryptography.

The fundamental issue is that free encryption software is, and most likely always will be,readily available to Australians - particularly to the rapidly increasing numbers of citizenswith access to the Internet. Governments can ban the use of cryptography, or demand thatthey be provided with keys. However, the only people who will comply with such laws arelaw-abiding citizens. In fact, it is likely that a significant number of otherwise law-abidingcitizens would use encryption software without providing keys to government because therecan never be adequate assurance that governments/public servants will not, eitherintentionally or unintentionally, abuse such a privilege. Of more relevance, however, is thatcriminals will not take the slightest bit of notice - the benefits to them of usingcryptography, even if illegal to do so, will outweigh the risks given that they will be usingsame in the course of criminal activity in any case.

In short, there is no benefit in banning or regulating the use of cryptography, however thereare significant benefits arising from its use to protect personal data and communications.


22 What form of regulation should be introduced with respect to privacy issues arising inthe areas of.personal privacy, including surveillance (visual and listening) both in public and privateplaces;

telemarketing and direct marketing;the workplace;genetics

All of the above areas are of considerable concern with regard to invasion of privacy. Thewriter does not, at this time, have a specific view on the best form of regulation. However,regulation should be enforceable and include sanctions applicable to breach of same.

medical records, including access;

Legislation announced by the A.C. T . Government's Chief Minister, Kate Carvell, on 19May 1997 may provide a useful model relative to this issue.

23 Generally, what should be done to ensure that the law keeps abreast with developmentsin technology affecting individuals ' privacy?

A privacy commissioner must have an adequately staffed and funded research function.

c Attachment

1 Submission to Commonwealth Attorney-General's Discussion Paper "Privacy Protectionin the Private Sector".

This submission sets out a number of concerns in relation to the extension of theCommonwealth Privacy Act to the private sector without prior modification to take accountof technological developments since the introduction of that Act. It primarily addressesprivacy concerns relevant to users of on-line services such as the Internet.

D Additional Reference Material

A large quantity of relevant material is available on the Internet Web site of Dr RogerClarke at http://www.anu.edu.au/people/Roger.Clarke/DV/This site includes papers by Dr Clarke covering a vast number of privacy issues as well aslinks to other relevant sites.

One paper of particular relevance to the current inquiry is "Privacy and Dataveillance, andOrganisational Strategy", by Roger Clarke, at:http://www.anu.edu.au/people/Roger.Clarke/DV/PStrat.html


Privacy Protection in the Private SectorResponse to Discussion Paper

issued by the C'th Attorney -General's DepartmentSeptember 1996

byI J Graham

23 November 1996

Contents:

1. Introduction ............................................................. Pagel

2. Aspects of Privacy to be Protected ......................................... Page 1

2.1 Data Protection ....................................................... Page 1......................................................2.2 Data Definitions Page 2

2.3 Other Intrusions of Privacy .............................................. Page 3

3. Information Privacy Principles ............................................ Page 3..........................................................3.1 Definitions Page 3

3.2 Privacy Principles generally ............................................. Page 3

4. Codes of Practice ........................................................ Page 4

5. Transborder Data Flows .................................................. Page 4

6. Other issues to be resolved in establishing a private sector privacy regime ..... Page 46.1 Search Warrants ...................................................... Page 4

6.2 Confiscation of entire computer systems .................................... Page 5

7. Conclusion .............................................................. Page 5

Introduction

The Discussion Paper on the proposed extension of the Privacy Act to the private sector, and the opportunity tocomment on same, is welcomed. Although the proposed amendments suggest a considerable improvement overthe existing situation, it is disconcerting that the Paper primarily cover issues which should have been addressedat least eight years ago prior to the commencement of the Privacy Act. It is hoped that the current government willimplement increased privacy protection for Australian citizens promptly, particularly in view of the no less thanfive recommendations in that regard over the last two years.

2. Aspects of Privacy to be Protected

2.1 Data Protection

The following statement in the introduction to the Paper is of particular note:"If personal privacy is inadequately protected in the new electronic environment, the confidence ofnetwork users will be undermined inevitably preventing optimal use of these new communications

technologies and networks. "Whilst it is acknowledged that the proposed amendments are intended to be technology neutral, I am concernedthat the proposals appear to ignore many privacy issues of concern to users of on-line services such as the Internetand Bulletin Board services. If these issues continue to be ignored, the confidence of network users will

undoubtedly remain undermined.

Those issues include not only the recording of specific personal information which the Discussion Paper addressesto some extent, but also the wide range of opportunities for electronic surveillance and monitoring of the activities,interests and communications of users of on-line services. These aspects of the electronic environment are

23 November 1996 Page 1

obviously well known to, for example, the Privacy Commissioner and the NSW Privacy Committee as may be seenin extracts of their submissions to the Australian Broadcasting Authority's Investigation into the Content of On-line Services, eg:

New South Wales Privacy Committee: <http://www.dca.gov.au/aba/olssl62.htm>`Practices which would constitute intrusive electronic monitoring ofpeople's on-line communications,such as reading employee e-mail, logging chat sessions and newsgroups or seizing computer files wouldappear to escape the controls of this [Telecommunications] legislation altogether. Further progress onthe regulation of on-line services should involve a review of the relevant legislation on monitoringpeoples' electronic messages and traffic.

Interactivity also complicates the way in which we view transactions ... Once a user has connected to theiron-line service provider , should the fact that they have moved into a particular conference hosted by theservice be recorded at all? With these considerations in mind, we need to recognise the need to setrestrictions on the way that transactional data, which is automatically collected in the process of runningan on-line service , is stored and used.

[ ]This should be done in such a way that legitimate interests in the privacy of on-line communications areprotected, for example, by requiring warrants before there is surreptitious surveillance of E-mail orprivate con ferencing. "

Privacy Commissioner , Mr Kevin O'Connor: <http://w-V^vi.dca.gov.au/a.ba/olssl53.htm>"From a privacy perspective there are concerns with (1) the ability to generate finely-grainedinformation about individuals' interests, purchasing habits, hobbies, preferences, and so on, and (2) thepotential for such information to be used to map individuals' activities and to manipulate this informationto serve either commercial or other purposes.

The potential uses of the information generated through people's use of on-line services may go wellbeyond the reasonable expectations of the user. A person who subscribes to an on-line magazine wouldhe unlikely to anticipate, for example, that the amount of time they spend reading an advertisement ona particular page of the magazine would be capable of being recorded and linked against their useridentity details, for later use in direct marketing campaigns. Monitoring people's usage of on-lineservices in such manner amounts to a form of surveillance over activities which people traditionallyunderstand as being anonymous, private activities.

...Other types of sensitive information can be created when people participate in closed user groups orchat groups for example. Even if the actual content of the communication is private, information aboutthe nature of the service being provided, and the fact that an individual has an interest in such a service(for example a chat group with a political focus) could be used in ways potentially damaging to theindividual.

Ideally; there should be a delineation, in terms orusing personal information generated through people'suse of on-line services, between transaction information and content information. Once a service has beenprovided to an individual, it would better protect the individual's privacy if content information was notcapable of being linked with personally identifying information. "

It is disturbing that the Discussion Paper does not appear to address those and similar data surveillance issuesadequately, if at all.

2.2 Data Definitions

Within the Privacy Principles, the definition of "personal information" refers specifically to information recorded"about" a person; a document, a database, or a pictorial representation. It is doubtful whether such a definitionwill cover, for example, the storing of copies of users' E-mail correspondence, logging of chat sessions, recordingand/or storing of, details of, or material users access or view, etc. Those types of records may not include any


information "about" a person, but can infer information about them which can be used without the person'sknowledge or permission.

It is noted that the definition of "personal information" includes reference to information "whether recorded in amaterial form or not". This may be intended to cover information which can be inferred from the types of recordingand monitoring mentioned above, or perhaps those recordings themselves . However, if that is the case , it is farfrom clear.

Whilst the proposals may, perhaps, intend that inferred information must not be used to compile "personalinformation" records about people, it does not seem to prevent, for example, E-mail being monitored and/or copiesstored. In fact, the definition of a "record" specifically excludes "letters or other articles in the course oftransmission by post". That could exclude surveillance of E-mail or any other material being transmitted/postedvia an electronic network.

As the popularity of the Internet grows, there is an increasing and unprecedented ability for not only organisations,but individuals , to record and use information about other people. Many small intern et service providers andindividuals who provide Web sites and mailing lists etc will not be able to afford the costs of obtaining legal advicein order to understand poorly worded legislation. It is ess n;:ial that nriva,y legislation be drafted in such a wayas to ensure that ordinary- people can easily understand their responsibilities and rights. Legislation must make aserious attempt not to leave the door open to infringement of users' privacy through ignorance, particularly thatresulting from lack of clarity about what is, or is not, covered.

2.3 Other Intrusions of Privacy

This section of the paper tends to suggest that electronic surveillance of users' activities and communications maybe left to "guidelines" along with optical surveillance etc. This would almost certainly undermine the confidenceof network users in using new communications networks and technologies, contrary to one of the stated purposesof extension of the Privacy Act to the private sector.

information Privacy Principles

3.1 Definitions

No definition of "record keeper" or "collector" in relation to the Privacy Principles is provided in the DiscussionPaper. However, reference to the Privacy Act 1988 indicates that it is unclear whether some organisations andindividuals providing services via the Internet would come within those definitions with regard to all informationrecorded.

Within. the conventional meaning, those words suggest an organisation or person who intentionally collects orrecords information. However, in some circumstances inter et ser vice providers collect info mation automatically.Son le software programs enable recording without any action necessary by service provider to impienient same,for example, automatic saving of copies of files accessed by a user together with the identification code of the user.There is not only a question as to whether such collection of such information is included within the definition of"personal information" but also whether organisations automatically collecting such information are consideredto be record keepers or collectors and thus to be bound by the privacy principles in regard. to collection, disclosureand use of that information.

3.2 Privacy Principles generally

These principles appear woefully inadequate for application to the private sector. For example, there appears tobe no restriction whatsoever on an organisation adding a person's name and address to a "junk" mail list nor anyrequirement for them to remove it on request of that person. If an organisation is in the business of maintainingmailing lists, then it appears they could lawfully add a person's name to it under Principle 1 without the person'spermission or knowledge.


In the case of electronic mailing lists there is no need for organisations to solicit this information, they can simplyextract E-mail addresses from newsgroup messages and add them to the mailing list. Is this an "unfair" means ofcollection? It appears to depend on commercial organisations' perception of "fair". The limits on use of personalinformation appear not to cover this use because although those may restrict use of information for purposes otherthan for which it was collected, the person's permission for collection is not required in the first place.

The limits on use of personal information (Principle 10) have considerable potential to infringe on the privacy ofindividuals when considered in the context of the private sector. For example, Internet Service Providers mayinadvertently or intentionally obtain information about particular users' activities. They are unlikely to bequalified to know what presents a "serious and imminent threat" or is necessary for "enforcement of criminal law".In Queensland last year an Internet Access Provider infringed a customer's privacy and provided information topolice which was obtained automatically in the course of providing their service. This information was disclosedwith a view to enforcing criminal law. Fourteen months later the user was found not guilty. Considerable cost andtrauma to the user and his family would have been avoided if the Internet Access Provider had respected the user'sprivacy. Information regarding this case is available at <http://www.pobox.com/-rene/liberty/gcaseone.htnil>.

All principles need to be closely reviewed in relation to their applicability and relevance to the private sector andrevised to conform with the OECD Privacy Guidelines of 1980.

4. Codes of Practice

If data surveillance of users of on-line services is not intended to be clearly covered as "personal information" thenthere will be a dire and urgent need for a Code of Practice covering providers of on-line services with regard toissues such as those outlined above. Given some internet service providers current absolute lack of interest in, orprotection of, the privacy of their customers and users, this matter should not be left to industry self-regulation,nor to await the industry developing and submitting a privacy code of practice to the Privacy Commissioner.

Transborder Data Flows

An important aspect overlooked in this section of the Discussion Paper is the nature of on-line services and thepotential for information to be intercepted in any country including those without adequate privacy protection laws.When a record-keeper sends information to a third party in another country, for example via the Internet, theinformation does not leave Australia and go directly to the possession of the third party. It will pass throughnumerous computers in various countries and could be intercepted, copied, perhaps even altered, at various points.

To ensure the protection of personal information regarding its citizens, the Australian government must mandate,as a matter of urgency, the use by both government and private sectors of the strongest available encryption whentransmitting personal information outside, and for that matter within, Australia. There is no other method ofensuring the protection of private information regarding Australian citizens transmitted via on-line services.

6. Other issues to be resolved in establishing a private sector privacy regime

In view of advice in the Discussion Paper that feedback is sought on the "wide range of issues that need to beresolved in establishing the regime" related to the private sector, the following comments are provided.

The introduction to the Paper states:"New communication technologies and networks significantly increase the generation of personalinformation and the ability to collate it. Security of information and unauthorised use or disclosure ofinformation for purposes other than those for which it was supplied are particular concerns in this

context. "

Unfortunately, these technologies not only increase the potential for information to be used for purposes other thanthose for which it was supplied, they also increase the potential for disclosure of information by, and to, partiesto whom it was not specifically supplied. There is as much a need for increased privacy protection in this regardas for the intentional collection of "personal information". For example:


6.1 Search Warrants

Users of "new communications technologies" should be entitled to privacy of their communications and activitiesin relation to use of those technologies to the same extent as when they are not using those technologies. It is tosay the least disturbing that in Western Australia, for example, police or any other authorised person may, without

a warrant, enter an Internet Service Provider's (ISP's) premises and inspect all data and records contained thereinunder Section 112.2 of the WA Censorship Act, enacted 1 Nov 1996. This grants police the right to inspect E-mail communications or any other material related to any person - the ordinary people who are the ISP's customersincluding those who are not the subject of either investigation or suspicion - without a warrant. This is undoubtedlya gross infringement of the privacy of users of "new communications technologies" which results from theavailability of such information from organisations in the private sector.

Letters sent through Australia Post and telephone calls are afforded privacy protection. It is a disgrace that usersof electronic communication systems are not afforded the same privacy.

6.2 Confiscation of entire computer systems

It is well publicised that Australians are increasingly purchasing home computers for a wide variety of activitiesand storage of a wide range of information. In many cases, several members of a family rely on use of the samecomputer.It often contains the family's financial and insurance records, children's school assignments, adults' business orwork related information, several people's private correspondence and so on. One or more members of the familymay also use the computer for access to the Internet or Bulletin Boards.

Unfortunately, if one member of a family is accused of accessing illegal material on for example, the Internet, theentire family is subjected to invasion of privacy and loss of access to personal information and essential equipment.Police generally confiscate the entire computer and all disks in the household and withhold same until finalisationof the investigation and/or trial, often over 12 months later.

Prior to the advent of computers police were rarely able to justifiably seize entire filing cabinets , personal financialrecords, private correspondence , diaries , calculators, every book and magazine in the home, school assignments,work related materials, business information and so on of every member of the family . This is what in effecthappens when computers are seized.

Recent cases where home computers have been seized and withheld for long periods without resulting in aconviction indicate that there is a need for a better balance between peoples' privacy and attempts to apprehendcriminals. There is a need for inclusion in privacy legislation of greater controls on the circumstances under whichentire computers systems containing extensive private information may be confiscated.

7. Conclusion

It is essential that the proposed amendments be assessed against the guidelines contained in the followingdocuments and revised to ensure adequate privacy protection for users of electronic communications systems andnetworks:

OECD Privacy Guidelines <http://www.anu.edu.au/people/Roger.Clarke/DV/OECDPs.html>Bill of Electronic Rights and Ethics <http://www.zip.com.au/-pete/ere.html>Australian Privacy Charter <http://www.anu.edu.au/people/Roger.Clarke/DV/PrivacyCharter>

To proceed with amendments to the Privacy Act without so doing would be quite farcical for a government whostated in publicly disseminated election policy that:

"Labor's consistent neglect ofthe issue ofpersonal privacy is shown in its attempted introduction of the

Australia Card, its consistent advocacy of large-scale "dataveillance " of citizens, and its creeping

expansion of the use of the tax file number in stark contrast to Mr Keating's own solemn assurances to


the Parliament. To quote a recent senior Labor Minister, 'privacy is a bourgeois right, related to theconcept of private property".Such an ethos makes a mockery ofLabor's "commitment" to genuine information privacy safeguards. Incontrast, the Coalition regards personal privacy as a cherished right in a free society. "

The proposed amendments to the Privacy Act are a significant step forward in regard to information privacysafeguards for Australian citizens. However, they are inadequate, particularly for a government who regardspersonal privacy as a cherished right.

I J Graham


05,1@9/1997 14:29 07-2227257

5 August, 1997

50.

The Research DirectorLegal, Constitutional and AdministrativeReview CommitteeParliament House,-BRISBANE Qt D 4000

By Facsimile: (07) 3406 7691

Dear Sir

CHART INST COY SEES PAGE 81

LEGAL, CONS ANAL ANDADMINISTRATIVE REVIEW COMMITYEE

5 AUG 1997

Submission Be: Privacy in Queensland

The Institute wishes to draw the following matters to your attention:

Tice administrative, time and financial cost of establishing and ate. steringprivacy regimes is enormous. Also vast sums are spent annually to protect whatare generally abuses by very few, affecting very few There is the potential fornew proposals to impose a significant burden on corporate Australia.

Our concern is that unless appropriate "common sense" restraints are imposed, itwill potentially cost even small organisations thousands of dollars in t izM andmoney to establish and administer the schemes, particularly if there is an annualreporting process, as was originally suggested by the Commonwealth Attorney-General's Department.

To the extent that further costs are to be borne by Queens d business, this costshould not (and probably will not be able to be) be bonne by the organisations ortheir shareholders. Either it will be passed back to consumers generally or thereneeds to be an ability to recoup at least some costs from those who utilise thesystem eg by way of application fees, copying fees etc..

The Institute would appreciate being consulted on an ongoing basis in relation toany future drafts.

yftrs faithfully

Branch ManagerAl Utting

Rd, i ni/I792

CharteredSecretaries

Chart.,ed ttutuute of

camp," secretarl.,

In Aurtrstta Ltd

ACN ooe 619 9So

Qu..naland branch

"Vol 4

t90 Edward Street

Brisbane Old 400Q

GPO Box 1705

Brisbane Cod 4001

(07) 3229 6579 Tel

(07) 32,11 7367 Fax

New South Walls

Quean:lsnd

South Australia

Tasmania

VlttOrta

Western Austratta

05/08 '97 14:36 TX/RX NO.1748 P.001 n

01-Aiug-97 20:49 (AMERICAN EXPRESS American Express Int _ Di Collins -*Research Director 02112

AMERICAN EXPRESS SUBMISSIONTO THE QUEENSLAND LEGISLATIVE ASSEMBLY

LEGAL, CONSTITUTIONAL AND ADMINISTRATIVE-REVIEW COMMITTEE

Issues Paper No.2. Privacy

American Express is pleased to comment on Issues Paper No.2 regardingprivacy. We very much appreciate the variety of views which the optionsraise and believe that they are a highly relevant subject for publicdiscussion.

The following commentary is divided into:

• General Commentary• Privacy Policies at American Express• Uses of Customer Information at American Express• Consumer Privacy Concerns• Specific Comments on Issues Paper

General Commentary

Recognising consumer concerns, and the responsibility of companies inthis area, American Express has taken a number of steps, describedbelow, to ensure that our business practices do not compromise theprivacy of our customers and potential customers, whose goodwill andtrust are essential to the success of our business.

American Express fully supports the intent of protecting individualprivacy and of the need for guidelines. The benefits of sophisticatedinformation gathering and processing to consumers and companies aresignificant.

Targeted marketing techniques offer convenience to customers; costeffectiveness to product providers; and generally make available to themarketplace a wider range of competitive products and services. Anyproposed legislation, regulation or guidelines, should therefore seek tofind an appropriate balance between these benefits and the legitimateneed to safeguard individuals' privacy. It is in this context that AmericanExpress makes its comments.

American Express Submission to Legal, Constitutional andAdministrative Review Comm ittee, Queensland Legislative Assembly.

Issues Paper 2. Privacy

NAL ANDv'-"I COM r E

1997Lr 1.

01/08 '97 20:53 TX/RX NO.1746 P.002 n

01-Aug-97 20:49 (AMERICAN EXPRESS American Express Int_ Di Collins-Research Director

It is the fundamental belief of American Express that for legislation tobe truly effective it needs to be national and uniform . State-basedlegislation, while addressing local needs, adds unnecessary compliancecosts for trans-border commerce. The protracted development of theNational Uniform Credit Code is a very real case in point and highlightsthe difficulties involved in seeking to establish uniformity across differentjurisdictions. These difficulties are compounded where existinglegislation has been in force for some time.

Consequently, in contributing to the debate on privacy, American

Express does so in the belief that each jurisdiction should be seeking to

have over°ar•chinga federal legislation. Further to this it is American

Express 's belief `that any interim regulation: codes of conduct should be

developed in consultation and collaboration with other jurisdictions.

As an observation it is important to draw a distinction between datacollected by government and that collected by the private sector.Government usually collects data on a `mandatory' rather than 'voluntary'basis, without the true consent of individuals eg. Tax data, welfareservices, health, etc. On the other hand, data gathered by the privatesector is obtained as part of a voluntary contractual relationship in whichthe terms and conditions are agreed. Eg. Subscription to a magazine orjoining a club.

American Express believes that it is possible to identify solutions thatsafeguard personal privacy while preserving the benefits to consumersand companies involved in or benefiting from direct marketing. Incommenting on specific provisions of the discussion paper we have madeseveral suggestions for achieving the necessary balance.

Privacy Policies at American Express

As a leading provider of travel and financial services, American Expressuses information about customers and potential customers for a variety ofpurposes. Namely, to:-

• market new and existing services to customers and potentialcustomers,

• ensure that Cards and lending products, are made available to thosecustomers who have demonstrated responsible credit experience,

• inform Cardmembers of special offers and discounts available to them,

American Express Submission to Legal, Constitutional andAdministrative Review Committee, Queensland Legislative Assembly.


03!12

01/08 '97 20:53 TX/RX NO.1746 P.003

01-Atig-97 20:49 (AMERICAN EXPRESS American Express Int. Di Collins-*Research Director 04112

• market new services and products to Cardmembers.

The quality of our relationship with our customers is the mostfundamental factor in American Express' success in Australia and aroundthe world. As such we have to be sensitive to consumer concerns aboutthe use of personal information and have taken a series of steps tosafeguard the privacy, confidentiality and security of information heldabout our customers.

In 1978 American Express adopted a Privacy Code of Conduct whichprovided a clear statement for customers and employees of ourresponsibilities in the area of privacy. As changes in the field ofinformation processing and marketing have increased consumer concernsAmerican Express has continuously reviewed and updated its privacypolicies. In January 1991 the company issued the American ExpressConsumer Privacy Principles, which have now been distributed toemployees worldwide for implementation in all facets of our businesses.

In those principles (Attachment A) American Express conunits, amongother things to:

• collect only relevant information about consumers;• disclose generally to the customer how the information is to be

used;• give customers the option to have their names removed from

lists used for marketing mailings;• take all feasible measures to ensure the information that we do

hold is accurate and complete;• stringently limit access to consumer information and apply strict

security measures to safeguard confidentiality;• release information to third parties only with the customer's

consent (or when required by law or regulatory authority); andexplain the reasons to customers whenever we deny or terminatea service.

American Express has reviewed company practices in Australia and NewZealand and has found them to be fully consistent with these company-wide principles.

Further to these principles American Express has continued a practice itcommenced some twenty years ago of `informed consent'---a principlewhich can be found underlying much legislation in overseas jurisdictions.There are two elements to this concept:

American Express Submission to Legal, Constitutional and

Administrative Review Committee, Queensland Legislative Assembly.issues Paper 2. Privacy

3

01/08 '97 20:53 TX/RX NO.1746 P.004

# 01-Aug-97 20:49 CAMERICAN EXPRESS American Express Int_ Di Collins->Research Director 05112

• telling the customer why the information is needed and how itwill be used,

• providing the opportunity to say 'no' and to 'opt-out'.

The precise response rate varies from country to country; however, thehighest response rate is rarely above 4%. Many of our Cardmemberscomplain when the reverse applies and they don't receive the same offeras others . The reality of an opt-out option is that it is something whichour Cardmembers appreciate , and feel they have control about what theyare mailed.

Uses of Customer Information at American Express

At the outset it is worthy of note that the European Directive on Privacyprovides that personal data may be processed if `processing is necessaryfor the purposes of the legitimate interests pursued by the controller orby the third party or parties to whom the data are disclosed, exceptwhere such interests are overridden by the interests or fundamentalrights and freedoms of the data subject'.

While American Express in Australia and New Zealand, does notrent/sell its database to any third party, it regularly rents/purchases listsfrom other sources for prospecting purposes. These lists are purchased orrented according to a strict criteria and are subsequently coded to respondto any queries from consumers regarding the origin of their details.

Sophisticated data gathering and processing techniques offer a number ofadvantages to both customers and companies marketing goods andservices. These techniques enable companies to offer their products tothose customers who are more likely to want those products than thebroader population. Not only is this more cost effective than other formsof advertising, it also offers customers the advantage of receiving offersthat are likely to be of greater interest and thereby limiting unnecessarymail.

The key to making American Express direct marketing programstransparent, effective and fair to the individual, however, is the ability forindividuals to `opt-out' --- that is, to decide they do not want promotionalmail. American Express has long had an `opt-out' program available toCardmembers around the world.


Administrative Review Committee, Queensland Legislative Assembly.


4

01/08 197 20:53 TX/RX NO.1746 P.005M

if 01-Aug-97 20:49 !AMERICAN EXPRESS American Express Int_ Di Collins-s-Research Director 06112

American Express cannot over-emphasise the importance of opt-outprograms in a balanced privacy approach. It places the privacy choice onthose who should decide... the consumers. If he/she chooses to receivemail because he/she likes the product or services then there should be noimpediment to doing so. Conversely if it is felt that privacy is beinginfringed upon or there is a desire not to receive mail then the decisionshould be easily made. It is a situation where everyone, consumers andbusiness, attain their objectives.

While American Express experience shows that the large majority ofcustomers want to receive offers (and hence tend not take advantage ofthe opportunity to have their names removed from marketing lists), it is inthe Company's overall interest to take additional steps to ensure thatcommunications with customers are limited to offers and information thatare of genuine interest.

For instance, the availability of relevant customer intormation allowsAmerican Express to make a restaurant offer available only to thosecustomers in the vicinity of a certain restaurant. It assists in avoidingoffering products to customers who already have them. The availabilityof prospect lists from outside sources, including names and addresses ofindividuals who have responded to other product offers, likewise allowsAmerican Express to limit solicitations to those individuals who are mostlikely to want an American Express product or service.

Filling a customer's mailbox with irrelevant mail seriously undermines avaluable relationship and results in negative feelings towards anorganisation. Additionally it has the potential to become a substantialwaste both financially and environmentally for the company.

A second important use of customer information is to ensure thatfinancial services are offered only to those customers who can reasonablybe expected to use them responsibly. American Express seeksinformation directly from Cardmembers as part of the Card applicationprocess. With the individual's consent provided on the application, listedreferences are verified and inquiries made about that individual from acredit reference bureau. These checks are essential to ensure thatindividuals are not provided the opportunity to incur excessive debt.Indeed the current credit legislation expects credit providers to ascertainthe credit worthiness of an individual before extending credit.

Consumer Privacy Concerns

American Express Submission to Legal, Constitutional andAdministrative Review Committee, Queensland Legislative Assembly.Issues Paper 2. Privacy

5

01/08 '97 20:53 TX/RX NO.1746 P.006

:` 01-Aug-97 20:49 !AMERICAN EXPRESS American Express Int. Di Collins- Research Director 07112

Canadian Research . In 1994 the Canadian government and a groupof businesses, including American Express and key telephonecompanies, sponsored a national privacy survey to gauge the depth ofCanadian's privacy concerns. The results, although specific toCanada, are fairly indicative of consumer concerns in other markets.

The survey indicated that concern about privacy ranks just behindconcern over unemployment and education, and is equal to concern aboutthe environment. The only major issue that ranks below privacy isconcern about the unity of the country ---- a particularly Canadian issue.While 52% of Canadians are extremely concerned about privacy, 92%said they were at least moderately concerned. That leaves only 8% whodon't care at all. However, this doesn't mean that the rest of thepopulation believes its privacy is actually being violated. Other questionsin the survey determined that only 18% had ever experienced what theyconsidered to be a `serious' invasion of their personal privacy.

There is a clear message for government and business in these figures.While people may not feel immediately threatened by privacy violations,this is clearly a sensitive issue and is therefore one that must be handledwith care. This is especially true in industries such as financial services,where sensitive personal information is required in order to evaluatecreditworthiness and manage financial risk. It is clear that people arehighly sensitive about their personal privacy.

Privacy means different things to consumers . In Canada 75% of peoplesurveyed found it objectionable to be watched or listened to without theirpermission . The next concern was who can gather information (72%)and what kind of information is collected (68%).

Part of the Canadian survey identified those organisations to whichpeople had actually refused to provide information at one time or another.Canadians trust their doctor and their government. They did not seem toquite so readily trust their telephone company, survey companies, ordirect marketeers.

There are factors other than trust that influence consumer's decisions toprovide or withhold information. It may be that they believe they havelittle choice but to provide information when asked by the government, bytheir bank, or by their employer.

Privacy is a complex issue for businesses and government. It is also acomplex issue for consumers. When asked theoretical questions about

American Express Submission to Legal, Constitutional andAdministrative Review Committee, Queensland Legislative Ass crnbly.


6

01/08 '97 20:53 TX/RX NO.1746 P.007 M

01 -A- 20 : 49 (AMERICAN EXPRESS 'r 't: Express I L_ allins-+Rc n rch Director 08112

privacy consutrers' concerns took on distinct patterns and demonstratedrelatively high levels of concern. However when presented with specific,concrete examples drawn from real life, Consumers reacted quite

differently. in the Canadian survey a choice of 'trade-offs- were specifiedfor the use of information in return tier a possible benefit to themselves.Two such examples were:

1. Credit Checks42% agreed with the statement -I really don 't like the idea of

companies keeping computer record %, about individual ' creditworthines s

However 58% agreed that ' I don `t mind companies keepingcomputer records of'individuals' credit worthiness if this reduces thecost of had credit decisions "

2. Employer Checks56% agreed with the statement "_1 don't think that employers

should he allowed to pry into the p rivate lives o 'prospective employees "

However 44% agreed that "I think it's ok for employers to dobackground checks into the personal lives of prospective employees inorder to assess their reliability and character. "

2. USA Research

Research was also conducted in 1994 , by American Express, in theUnited States among customers and the general public. The purpose was

to determine their concerns about the use, by business, ofpersonaliiflorniation for marketing purposes. Those who expressed a degree of

concern were asked what, if anything, could business do to allay thoseconcerns and increase their level of comfort . Four factors clearly emergedthat influenced this: Trust and Knowledge ; End result/outcome; andControl (See Attachment B for detailed results). These factors can buildon each other to create a strong relationship between a. company and itscustomers. v j

Specific Comments on Issues Paper

1. A Statutory Tort of Privacy


Administrative Review Committee, Queensland Legislative AssemblyIssues Paper 2. Privacy

7

01/08 '97 20 :53 TX/RX NO.1746 P.008

# 01-Aug-97 20:49 !AMERICAN EXPRESS American Express Int_ Di Collins -o-Research Director 04132

This is not viewed as desirable given the differing judicial interpretationsand possible interminable and unpredictable litigation which would arise.Such a tort could be very easily exploited by customers who are unwillingto pay their bills or who have some particular issue to settle. Each newjudicial decision would carry the risk. that companies would have toadjust their operational processes, and services, to comply with the newfindings.

2. Establishment of a Privacy Committee or Privacy Comm issioner

It is felt that either a privacy commissioner or a privacy corn mittee couldbe an effective approach to adopt. In either situation it is important thatthere should be provision for extensive consultation and collaborationwith a wide range of business and community organisations to ascertainappropriate policies and needs.

The establishment of a privacy commissioner should be encouraged ifQueensland is seriously considering the introduction of InformationPrivacy Principles which are equivalent to European standards.

In such a circumstance, Queensland could establish leadership for the restof Australia to follow. `fhe danger is that other jurisdictions could wellintroduce different principles. Hence it would be essential that suchprivacy principles be established at a combined forum of state and federallegislators. Perhaps the Consumer Affairs Ministers meetings or thoseconvened by the different Attorneys-General may well be appropriate,

3. Information Privacy Principles

Australia, in general, needs to address those issues arising from theEuropean trans-border data provisions, by establishing a local dataprotection regime which is equivalent to EU standards. This can beachieved by national legislation or the promotion of uniform state laws.It is important that states are in joint consultation and collaboration in thismatter. The Uniform Credit Code as well as anti-money laundering lawsare uniform throughout Australia, and there is no compelling reason whyprivacy/data protection should be treated differently.

4. Self-Regulation by Industry Codes

American Express Submission to Legal, Constitutional andA hninistrative Review Committee. Queensland Legislative Assembly.


01/08 '97 20:53 TX/RX NO.1746 P.009 M

# 01-Aug-97 20:49 (AMERICAN EXPRESS American Express Int- Di Collins-*Researrh Director 10/12

While codes have much to commend them as a means of having industryassociations address issues specific to their industry there are inherentproblems with such an approach. Namely: how non-members in theindustry will comply; the level of compliance which can be expected frommember companies; what penalties t«r non-compliance will be put intrain; and proof that the industry does in fact deal effectively andappropriately with disputes and recalcitrants.

Where such issues can be effectively addressed industry associations canplay an important role in having privacy provisions developed which arehighly appropriate and designed for each industry.

5. Smart Cards and Electronic Banking

The technological implications and potential for smart cards andelectronic banking are not as yet fully understood. However it is clearthat any overarching privacy guidelines or principles should beapplicable to all consumer transactions. Voluntary codes may well beused to flesh out the details of various industries and products.

However, the fundamental need is to have some overarching frameworkunder which smart cards come. While some form of regulation for smartcards and stored value cards has been proposed in the Wallis Report, andelsewhere, some of the conflicting consumer concerns need to beaddressed.

Most notably such concerns relate to the need for resolution of disputeswhen cards are lost, stolen or are fraudulently used. If there is to berestitution such cases then clearly a tracking mechanism needs to be inplace. However, if one desires total privacy in transactions, such as existsfor cash, then anonymity implies a lack of information or trackingcapabilities by the issuer----which clearly raises consumer concerns overfraud, theft etc.

6. Telemarketing

a reasonable expectation that such an activity would come under anygeneral privacy principles, as well as those industry codes which arebeing developed by industry bodies. Additionally it would be appropriatefor the privacy commissioner to oversee such matters.

American Express Submission to Legal, Constitutional andAdministrative Review Committee , Queensland Legislative Assemhly.


9

01/08 '97 20:53 TX/RX NO.1746 P.010 N

# 01-Atig-97 20:49 (AMERICAN EXPRESS American Express Int_ Di Co11ins->Research Director 11112

Conclusion

American Express is keen to see privacy guidelines introduced whichenable companies to conduct business on a national level withoutdiffering legislative/regulatory regimes. Accordingly, American Expresswould welcome being involved with any ongoing consultativemechanisms between government, consumer organisations and commerce.

For flwther information or to discuss this submission further pleasecontact Di Collins, Director Public and Consumer Affi7irs onphone (0-7)-9271-1823 or fax (07) 9271-2554,

August 1", 1997

Di CollinsDirector, Public and Consumer AffairsAmerican Express International.

Attachments

American Express Submission to Le,-al, Constitutional andAdministrative Review Committee, Queensland Legislative Assembly.


10

01/08 '97 20:53 TX/RX NO.1746 P.011 U

1-Aug-97 20.49 (AMERICAN EXPRESS American Express Int_ Di Collins-rResearcb Director 12112

A. American Express Customer Privacy Principles

B. Further Details of American Express Privacy Research

American Express Submission to Legal, Constitutional andAdministrative Review Committee, Queensland Legislative Assembly.


1l

01/08 '97 20:53 TX/RX NO.1746 P.012 0

INSURANCECOUNCIL OF

AUSTRALIALIMITED

Incorporated in VictoriaA.C.N. 005 617 318

Level 6 Comalco Place12 Creek Street Brisbane 4000

Phone: (07) 3229 4733 Fax: (07) 3229 0735

Our Ref: GCJ:KPH L GA N

AI MIN TiVE REVIEW CORM 8

4 AUG 1997

1 August 1997

The Research DirectorLegal, Constitutional andAdministrative Review CommitteeParliament HouseBRISBANE QLD 4000

Dear Sir/Madam,

Re: Privacy in Queensland

Thank you for providing us with the opportunity to comment on this issue.

Our submission is enclosed and we will be pleased to elaborate on any matter, or providefurther information, should you request it.

Yours faithfully,

Manager for QueenslandG.C. J

Enc. (Submission)

Submison/Privacy


RESPONSE TO LEGAL , CONSTITUTIONAL ANDADMINISTRATIVE REVIEW COMMITTEE

ISSUES PAPER NO. 2

FROM

THE INSURANCE COUNCIL OF AUSTRALIA LIMITED

July 1997


SUMMARY

As significant users of personal information, members of the Insurance Council ofAustralia welcome the opportunity to comment on the Committee's Issues Paper,"Privacy in Queensland".

The general insurance industry has followed closely the calls for reform ofAustralia's privacy laws. We are aware of the increasing importance of privacyissues in the perception of the consumer. We are conscious especially ofconsumers' concerns for the protection of their personal information.

Our industry comes from a culture of privacy. It is a significant part of our businessto deal with sensitive personal and commercial information. There is no publicperception or suggestion that the insurance industry abuses this trust.

Insurers are examining the issues from the consumer viewpoint. This includes notjust customers' concerns about the privacy of their personal information but:

♦ The additional cost of complying with a privacy regime affecting the ultimateprice of insurance products.

♦ Protecting the community against fraud and other irregularities.

♦ The need for cost-efficient, speedy and accurate flow of data; in particular theinformation needed to assess response to a proposed insurance risk and tosettle customers' claims.

We have some concerns of an industry-specific nature and we comment on these atsome length . They relate to the sensitivity of information contained in insurers',brokers' and agents' claim files ; particularly where there are reasonable grounds toform the view that a claim may be fraudulent - to the accessibility of publicly heldinformation and the exchange of information among insurers - to the freedom ofcompanies operating within larger corporate groups.

Above all, the insurance industry is concerned that Australia's privacy regime shouldfollow a consistent national approach, free of the State and Territory variants whichhave confused much of our legislation in the past.

We thank the Committee for the opportunity to express our views on this veryimportant issue.

H:\jc\submiss\privacy 1


INTRODUCTION

This submission has been prepared by the Insurance Council of Australia Limited(ICA), which represents 120 private and public general insurers and their associatedcompanies whose combined annual premium is over 90% of the total private andpublic sector general insurance premium income in Australia. ICA was formed in1975 and operates as a non-profit organisation wholly owned by its members.

Insurance Industry Awareness

The general insurance industry has followed closely the calls for reform inAustralia's privacy laws. We have maintained an informed interest in State andFederal Government responses to public concerns, and to the views andrecommendations of:

♦ The Australian Privacy Charter Council;

♦ The Australian Law Reform Commission and the Administrative ReviewCouncil; and

♦ The Federal House of Representatives Standing Committee on Legal andConstitutional Affairs.

ICA is also aware of further recommendations linking the privacy issue with directmarketing. We are conscious that they have relevance to the methods ofdistribution of insurance products and other industry practices.

Prior to the Prime Minister's announcement in March 1997 that the Commonwealthwould not be implementing privacy legislation for the private sector, andsubsequently, ICA has taken an active interest in privacy issues and will continue todo so. We welcome the opportunity to respond to the Committee's Issues Paper onprivacy in Queensland.

We hold the view there are valid concerns within the business and domesticcommunity relating to privacy protection which need to be addressed. Ourrecommendations on how this could be done are contained in this submission.

INTERNATIONAL DEVELOPMENTS

New Zealand

The Australian general insurance industry has followed the progress of theimplementation of privacy legislation in other countries. In particular, we haveexamined the impact of the privacy regime on the general insurance industry in NewZealand.


However we are aware that, in the three years during which the New Zealandlegislation has applied to the private sector, the insurance industry has identified, inpractice, issues of concern which could now form the subject of some amendment tothe privacy laws in that country. These relate to the sensitivity of information ininsurance companies' claims files, particularly in circumstances where the insurermay have reasonable grounds to form the view that a claim may be fraudulent.

This is a significant concern and has implications for the Australian insuranceindustry, and we examine this issue more fully later in our submission.

Canada

The Issues Paper makes reference to the Canadian model and that country's plansto extend it to include the private sector. We are aware of the Canadian model. Webelieve it holds attraction for Australia's Federal Privacy Commissioner as a basisfor a national voluntary model for this country.

The European Community

We have examined the European Union Directive on data protection. Our industryhas followed the commentary, in Australia and elsewhere, on the possible tradingconsequences associated with the trans-border flow of data with members of theE.U. community.

We hold the view that much of the media comment in Australia has tended to beover-stated.

The Directive is scheduled to come into force in 1998. We do not believe Australiangovernments should be influenced unduly by this timetable, however, ICA isconcerned that general insurers could be disadvantaged if this issue is notaddressed in a satisfactory manner.

THE INSURANCE INDUSTRY OUTLOOK

A Culture of Privacy

The general insurance industry in Australia comes from a culture of privacy.Reflecting the heritage and traditions of our industry's development in Europe andNorth America, our culture derives from a background of dealing with sensitivepersonal and commercial information since the 17th century.

There is no public perception or suggestion that the insurance industry abuses thistrust.

We are aware of recent concerns expressed about the magnitude of informationdatabases maintained by the insurance industry. These have reflected the potentialof our information technology, rather than the ethos and integrity of our businessstandards and customer relationships.


Consumer Concerns

Our industry has examined, with great interest, the results of surveys conducted bythe Federal Privacy Commissioner and others. We are aware of the increasingimportance of privacy issues in the perception of the consumer. We are consciousespecially of consumers concerns for the protection of their personal information.

Many general insurance companies are already examining information privacyprinciples and are considering whether any additional consumer protection isrequired as we move increasingly into the information age.

Insurers are examining the issue from the consumer viewpoint. This includes notjust customers ' concerns about the privacy of their personal information but:

♦ the additional cost of complying with a privacy regime affecting the ultimateprice of insurance products;

♦ protecting the community against fraud and other irregularities; and

♦ the need for cost-efficient, speedy and accurate flow of data; in particular theinformation needed to assess response to a proposed risk and to settlecustomers' claims.

General insurance companies are major users of information technology. Theindustry is among the most advanced in its systems for maintaining the security ofpersonal and commercial information. The use of electronic information andcommunication technology provides the opportunity for highly developed securityarrangements for access to personal files and protection of computer records.

Specific Insurance Industry Concerns

The general insurance industry broadly supports the eleven Information PrivacyPrinciples (IPP's) proposed in the Federal Attorney-General's Discussion Paper"Privacy in the Private Sector" issued in September 1996.

However, two issues of concern have been identified, both relating to our industry'srole in protecting the wider community against fraud and other irregularities. Webelieve they should be subject to industry-specific consideration.

Possible Fraudulent Insurance Claims (IPP6)

The great majority of Australians are fair and honest in their dealings with insurancecompanies. Most citizens exhibit the utmost good faith that is required of bothparties to a contract of insurance. But regrettably there are still too many thatattempt to make fraudulent claims by a variety of methods.

Arson, with the expectation of claiming the proceeds of insurance, remains a provencause of a disturbingly high number of fire losses. Arson fraud persists as a majorcrime, contributing to significant national economic loss. For some years ICA has

H:yc\submiss\privacy 4

promoted and funded an Arson Reward Scheme, in co-operation with various Stateand Territory Police departments.

Of equal social and economic concern is the significant number of fraudulent orexaggerated workers ' compensation claims and personal injury claims arising frommotor vehicle accidents.

These problems have been recognised by most State Governments and lawenforcement agencies , which have co-operated with ICA in launching Fraud RewardSchemes across Australia.

Like the Arson Reward Schemes (in which Queensland participates), these providerewards for citizens who provide information leading to the conviction of personsresponsible for making fraudulent insurance claims.

Stage-managed "burglaries and thefts" and their accompanying claims are thesubject of too frequent insurance investigations.

In all of these circumstances the information held in insurance companies' filescould often be sensitive and critical in exposing fraudulent and criminal activities.The sensitivity is heightened when information is provided to insurers by public-minded third parties, which are entitled to expect their identity will be protected.

In these circumstances insurers need a defence against, or exemptions from,requests for access to their files.

This exemption should last at least during the period while the information remainssensitive and critical to the wider public interest. It should protect the identity ofinformants for as long as it is necessary and appropriate to do so.

Access To Information held by the Police and Other Government Agencies

In considering proposals from intending customers, insurers have the right to beinformed of all material facts which would influence their judgement on whether toaccept or reject a risk and under what terms and conditions to proceed with aninsurance contract.

Section 21 of the (Commonwealth) Insurance Contracts Act 1984 requires aproponent for insurance to disclose to the insurer, before the relevant contract ofinsurance is entered into, every matter that is known to the insured, being a matterthat -

(a) the insured knows to be a matter relevant to the decision of the insurerwhether to accept the risk and, if so, on what terms; or

(b) a reasonable person in the circumstances could be expected to know to be amatter so relevant.

H:\jc\submiss \privacy 5

This duty, known in the Act as the "duty of disclosure", also applies when a contractof insurance is renewed or varied.

Personal information, which may be relevant to the decision of the insurer, couldinclude details of traffic offences or criminal convictions. It may also include detailsof any previous insurance claims made against other insurance companies; orcancellation of cover by a previous insurer. The insurer has the right to check thatany information given by the insured is accurate and truthful.

It has been the legitimate practice of insurers to request Police confirmation of thevalidity of statements made by the insured regarding previous offences orconvictions.

And it has been a long established practice, within our industry, to provide andshare access to the previous claims history of an insured. The legitimate operationof the Insurance Reference Service is a visible and widely known example of thisco-operation within the industry.

We believe that insurers have a valid function and purpose in gaining access to thistype of personal information.

The Identity of Motor Vehicle Owners/Users

A disturbing feature which impacts on insurers and the insuring public is theincreasing number of motorists who are leaving the scene of an accident withoutstopping, or otherwise revealing their identity.

Where the registration number of a vehicle was obtained in these circumstances, itwas possible to trace the identity of the vehicle owner. This could be done by asimple request to the State or Territory road traffic authority.

Recently some authorities, not including Queensland, have announced that they willno longer make this information available.

Our broad view is that the information held by road traffic authorities, particularly inrelation to the registered owners of vehicles, should be in the public domain and thataccess to legitimate users of the data should be maintained.

Legitimate Access to Publicly held Information

Against the background of these specific insurance needs and concerns, we believethat it is necessary for any proposed privacy regime to provide clear powers to theinsurance industry to obtain information from the public sector, when authorised andappropriate to do so.

Our industry practice of sharing access to an insured's past claims history should berecognised and protected specifically by the legislation.

H:yc\submiss\privacy 6

We believe the point cannot be over-emphasised it is only when furnished withadequate and relevant information that an insurer can make a fair and appropriateassessment of a proposed risk. Importantly, this affects profoundly whether aninsurer will accept a particular risk, the level of premium to be charged, and theconditions of any agreed contract of insurance.

If an insurer is unable to obtain or verify information, consumers could bedisadvantaged by having insurers decline their risks or having to pay a higher levelof premium than their personal circumstances would otherwise merit.

A fundamental tenet of insurance is that participants in an insurance pool contributein proportion to the risk they bring to the venture. This principle has guidedunderwriters since the first policies of insurance covering marine adventures wereissued.

In today's society, the principle is no less relevant or necessary to prudentunderwriting; or to public acceptance of an insurance product.

We believe the principle could be destroyed or significantly impaired if insurers weredenied reasonable and legitimate access to all available information in assessing aproposed risk.

Companies Operating within Larger Groups

In the nature of the financial sector , a wide range of products and services ispromoted to consumers by a number of companies within larger corporate groups.This is true of banking as well as general and life insurance companies . Indeed thetrend is for financial sector organisations to grow increasingly larger in seekingnational and international competitive advantage and viability.

We believe the collection and exchange of information between related companiesor entities within the same group should be allowed, provided consumers are givenprior notification that it may occur and they have the opportunity to negate it.

SPECIFIC ISSUES

With specific reference to questions raised in the Issues Paper, we comment asfollows.

A Consistent National Approach

In March 1997, the Prime Minister announced that the Commonwealth would not beproceeding with statutory protection for information privacy in the private sectorbecause of concern about the compliance burden on business. At the same time,he indicated that the Privacy Commissioner would be available to help businessdevelop voluntary codes of conduct.

The Privacy Commissioner has responded positively to this need and is presentlyexploring the possibility of developing a general set of principles, accompanied by

H:\c\submiss\privacy 7

appropriate compliance mechanisms, that could provide consistency and certaintyfor information handler and individuals alike. It might also provide the basis formore specific standards where necessary, in particular sectors.

ICA welcomes this initiative by the Federal Privacy Commissioner. Above all, ourconcern is to have a consistent national privacy regime.

It seems likely that the Privacy Commissioner will shortly produce a discussionpaper which examines the need for a self regulatory scheme of information privacyprotection, how a scheme might work and the principles on which it might be based.

The development of any national privacy scheme, likely to be proposed by thePrivacy Commissioner , should be compatible with State and Territory initiatives.Any such regimes are likely to take as their starting point commonly acceptedprinciples such as those in the OECD Guidelines , which will then need to becustomised to fit the circumstances of public and private sectors.

Depending on the timing of any State and Territory initiative, it may be that the workon a national privacy scheme would be completed in time for its content to beincorporated in any State or sectoral regimes, thereby avoiding the problem ofinconsistency.

State Privacy Committee /Commissioner

ICA would be concerned if the appointment of a State Privacy Committee (orCommissioner) opened the possibility of conflict in approach or direction between itand the Federal Privacy Commissioner. Such conflict might be in relation toregulatory requirements and result in increased compliance costs and complexity forbusiness and industry.

Scope of Privacy Regime

ICA would expect States and Territories to adopt a privacy regime complementary tothat in place federally, to cover the public sector, Government owned enterprisesand Local Government bodies. We believe this should also apply to bodiesperforming services which have been out-sourced by any Government or LocalGovernment department or associated enterprise.

Reference has been made previously to the European Union Directive. Publicsector legislation and private sector codes should ensure that wherever practical,recognition is given to the E.U. requirements and their accommodation.

Further Consultation

General insurers look forward to continuing the consultative process and wouldwelcome the opportunity to develop any of the views expressed in this briefsubmission, should the Committee make such a request.

H:\c\submiss\privacy 8

ommunity

ousing & Information

entre Inc.

Fax(079)576295

The Research DirectorLegal , Constitutional & Administrative Review CommitteeParliament HouseBrisbane 4000Fax: (07) 34067691

Suite 4Planella HouseBrisbane StreetP.O. Box 1324MACKAY QLD 4740

Housing Resource ServicePh. (079) 576334

Community Rent SchemePh. (079) 57 6292

LEGAL, COi STITUTJCNAL I'ADMINISTRATIVE REVIEW COMMIT"

4 AUG 1997

Re: Legal, Constitutional and Administrative Review Committee's Issues PaperNumber 2 - Privacy in Queensland

Our service has a number of concerns in relation to the lack of privacy protections inQueensland. Unfortunately, resource limitations have prevented us from forwarding afull submission in response to the above mentioned Issues Paper.

We are aware, however, that the Tenants' Union of Qid will be forwarding asubmission which outlines concerns about the operations of tenants databasecompanies. Our service is also in regular contact with tenants who have privacyissues in relation to the operations of these database companies. We are concernedthat the database companies operate in a fashion which may allow misleading andinaccurate information about tenants to be circulated to member real estate agents..We see, first hand, the damaging impact a database listing can have upon a tenants'ability to access appropriate housing.

We believe that the operations of tenant database companies should be regulatedthrough the introduction of privacy legislation in Queensland.

Yours faithfully

f cum ^^--ci r Co.^ cap W k v

CARING FOR THE HOUSING NEEDS OF OUR COMMUNITY

1 August, 1997

Our Ref: R97012WS3

Tencnts' Uniono f q u e e n s l a n d i n c

109 Commercial RdTeneriffe 4005Phon e (07) 3257 141 1Fax • (07 ) 3257 1 135

e-mail • [email protected]

The Research DirectorLegal, Constitutional & Administrative Review CommitteeParliament HouseBRISBANE QLD 4000

Dear Sir/Madam

Re: Issues Paper : Privacy in Queensland

:N TIUT,01 J

_ VIEW sit

ORIG INAL SENT BY

!MI L!!V

refer to the above and wish to thank the Committee for the opportunity to provide aIwritten submission to the review. We believe this review is a timely response towidespread and growing concerns regarding a range of privacy issues affecting ourcommunity.

Please find enclosed the Tenants' Union of Queensland's views concerning the issuesof privacy protection in Queensland. The enclosed submission deals specifically withprivacy issues affecting tenants in Queensland's private rental market. In particular,we focus on the privacy issues surrounding the operation of tenant database agencies.

Should you have any queries concerning this submission, please contact eithermyself on (07) 3257 1411 or Ms Narelle Sutherland (Co-ordinator, NorthQueensland Office) on (070) 31 3194.

Yours sincerely

For tenancy advicephone (07) 3257 1108(1800 ) 1 77761

TENANTS ' UNION OF QUEENSLAND INC.

PR IVACY IN QUEENSLAND

A Submission to the Legal , Constitutionaland Administrative Review Committee in

response to

ISSUES PAPER NO . 2 - PRIVACY INQUEENSLAND

August 1997

Privacy in Queensland : A Submission to the Legal, Constitutional andAdministrative Review committee

Introduction

The Tenants' Union of Queensland congratulates the Legal, Constitutional andAdministrative Review Committee on the production of an excellent Issues Paper. ThePaper has provided us with a useful summary of the main issues in relation to privacyprotection, and a good structure for framing our response.

In this submission we have confined our response to those issues which have directrelevance to tenants.

The Tenants' union of Queensland Inc.

The Tenants' Union of Queensland Inc. is a state-wide community based organisationthat provides services for, and seeks to represent the interests of, residential tenants inQueensland. The Tenants' Union was formed in 1986, and is a non-profit, communitylegal service, incorporated under the Queensland Associations Incorporation Act 1981.

The Tenants' Union of Queensland has offices in Brisbane and in Cairns and provides anumber of services, and engages in a range of activities aimed at assisting tenants.These include a full-time, state-wide tenancy advice, information and advocacy service,and a specialist legal service for tenants. The Tenants' Union receives around 8,000enquires from tenants each year. A significant and growing proportion of callers arenow seeking information about tenant databases, which are private companies thatcollect information about "problem" tenants for use by member real estate agents. Ourcallers are concerned about discrimination in access to housing and about the lack ofprivacy protection in relation to information held about them.

Over twenty-one per cent of Queensland's population live in private rentalaccommodation. A large number of these tenancies are managed by real estate agents.Residential tenancies and related legislation, which impacts upon tenants' ability toaccess appropriate housing should therefore be seen as an important part of governmentand social policy.

Are there valid concerns relating to privacy protectionwhich need to be addressed by legislative and/oradministrative action? if so, what particular concerns aremost pressing?

The Tenants' Union has concerns about the lack of privacy protections in relation to theoperations of both public and private sector agencies. Our concerns in relation to each

sector are discussed separately below.

Privacy Protection Concerns - Private Sector

Over the last three years, the Tenants' Union of Queensland has become increasinglyconcerned about the proliferation of private agencies operating tenancy database

Tenants' Union of Queensland Inc. Page 2

Privacy in Queensland : A Submission to the Legal , Constitutional andAdministrative Review Committee

registers. These agencies collect data regarding the alleged rental history of particulartenants.

The Tenants' Union of Queensland believes that the existence of these databases raisesserious social and ethical issues in relation to the privacy rights of rental housingconsumers. It is this organisation's submission that there is a need to develop strategiesthat ensure tenants are protected from discrimination and unfair treatment whenapplying for accommodation.

operations of ten, -i r dat4-' T, r.

The two biggest tenancy database organisations currently operating in Queensland arethe Tenancy Information Centre of Australia (TICA) and the Real Estate Access Bureau(REAB).

The stated purposes of these agencies are to:

n act as a central collection point for information about tenants;n provide this information to members assessing applications from prospective

tenants; andn establish a network of subscribing members that creates a deterrence to "problem"

tenants applying for rental housing.The agencies claim their services are required to counter a growing group of "problem"tenants who default on leases, leave large debts behind, or who damage rental property.These mostly unsubstantiated claims have been seized upon by the tabloid media. Inresponse to such coverage, tenancy database agencies assert that data registers are now anecessary service.

The declared long term aim of at least one of these agencies is to make it impossible for"problem" tenants to access rental housing. In the medium term, they claim the effect oftheir operations will be to force such tenants into housing managed by agents who arenot members of the database. They state that this will soon become a problem for theseagents, and the whole process will act as a method of recruiting new subscribers.

While some sections of the community may consider that, on the face of it, databaseagencies serve a legitimate purpose, when the methodologies the agencies employ tocompile the databases are more closely scrutinised, the potential for unfair anddamaging listings becomes quite plain.

The following overview attempts to explain how these organisations operate in practice.

Real estate agents, and occasionally landlords, are invited to join or subscribe to atenancy database. Members can use the service in two ways. Firstly, they can provideinformation to the agency about their own current or past tenants. This information isthen added to the database.

Secondly, when a prospective tenant applies for rental housing, a member agent canaccess information from the database to check whether the tenant is listed. This

Tenants ' Union of Queensland Inc. Page 3


information will then be used to assess the application, and on the basis of the datareport, the agent will approve or reject the tenancy. Our experience suggests that if atenant's name appears on the database they are almost certainly rejected.

Clearly tenants are not always advised why their application has been rejected, or of theparticulars of the data stored about them. The anecdotal experiences of tenantscontacting the Tenants' Union suggests that tenants are not given information abouttheir records.

To the best of our knowledge, the databases do not provide any particular informationabout the allegations of damage or arrears owed by the tenant to a previous lessor, andtenants are simply put on the list. Contact details for the listing agent are provided, andthe database companies rely on the prospective agent to check with the listing agentabout the extent and seriousness of the alleged damages. We do not believe that agentsalways seek details, and some may reject a tenant's application simply because theirname appears on the database.

The Tenants' Union of Queensland has a number of concerns regarding the existenceand operations of these tenancy databases. These concerns include:

There is no legislative protection for tenants affected by tenancy databases, as theactivities of such databases appear to be outside existing privacy legislation.

n Information collected and stored by member agents is not regulated or verified toany extent by the database agencies. It is highly likely that databases containinaccurate information, but there is no onus on the agencies to corroborate claimsby lessors and agents. TICA and REAB do not seek to corroborate any of theinformation they receive or distribute, and do not accept any responsibility for itsaccuracy. The information stored on the database is therefore highly subjective,and based upon the opinion of a single real estate agent. There are, no doubt, manyagents who treat the option of listing a tenant with all due caution. However, therewill inevitably be some real estate agents who list tenants simply on the basis ofsome personality difference, and on the basis of a dispute that arose due to the agentnot abiding with the requirements of the Residential Tenancies Act 1994. There isno requirement that alleged damages are substantiated by the appropriate legaljurisdiction, such as the Small Claims Tribunal.

n Tenants have no right to access the information stored about them, and have no rightof reply if they happen to discover false records are being kept.

n There is no obligation on the agencies to advise tenants that information is keptabout them, or that this information has been used to assess an application fortenancy. Agents and lessors using the information are not obliged to inform tenantsabout the contents of records, even if a tenancy is being refused on the basis of datasupplied.

Tenants ' Union of Queensland inc. Page 4

Privacy in Queensland : A Submission to the Legal, Constitutional andAdministrative Review Committee

n There is no requirement for a listing on the database to be removed after a certainperiod of time. Tenants who are listed are likely to remain so, even wheresuccessful tenancies have been maintained subsequent to the listing.

The data collected does not take into account the reasons why tenants may defaulton a tenancy lease. Loss of employment, cuts in social welfare benefits, illness, anddomestic violence can all force tenants to relocate or fall into rent arrears. Tenantsare likely to suffer penalties as a result of breaching or terminating their tenancyagreement. These tenants should not be discriminated against in future tenancies aswell.

n Housing is a fundamental human right. Public and community housing options arevery limited, and most households on low incomes are forced to rent in the privatemarket. Refusing access to rental housing may mean cutting off access to the onlyavailable form of housing.

The Tenants' Union is also concerned that tenants risk future discrimination simply bypursuing disputes with their lessor or agent. The existence of these databases seriouslyundermines tenants' confidence in exercising their rights in disputes, and the threat ofreporting may serve to force tenants into agreeing to unfair arrangements with theiragent.

The unfairness of some listings, and the lack of attention to basic privacy principles inthe operation of tenant database companies are exemplified in the following casesstudies taken from the Tenants' Union's client records. Names have been changed to

protect the confidentiality of the people involved.

CASESTUDY 1 - SARAH

In 1995, Sarah rented a unit in inner city Brisbane under a six month lease. Sarah

experienced ongoing problems with the standard of repair to the premises. The toilet

would not flush and leaked from the pedestal, the oven had not worked since the start ofthe tenancy and an electric switch in the second bedroom gave her a slight shock each

time that she turned it on.

After approaching the real estate agent several times unsuccessfully requesting repairs,Sarah obtained advice abut her capacity to get out of the lease. Sarah received adviceabout the dispute process that she was required to observe in order to terminate theagreement in accordance with tenancy law provisions. Sarah followed the appropriatesteps, and received no response from the agent. On the day she vacated the premises theagent turned up and demanded that Sarah sign over the bond for leaving early. Sarahreluctantly agreed to do this, thinking that it was a small price to pay for getting out ofthe tenancy. Sarah moved back in with her parents for about two years before applyingto a local real estate agency for a unit. To her dismay, Sarah was informed by this agentthat her application for the tenancy was not accepted on the basis that she was listedwithout a tenant database agency.

Tenants ' Union of Queensland inc. Page 5


Upon Sarah's insistence the agent rang the listing agent who stated that she was listedbecause she left a tenancy agreement early, and owed three months rent. Sarah tried toexplain that she had vacated the tenancy in accordance with the requirements of theResidential Tenancies Act 1994, and therefore had no liability for rent after the day shevacated. None the less, the agent refused to approve her application for tenancy.

CASESTUDY 2 - JOHN

John contacted the Tenants' Union North Queensland office after applying for a housein Cairns. On making his application John was advised by the real estate agent that hewould not be accepted on the basis of a listing with a tenant database agency. Johnprotested that he had a good tenancy record - upon which the agent informed him thathe had left a tenancy in Blackwater owing money. John told the agent that he had nevervisited Blackwater much less rented a house there, and said that this must be a case ofmistaken identity. The agent refused to reconsider John's application.

Both tenants in the situations described , subsequently experienced difficulty in

obtaining appropriate housing.

The Residential Tenancies Authority is a State Government agency which collects anenormous volume of personal information about tenants who rent in the private rentalsector. The Authority holds and manages bonds taken on residential tenancyagreements, and requires that all bonds taken from tenants be lodged with the Authority.The forms which must be lodged with the bond money require the tenants' name,address and telephone number to be supplied. Other forms forwarded to the Authority,such as applications for refunds of bonds, contain personal information about tenants.

The Tenants' Union is aware that the Residential Tenancies Authority provides, uponrequest, this information to a significant number of State and Commonwealthgovernment agencies. The Tenants' Union is also aware that the Residential TenanciesAuthority's forms, which are used to elicit personal information from tenants, provideno warning about the fact that the information supplied may be provided to third parties.The Union believes that tenants should be informed of the purposes to which personalinformation they supply may be put, and be given notice of other agencies to whom theinformation may be passed on. The Commonwealth Privacy Act 1988 has beeneffective in ensuring that Federal government agencies which collect personalinformation from members of the public, include warnings on their standard formsabout the third parties to whom personal information may be passed on.



Is the current law in Queensland adequate with respect toprivacy protection?

The Tenants' Union believes that the current law in Queensland is grossly inadequate inprotecting the legitimate privacy concerns of tenants in Queensland.

The Federal Privacy Act 1988 does not currently provide for regulation of tenantdatabase agencies, as they are neither government bodies nor credit providers. Clearlythe Commonwealth Privacy Act 1988 does not regulate the activities of Stategovernment agencies such as the Residential Tenancies Authority.

Anti-discrimination legislation does not cover this type of data collection anddissemination. The Tenants' Union of Queensland is not aware of any other State orFederal legislation that provides protection to tenants in relation to the concerns raisedabove. Subsequently, the scope for abuse is extensive.

If not , how should the right to privacy be protected inQueensland? For example should Queensland introduce oneor a combination of the following means of regulation:information privacy principles ; a statutory tort of privacy; aprivacy committee/privacy commissioner ; or some othermeans to protect privacy?

The Tenants' Union of Queensland believes there is an urgent need for privacyprotection legislation in Queensland which covers both public and private sectoragencies. Anecdotal evidence from callers to the Tenants' Union phone advice serviceindicates that there are frequent abuses of the tenancy database system and tenants areleft without any form of effective redress.

The Tenants' Union of Queensland supports a co-regulatory approach to privacyprotection involving the application of statutory Information Privacy Principles (IPPs)in addition to the development of Codes of Practice based on IPPs. It is vital however,that any Codes of Practice be clear, measurable and enforceable. The Tenants' Unionwould have concerns about any Codes of Practice that were purely voluntary or thatwould allow practices to subvert the intention of the IPPs.

The Tenants' Union of Queensland supports the introduction of a statutory tort ofprivacy that would enable a person a right to bring a legal action where there had been abreach of the statutory IPPs or Codes of Practice that led to their rights being infringed.However the Tenants' Union recognises that a statutory tort is unlikely to provide auseful remedy for the majority of tenants. The damages suffered by tenants as a resultof an improper listing are likely to be social rather than financial. Tenants are unlikelyto have the resources necessary to pursue such a civil remedy through the courts, and



the tightening of Legal Aid guidelines for civil matters is likely to mean that tenants willbe unable to access such assistance.

if IPPS are introduced what should they provide?

The Tenants' Union of Queensland believes that any IPPs to be introduced inQueensland should be modelled on those contained in the Privacy Act 1988 (Cwth).However there are some specific issues that arise when these IPPs are considered vis-a-vis tenancy database registers. In particular, strict definitions of "necessary"information collection, and collection by "unfair means" in IPP 1, and "relevant"information in IPP 3 should be applied to material on tenancy databases. The Tenants'Union of Queensland believes that other than bona fide statutory exemptions, thereshould be no obstacle to a tenant's right to access and correct personal information heldon a database

Should IPPS be in the form of guidelines or legislation?

The Tenants' Union considers that in order to achieve any significant level ofeffectiveness in ensuring privacy protection, the IPPs will need to be in the form oflegislation. The Tenants' Union believes that the issue of privacy protection is far tooimportant to allow IPPs to be simply in the form of guidelines, and for industries to berelied upon to self regulate. The Tenants' Union believes that without the potential forenforcement of the IPPs, unscrupulous operators would continue to ignore them.

Should individuals have to pay (a reasonable amount) toexercise their right to privacy?

The Tenants' Union of Queensland accepts that there may be costs associated withallowing access to information. However, the Tenants' Union argues that any accessfees should be linked to the reasonable or actual cost of supplying the information, andshould in no way allow the holder of material to profit financially from the disclosure.The Tenants' Union believes that, ideally, there should be a scale of allowable accesscosts, which could be reviewed in individual cases upon application to the PrivacyCommissioner/Committee.

The Tenants' Union of Queensland submits that fees should not be chargeable foraltering or deleting incorrect information, or for attaching a statement of any alterationsought. In the first case, a consumer should not be required to pay to have incorrect orinaccurate information amended if such incorrect information was recorded without theconsumer's knowledge. In the second case, the consumer should not be forced to sufferfinancially to be merely given the opportunity to fairly put their side of the case.

Tenants' Union of Queensland inc. Page 8


Where there is a determination that the material was in contravention of the privacyprotection legislation or should be deleted or amended, any access fees paid by theconsumer should be refundable by the record keeper.

Would the costs associated with IPPS outweigh the publicbenefit flowing from their implementation?

From the information holder's point of view, the relatively small costs involved couldeasily be absorbed through financial devices. For example, a tenancy database operatorcould build the anticipated costs into subscription fees. Further, the risk of such costswould serve to make the information holder more vigilant in ensuring the recordscomply with the relevant privacy laws. It also needs to be recognised that in the case ofthe tenant database agencies, these private companies are profiting precisely from thesupply of personal information to third parties. It is hardly unreasonable to require suchagencies to bear the relatively small cost of ensuring that the information they arepeddling is accurate and up to date.

What functions should a privacy committee/commissionerhave?

The Tenants' Union believes that the privacy committee/commissioner should beresponsible for a range of functions suggested in the Issues Paper, specifically:

n to draft and administer IPPs and industry codes of practice;n investigate complaints about breaches of privacy, and undertake, on their own

motion investigations of agencies suspected of routine breaches of privacy;n act as an advisory body to government on policy matters in relation to privacy

protection;n educate the public and stimulate informed debate on privacy protection.

10. What powers should a privacy committee/commissionerhave?

As indicate above the Tenants' Union believes that it would be ineffective to introduceprivacy legislation and create a privacy commissioner/committee without allowing forthe enforcement of breaches of IPPs through sanctions.

The Tenants' Union would prefer to see a compliance regime which allowed the PrivacyCommittee/Commissioner to pursue productive investigative activities in addition toinvestigating complaints made by individuals about breaches of the IPPs. Clearly limitsto proactive investigative powers would have to be incorporated in enabling legislation.



The Tenants' Union's experience has been that regulatory bodies which rely solely uponcomplaint driven investigations have been largely ineffective in ensuring widespreadindustry compliance.

Many tenants, for example, who had their privacy rights infringed, may not be in aposition to pursue a complaint due to social disadvantage, a lack of information abouttheir rights and complaint options, or a lack of the literacy skills required in order tolodge a written complaint. Proactive investigative powers would allow the PrivacyCommittee/Commissioner to investigate agencies where routine non-compliance withIPPs was suspected.

Clearly, in order to be able to effectively investigate breaches of IPPs by particularagencies the Privacy Committee/Commissioner would require powers of access topremises and to documents held by such agencies.

12. Should privacy regulation apply to the private sector as wellas the public sector?

The Tenants' Union of Queensland supports application of privacy legislation to allindividuals and organisations, both government (State and local) and private.

The Tenants' Union of Queensland recommends that individuals and organisationsshould be vicariously liable for the actions of their employees in the performance oftheir duties under any privacy legislation. Employers should not be responsible wherethe employer had taken all reasonable precautions and exercised due diligence.

The Tenants' Union of Queensland believes that privacy legislation should not apply toinformation that was solely or principally collected for a person's personal, family orhousehold affairs. However, the Tenants' Union believes that there should be clearstatutory definitions of such affairs. The proposed legislation should attempt to capturefamily affairs which are clearly commercial interests, for example family trusts, familybusinesses and similar structures.

15. would the costs associated with privacy regulation of theprivate sector outweigh the public benefit to be gained bythat regulation?

Please refer to the response to question 7.



18. HOW should any privacy protection legislation interrelatewith freedom of information legislation ? For example,should the access to, and amendment of, personalinformation be regulated by the Privacy Act alone?

The Tenants ' Union of Queensland believes that it is not suitable for access to, andamendment of, personal information to be regulated solely by privacy legislation. TheTenants' Union of Queensland recommends that if privacy legislation is to beintroduced , the package of FOI legislation and privacy legislation should be consideredas a whole so that an effective regime is introduced.

Conclusion

The Tenants' Union congratulates the Legal, Constitutional and Administrative ReviewCommittee on initiating public discussion on the important issue of legislative privacyprotection for Queenslanders. It is the Tenants' Union's hope that the release of theIssues Paper, and subsequent consideration of public submissions results, in the longerterm, in the introduction of privacy legislation in Queensland.

R97011 WS3


Anti-D1,C1'tinlnatlotl Connrlission

1 August 1997

The Research DirectorLegal, Constitutional & AdministrativeReview CommitteeParliament HouseBRISBANE QLD 4000

Dear Sir/Madam

RE: ISSUES PAPER - PRIVACY IN QUEENSLAND

Attached for the information of the Committee is a submission from the Anti-Discrimination Commission Queensland in response to the above Issues Paper.

Yours sincerely

KAREN WALTERSActing Anti-Discrimination CommissionerQueensland

ANTI-DISCRIMINATION COMMISSION QUEENSLAND

Level 2, State Law Building, 50 Ann Street, Brisbane, Qid 4000. GPO Box 853, Brisbane, Qld 4001.Telephone: (07) 3239 3365 Facsimile: (07) 3239 6285 Toll Free: 1800 068 305

LEGAL, CONSTITUTIONAL AND ADMINISTRATIVE REVIEW COMMITTEEISSUES PAPER


Submission byAnti-Discrimination Commission Queensland

The submission addresses issues in the order in which they are set out in Part 12 of theIssues Paper.

INTRODUCTION:

The Anti-Discrimination Commission Queensland administers the Queensland Anti-Discrimination Act 1991.

Privacy is a significant human rights issue. Privacy rights are enshrined in Article 17of the International Covenant on Civil & Political Rights (ICCPR) which has been ratifiedby Australia and is scheduled to the Human Rights and Equal Opportunity CommissionAct 1986.

The Commonwealth has enacted the Privacy Act 1988 in part to meet the internationalobligations set out by the ICCPR. It is relevant to note also that Australia is a signatoryto the First Optional Protocol to the ICCPR which enables complaints to be lodgedabout violations of any of the rights set out in the Covenant, when all available domesticremedies have been exhausted.

With respect to the Queensland Anti-Discrimination Act 1991 the Queensland Anti-Discrimination Commissioner has an interest in privacy by virtue of the functionsoutlined in s 235 of the Act (attachment 1). The preamble to the Queensland Anti-Discrimination Act 1991 refers to relevant international instruments (including theICCPR) which the Commonwealth has ratified and further, s 4 of the Anti-DiscriminationAct 1991 states "human rights has the meaning given by s 3(1) of the Human Rightsand Equal Opportunity Commission Act 1986 of the Commonwealth. This thereforeprovides the Anti-Discrimination Commissioner with a clear interest in privacy issues.

Pursuant to the functions and mandate outlined above the Commission thereforemakes this submission.

GENERAL:

1 Are there valid concerns relating to privacy protection which need to beaddressed by legislative and/or administrative action? If so, whatparticular concerns are most pressing?

Yes. The current Commonwealth Privacy Act 1988 has limited coverageresulting in piecemeal protection of privacy rights.

Submission by 2Anti-Discrimination Commission Queensland

The most pressing concerns are:

a Collection, storage, handling and use of personal information byQueensland Government agencies, statutory authorities and governmentbusiness authorities, particularly in an environment of increasingcorporatisation and outsourcing.

b The interface between Queensland Government agencies and the privatesector particularly with respect to exchange of information which resultsfrom outsourcing and the extension to the private sector.

c Developments in technology such as internet, E-Mail and data systems.

2 Is the current law in Queensland adequate with respect to privacyprotection?

No. This inadequacy is clearly outlined in Part 3 of the Issues Paper.

3 if not, how should the right to privacy be protected in Queensland? Forexample, should Queensland introduce one or a combination of thefollowing means of regulation : information privacy principles (IPPs); astatutory tort of privacy; a privacy committee/privacy commissioner; orsome other means to protect privacy?

The Commonwealth model provides a useful model to consider.

A Queensland privacy regime should incorporate the following:

a An independent Privacy Commissioner, established by statute.

Given that the legislation may focus initially on the public sector, anindependent Commissioner would provide the guarantees theQueensland public need of a robust complaints, public policy, publiccommentary system.

The Privacy Commissioner could establish a reference or advisory groupif appropriate to provide specialist advice and a range of views.

b Statute based upon a set of information privacy principles which providethe framework within which agencies and individuals operate.

A low cost accessible complaint and dispute resolution system withenforceable outcomes.

c The capacity for broader functions such as research, education, publiccomment and development of codes of practice.


Other proposals such as a statutory tort of privacy and self-regulation havestrong disadvantages as outlined in Part 6 of the Issues Paper.

In particular, experience in the discrimination jurisdiction has shown thatbehaviour and attitudes are influenced by a combination of a strong legislativeframework which provides sanctions and education strategies.

OPTION - INFORMATION PRIVACY PRINCIPLES:

4 If IPPs are introduced what should they provide?

The Commonwealth Privacy Act provides a useful starting point. Consistencybetween State and Commonwealth legislation should be a consideration.Inconsistencies cause confusion and make legislation less accessible and user-friendly.

5 Should IPPs be in the form of guidelines or legislation?

They should be enshrined in a legislative framework which gives a PrivacyCommissioner both complaint handling and education functions. The legislationcould also confer a function to produce guidelines for the avoidance of privacybreaches such as that set down in s 67(1)(K) of the Commonwealth DisabilityDiscrimination Act 1992 (attachment 2) and s 27(1)(e) of the CommonwealthPrivacy Act 1988 (attachment 3).

6 Should individuals have to pay (a reasonable amount) to exercise theirright to privacy?

No. As privacy is a human right enshrined in the ICCPR which Australia hasagreed to uphold, the assertion of a right to privacy should be free, as are othergrievance processes such as use of anti-discrimination legislation, access to theOmbudsman, etc.

7 Would the costs associated with IPPs outweigh the public benefit flowingfrom their implementation?

No. The costs are those which are appropriate to maintain a free and fair societyand uphold basic human rights.

OPTION - A PRIVACY COMMISSIONER/PRIVACY COMMITTEE

8 If an office of privacy commissioner/committee is established:

• how should its independence be ensured;• should the office be accountable to the Parliament , for example, via

a parliamentary committee (with perhaps responsibilities in relation


to matters such as appointments, suspensions, budgets andstrategic reviews;); and

• should the office be combined with that of the InformationCommissioner or any other office?

As noted in response to question 3, the office of an independent Commissionershould be created by statute, accountable directly to the relevant Minister.

Commonwealth experience has demonstrated that the Privacy Commissionerhas functions separate to other human rights or information functions, such asthose undertaken by the Anti-Discrimination or Information Commissioners andin fact at Commonwealth level, consideration is being given to separating thePrivacy Commissioner from the Human Rights and Equal OpportunityCommission.

Given the Commonwealth experience and the fact that privacy will be a newissue in Queensland with a consequential need for high profile and education,a separate Privacy Commission is desirable.

9 What functions should a privacy committee/commissioner have?

The framework provided by s 27 of the Commonwealth Privacy Act 1988 couldprovide a starting point.

10 What powers should a privacy committee/commissioner have? Forexample, should these include the power to:

• enforce IPPs through sanctions such as fine or disciplinary action;and


A strong legislative framework with investigatory powers (e.g. powers tocompulsorily acquire information necessary to an investigation) and enforceableoutcomes is necessary.

11 Would the costs associated with an office of privacycommissioner/committee outweigh the public benefit flowing from theestablishment of such an office?

No. The same argument applies as that outlined in relation to question 7.



12 Should privacy regulation apply to the private sector as well as the publicsector?

It should, but it may be that a phased in approach could be used. In this way thepublic sector could be a model and take the lead (as it should) and the PrivacyCommissioner could exercise his/her educative, consultative and researchfunctions to determine appropriate lead-in activities.

13 Should privacy regulation apply to government owned corporations?

Yes. The public sector, including government owned corporations shouldprovide a model of leadership. In addition, this coverage will provide a usefulprelude to identify the issues which will arise when the private sector is covered.

14 Should privacy regulation apply to local government activities?

Yes. Local Government authorities are major employers and providers ofservices in Queensland and as such need to be covered.

15 Would the costs associated with privacy regulation of.• the private sector;• government owned corporations;• local government activities;outweigh the public benefit to be gained by that regulation?

No. Comments in relation to question 7 apply.

In addition the European Directive would indicate that there are strongcommercial imperatives for privacy regulation.

16 If the private sector is not to be covered, how should privacy regulationapply to bodies performing services which the government hasoutsourced?

The awarding of government tenders and contracts could be conditional uponthe private sector agency demonstrating it has met relevant guidelines or codesof practice in relation to Information Privacy Principles.

17 Should there be co-operative arrangements between the states, territoriesand the commonwealth with respect to matters such as formal complaintsregimes?

Yes. This is one reason for seeking consistency of legislative regimes. Suchinconsistencies in the anti-discrimination jurisdictions across Australia haveproven difficult in terms of confusion, equality of access, difficulties inestablishing performance indicators or benchmarks and arrangements for co-operative activities and resource sharing. The Standing Committee of Attorneys-


General has for this reason established a working committee of human rightsofficers to examine the complex issue of whether human rights legislation,across the states and at Commonwealth level, can be harmonised. It would besensible therefore that, at the outset, there is some consideration of legislativeconsistency and the possibility of co-operative arrangements.

18 How should any privacy protection legislation interrelate with freedom ofinformation legislation ? For example, should the access to, andamendment of, personal information be regulated by a Privacy Act alone?

The Acts should remain separate but be reviewed to ensure consistency asoutlined in part 9 of the Issues Paper.

19 What additional measures, if any, should be taken with respect to:

• the 1995 European Directive; and• the OECD Cryptography Policy Guidelines?

No comment in relation to this issue.


20 How should smart cards be regulated ? For example, by nationallegislation, state legislation or industry codes?

21 What form of regulation should be introduced with respect to the varioustypes of electronic banking and cash (not including those systems whichuse smart cards)?

It may be that the Privacy Commissioner utilises broad legislative functions toconsult widely on issues such as smart cards and electronic banking andfollowing such consultation, the management of privacy in relation to theseissues could be addressed by a Regulation.


22 What form of regulation should be introduced with respect to privacyissues arising in the areas of,

• personal privacy, including surveillance (visual and listening) bothin public and private places;

• telemarketing and direct marketing;• the workplace;• medical records , including access; and• genetics?

Privacy issues in the workplace, in relation to medical records and in geneticsmay raise issues in the anti-discrimination jurisdiction.


Like issues such as advancing technology (e.g. smart cards), surveillance anddata matching, these are complex matters which only serve to highlight the needfor a strong privacy legislative regime, oversighted by a Commissioner withbroad policy and consultative functions. Once in place, a Privacy Commissionercould establish priorities and commence a process of consultation and researchto determine the most appropriate response to these issues.

s234 107 s 235Anti-Discrimination Act 1991

s 236

CHAPTER 9-ADMINISTRATION

1 1) PART 1-THE ANTI-DISCRIMINATION

(h)

(i)

COMMISSION G)

The Anti-Discrimination Commission and Commissioner

234.(1 ) An Anti-Discrimination Commission is established. (k)

(2).There is to be an Anti-Discrimination Commissioner. (1)

(3) The Commission consists of the Commissioner and the staff of theCommission.

Commission's functions

235. The Commission has the following functions-

(a) to inquire into complaints and, where possible, to effectconciliation;

(b) to carry out investigations relating to contraventions of the Act;

(c) to examine Acts and, when requested by the Minister, proposedActs, to determine whether they are, or would be, inconsistentwith the purposes of the Act, and to report to the Minister theresults of the examination;

(d) to undertake research and educational programs to promote thepurposes of the Act, and to coordinate programs undertaken byother people or authorities on behalf of the State;

(e) to consult with various organisations to ascertain means ofimproving services and conditions affecting groups that aresubjected to contraventions of the Act;

(f) when requested by the Minister, to research and develop

(g)

additional grounds of discrimination and to makerecommendations for the inclusion of such grounds in the Act;

such functions as are conferred on the Commission under another

108 s238

Anti-Discrimination Act 1991

Act;

such functions as are conferred on the Commission under anarrangement with the Commonwealth under Part 3;

to promote an understanding and acceptance, and the publicdiscussion, of human rights in Queensland;

if the Commission considers it appropriate to do so-to intervenein a proceeding that involves human rights issues with the leaveof the court hearing the proceeding and subject to any conditionsimposed by the court;

such other functions as the Minister determines;

to take any action incidental or conducive to the discharge of theabove functions.

Commissioner 's powers

236.(1) The Commissioner has the powers given by the Act.

(2) The Commissioner also has power to do all things that are necessaryor convenient to be done for or in connection with the performance of theCommission's functions.

Financial administration

237. For the purposes of the Financial Administration and Audit

Act 1977, the Commission is a statutory body within the meaning of that

Act.

Appointment of Commissioner

238.(1) The Commissioner is to be appointed by the Governor inCouncil.

(2) Subject to sections 242 and 243, the Commissioner holds office forsuch term (not longer than 7 years) as is specified in the instrument ofappointment.

(3) The Public Service Management and Employment Act 1988 does notapply to the appointment of the Commissioner.

34 Disability Discrimination No. 135, 1992

Functions of Human Rights and Equal Opportunity Commission67.(1) The following functions are conferred on the Commission:(a) to inquire into alleged infringements of Part 2, and endeavour

by conciliation to effect a settlement of the matters to whichthe alleged infringements relate;

(b) to inquire into, and make determinations on, matters referredto it by the Minister or the Commissioner;

(c) to exercise the powers conferred on it by section 55;(d) to report to the Minister on matters relating to the development

of disability standards;(e) to monitor the operation of such standards and report to the

(I)

(g)

Minister the results of such monitoring;to receive action plans under section 64;to promote an understanding and acceptance of, and compliancewith, this Act;

5

10

15(h) to undertake research and educational programs, and other

(i)

G)

programs, on behalf of the Commonwealth for the purpose ofpromoting the objects of this Act;

to examine enactments, and (when requested to do so by theMinister) proposed enactments, for the purpose of ascertaining 20whether the enactments or proposed enactments are, or wouldbe, inconsistent with or contrary to the objects of this Act, andto report to the Minister the results of any such examination;on its own initiative or when requested by the Minister, toreport to the Minister as to the laws that should be made by 25the Parliament, or action that should be taken by theCommonwealth, on matters relating to discrimination on theground of disability;

(k) to prepare, and to publish in such manner as the Commission

(1)

(m)

considers appropriate, guidelines for the avoidance of 30discrimination on the ground of disability;where the Commission thinks it appropriate to do so, with theleave of the court hearing the proceedings and subject to anyconditions imposed by the court, to intervene in proceedingsthat involve issues of discrimination on the ground of disability; 35to do anything incidental or conducive to the performance ofany of the preceding functions.

(2) The Commission is not to regard an enactment or proposedenactment as being inconsistent with or contrary to the objects of thisAct for the purposes of paragraph (1)(i) because of a provision of the 40enactment or proposed enactment that is included for the purposereferred to in section 45.

(3) The Commissioner must not participate in any inquiry held bythe Commission under Division 3 or attend any meeting of the

C

5

10

15

20

25

30

35

40

Disability Discrimination No. 135, 1992 35

Commission, be present during any deliberation of the Commission, ortake any part in any decision of the Commission, in connection withsuch an inquiry.

Functions of Commissioner68. The functions of the Commission under paragraph 67(1)(a) and

the function of the Commission under paragraph 67(1)(m) to the extentthat it relates to the performance of those functions, are to be performedby the Commissioner on behalf of the Commission.

Complaints69.(1) A complaint in writing alleging that a person has done an

act that is unlawful under a provision of Part 2 may be lodged withthe Commission by:

(a) a person aggrieved by the act:

(i) on that person's own behalf; or(ii) on behalf of that person and another person or other

persons also aggrieved by the act; or

(b) 2 or more persons aggrieved by the act:(i) on their own behalf; or

(ii) on behalf of themselves and another person or otherpersons also aggrieved by the act; or

(c) a person on behalf of another person or other persons aggrievedby the act.

(2) If it appears to the Commission that:(a) a person wishes to make a complaint under subsection (1); and(b) that person requires assistance to formulate the complaint or to

reduce it to writing;it is the duty of the Commission to take reasonable steps to provideappropriate assistance to that person.

Commissioner taken to be a complainant70. If:

(a) the Commissioner has referred to the Commission a matterthat came before the Commissioner otherwise than as the resultof the making of a complaint to the Commission; or

(b) the Minister has referred a matter to the Commission undersection 78;

then, for the purposes of any inquiry into the matter by the Commission,this Act has effect as if:

(c) the matter had been the subject of a complaint; and(d) the reference to the complainant in section 84 were a reference

to the Commissioner; and(e) a reference to the respondent were a reference to the person

s.27

Privacy Act 1988

(c) to undertake research into, and to monitor developments in,data processing and computer technology (including data-matching and data-linkage) to ensure that any adverse effectsof such developments on the privacy of individuals areminimised, and to report to the Minister the results of suchresearch and monitoring;

(d) to promote an understanding and acceptance of the Informa-tion Privacy Principles and of the objects of those Principles;

(e) to prepare, and to publish in such manner as the Commis-sioner considers appropriate, guidelines for the avoidance ofacts or practices of an agency that may or might be interfer-ences with the privacy of individuals or which may otherwisehave any adverse effects on the privacy of individuals;to provide advice (with or without a request) to a Minister oran agency on any matter relevant to the operation of this Act;

to maintain, and to publish annually, a record (to be known asthe Personal Information Digest) of the matters set out inrecords maintained by record-keepers in accordance withclause 3 of Information Privacy Principle 5;

(h) to conduct audits of records of personal information main-tained by agencies for the purpose of ascertaining whether therecords are maintained according to the Information PrivacyPrinciples;

whenever the Commissioner thinks it necessary, to inform theMinister of action that needs to be taken by an agency inorder to achieve compliance by the agency with the Informa-tion Privacy Principles;

(k) to examine (with or without a request from a Minister) al fproposa or data matching or data linkage that may involve an

interference with the privacy of individuals or which mayotherwise have any adverse effects on the privacy ofindividuals and to ensure that any adverse effects of suchproposal on the privacy of individuals are minimised;

for the purpose of promoting the protection of individualprivacy, to undertake educational programs on the Commis-sioner's own behalf or in co-operation with other persons orauthorities acting on behalf of the Commissioner;

(n) to encourage corporations to develop programs for the han-dling of records of personal information that are consistentwith the Guidelines on the Protection of Privacy andTransborder Flows of Personal Data issued by theOrganisation for Economic Co-operation and Development;

(o) to do anything incidental or conducive to the performance ofany of the preceding functions;

Privacy Act 1988

(p)

(q)

51

s. 28

to issue guidelines under the Data-matching Program (Assis-

tance and Tax) Act 1990;to monitor and report on the adequacy of equipment and usersafeguards;

(r) may, and if requested to do so, shall make reports andrecommendations to the Minister in relation to any matter thatconcerns the need for or the desirability of legislative or

administrative action in the interests of the privacy of

individuals.

(2) The Commissioner has power to do all things that are neces-sary or convenient to be done for or in connection with the perfor-mance of his or her functions under subsection (1).

Functions of Commissioner in relation to tax file numbers

28. (1) In addition to the functions under sections 27 and 28A,the Commissioner has the following functions in relation to tax file

numbers:(a) to issue guidelines under section 17;(b) to investigate acts or practices of file number recipients that

may breach guidelines issued under section 17;

(c) to investigate acts or practices that may involve unauthorisedrequests or requirements for the disclosure of tax file numbers;

(d) to examine the records of the Commissioner of Taxation to

ensure that:(i) he or she is not using tax file number information for

purposes beyond his or her powers; and

(ii) he or she is taking adequate measures to prevent theunlawful disclosure of the tax file number informa-tion that he or she holds;

(e) to conduct audits of records of tax file number information

maintained by file number recipients for the purpose ofascertaining whether the records are maintained according toany relevant guidelines issued under section 17;

(f) to evaluate compliance with guidelines issued under section17;

(g) to provide advice (with or without a request) to file numberrecipients on their obligations under the Taxation Administra-

tion Act 1953 with regard to the confidentiality of tax filenumber information and on any matter relevant to the opera-

tion of this Act;(h) to monitor the security and accuracy of tax file number

information kept by file number recipients;

01.'08 197 15:41 '$`070 510743

P0Box7381CAR NS QLCi_ 4870Phone: 070 316733Fax 070 51©743

ACCESS CON HOUSE

Access CommunityHousing

TO. Research Director, Legat, Constitutional From

And Adrr►inistratirre Review Committee

Fax: 07 7691 Date:

Ph m

Re: Privacy in Queensland CC:

U urgent Q For Review

Susanne Johnston, Acmes Community

Housing

August 1, 1997

three

0 Please Comment Q Please Reply q Please Recycle

•Comment Please find fallowing my submission to the LEGAL , CONSTITUTIONAL ANDADMINISTRATIVE REVIEW COMMITTEE in response to ISSUE PAPER NO. 2 - PRIVACY INQUEENSLAND

01/08 197 15:44 TX/RX NO.1740 P.001

0001

01.'08'97 15:41 $070 510743 ACCESS COM HOUSE

Rccolss Community Housing1iutociat1ion Inc.

HOUSING RESOURCE SERVICE

0002

I ST FLOOR PosTAl AbDR. ss

TROPICAL ARCA17r PO Box 7381

-f Shirts S2 r CAIRNS (Z4870CAIRNS Q`$870 PHONE: (070) 31 6733

FAX: (070) S1 0743

4LEGAL CONSTITUTIONAL AND

The Research Director,

ADMINISTRATIVE REVIEW COMNIITT6Legal, Constitutional and AdministrativeReview Committee 1 AU G 1997Parliament MouseBRISBANE QLD. 4001

1 August 1997

Dear Sir / MadamSubmission to Committee , in response to

Issues Paper NO.2 -PRIVACY IN QUEL+ NSLAND

UnfortunatelyI limited resource prevent me from making a full submission. I have outlined majorconcerns. I understand the Tenant's Union of Qld. will be forwarding a detailed submission, andI am sure they will raise issues I would support- I am concerned that the database agencies willallow misleading and inaccurate information about tenants to be used by member real estateagents, and will have a marked effect on their ability to access private rental.

The Housinr Resource ServiceThis program,; funded by the Residential Tenancies Authority from interest on tenant's bonds, andadministered l y the Qld. Dept. of Housing, provides an advice and advocacy service to privaterental tenants- Housing Resource Services are placed in about twenty-eight areas in Queensland.This Service is well placed to comment on the effects of privacy legislation as it relates to theprivate sector- '

Privacy Protedtion IssuesTenancy database registers are becoming increasing used as a tool for real estate agents to screentenants. These agencies collect information about the rental history of particular tenants; in,particular those tenant's that may have defaulted during the tenancy.

The information kept on these database raises serious concerns in relation to the privacy rights oftenants. Agents can and do list information about tenants that is not always correct, not updated,and tenants about whom the information is held have no access to the information, so are not in aposition to dispute it's correctness.

Operations of tenancy databasesThere are two well known agencies operating is Queensland, Tenancy Information CentreAustralia (TICA; .) and the Real Estate access Bureau (REAB). Real Estate Agents becomemembers of these agencies, and can then access / provide information about tenants historyAustralia wide.! It is said their services are required to deal with "problem tenants" who default onleases and leave huge debts, or who damage a property before leaving.

However, the real result is that many tenants are denied access to private rental accommodationbecause they are "listed". They have no right to information listed about them, and need to

P.00201/08 '97 15:44 TX/RX N0.1740 0

01/08 `97 15:42 $070 510743 ACCESS CON HOUSE

negotiate with the real estate agent who "listed" them to find out. Many times that agent isunwilling to talk about it. This leaves the tenant in a very vulnerable position, often not being ableto access accommodation through any real estate agent.

I have discovered cases where the information listed is clearly incorrect, exaggerated, or notupdated after a bond claim is finalized. Ifa tenant has come from another State and needs to sortit out with previous real estate agent it regularly proves difficult.

The real estate agents also use their membership of these agencies as a threat to tenants during thetenancy. I have seen form letters to tenants, from their agent, outlining their membership of atenant database, and advising the tenant that should they even fall behind in rent they will belisted. If a tenant has a dispute with the agent they threaten to list, regardless of weather a debt isincurred.

Issaaes abort in}ormartort held.• No legislative protection for affected tenants, as these private databases seem to be outside of

existingprivacy legislation-

* No regulation or verification of information collected and stored. Information held can beincorrect, but no onus on agencies to validate information provided by lessors and agents.

• Tenants have no right of access to information stored about them, therefore no right tochallen^e.

• No obligation on real estate agents to advise tenants that information is listed or what thatinformation is.

* No process to ensure information is updated-

0 No requiement for information to be removed after a period of time. Once listed alwayslisted, even if a successful tenancy i s maintained later.

• Does notjtake into account reasons for default. Could be related to loss of employment, cutsin social welfare payments, illness, domestic violence etc-, all of which can lead to hardshipand rent arrears. These reasons, often beyond the control of the tenant, cause hardship, anddiscrimination of peoples right to housing.

CONCLUSIONCr; rr e n t. P ri v rcy LawsCurrent law in Queensland does not protect the rights of private rental tenants, because theFederal Privacy Act 1988 does not provide regulation of tenant database agencies, because theyare neither government bodies or credit providers. The Act must be reviewed to provideregulation of private databases to protect the privacy of rental tenants.

Yours truly

SUE JOHNSTpN

01/08 '97 15 :44 TX/ RX N0.1740 P.003

JA003

0

}^. U Si "i" R R. L- t ,n. h t BCD FR R C? F1 ATE _ A V\/ Y E. i -. S A C> C 1^ T I V i^

TO:

COMPANY:

F. NO

MESSAGE-

The Research Director

Legal, Constitutional and Administrative R.view Committee7 3406 7691

Kim .Tubb

07 3252 7528I August, 1997

Please find attached submission on behalf of Australian Corporate LawyersAssociation - Issues Paper No_ 2.

01/08 197 14:07 TX/RX NO.1737 P.001

A.c; :. 003 1 96 76"

Direst Number 07 33612534

Facsimtk 07 -1252 7529

GPO Box 2065B SaANE QLD 4001

1 August, 1997


Dear Sir/Madam,

Re: Issues Paper No 2 _ Privacy in Queensland

Au1 13r

We take this opportunity to provide the following comments on the above IssuesPaper on behalf of our members . ACLA is art organisation which. has a membershipprimarily within corporate and government sectors which are mot likely to beaffected by the matters raised in the Issues Paper.

Specifically, the majority of our members are engaged in activities which involvemaintaining a balance between the tights of third parties to privacy and the costsassociated with upholding those rights.

Given that your committee proposes to further refine the scope of its enquiry wepropose to restrict our comments at this stage to matters of genera it concern to ourmembers. We are keenly interested in being given the earliest opportunity to considerand comment on issues arising out of your consideration of submissions on the IssuesPaper.

We accept that those organisations to which existing privacy legislation does notapply generally support measures to address privacy issues where those issues exist,provided the measures taken to achieve that end are cost effective:. In this respect wenote that the administrative and consequent financial burdens to be imposed uponparties to whom measures would apply are potentially significani and it is likelybusiness will need to pass this on to consumers.

We believe it should be acknowledged, however, that privacy colcerns will differbetween industries. it is also important that the principles reiati&,g to privacy and theapproach to enforcement are consistent. Clearly these imperatives will often conflictdepending on the differences in approach to privacy issues by d.ii ferent industrygroups and the ability to consistently apply those principles to eE sure compliance-

01/08 '97 14:07 TX/RX NO.1737 P.002

43.

0

01/08 '97 14:13 $`81 7 3252 7528 RACQ 1 STWR.NTS

We believe the best way to achieve these outcomes would be for z,, nationally

consistent approach to be adopted.

The benefits of this approach would include the wider acceptance of such a regimewhere the relevant principles are clear and the increased likelihood that members ofthe public will be able to more clearly understand their privacy rights. It would beexpected that the stated option for appointment of a privacy conraissioner/committeewould best achieve this outcome by:-

1. Being an independent supervisory body

2. Providing a cost effective avenue for resolving privacy or, ncerns

3. Promoting awareness of privacy codes and initiatives

We believe the above approach would avoid the need to legislate privacy principlesand would allow for establishment of industry codes of practice, ipproved by thecommissioner. This approach would be expected to promote a fl %xibility of approachto specific industry solutions. It could also be expected that the ;;stablishment andpromotion of the existence of those Codes would remove the xn jority of the privacyconcerns currently being experienced or discussed and would be cost effective withoutimposing an undue regulatory burden on the parties. This appro. tch would be mosteffective where a Code, although explained in general terms, conild specify the classesof conduct regulated by a Code within each industry.

Please note the above address as our primary contact. Should yn ru otherwise .requireany further information please contact the writer by telephone, f 7 3361 2539 or by fax07 3252 7528.

Yours faithfully,

Ij 003

01/08 '97 14:07 TX/RX NO.1737 P.003

ELECTORAL COMMISSION

QUEENSLAND

31 July 1997

IN REPLY PLEASE QUOTE

CONTACT OFFICER

TELEPHONE

FACSIMILE

Mr Neil LaurieResearch DirectorLegal, Constitutional andAdministrative Review CommitteeParliament HouseBRISBANE QLD 4000

Dear Mr Laurie

EX/52 GEA:RLA

Mrs Trudy Aurisch

(07) 3227 7590

(07) 3229 7391 42- -

LEGAL, CONS ONAL AlbADMINISTRATIVE REVIEW COMMITTEE

A 1 U L 1997

I enclose three copies of a submission by the Electoral Commission Queensland in responseto the Legal , Constitutional and Administrative Review Committee 's Issues Paper No 2'Privacy in Queensland'.

Thank you for inviting submissions from the Commission.

Yours sincerely

D J O'SHEAElectoral Commissioner

QUEENSLAND

GPO BOX 1393 BRISBANE QUEENSLAND 4001 AUSTRALIALEVEL 6 FORESTRY HOUSE 160 MARY STREET BRISBANE

cc(ELECTORAL COMMISSION

QUEENSLAND

SUBMISSION

TO THE


BY THE

ELECTORAL COMMISSION QUEENSLAND

IN RESPONSE TO

ISSUES PAPER NO 2


JULY 1997

TABLE OF CONTENTS

CONTENTS Page

1. Introduction .......................................... 1

2. Importance of the Electoral Roll ............................ 2

3. History of Roll-Keeping in Queensland ........................ 4

4. What Information Does the Roll Contain and Who May Access It? .... 7

5. Problems with the Roll .................................. 10

6. New and Better Options for Roll-Keeping ..................... 14

7. Impact of Privacy Legislation Upon Electoral Roll Maintenance ..... 16

8. Conclusion .......................................... 18

9. Bibliography .......................................... 19

1

1. INTRODUCTION

1.1 In December 1996, the Legal, Constitutional and Administrative Review Committeeof the Queensland Legislative Assembly resolved to conduct an enquiry into theprotection of privacy in Queensland.

1.2 In May 1997 the Committee released Issues Paper No 2 "Privacy in Queensland"with the stated aims of:

providing the community with information on some of the topicalissues concerning privacy;

• stimulating discussion; and• identifying issues which submissions to the committee may

address. "'

1.3 The Issues Paper has identified privacy as encompassing a group of rights includingthose relating to personal privacy (which includes freedom from surveillance),privacy of communications and information or data privacy.

1.4 "Information" privacy is then further defined as "the claim of individuals, groups, orinstitutions to determine for themselves when, how, and to what extent informationabout them is communicated to others". 2

1.5 The Electoral Commission Queensland recognises and respects the fact that eachQueenslander's privacy should be adequately protected. However, this right has tobe balanced against public benefits that can arise from the collection of certaininformation. For example, electoral roll data is used for certain health programs,such as the program for the treatment and prevention of tuberculosis. TheCommission is anxious that the correct balance is struck between these competingdemands.

1.6 The Commission proposes that, as an accurate electoral roll is fundamental to thedemocratic process, privacy laws should not restrict the Commission in obtainingand using information for roll keeping purposes but rather such laws shouldprescribe a right in the Commission to obtain such information. Each Queenslanderhas a basic right to a free, honest and fair electoral system and this right is just asimportant as each Queenslander's right to privacy.

Legal, Constitutional and Administrative Review Committee (J Gamin MLA, Chairman ), Privacyin Queensland, ( Issues Paper No 2), Legislative Assembly Queensland, 1997, p.1.

2 ibid., p.2.

2

2. IMPORTANCE OF THE ELECTORAL ROLL

2.1 The highest standards should exist in the preparation and maintenance of theelectoral roll. As the Electoral and Administrative Review Commission (EARC)stated in its "Report on The Review of The Elections Act 1983-1991 and RelatedMatters":

"Electoral rolls are a fundamental component of any voting system. Rolls constitutethe official list of electors and are prima facie evidence of electors' right to vote.Enrolment procedures therefore need to strike the right balance between the needto be rigorous to ensure integrity of the rolls, and the need for flexibility to ensurethat peoples' rights to enrol and vote are protected. " 3

2.2 Inaccurate rolls reflect adversely on the legitimacy of any election using those rolls.As the Liberal Party of Australia stated in its Submission to the Commonwealth JointStanding Committee on Electoral Matters' Enquiry into Resource Sharing in theConduct of Elections:

"The greatest concern the Liberal Party has regarding the administration of electionsin Australia is the maintenance and integrity of the Commonwealth, State, Territoryand Local Government electoral rolls.

It is essential that the highest standards are maintained to ensure the integrity ofelectoral rolls. Accurate electoral rolls are necessary to safeguard public confidencein the democratic process and importantly, given the recent trends for state andfederal elections to be determined by close margins in a small number of seats, theyare essential for ensuring that the democratic wishes of the voters are notcorrupted." 4

2.3 An accurate roll is also essential for any State redistributions and for the LocalGovernment Boundary Reviews which have recently become the province of theCommission.

2.4 In Queensland, the roll is also used for other important purposes. It acts as asource for compilation of jury lists and for certain other functions in the public

3

a

Electoral and Administrative Review Commission (T Sherman, Chairman), Report on TheReview of the Elections Act 1983-1991 and Related Matters, (91/R7), QueenslandGovernment Printer, Brisbane, 1991, p.46.

Submission by the Liberal Party of Australia to the Joint Standing Committee on ElectoralMatters ' Inquiry into Resource Sharing in the Conduct of Elections, December 1991,paragraph 4.1-4.2.

3

interest eg. by the Health Department for the administration of various public healthprograms. Copies of the roll are also supplied electronically to Members of theLegislative Assembly, Local Governments and registered political parties. The useof the electoral roll for these purposes both underscores the need for its accuracyand currency and increases the likelihood of any errors on the roll being identified(which in turn can translate into a lack of public confidence in the roll).

2.5 The 1996 census has confirmed that between 1991 and 1996 the population ofQueensland grew by 12.7%, which was the fastest growing population in Australia.This figure compares with growth in the same period of 10.7% in the NorthernTerritory, 8.2% in Western Australia, 5.9% in the Australian Capital Territory, 5.2%in New South Wales, 3.2% in Victoria, 1.8% in South Australia and 1.2% inTasmania.' The 1996 census also revealed that the Sunshine Coast area isAustralia's fastest region of growth, and that its population had grown 30% over thepast five years. According to the 1996 census, Queensland should overtake Victoriaas the nation's second most populous State in 2020.6 The Queensland population,like the rest of modern Australia, is also highly mobile within State boundaries. Allthese population movements add to the difficulty of establishing, and maintaining,an accurate and up-to-date roll in Queensland.

5 Australian Bureau of Statistics Australian Demographic Statistics 1996 Census Edition(3101.0), Australian Government Publishing Service, Canberra, 1997, p.3.

s The Courier Mail, 16 July 1997, p.1.

4

3. HISTORY OF ROLL-KEEPING IN QUEENSLAND

3.1 Queensland maintained its own electoral roll from 1859 to 1991. In fact, until 1986,when a joint electoral card was introduced, the Commonwealth and State hadentirely separate systems and persons enrolling or amending their enrolment wererequired to complete separate Commonwealth and State enrolment cards.

3.2 As part of its obligations under the Electoral and Administrative Review Act 1989,EARC issued two Reports of great relevance to Queensland's electoral system andelectoral rolls. These were the "Queensland Joint Electoral Roll Review" Report,issued in October 1990, and "The Review of the Elections Act 1983-1991 andRelated Matters" Report dated December 1991.

3.3 The first of these Reports resulted from EARC's examination of whether Queenslandshould maintain a separate Electoral Roll or enter a Joint Electoral Roll Arrangementwith the Commonwealth and, if the latter, what the nature of that Arrangementshould be. EARC's key recommendations were that a Joint Electoral RollArrangement should be negotiated by the Queensland Government with theCommonwealth as soon as practicable, and that the existing Commonwealth Rollshould form the basis of the Joint Electoral Roll.

3.4 EARC also recommended that State enrolment qualifications should be the sameas the current Commonwealth qualifications, including the adoption ofCommonwealth criteria for eligibility of non-Australian British subjects (subject to theproviso that any non-Australian British subjects currently on the State roll beretained on the roll for State elections). EARC further recommended that a JointElectoral Roll Management Committee, comprising senior officers from theCommonwealth and State electoral authorities, be established to assist with thenegotiation of the Joint Electoral Roll Arrangement and its subsequentimplementation.

3.5 Chapter 5 of EARC's later "Report on The Review of the Elections Act 1983-1991and Related Matters", which contained as Appendix H a draft Bill for an ElectoralAct, developed the recommendations in its previous report and set out EARC'sviews on the legislative provisions and administrative arrangements necessary toestablish and maintain the joint roll and to manage access to roll information.

3.6 Acting on EARC 's recommendation , Queensland and the Commonwealth enteredinto a Joint Electoral Roll Arrangement on 4 November 1991 . The Arrangementtook effect on 1 January 1992. Queensland was the last of the States andTerritories to enter into a Joint Electoral Roll Arrangement with the Commonwealth,the first such arrangement having been negotiated between the Commonwealth and

5

Tasmania in 1908 . The Joint Electoral Roll Arrangements are not uniform as theyhave been negotiated by the Commonwealth with each individual State or Territory.They therefore leave different levels of responsibilities with the State/TerritoryElectoral Commission and the Australian Electoral Commission (AEC) and , as notedby EARC, the later Arrangements "reflect the increasing priority of financialmanagement within the public sector, and the management of information throughcomputer databases".

3.7 Queensland 's Joint Electoral Roll Arrangement contains the following importantprovisions:

• the computer records constituting the roll , in accordance with section 111 ofthe Commonwealth Electoral Act 1918 , shall be the roll for the purposes of theelectoral laws of the Commonwealth and the State;

• any data provided to the AEC relating to any redistribution of electoralboundaries for either a State or Local Government election is to be includedin the joint roll within 12 weeks;

• the joint roll is to contain all matters required by the electoral laws of theCommonwealth and the State to be contained in the roll;

the AEC is to provide in electronic format, within seven days of the closing ofthe roll for a State or Local Government election, a copy of so much of the rollas has been specified by the Electoral Commissioner for Queensland;

the Electoral Commissioner has the right to inspect at all reasonable timesboth the computer records constituting the roll and any source documentationheld;

the AEC will conduct a habitation review of the roll within each period requiredby the Commonwealth Electoral Act 1918 or any State law , provided that ahabitation review is not to be conducted in the period between the issue of awrit for either a Commonwealth election or a State election and the day of thatelection;

the Electoral Commission Queensland may charge State agencies for thesupply of data from the roll; and

Electoral and Administrative Review Commission (T Sherman , Chairman), Report onQueensland Joint Electoral Roll Review (901R3 ), Queensland Government Printer, Brisbane,1990, p.34.

6

• Queensland is to pay the AEC an annual sum, payable quarterly, for theupkeep of the roll. The amount paid is calculated in accordance with a formulaset out in the Arrangement, and is based on the actual costs incurred by theAEC in maintaining the roll being shared equally between the Commonwealthand State. In the 1996/97 financial year, the amount paid by Queensland wasapproximately $1.2334 million.

3.8 However, Queensland's Joint Electoral Roll Arrangement provides that the AEC issolely responsible for the maintenance of the roll through processing newenrolments, amending enrolments, and initiating and determining objections.Perhaps even more importantly, the AEC is in total control of the timing of its rollmaintenance activities. For this reason, the term "joint electoral roll" is a misnomer.

7

4. WHAT INFORMATION DOES THE ROLL CONTAIN AND WHO MAY ACCESS IT?

4.1 The AEC's Joint Electoral Roll database (RMANS) records the elector's full name,address, sex, occupation, date of birth and date enrolled. This informationconstitutes what is termed the "entire" roll. The entire roll is updated daily by theAEC and the Commission has on-line access to search the data base maintainedin Canberra.

4.2 RMANS , however , cannot meet all of Queensland 's requirements . Therefore aduplicate of the roll , in electronic format , is maintained by CITEC for State purposes.

4.3 Under the provisions of the Electoral Act 1992, the Commission is required to keepan electoral roll for each of the 89 Electoral Districts of Queensland. The Act statesthat the roll must contain an elector's surname and given names, address, sex,occupation, date of birth, and identifying number.

4.4 The Commission is obliged to make available for inspection by any person, withoutfee, a copy of the most recent printed version of the publicly available part of theelectoral roll at the office of the Commission and at the office (if any) of each StateReturning Officer. However, the publicly available roll, in accordance with EARC'srecommendation, consists only of the elector's surname and given names andaddress.

4.5 The Commission may make available for inspection, without fee, a copy of thepublicly available part of any electoral roll, in electronic format, at any place theCommission considers appropriate. There is further provision in the Electoral Actfor the Commission to sell copies of the publicly available part of each electoral roll,either in a printed or non-printed form, at a price fixed or determined under aregulation. Currently the electoral roll price is $9 per district.

4.6 The Electoral Act 1992 also requires the Commission to:

• supply each member of the Legislative Assembly, free of charge, with areasonable number of copies of the most recent printed version of the entireelectoral roll for the electoral district the member represents and to also givethis information to the member in electronic format at least once during eachLegislative Assembly;

• as soon as practicable after the cut off day for the nomination of candidatesfor an election, supply a free certified copy of the entire electoral roll for anelectoral district, as at the cut-off day, to each candidate for election for thedistrict who requests a copy;

8

• at the Commissioner's discretion, allow any State Government department orState public authority to have access in electronic format, and without fee, toa copy of the most recent version of the entire roll for any electoral district;

• make available to a member of the Legislative Assembly, free of charge,copies of the changes to the most recent electronic version of the entireelectoral roll for the electoral district that the member represents;

• make available electronically a copy of the entire electoral roll (and anychanges thereto) for any electoral district wholly or partially within a localgovernment's area for purchase by the local government at a price fixed undera regulation; and

• make available a copy of the entire roll (and any changes to it) for any or allelectoral districts, in electronic format, for purchase by any registered politicalparty.

4.7 Section 152 of the Electoral Act 1992, however, in line with the CommonwealthElectoralAct 1918 and following EARC's recommendation, places certain restrictionson the use to which the non-publicly available information contained on the entireroll may be put.

4.8 In order to fulfil the Commission's obligations under the Electoral Act 1992, CITEC'sduplicate electoral roll supplies the Sheriffs Office so jury lists may be prepared, isforwarded to various State Government departments for their purposes (for example,it is used by the Health Department to administer various health programs and bythe Justice Department to maintain a register of Justices of the Peace andcommissioners for declaration) and is supplied to local governments, candidates forelection, registered political parties and Members of the Legislative Assembly.

4.9 When examining the proposal for a Joint Electoral Roll and the ancillary issue of thepublication and availability of the roll in Queensland, EARC commented:

"Given the legal complexity of any jointly owned data base, it would benecessary to establish in advance of inaugurating any joint roll, the usesto which the data may be put, the organisations which may secureaccess to the data base, and the extent to which electors' privacy can beprotected in any regime of divided responsibility. " 8

e ibid., p.24.

9

4.10 EARC further reported that , because of the Commonwealth Privacy Act 1988, allCommonwealth agencies wishing to access the non-public data on theCommonwealth roll had had to justify such access as being in the public interest.The usual justifications related to law enforcement , security and the protection ofpublic revenue . Further, the enrolment claim card used by the Commonwealth listedall Commonwealth agencies with access to the non-public data on theCommonwealth roll.

4.11 Should the State introduce its own privacy legislation, it could impact on the currentarrangements . for the supply of the roll to external organisations. For example, itwould probably affect the exercise of the Commission's discretion, conferred insection 61 (3) of the Electoral Act 1992 , to allow any department or State publicauthority to access , without fee , either in computer disk or computer tape format, theentire electoral roll for any electoral district . It is noted that the joint Queenslandand Commonwealth " Electoral Enrolment Form " currently advises applicants forenrolment that the AEC makes certain specified items of information "available togovernment agencies listed on the back of this card ".9 Each of the federalgovernment agencies are then individually listed . In contrast, the form states, inrelation to Queensland, that "information is also provided by the ElectoralCommission Queensland to certain Government organisations'"0 but the individualorganisations are not listed. If Queensland enacts its own legislation, it may be thatapplicants for access to the entire electoral roll may have to apply again to theCommission , justifying their reasons more fully and demonstrating compliance withany privacy principles that may be made in Queensland . This whole issue warrantscloser examination once the content of any such legislation becomes more clearlydefined . As EARC commented in its report "Queensland Joint Electoral RollReview":

"The State agency responsible for roll maintenance should also beresponsible for determining right of access to non-published roll data inaccordance with any State privacy legislation that may be promulgated". "

9

10

71

Australian Electoral Commission , Electoral Enrolment Form (ER016 -2/92), QueenslandGovernment Printer, Brisbane, 1992.

ibid.

Electoral and Administrative Review Commission (T Sherman, Chairman), Report onQueensland Joint Electoral Roll Review, (901R3), Queensland Government Printer, Brisbane,1990, p.32.

10

5. PROBLEMS WITH THE ROLL

5.1 Currently, the electoral roll is updated by the AEC as a result of the followingactivities:

(a) individuals enrolling for the first time and electors notifying change of enrolmentdetails;

(b) door knock ("Habitation") reviews of every residence (or mail contact in areaswith difficult terrain, high security buildings, sparsely populated rural land etc),generally conducted every two years;

(c) enrolment activity generated by close of roll publicity prior to elections andreferendums;

(d) information received by the AEC when it follows up apparent non-voters afterFederal elections;

(e) information received by State or Territory electoral authorities flowing from thefollow up of apparent non-voters after State or Local Government elections;

(f) AEC or State/Territory initiated enrolment stimulation activities, that is, theidentification of key elector target segments and the conduct of planned,coordinated marketing activity with the aim of motivating elector initiatedenrolment activity; and

(g) information regarding deaths and name changes provided by the Registrar-General.

5.2 The Habitation review (also called an Electoral Roll Review (ERR)) has, for manyyears, been the principal method employed by the AEC to update the electoral roll,outside the processing of enrolment cards received in the normal course ofbusiness.

5.3 Queensland is presently divided into 26 Commonwealth Electoral Divisions with aDivisional Returning Officer (DRO) appointed for each Division. The DROs have theresponsibility of maintaining the roll for their Division. In order to do this, ERRs arecarried out (with the timing of the ERR dependant on the AEC) and, frominformation and enrolment forms obtained, the electoral roll of the Division isupdated.

5.4 Each field officer employed by the AEC for the purposes of the ERR is given a

11

specific area , or "walk". The field officer door-knocks each residence in the walk(with the exception of those residences where it is impracticable to arrange door-knocks and those where silent electors reside ) in order to check enrolment detailswith a responsible member of the household.

5.5 Should an ERR reveal that an elector is no longer at the address shown on theelectoral roll, DROs issue a "notice of objection" before determining whether theelector 's name should be removed from the roll . Objection action of this kind is alsoregularly taken by the AEC when mail is forwarded to it by State or FederalMembers of Parliament who have written to their constituents and had the mailreturned unclaimed.

5.6 There has been growing concern , particularly by State and Territory electoralauthorities, with the perceived inadequacy of existing roll -keeping methods. Suchconcerns date back to at least 197412 and were expressed at length to theCommonwealth Joint Standing Committee on Electoral Matters when it was holdingits Inquiry into resource sharing in the conduct of elections.

5.7 In 1995 , The Australian Joint Roll Council (AJRC ), which is a consultative councilof electoral commissioners and chief electoral officers from the electoral authoritiesof the Commonwealth , States and Territories , engaged a firm of managementconsultants , Australian Strategic Planning Pty Limited (ASPL) to:

"Identify appropriate methodologies for maintaining a complete , up-to-dateelectoral roll of all eligible electors for Federal, State, Territory and LocalGovernment elections , having regard to, but not limited by:

• existing roll maintenance and management systems ... and practices, egHabitation Reviews;

• pilot studies in electoral roll reviews already carried out by State andCommonwealth electoral authorities; and

cost effectiveness. " 13

5.8 ASPL delivered its comprehensive report "Electoral Roll Review Alternatives " in April

12

13

Joint Standing Committee on Electoral Matters (A Bevis , Chairperson ), The Conduct ofElections : New Boundaries for Cooperation , Australian Government Publishing Service,Canberra , 1992 , p.170.

Australian Strategic Planning Pty Limited Electoral Roll Review Alternatives , Report to theAustralian Joint Roll Council, Sydney, 1996, p.6.

12

1996. The arguments advanced in the report against the continued use of the"Point In Time" ERRs were many and compelling. The Report identified thefollowing problems with ERRs:

(a) they are expensive, costing between $15 million and $16 million at least everytwo years;

(b) contact is required to be made with all residences in Australia, even though theroll details for more than 60% of residences are correct. Consequently, onlyabout 30% of the ERR's work achieves a result and accordingly approximately$9 million ($15 million by 60%) is difficult to justify;

(c) an ERR takes a considerable amount of time to complete as field workaverages from 3-4 months and follow-up work takes a further 3 months. Insome instances, the reviews can take up to 9 months to complete. It ispossible for an ERR to be interrupted and much of the work in progress to beinvalidated if an election is called during an ERR. If an election (eitherCommonwealth, State or Local) is announced, the ERR is halted in the areaconcerned. A partially completed ERR could result in allegations of roll-stacking or roll-manipulation, in which the suggestion is raised that areas witha bias to one-side of politics were canvassed;

(d) changing social attitudes and standards are reducing the success rate of doorto door information gathering activities, although the severity of the problemvaries between States. There is an increasing reluctance by residents to openthe door to a stranger, and there are more and more apartment buildings withrestricted public access. The personal safety of field staff could also beconsidered to be increasingly at risk. Further, a large number of casual staffneed to be recruited and trained for every ERR, thereby increasing their cost.The use of such large numbers of casual staff can also lead to problems withthe accuracy of results;

(e) since the timing of ERRs is set by the Commonwealth, priority is given to theFederal election timetable and this usually does not accord with State orTerritory requirements. A State election could be called when an ERR has notoccurred for some time;

(f) ERRs produce workload peaks and troughs, as they concentrate large amountsof work into a six month period. This also means that, in the absence of anERR or the close of rolls rush at election time, the electoral roll lags behind atother times and the accuracy of the roll is not consistent;

13

(g) there is a roll lag, as while an ERR is being conducted and after completion,electors are changing their address at a significant rate. Research has shownthat Australian society is more mobile than ever, with approximately 20% of thepopulation moving house each year.14 This is not reflected in enrolmentactivity.

(h) timing of an ERR is difficult, for example, Australia's climate is not conduciveto a door-knock in many parts of the country much of the year and the numberof school holidays each year also reduces the time available to conduct ERRssatisfactorily; and

(i) a basic flaw with ERRs is that it is easier to get off the roll than on it. The ERRprocess of sending out "Objection Notices" to addresses where electors do notrespond means that electors are removed from the roll at that address withouta corresponding addition at their new address.

5.9 The Commission agrees with ASPL's findings on the shortfalls in the ERR process.Research within the Commission has confirmed that, in the absence of an election,the accuracy of the roll seriously declines. For example, in the 1993-94 financialyear Queensland's population growth was reported as being 3.17%. The growth inthe electoral roll in Queensland during that year was only .034% and theregistrations actually fell at a national level. The following year, an ERR generated400,000 transactions in Queensland and resulted in 120,000 names being deletedfrom the roll. Clearly, the poor state of the rolls in the latter part of 1993-94 and theearly part of 1994-95 would have had a profound effect should an election,particularly a close election, or a redistribution have been held at that time.

5.10 The following graph (Fig. 1) illustrates the radical fluctuations in enrolments over a5 year period from June 1992 to June 1997. The increases and decreases inregistrations result largely from ERRs or elections generating a significant numberof changes to the roll. Ideally the roll in Queensland should show a gradual andsteady growth in line with population growth.

14 ibid., p.26.

Fig. I - Monthly Enrolment - QLDJune 1992-97

2,120,000 -

2,100,000 -

2,080,000 'r-

I2,060,000

0 2,040,000

(.J 2,020,000 -

0O 2,000,000 -

z1,980,000 -r-

1,960,000 -1

1,940,000 -

Federal Election - 13 March 1993

Objection Action following the 1994 Electoral Roll Review -January 1995

Objection Action following the 1993 Federal Election - November 1993

Objection Action following the 1992 Electoral Roll Review- December 1992

I -^^-1Jun Aug Oct Dec Feb Apr Jun Aug Oct Dec Feb Apr Jun Aug Oct Dec Feb Apr Jun Aug Oct Dec Feb Apr Jun Aug Oct Dec Feb Apr Jun

Jul Sep Nov Jan Mar May Jul Sep Nov Jan Mar May Jul Sep Nov Jan Mar May Jul Sep Nov Jan Mar May Jul Sep Nov Jan Mar May

1992 1993 1994 Month 1995 1996 1997

Federal Election 2 March 1996

Ob lion Action lollowin the1996 Federal Election - June1996

Queensland State Election -15 July 1995

QueenslandState Election -19 September1992

14

6. NEW AND BETTER OPTIONS FOR ROLL-KEEPING

6.1 The main recommendation by ASPL was that:

"The AJRC, Australian Electoral Commission (AEC), and State ElectoralCommissions (SECS) proceed with the implementation of a system ofContinuous Roll Updating (CRU) to replace the current Habitation Reviewapproach to roll updating" 15

6.2 The CRU process involves continuously identifying those persons who are notaccurately recorded on the roll and concentrating roll maintenance activities onthem. A key component of the CRU system is the use of outside sources ofinformation (instead of ERRs) for the timely acquisition of possible enrolmentchanges.

6.3 ASPL identified a number of events, recorded by various entities , which could triggerchanges in roll data as:

(a) an existing or potential (ie eligible but not enrolled) elector moves from acurrent address;

(b) an existing or potential elector moves into a new address;

(c) an existing elector changes name;

(d) an existing elector, by reason of being of unsound mind, is unable tounderstand the nature and significance of enrolment and voting;

(e) an existing elector dies;

(f) a potential elector becomes 18;

(g) an existing elector becomes ineligible to vote, for example, the elector isconvicted and under sentence for an offence punishable by imprisonment for5 years or longer; and

(h) an immigrant becomes an Australian citizen and consequently a potentialelector.

15 ibid., p.3.

15

6.4 A number of State Government departments and agencies are routinely advised ofthe matters listed in paragraph 6.3 and are therefore invaluable though untappedsources of information for roll keeping purposes. Such bodies include:

(a) Office of State Revenue. A reduction in stamp duty is granted onconveyancing transactions where the property is declared to be the purchaser'sprincipal place of residence;

(b) Department of Public Works and Housing (public housing records);

(c) Residential Tenancies Authority (rental property information);

(d) Electricity supply authorities;

(e) Department of Transport (as regards 17-18 year olds who obtain a driver'slicence or permit);

(f) Corrective Services Commission (information on sentencing and imprisonment);

(g) Department of Health and the Public Trust Office, for information on personswho are no longer capable of managing their affairs; and

(h) Registrar of Births, Deaths and Marriages for information regarding electors'deaths or change of name.

6.5 The supply by these bodies of relevant data would be extremely useful to the CRUprocess. It is proposed that information held by the above-mentioned bodies couldbe initially supplied to the Commission which would then pass it on to the AEC.

6.6 The data supplied could be processed against RMANS to identify elector matches."Please re-enrol" or "please enrol" forms, together with a letter encouragingenrolment/re-enrolment, could be sent to the elector or potential elector (forexample, at the elector's new address) and the person would only have to fill in anymissing details, sign the form and post it back.

6.7 Following the ASPL report, the AJRC commissioned a CRU Pilot Study usingchange of address data supplied by Australia Post. This has recently beencompleted and the results are very promising. The State holds valuable informationwhich could very much increase the accuracy of the roll if supplied to the AEC,particularly as the CRU Pilot Study revealed that less than 65% of movers useAustralia Post forms.

16

7. IMPACT OF PRIVACY LEGISLATION UPON ELECTORAL ROLL MAINTENANCE

7.1 Successful implementation of a CRU process is dependent on data-matching, aprocess defined in the Commonwealth Privacy Commissioner's voluntary guidelinesas:

"the large scale comparison of records or files of personal information,

collected or held for different purposes, with a view to identifying matters

of interest. i16

7.2 The ASPL Report proposed using Australia Post, as well as State Governmentagencies , as sources of data for the CRU system . It highlighted the privacyimplications of such data-matching in the context of the Privacy Act 1988(Commonwealth ), which places on Commonwealth government departments andagencies an obligation to comply with eleven Information Privacy Principles (IPPs).

7.3 However , the AEC has statutory power to obtain information for roll keepingpurposes which would otherwise be in breach of the Commonwealth privacylegislation . Section 92 ( 1) of the Commonwealth Electoral Act 1918 provides:

"All officers in the service of the Commonwealth , all police , statistical, andelectoral officers in the service of any State , officers in the service of anylocal governing body, and all occupiers of habitations shall uponapplication furnish to the Electoral Commission or to any officer actingunder its direction all such information as the Electoral Commissionrequires in connexion with the preparation, maintenance or revision of theRolls. "

7.4 Despite this legislative power , the Commonwealth Privacy Commissioner assertsthat:

"The S92 provisions you wish to rely on were written a long time ago inan era when , I believe , the Parliament had in mind the old 'door-knock'habitation reviews . While the S92 powers do refer broadly to reviewingthe rolls "in such a manner as the Commission considers to beappropriate", I am confident the Parliament was not, at that time, thinkingabout an electronic data matching exercise . It may well be that theParliament considers you should have such data-matching powers but,given the history of debate over data-matching that has occurred in this

1 6 ibid., p.41.

17

country over the past 10 years, / believe it is a debate we would need to

have. 17

7.5 The Privacy Commissioner has also expressed the view that , in the absence of apower such as section 92 of the Commonwealth Electoral Act, the consent of eachperson must be obtained before relevant information can be passed on to anelectoral authority without breaching the Commonwealth Privacy Act. Clearly,obtaining consent from each person severely limits the opportunity to update the rollusing alternative data bases of information.

7.6 Similarly, in the absence of appropriate legislative power, State privacy legislationwould most likely prevent State departments and instrumentalities providingessential information to the Electoral Commission for roll maintenance purposes.

17 M Scollay, Continuous Roll Updating and Privacy Considerations, address to the AustralianJoint Roll Council, Sydney, 19 June 1997.

18

8. CONCLUSION

8.1 It is in two main areas that tensions may arise between the Commission'sperformance of its powers and functions under the Electoral Act 1992 and anylegislation seeking to protect the privacy rights of Queenslanders, namely:

• the exercise by the Commission of its discretion to allow the data on the entireroll to be supplied to certain State departments and agencies in the overallpublic interest of Queenslanders; and

• the proposal to seek relevant data from State agencies which could be "data-matched" by the AEC for CRU purposes so that the joint electoral roll inQueensland is as accurate and current as possible.

8.2 The best possible outcome from the Commission's viewpoint would be for anysupply of information for data-matching CRU processes to be exempt from any Stateprivacy legislation, or, more significantly, provide the Electoral CommissionQueensland with legislative power to obtain essential information for roll keepingpurposes similar to that contained in the Commonwealth Electoral Act 1918 (s92(1)).

8.3 Any reasonable use of personal information in order to maintain the accuracy andcurrency of Australia's electoral roll should not be regarded as an invasion ofprivacy, but as the responsibility of living in a modern democracy. The cornerstoneof democracy is universal suffrage, and it is essential that all possible assistance isgiven to electors to maintain their ability to exercise this.

8.4 For this reason, it is vital that any State privacy legislation not impede thedissemination of information held on the entire roll to approved State Governmentagencies (provided always that the public interest in distributing the informationoutweighs any privacy considerations), nor the CRU process, which aims to makeAustralia's electoral roll more accurate more of the time.

19

9. BIBLIOGRAPHY

1. Arrangement between the Governor -General and the Governor of Queenslandfor a Joint Electoral Roll , 4 November 1991.

2. Australian Bureau of Statistics 1997 , Australian Demographic Statistics 1996Census Edition (3101.0), Australian Government Publishing Service , Canberra.

3. Australian Electoral Commission 1992, Electoral Enrolment Form (ER016-2/92), Queensland Government Printer , Brisbane.

4. Australian Joint Roll Council Steering Committee 1997 , Report on theContinuous Roll Update Pilot Study 1996-7, unpublished report to theAustralian Joint Roll Council.

5. Australian Strategic Planning Pty Limited 1996 , Electoral Roll ReviewAlternatives , unpublished report to the Australian Joint Roll Council.

Electoral and Administrative Review Commission 1990 , (T Sherman,Chairman ), Queensland Electoral Roll Review (90/16), QueenslandGovernment Printer , Brisbane.

7. Electoral and Administrative Review Commission 1990, (T Sherman,Chairman ), Report on Queensland Joint Electoral Roll Review (90/R3),Queensland Government Printer , Brisbane.

Electoral and Administrative Review Commission 1991 , (T Sherman,Chairman ), Report on the Review of the Elections Act 1983-1991 and RelatedMatters (91/R7), Queensland Government Printer, Brisbane.

9. Electoral Commission Queensland 1994 Annual Report 1993-1994,Queensland Government Printer , Brisbane.

10. Electoral Commission Queensland 1996 Annual Report 1995-1996,Queensland Government Printer , Brisbane.

11. Joint Standing Committee on Electoral Matters 1992 (A Bevis, MP,Chairperson ), The Conduct of Elections : New Boundaries for Cooperation,Australian Government Publishing Service, Canberra.

12. Legal , Constitutional and Administrative Review Committee 1997 (J GaminMLA, Chairman ), Privacy in Queensland, (Issues Paper No 2), LegislativeAssembly Queensland.

13. Liberal Party of Australia 1991, Submission to the Joint Standing Committeeon Electoral Matters' Inquiry into Resource Sharing in the Conduct ofElections.

14. Scollay , M 1997, Continuous Roll Updating and Privacy Restrictions , addressto the Australian Joint Roll Council , Sydney , 19 June 1997.

15. The Courier-Mail, 16 July 1997.

L4

Sandy Musch

From : Alex Bowman[SMTP:[email protected]]Sent : Thursday, 31 July 1997 13:02To: LCARCSubject : Privacy in Queensland

I am concerned that the current proposed legislation which comes underRegional Open Spaces System (ROSS) will set up means by which privatelandowners will be forced/coerced into having members of the public givenaccess to their (the landowner) private property in order that they (thepublic) might engage in environmental study /pursuits relating to theecology or ecotourism. This will be an invasion of privacy and open up alltypes of potential legal claims for damages and the like.This legislation , the Open Spaces system is currently under review by anumber of bodies, Brisbane City Council, & local Councils, who inviteselected minority environmental groups who are not stakeholders , to beincluded in the review process, but have not to date made the details orthe Draft principles available to the general public who will have a directinterest, especially if they are stakeholders with Rural/Rural residentialproperties

Alex Bowman1034 Beenleigh Redland Bay RdCarbrook 4130ph 38290515ah33627141bh

Page 1

Queensland

C> FFICE -'1. : 7-:-' INFO

Your ref. -Our ref. Misc. GJS:MD

31 July 1997

T-1 0 C ;L C !'

The Research DirectorLegal, Constitutional and Administrative Review

CommitteeParliament HouseBRISBANE QLD 4000

Dear Sir/Madam

25th FloorJetset Centre

288 Edward StreetBRISBANE QLD 4000

Telephone: (07)3246 7100Facsimile: (07) 221 0836

LEGAL , CONSTITUTIGNAL ;i4ADMINISTRATIVE REVIEW CCMMII1i L

1 AUG 1997

RE: ISSUES PAPER NO 2 RELEASED BY THE LEGAL, CONSTITUTIONAL ANDADMINISTRATIVE REVIEW COMMITTEE - "PRIVACY IN QUEENSLAND"

My office has obtained Issues Paper No 2 by the Legal, Constitutional and AdministrativeReview Committee, "Privacy in Queensland" (May 1997). I would like to make some briefobservations on the relationship between the Freedom of Information Act 1992 Qld (the FOI

Act) and any proposed privacy legislation.

There would be an area of overlap between the FOI Act (in particular s.44 and Part 4 of theFOI Act) and any Queensland privacy statute that is broadly modelled on the Privacy Act

1988 Cth. It would not be possible to completely eliminate that overlap by a measure such asremoving all rights of access to, or amendment of, personal information (concerning aparticular applicant) from the FOI Act into a proposed privacy statute. If the FOI Act were tobe confined to requests for government information, rather than personal information of theparticular applicant (assuming that could be practicably achieved, which I doubt) manyrequests for government information will encompass personal information concerningpersons other than the applicant for access, and privacy considerations would have to be takeninto account in deciding whether access should be given to that information under the FOIAct. (Moreover, on the reverse side of the coin, if a regime for access to personal informationwere contained in a new privacy statute, it would still need exemption provisions similar tothose in the FOI Act. Many applicants for personal information under the FOI Act arerefused access where the information is exempt under provisions like s.36, s.37, s.38, s.40,s.41, s.42, s.45 and s.46).

There will always be a fundamental tension between privacy laws and Freedom ofInformation laws, and the practical problems of bringing them into harmony should not beunderestimated. Governments are in the business of policing and regulating the activities ofindividuals and corporations, providing services and benefits to individuals and corporations,and collecting taxes and charges from individuals and corporations to fund governmentoperations. The FOI Act seeks to enhance greater public scrutiny of, and greateraccountability for, the performance by government of its functions, which will inevitablyencompass the performance of those functions in respect of particular individuals. In manyinstances, the objects of the FOI Act can be achieved without intruding into the privacy of

2

individuals, but, in other instances, achievement of the objects of the FOI Act may justifiablybe considered to warrant some intrusion into the privacy of individuals. The way the balanceis presently struck under s.44(1) of the FOI Act means that the privacy interest in respect ofinformation concerning an individual's "personal affairs" (a term which, I note, is not as broadin scope as the term "personal information" used in the Privacy Act 1988 Cth) must prevail,unless there exist identifiable public interest considerations favouring disclosure of theparticular information in issue which are of such weight as to warrant a finding thatdisclosure of the information would, on balance, be in the public interest.

I consider it important that a roughly similar balance be preserved (I say "roughly similar"because I think there is good case for amending s.44(1) of the Queensland FOI Act to adoptthe "unreasonable disclosure" test used in the privacy exemption provisions of all other FOIstatutes in Australian jurisdictions), and that privacy legislation should be so framed that itdoes not unduly inhibit public scrutiny of the performance of government functions.

One key issue, for example, is whether the FOI Act and the proposed privacy statute shouldbe harmonised around the central concept of privacy protection attaching to "informationconcerning a person's personal affairs" or to "personal information". As interpreted by a FullCourt of the Federal Court of Australia in Re Colokovski and Australian TelecommunicationsCorporation (1991) 100 ALR 111 and by the New South Wales Court of Appeal inCommissioner of Police v District Court of New South Wales and Perrin (1993) 31 NSWLR606 (both of which I have endorsed and followed in Queensland), the term "informationconcerning a person's personal affairs" is not as broad in scope as the term "personalinformation". I have interpreted the former term to mean information about the privateaspects of a person's life, and it has been established that the term does not extend toinformation which merely concerns the performance by a government employee of his or heremployment duties (see Re Pope and Queensland Health (1994) 1 QAR 616 at pp 658-660).This approach harmonises with the object of promoting greater scrutiny and accountability, inrespect of the performance of government functions. In jurisdictions like the Commonwealth ofAustralia and Western Australia, which have in recent years based their privacy exemption inFOI legislation on the phrase "personal information", special provision has had to be made inrespect of information concerning the performance by a public sector employee of his or herduties of employment.

It is important that relevant provisions of the FOI Act and any Queensland privacy statute (theapplication of which carries the potential to bring the law into disrepute by leading toinconsistent results when applied to essentially identical information) should be brought intoharmony so far as practicable. There is no point in attempting to anticipate and address all thepossible difficulties, in a submission of the present kind. Rather, I respectfully suggest that yourCommittee recommend that the experience and expertise of myself and my senior staff indealing with issues relating to privacy protection, be availed of in the drafting process withrespect to any new privacy legislation and any consequential amendments to the FOI Act, andthat we be given opportunities for consultation and comment upon any draft Bills that areproduced.

As to a new office of Privacy Commissioner being added to the already significant demandsof the offices of the Parliamentary Commissioner for Administrative Investigations(Ombudsman) and Information Commissioner, I have mixed feelings. The staff of the Officeof the Information Commissioner already have experience and expertise which would behighly relevant to some of the functions proposed for a Privacy Commissioner (i.e., questionsconcerning access to, and amendment of, personal information), but experience and expertisewould have to be acquired to undertake other proposed functions.

3

It may be that a separate office of Privacy Commissioner charged with a policy role and aninvestigative/auditing/monitoring role would be more appropriate, with a right of appeal(involving full merits review ) lying to the Office of the Information Commissioner for aperson aggrieved by a decision claimed to be contrary to any rights conferred , or obligationsimposed , under a new Queensland privacy statute. In that regard, much will depend onwhether legal rights or obligations are conferred or imposed in the final form of any privacystatute that emerges. Cost considerations with respect to the establishment of a new statutoryoffice of Privacy Commissioner, in contrast to the cost of adding the function to an existingstatutory office, are likely to loom large in any final decision made by Cabinet on this issue.

I should be happy to meet with yourself or the Members of the Parliamentary Committee toprovide more detailed comment on any significant issue you encounter in the course of yourinquiry, in respect of which the experience and expertise of the Office of the InformationCommissioner may be of assistance.

Yours faithfully

F N ALBIETZINFORMATION COMMISSIONER

3.

AUSTRALIANPRESSCOUNCIL

31 July 1997

Suite 303149 Castlereagh StreetSydney NSW 2000

Tel: (02) 9261 1930Fax: (02 ) 9267 6826E-mail: [email protected]

Ms Judy Gamin MLAChairmanLegal, Constitutional and Administrative Review CommitteeLegislative Assembly of QueenslandParliament HouseGeorge StreetBRISBANE QLD 4000

Dear Ms Gamin,

ChairmanProfessor David Flint

Executive SecretaryJack R Herman

LEGAL, CONSTITUTIONAL ANDADMINISTRATIVE REVIEW COMMIT'i EE

4 AUG 1997

In response to your letter of 16 May, and on behalf of the Council's Chairman, ProfessorDavid Flint, I enclose the attached submission from the Press Council commenting on theIssues Paper, Privacy in Queensland.

Professor Flint has asked me to indicate that he would be willing to discuss the PressCouncil's submission with your committee in order to clarify the its position on the issuesraised.

The Council extends its thanks to you for the opportunity of presenting its submission.

Yours sincerely,

Jack(R HermanExecutive Secretary

Please address all correspondence to the Executive Secretary at address above.

i'l.•F•i'i,.•iJ

ITT

31 July 1997

Suite 303, 149 Castlereagh Street, SYDNEY NSW 2000Phone: (02) 9261 1930 Fax: (02) 9267 6826

Email: [email protected]

INTRODUCTION

This is a Submission from the Australian Press Council to the Legal, Constitutional and

Administrative Review Committee of the Queensland Legislation Assembly on its Issues

Paper, "Privacy in Queensland", May 1997.

2. EXECUTIVE SUMMARY

The Council sees no public interest in the introduction of laws which would regulate

news gathering activities, in public, whether or not assisted by unusual skills or

manufactured devices.

The Council has itself looks at, and has ruled on, the ethical legitimacy of alleged

intrusions by invasive means into private property and believes such intrusions by the

press are not a serious concern in Australia.

AUSTRALIAN PRESS COUNCIL

The Australian Press Council is a voluntary association of organisations and persons

established on 22 July 1976. The membership of the Council is set out in Annexure A.

Its objects are:

(i) To maintain the character of the Australian press in accordance with the

highest journalistic standards and to preserve its established freedom.

(ii) To consider, investigate, and deal with complaints about the conduct of the

press and the conduct of persons and organisations towards the press.

(iii) To keep under review developments likely to restrict the supply by and to the

press of information of public interest and importance.

To report publicly on developments in press ownership and control and to

publish statistical information about them.

(v) To make representations concerning the freedom of the press on appropriate

occasions to governments, public inquiries, and other organisations in

Australia and abroad.

(vi) To publish reports recording the Council's work, to review from time to time

developments in the press and factors affecting them; and to exchange

information with other similar bodies.

2

4. PRIVACY AND THE AUSTRALIAN PRESS COUNCIL

4.1 The Australian Press Council believes that freedom of the press is the freedom of

the people to be informed. This is the justification for upholding press freedom as

an essential feature of a democratic society. This freedom, won in centuries of

struggle against political and commercial interests, includes the right of a

newspaper to publish what it reasonably considers to be news, without fear or

favour, and the right to comment fairly upon it.

4.2 The Council believes that freedom of the press is more important because of the

obligations it entails towards the people than because of the rights it gives to the

press.

4.3 The Council has adopted certain general propositions on those obligations. These

are contained in the Statement of Principles (Annexure B). Of particular relevance

is Principles 3 which provides:

Readers of publications are entitled to have news and comment

presented to them honestly and fairly, and with respect for the privacy

and sensibilities of individuals. However, the right to privacy should

not prevent publication of matters of public record or obvious or

significant public interest. Rumour and unconfirmed reports, if

published at all, should be identified as such.

4.4 The Council believes that while there is a need to make better provision for the

protection of privacy in relation to electronic data bases, the existing common and

statutory law provides sufficient protection of personal privacy.

4.5 In particular, the Council stresses that unlike most comparable democracies,

Australia makes no express provision in the Constitution guaranteeing freedom of

speech and of the press. In this submission the "press" may be taken to refer to

the media generally. (There is a however limited freedom of political

communication recognised as arising from the concept of representative and

responsible government: see Lange v ABC, High Court, unreported 7 July

1997.)

4.6 In the absence of such an express guarantee, and the minimal impact of the implied

freedom of political communication, laws restricting free speech and the media

will not therefore be subject to the same judicial scrutiny as in most comparable

countries. Hence there is need for great care in enacting new legislation in this

area.

3

4.7 The Council believes that the role of the press in informing the people on all

matters of public interest necessarily requires that the press be able to gather that

information. Without this prior ability, the press would be unable to exercise the

role which society expects the press to play.

4.8 While the Council accepts the justification for laws respecting privacy on private

property (eg the laws of trespass , nuisance , and protecting the privacy of

telephonic communications ), the Council would be opposed to laws which restrict

legitimate newsgathering activities in public places . In principle there does not

seem to be any objection to the use of unusual skills (eg lip reading), or

manufactured devices (telescopes , binoculars, cameras, video recorders, zoom

lens' etc) to assist this activity . Nor can the Council see any advantage in

distinguishing between those devices of general use which can be used for

surveillance , for example glasses or cameras, and those whose use seems

designed for surveillance , eg zoom lens.

4.9 The Council therefore sees no public interest in the introduction of laws which

would regulate news gathering activities , in public , whether or not assisted by

unusual skills or manufactured devices.

4. 10 The Council has itself ruled on the ethical legitimacy of the intrusion by invasive

means into private property in Adjudication No. 916 (Annexure Q. It believes that

most of the press respect such restrictions and that , based on the small number of

complaints it receives in this area and the small number of such complaints

received by, for example, the NSW Privacy Commission on similar matters, such

intrusions by the press are not a serious concern in Australia.

ANNEXURE A

THE AUSTRALIAN PRESS COUNCILMEMBERS

August 1997

Chairman

Professor David Flint

Industry Membei 10 Representing Alternates

Mr Warren Beeby News Ltd vacant

Ivls Pamela Bone David Syme & Co Ltd Mr Bruce Guthrie

M r Paul Murray WA Newspapers Mr Mike Polkinghorne

Mr Ian hicks John Fairfax Group Mr Milton Cockburn

ivfr Chris McLeod Herald & Weekly Times Ltd Ms Linda Smith

Mr David McNicoll Australian Consolidated Press Ms Lenore Nicklin

Mr David Sommerlad Country Press Australia vacant

Mr Tony Vert-ricer Australian Associated Press Mr Col Burgess

Mr John Radovan

Mr Lloyd Whish-Wilson Regional Dailies of Australia Ltd Mr Dale Jennings

one vacancy - currently negotiating with sections of the ethnic community to see if a representative of the non-

Anglophone press can be appointed.

Public Members 7 members}

AMIr Lange Powell

Ivlr John Ensor

Mrs Caroline Gale

Prof H P Lee

Mr Kevin McCreanor

Ms Natascha McNamara

Mrs Judy Taylor

Journalist Members (2)

Mr Peter Costigan

Ms Margaret Jones

Editorial Panel [one member of the panel attends each meeting]

Mr John Morgan (on leave), Mr Dan O'Sullivan, Mr Roy Theodore

Vice-Chairman

Panel of Alternates

Mr David Cotton

Sir John Mason

Ms Kezia Purick

Mr Giuliano Ursini

Panel of Alternates

Mr Ken Randall

Mr Evan Whitton

Executive Secretar r (non voting)

Mr Jack R Herman

ANNEXURE B

AUSTRALIAN PRESS COUNCIL

STATEMENT PRINCIPLES

To help the public and the press, the Australian Press Council has laid down the broad principles to which it iscommitted.

First, the freedom of the press to publish is the freedom of the people to be informed. This is the justification forupholding press freedom as an essential feature of a democratic society. This freedom, won in centuries of struggleagainst political and commercial interests, includes the right of a newspaper to publish what it reasonably considersto be news, without fear or favour, and the right to comment fairly upon it.

Second, the freedom of the press is important more because of the obligation it entails towards the people thanbecause of the rights it gives to the press. Freedom of the press carries with it an equivalent responsibility to thepublic. Liberty does not mean licence. Thus, in dealing with complaints, the Council will give first and dominantconsideration to what it perceives to be in the public interest.

The Council does not lay down rules by which publications should govern themselves. However, in consideringcomplaints, the Council will have regard for these general principles.

11. Newspapers and magazines ("publications") should not publish what they know or could reasonably beexpected to know is false, or fail to take reasonable steps to check the accuracy of what they report.

2. A publication should make amends for publishing information that is found to be harmfully inaccurate byprinting, promptly and with appropriate prominence, such retraction, correction, explanation or apology aswill neutralise the damage so far as possible.

3. Readers of publications are entitled to have news and comment presented to them honestly and fairly, andwith respect for the privacy and sensibilities of individuals. However, the right to privacy should not preventpublication of matters of public record or obvious or significant public interest. Rumour and unconfirmedreports, if published at all, should be identified as such.

4. News obtained by dishonest or unfair means, or the publication of which would involve a breach of confidence,should not be published unless there is an over-riding public interest.

5. A publication is justified in strongly advocating its own views on controversial topics provided that it treats itsreaders fairly by

0 making fact and opinion clearly distinguishable;0 not misrepresenting or suppressing relevant facts;e not distorting the facts in text, headlines, pictures, billboards or posters;Q disclosing any commercial or other interest which might be construed as influencing the publication's

presentation of news or opinion.

6. A publication has a wide discretion in matters of taste, but this does not justify lapses of taste so repugnant asto be extremely offensive to its readership.

7. Publications should not place any gratuitous emphasis on the race, religion, nationality, colour, country oforigin, gender, sexual orientation, marital status, disability, illness, or age of an individual or group. Nevertheless,where it is relevant and in the public interest, publications may report and express opinions in these areas.

8. Where individuals or groups are singled out for criticism, the publication should ensure fairness and balancein the original article. Failing that, it should provide a reasonable and swift opportunity for a balancing responsein the appropriate section of the publication.

9. Where the Council issues an adjudication, the publication concerned should prominently print the adjudication.

The Council strives to ensure that its adjudications on complaints reflect both the conscience of the press and thelegitimate expectations of the public.

OCTOBER 1996

ADJUDICATION No. 916 (April 1997) ANNEXURE C

The Australian Press Council has described as a blatant example of the unjustifiedbreach of privacy the publication by The Daily Telegraph, Sydney, of sneakphotographs of Senator Bob Woods and his wife Jane in private discussion in thebackyard of their home.

The complaint by James Gallagher, of Castle Cove, who asserted that publication of thephotographs breached three Press Council principles - covering privacy, the obtainingof news by unfair means, and the issue of taste - has been upheld.

These matters often call forth subjective judgments by readers. But the Press Councilis bound by its rules to balance elements of press intrusiveness against the over-ridingprinciple of public interest - which, broadly, means publication of matters the public isentitled to know about.

In this case Senator Woods was emerging from a relationship with woman who was aLiberal Party worker. At the time the photographs were taken he had returned to thefamily home. He was also being investigated by Federal Police over allegations he hadrorted his Parliamentary expenses.

These were issues of public interest, and the Telegraph had every right to explorethose issues.

The photographs were taken by a photographer standing outside the house. Despitethe distance involved, the photographic expertise gave the pictures the appearance ofhaving been taken close to Senator Woods and his wife. Indeed they looked as if theyhad been taken in the couple's backyard.

The pictures were published on the front page and page 3 of the Telegraph of 7February.

The headline accompanying the front-page picture of a private and apparentlyemotional discussion between the couple read: "In the garden of their home, asenator and his wife confront a scandal."

The story on page one set out the Telegraph's interpretation of its photographs: "Thebody language said it all ... tense backyard meeting ... but she remained steely-eyed."

Nothing in the story suggested the manner in which the Telegraph obtained itspictures.

In the view of the Press Council publication of the photographs was a blatant exampleof a breach of privacy. But was publication justified by public interest?

The Telegraph claimed it was, in its written response to the Press Council. Its assistanteditor set out that there was no trespass involved, so the pictures were legal. As to thepublic interest, Senator Woods was a public figure involved in issues of legitimateinterest to the public, who after all paid his salary, and his wife was involved in theissues being aired before the public.

Essentially, the defence extended the public's right to know to a right to publish thesneak photographs.

The Press Council does not accept this argument. It regards publication of the picturesas a breach of its principle relating to "respect for the privacy and sensibilities ofindividuals" and sees no compelling public interest in the obtaining and publicationof pictures of this kind.

LEGAL, CONSTITUTIONAL AADMMTRATIVE REVIEW COMMM19

I I'M

31 July, 1997

The Research DirectorLegal, Constitutional and Administrative Review CommitteeParliament HouseBrisbane QLD 4000

Dear Director

The Real Estate Instituteof Queensland

Thank you for the opportunity to comment on the proposed inquiry into privacy inQueensland.

The following submission summarises a number of activities that occur within the real estateindustry. It then outlines some of the areas that we believe would be impacted by privacylegislation.

Please contact me on my direct line 3891 5792 should you require anything further.

Yours faithfully,

D L MolloyGENERAL MANAGER

The Real Estate Institute

of Queensland Ltd

Turbo Drive, Coorparoo

PO Box 1555

Coorparoo DC Qld 4151

Ph: (07) 3891 5711

Fax: (07) 3891 5742

http://www.reiq.com.au

email: [email protected]

ACN 009 661 287

REIQThe Real Estate Institute

of Queensland

Real Estate Issues

Executive SummaryWe believe that any requirements of privacy legislation include both the private and publicsectors . However, such requirements should provide comprehensive consumer protectionmechanisms without imposing significant administrative imposts on small businesses.

Any privacy legislation should impose strict information handling provisions on thoseresponsible for collecting the information while assisting in the commercial activities that theconsumer has entered.

While industry-specific issues could be addressed through a legally enforceable code ofpractice, the REIQ believes that legislation adopted at State level would be more effective incontrolling the wider private sector.

As the property management industry requires significant and sensitive personal detailsfrom a range of clients, it is necessary that appropriate consumer protections be in place.

These provisions would have a twofold effect:

• Since the turnover of property managers tends to be high , appropriate controls andprotections would provide consumers with assurance that their sensitive information washandled appropriately;

• Similarly, property managers would have established guidelines to which they can referwhen dealing with this sensitive information.

The REIQ believes any proposed legislation be administered by a Privacy Commissionerwho could be attached to a suitable body, such as the Human Rights and Equal OpportunityCommission.

Since any proposed privacy legislation would have wide -ranging implications for manyindustries throughout the private sector, we believe that the consultation process becomprehensive . With this in mind, the REIQ, as the peak professional organisation for thereal estate industry, would welcome any opportunity to join a working party formed to furtherdevelop this legislation.

GeneralThe real estate industry uses a variety of information sources to gather relevant data for arange of commercial and private transactions . This information is used when selling andbuying property , managing investment property on behalf of investors so they can be rentedout, collecting information from potential tenants as to their suitability as clients , commercialand business transactions, and others.

Recent legislation , such as the Body Corporate and Community Management Act and theproposed Commission Agents and Motor Dealers Bill, impose added disclosurerequirements on industry practitioners.

Industry practitioners often liaise with financial organisations and solicitors on behalf fortheir clients and have access to both private and occasionally commercially sensitiveinformation.

Little in the way of current legislation and codes of conduct address the privacy issues withthe above access to and communication of sensitive data. However, the REIQ hasrecognised that all dealings between agents and their clients should be confidential. Thisrequirement is recognised through the REIQ Code of Ethics, which all REIQ members mustabide by. However, other industry practitioners are exempt from the REIQ conditions andmust only comply with the current provisions of the Auctioneers and Agents Act 1971.

Conclusion: We believe that any requirements of privacy legislation include both theprivate and public sectors. However, such requirements should provide comprehensiveconsumer protection mechanisms without imposing significant administrative imposts onsmall businesses.

Equally, any privacy legislation should impose strict information handling provisions onthose responsible for collecting the information while assisting in the commercial activitiesthat the consumer has entered.

While a number of these industry-specific issues could be addressed through a legallyenforceable code of practice, the REIQ believes that legislation adopted at State levelwould be more effective in controlling the wider private sector.

Sales IssuesIn the normal course of their duties , a salesperson collects a variety of information fromboth sellers of property and from buyers , much of which is private in nature.

Some of information deals with:

• The motivation for selling;

• The asking price;

• Deeds for the property;

• Any mortgages held the property;

• The buyer's ability of purchase the property;

• The buyer's preferences in property types and features;

• Other relevant financial and personal details.

Much of this information is kept confidential and used only within the confines of the officefor which the salesperson works . However , in some circumstances , principals and clericalstaff may be required to use this information in the preparation of documents, includingcontracts of sale , listing information , auctions , and other legislatively required documents.

While the REIQ , through its Code of Ethics , requires its members deal confidentially withthis information, little in the way of guiding principles are available.

Agencies seeking listings have access to Valuer-General records and other databases,which often can contain a variety of personal and sensitive information . This can be used byagencies to telephone and canvass by mail consumers for business. This has significantimplications for consumer privacy issues.

Conclusion: While a number of these industry-specific issues could be addressed througha legally enforceable code of practice , the REIQ believes that legislation adopted at Statelevel would be more effective in controlling the wider private sector.

Property Management IssuesThe nature of the Property Manager 's role requires that they have access to a variety ofsensitive information from both their lessors and tenants.

Resident unit management is also a thriving industry within Queensland and subject toconsiderable growth . While the role of the resident manager is similar to that of the propertymanager , they have the added responsibilities of maintaining body corporate information.

Lessors provide property managers with:

• Personal details;

• Information about their related bank accounts;

• Cash-flow projections;

• Insurance policies; and

• other details.

This information is provided under specific written authorities to the agency. Again, theinformation is kept within the authorised agency, however a number of people, from theproperty manager to their assistants, have access to the information. This is also true ofConsumer Affairs investigators and other authorised Government Departments.

Tenants are similarly required to provide:

• substantial personal details when applying to rent property;

• Who will live at the property;

• Bank account details;

• Employment and income; and

• Relatives.

This information is gathered by the authorised Property Manager and is used to establishthe suitability of the applicant . These duties are undertaken in recognition of the agency'sresponsibilities towards the lessors for such things as credit checks.

Again, the information is kept within the authorised agency, however a number of people,from the property manager to their assistants, have access to the information. This is alsotrue of Consumer Affairs investigators and other authorised Government Departments.

When the tenant relocates, the originating property manager is often asked for thisinformation and to act as a referee for the tenant. This information is then used similarly bysubsequent property managers.

Conclusion : As the property management industry requires significant and sensitivepersonal details from a range of clients, it is necessary that appropriate consumerprotections be in place.

These provisions would have a twofold effect:

• Since the turnover of property managers tends to be high, appropriate controls andprotections would provide consumers with assurance that their sensitive information washandled appropriately;

• Similarly, property managers would have established guidelines to which they can referwhen dealing with this sensitive information.

Administration of any privacy legislationOne of the key issues in this submission is the manner any proposed legislation beadministered . The REIQ believes that, rather than establish a tribunal to enforce the act, aPrivacy Commissioner with appropriate jurisdictions could be attached a suitable body, suchas the Human Rights and Equal Opportunity Commission.

Development of LegislationSince any proposed privacy legislation would have wide-ranging implications for manyindustries throughout the private sector , we believe that the consultation process becomprehensive . With this in mind , the REIQ, as the peak industry professional organisationfor the real estate industry , would welcome any opportunity to join a working party formed tofurther develop appropriate legislation.

31 July 1997

The Research DirectorLegal , Constitutional and AdministrativeReview CommitteeParliament HouseBRISBANE QUEENSLAND 4000

Facsimile No.: (07) 2406 7691

Dear Sir\Madam


LEGAL, CONSTITUTIONAL ANDADMINISTRATIVE REVIEW COMMIT` L

4 AUG 1997

FACTS' submission to the Legal, Constitutional and Administrative Review Committee's inquiryinto Privacy in Queensland is attached.

Yours sincerely

OANNE COURTDirector Legal and Broadcast Policy

jec\priv\gId1.1

FEDERATION OF AUSTRALIAN COMMERCIAL TELEVISION STATIONS44 Avenue Road Mosman NSW 2088 Australia Telephone (02) 9960 2622 Facsimile (02) 9969 3520

31

31 July 1997

Judy Gamin MLAChairmanLegal , Constitutional and Administrative Review CommitteeLegislative Assembly of QueenslandParliament HouseGeorge StreetBRISBANE QUEENSLAND 4000

Dear Chairman


LEGAL, G4 ONALANDS TIVE REVIEW COMMITT99

4 AUG 1997

The Federation of Australian Commercial Television Stations (FACTS) thanks the Legal,

Constitutional and Administrative Review Committee for the opportunity to make

submissions to the Committee ' s wide ranging inquiry into privacy in Queensland.

FACTS represents the licensees of all 44 commercial free-to-air television stations inAustralia including the operators of the following Queensland stations:

BTQ-7 (Brisbane - Seven Network)

QTQ-9 (Brisbane - Nine Network)

TVQ-10 (Brisbane - Ten Network)

STQ (Sunshine Coast - Seven Network)

RTQ (Rockhampton - WIN Group)

TNQ (Townsville - TEN Queensland)

QQQ (Queensland Satellite Television)

We agree with the comment made by the Committee in its Issues Paper that the issue of

privacy protection is a complex one largely because privacy concerns arise in many, often

divergent, areas. The issue of privacy protection, and the appropriate response to privacyconcerns, need to be considered separately in each context in which the issue and concerns

arise.

Privacy in the media context is not a topical issue in Queensland or elsewhere in Australia.

It is significant that there have only been four complaints made concerning alleged breachesof privacy in broadcasts by commercial television stations in Queensland in the last four

FEDERATION OF AUSTRALIAN COMMERCIAL TELEVISION STATIONS44 Avenue Road Mosman NSW 2088 Australia Telephone (02) 9960 2622 Facsimile (02) 9969 3520

Privacy in Queensland Page 2.

years.' As is clear from the Committee's Issues Paper, the focus of current privacy concerns

is the development and convergence of new technologies which allow private informationconcerning individuals to be economically and efficiently collected, stored and used in newways which extend far beyond the mere disclosure of private information.

The media is not subject to any general data protection legislation in Australia nor is the mediasubject to such legislation in other comparable jurisdictions internationally. It is trite to saythat the media is a special case but as far as privacy protection is concerned, it is undoubtedly

true.

We are not suggesting that the media should (or does) have free rein to publish or broadcast

private information or images in any manner or for any purpose . The Australian media is

already subject to laws which protect against the inappropriate or unfair means of gatheringor disclosing personal information and images including the laws of trespass , nuisance, breach

of confidence and most relevantly , defamation. Under the law of defamation in Queensland,it is not a defence to the publication of personal information which is defamatory to establishthat the information is true; the information must be true and its disclosure must be to the

public benefit. The public benefit element of the justification defence serves a privacy

protection function . The Invasion of Privacy Act 1971 (Qld) also provides privacy protection

in relation to listening devices.

Additional legal regulation is an inappropriate response to potential media incursions onindividual privacy particularly in view of the risk this poses to the media's role in facilitatingfree speech. The public and the media generally have legitimate interests in publishing orbroadcasting private information or images even if, in some instances, the individualconcerned objects. The `gagging writ' issue was identified in the Committee's Issues Paper

in the discussion of the introduction of a new tort of privacy. A general privacy law whichplaces restrictions on the publication of information by the media in the interest of privacywould inevitably be used by the wealthy, powerful and\or dishonest to prevent access to, and

the publication of, information which the public should rightfully have. The Issues Paper

refers to the `information' privacy right as being the right of individuals, groups, or

institutions to determine for themselves when, how, and to what extent information about them

is communicated to others. If such a right was granted in general privacy legislation in

Queensland, in the absence of applicable qualifications or exceptions, the freedom and abilityof the Queensland media to report on news and current affairs would be greatly and unduly

restricted.

Media self-regulation, through codes of practice and effective complaints procedures, is thebest way of achieving the right balance between the public's right to know, the media's

These were complaints made under the Commercial Television Industry's Code of Practice whichis discussed later in this submission. FACTS collects data concerning complaints made under theCode and analyses of this data are published in annual reports. The 1996 report is attached to this

submission for the Committee's information.


interest in disseminating news of concern and interest to its audience and respect for privacyincluding personal tragedy and grief. Codes of practice set standards of behaviour and havea vital educative function for journalists and media management. A direct complaintsprocedure not only provides a more immediate and accessible form of recourse for thecomplainant than the courts system, journalists and management are made more aware of thepublic's concerns and can more readily modify or end the practice or behaviour which gaverise to the complaint(s).

FACTS supports the Federal Government's decision not to introduce privacy laws coveringthe private sector and its encouragement of the development of industry specific codes ofpractice. Industry self-regulation by national industries such as commercial television,encourages uniformity of practice and avoids the difficulties arising from differences in Statebased legislation and statutory disincentives to Queensland based operations.

The commercial television industry effectively addresses the privacy concerns of its viewers(and others) through the Commercial Television Industry Code of Practice ('the Code'). Thebalance of this submission provides the Committee with information on the nature andoperation of the Code including that part of the Code dealing with privacy and news andcurrent affairs programs.

The Commercial Television Industry Code of Practice

The commercial television industry introduced the Code of Practice2 in response to majorchanges in broadcasting legislation and the introduction of the Australian BroadcastingAuthority which is intended by the Broadcasting Services Act to have a less day-to-dayinvolvement in the industry. All 44 commercial television services throughout Australiaagreed to support and abide by the new Code.

The Code replaced a mixture of industry guidelines and regulatory standards administered bythe Federal statutory authority responsible for regulating broadcasting (formerly the AustralianBroadcasting Tribunal and from 1992, the Australian Broadcasting Authority).

The Code represented a measure of industry self-regulation, although the Federal Parliamentand the ABA retained extensive powers of supervision and approval. The Code only cameinto force in 1993 following the approval and registration of the Code by the ABA.

The Code retained the main obligations of the former system. It carried over every significantrequirement to what stations could put to air, and when, while adding new obligationsconcerning program content and complaints handling. The main provisions of the Code coverclassification issues (including taste and decency and violence), commercial content,placement of commercials for sensitive products, fairness and accuracy in news and current

2 A copy of the current Commercial Television Industry Code of Practice is attached to thissubmission.


affairs, discriminatory references , and closed captioning for hearing impaired people.

FACTS has recently completed a detailed review of the Code including an extensive

consultation process over many months . Public consultation and responsiveness to calls for

change are crucial to the public's acceptance of any self -regulatory system . FACTS acceptedmany amendments, additions and textual improvements from the individual viewers, interestgroups, Government agencies and members of parliament who responded to our invitation

to comment on the Code . As a result of this consultation we believe we have a Code ofPractice which more closely reflects community standards and is readily understandable and

workable . The revised Code is currently being reviewed by the Australian BroadcastingAuthority and we expect that the Code will be registered and publicly released within the next

few months.

Of course the limited self-regulatory system for commercial television will only work iftelevision viewers are aware of the Code of Practice and the Code's complaints procedure,and if television stations are committed to implementing the Code and effectively responding

to complaints.

Publicising the Code

FACTS has distributed close to 15,000 copies of the Code since 1993. Since that time theindustry has been publicly committed to broadcasting public information spots explaining theoperation of the Code of Practice and its complaints procedure, and will increase thecommitment to 360 spots a year for each station under the proposed new Code of Practice.FACTS is preparing several different spots, which between them will provide clear advice onthe broad nature of the Code of Practice including where to obtain a copy and the complaintsprocedures. The ABA's research3 suggests that there is already a good level of awareness of

the Code. We are confident that the industry's efforts will lift that awareness significantly

over the next few years.

Complaints handling

Complaints handling is at the core of any self-regulatory system. Complaints are an important

indication of viewer reaction to a station's service . They are the trigger for investigation ofpossible breaches of Code provisions. Complaints handling is an effective bench-mark of a

station's professionalism and commitment to self-regulation.

The Code requires a responsible, structured and speedy response to viewer complaints. Thecomplaints-handling process is set out in Section 7 of the Code. In short, it requires stations

to:• ensure that telephoned complaints are brought to the attention of management;

3 Summarised in Your Say: A Review of Audience Concerns about Australia's Broadcast Media,

1996 (June, 1996).


• advise people who wish to take a telephoned complaint further how they may lodge

a written Code complaint;

• provide a written response within 30 working days to a Code complaint. ( In practice

the great majority of responses are made within 15 days, but some complex complaints

need all of those 30 days to resolve);

• advise any complainant who is dissatisfied with the station ' s response that he or she

may take the matter to the ABA;

• provide a response to any subsequent ABA inquiry within 30 working days;

• provide details of Code complaints to FACTS, for compilation and publication;

• publicise complaints procedures.

FACTS recognised from the outset that the success of the Code would depend heavily on how

stations handled complaints . FACTS and stations generally have devoted a lot of effort totraining staff to recognise their responsibilities in this area, and to acquit them conscientiously.

We believe that the industry has responded very positively to the challenge of self-regulation.The system of united self-regulation clearly works , as stations have upheld 125 complaints

out of the 2,608 lodged to the end of 1996. When a station does uphold a complaint, it hasa salutary effect on station staff, and recurrent breaches of the same provision are most

uncommon . The follow-up action ranges from counselling of staff through to reviews of

operational procedures and staff training.

The degree of viewer satisfaction with the system is probably best gauged by the fact that

round 90 % of viewers who lodge complaints choose not to `appeal' a station ' s decision to

the ABA.

There have, of course , been lapses and instances of unprofessional behaviour . They areobviously of concern to the industry, though we see them as relatively isolated indications thatwe need to work harder to bring everyone in the industry up to the standards we set ourselves,rather than as proof that self-regulation does not, or cannot, work.

The overall thrust of public responses to the public review of the Code of Practice has been

favourable to self-regulation , and the ABA has said publicly on a number of occasions that

it considers self-regulation to be working successfully.

The Code ofPractice and Pri► 'acv

Most concerns regarding the broadcast of private information or images occurs with respect


to news and current affairs programs.

One of the objectives of Section 4 of the Code covering news and current affairs programs

is that `....news and current affairs take account gfpersonal privacy.....( clause 4.1.3).

Clause 4.3 of the current Code provides that in broadcasting news and current affairs

programs , licensees:

4.3.5 must not use material relating to a person's personal or private affairs, orwhich invades an individual's privacy, other than where there areidentifiable public interest reasons for the material to be broadcast;

4.3.6 must display sensitivity in broadcasting images of or interviews withbereaved relatives and survivors or witnesses of traumatic incidents; .....

Under the revised Code there are three significant new clauses which are relevant to privacy.These provisions restrict the use of footage of dead and wounded people (clause 4.3.3),prohibit the unfair identification of individual people or companies in items about thebehaviour of a group of persons or businesses (clause 4.3.7) and require care in not identifyingmurder or accident victims before relatives are notified by authorities (clause 4.3.8). Theseclauses have been introduced to provide further protection in relation to upsetting material,and have strengthened the fairness requirements on stations. The new provisions are

reproduced below:

4.3 In broadcasting news and current affairs programs, licensees:

4.3.3 should have appropriate regard to the feelings of relatives and viewers when

including images of dead or seriously wounded people . Images of that kindwhich may seriously stress or offend a substantial number of viewers shouldbe displayed only when there is an identifiable public interest reason fordoing so;

4.3.7 should avoid unfairly identifying a single person or business when

commenting on the behaviour of a group of persons or businesses;

4.3.8 must take all reasonable steps to ensure that murder and accident victims arenot identified directly or, where practicable, indirectly before their immediate,families are notified by the authorities ......

FACTS members are sensitive to privacy concerns and will consider and weigh up the interest

of the individual concerned before deciding to broadcast a news story which that person may


consider breaches his or her privacy. All commercial television stations have agreed by theiradoption of the Code that certain private or personal matters should only be broadcast by themwhere it is in the public interest to do so or where it would not cause undue distress to

victims' families.

The effectiveness of limited self-regulation in ensuring sensitivity to privacy concerns is borneout by the very small number of complaints relating to privacy matters that commercialtelevision stations have received since the commencement of the Code in 1993. Statistics onthe subject matter of complaints collated by FACTS show that complaints concerningbreaches of privacy by commercial television viewers throughout Australia amounted to only0.65% of all complaints in 1994, 1.29% in 1995 and 0.85% in 1996. As stated above,Queensland stations have only received four complaints relating to breach of privacy since theCode commenced operation and each of those complaints were dealt with by the stations.

We trust that the information we have provided in this submission will be of assistance to theCommittee. Please contact us if you would like any further information on the Code of

Practice orany other related matter.

Yours sincerely

OANNE COURTrector Legal and Broadcast Policy

jec\priv\gld.sub

nWHAT IS FACTS?

The Federation of Australian Commercial Television Stations (FACTS) is an industryassociation which represents all of Australia's commercial television services. It is one ofthe few industry associations in Australia which represents every company in its industry.FACTS provides a forum for discussion of industry matters by its members and is thepublic voice of the industry on a wide range of issues.

WHAT DOES FACTS DO?

FACTS charter commits it to:

• promote, protect and conserve the rights and interests of its members in televisionbroadcasting in Australia;

• consider and deal with all matters involving and affecting the business of television;

• improve and promote television broadcasting as an effective advertising medium;

• broaden the base of advertising usage, and assist the expansion of advertisingexpenditure;

• assist and develop effective advertiser use of television at all levels;

• stimulate general interest in television broadcasting in Australia.

FACTS policies are established by general meetings of members. FACTS Federal Council(its board of directors) is nominated at each Annual General Meeting , and guides theorganisation in between general meetings . FACTS Federal Council is supported by anumber of expert standing committees which formulate advice and recommendations inrelation to broadcast technical issues, industrial relations policies, training and other areasaffecting the industry . Project committees may also be formed to address specific matters.

FACTS has a small secretariat based in Sydney, which is responsible for implementingpolicy decisions of general meetings and FACTS Federal Council, and pursuing a range ofactivities on behalf of members. These fall into several broad categories.

n Broadcasting Policy

• monitoring political issues which may affect broadcasting• liaising with government and politicians at State and Federal level, and

with interest groups, educationalists and interested members of the publicon issues relating to commercial television

• co-operating with other broadcasting and related organisations on mattersof common interest.

FEDERATION OF AUSTRALIAN COMMERCIAL TELEVISION STATIONS44 Avenue Road Mosman NSW 2088

n Industrial Relations

• negotiating with trade unions on industrial matters affecting the industry.

n Self-Regulation

• co-ordinating the formulation, administration and review of theCommercial Television Industry Code of Practice

• actively participating, along with other media and advertising industrygroups, in other self-regulatory code formulation and administration bodies

• on behalf of member stations, checking that television commercials complywith the law, Australian Broadcasting Authority Standards, and self-regulatory codes. (This is done by the Commercials Acceptance Divisionof FACTS.)

n Engineering

• co-ordinating member station input to technical planning and standard-setting bodies

• participating in national and international negotiations about thedevelopment of the broadcasting system and related technical matters, suchas technical and safety standards.

n Marketing and Information

• assisting users and creators of advertising to make effective use oftelevision

• disseminating information about television to business users of television,interested viewers and students and teachers of media.

n Training

• Co-ordinating industry training, particularly in relation to the provision ofrelevant courses by external training bodies.

FACTS actively participates in a number of government and industry bodies. This includesoverseas broadcast organisations, such as the European Broadcasting Union, Asian andPacific Broadcasting Union, and the US National Association of Broadcasters.

February 1997

Advisory NotesThe Portrayal of Aboriginal and Torres Strait Islander Peoples

These Advisory Notes are to help and encourage reporters and program producers to produceprograms which treat the Aboriginal and Torres Strait Islander peoples as an integral andimportant part of contemporary Australia, and which respect the dignity , traditions , diversityand contemporary achievements of these peoples . They also suggest ways to avoidencouraging or endorsing prejudice, stereotyping or unwarranted generalisation.

1. In reporting or portraying events or situations concerning indigenous peoples, youshould be conscious of your own preconceptions , and be aware of the cultural normsand experiences of these peoples.

2. Balanced portrayal is particularly important when the reports or programs deal withnegative aspects of the Aboriginal and Torres Strait Islander peoples' lives.Descriptions of problems should , where possible, be balanced by details of effortsbeing made by the people themselves to resolve them , and should provide anopportunity for the person or group concerned to comment on the issue.

3. To avoid misrepresenting indigenous peoples' circumstances and traditions , reportersshould , wherever practicable , consult local indigenous groups when preparing news andcurrent affairs . Program makers should encourage indigenous peoples' involvementin all relevant stages of production of programs relating to them.

4. You should respect local social protocols and codes of behaviour , and obtain anynecessary permission before entering Aboriginal and Torres Strait Islandercommunities.

5. You should be careful not to use language which indigenous peoples find offensive ordiscriminatory . This includes terms such as Full -blood , Half-caste, Part-Aboriginal,Walkabout and the use of "aboriginal " except as an adjective (i.e. avoid reference to"an aboriginal").

6. Aboriginal and Torres Strait Islander paintings and symbols should not be used inprograms without seeking appropriate guidance.

7. Indigenous religious and cultural beliefs should be respected , particularly thewidespread prohibition on displaying images of the deceased or naming them duringperiods of mourning . When the mourning period cannot readily be ascertained , the useof images of recently deceased Aboriginal persons should be preceded by anappropriate oral warning.

8. In scripting and casting drama and selecting on-air talent, management and producersshould be concerned to reflect the place of the Aboriginal and Torres Strait Islanderpeoples in contemporary Australia.

August 1994

FEDERATION OF AUSTRALIAN COMMERCIAL TELEVISION STATIONS44 Avenue Road Mosncan NSW Australia Tel: (02 )9960-2622 Fax: (02)9969-3520

Advisory Notes

The Portrayal of Cultural Diversity

These Advisory Notes are to help and encourage reporters and program producers to produceprograms which treat all people with equal respect , regardless of their national , ethnic orlinguistic background . They also suggest ways to avoid promoting or provoking prejudice,stereotyping or unwarranted generalisation . These notes complement the separate AdvisoryNotes on the Portrayal of Aboriginal and Torres Strait Islander Peoples.

Be sensitive to language and images which people from non -English speaking orminority racial backgrounds may reasonably find offensive or discriminatory. Inparticular:

(a) avoid the unwarranted introduction of race or ethnicity into a story, andparticularly the unnecessary use of ethnic -specific labels in reporting onsuspected or convicted criminals;

(b) avoid references to the ethnic or racial origin of a person or groupwhich imply that only people from English -speaking backgrounds areAustralian (e.g. do not automatically refer to an Australian of Chinesebackground as "a Chinese man");

(c) generally avoid outdated representations of how people from non-English speaking backgrounds speak English or behave.

2. When reporting or portraying events involving people with racial backgrounds whichdiffer from your own, you should be conscious of your own preconceptions and besensitive to the cultural norms and experiences of those people.

3. Any reports on race-related issues should be well researched , and not based solely onthe claims of particular groups.

4. The religious and cultural beliefs and practices of people from non -English speakingor minority racial backgrounds should receive no less respect than those of the English-speaking majority . Editorial comment in these areas should be factually based, andculturally aware.

5. In scripting and casting drama and selecting on-air talent , management and producersshould be concerned to reflect Australia ' s complex and culturally diverse society.

August 1994

FEDERATION OF AUSTRALIAN COMMERCIAL TELEVISION STATIONS44 Avenue Road Mosinan NSW Australia Tel: (02 )9960-2622 Fax: (02)9969-3520

Advisory Notes

The Portrayal of Women and Men

These Advisory Notes are designed to help reporters and program producers to understand andbe responsive to the concerns of many people about how television portrays women and men.

In describing and portraying women and men, you should avoid encouraging or endorsinginaccurate , demeaning or discriminatory references or descriptions, stereotyping orunwarranted generalisation . In particular:

1. Do not place inappropriate or irrelevant emphasis on gender , or on physical

characteristics or family status.

2. Avoid language that unnecessarily excludes one sex or gives unequal treatment towomen and men.

3. Avoid stereotyped gender portrayals which associate particular roles , ways ofbehaviour , personal or social attributes or use of products or services with people onthe basis of gender.

4. Avoid implying that a person is inferior because of his or her gender , or that either sexis naturally superior at certain tasks or in certain fields.

5. Recognise in reporting and in commentary that women and men nowadays are involvedin an equally diverse range of roles.

6. Try to achieve a better balance in the use of women and men as experts and authorities,and give more prominence to the achievements of women in areas such as sport.

7. Take particular care when reporting instances of violence (particularly sexual assault)

to:

(a) avoid offering explanations which may reasonably be seen to diminishindividual responsibility for the violence, or even shift blame to thevictim; and

(b) avoid gratuitous detail , such as the state of dress or undress of a sexualassault victim , and unnecessarily detailed description of the crime.

August 1994

FEDERATION OF AUSTRALIAN COMMERCIAL TELEVISION STATIONS

44 Avenue Road Mosuuni NSW Australia Tel: (02)9960-2622 Fax: (02)9969-3520

The commercial television industry is proud to release its Code of Practice. It is endorsed by

all Australian commercial television stations.

The Code reflects the commercial television industry's commitment to self-regulation of its

broadcasting operations, in accordance with community standards. It covers the matters

prescribed in s.123 of the Broadcasting Services Act 1992 , and other matters relating to

program content that are of concern to the community. The Code is intended to operate

alongside the Australian Broadcasting Authority's Standards which regulate programs forchildren and the Australian content of programs and advertisements.

The Code provides concise and clear guidance to television staff, but it is also intended tobe readily understood by interested viewers. It covers all areas of programming and

advertising, except for those areas just mentioned which will continue to be regulated by the

Australian Broadcasting Authority. The Code also lays down for the first time detailedrequirements on how stations are to respond to written complaints.

The Code comes into effect when it is registered by the Australian Broadcasting Authority.

It reflects extensive consultation with government advisory bodies, community interestgroups and the public generally. The industry intends to review the Code again after three

years. Community comment on how the Code has worked in practice will be an integral

part of that review.

While licensees are committed to implementing the Code, the Australian Broadcasting

Authority will retain ultimate control over their compliance . The Broadcasting Services Act1992 empowers the Australian Broadcasting Authority to:

impose a condition on a licensee requiring it to comply with a Code (s.44).A licensee which does not comply with a notice requiring it to comply with a condition

of licence is guilty of an offence carrying a penalty of $2,000,000 (s.142); or

determine a standard in relation to a matter if it is satisfied that there is convincing

evidence that the Code is not operating to provide appropriate community safeguards(s.125).

The Code sets out a wide range of requirements which the industry has willingly embraced

as part of its service to viewers. We have set them out as clearly as possible, so that our

viewers can readily assess our performance.

(continued overleaf)

THE COMMERCIAL TELEVISION INDUSTRY CODE OF PRACTICE AUGUST 1993 PAGE 1

These specific requirements will take their place alongside a wider range of industry

commitments -

to Australian programming, and in particular programming which reflects our complexand culturally diverse society and respects the principle of equality between women

and men;

to service to the local community;

to equal opportunity employment in every area;

to continuing our extensive and year round on-air support for charitable and community

service activities and causes.

Underlying each of these points is each station's strong sense of community, and its firmcommitment to respond to the ever-changing interests and needs of its viewers.

We hope that this strong commitment to the community emerges clearly from this Code.

Bob CampbellChairman


TABLE OF CONTENTS

1tiS Introduction 4on :ec

Section 2 : Classification 7

Section 3 : Program Promotions 14

Section 4 : News and Current Affairs Programs 17

Section 5 : Time Occupied by Non-Program Matter 19

ti n 6 :S _Classification and Placement of Commercials 22ec o _

Section 7 : Handling of Complaints to Licensees 25


SECTION '.

INTRODUCTION

Objective

1.1 This Section of the Code is intended to ensure that:

1.1.1 the structure and purpose of the Code and its place in television regulationis clearly stated;

1.1.2 licensees understand their responsibilities under the Code;

1.1.3 licensees and viewers are aware that the relevance and effectiveness of theCode will be reviewed periodically;

1.1.4 a range of matters which falls outside the operational sections of the Codeis given Code recognition.

Scope and Interpretation of the Code

1.2 Where the intent or scope of the Code is in doubt, it must be interpreted in the lightof the Objectives, and of the intention that the Code operate to regulate what maybe broadcast and to assist viewers in making informed choices about their own andtheir children's television viewing.

Compliance with Code

1.3 Licensees must endeavour to comply fully with the Code, but a failure to comply willnot be a breach of the Code if that failure was due to:

1.3.1 a reasonable mistake;

1.3.2 reasonable reliance on information supplied by another person;

1.3.3 an act or default of another person, or to an accident or to some othercause beyond the licensee's control, and the licensee took reasonableprecautions and exercised due diligence to avoid the failure.

1.4 Where it is possible to remedy a failure to comply with the Code resulting from oneor more of those circumstances, licensees must do so promptly.

Review of the Code

1.5 This Code will be formally reviewed after it has been in effect for three years. If anysubstantive changes to the Code are necessary before that time, members of thepublic will be given an adequate opportunity to comment on those changes.


Proscribed Material

1.6 A licensee may not broadcast a program which is likely, in all the circumstances to:

1.6.1 simulate news or events in such a way as to mislead or alarm viewers;

1.6.2 depict the actual process of putting a subject into a hypnotic state;

1.6.3 be designed to induce a hypnotic state in viewers;

1.6.4 use or involve the process known as `subliminal perception' or any othertechnique which attempts to convey information to the viewer bytransmitting messages below or near the threshold of normal awareness;

1.6.5 seriously offend the cultural sensitivities of Aboriginal and Torres StraitIslander people or of ethnic groups or racial groups in the Australiancommunity;

1.6.6 stir up hatred, serious contempt or severe ridicule against a person orgroup of persons on the grounds of age, colour, gender, national or ethnicorigin, physical or mental disability, race, religion or sexual preference.

1.7 Except for Clause 1.6.3, none of the matters in Clause 1.6 will be contrary to thisSection if said or done reasonably and in good faith:

1.7.1 in broadcasting an artistic work (including comedy or satire); or

1.7.2 in the course of any broadcast of a statement, discussion or debate madeor held for an academic, artistic or scientific purpose or any otheridentifiable public interest purpose; or

1.7.3 in broadcasting a fair report of, or a fair comment on, any event or matter ofidentifiable public interest.

Presentation of Broadcast Material

1.8 A commercial, community service announcement, program promotion or stationpromotion must be readily distinguishable by viewers from program material.

1.9 This applies to material broadcast:

1.9.1 between programs;

1.9.2 during or within a program;

1.9.3 as a visual or audio superimposition over a program.


1.10 Clause 1.8 does not require non-program material broadcast other than in programbreaks to be labelled or visually differentiated. However where material may not bereadily distinguishable by viewers from program material (e.g. where sponsors paylicensees for information to be presented in a segment of a program), licenseesmust adequately distinguish the material.

Closed Captioning for Hearing Impaired and Deaf People

1.11 Licensees will:

1.11.1 ensure that closed-captioned programs are clearly indicated in programinformation provided to the press and in program promotions;

1.11.2 exercise due care in broadcasting closed captioning, and provide opencaptioned advice if technical problems prevent scheduled closedcaptioning;

1.11.3 endeavour to increase the amount of closed-captioned programming, inconsultation with organisations representing hearing-impaired and deafviewers.

Interviews and Telephone Conversations

1.12 Licensees must comply with relevant Federal and State law when broadcastinginterviews and telephone conversations.


SECTION 0CLASSIFICATION

Objective

2.1 This Section is intended to ensure that:

2.1.1 licensees apply the film classification system administered by the Office ofFilm and Literature Classification, and make any necessary modifications to"M" and "MA" films to ensure that they are suitable for broadcast;

2.1.2 each broadcast day is divided into classification zones which are based onthe majority audience normally viewing at that time, and particularly whetherchildren are viewing in significant numbers;

2.1.3 only material which is suitable for a particular classification zone isbroadcast in that zone, and nothing is permitted in the "M" and "MA"classifications which was not previously permitted in the "AO" classification;

2.1.4 viewers are provided with information about the nature of material to bebroadcast;

2.1.5 news, commentary on current events, and serious presentations of moralor social issues are presented with appropriate sensitivity to theclassification zone in which they are broadcast, but are not unreasonablyrestricted.

Scope

2.2 This Section requires material to be classified appropriately, and broadcast only insuitable classification zones. It applies to all programs and to all non-programmatter, such as commercials, program promotions, community serviceannouncements and station identifications. Section 3: Program Promotions appliesmore stringent restrictions to commercials and program promotions, and takesprecedence over this Section wherever their requirements differ.

Classification of Material

2.3 All Material to be Classified : Except for news, current affairs and live sportingprograms (see Clause 2.3.1), all material for broadcast must be appropriatelyclassified according to Clauses 2.9 - 2.17, or (where applicable) according to thestricter requirements of the Section 3: Program Promotions. All commercials mustalso satisfy the Media Council of Australia Codes of Advertising. Material whichdoes not satisfy the requirements set out in Clauses 2.9 - 2.17 must not bebroadcast.

2.3.1 News, Current Affairs and Live Sporting Programs : These programs donot require classification, but when broadcast in a "G" classification periodmust comply with Clauses 2.6 and 2.7.


2.4 Classification Considerations : The suitability of material in terms of Clauses 2.9 -2.17 will often depend on the context in which it appears. Some actions,depictions, themes, subject matters, treatments or language may be acceptable inone program but not in another. Such questions as the merit of the production, thepurpose of a sequence, the tone, the camera work, the intensity and relevance ofthe material, and the treatment, must all be taken into account and carefullyweighed. The time of day at which the program is to be broadcast and the likelycomposition of the audience are also important considerations.

2.5 Programs Dealing in a Responsible Way with Important Moral or Social Issues:A program which deals in a responsible manner with important moral or socialissues may be broadcast outside the times appropriate to its classification providedthat clear advice of the nature and content of the program is given both inpromotions for, and at the start of, the program. That advice must avoid detailwhich may in itself seriously distress or offend viewers.

2.6 News, Current Affairs and Live Sporting Programs : These programs may bebroadcast in "G" classification periods, provided that care is exercised in theselection and broadcast of all material. News material broadcast outside regularbulletins in "G" classification periods must be compiled with special care, particularlywhen many children may be watching.

2.7 Material Which May Distress or Offend Viewers : Licensees may broadcast a newsor current affairs program containing visual or aural material which, in the licensee'sreasonable opinion, is likely to seriously distress or offend a substantial number ofviewers only if there are identifiable public interest reasons for broadcasting thematerial and if adequate prior warning is given to viewers (see Clause 2.25).

2.8 Excerpts from Certain Feature Films : Excerpts from feature films classified "MA"(cinema or television) may be broadcast before 7.30pm, and excerpts from filmsclassified "R" (cinema) may be broadcast before 8.30pm, only in news or currentaffairs programs, in film review programs or segments directed at a predominantlyadult audience, or in programs which deal in a responsible manner with seriousmoral or social issues.

2.8.1 Excerpts from "MA" or "R" programs broadcast in promotions for theprograms referred to in Clause 2.8 must comply with Clause 3.6 - 3.9 ofthe Code;

2.8.2 Excerpts from "MA" or "R" programs broadcast in accordance with Clause2.8 must be selected with due care, having regard to the composition ofthe audience.


The Children's ("C") and Preschool Children's ("P") Classifications

2.9 Material classified "C" or "P" must satisfy the requirements of the Children'sTelevision Standards. "C" and "P" classification zones are movable within bands laiddown in the Children's Television Standards. These zones overlap otherclassification zones, and have precedence over them.

The General ("G") Classification

2.10 Material classified "G" must not contain any matter likely to be unsuitable forchildren to watch without the supervision of a parent.

2.10.1 Violence: Depictions of physical and psychological violence and the use ofthreatening language, weapons or special effects must not be likely tocause alarm or distress to children, must be strictly limited to the context orstory line of the program, and must not show violent behaviour to beacceptable or desirable.

2.10.2 Sex and Nudity: Depictions of and references to sexual behaviour must belimited and discreet. Discreet portrayal of nudity only when absolutelynecessary to the story line or program context.

2.10.3 Language: Mild expletives or language which may be considered sociallyoffensive or discriminatory may only be used in exceptional circumstanceswhen absolutely justified by the story line or program context.

2.10.4 Drugs: References to the consumption of illegal drugs must be limited anddiscreet and allowed only when absolutely justified by the story line orprogram context. Use of legal drugs must be depicted with care.

2.10.5 Suicide: Reporting of suicide must be straightforward, and not includegraphic details or images. Discreet references to suicide are acceptableonly if justified by the story line or context and not presented as a romantic,heroic, alluring or normal act.

2.10.6 Other: Dangerous playthings may only be depicted where absolutelyjustified by the story line or context, and must be depicted in such a way asto minimise the likelihood of imitation.

Where music, special effects and camera work areused to create an atmosphere of tension or fear, caremust be taken not to cause unnecessary distress tochildren.

Care must be taken in the treatment of themes dealingwith social or domestic conflict.


2.11 General ("G") classification zones

Weekdays 6.00am - 8.30am4.00pm - 7.30pm

Weekends 6.00am - 7.30pm

In "G" zones, only material classified "G", "C" and "P" may be broadcast (thoughnote exemptions in Clauses 2.5 and 2.6).

The Parental Guidance Recommended (" PG") Classification

2.12 Material classified "PG" may contain adult themes or concepts but must remainsuitable for children to watch under the guidance of a parent or guardian.

2.12.1 Violence: Any violence depicted must be inexplicit, discreet or stylised andappropriate to the story line or program context. No overly realistic, bloodyor horrific depictions of violence are permitted.

2.12.2 Sex and Nudity: Depictions of and references to intimate sexual behaviourmust be discreet and appropriate to the story line or program context, andmust not dominate the theme of a program. Discreet portrayal of nudityonly where justified by story line or program context.

2.12.3 Language: Low-level offensive language may only be used when justifiedby the story line or program context, and then only infrequently.

2.12.4 Drugs: Techniques for the consumption of illegal drugs must not bedemonstrated, and illegal drugs must not be depicted favourably. Use oflegal drugs must be depicted with care.

2.12.5 Suicide : The depiction of suicide or attempted suicide must be inexplicitand discreet, and must not be presented as the means of achieving adesired result or as an appropriate response to stress, depression or otherproblems.

2.13 Parental Guidance Recommended ("PG") classification zones

Weekdays (schooldays) 5.00am - 6.00am8.30am - 12.00 noon3.00pm - 4.00pm7.30pm - 8.30pm

Weekdays (school holidays) 5.00am - 6.00am8.30am - 4.00pm7.30pm - 8.30pm

Weekends 5.00am - 6.00am7.30pm - 8.30pm

In "PG" zones, only material classified "PG", "G", "C" and "P" may be broadcast(though note exemptions in Clause 2.5).


2.13.1 School holidays mean Government primary school holidays in the State orTerritory in which the service originates.

The Mature ("M") Classification

2.14 Material classified "M" is recommended for viewing only by persons aged 15 yearsor over because of the matter it contains, or of the way this matter is treated.

2.14.1 Violence: May be realistically depicted only if it is not too frequent orimpactful, appropriate to the story line or program context, and not undulybloody or horrific.

2.14.2 Sex and Nudity: Intimate sexual behaviour may only be implied i.e. at most,inexplicitly simulated. It must be relevant to the story line or programcontext. Portrayal of nudity must be relevant to the story line or programcontext.

2.14.3 Language: The infrequent use of offensive language must be appropriateto the story line or program context.

2.14.4 Drugs: No detailed instruction in the use of illegal drugs. Illegal drugs mustnot be depicted favourably.

2.14.5 Suicide: Suicide must not be depicted favourably, and methods of suicidemust not be depicted in realistic detail.

2.15 Mature ("M") classification zones

Weekdays (schooldays) * 12.00 midnight - 5.00am12.00 noon - 3.00pm8.30pm - 12.00 midnight

*(When the time of reception anywhere in a licence area is more than one hour inadvance of the time of origin of the service, the "M" classification zone onschooldays extends between noon and 2.30pm, rather than 3. OOpm).

Weekdays (school holidays) 12.00 midnight - 5.00am& Weekends 8.30pm - 12.00 midnight

In "M" zones, any material which qualifies for atelevision classification may be broadcast, except that"MA"-classified material is restricted to the times setout in Clause 2.17.

2.15.1 School holidays mean Government primary school holidays in the State orTerritory in which the service originates.


SECTION "

The Mature Adult "MA" Classification

2.16 Material classified "MA" is suitable for viewing only by persons aged 15 years orover because of the intensity and/or frequency of violence, sexual depictions, orcoarse language, or because violence is central to the theme.

2.16.1 Violence: No sustained, relished or excessively detailed acts of violence.Violence occurring in a sexual context is to be assessed more stringently.Depictions with a high degree of realism or impact must be brief andcontextually justified. Violence may not be presented as desirable in itsown right.

2.16.2 Sex and Nudity: No explicit depiction of sexual acts, or depiction ofexploitative or non-consenting sexual relations as desirable. Intimate sexualbehaviour may only be implied or simulated.

2.16.3 Language: No excessive and grossly offensive language. The use ofoffensive language must be appropriate to the story line or program contextand not overly frequent or impactful.

2.16.4 Drugs: No detailed instruction in the use of illegal drugs. Illegal drugs mustnot be depicted favourably.

2.17 Mature Adult ("MA") classification zones

All days between 9.00pm and 5.00am.

In "MA" zones, any material which qualifies for a television classification may bebroadcast.

Material Not Suitable for Television

2.18 Material which cannot appropriately be classified "MA" or any lower televisionclassification, because of the matter it contains, or the way that matter is treated, isunsuitable for television, and must not be broadcast.

2.19 The following categories indicate what will invariably be unsuitable for television:

2.19.1 Violence : Sustained, relished or excessively detailed acts of violence;

2.19.2 Sex and Nudity: Explicit depiction of sexual acts, or depiction ofexploitative or non-consensual sexual relations as desirable;

2.19.3 Language: Excessive and grossly offensive language;

2.19.4 Drugs: Detailed instruction or encouragement in the use of illegal drugs.


Display of Classification Symbols

2.20 An appropriate classification symbol must be displayed as close as is practicable tothe start of those programs which Clause 2.3 requires to be classified, and withinany promotion for the program. The classification symbol is to be at least 32television lines in height, and in a readily legible typeface. It is to remain visible for atleast 3 seconds. The classification symbol must also be broadcast as soon as ispracticable when the program recommences after each break.

2.21 Clearly visible classification symbols are to accompany all press advertising ofprograms which is placed by licensees.

Consumer Advice for "M" and "MA" Programs

2.22 "M"-classified feature films and all "MA"-classified programs must carry, in additionto the classification symbol, brief consumer advice giving the principal elementswhich have contributed to the classification and indicating their intensity and/orfrequency. The advice will be in a style consistent with the guidelines on consumeradvice published by the Office of Film and Literature Classification.

2.23 Spoken and written consumer advice must be broadcast at the start of theprogram. The consumer advice is to be in a readily legible typeface, and is toremain visible for at least five seconds. Briefer written consumer advice is to bebroadcast as soon as is practicable after the resumption of the program at eachbreak.

2.24 Clearly visible consumer advice is to accompany all press advertising of programsplaced by the licensee.

Warnings Before Certain News, Current Affairs and Other Programs

2.25 Where news, current affairs, or other programs not classified "M" or "MA" includefor public interest reasons, material which is, in the licensee's reasonable opinion,likely to seriously distress or offend a substantial number of viewers, the licenseemust provide adequate prior warning to viewers. The warning must precede therelevant segment in news and current affairs programs and precede the program inother cases.

2.26 Warnings before the broadcast of material of this nature must be spoken, and mayalso be written. They must provide an adequate indication of the nature of thematerial, while avoiding detail which may itself seriously distress or offend viewers.

2.27 Where licensees include in promotions for a program advice that it contains materialwhich may seriously distress or offend viewers, that advice must comply with everyrequirement for program promotions in the period in which it is broadcast.


SECTION 3PROGRAM PROMOTIONS

Objective


3.1.1 program promotions are subject to more stringent content restrictions thanthose which Section 2: Classification applies to broadcast materialgenerally;

3.1.2 program promotions are not scheduled inappropriately having regard totimes when children are a substantial part of the viewing audience;

3.1.3 program promotions for "MA"-classified programs are not broadcast before7.30pm or in "G"-classified programs between 7.30pm and 8.30pm.

Scope

3.2 This Section applies to all material promoting programs for which the licensee holdstelevision rights and which is transmitted in breaks within or between programs orby visual superimposition on a program.

Promotions between 4 .00pm and 5 .00pm on Weekdays and Within andAdjacent to "P" and "C" Programs

3.3 Between 4.00pm and 5.00pm on weekdays and within (and in the breaks adjacentto) "C" and "P" programs, promotions for only "P", "C" and "G" programs may bebroadcast. The content of those promotions must comply with Clause 3.6 and theChildren's Television Standards.

Promotions between 5.00pm and 6.00pm on Weekdays and in CertainOther "G" Programs

3.4 During the times and the programs set out below, promotions for only "P", "C","G" and "PG" programs may be broadcast, and the content of those promotionsmust comply with Clause 3.6:

3.4.1 between 5.00pm and 6.00pm on weekdays;3.4.2 cartoon programs in "G" viewing periods on any day;3.4.3 "G"-classified programs in "G" viewing periods at weekends which are

promoted for viewing by children, or are likely to attract substantialnumbers of children.


Promotions for "MA" -Classified Programs

3.5 Promotions for "MA"-classified programs may not be broadcast between 5.00amand 7.30pm on any day or in "G"-classified programs between 7.30pm and 8.30pmon any day. The content of "MA"-classified promotions scheduled in "PG"-classifiedprograms between 7.30pm and 8.30pm must comply with Clause 3.7.

Promotions in "G" Viewing Periods and in all "G" Programs Starting at3.30pm , or Broadcast Between 7.30pm and 8.30pm

3.6 In "G" viewing periods and in all "G" programs starting at 3.30pm on a weekday, orbroadcast between 7.30pm and 8.30pm on any day, no program promotion mayinclude material (whether visual or auditory) which involves:

3.6.1 the use of guns, other weapons or dangerous objects in a manner clearlyintended to inflict harm or to seriously menace;

3.6.2 heavy punches, blows or other physical violence against people or animals;3.6.3 any form of violence or cruelty to children;3.6.4 genuinely threatening or frightening situations;3.6.5 sequences that involve loss of life;3.6.6 close-up vision of dead bodies;3.6.7 close-up vision of bloodied, maimed or wounded bodies;3.6.8 nudity or partial nudity;3.6.9 depictions of, or discussions about, sexual activity except of the most

innocuous kind;3.6.10 improper language, including mild expletives;3.6.11 approving or condoning references to illegal drug use.

Promotions in "PG"-Classified Programs Broadcast Between 7.30pmand 8.30pm

3.7 In "PG"-classified programs broadcast between 7.30pm and 8.30pm on any day,no program promotion may include material (whether visual or auditory) whichinvolves:

3.7.1 the use of guns, other weapons or dangerous objects against a victim inthe foreground;

3.7.2 anything beyond fleeting violence against people or animals;3.7.3 action sequences which include obvious loss of life;3.7.4 close-up shots of dead or seriously injured bodies;3.7.5 sexually explicit scenes;3.7.6 nudity other than of a discreet or incidental nature;3.7.7 offensive language;3.7.8 sexual violence.

3.8 For the purposes of Clause 3.7, all sporting coverage 7.30 - 8.30pm will be deemedto be "PG"-classified.


SECTION 3

Promotions in "G" or " PG"-Classified Programs Scheduled to Start at,or Continue Past , 8.30pm

3.9 In "G" or "PG"-classified programs scheduled to start at 8.30pm, or in a stationbreak preceding such programs, program promotions must comply with therequirements of Clause 3.7 for the "PG" viewing period. The same restrictionsapply to that part of a "G" or PG"-classified program starting before 8.30pm, whichcontinues past 8.30pm. Where such a program is classified "G", promotionsbroadcast in it before 8.30pm must comply with Clause 3.6.

3.10 For the purposes of Clause 3.9, all sporting coverage after 8.30pm will be deemedto be PG"-classified.

Promotions for News, Current Affairs, Sportingand Certain Other Programs

3.11 Promotions for news, current affairs and sporting programs, and for programsdealing in a responsible way with important social or moral issues, must comply inevery respect with the requirements for the viewing zone in which they arebroadcast and, as far as is practicable, with the additional restrictions set out inClauses 3.6 to 3.10.

Display of Classification Symbols

3.12 All promotions for programs other than news, current affairs and sporting programsmust display the classification of the program promoted. The requirements for thedisplay of classification symbols in program promotions are set out in Clause 2.20.


SECT I ON 4NEWS AND CURRENT AFFAIRS PROGRAMS

Objective


4.1.1 news and current affairs programs are presented accurately and fairly;

4.1.2 news and current affairs programs are presented with due care, havingregard to the likely composition of the viewing audience at the time ofbroadcast (and, in particular, the presence of children);

4.1.3 news and current affairs take account of personal privacy and of culturaldifferences in the community;

4.1.4 news is presented impartially.

Scope of the Code

4.2 Except where otherwise indicated, this Section applies to news programs, newsflashes and current affairs programs. A "current affairs program" means a programfocussing on social, economic or political issues of current relevance to thecommunity.

News and Current Affairs Programs

4.3 In broadcasting news and current affairs programs, licensees:

4.3.1 must present factual material accurately and represent viewpoints fairly,having regard to the circumstances at the time of preparing andbroadcasting the program;

4.3.2 must not present material in a matter which creates public panic;

4.3.3 must comply with Clauses 2.7 and 2.25 of this Code in selecting andbroadcasting visual and/or aural material which may seriously distress oroffend a substantial number of viewers;

4.3.4 must include only sparingly material likely to cause some distress to asubstantial number of viewers;

4.3.5 must not use material relating to a person's personal or private affairs, orwhich invades an individual's privacy, other than where there are identifiablepublic interest reasons for the material to be broadcast;

4.3.6 must display sensitivity in broadcasting images of or interviews withbereaved relatives and survivors or witnesses of traumatic incidents;


4.3.7 must not portray any person or group of persons in a negative light byplacing gratuitous emphasis on age, colour, gender, national or ethnicorigin, physical or mental disability, race, religion or sexual preference.Nevertheless, where it is in the public interest, licensees may report eventsand broadcast comments in which such matters are raised;

4.3.8 must make reasonable efforts to correct significant errors of fact at theearliest opportunity.

4.4 In broadcasting news programs (including news flashes) licensees:

4.4.1 must present news fairly and impartially;

4.4.2 must clearly distinguish the reporting of factual material from commentaryand analysis.


SECTIONTIME OCCUPIED BY NON - PROGRAM MATTER

Objective


5.1.1 there is a reasonable balance between program and non-program matterbroadcast by licensees, having regard to the interests of viewers in havinguncluttered program presentation, and the commercial interests ofadvertisers and stations;

5.1.2 stations enjoy some flexibility in scheduling non-program content, havingregard to the needs of advertisers and the artistic integrity of programs;

5.1.3 there are firm limits on the amount of commercial and promotional matterscheduled in any one hour, and a continuation of the traditional loweroverall limits between 6.00pm and midnight;

5.1.4 special rules apply in "P" and "C" periods, reflecting the limits previouslyimposed by regulation.

Scope

5.2 This Section sets limits for non-program matter scheduled , as distinct from non-

program matter actually broadcast . This is intended to avoid the need for complexexemption provisions when operational problems (e.g. unpredictable programsegment lengths in live programs) make it difficult for licensees to comply with an"as broadcast" clock hour requirement without compromising high quality programpresentation. It is not intended to allow increased levels of non-program matter,and may not be interpreted by licensees in that way. Nothing in this Section relatesto the classification of non-program material, which is dealt with in Section 2:Classification, and Section 3: Program Promotions.

5.3 In this Section, non-program matter comprises:

5.3.1 spot commercials, namely advertising for products, services, beliefs orcourses of action which is scheduled within program breaks or betweenprograms, or by full-frame visual superimposition on a program, and forwhich licensees receive payment or other valuable consideration. Thisincludes bonus and make-good advertisements, but excludes communityservice announcements, announcements on behalf of election authoritiesand sponsorship announcements before and after a program or programsegment.

5.3.1.1 community service announcements are announcements whichpromote a charitable cause or activity or which constitute apublic service, and which are broadcast free-of-charge by alicensee.


5.3.2 Program promotions. These include station identifications and programline-ups which contain more than 10 seconds of visual material from anyprogram for which the licensee holds television rights, but exclude voice-over program promotions transmitted during the closing credits of aprogram, or superimposed text occupying only part of the screen.

Hourly Limits

5.4 Subject to paragraphs 4 of this Section, on any day licensees may schedule onaverage in each hour up to:

5.4.1 between 6.00pm and midnight, 13 minutes of non-program matter;

5.4.2 at all other times - other than in "P" or "C" periods - 15 minutes of non-program matter.

5.5 In any hour, licensees may (provided that the averages in 5.4 are satisfied) schedulethe following amounts of non-program matter:

5.5.1 between 6.00pm and midnight - up to 15 minutes per hour, but with nomore than 14 minutes scheduled in any four of those hours;

5.5.2 at all other times - up to 16 minutes.

5.6 In "P" and "C" periods scheduled in accordance with the Children's TelevisionStandards:

5.6.1 no commercials may be broadcast in any "P" period;

5.6.2 each 30 minutes of a "C" period may contain no more than 5 minutes ofcommercials and one minute of "G"-classified program promotions orstation identification.

Non-Program Content Displaced by Election Period Policy Speechesor Debates

5.7 If a licensee agrees to broadcast free of charge the policy speech of a political partyor a debate between leaders of political parties, and by doing so is unable tobroadcast the non-program matter permitted by Clause 5.4, the licensee mayschedule additional non-program matter equivalent to the shortfall in that hour orthose hours. That additional matter is to be scheduled elsewhere in the same zone(i.e. 6.00pm to midnight or off-peak) on that day or on other days within fourteendays of the broadcast.

5.7.1 The amount of non-program matter made up in other hours may notexceed one minute in total in any one hour.


Make-Up of Non-Program Matter from Certain BroadcastsUninterrupted by Non -Program Matter

5.8 If a licensee wishes to broadcast a program or part of a program of a clearlycharitable or community service nature without the insertion of non-program matter,the licensee may schedule elsewhere additional non-program matter equivalent tothe shortfall in that hour or those hours. That additional non-program matter is tobe scheduled elsewhere in the same zone (i.e. 6.00pm to midnight or off-peak) onthat day or on other days within fourteen days of the broadcast.

5.9 The amount of non-program matter made up in other hours may not exceed oneminute in total in any one hour.


SECTION 3

CLASSIFICATION AND PLACEMENT OF COMMERCIALS

Objective


6.1.1 television commercials are classified and broadcast appropriately, in thelight of current community attitudes and of the need to limit the exposure ofchildren to material intended for adult viewing;

6.1.2 commercials for products and services which are of particular concern orsensitivity are subject to additional placement restriction;

6.1.3 public health and safety messages are not unreasonably restricted;

6.1.4 viewers who are concerned about the content of television commercials aremade aware that this is governed by Media Council of Australia Codes ofAdvertising and the Australian Broadcasting Authority's Children'sTelevision Standards.

Scope

6.2 This Section covers all commercials and community service announcementsbroadcast in breaks within or between programs or by visual and/or oralsuperimposition on a program. All references to commercials in this Section referequally to community service announcements. It is to be read in conjunction withSection 2: Classification and Section 3: Program Promotions, the Media Council ofAustralia Codes of Advertising and the Children's Television Standards. Exceptwhere the provisions of another Section of this Code specifically relate to aparticular class of commercials, the provisions of this Section take precedence.

6.2.1 Community service announcements are announcements which promote acharitable cause or activity or which constitute a public service, and whichare broadcast free-of-charge by a licensee.

Compliance with the Code , Media Council of Australia Codes ofAdvertising , the Children's Television Standards and the Law

6.3 All commercials broadcast by licensees must comply with this Section, with Section2: Classification and Section 3: Program Promotions, with applicable Media Councilof Australia Codes of Advertising, with any relevant requirements of the AustralianBroadcasting Authority's Children's Television Standards, and with relevantrequirements of State and Federal law.


Approval of Commercials

6.4 In the case of commercials to be broadcast in more than one market, licensees maychoose to require that the Commercials Acceptance Division (CAD) of FACTS certifythat the commercial complies with the requirements set out in Clause 6.3.

6.4.1 Licensees may choose not to require CAD approval where all stations onwhich the commercial is to be broadcast have non-metropolitan licence areas.

Classification of Commercials

6.5 All commercials must be given an appropriate television classification.

Commercials for Alcoholic Drinks

6.6 A commercial which is a direct advertisement for alcoholic drinks may be broadcastonly in "M" or "MA" classification periods, or as an accompaniment to the livebroadcast of a sporting event on weekends and public holidays.

6.6.1 A commercial for an alcoholic drink may not be broadcast during a "C"classification period, as defined in the Children's Television Standards.

6.7 Alcoholic drinks means any beer, wine, spirits, cider, or other spirituous orfermented drinks of an intoxicating nature.

6.8 Direct advertisement for alcoholic drinks means any commercial which is broadcastby a licensee that draws the attention of the public, or a segment of it, to alcoholicdrinks in a manner calculated to promote directly their purchase or use.

Commercials Relating to Betting or Gambling

6.9 Except in news, current affairs and sporting programs, a commercial relating tobetting or gambling must not be broadcast in "G" classification periods Monday toFriday, nor on weekends between 6.00am and 8.30am, and 4.00pm and 7.30pm.

6.10 Commercials relating to betting or gambling do not include commercials relating tosuch things as Government lotteries, lotto, keno or contests.

Commercials Relating to Products of a Particularly Intimate Nature

6.11 A commercial for products of a particularly intimate nature, such as sanitarynapkins, condoms, and vaginal deodorants may only be broadcast in "PG", "M"and "MA" classification periods, unless it contains a public health or safety messageand satisfies Clause 6.12.


Commercials Containing Public Health and Safety Messages

6.12 A licensee may broadcast a commercial containing a public health or safetymessage in a "G" classification period, provided that it exercises due care, havingregard to the likely composition of the viewing audience at the time of broadcast.

Commercials for Cinema , Video or Videodisc Films

6.13 Subject to Clause 6.15, a commercial for a cinema film, video film or videodisc filmmust be scheduled in accordance with Section 3: Program Promotions.

6.14 All such commercials must display the Office of the Film and LiteratureClassification's cinema classification for the cinema film, video film or videodisc filmadvertised.

6.15 Commercials for "R"-classified films may only be broadcast after 8.30pm, andcommercials for "X"-classified films may not be broadcast.

Commercials Directed to Children

6.16 All commercials directed to children must exercise special care and judgement, andcomply with Children's Television Standards 17 - 21.

6.16.1 For the purposes of the Children's Television Standards, children arepeople younger than 14 years of age.

6.17 Only commercials which satisfy "G" classification requirements and which complywith Children's Television Standards 10, 17 - 21 and 22 - 23 may be broadcastduring a "C" period or in breaks immediately before or after a "C" or "P" period.

6.17.1 "C" and "P" periods are as defined in the Children's Television Standards.


SECTION 't'HANDLING OF COMPLAINTS TO LICENSEES

Objective

7.1 This Section is intended to ensure that licensees:

7.1.1 publicise the existence of the Code and its complaints procedures;

7.1.2 maintain adequate procedures for receiving and responding to oralcomplaints;

7.1.3 advise complainants of their right to make a written complaint aboutmaterial broadcast by a licensee which allegedly breaches the Code;

7.1.4 respond promptly to written complaints of this kind, and make everyreasonable effort to resolve them.

Scope

7.2 This Section applies to any matter covered by the Code which is the subject of awritten complaint to a licensee which adequately identifies the material broadcast,the nature of the complaint, and the identity of the complainant. Letters ofcomplaint need not specify the Section of the Code to which the complaint relates.All written complaints about the content of a commercial (as distinct from itsplacement or the amount of commercials broadcast) will be referred to theAdvertising Standards Council of Australia, or (in the case of advertising directed tochildren) to the Australian Broadcasting Authority, as the responsible complaintsbodies.

Publicising of Code

7.3 Licensees will provide regular on-air information about the Code and its complaintsprocedures, and explain how viewers may obtain copies.

Procedures for Handling Oral Complaints

7.4 Licensees welcome telephoned comments from viewers, which they regard asvaluable feed-back on viewer reaction to their service. Licensees will continue torecord the substance of these responses and bring them to the attention of keystaff, and to respond directly to callers who provide their name and contact details.The present Code will provide an additional avenue for viewers who wish to make aformal complaint about material broadcast by a licensee which they believe tocontravene the Code.


Advising Complainants of their Right to Make a Formal Complaintabout a Code Matter

7.5 Licensees will advise viewers who complain by telephone about material broadcastwhich is alleged to breach the Code, and who wish to pursue the complaint further,that they may make a written complaint to the licensee in question within 30 days ofthe particular broadcast, and that the licensee is obliged to respond in writing tothat complaint;

7.5.1 Where a complaint of this nature is made to a licensee by means of atelephone typewriter, it will be treated as an oral complaint but the licenseewill write to the complainant within 10 days to advise him or her of theformal complaint procedures set out in Clause 7.5.

7.6 If a written complaint is made to a licensee more than 30 days after a broadcast,this Section does not oblige the licensee to comply with the requirements of thisSection in responding to the complaint.

7.7 Licensees will advise viewers who complain about the content of a commercial (asdistinct from its placement or the amount of commercials broadcast) to direct theircomplaint to the Advertising Standards Council of Australia or to the AustralianBroadcasting Authority (in the case of advertising directed to children).

Time Limits on Responses to Written Complaints about a Code Matter

7.8 Where a viewer complains in writing of material within thirty days of its broadcast,the licensee must seek to provide a substantive written response within ten workingdays. That response will also advise the complainant that he or she may refer thematter to the Australian Broadcasting Authority if not satisfied with the licensee'sresponse.

7.9 When a licensee cannot provide a substantive written response within ten workingdays, the licensee will undertake in writing to provide a substantive reply within afurther 20 working days.

7.10 If the material complained of was provided on broadcast relay by another licensee,or was otherwise the responsibility of another licensee, the first licensee may referthe complaint to that licensee for written response direct to the complainant. If alicensee does so, it will advise the complainant within ten working days of receipt ofthe complaint, and provide the complainant with the name of a contact person atthe second licensee.

7.11 Where a licensee refers a complaint to another licensee for reply, that other licenseewill have 30 working days to provide a substantive response to the originalcomplainant.


Resolution of Complaints

7.12 Licensees will make every reasonable effort to resolve promptly complaints coveredby this Section, except where a complaint is clearly frivolous, vexatious or an abuseof the Code process.

Referral of Complaints to the ABA or the Chairman of FACTS

7.13 If a complainant is not satisfied with a response to a written complaint, and raisesthe matter further in writing with the licensee, then the licensee will:

7.13.1 reply substantively to the further letter, and further advise the complainantthat he or she may take the complaint to the Australian BroadcastingAuthority; or

7.13.2 alternatively , or as well , advise the complainant that the licensee will referthe complaint to the Chairman of FACTS.

7.14 Where the licensee is satisfied that the complaint is factually groundless, it maydecline to refer the complaint to the Chairman of FACTS. This will not affect thecomplainant's right to take the complaint to the ABA.

Handling of Complaints Referred to the Chairman of FACTS

7.15 In the event that a complaint is referred by a licensee to the Chairman of FACTS, heor she will:

7.15.1 refer the complaint in writing to the Chief Executive of the licensee inquestion for a further response (which response is to be copied to theChairman of FACTS);

7.15.2 take whatever additional steps he or she considers necessary to assistresolution of the complaint;

7.15.3 advise the licensee and the complainant that a report on the complaint willbe listed in the Annual Code Administration Report published by FACTS.

Licensees to Report Written Complaints on Code Complaints to FACTS

7.16 Each licensee will report to FACTS, within 15 working days of the end of eachquarter, the number and substance of written complaints alleging specific breachesof the Code, including for each complaint the date received and date or dates ofresponse. These reports to FACTS will not include the name or address of anycomplainant.


SECTION 7

7.17 FACTS will provide a summary of this information to the Australian BroadcastingAuthority within 15 days of its receipt.

Code Administration

7.18 FACTS Code Administration Council will meet four times each year to reviewadministration of the Code. A member of the ABA will be invited to attend eachmeeting of the Council as an observer.

7.19 The Chairman of FACTS will cause to be published each year a report on Codeadministration by licensees. This report will be available to the public and willcontain:

7.19.1 the number and substance of written complaints relating to compliancewith the Code received by licensees, and the outcome of each complaint;

7.19.2 the number and substance of complaints referred to the Chairman ofFACTS , identifying the licensee or licensees involved , and the outcome ofthe reference.


COMMERCIAL TELEVISION

INDUSTRY

CODE OF PRACTICE:

1996 ANNUAL REPORT

COMMERCIAL TELEVISION INDUSTRY CODE OF PRACTICE:1996 ANNUAL REPORT

Introduction

The Commercial Television Industry Code of Practice was introduced in September 1993,following extensive public consultation by the commercial television industry, and approval of theCode by the Australian Broadcasting Authority. The Code of Practice sets out the obligations ofcommercial television stations in relation to classification of programs, program promotions andcommercials, commercial content, placement of commercials for sensitive products, fairness andaccuracy in news and current affairs, discriminatory references, and closed captioning for hearingimpaired viewers. '

All forty-four commercial television stations agreed to abide by these requirements. They alsoabide by the Code of Practice requirements concerning complaint handling. These set out thesimple process by which any viewer can lodge a formal Code of Practice complaint with a station.The Code does not require anyone making a written complaint to specify the Section of the Codeto which the complaint relates. Where a complaint relates to an area covered by the Code ofPractice, stations regard it as a Code complaint.

The Code also sets out the detailed requirements which stations must meet in assessing andresponding to Code of Practice complaints. Viewers who are not satisfied with a station's writtenresponse to a Code complaint, or who fail to receive a response within sixty days, may refer theircomplaint to the Australian Broadcasting Authority (ABA).

Appendix Six of this Report contains the complaints procedures of the Code of Practice.

It should be noted that a public review of the Code of Practice began in August 1996, and isexpected to be completed in early 1997.

The Code does not cover the content of television commercials. This is currently regulated by themore detailed requirements of the Media Council of Australia Codes of Advertising. During thereporting period, complaints about television commercials were referred to the Advertising StandardsCouncil for adjudication. (The Advertising Standards Council has since been abolished, though areplacement complaints handling body is expected to he established shortly.) Complaints aboutcommercials are not included as Code complaints unless the complaint concerns the placement of thecommercial rather than its content.

COMMERCIAL TELEVISION INDUSTRY CODE OF PRACTICE : 1996 ANNUAL REPORT PAGE 2

Publicising the Code and the Complaints Process

Codes of Practice and complaints process are of value only if consumers - viewers in this case -are aware that they exist. Commercial stations devoted substantial amounts of on-air time topublicising the Code in January/February 1996. Each station agreed to commit four 30-secondspots a day over three weeks, with one in four of the spots located in or adjacent to the mainevening viewing period. Each station also devoted similar airtime in June/July 1996 to two spotspublicising the television program classification system.

These national campaigns involved airtime valued at several million dollars, and would have beenseen at least once by close to ninety percent of all commercial television viewers. As in theprevious year, almost 4,000 copies of the Code were distributed to interested viewers, schools andcommunity groups during the year, helping to achieve a broad public awareness of the Code ofPractice.

How Stations Interpreted the Code

Stations have been encouraged by FACTS - their industry association - to interpret the Code ofPractice broadly in responding to viewer complaints. In practice, stations have included as Codecomplaints some matters which fall outside the Code, notably those relating specifically to theindustry's Advisory Notes. These advisory documents deal with the portrayal of women and men,of Aboriginal and Torres Strait Islander People, and of cultural diversity.

Stations have generally not included those complaints of violence, sexual content or otheroffensive material which are couched in very general terms, and are not related to the station'sprograms. The inclusion of complaints of this kind would reduce the value of the complaintfigures as a long-term measure of viewer response to programming.

The Year' s Experience

This report covers the twelve months to 30 September 1996. It deals only with written Code ofPractice complaints. Under the Code, stations are required to maintain procedures for receivingand responding to oral complaints. They receive large numbers of telephoned comments andcomplaints, most of which do not involve Code of Practice issues. Where a telephoned complaintdoes involve such an issue, and the caller indicates a wish to do more than simply register thecomplaint, he or she is invited to put the complaint in writing.

Stations received 937 written Code complaints in the course of the year. The previous year's totalwas 618, while the 1994 total was 928. The tables in Appendix One analyse complaints byprogram category and subject matter. As might be expected, most complaints were about thecontent of programs - perceived violence, inappropriate language, sexual content or nudity, inparticular - or the appropriateness of program scheduling in terms of audience composition. Theseaccounted for round fifty-five percent of all complaints. Similar complaints about the content andscheduling of program promotions made up a further nine percent of all complaints.

Complaints of bias and inaccuracy, or of discriminatory or offensive references of some kindaccounted for a further twenty-six percent. Thirty percent of complaints about discriminatory oroffensive references were of comments or images perceived as offensive to Christians, while thirty-two percent concerned images or remarks which were perceived as racist. Seven percent wereof comments or images considered sexist or otherwise offensive to women. Complaints about

COMMERCIAL TELEVISION INDUSTRY CODE OF PRACTICE : 1 996 ANNUAL REPORT PAGE 3

comments or images perceived as offensive to Aboriginal or Torres Strait Islander peoplecomprised a further four percent.

One other matter to attract a significant number of complaints was the placement of commercialsconsidered by complainants to be offensive or inappropriate for a general audience (fortycomplaints, or 4.3 percent of the total). Feminine hygiene commercials attracted six complaints,and alcohol commercials two. Most other complaints related to the sexual or violence content incommercials, language considered coarse, or perceived discriminatory references. There were alsotwenty-four complaints (5.2 percent of the total) concerning the amount of advertising ontelevision, mostly in drama programs. Eighteen complaints were received concerning closedcaptioning, and smaller numbers of complaints concerning invasion of privacy, and news or currentaffairs programs having inadequate regard to the sensitivities of victims of tragedy or theirrelatives.

The program categories which attracted most complaints were drama series and serials, news,current affairs , and program promotions . Program placement attracted over twenty percent of allcomplaints , with most complaints focussed on Pacific Drive (a PG-classified serial scheduled at3.3Opm on weekdays - 100 complaints), The Bold and the Beautiful (a formerly PG-rated serialscheduled in an edited G-rated form at 4.30pm on weekdays - forty-two complaints) and Sex/Life(an M-classified information program scheduled at 8.30pm on Thursdays during the period - fifty-four complaints ). Many of these complaints appeared to be the result of organised campaigns.

Programs which attracted most complaint were Pacific Drive (100), Sex/Life (68), 60 Minutes(44), The Bold and the Beautiful (42), Midday (29), A Current Affair (28) and The Footy Show(28). News, as a category, attracted 121 complaints , spread across twenty -five stations . Of these,Seven Network city stations accounted for thirty-eight complaints , Nine seventeen and Ten thirty-six. The balance of news complaints were made to regional stations.

Individual program items which attracted most complaint were a Footy Show skit which, in theopinion of some viewers, ridiculed Christianity (nineteen complaints ), a Sixty Minutes segment onchild molestation allegations against staff at a Christian Brothers institution (eighteen complaints),and a program promotion for the drama program American Gothic.

The final table in Appendix One analyses the fluctuations in the number and subject matter ofcomplaints over the four quarters. Quarterly numbers fluctuated by almost 50% around theaverage of 225. The focus of complaints fluctuated greatly over the year, though violence, sexand nudity, program classifications and discrimination were prominent categories throughout theyear.

The tables in Appendix Two analyse the geographical distribution of complaints, and their spreadbetween metropolitan and regional stations and between different station groupings. In all, thirtyout of the national total of forty-four stations received written Code complaints during the year.This included fourteen out of fifteen metropolitan stations, twelve of the fourteen regional stationsin multi-station markets, and four stations from single-station markets (Golden West Network,Griffith, Darwin and Mt Gambier).

The charts in Appendix Three compare complaints in 1995 and 1996.


Complaints Upheld by Stations

Thirty-nine complaints were upheld by stations, involving twenty-three separate matters. Ten ofthe fifteen metropolitan stations upheld complaints, as did one regional station. The Ten Networkupheld nine complaints, the Seven Network three and the Nine Network twenty-five complaints.

Details of the complaints upheld in stations are set out in Appendix Four. The chart in AppendixFive sets out the quarterly number of complaints upheld and not upheld since the Code came intooperation in 1993.

The follow-up action taken by stations ranged from counselling of staff through reviews ofoperational procedures and staff training.

Unresolved Complaints Considered by the ABA

A number of complaints were referred by viewers to the ABA, after stations had concluded thatthey did not breach the Code of Practice. Some of these complaints related to the previousyear. The ABA found that sixteen of these referred complaints involved breaches of the Code(eight breaches were upheld in the previous year).

The breaches found by the ABA comprised:

1. BTQ-7, Brisbane, News, 20 April 1994. Breach of Clause 1.6.6 in an item on a marchby Aboriginal people and others.

2. TEN-10, Sydney, Take 40 video hits program. Breach of Clause 2.10 in a video clipentitled "I'm an Asshole".

3. TEN-10, Sydney, promotion for Seaquest DSV on 2 April 1995. Breach of Clause3.6.1 in scheduling the promotion in a G-classified program viewing zone.

4. BTQ-7, Brisbane , Real Life program , 8 June 1994 . Breach of Clause 2. 7 in an itemon a Gold Coast " strip boat".

5. TEN-10, Sydney, Bold and the Beautiful, 13 February 1996. Breach of Clause 2. 10.1in a segment of the program broadcast in a G-classified program viewing zone.

6. Prime Network, Rudy Coby: The Coolest Magician on. Earth, 23 October 1995. Breachof Clauses 2.10.1 and 2.10.6, by depicting physical violence, the use of weapons andthe use of dangerous playthings in ways inappropriate to a G-classified program.

7. TCN-9, Sydney, News, 13 January 1995. Breach of Clause 4.3.1 in broadcasting aphotograph not of the person it was identified as being.

8. ADS-10, Adelaide, News, 27 April 1995. Breach of Clause 4.3.1 in a report on watertreatment, and of Clauses 7.8 and 7.9 in failing to respond substantively to a complaintwithin the period required.

9. TCN-9, Sydney, 60 Minutes, 16 June 1995. Breach of Clauses 2.25 and 2.26, by


failure to provide a prior warning giving an adequate indication of the nature of thematerial.

10. GTV-9, Melbourne , A Current Affair, 24 January 1995 . Breach of Clause 7.9 in failingto respond substantively to a complaint within the required period.

11. WIN Tasmania, News Update, 27 December 1995. Breach of Clause 4.3.5 in a reporton a man 's death by drowning.

12. GTV -9, Melbourne , A Current Affair, 21 July 1995 . Breach of Clause 7 . 9 in failingto respond substantively to a complaint within the period required.

13. TEN Victoria , Bendigo, News, 27 June 1995 . Breach of Clause 4.1.2 in broadcastinga segment dealing with drug usage, and of Clause 7.11 in failing to respondsubstantively to a complaint within the required period.

14. STW-9, Perth, Basic Instinct, 29 October 1995 . Breach of Clauses 7.8 and 7.9 infailing to respond substantively to a complaint within the required period.

15. TVW-7, Perth, Today Tonight, 1995. Breach of Clause 2.26 in a segment on theprogram "Executioners".

16. BTQ-7, Brisbane, Sportsworld, 9 April 1995. Breach of Clause 2.10.3 in broadcastinga mild expletive without adequate justification.


APPENDIX 1

CODE COMPLAINTS BY

CATEGORY AND BY QUARTER

Appendix 1Code Complaints from October 1995 to September 1996 - By CategorySex/ Language Violence Classif. Bias/ Privacy Trauma Discrim. Commerc. Commerc. Closed Complaint Total:Nudity (Other * Inaccuracy Content Placement Caption Handling

Childrens 5 3 10 17 3 1 39Comedy 17 4 5 9 6 1 42Current Affairs 2 1 2 13 75 4 2 14 1 114Documentary 2 2 4Drama Series/Serials 136 7 22 32 5 7 5 5 219Game 7 2 3 1 4 1 18Information 61 1 2 8 1 3 3 3 82Movies 12 6 21 13 5 2 1 60Music Video 1 1 2News 1 3 38 56 4 4 14 1 121Sport 1 2 1 2 25 3 3 37Varie 21 3 9 33Unspecified 1 1 1 5 7 3 26 12 56

romos 26 29 28 3 24 110Total: 293 27, 104, 166 135 8 6 115 24 40 18 1 937J1

% All Complaints: 31.3 2.9 11.1 17.7 14.4 0.9 0.6 12.3* See details of this category in the accompanying table

2.6 4.3

Classification (Other) - Complaints By Sub-CategorySimulating Classif. Classif. Classif. Not Suitable Upsetting Miscell. TotalEvents (G Zone) (PG Zone) (M Zone) Television Material

Childrens 14 3 17Comedy 1 3 3 2 9Current Affairs 6 2 3 2 13DocumentsDrama Series/Serials 21 3 3 5 32Game 1 1Information 2 2 4 8Movies 2 1 6 4 13Music VideoNews 24 14 38Sport 2 2VarietyUnspecified 2 3 5Promos 11 6 1 1 1 10 28Total: 1 59 18 14 0 27 47 = 16=6 1

% All Complaints: 0.1 6.3 1.9 1.5 0.0 2.9 5.0 17.7* Of these, 10 were complaints about depictions of violence or firearms(half of these in news and half inother programs), 10 about inappropriate sexual content (mainly in news and information programs), sixwere complaints of material causing panic or distress to viewers, and six of unsuitable program promotionplacement. The balance were unspecific complaints about program material or its placement.

1.9 0.1 100.0

% All

omplaint

4.24.512.20.423.41.98.86.40.212.93.93.56.011.7

100.0

Appendix IComplaint Breakdown , 1995/96

Complaint Handling (0.11 %)Cations 1. 92% ) -

m (Ad. Place ' t(4.27%

)Ad. Content 2.56%

Other Class . (17.72%)

Appendix 1

Main Complaint Categories 1995-96, By Quarter140

-------------------------------------------------------------------

-------------------------------------------------------------------

anguage Violence Bias Discrim. G Zone PG Zone M Zone Upsetting

1st Qtr 2nd Qtr 3rd QtrE

Appendix 1

Complaints Breakdown by QuarterQ411995

Hmr

M 1-Complaint Handling (0.00%)U) Captions (4.80%)z Ad. Place ' mt (8.80%)-j, ---,<-Sex/Nudity (18.40%)

Ad. Content (4.00%)CV)H< Discrim . ( 10.40%)C)0M Trauma ( 0.00%)oT

Privacy (2.40%)

Q2/1996

Captions (0.70%)Ad. Place mt (5.28%)

Ad. Content (2.11 %)Discrim. ( 5.28%)

Trauma (1. D6 %)Privacy ( 0 .70%)

D0m

Complaint Handling (0.00%)

Sex/Nudity (36.27%)

Language (2.11%)

Violence (17.25%)

Q1/1996

Captions (0.52%)'Ad. Place mt (_4. 9%)

Complaint Handling (0.00%)

Ad. Content (3.14%)

Discrim. (28.80%)

Trauma (1.05%)-Privacy (1.05%)

Bias (9.95%)

Q311996

Complaint Handlin (0.30%)Captions 2.67%)

' mt `4.4 %)Ad. PlaceAd. Content (2.08%)

Discrim. (9.20%)Trauma (0.30%)Privacy (0.30% Sex/Nudity (39.17%)

Language (2.37%)Violence (10.39%)

APPENDIX 2

CODE COMPLAINTS BY STATE

AND BY STATION CATEGORY

APPENDIX 2

CODE COMPLAINTS BY STATEOCTOBER 1995 TO SEPTEMBER 1996

STATIONS RECEIVING COMPLAINTS *

Metre Stations Regional Stations Total

NSW 3 (314) 6(113) 9 (427)

VIC 3 (123) 2 (18) 5 (141)

QLD 3 (162) 3 (40) 6 (202)

SA 3 (68) 1 (5) 4 (73)

WA 2 (40) 1 (1) 3 (41)

TAS 0 (0) 2 (51) 2 (51)

NT 0(0) 1(2) 1(2)

TOTAL 14 (707) 16 (230) 30 (937)

* Figures in brackets refer to numbers of complaints

COMPLAINTS BY STATE

Metro - % Metro Reg - % Regional % All

NSW 44.4% 49.1% 45.6%

VIC 17.4% 7.8% 15.0%

QLD 22.9% 17.4% 21.6%

SA 9.6% 2.2% 7.8%

WA 5.7% 0.4% 4.4%

TAS 0.0% 22.2% 5.4%

NT 0.0% 0.9% 0.2%

TOTAL 100 .0% 100 .0% 100.0%


APPENDIX 2

CODE COMPLAINTS BY STATION GROUPING,OCTOBER 1995 - SEPTEMBER 1996

SEVEN NETWORK Complaints Upheld

Sydney 65 1Melbourne 33Brisbane 42Adelaide 16 2Perth 18

Total 174 3

NINE NETWORK Complaints Upheld

Sydney 162 16Melbourne 37 5Brisbane 75 4Adelaide 28 -Perth - -

Total 302 25

TEN NETWORK Complaints Upheld

Sydney 87 3Melbourne 53 2Brisbane 45 2Adelaide 24 1Perth 22 1

Total 231 9


APPENDIX 2

CODE COMPLAINTS BY STATION GROUPING,OCTOBER 1995 - SEPTEMBER 1996 (cont)

SEVEN AFFILIATES Complaints

Queensland 5NNSW 1SNSW -Victoria -Tasmania 18

Total 24

Upheld

0

NINE AFFILIATES Complaints Upheld

Queensland 12NNSW 16SNSW 30Victoria 16Tasmania 33

Total 107 1

TEN AFFILIATES Complaints Upheld

QueenslandNNSWSNSWVictoria

232621

2Total 72 0

UNAFFILIATED STATIONS Complaints UpheldGolden West 1 1Mt Gambier 5 -Darwin 2 -Griffith 19 -

Total 27

GRAND TOTAL 937

1

39


APPENDIX 3

CODE COMPLAINT BREAKDOWN

COMPARED TO PREVIOUS YEAR

Appendix 3Complaints Breakdown Compared

to Previous Year

1995

Ad. Place mt (8.41 /o)Captions .I3%)

Complaint Handlin (129%)T

Sex/Nudity (14.08%)

Language (4.37%)

Violence (9.71%)

Trauma (0.32%)Privacy (1.29%)

1996

Ad. Content (2. 56%)Ad. Place mt 64.27 /o)

Captions ( 092%)Complaint Handling (0.11%)

Discrim . (12.27%)

Trauma (0.64%Privacy (0.85%

Other Class . (17.72%)


APPENDIX 4

CODE COMPLAINTS UPHELD

APPENDIX 4

CODE COMPLAINTS UPHELD, OCTOBER 1995 - SEPTEMBER 1996

Program Name Program Type Complaint CodeClause

No.

Midday Variety Nudity unsuitable for broadcast in 2.12.2 1school holidays

What's Up Doc Children's Reference to Satanism unsuitable in 2.10 1children's program

Macgyver Program Unsuitably violent content 3.6 2Promotion

NRG Sport Offensive coarse language in 2.10.3 2backing song

Eyewitness News News Erroneous identification of a 4.3.1 1person in a news story

Eyewitness News News Inaccurate description of events in 4.1.1 1a news item on a death in Israel

"R"-classified cinema Advertisement Unsuitable for placement in G- 6.15 2feature classified program at 9.SOam

Eyewitness News News Insensitive attempt to interview 4.3.6 2relative of Port Arthur victim

Eyewitness News News Unduly graphic footage on the 4.3.4 1stabbing of a rabbi in Israel

60 Minutes Program Inappropriate placement in a G- 3.6 2Promotion viewing zone program

Today Current Affairs Excerpt from "Naughtiest 2.10.2 1Commercials" program

inappropriate in a G-viewing zoneprogram

Hey, Hey It's Saturday Comedy Sexual reference in song lyrics 2.10.2 1inappropriate in a G-viewing zone

program

National Nine News News Vision of gun at a child's head 2.10.1 2unacceptable

60 Minutes Current Affairs Viewpoint misrepresented in story 4.3.1 13on allegations about a Christian

Brothers institution

Today Current Affairs Vision of vigilante murder 4.3.3 1unacceptable in G-viewing zone


APPENDIX 4

CODE COMPLAINTS UPHELD, OCTOBER 1995 - SEPTEMBER 1996 (cont)

Program Name Program Type Complaint CodeClause

No.

The Footy Show Sport Sexual references inappropriate in 2.12.2 1a PG-classified program

GWN News Hour News Vision of vigilante murder 4.3.3 1unacceptable in G-viewing zone

Seinfeld Comedy Sexual references unsuitable in G- 2.10.2 1viewing zone program

Seven Nightly News News Complaint not responded to within 7.9 1time prescribed by Code

NBN News News Inappropriate close-up of covered 4.3.4 1body of child accident victim

Roseanne Program Unsuitable for placement in 3.6 1Promotion morning children's program


APPENDIX 5

CODE COMPLAINTS UPHELD

AND NOT UPHELD SINCE 1993

n0

350MM2

M

m

0z

Appendix 5

Code of Practice ComplaintsQuarterly Totals Upheld and Not Upheld

314

300 ------------------------------------------------------------------------------------------

266

z

°c 250 -----------

00200 -194------

n ^^^

D

F) Z 150 -

0)

z 100 ---M -----zcDr

,C7m.9O

H504--®------

129

093/04 94/01

233

195----- ------------------------------- ---------------

167

112

X136 5

132

10 12

94/02 94/03 94/04 95/01 95/02Quarter

95/03 95/04

279

96/01 96/02 96/03

Not Upheld UpheldMNN

APPENDIX 6

CODE OF PRACTICE

COMPLAINTS PROCEDURES

HANDLING OF COMPLAINTS TO LICENSEES

Objective

7.1 This Section is intended to ensure that licensees:

7.1.1 publicise the existence of the Code and its complaints procedures;

7.1.2 maintain adequate procedures for receiving and responding to oral complaints;

7.1.3 advise complainants of their right to make a written complaint about materialbroadcast by a licensee which allegedly breaches the Code;

7.1.4 respond promptly to written complaints of this kind, and make every reasonableeffort to resolve them.

Scope

7.2 This Section applies to any matter covered by the Code which is the subject of a writtencomplaint to a licensee which adequately identifies the material broadcast, the natureof the complaint, and the identity of the complainant. Letters of complaint need notspecify the Section of the Code to which the complaint relates. All written complaintsabout the content of a commercial (as distinct from its placement or the amount ofcommercials broadcast) will be referred to the Advertising Standards Council ofAustralia, or (in the case of advertising directed to children) to the AustralianBroadcasting Authority, as the responsible complaints bodies.

Publicising of Code

7.3 Licensees will provide regular on-air information about the Code and its complaintsprocedures, and explain how viewers may obtain copies.

Procedures for Handling Oral Complaints

7.4 Licensees welcome telephoned comments from viewers, which they regard as valuablefeed-back on viewer reaction to their service. Licensees will continue to record thesubstance of these responses and bring them to the attention of key staff, and to responddirectly to callers who provide their name and contact details. The present Code willprovide an additional avenue for viewers who wish to make a formal complaint aboutmaterial broadcast by a licensee which they believe to contravene the Code.

Advising Complainants of their Right to Make a Formal Complaint about aCode Matter

7.5 Licensees will advise viewers who complain by telephone about material broadcastwhich is alleged to breach the Code, and who wish to pursue the complaint further, thatthey may make a written complaint to the licensee in question within 30 days of theparticular broadcast, and that the licensee is obliged to respond in writing to thatcomplaint;


7.5.1 Where a complaint of this nature is made to a licensee by means of a telephonetypewriter, it will be treated as an oral complaint but the licensee will write tothe complainant within 10 days to advise him or her of the formal complaintprocedures set out in Clause 7.5.

7.6 If a written complaint is made to a licensee more than 30 days after a broadcast, thisSection does not oblige the licensee to comply with the requirements of this Section inresponding to the complaint.

7.7 Licensees will advise viewers who complain about the content of a commercial (asdistinct from its placement or the amount of commercials broadcast) to direct theircomplaint to the Advertising Standards Council of Australia or to the AustralianBroadcasting Authority (in the case of advertising directed to children).

Time Limits on Responses to Written Complaints about a Code Matter

7.8 Where a viewer complains in writing of material within thirty days of its broadcast, thelicensee must seek to provide a substantive written response within ten working days.That response will also advise the complainant that he or she may refer the matter tothe Australian Broadcasting Authority if not satisfied with the licensee's response.

7.9 When a licensee cannot provide a substantive written response within ten working days,the licensee will undertake in writing to provide a substantive reply within a further 20working days.

7.10 If the material complained of was provided on broadcast relay by another licensee, orwas otherwise the responsibility of another licensee, the first licensee may refer thecomplaint to that licensee for written response direct to the complainant. If a licenseedoes so, it will advise the complainant within ten days of receipt of the complaint, andprovide the complainant with the name of a contact person at the second licensee.

7.11 Where a licensee refers a complaint to another licensee for reply, that other licenseewill have 30 working days to provide a substantive response to the originalcomplainant.

Resolution of Complaints

7.12 Licensees will make every reasonable effort to resolve promptly complaints covered bythis Section, except where a complaint is clearly frivolous, vexatious or an abuse of theCode process.

Referral of Complaints to the ABA or the Chairman of FACTS

7.13 If a complainant is not satisfied with a response to a written complaint, and raises thematter further in writing with the licensee, then the licensee will:

7.13.1 reply substantively to the further letter, and further advise the complainant thathe or she may take the complaint to the Australian Broadcasting Authority;or


7.13.2 alternatively, or as well, advise the complainant that the licensee will refer thecomplaint to the Chairman of FACTS.

7.14 Where the licensee is satisfied that the complaint is factually groundless, it may declineto refer the complaint to the Chairman of FACTS. This will not affect thecomplainant's right to take the complaint to the ABA.

Handling of Complaints Referred to the Chairman of FACTS

7.15 In the event that a complaint is referred by a licensee to the Chairman of FACTS, heor she will:

7.15.1 refer the complaint in writing to the Chief Executive of the licensee inquestion for a further response (which response is to be copied to theChairman of FACTS);

7.15.2 take whatever additional steps he or she considers necessary to assistresolution of the complaint;

7.15.3 advise the licensee and the complainant that a report on the complaint will belisted in the Annual Code Administration Report published by FACTS.

Licensees to Report Written Complaints on Code Complaints to FACTS

7.16 Each licensee will report to FACTS, within 15 working days of the end of each quarter,the number and substance of written complaints alleging specific breaches of the Code,including for each complaint the date received and date or dates of response. Thesereports to FACTS will not include the name or address of any complainant.

7.17 FACTS will provide a summary of this information to the Australian BroadcastingAuthority within 15 days of its receipt.

Code Administration

7.18 FACTS Code Administration Council will meet four times each year to reviewadministration of the Code. A member of the ABA will be invited to attend eachmeeting of the Council as an observer.

7.19 The Chairman of FACTS will cause to be published each year a report on Codeadministration by licensees . This report will be available to the public and will contain:

7.19. the number and substance of written complaints relating to compliance with theCode received by licensees, and the outcome of each complaint;

7.19.2 the number and substance of complaints referred to the Chairman of FACTS,identifying the licensee or licensees involved, and the outcome of the reference.


AUSTRALIAN BANKERS ' ASSOCIATION

ig377r1

30 July 1997

The Research DirectorLegal Constitutional and Administrative Review CommitteeParliament HouseBRISBANE QLD 4000

Dear Sir


®NAL AND1E REVI C M E

4 AU 1991

Australian Bankers' Association's submission in response to Issues Paper No 2 "Privacy inQueensland" dated May 1977 is enclosed.

We hope that the submission is informative and is of assistance to the Committee in itsconsideration of this very important subject.

We are appreciative of the opportunity to make this submission.

erely

Ian GilbertDirector Legal

Encl.

55 Collins Street Melbourne 3000Telephone (03) 654 5422 • Telex AA151880 • Facsimile (03) 650 1756

"PRIVACY IN QUEENSLAND"

A Response by Australian Bankers' Association

to Issues Paper No 2 of May 1997

released by

Legal Constitutional and Administrative Review Committee

Legislative Assembly of Queensland

1. INTRODUCTION

The importance of information

Banks in Australia play an obvious and significant role in the financial system. Over theyears, the core activity of banks (taking deposits, lending money on security, providingcheque and savings accounts) has changed as the number and variety of services provided

has diversified and grown.

Once a heavily regulated environment, the removal of many of the regulations affectingbanks and banking was inevitable in the face of increasing pressure from customers for

better, and better value, services. Increasing competition between banks and theirresponding to customers needs with an expanded and innovative product range has gonehand in hand with advances in technology.

The situation today is that we are in an environment of ongoing change which is customerdriven and technology facilitated . All types of financial institutions are under increasingpressure to respond to increasingly demanding customers who require mobile, flexibleaccess to financial services.

The collection, storage, retrieval and use of data electronically will increase over time. In acomputer literate society, individuals understand and have accepted that varying aspects oftheir personal information are already stored on databases across the country. Shareholdersin public companies, licensed drivers, taxpayers, rate payers, employees, magazinesubscribers, credit card holders, telephone users, and retail customers of all kinds havevoluntarily disclosed their personal details, invariably to be stored electronically, with theexpectation but not necessarily the precise knowledge, of the uses to which thatinformation may be put.

Many of these databases are in the form of public registers which members of the publicare free to search and extract information for their own purposes. Examples includeregistries relating to births, marriages and deaths, land titles, REVS (Register of Electronic

ig369r1

Vehicle Securities) offices of the Registrar General (bills of sale, powers of attorney,dealings in relation to general law land) and many and varied bodies holding registration orlicensing details covering a multitude of businesses, professions, and other activities.

The very nature of these databases, being public registers, ensures that the public, whichhas a legitimate interest in the information contained in those registers may access thosedatabases in pursuit of their legitimate interests. Banks and other financial institutions relyheavily upon the ability to interrogate these databases as part of everyday business. Theability to verify the identity of the registered proprietor of land, to ascertain the nature andextent of registered interests affecting the property of a customer and to verify otherinformation (for example, such as a business name) are basic information needs in thecourse of carrying on business.

Therefore, it is imperative that general freedom of access to such information is maintainedand that no fetters or impediments are placed on access or on the uses to which thatinformation may legitimately be put. For example, a creditor seeking the whereabouts ofan errant debtor will frequently access public database information to assist in this pursuit.

A business seeking to tailor its products and services or its marketing activities to arelevant sector of the community may use public database information in order to achieve

this.

Also, organisations obtain information from their customers. The sources of thisinformation can be directly from the customer or derived from customer transaction

activity.

The collation of selected information produces a further class of information, "enhanced"information that is the product of the organisation.

Information is a critical ingredient in enabling commercial enterprises to anticipate theneeds of identifiable people or in their pursuit of their legitimate interests.

Despite the fact that the giving of personal details is a part of our everyday life, Australianshave nevertheless been found to consider confidentiality of such information a veryimportant social issue.

Polls on privacy issues conducted by the Privacy Commissioner in Australia each yearbetween 1990 and 1994 (other than 1992) show an increasing degree of importance placedon confidentiality of personal information and a growing desire to prevent unwantedintrusions into homes and offices.

But the concerns expressed in the polls are not evenly directed to all recipients of personalinformation, and it is recognised that certain information is required by some organisationswhich provide goods or services that the customers want but will not be able to havewithout the supplier first having ready access to relevant personal details and the ability tocheck them.

ig369r1 2

An obvious example is applying to a bank for a loan or to a card issuer for a transactioncard facility of some kind. Applicants in these situations expect the bank to carry outchecks on their credit history, credit worthiness and their suitability to be provided with theparticular product or service. The Privacy Commissioners' polls provide graphicillustration of this in the following opinion response -

"Takefinance.

You want to borrow money.

Organisations have to be able to build up profiles of

you. They have to be able to know whether you can pay

or not.

If organisations aren 't allowed to go to that sort of

detail you'll have trouble with bad debts and it 's going

to cost us more to borrow whatever we want to

borrow' .I

1.2 The Banking and Finance Industry - a Service Provider

In the present financial environment in Australia, it is important to recognise that manyfinancial institutions are diversified financial services businesses with organisational

structures developed to house and manage their business units.

Customers now have before them the choice of a larger number of institutions from whichto source banking and financial services, due to the migration of non banks into bankingstatus, the entry of foreign banks and other players and the diversification of existing

financial services.

Customers now shop around for the most attractive products, with their associated ratesand returns, to a far greater extent than previously. Recently introduced credit laws(Consumer Credit Code) are designed to facilitate consumers making comparisons andinformed choices. When customers go to a financial institution for the first time, it isunderstood that their financial profile will be looked into. This use of personal informationis acceptable and makes good business sense - customers would hardly expect to be given aloan without the lender first seeking a credit reference check. Acceptance of this practice isrecognised in the Privacy Commission's paper "Community Attitudes to Privacy".

Not only has the range of bank products increased considerably over the last few years (eg:in 1980 there were 26 different types of mortgages, in 1995 there were 1,800) but so toohave the types of services offered by banks.

i Information Paper No. 3. "Community Attitudes to Privacy" Privacy Commissioner. Page 14.ig369r1 3

Financial conglomerates have arisen largely in response to the institutional basis of financesector regulation and perceived increases in profits from wider use of customer bases toidentify a wider range of financial services for known customers.

In a corporate group, related services provided by companies in the group may include lifeinsurance, stock broking, funds management, trustee services, travel, nominee services and

financial advice.

Information obtained by a bank about its customers through their normal use of retailbanking services and products, assists banks to offer other products of the group to thosecustomers and to develop the type of additional products that will be attractive to them as

their financial preferences evolve.

2. COMMENTS ON THE ISSUES PAPER

2.1 Current Privacy Law

The Issues Paper deals in a general way with common law and statutory protection for the

privacy of individuals. However the statement on page 2 of the Issues Paper that "thecommon law generally does not protect the right to privacy in Queensland (or Australia)" is

not strictly accurate as it applies to the banking sector. Banks are subject to a duty of

confidentiality which is an implied term in every bank and customer contract. For over ahundred years the Courts have recognised this duty as an implied contractual term under thecommon law2. The duty of confidentiality covers the state of the customer's account with thebank and the transactions which pass through the account. It also covers informationobtained from sources other than the account where the need for obtaining the informationarose out of the banker and customer relationship. It is important to note that the dutycontinues beyond the period after the customer's account is closed or becomes inactive.

The common law duty to keep the customer's affairs confidential has four exceptions which

are

(i) the customer's consent - expressed or implied

(ii) disclosure in the interests of the bank (for example, so that a bank can defend itself inlegal proceedings brought by a customer)

(iii) disclosure under legal compulsion and(iv) disclosure pursuant to a public duty (for example, to prevent the commission of a

serious crime)

Banks go to great lengths in staff training programs to emphasise the importance of this dutyof confidentiality and in some cases internal codes of conduct in banks and employmentcontracts make the duty of confidentiality a term of the employee's service with the bank.

2 Foster v Bank of London (1862) 3 F & F 214. See also Tournier v National Provincial and Union Bank of

England (1924) 1 KB 461.ig369r1 4

In addition to the duty of confidentiality, 18 banks in Australia which have a significant retailpresence in Australia (a list of the banks appears as Annexure 1) have formally adopted theCode of Banking Practice as part of their contractual relationships with their personal

customers. A copy of the Code of Banking Practice appears as Annexure 2. Particularreference is made to Section 12 of the Code. Under Section 12.1, the common law duty ofconfidentiality is restated. Also Section 12 contains permission for a bank to share personalinformation of a customer with a related entity of a bank to enable a total assessment to bemade of the financial position of the customer. It also permits a bank to share a customer'spersonal information with a related entity which provides financial services which are relatedor ancillary to those provided by the bank but the Code gives the customer the explicit rightto instruct the bank not to do so.

Other parts of Section 12 of the Code provide protection in relation to the collection, storage,disclosure and use of the personal information and provide personal customers with rights ofaccess to and to request the correction of their personal information.

The Code of Banking Practice has contractual force. If a bank were to breach the provisionsof Section 12 of the Code (or for that matter the duty of confidentiality generally) the bankwould be liable for damages for any loss suffered by the customer occasioned by that breach.

Further, it is strongly arguable that if a bank, which formally adopted the Code of BankingPractice, failed to adhere to the privacy provisions of the Code the bank could be held liablefor misleading and deceptive conduct under Section 52 of the Trade Practices Act. Remediesunder the Trade Practices Act includes damages and injunctive relief.

Although mentioned briefly on page 7 of the Issues Paper under the heading "Should privacylegislation extend to the private sector?", the Issues Paper does not bring out the veryprescriptive and restrictive regime that Part IIIA of the Privacy Act 1988 imposes upon banksand other financial institutions which provide credit. Part IIIA imposes a stringent creditreporting regime and explicit limits on the information which a bank might use which hasbeen derived from the report of a credit reporting agency Section 18N of the Privacy Act1988 is very restrictive about the way in which a bank may disclose information of a creditsensitive nature irrespective of whether the information has been derived from a credit reportor some other source. In this context, information of a credit sensitive nature under Section18N extends to any record or information in writing, oral or other form that

"has any bearing on an individual's credit worthiness, credit standing,credit history or credit capacity" other than publicly available

information.

The Credit Reporting Code of Conduct 1996 sets out precise controls on what may bereported and recorded about an individual's credit standing and provides rights of access toand correction of information held on credit reporting agencies' databases. A copy of theCredit Reporting Code of Conduct appears as Annexure 3.

ig369r1 5

The Electronic Funds Transfer Code of Conduct which governs EFT transactions involving

plastic cards used in conjunction with PINs also contains privacy provisions . A copy of the

relevant provisions appears as Annexure 4.

Together, these legal constraints on the disclosure and use of an individual's personalinformation in a banking context are significantly powerful. Financial institutions such asbuilding societies and credit unions have adopted codes of practice incorporating similarprivacy and confidentiality provisions. Although these Codes do not expressly incorporate aduty of confidentiality as with the case of the Code of Banking Practice, there is the view thatthe duty of confidentiality applies in the cases of building societies and credit unions.3 Inaddition, the provisions of the Privacy Act 1988 referred to above (including the CreditReporting Code of Conduct 1996) extend not only to banks but also to building societies,credit unions, other lending corporations and retail businesses which issue credit cards tomembers of the public in connection with the sale of goods or services.

2.2 Privacy Law at the International Level

The Issues Paper refers to a number of international initiatives for privacy protection and

makes reference to Canada.

An additional protection in Canada is the Model Code developed in 1985 by the Canadian

Standards Association. A copy of the Code appears as Annexure 5. The Canadian ModelCode is an excellent example of self-regulation.

3. SPECIFIC ISSUES IN RESPECT TO PRIVACY PROTECTION RAISED BY

THE ISSUES PAPER

3.1 Concerns about Privacy Protection

The Privacy Commissioner's paper "Community Attitudes to Privacy" identifies theconcerns individuals have with respect to use of their personal information and iseffectively a summary of the polls conducted between 1990 and 1994.

Some of the identified responses, in no particular order, are -

• the least trusted holders of personal information are organisations, with whichthe individual has no connection, that are trying to sell something

• use of personal information where necessary or to the advantage of theindividual is acceptable

3 Alan Tyree "Does Tournier apply to building societies?" Journal of Banking and Finance Law and PracticeVolume 6, September 1995, p.206ig369r1 6

• the most disliked use of personal information includes mailing lists and cold callselling (particularly out of hours)

• there is no way of telling where an individual's personal information ends up

• there is little control by the subject over the use of personal information

• individuals distinguish between collection and use of personal information bygovernment and non-government groups

Some inferences that might be drawn from the Privacy Commissioner's paper are -

• use of credit checks to assess loan applicants is accepted practice

• some control over who can receive personal information is required

• authorisation for the use of personal information may, in some circumstances, be

an issue.

• who is collecting personal information, for what purpose and who will receive itshould be revealed by collectors of personal information at the time of collection

• an individual should be able to have access to his or her own personal

information.

These issues could be collectively reduced to two basic principles - one is a communityneed for disclosure based on empowering the individual and the other is transparency of

functions of institutions.

The final report ("Wallis Report") of the Financial Services Inquiry established by theFederal Treasurer and constituted by a committee chaired by Mr Stan Wallis was released

in April 1997.

The Wallis Report considered the question of privacy (pages 517 to 524 of the Wallis Report

appear as Annexure 6). Although its comments were confined to the financial sector, thearguments advanced by the Wallis Report in support of a national single regime administratedby the Commonwealth Privacy Commissioner are very strong.

An information privacy protection regime which is not national and uniform and whichfails to recognise group structures, contractual outsourcing of processing and otherfunctions and the need for responsible but diverse and flexible utilisation of personalinformation could seriously impede the international competitiveness of Australiancompanies and the market driven changes in that environment.

ig369rt 7

3.2 Adequacy of Queensland Law

In so far as the banking sector is concerned, it is submitted that the combination of commonlaw, contract law and Part IIIA of the Privacy Act together provide a strong basis for theprotection of the privacy of the individual in Queensland (and throughout Australia). If asingle State were to regulate privacy protection through its own legislation, it would face twomajor difficulties in doing so. First, to the extent that any State legislation dealt with mattersalready covered under the Part IIIA of the Privacy Act 1988 (Commonwealth) as far as itapplies to the private sector, to the extent of any consistency the State law would be invalid(Section 109 of the Commonwealth Constitution).

Secondly, organisations which collect personal information about customers are often andincreasingly becoming involved in borderless transactions. The comments on Page 7 of theIssues Paper about the disadvantages of a State-by-State approach and discriminating andcompetitive disadvantages are very apt in this context.

ABA submits that this is not a desirable way of regulating the information marketplace in theprivate sector. It is likely to produce non-uniform, inconsistent and unclear regulation.

The relevance and importance of personal information about customers and the need forconfidence by customers in trusting organisations not to misuse or manage that informationbeyond the limits of their reasonable expectations warrant the initiative to raise communityawareness of privacy issues in the terms of the Issues Paper.

ABA is concerned that whatever regime emerges in Australia it must take into account andsufficiently recognise the need to appropriately balance the current state of and futurechanges in the structure of the market for financial services, the importance of personalinformation for institutions to effectively compete with each other and, of course, thelegitimate expectations of the individual in appropriate protection of the privacy of his or

her personal information.

There is one overriding factor in implementing a private sector information privacyprotection regime in Australia; that is the regime must be a single, nationally effectiveand uniform regime under a single regulator.

If for no other reason, Directive 95/46 of the Executive Committee of the EuropeanParliament and of the Council dated 24 October 1996 on the protection of individuals withregard to the processing of personal data and on the free movement of such data (EUDirective) will require member states of the European Union to only permit transfer ofpersonal data to third countries which ensure an adequate level of protection.

In the case of Australia's laws, their adequacy or otherwise for EU purposes can beexpected to be viewed as a whole.

Piecemeal and non-uniform laws at a regional (State and Territory) level dealing withprivate sector information privacy protection (or none at all) could seriously affect

ig369r1 8

Australia being recognised by EU as having an adequate level of protection. Therefore,individual State and Territory initiatives to develop their own privacy laws for the privatesector (it is conceded that for constitutional law reasons they must develop their own publicsector privacy protection regimes) must be discouraged.

Virtually all financial institutions in Australia carry on business across one or more Stateand Territory boundaries. A piecemeal approach to private sector privacy regulation wouldproduce non-uniform systems of compliance, increase costs of compliance, increase therisks of non-compliance and potentially impede the flow of personal information between

jurisdictions. This would be likely to disadvantage the individuals concerned.

In deciding not to introduce Commonwealth legislation regulating privacy protection in theprivate sector, the Prime Minister, Mr Howard, said on 21 March 1997 that the privatesector should seek to self-regulate in this matter and the Privacy Commissioner would beavailable to assist in the development of relevant codes of practice.

The Commonwealth Privacy Commissioner has foreshadowed her intention of establishinga Working Party to reach a consensus on a set of national information privacy principles.Her information paper of April 1997 appears as Annexure 7.

The Privacy Commissioner is currently working on developing an issues paper drawing onover 100 submissions made to the Commonwealth Attorney-General last year in responseto the Commonwealth Attorney-General's Discussion Paper "Privacy Protection in the

Private Sector". That Discussion Paper is expected to be released during the month ofAugust 1997 to be followed by a round of consultations with interested parties throughout

September and October 1997.

Therefore, ABA submits that it would be premature and pre-emptive for Queensland andany other State to take any steps in respect of private sector privacy regulation given theinitiatives that are currently underway with the Commonwealth Privacy Commissionerand, in the case of the banking and finance sector, the existing substantial legal protections

already in place.

However, we do submit that establishing an office of Privacy Commissioner inQueensland with a community educative role would be a positive initiative. It is evidentfrom research carried out by the former Commonwealth Privacy Commissioner thatconsumers understand the importance of information in obtaining benefits from an

organisation. The excellent example provided in Information Paper No 3 "CommunityAttitudes to Privacy" Privacy Commissioner and set out on page 3 of this submission bears

this out.

There are, however, circumstances in which consumers do not understand how theirpersonal information might be used by organisations and that they have a choice as towhether to provide information in certain circumstances. ABA sees self-regulation by

consumers of the information that they are prepared to provide is just as important as anyregulatory framework. If the reasonable expectation of the individual concerned is that hisor her personal information will be used or disclosed in a particular way then that

ig369r1 9

individual has a choice as to whether to provide that personal information in the first placeor to signify his or her refusal to the use or disclosure of that information.

We would see a role being able to be fulfilled by a Privacy Commissioner in informing thegeneral public about such matters.

3.3 Scope of a Privacy Regime

Other than our earlier comments concerning the maintenance of public access to state andlocal government information databases for lawful and legitimate purposes , it would beconsistent that as Commonwealth Government agencies are subject to privacy regulation itwould follow that State public sector bodies and State Government -owned corporationsalso should be subjected to some form of privacy regulation . But it does not necessarilyfollow that the private sector should be regulated or regulated in the same way.

Customer service and profit orientated commercial enterprises approach information andthe business potential of information from a different perspective than a limited , definedfunction statutorily charged public sector body may be required to do. Information notonly serves to enable a commercial enterprise to satisfy the immediate needs of a customerand to maximise its profitability but also it serves to maximise a customer's understandingof the full range of products and services which the enterprise has on offer.

In a competitive environment where an individual ' s custom is paramount and is competedfor an enterprise needs to use personal information to protect that asset through appropriateservicing of the customer . For example , a customer who frequently reaches or exceeds adesignated credit limit i.e. a credit card facility, may be disadvantaged by an unnecessarilylow credit limit or may be experiencing liquidity problems. The nature and pattern oftransactions may provide the financial institution which issued the card with informationon which to base a decision to extend and offer of further credit to the customer oralternatively restrict the customer ' s access to credit . Another example is of customers whotend to use automated banking facilities in preference to branch based facilities. Customersmay be more receptive to overtures by the bank to embrace new electronic products andservices than those who show a preference for branch banking. A better understanding ofcustomers ' needs by being able to model information means that customers are more likelyto get what they want . In the second example mentioned , the first type of customer can beintroduced to the new products and services and the second type left alone.

There is, in effect, a paradox in a customer's relationship with an organisation such as abank group and the reported findings of the Privacy Commissioner on public attitudes to

privacy. Customers expect a bank group to know things about them; things derived frominformation provided on a prior occasion or from a third party source which the group iscapable of retrieving and using on a later occasion for the same or an unrelated purpose.However, the Privacy Commissioner's surveys on community attitudes to privacy recordconcerns over the accumulation by companies, including financial institutions, of personal

information.

ig369rl 10

Customers' expectations of what a bank group knows about them in their relationshipswith the group are reasonable expectations. Privacy regulation should be predicated on theconcept of the individual's reasonable expectation of the management of his or herpersonal information. For example, a customer seeking service from a single point oroutlet of a business such as over the telephone, is more likely expect a comprehensivestandard of service which is attainable if the business organisation is able to centralise andaccess information from a number of points.

It might be suggested that the resolution of the paradox lies in the notion that the concernof the individual may occur only where the management of personal information is

detrimental to the individual.

Regulators and legislation increasingly are imposing upon banks and other financialservice providers obligations to ensure that particular products and services are suitable forcustomers or that customers can afford to meet their obligations. This "know your client"trend is apparent from the provisions of the uniform Consumer Credit Code (Section70(2)), the Code of Practice for Sale Practices and Customer Complaint Handling in theLife Insurance Industry, provisions of the Corporations Law dealing with securitiesadvisers (Section 851) and the ASC/ISC joint proposals for achieving consistency in the

regulation of the investment advisory industry.

In order to discharge these responsibilities, financial institutions need access to personalinformation which may be used on a repetitive basis as individuals seek further products

and services.

Any law which unreasonably restricts a financial institution's access to and use of personalinformation about an individual works against the principle of "know your client".

However, on the other hand, although a limited function, monopoly public sector body hasa need for information to properly service its clients it is not in competition with any otherbody for provision of the same or like services and it will not lose a client to a competitoras would be the case with a private sector body which is in competition with many other

private sector bodies. This is a critical distinction which must be recognised between the

private sector and public sector.

Another important distinction between public and private sector bodies is that in the vastmajority of cases, public sector bodies are single entity structures. This is not the case inthe private sector where extensive group corporate structures are developed on holdingcompany and subsidiary company relationships. This is done for commercial and financialreasons and, in the case of banks, for reasons related to regulatory requirements.

An added dimension is the development of strategic contractual alliances, particularly inthe financial services industry where the maintenance of customer relationships is achievedand enhanced through such things as loyalty programs and reciprocal recognition ofutilisation of each others products and services . These arrangements and programs depend

upon the participants ' ability to share information.

ig369r1 11

In a holding company structure the separate entities comprising the structure frequently actin aid of each other. For example, a core entity having significant computer facilities mayact as a service provider to another business unit (entity) within the group. The servicecould be simply a processing function or something more substantial such as a funds

management function.

ABA recognises that privacy protection has a role to play in ensuring that disclosure anduse of customer information is responsible, legitimate and consistent with customer

expectations.

3.4 Outsourcing of Government Functions

This difficulty has arisen in the Commonwealth context and it is understood that theCommonwealth Government is proposing to amend the Privacy Act 1988 to extend thepublic sector privacy protection under the Act to private sector bodies to which government

functions are outsourced.

Of course, there is a relatively simple protective measure that can be taken in anyoutsourcing arrangement where the record-keeper has possession of personal information.Enforceable contractual agreements about confidentiality entered into between the record-keeper and the entity to which the function is outsourced would be an effective legalrestraint on unauthorised use and disclosure of personal information by that external entity.

4. SPECIFIC ANSWERS TO QUESTIONS RAISED IN PART 12 OF THE

ISSUES PAPER

Although not all of the questions raised in Part 12 of the Issues Paper have been dealt within the foregoing discussion, some of the answers to specific issues raised in the Issues

Paper emerge from that discussion.

What follows is a short statement of our view on each of the specific issues raised andwhere some of those issues have not been covered in this submission we shall endeavour to

provide an answer here.

In so far as the banking industry is concerned, no.

2. In so far as the banking industry is concerned, yes

3. In the interests of national uniformity and having regard to the current protectionsin place for the banking industry, Queensland should not move to regulate privacyother than through creating the office of Privacy Commissioner to providecommunity education on the importance of privacy protection.

ig369r1 12

4,5,6,7 Queensland should not develop information privacy principles but should defer tothe Commonwealth Privacy Commissioner's project of establishing a set of agreednational privacy principles.

8. The office of Privacy Commissioner could be established to provide a communityeducation service on the importance of privacy protection. It could be a separatestatutory office reporting to the Parliament or, alternatively, an executive positioncreated within the portfolio administered by the Attorney-General or the Ministerfor Consumer Affairs.

9. The functions of the Privacy Commissioner should be purely educative andinformative which, of course, would include maintaining a level of awareness aboutemerging technology and privacy implications arising from that technology.

10. The Privacy Commissioner should not have any coercive or disciplinary powers.The powers should be purely advisory or consultative in nature. For example, an

organisation wanting to introduce a self-regulatory arrangement for privacyprotection should be able to seek guidance on the development with assistance fromthe Privacy Commissioner.

11. It is not possible to carry out a cost-benefit analysis from ABA's perspective.However, by keeping the powers of the Commissioner limited to communityeducation and guidance the cost of establishing and maintaining the office would beminimised. It might be presumed that some public benefit would flow from an

office of this nature.

12. For the reasons outlined in this submission, Queensland should not move tointroduce privacy regulation to the private sector.

13. There would seem to be a case for applying privacy regulation to government-

owned corporations where those corporations are exercising governmental

functions.

14. It would be consistent for privacy regulation to apply to local government bodies aswell as other public sector agencies in Queensland but not so as to limit legitimatepublic access to databases of public information such as Land Tittles Officesrecords, Registrar General's records and the like.

15. The real issue in respect of the relationship between the costs associated withprivacy regulation and the public benefit is whether any benefits accrue to thepublic from privacy regulation. We have learned from New Zealand that there isevidence that organisations are not collecting and storing some information aboutindividuals because of the compliance regime surrounding that activity. This has

resulted in a reduction in the number of databases which of themselves presented noreal harm to individuals. Other examples are that examination results are no longerpublished, airlines will not reveal whether a particular person is on a particularflight even where there may be an emergency and hospitals will not confirm

ig369rt 13

whether a particular person is a patient in the hospital at a particular time. It is onlyin this context that the cost associated with privacy regulation can be consideredrelevantly. In New Zealand some of the cost of compliance concerns with the New

Zealand regime include

• organisations' time taken up to consider privacy requests

• the cost of complying with a request to supply information (the NewZealand Act prescribes a set fee which does not allow full costs to be

recovered).

• deciding whether a privacy request is vexatious

• determining the scope of information to be released - third party informationhas to be culled, which, in turn, creates fertile ground for the partyrequesting access to dispute what has been culled.

• frequently, requests for information involve questions of legal professionalprivilege and this provides fertile ground for a party requesting access toinformation, to dispute information being withheld on this ground

• despite nominated officers being appointed to handle privacy requests inorganisations, other staff in organisations are frequently contacted for

privacy requests which is a cost to the organisation in terms of its

employee's time.

Many organisations including banks have vast repositories of personal information,some of it in electronic form but a significant proportion in paper based storage. A

privacy regime which applied to all existing information would create a potentiallyhuge cost of compliance burden on the organisation to regularise the data it is holding.For example, banks and other organisations would be holding information aboutindividuals where the original purpose for its collection cannot be ascertained. To

continue to use that information would, on normal information privacy principles,necessitate the organisation contacting the customer concerned to obtain explicitconsent to the continued use of that information. It can be readily seen that such anexercise would be enormously costly to carry out across an organisation's customer

base.

16. Outsourced government functions can be adequately dealt with through contractualarrangements incorporating guarantees on confidentiality. The European Union

Directive (Article 26 Clause 2) recognises a contractual safeguard as one means ofprotecting the privacy of an individual where the individual's data is to be transferredto a third country which does not have an adequate level of protection according to

EU standards. The Federal Government also is considering amendments to thePrivacy Act 1988 to deal with the protection of individuals' privacy in an outsourcing

environment. It is submitted that Queensland should defer to the FederalGovernment's initiative in this respect and model its response accordingly.

ig369r1 14

17. A co-operative arrangement would be necessary where there was no single nationallyuniform scheme of privacy protection.

18. The two should be kept separate. Freedom of information is a regime which goesbeyond an individual obtaining access to personal information about that individual.Freedom of information deals with the question of the community's right to knowabout the activities of government. In a commercial setting, such information iscompetitive and hence commercially sensitive.

19. The European Commission has yet to establish the criteria for determining theadequacy of a third country's privacy protection. Other than to pressure the EU todisclose that criteria, Australia should seek to develop its own position on privacy

protection in the private sector.

20,21 In light of the existing protections in the banking and finance industry furtherregulation in this area should be deferred so as to make certain that cost of regulatingthese activities would produce tangible public benefit.

22. On personal privacy concerning surveillance and in the workplace ABA submits thatbanks should be able to install and maintain all surveillance and other securitymeasures at branch and other locations to ensure that the personal safety of customers,employees and the general public is given the highest priority. Direct marketing is adeveloping and important means of efficiently promoting and selling goods and

services. Technology provides a prime medium for such activity. Provided directmarket approaches do not unnecessarily intrude upon the personal comfort of theindividual, regulation should recognise the positive benefits which this activity

provides to consumers.

23. The Commonwealth Privacy Commissioner has a specific reference under Section

27(1)(c) of the Privacy Act 1988 to

"undertake research into, and to monitor developments in dataprocessing and computer technology (including data-matchingand data-linkage) to ensure that any adverse effects of suchdevelopments on the privacy of individuals are minimised, and to

report to the Minister the results of such research and

monitoring."

Any further regulation at a State level in this respect would overlap with and duplicate

this function.

Australian Bankers' Association.30 July 1997.

ig369r1 15

ANNEXURE 1

RESERVE BANK OF AUSTRALIA

DATE 24/07/97

PAGES INCLUDING THIS PAGE

Fax No (02) 9551 8024Phone No (02) 9551 8782

TO Mr Russell Barnier

Australian Bankers' Association

Fax No (03) 9650 1756

FROM Robert LightfootSecretaryAustralian Payments System Council

CODE OF BANKING PRACTICEADOPTION OF CODE

Financial System Department

GPO Box 3947

SYDNEY NSW 2001

The following banks have informed Council's Secretariat that they have adopted the Code;

ANZCBANABWBCAdelaide BankArab BankBank of MelbourneBank of QueenslandBankWestBendigo BankCitibankColonial State BankHongkongBank of AustraliaLloydsMacquarie BankPIBASt George BankSt George PartnershipTown & Country

This facsimile is intended only for the named addressee and may contain information that is confidential. If you are not theintended recipient you are hereby notified that any dissemination , copying or use of any of the information is prohibited. Ifyou have received this facsimile in error , please notify us immediately by telephone and destroy the original message.

If you do not receive all pages, callthe above Enquiries Number

\\data2\fsdata\apse\bcode mon\gcnera1\12783fs.doc

"?4 71 n IQ? 1 P: 172 r ,

ANNEXURE 2

ANNEXURE 3

Credit Reporting: Code of Conduct 1996 andExplanatory Notes(replacing the Code issued in 1991)

Credit reporting: Code of Conduct 1996 andExplanatory Notes

made under Privacy Act 1988, s. 18A

HistoryThe Credit Reporting: Code of Conduct was issued by the Privacy Commissioner on 11

September 1991 (Commonwealth Government Gazette No. S 252, 13 September 1991).

In November 1992 the Privacy Commissioner instituted a system for referring to

instruments issued under the Privacy Act in accordance with the recommendations of

the Senate Standing Committee on Regulations and Ordinances.

Following a period of review, some changes to the Code were issued by the Privacy

Commissioner (Special Gazette No. S 82, Thursday, 9 March 1995) and took effect on

27 March 1995. These changes are annotated throughout the text wherever the

amendments were made.

Commissioner's NoteThis Code of Conduct was issued by the Privacy Conanrissioner; as required under

s. 18A(1) of the Privacy Act, by way of a notice published in the Commonwealth

Government Gazelle. 'File Code became fully operational on 25 February 1992 together

with the provisions of Part ILIA of the Privacy Act. The Code of Conduct is legally

binding. The provisions of the Code of Conduct appear in plain text and the numbering

system appears in bold.

In the Code of Conduct as originally issued, the accompanying Notes for the Code

provisions were described as Explanatory Notes. But for the sake of consistency with

the rest of the Handbook, the Notes are described as Commissioner's Notes in the text

which follows.

The Notes appear in italicised text and are provided to assist in understanding the

relationship between the Code of Conduct and the Act. They are not legally binding,

unlike the provisions of the Code of Conduct. The Notes seek to summarise the

requirements of the Act and contain guidance on what practical steps should be takento achieve compliance with the Act and the Code of Conduct. The Notes were updated

and some amendments made at the same time as amendments to the Code of Conduct.

The Notes as amended reflect the state of the law as at 18 January 1994, being the

date of commencement of the Law and Justice Legislation Amendment Act 1993, No. 13

of 1994.

On occasions, the paragraph headings relate only to the Notes and do not contain legallybinding Code provisions. Where this is the case, the headings are listed in the Table ofContents in italicised text. This will assist in identifying where the legally binding Codeprovisions are located. For ease of reference the Commissioner's Notes have retained thenumbering system used in the original Explanatory Notes.

Determinations relating to credit reporting under the Privacy Act appear behind theDeterminations tab in this Handbook.

1003 Release 5

Federal Privacy Handbook

Contents

PART 1 - CREDIT REPORTING AGENCIES

Credit information files ............................................................................... [5000]• Preamble ..................................................................................................[5003]• Permitted contents ..................................................................................[5005]

Deletion ...................................................................................................... [5010]

• Storage and security ....................................................................................[5015]

• Accuracy of information .........................................................................[5020]

• Access by an individual or his/her agent ............................................. [5025]

• Fees for access .........................................................................................[5030]

• Requests by individuals for amendment ...................................................... [5035]

• Inclusion of statements ...........................................................................[5040]

• Notification of amendment to third parties ........................................ [5045]

• Disclosure .................................................................................................[5050]Commercial informatian .............................................................................. [5055]

Reports to Privacy Commissioner on serious credit infringementlistings ..........................................................................................................[5060]

PART 2 - CREDIT PROVIDERS

Applications for credit notice and agreement requirements ................................ [5065]

Notice of disclosure to a credit reporting agency .......................................... [5070]

v: 14313tfw's.`:. • Agreements with individuals .......................................................................[5075]

Access to credit reports .....................................................................................[5080]

Uses of credit reports ........................................................................................[5085]

Notice of refusal of credit .................................................................................[5090]

Disclosures to credit reporting agencies ................................................... [5095]

• Reporting of unspecified credit limits .................................................. [5100]

• Reporting mistakes as to identity .......................................................... [5105]

• Reporting current credit provider status ...................................................... [5110]

Reporting that an individual is no longer overdue . .................................... [5115]

• Reporting discharge of credit commitments ....................................... [5120]

Rectifying reporting procedures ................................................................. [5125]

Reporting overdue payments ...................................................................... [5130]

Reporting overdue payments to a credit reporting agency .................... [5135]

Reporting overdue payments to another credit provider ..................................... [5140]

Reporting overdue payments to a debt collection agent ... .................................. [5145]

Reporting serious credit infringements .....................................................[5150]

Disclosure between credit providers .......................................................... [5155]

Disclosures to agents of individuals ........................................................... [5160]

Other disclosures .......................................................................................... [5165]

Access by an individual to a credit report .. .............................................. [5170]

Requests for amendment to a credit report .............................................[5175]

Release 5 1004

Credit Reporting: Code of Conduct 1996 and Explanatory Notes

PART 3 - DISPUTE SETTLING PROCEDURES

General requirements ..................................................................................[5180]Amendment to a credit information file or a credit report ................... [5185]Inclusion of statements ................................................................................[5190]Advice of dispute outcome ..........................................................................[5195]Other credit reporting disputes ..................................................................[5200]Maintenance of records ....................................................................................[5205]Investigation of complaints by the Privacy Commissioner .......................[5210]

PART 4 - OTHER MATTERS

Staff Training ................................................................................................[5215]Modifying time limits ...................................................................................[5220]Review of the operation of the Code of Conduct ....................................[5225]Terms used in the Code ..............................................................................[5230]

Preamble

Together, Part IIIA of the Privacy Act and the Credit Reporting Code of

Conduct seek to apply information privacy principles to the specialised areaof consumer credit reporting. The information privacy principles aim toprotect information by emphasising the need for information collectors to be

open, fair and accountable in their use of information, to ensure that theindividual is given a measure of control over the manner in which personal

information about him or her is used and disseminated. The principles coverit number of areas including the following:• Restricting collection of personal information to lawful purposes and fair

means;

• Informing people why information is collected;• Ensuring personal information collected is of good quality and not too

intrusive;• Ensuring that personal information collected is accurate, up to date,

complete and not misleading;• Ensuring proper security of personal information;• Allowing people access to records of personal information held about

them;• Allowing people to obtain amendments to information about them;• Limiting the use of personal information to the purposes for which it was

collected;• Restricting the disclosure of information to third parties.

These broad principles are reflected in the requirements of Part IIIA of theAct (passed in 1991 and fully operational in February 1992), and the Codeof Conduct (issued by the Privacy Commissioner in 1991 and fully operationalin February 1992), which together relate specifically to the informationhandling practices of credit providers and credit reporting agencies.

[5003]

1005 Release 5


The Code of Conduct supplements Part IIIA on matters of detail notaddressed by the Act. Among other things, it requires credit providers andcredit reporting agencies to:• deal promptly with individual requests for access and amendment of

personal credit information;• ensure that only permitted and accurate information is included in an

individual's credit information file;• keep adequate records in regard to any disclosure of personal credit

information;• adopt specific procedures in settling credit reporting disputes;• provide staff training on the requirements of the Privacy Act.

Part IIIA and the Code of Conduct generally only apply to consumer credit.As such, commercial credit is generally unaffected other than in limitedexceptional circumstances. Exceptions include where consumer creditinformation relating to an individual is disclosed in the context of acommercial credit application.

The Code of Conduct, like Part IIIA of the Act, is legally binding. The Code

is accompanied by Explanatory Notes which seek to explain, in a systematic

way, how Part IIIA and the Code interact.

Part I - Credit Reporting Agencies

[5000] Credit information files

[5005] Permitted contents

Commissioner's Note1. Personal information must not be included in an individual 's credit information

file unless that information is permitted to be on the file in accordance with s. 18E ofthe Privacy Act. Section 18E(1) of the Privacy Act permits inclusion of the following

information:

• information that is reasonably necessary to identify the individual

• a record of an enquiry made by, a credit provider in connection with an applicationby the individual for credit or commercial credit, together with the amount of creditsought

• a record of an enquiry made by a mortgage insurer in connection with mortgageinsurance to be provided to a credit provider in respect of the individual'sapplication for mortgage credit

• a record of an enquiry made by a trade insurer in connection with trade insuranceto be provided to a credit provider in respect of the individual's application forcommercial credit

Release 5 1006


• a record of an enquiry made by a credit provider about the individual having offeredto act as a guarantor to a loan

• the name of a credit provider who is a current credit provider in relation to theindividual

• a record of credit in respect of which the individual is more than 60 days overdue

and for which steps have been taken by the credit provider to recover all or part ofthe amount outstanding

• a record of a cheque for at least $100 which has been drawn by the individual and

has been presented and dishonoured twice

• court judgments and bankruptcy orders made against the individual

• the opinion of a credit provider that the individual has, in the circumstancesspecified, committed a serious credit infringement

• a statement provided by the individual describing a correction, deletion or addition

he or she sought to have made to personal information contained in his or her creditinformation file

• a record of any disclosures made by a credit reporting agency of personal information

contained in the individual's credit information file

• a note to the effect that the individual is no longer overdue in making the payment,

or that the individual contends that he or she is not overdue, as the case may be

• information included in a credit information file before 25 February 1992 which is

not covered by one of the above categories but which has been. permitted by

determination issued by the Privacy Commissioner under s.18K(3)(b) to continue to

be disclosed.

1.1 A credit reporting agency recording an enquiry made by a credit providerin connection with an application for credit may include , within the recordof the enquiry, a general indication of the nature of the credit being sought.

Commissioner's Note2. Because of the size of the credit reporting system, and the large number and varietof reedit applications recorded every year it is accepted that an account type indicatorshould be allowed to be included in the file in order to facilitate speedy and accurateidentification and verification by credit providers of the enquiries recorded in creditinformation files.

3. Credit reporting agencies will advise members as to acceptable forms of account typeindicator following consultation with the Privacy Commissioner

Deletion

Commissioner's Note4. Credit reporting agencies must ensure that personal information contained in creditinformation files is deleted in accordance with the requirements of s. 18F and s. 18V(3)of the Privacy Act.

[50101

1007 Release 5


5. Section 18F provides time limits for the retention of personal information permitted

under s. 18E to be included in a credit information file. Section 18V(3) provides that

these time periods commence on 25 February 1992. Credit reporting agencies must,within one month of the expiry of the permitted time period (referred to as `maximumpermissible periods) applying to each category of personal information, delete personal

information from the file. The length of time personal information may be retained is

as follows:

• enquiries by credit providers, mortgage insurers, trade insurers - 5 years from thedate of the enquiry

• a record of a credit provider being a current credit provider - 14 days after the credit

reporting agency is notified that the credit provider concerned is no longer a current

credit provider in relation to the individual concerned

• information about overdue payments - 5 years from the day the credit reportingagency was notified of the overdue payment

• information about dishonoured cheques - 5 years commencing on the day on which

the second dishonouring of the cheque occurred

• information about court judgments - 5 years from the date of judgment

• information about bankruptcy orders - 7 years from the dale of the order

• serious credit infringements believed to have been committed by the individual - i

years from the date of inclusion in the credit information file.

[50151 Storage and security

Commissioner's Note6. Credit reporting agencies must take reasonable steps to ensure that personal

information contained in credit information files is protected by security safeguards

against loss, unauthorised access, use, modification or disclosure and against othermisuse. These requirements are spelt out in section 18G of the Act which requires credit

reporting agencies to:• ensure the file is protected by security safeguards as are reasonable in the

circumstances; and

• if it is necessary for the file to be given to a person providing a service to the credit

reporting agency, that everything reasonably within the power of the credit reporting

agency is done to prevent unauthorised use or disclosure of personal informationcontained in the file.

[5020] Accuracy of information

Commissioner's Note7. Credit reporting agencies must ensure that personal information contained in creditinformation files is accurate, up-to-date, complete and not misleading. 11]iere there isdoubt as to a credit reporting agency's ability to comply with these standards of aceuran,up-to-dateness, and completeness in respect of any item of information, such items shouldbe removed from the credit information file (see s. 18G of the Act).

Release 5 1008

Credit Reporting. Code of Conduct 1996 and Explanatory Notes

8. For the purposes of s. 18j(]), reasonable steps to amend credit information files created

before the commencement of the Act may be considered to have been taken by a credit

reporting agency when the credit reporting agency, upon discovering that the contents

of any credit information file are not accurate, up-to-date, complete or are misleading,immediately makes any amendments which the agency considers are necessary to render

the contents of the credit information file accurate, up-to-date, complete and not

misleading.

1.2 To ensure that personal information included in credit information filesand credit reports is accurate, up-to-date, complete and not misleading, acredit reporting agency must issue to credit providers or other personssupplying it with personal information detailed instructions on the types ofpersonal information permitted to be given to a credit reporting agency.

1.3 To ensure that only permitted information is included in a creditinformation file, a credit reporting agency must take the following steps:

(a) Where a credit reporting agency receives information from a credit

provider for creation of, or inclusion in, a credit information file,and it appears to the credit reporting agency that the informationbeing supplied by the credit provider may not be permitted to beincluded in a credit information file, the credit reporting agency

must:(i) refuse to accept the information; and

(ii) notify the credit provider, in writing, that the inclusion ofthe information may he in breach of the Act.

(b) Where a credit reporting agency becomes aware that informationsupplied by a credit provider and included in a credit informationfile appears to be of a type not permitted to be included in the file,the credit reporting agency must:

(i) remove the information from the credit information file;

(ii) notify the credit provider in writing that the information

may not be permitted to be included in the file; and

(iii) make a written record of its actions in relation to (i) and(ii) above.

1.4 Where a credit reporting agency:(a) becomes aware that information supplied by a credit provider

relating to an overdue payment or a serious credit infringementmay be inaccurate; and

(b) reasonably believes that other credit information files may containsimilar inaccurate listings,

the credit reporting agency must, as soon as practicable:(i) notify the credit provider concerned, in writing, that it

may have listed an inaccurate overdue payment or seriouscredit infringement against the individual concerned;

(ii) request the credit provider to ascertain whether otherindividuals' credit information files may be similarly

1009 Release 5


affected, and to investigate the accuracy of any overduepayment or serious credit infringement listings in thoseother individuals' files; and

(iii) advise the Privacy Commissioner in writing of the aboveactions.

1.5 Where a credit reporting agency becomes aware that it has disclosedpersonal information from a credit information file, and the personalinformation relates to an individual other than the individual who was thesubject of the enquiry, the credit reporting agency must as soon as practicable:

(a) notify the enquirer that personal information was mistakenlyprovided about an individual other than the one to whom the

enquiry related;(b) make the necessary amendments to the credit information file

which has been disclosed in error;(c) advise, in writing, any other persons who had been supplied with

the incorrect personal information within the previous threemonths; and

(d) review its operations to ensure that recurrence will be minimised.

Commissioner's Note9. Where information from an individual's credit information file has been disclosed

in error, the credit reporting agency will, in accordance with the requirements Of s. 18K(5)of the Act, record on the individual's credit information file a note of the disclosure:having mistakenly occurred.

10. Once a credit provider has received advice from a credit reporting agency of a kinddescribed in Code provisions 1.3 and 1.4 above, the credit provider is then subject to

the requirements of provisions 2.4 and 2.6 of the Code of Conduct that steps be taken

to ensure that non pernhitted information is not supplied to a credit reporting agency.

[50251 Access by an individual or his/her agent

Commissioner's Note11. A credit reporting agency is required under s. 18H of the Act to take reasonable steps

to ensure that an individual or his or her authorised agent can obtain access to theindividual 's credit information file. This provision of the Act comes into force on 24September 1991.

12. A credit reporting agency giving to an individual or to his or her authorised agent

access to the individual's credit information file should take reasonable steps to

safeguard delivery of the copy of the file to the individual concerned or to his or her

agent, and should ensure that the information is in a form that is readily intelligible.

1.6 A credit reporting agency must ensure:(a) information is freely available to individuals, explaining the

procedures by which access to personal credit information files maybe obtained; and

Release 5 1010


(b) adequate facilities are available for responding to requests foraccess to credit information files in its possession.

1.7 A credit reporting agency must ensure that an individual is given accessto his or her personal credit information file in circumstances where therequest for access

(a) relates to refusal of the individual's application for credit, or(b) is otherwise related to the management of the individual's credit

arrangements.

History of 1.71. 7 new paragraph issued by the Privacy Commissioner Special Gazette No. S 82,

9 March 1995

1.8 Where a credit reporting agency receives a request from an individual tohis or her credit information file, and:

(a) it appears to the credit reporting agency that the access is notrelated to either of the purposes described in paragraph 1.7, above;and

(b) the processing of the request would impact unreasonably on theability of the credit reporting agency to process requests made inaccordance with paragraph 1.7;

the credit reporting agency may;(i) refuse the request for access;

(ii) defer the request for access; or(iii) charge a fee for access to offset the impact of the request

on its operation, as described in (b), above.

History of 1.81.8 new paragraph issued by the Privacy Commissioner Special Gazette No. S 82,

9 March 1995

Commissioner's Note13. A credit reporting agency may provide a copy of an individual's credit information

file to a person who has been authorised in writing to act on the individual's behalfIn accordance with s. 18H of the Act, such an agent of the individual may exercise therights on behalf of the individual only in connection with:

(a) an application, or a proposed application, by the individual for a loan; or(b) the individual having sought advice in relation to a loan.

This provision would typically apply to situations where an individual engages theservices of a debt counsellor or a financial advisor.

APPOINTMENT OF AGENT - ACCESS TO CREDIT REPORTINGAGENCY RECORDS

Authority for agent to obtain access to an individual 's credit informationfile held by a credit reporting agency (Privacy Act 1988)

1011 Release 6


1. Financial Counsellors

I/zue [name/s] authorise [counsellor's name] or other persons providingfinancial counselling employed by [counselling agency 's name] to:

action• act on nay/our agent in seeking access to my/our consumer credit

information file held by [name of credit reporting agency].

limit of authorityThis authority only applies to enquiries made by [counsellor's name] or

persons employed by [counselling agency's name] in connection with:• an application, or proposed, application by me/us for credit• my/our having sought advice in relation to existing credit.

(Signed and dated by the parties).

2. Others (e.g. accountants, solicitors or financial advisers)

I/use [name/s] authorise [name of agent] to:

action

• act as my/our agent in seeking access to my/our consumer credit

information file held by [name of credit reporting agency].

limit of authorityThis authority only applies to enquiries made by [agent's name) in

connection with:

• an application, or proposed, application by me/us for credit

• my/our having sought advice in relation to existing credit.

(Signed and dated by the parties).

1.9 Where a credit reporting agency refuses or defers a request by anindividual or his/her authorised agent for access to the individual's creditinformation file, or charges a fee for such access, the individual or his/herauthorised agent may complain to the Privacy Commissioner, who may orderthe credit reporting agency to provide access to that person (including anorder that access be provided free of charge).

History of 1.91.9 new paragraph issued by the Privacy Commissioner Special Gazette No. S 82.

9 March 1995

1.10 In meeting an individual's request for access to his or her creditinformation file, a credit reporting agency should require such evidence as isreasonable in the circumstances to satisfy itself as to the identity of theindividual.

Release 6 1012


History of 1.101.10 formerly 1.7 issued by the Privacy Commissioner Special Gazette No. S 82,

9 March 1995

1.11 A credit reporting agency in receipt of a request by an individual foraccess to his or her credit information file, for purposes described inparagraph 1.7 above, must give access within 10 working days of havingreceived the request for access.

History of 1.111. 11 fotnely 1.8 prior to Special Gazette No. s. 82, 9 March 1995

1. 11 amendment issued by the Privacy Commissioner Special Gazette No. S 82,

9 March 1995

Fees for access (50301

1.12 A credit reporting agency may not charge a fee for access by an

authorised agent of an individual unless the agency believes on reasonablegrounds that the agent has requested a copy of the individual's credit

information file while acting as a business intermediary between theindividual and the credit provider.

History of 1.121. 12 formerly 1.11 prior to Special Gazette No. S 82, 9 Alarch 1995

Commissioner's Note14. In considering Whether or not an agent of the individual should be charged a fee

for access, credit reporting agencies should take into account the nature of the service

being provided by the agent . For example, where the service is provided by a financialcounsellor to assist the individual in meeting his or her re-edit obligation , a fee shouldnot be charged.

1.12A Where a credit reporting agency denies access to an individual or hisor her authorised agent because the individual or the agent has refused topay the fee, the agency should advise the individual concerned that he or shemay refer the matter to the Privacy Commissioner.

History of 1.12A1. 12A formerly 1.12 prior to Special Gazette No. S 82, 9 March 1995

Requests by individuals for amendment [50351

Commissioner's Note15. Section 18J(1) requires a credit reporting agency to take reasonable steps by way ofmaking appropriate amendments to ensure that the contents of credit information filesare `accurate , up-to-date, complete and not misleading'.

1013 Release 5


16. Where an individual requests an amendment to his or her credit information file,

a credit reporting agency should promptly address the question of whether the amendment

sought can be made and, if possible, acconiniodate the individual's request.

17. Where a credit provider refers to a credit reporting agency an individual's request

for amendment or inclusion of a statement to the individual's credit information file,the credit reporting agency should:

(a) treat the request as if it luul received the request from the individual direct;and,

(b) provide the credit provider which referred the request with details of any

amendments or inclusions made to the file as a result of the individual'srequest, including a cope of amended credit reports as necessary.

[5040 ] Inclusion of statements

Commissioner's Note18. Where the credit reporting agency does not crake the change(s) sought, the agencyshould advise the individual of his or her rights to have a statement included in the

file of the amendment sought by the individual. If the individual requests that a

statement be included in the file, the credit reporting agency is then required by s.18f(2)

to take reasonable steps to include the statement in. the file within 30 days of theindividual's request.

1.13 Where a credit reporting agency is provided with a statement by anindividual of an amendment sought, and the credit reporting agencyconsiders the statement unduly long, the credit reporting agency shall, as soon

as possible, but in any event no later than 30 days, refer the statement to thePrivacy Commissioner for a reduction as considered appropriate. In referring

the statement, the credit reporting agency may include a suggested shortenedversion prepared by the credit reporting agency for consideration by the

Privacy Commissioner. A copy of the suggested shortened version must, at thesame time, be given to the individual concerned.

Coniniissioner's Note19. Credit reporting agencies should attempt to accommodate the wishes of anindividual in regard to the length of a statement before referring the statement to thePrivacy Commissioner : As a guide, credit reporting agencies should generally be preparedto accept statements of up to 150 words in length.

[5045] Notification of amendment to third parties

1.14 Where an amendment has been made to, or a statement has beenincluded in, an individual 's credit information file, and the amendedinformation or the statement relates to information of a type detailed in anyone or more of subparagraphs (i), (v), (vi), (vii), ( viii), (ix ) or (x) ofparagraph 18E(1) (b) of the Act, the credit reporting agency must, within 14days of amending the information or including the statement:

Release 5 1014


(a) provide the individual with a copy of the amended creditinformation file;

(b) advise the individual , in writing , that he or she may nominate any

person who had been given information from the file during the

previous three months, and whom the individual wishes to benotified of the amendment or of the inclusion of the statement to

the file;

(c) notify such persons (if any) of the amendment or inclusion madeto the file, within 30 days of the persons being so nominated to thecredit reporting agency by the individual; and

(d) advise the individual, in writing, of his or her right to complain tothe Privacy Commissioner if dissatisfied with the action taken by the

credit reporting agency.

Disclosure

Cornmissioner's Note20. A credit reporting agency must not disclose personal information contained in a

credit information file unless the disclosure is in accordance with s . 18K of the Privacy

Act. Generally, disclosure by a credit reporting agency of personal information contained

in credit information files is limited to:

• a credit provider-

• a current credit provider

• a mortgage insurer-

• a trade insurer

• another credit reporting agency

• a person/body to whore disclosure is authorised or required by or under law (thiswould include disclosure to the individual concerned or to his or her authorised

agent as permitted by s. 18H of the Act)

• a credit provider or a law enforcement authority in connection with a `seious creditinfri ngement'.

21. Where a credit reporting agency receives a request fry a law enforcement authority

for disclosure of information from an individual's credit information file in connection

with a serious credit infringemment , the credit reporting agency should , wherever

practicable, obtain from the law enforcement authority, a notice in writing to the effect

that the law enforcement authority believes that the individual concerned has committed

a serious credit infringement.

22. A credit reporting agency may, in accordance with s.18K(1)(D, disclose a creditreport to a credit provider listed as a current credit provider in relation to the individualwhere the credit reporting agency had received information about the individualsoverdue payments, and held such information on the individual 's file for at least 30days before disclosing the information.

1.15 Before a credit reporting agency discloses personal informationcontained in a credit information file, the credit reporting agency should

[50501

1015 Release 5


ensure that the recipient of the information has been notified of therequirements of the Act governing limitations on use and disclosure ofpersonal information contained in credit reports and credit information files.

Commissioner's Note

23. This may be achieved by way of the credit reporting agency making its membership

conditional upon the credit provider observing the requirements of the Privacy Act. The

notice may be given at the time membership is granted, or at renewal of membership.

1.16 A credit reporting agency should include in a credit report a warning to

the effect that overdue payments which were listed prior to 25 February 1992may need to be verified by the credit providers which listed the overduepayments in order to ensure the currency of the listings. This warning is tobe given on all reports for five years after 25 February 1992.

Commissioner's Note

24. It may be difficult for some credit providers to ascertain whether a report of an

overdue payment had been made to a credit reporting agency prior to 25 February 1992.

This warning is aimed at assisting credit providers in meeting the requirements under

s. 18F(3) that a credit provider must inform a credit reporting agency, as soon as

practicable, of the fact that an individual has ceased to be overdue in making a payment

or contends that he or she is not. overdue in making the payment, where the credit

provider had previously reported to the credit reporting agency about the overdue

payment.

25. In disclosing personal information to a credit provider listed on an individual'scredit information file prior to 25 February 1992 as being a current credit provider in

relation to the individual, the credit reporting agency should request the credit provider

to verify that it is still a current credit provider in relation to the individual. The agency

should take reasonable steps to remove from an individual's credit information file

names of any credit providers not currently providing credit to the individual.

1.17 On each occasion a credit reporting agency discloses personalinformation contained in an individual's credit information file, a note of thedisclosure must be included in the file, setting out:

(a) the date on which the information was disclosed;(b) to whom the information was disclosed; and(c) where the disclosure related to only a part of the information on

the file, the part that was disclosed.

[5055] Commercial information

Commissioner's Note26. The Act does not impose restrictions on the disclosure by a credit reporting agencyof commercial credit information where the disclosure is in response to enquiries by creditproviders for purposes associated with the giving of commercial credit.

Release 5 1016

Credit Reporting.- Code of Conduct 1996 and Explanatory Notes

27. In giving a credit report to a credit provider for the purposes of the credit provider

assessing an individual's application for consumer credit, a credit reporting agency

must observe the requirements of s. 18K(6), which prohibits the credit reporting agency

froin including in the report any information about the individual's commercialactivities, other than commercial information that the credit reporting agency is

permitted under s. 18E to include in the individual's credit information file. Examples

of permitted commercial information include.

• enquiries by a commercial credit provider in connection with an application for

commercial credit and the amount of credit sought

• enquiries by a trade insurer to assist in assessing whether to give trade insurance to

a credit provider giving the individual commercial credit.

Reports to Privacy Commissioner on serious credit [50601infringement listings

1.18 Credit reporting agencies must maintain annual records, which must bemade available upon request to the Privacy Commissioner, indicating theoccurrence of serious credit infringement listings made by individual creditproviders where the listings had not been previously reported as overduepayments.

Commissioner's Note28. Such records must be capable of detailing specific serious credit infringement reports

made by individual credit providers.

1017 Release 5

[5065] Applications for credit - notice and agreement requirements

[5070] Notice of disclosure to a credit reporting agency

Commissioner's Note29. 44'Irere a credit provider intends to obtain a consumer credit report issued 14 a credit

reporting agency to assess an application for either consumer or commercial credit, the

credit provider will first need to notify the individual that items of personal it formationwill be disclosed to a credit reporting agency by the credit provider

30. There are other occasions during the life of the individual's loan contract with the

credit provider where the credit provider may wish to disclose personal information to a

credit reporting agency. The credit provider will not be permitted to do this unless the

individual has previously been notified of the disclosure. These notices should be given

at the time the individual applies for credit with the credit provider: If such a noticewas given, credit providers would then. not be required to issue a specific notice prior to

any subsequent disclosures.

31. The notice may be given orally. However, obtaining a written acknowledgment,

where practicable, is advisable for reasons of certainty.

32. The notice should explain clearly what items of the individual's personal

information may be disclosed to a credit reporting agency. As a guide only to credit

providers, the following form. of wording is considered to be an appropriate form of

notification. It should be noted that not all of the information categories listed below

need to be included in the notice.

Notice of disclosure of your credit information to a credit reporting agency

(Privacy Act 1988)[Name of credit provider] may give information about you to a credit reporting

agency for the following purposes:

• to obtain a consumer credit report about you, and/or• to allow the credit reporting agency to create or maintain a credit information

file containing information about you.

This information is limited to:• identity particulars - your name, sex, address (and the previous two

addresses), date of birth, name of employer, and drivers licence nnumber-

• your application for credit or commerical credit - the fact that you have appliedfor credit and the amount

• the fact that [name of credit provider] is a current credit provider to you.• loan repayments which are overdue by more than 60 days, and for which debt

collection action has started• advice that your loan repayments are no longer overdue in respect of any

default that has been listed

Release 5 1018


• information that, in the opinion of [name of credit provider] you havecommitted a serious credit infringement (that is, acted faudulently or shownan intention not to comply with your credit obligations)

• dishonoured cheques - cheques drawn by you for $100 or more which havebeen dishonoured more than once

period to which this understanding appliesThis information may be given before, during or after the provision of credit toyou.

(Signed by the individual/s)

Agreements with individuals [5075]

Commissioner's Note

33. Specific agreements with individuals are required in a number of circumstances.However; it should be noted that not all agreements will be required in most cases. For

example, it is not anticipated that in the case of applications for commercial credit,

access to consumer credit reports is automatically required, and vice versa.

34. The agreements with credit applicants required to be obtained under the Privacy Actrelate to activities engaged in by:• credit providers when:

(a) assessing applications for consumer credit(b) assessing applications for commercial credit(c) assessing the credit worthiness of a guarantor in connection with another

individual's application for credit

(d) disclosing information to a potential or exisiting guarantor(e) collecting overdue payments in respect of commercial credit(f) exchanging references with other credit providers about an individual's

consnrner credit worthiness

History of 3434. updated in Marc* 1995

• trade insurers when:

(9) using a consumer credit report to assess the provision of insurance to a creditprovider in respect of commercial credit given by the credit provider to anindividual.

35. When entering into agreements with an individual, credit-providers will first needto ascertain whether the type of credit being applied for is consumer or commercial credit.If a credit provider is unable to ascertain the nature of the credit being applied for; theindividual who is applying for the credit should be requested to advise the credit provideras to the nature of the credit being sought.

36. As a guide to credit providers, the following paragraphs give forms of wording whichare considered likely to meet the requirements of the Privacy Act.

1019 Release 5


(a) Assessment of applications for consumer credit

In assessing an application for consumer credit a credit provider must not

use any information concerning an individual's commercial activities or

commercial credit worthiness that was obtained from a commercial reporting

agency unless the individual has given his or her prior written agreementto the information being obtained by the credit provider for this purpose. The

agreement need not be in writing when, the application is, in the first

instance, made orally.

SEEKING COMMERICAL CREDIT HISTORY INFORMATION

Agreement to a credit provider using commercial credit information to

assess a consumer credit application (Privacy Act 1988)

I/we agree that [name of credit provider] may:

action• obtain information about me/us from a business which provides

information about the commerical credit worthiness of persons

purpose• for the purpose of assessing my/onur application for consumer credit

(Signed and dated by the individual/s)

(b) Assessment of application for commercial credit

Where a credit provider in receipt of an individual s application for-

commercial credit wishes to obtain a consumer credit report from a credit

reporting agency in order to assess the individual 's application for

commercial credit, the credit provider must obtain the specifi c written

agreement (unless the application for commercial credit was in the first

instance made orally, in which case the agreement need not be in writing)

of the individual to receive information from a credit reporting agency for-

that purpose.

ASSESSING COMMERCIAL CREDIT APPLICATIONAgreement to a credit provider being given a consumer credit report by a

credit reporting agency to assess a commercial credit application (Privacy

Act 1988)I/we agree that [name of credit provider] may:

action• obtain a consumer credit report containing information about me/trs

from a credit reporting agency

purpose• for the purpose of assessing my/our application for commerical credit.


Release 5 1020


(c) Assessment of a guarantor

Under the Act a credit provider may not obtain a credit report issued by a

credit reporting agency in respect of an individual who has offered to actas a guarantor to another individual's loan with the credit provider unless

the credit provider has obtained the guarantor's specific agreement to thereport being given to the credit provider for that purpose.

GUARANTOR'S AGREEMENTAgreement to a credit provider being given a consumer credit report by acredit reporting agency to assess a guarantor (Privacy Act 1988)

I/we agree that [name of credit provider] nun}:

action• obtain from a credit report agency a consumer credit report containing

information about me/us

purpose• for the purpose of assessing whether to accept nze/u.s as a guarantor for

credit applied for by, or provided to, the borrower(s) [named below]

limit of agreement• I/we agree that this agreement commences front the date of this agreement

and continues until the reedit covered I'V the borrower(s) application

cease.S.

(Signed and dated bl, the individual/.r)

(d) Disclosing information to a potential or existing guarantor

A credit provider must obtain an individual's specific written agreement in

order to disclose personal information to a person who is acting as guarantor

or who has provided property as security for a loan, unless the following

circumstances apply:

• the guarantee or security was given before 7 December 1992• the disclosure is for the purpose of giving to the person information about

the amount or possible amount of the person's liability under theguarantee or security

• the credit provider has, prior to the disclosure, informed the individualthat such disclosures may take place.

A credit provider must also obtain an individual 's specific written agreementwhen disclosing personal information to a person who is considering whetherto offer to act as guarantor or to offer property or security for the individual'sloan.

The agreement need not be written when the application is, in the firstinstance, made orally.

1021 Release 6


DISCLOSURE TO GUARANTORAgreement to a credit provider disclosing a report including a consumercredit report to a potential or existing guarantor (Privacy Act 1988)

1/we agree that [name of credit provider] may:

action• give to a person who is currently a guarantor, or whom I/we have

indicated is considering becoming a guarantor, a credit report containing

information about me/us

purpose• for the purpose of [name of the prospective guarantor] deciding whether

to act as guarantor, or• to keep [name of the existing guarantor] informed about the guarantee

I/we understand that the information disclosed can include anything about

my/our credit worthiness, credit standing, credit history or credit capacity

that credit providers are allowed to disclose under the Privacy Act, andincludes a credit report.


(e) Collection of overdue payment in respect of commercial credit

Where an. individual becomes overdue in making a payment in respect ofcommercial credit given by a credit provider that credit provider may only

obtain a consumer credit report from a credit reporting agency to assist incollecting overdue payments if.-

(i) the individual's written agreement was obtained by the credit

provider at the time of application to the use of the individual's

consumer credit report for the purposes of the commercial creditapplication assessment (s.18K(1)(h) of the Act); or

(ii) the credit provider provided the commercial credit before 25

February 1992 (in which case no agreement from the individual

is required); or(iii) the individual has specifically agreed, in writing, that the report

may be obtained for that purpose.

OVERDUE PAYMENT - COMMERCIAL CREDITAgreement to credit provider being given a consumer credit report tocollect overdue payments on commercial credit (Privacy Act 1988)

I/we agree that [name of credit provider] may:

action• obtain a consumer credit report about me/us from a credit reporting

agency

Release 6 1022


purpose• for the purpose of collecting overdue payments relating to commercial

credit owed to me/us.


(1) Exchange of references between credit providers

The exchange of commercial or trade references between credit providers inrelation to commercial credit transactions is unaffected by the Privacy Act.

Where a credit provider in accordance with s.18N(1)(b), wishes to obtain

from, or to give to, another credit provider, a report about an individual's

consumer credit worthiness for a particular purpose, the individual 's specific

written agreement will need to be obtained for the particular purpose (unlessthe report is sought for the purpose of assessing an application for credit orcommercial credit that was initially made orally, in which instance the

agreement need not be in uniting). Ideally, credit providers should draw to

the individual 's attention , and explain at the time of obtaining the specific

agreement, the effect of such an agreement.

It should be noted that, for the purpose of this provision of the Act, a `report'

means a credit report issued by a credit reporting agency , as well as and

other record or information which has a bearing on an individual's credit

worthiness (see s.18N(9) of the Act).

EXCHANGE OF CREDIT WORTHINESS INFORMATIONAgreement to a credit provider exchanging with other credit providers a

consumer credit report or other ii formation relating to my/our credit

worthiness (Privacy Act 1988)

I/we agree that (name of credit provider] may:

action• exchange information about me with those credit providers named in this

application or named in a consumer credit report issued by a credit

reporting agency

for the following purposes

• to assess an application by me/us for credit• to notify other credit providers of a default by me/us• to exchange information with other credit providers as to the status of

this loan where I am in default with other credit providers• to assess my/our credit worthiness.

I/we understand that the information exchanged can include anythingabout my/our credit worthiness, credit standing, credit history or creditcapacity that credit providers are allowed to exchange under the Privacy Act.


1023 Release 6


(g) Assessment by a trade insurer

Trade insurers wishing to obtain a credit report from a credit reporting

agency for the purposes of assessing whether to provide insurance to a credit

provider in respect of commercial credit provided by the credit provider to the

individual must have the individual's specific written agreement to the

report being given to the trade insurer for that purpose.

DISCLOSURE TO TRADE INSURERAgreement to trade insurer seeking a consumer credit report from a creditreporting agency (Privacy Act 1988)

I/we agree that [name of trade insurer] may:

action• obtain a consumer credit report about ire/us from a credit reporting

agency,

purpose• for the purpose of assessing whether to provide trade insurance to [name

of credit provider] in relations to my/our application for commercial credit.


[5080] Access to credit reports

Commissioner's Note

37. A credit provider may only obtain access to a credit report issued by a credit reportingagency if the credit provider is permitted by law to be given the information by the creditreporting agency.

38. Access to credit information contained in a credit information file held by a creditreporting agency is generally restricted to those businesses or persons falling within thedefinition of "credit provider"given under s.11B of the Act. The Privacy Commissionerhas issued a determination (which appears behind the Determinations tab in thisHandbook) under sub-paragraph (v) of s.I1B(1)(b) to declare to be `credit providers'those businesses which are not automatically covered by those categories defined inparagraphs (a), or (b)(i) - (iv) of s.1IB(1).

[5085] Uses of credit reports

Commissioner's Note39. A credit provider must not use any personal information contained in a credit reportissued by a credit reporting agency unless the use is in accordance with s.18L of theAct. Section 18L of the Act permits only the following uses:

0

Release 6 1024

Credit Reporting..- Code of Conduct 1996 and Explanatory Notes

• to assess an application for consumer credit• to assess an application for commercial credit where the individual has consented

to such a use

• to assess whether to accept a person as a guarantor to a loan where the person actingas guarantor has consented to such a use

• to assist the individual avoid defaulting on his or her credit obligations, where thecredit provider is a current provider in relation to an individual

• to collect overdue payments in respect of credit provided to the individual by thecredit provider

• a use for the internal management purposes of the credit provider, being purposes

directly related to the provision or management of loans by the credit provider; e.g.building scorecards

• a use required or authorised by or under law

• a use in connection with a serious credit infringement which the credit provider

believes on reasonable grounds that the individual has committed.

Notice of refusal of credit [5090]

Commissioner's Note

40. A credit provider who has refused an individual's application for credit based on

a credit report issued by a credit reporting agency must provide the individual withwritten notice of refusal, informing the individual:

(a) that refusal was based wholly or partly on the credit report;(b) of his or her rights to obtain access to his or her credit information file held

by the credit reporting agency; and(c) of the name and address of the credit reporting agency.

History of 4040 amended in March 1995

40A. A credit provider who refuses an individual's application for credit because of a

credit report issued by a credit reporting agency about a proposed guarantor must

provide the individual with written notice of refusal, informing the individual that the

refusal was based wholly or partly on the guarantor's credit report.

History of 40A40A added in March 1995

41. A credit provider must also, in refusing an application for credit made jointly by

an individual and one or more other persons and the refusal was based wholly or partly

on a credit report relating to one of those other persons, inform the individual of thisfact.

42. In advising applicants for credit that the credit has been refused, the followingstandard statement may be used:

1025 Release 5


NOTICE OF REFUSAL OF CREDITNotice of refusal of credit to an individual where the application is refuseddue to an individual 's consumer credit report (Privacy Act 1988)

Dear [applicant's name]

Our decisionI am writing to inform you that your application for credit has not beenapproved.

Basis of decision

Our decision is refuse your application was based wholly/partly on

information obtained from [credit reporting agency] about you.

information obtained from [credit reporting agency] about your joint

applicant/s [navze/s]/

information obtained from [credit reporting agency] about your

guarantor/s.( delete as applicable)

Your rights

Under the Privacy Act 1988, you have the right to obtain access to yourcredit information file held by a credit reporting agency. The most convenientway for you to obtain access to your credit information file is to contact[nanne of credit reporting agency] at [address of credit reporting agency].

When. writing to the credit reporting agency, you should paint your nameand address in full. The credit reporting agency may require you to provideother identifying particulars.

[5095] Disclosures to credit reporting agencies

[5100] Reporting of unspecified credit limits

2.1 Where a credit provider makes an enquiry to a credit reporting agencyin connection with an application for credit, and the amount of credit soughtis unknown or incapable of being specified, the credit provider may ad\isethe credit reporting agency that the amount of credit being sought isunspecified. The credit reporting agency may then record that an unspecifiedamount of credit is being sought.

Commissioner's Note43. Circumstances where an amount of credit sought in an application for credit is notspecified typically involves credit relating to:• an overdraft

• a line of credit

• a credit card.

Release 5 1026

Credit Reporting- Code of Conduct 1996 and Explanatory Notes

Where the amount of credit being sought is known, the Act requires, under

s.18E(1)(b)(i)(B), that the amount sought must be recorded.

Reporting mistakes as to identity

2.2 Where a credit provider has made an enquiry to a credit reporting agencyin connection with an application for credit, and subsequently becomes awarethat the credit report given by the credit reporting agency related to anindividual other than the one to whom the enquiry related, the creditprovider must:

(a) advise the credit reporting agency of the mistake as to identity;(b) advise any other persons who were given a copy of the credit report,

or information derived from the credit report, of the mistake as toidentity and of the need to destroy the credit report; and

(c) destroy the credit report.

Commissioner's Note44. Upon. being ii formed of the mistake as to identity, the credit reporting agency will,

in accordance with s. 18K(5) of the Act, record on the individual's credit information

file a note of the disclosure having been mistakenly made.

[5105]

Reporting current credit provider status [5110]

Commissioner's Note45. ;1 credit provider who has approved an individual 's application for credit and

entered into a credit agreement may notify any credit reporting agency that it is a currentcredit provider in relation to the individual.

46. The credit provider will then be listed on the individual's credit information file as

a `current credit provider ' for the purposes of receiving information about overdue

payments owed by that individual to another credit provider

Reporting that an individual is no longer overdue [5115]

Commissioner's Note47. [-[were a credit provider has previously notified a credit reporting agency that anindividual to whom it provided credit is overdue in making a payment and thatindividual subsequently fulfils his or her obligations in relation to that payment , or thatthe individual contends that he or she is not overdue in making the payment, the creditprovider must, as soon as practicable, notify the credit reporting agency that theindividual concerned is no longer overdue , or that the individual contends that he orshe is not overdue in making the payment, as the case may be (s. 18F(3)).

48. As it may be difficult for credit providers to ascertain whether a report of an overduepayment had been made to a credit reporting agency before 25 February 1992, it issuggested that in order to fulfil this obligation , credit providers should, as far aspracticable, adopt the practice of noting the credit reporting agency as a matter of

id,

1027 Release 5


course when an individual is no longer overdue in making a payment, or contends thathe or she is not overdue , as the case may be. (See also Code provision 1.16 andparagraph 24 of the Commissioner 's Notes).

49. In the case of an instalment loan where the individual is overdue in respect of a

payment, the individual is considered to remain overdue until all arrears are broughtup to date. That is, the credit provider is not required to make a series of reports of

overdue payments and reinstatements in respect of the loan while the individual is stillbehind in payment.

[51201 Reporting discharge of credit commitments

2.3 Where a credit provider has informed a credit reporting agency that it

was a current credit provider in relation to an individual, and the creditprovider ceases to be a current credit provider in relation to the individual,the credit provider must as soon as practicable, but in any event no later than

45 days after ceasing to he a current credit provider, notify the creditreporting agency that it is no longer a current credit provider in relation tothe individual.

Commissioner's Note

50. For the purposes of revolving credit arrangements, the obligation upon a credit

provider to notify a credit reporting agency that it is no longer a current credit provider

in relation to an individual does not apply until such time as the revolving creditarrangement ceases to exist between the credit provider and the individual. That is, the

credit provider ceases to be a credit provider only when the account is actually closed,

and not when the account is merely inactive (e.g. there is a `nil' balance on the account).

51. A credit provider ceases to be a current credit provider in relation to an individual

where:

(a) the credit provider legally assigns to a third party the debt owed to it by theindividual concerned;

(b) the individual's debt is enforceable by virtue of the statute of limitations.


52. Where a credit provider is aware that, or would expect that, it notified a credit

reporting agency prior to 25 February 1992 that it was providing credit to an

individual, and the individual discharges his or her credit obligations after 25 February1992, the credit provider should take reasonable steps to advise the credit reporting

agency that the individual's credit obligations have been discharged. This could be

achieved by responding to a request by a credit reporting agency for verification of

current credit provider status (see paragraph 25 of the Commissioner's Notes).

Release 5 1028


Rectifying reporting procedures [5125]

2.4 Where a credit provider has been notified by a credit reporting agency inaccordance with paragraph 1.3 that it has given the credit reporting agencyinformation which the credit reporting agency is not permitted under the Actto include in an individual ' s credit information file, the credit provider musttake steps to remedy its reporting procedures to ensure that the requirementsof the Act may be complied with in future.

2.5 Where a credit provider becomes aware that:(a) it has given to a credit reporting agency personal information which

was inaccurate at the time of giving the information , and which mayhave, or might , adversely affect the decision to grant credit; or

(b) it has given information of a type not permitted to be included inan individual ' s credit information file by a credit reporting agency,

the credit provider must immediately advise the credit reporting agency of

the inaccuracy or the existence of prohibited information.

2.6 Where a credit provider has been notified by a credit reporting agency in

accordance with paragraph 1.4 it shall:(a) alert the agency to any other individuals ' credit information files

that may be similarly affected, and investigate the accuracy of any

listings in relation to overdue payment or serious creditinfringement listings in those other individuals' files; and

(b) within 30 days, advise the Privacy Commissioner in writing of theaction the credit provider has taken to rectify the problem.

Reporting overdue payments [5130]

Reporting overdue payments to a credit reporting agency [5135]

Commissioner's Note53. A credit provider must not give to a credit reporting agency personal informationabout an individual unless the credit provider has reasonable grounds for believing thatthe information is correct.

54." Where an individual becomes overdue in respect of credit given by a credit providerthe credit provider may not report the overdue payment to a credit reporting agencyunless the credit provider has first notified the individual that the credit provider maylodge a report about the overdue payment against the individual with a credit reportingagency.

55. A credit provider may report an overdue payment to a credit reporting agency inrespect of a savings account, or a similar facility which has been overdrawn, providedthat the credit provider has first notified the individual of the disclosure.

1029 Release 5


I

55A. The prohibition in paragraph 2.8 includes the re-listing of information with the

same credit reporting agency after the maximum period permitted for the retention of

such information on a credit information file has expired.

55B. Care and judgment should be exercised by the credit provider when reporting an

overdue payment to a credit reporting agency, to ensure that such reporting accords with

the requirement that information contained in credit information files is accurate.

up-to-date, complete and not misleading (refer section 18G).

55C. An overdue payment reported by a credit provider to a credit reporting agenes

should generally reflect the amount which, if paid, would result in the individual no

longer being overdue in respect of the debt. This may vary according to the terms of the

particular loan. For example, with some loans the entire balance of the loan falls die

where the individual falls into arrears by a certain amount, or on the occurrence of a

particular event. Where this is the case, it should be reflected in the information reported

to the credit reporting agency. The amount to be reported will not necessarily be the

amount recoverable at law, which may be affected by other contingencies not foreseen atthe time of reporting.

55D. A credit provider may seek amendment of overdue payment information prceznousls

reported to a credit reporting agency, where legal or other developments have occurred

which affect the amount by which the individual is regarded as being overdue. Change;s

to the credit information file may be needed to ensure that the information remains

accurate, up-to-date, complete and not misleading.

55E. A credit provider may only report an arrangement for repayment to a credit

reporting agency where the arrangement relates to an overdue payment or serious credit

infringement which has been reported by the credit provider to the credit reporting agenc,_

An arrangement for repayment may only be reported to a credit reporting agency when'

it is a formal written arrangement involving a substantial renegotiation of the termsof the loan. An arrangement would normally involve a significant variation of the

individual's obligations with regard to one or more of the main elements of file conIn-.,,-I

such as the period of the loan, or the size and frequency of repayments. For the purposes

of paragraph 2. 10 an arrangement would not include, for example, a verbal agree s t

to allow a one-off late payment.

55F Where the arrangement has the effect of rendering the individual no longer ovenine

in respect of their payments under the loan and the credit provider has reported the

overdue payment(s) to a credit reporting agency, then the credit provider is obliged under

section 18F(4) of the Act to report to the credit reporting agency that the individual is

no longer overdue. A revised schedule of repayments would not normally be regarded as

rendering the individual no longer overdue. On the other hand, an arrangement where

the overdue amount is `forgiven" would most probably be regarded as having that efict.

This distinction is important because the reporting of arrangements is optional, whereasreporting that the individual is no longer overdue is mandatory. The above examples

are intended as general guidance only; in all cases the question of whether the

arrangement has the effect of rendering the individual no longer overdue will depend

on the intention of the parties as indicated by the terms of the arrangement and any

other relevant circumstances.

Release 5 1030


55G. Where information relating to an arrangement for repayment has been reportedto a credit reporting agency, the individual is entitled under the Act to requestamendment of the it formation by way of correction, deletion, or addition. The request

should be directed to the credit reporting agency in possession of the credit informationfile.

History of 55A-G55A-G added in March 1995

2.7 A credit provider may report an overdue payment to a credit reportingagency:

(a) once 60 days has elapsed since the day on which the payment wasdue and payable; and

(b) if the credit provider has sent a written notice to the last knownaddress which:

(i) advises the individual of the overdue payment andrequests payment of the amount outstanding; or

(ii) in the case of a joint debt where the parties concerned liveat separate addresses and those addresses are known . advisesthe individuals against whom the overdue payment is to berecorded and requests payment of the amount outstanding.

2.8 A credit provider must not give to a credit reporting agency informationabout an individual being overdue in making a payment where recovery ofthe debt by the credit provider is barred by the statute of limitations.

2.9 A credit provider must not report to a credit reporting agency all overduepayment listed against a guarantor:

(a) until 60 days has elapsed since the day on which the borrower'spayment was due and payable; and

(b) until steps have been taken to recover either the whole or part ofthe amount outstanding from the guarantor, including advising theguarantor, by notice in Writing, of the overdue payment incurredby the borrower.

2.10 Where a credit provider has previously listed with a credit reportingagency an overdue payment or a serious credit infringement against anindividual in respect of an amount outstanding, and the credit provider

subsequently enters into an arrangement with the individual for repayment

of the outstanding amount, the credit provider may contact the creditreporting agency to advise that a note should be included in the individual'scredit information file to the effect that an arrangement has been enteredinto with the individual for repayment of the outstanding amount.

History of 2.102.10 amendment issued b'c the Privacy Commissioner Special Gazette No. S 82,

March 1995

zi

1031 Release 5


[5140] Reporting overdue payments to another credit provider

Commissioner's Note56. A credit provider may report an overdue p ayment to another credit provider only

where the individual's specific written agreement to the credit provider exchanging such

information with the credit provider for this particular purpose has been obtained

(unless the disclosure is for the purposes of the other credit provider assessing an

application for credit which was at first instance made orally to that other credit

provider, in which case the agreement need not be in writing).

[5145] Reporting overdue payments to a debt collection agent

Commissioner's Note57. A credit provider which has law fully obtained a credit report for the purposes of

collecting overdue payments in respect of either consumer or commercial credit provided

by that credit provider may use the entire report only for `in- house ' debt collection

activities . That is, where such activities are conducted by a debt recovery department

established within the credit provider's organisation , and no outside debt collection

agents are involved.

58. W here a credit provider wishes to commence recovery action in respect of either

consumer or commercial credit provided and in so doing engages the services of a debt

collection agent, the credit provider may provide the debt collection agent with only

certain items of information derived from a credit report obtained from a credit reporting

agency for this purpose.

59. Section 18:V(1) (c) of the Act provides that the only information contained in, or

derived from, a credit report issued by a credit reporting agency which a credit provider

may pass to a debt collection agent for the purpose of collecting overdue consumu>r credit

payments owed to that credit provider is the following information:

(a) identifying information as permitted to be kept on a credit information file;

and

(b) information about overdue payments, other than overdue payments in respect

of which a note has been attached to the individual 's credit information file

to the effect that he or she is no longer overdue in making a payment; and

(c) information about court judgments and bankruptcy orders, being items of

publicly available information.


59A. Section 18N(1)(ca) of the Act provides an equivalent to section 18N(1)(c), butin relation to commercial credit. It provides that the only information contained in, orderived from, a credit report issued by a credit reporting agency which a credit providermay pass to a debt collection agent engaged in the collection of overdue commercial credit

is the following:(a) identifying information as permitted to be kept on a credit information file;

and

Release 5 1032


(b) information about court judgments and bankruptcy orders, being items ofpublicly available information.

History of 59A59A added in March 1995

60. Any other items of information in the possession of the credit provider which arenot derived from a credit report issued by a credit reporting agency may also be givento a debt collection agent, but only for the purposes of the agent collecting overduepayments owed to the credit provider

Reporting serious credit infringements [5150]

Commissioner's Note61. Under s.6(1) of the Act a "serious credit infringement" is defined to mean. an actdone Ins a person:

(a) that involves fraudulently obtaining credit, or attempting fraudulently toobtain credit; or

(b) that involves fraudulently evading the persons obligations in relation to

reedit, or attempting fraudulently to evade those obligations; or(c) Wit a reasonable person would consider indicates an intention , on the part

of the first-mentioned person, no longer to comply with the first-mentionedperson's obligations in relation to credit; ".

62. Where a credit provider has reasonable grounds to believe that an individual towhom it has provided credit has committed a serious credit infringement, that credit

provider may notify a credit u porting agency, another credit provider or a lawenforcement authority of the infringement.

63. Section 18E(8) requires that a credit provider may not give personal information,including a report of a serious credit infringement, to a credit reporting agency unlessthe credit provider has reasonable grounds for believing that the infor mation is correct.Further; before a credit provider reports a serious credit infringement to a credit reportingagency, the credit provider must have notified the individual of the disclosure to the

agency. For loans which were taken out before 25 February 1992, the requirement tohave first notified the individual before disclosure to an agency may be satisfied bywriting to the individual at his or her last known address, not Vying him or her of thedisclosure prior to the disclosure to the agency.

64. A credit provider is not required to notifi• the individual concerned before reporting

a serious credit infringement to another credit provider or to a law enforcement authority.

65. Caution should be exercised in reporting a serious credit infringement. Overduepayment alone is not a sufficient ground for reporting a serious credit infringement.

11,7zere a credit provider forms a view in accordance with paragraph (c) of the definition

of "serious credit infringement ", a guide as to what could reasonably be considered an

intention on the part of an individual no longer to comply with credit obligations mayinclude:

1033 Release 5


• the individual has stopped making payments under a credit agreement/contract or

breached it in some other serious way, and the credit provider has made reasonable

efforts to contact the individual either in person or in writing, but has been

unsuccessful in establishing contact, or

• the credit provider has made contact with the individual and the individual hasunlawfully refused to meet his or her credit obligations by resuming payments, or

• the individual does not comply with the terms of a debt judgment.

2.11 Where a credit provider has reported a joint serious credit infringementin respect of an amount outstanding, and is subsequently satisfied that oneof the individuals was released from the obligation to repay the outstandingamount by an order of a court or by legal agreement, the credit providershould advise the credit reporting agency that the serious credit infringementlisting should be removed from that individual's credit information file.

Commissioner's Note66. A typical example of the above situation would be cases where a deserted spouse has

been, left with insufficient means to meet financial obligations incurred during the

marriage. A serious credit infringement may have been listed against both spouses by acredit provider: A subsequent settlement is made by an order of the Family Court to

absolve the deserted spouse from repay men! obligations. Where the credit provider is

satisfied that such an order exists, the credit provider should advise the credit reporting

agency that the serious credit infringement listing should be removed from the deserted

spouse's credit information file.

67. Credit providers should note that credit reporting agencies are required, under

provision 1.18 of the Code of Conduct, to report amorally to the Privacy Commissioner

listings made by credit Providers against individuals of serious credit infringements

where such listings had not been previously listed by the credit providers concerned as

overdue payments.

[5155] Disclosure between credit providers

2.12 Before a credit provider obtains from another credit provider a reportabout an individual's consumer credit worthiness, the credit providerobtaining the report must be satisfied that the individual has given his or herspecific written agreement to the disclosure (unless the report is requestedfor the purpose of assessing an application for either consumer credit orcommercial credit that was at first made orally, in which case the agreementneed not be in writing).

Commissioner's Note68. Where a credit provider has received an oral agreement to the disclosure of creditinformation to another credit provider in the circumstance described in provision 2.12of the Code, and the individual subsequently puts the application in writing, the credit

Release 5 1034


provider must at that point obtain the agreement, in writing, front the individual forany subsequent disclosures.

2.13 A credit provider which has been requested by another credit providerto disclose to the latter information about an individual's consumer creditworthiness should be satisfied that the second credit provider has obtainedthe individual's specific agreement to the disclosure. If the individual'sspecific agreement has not been obtained, the first credit provider may not,unless it had itself obtained the individual's specific agreement to thedisclosure for the particular purpose, disclose the personal information to thesecond credit provider.

Connnissioner's Note69. A credit provider should ensure that personal information relating to anindividual's credit worthiness is not disclosed to any person. unless that person is

permitted under the Act to be given the information.

2.14 Whenever a credit provider obtains from another credit provider areport about an individual ' s consumer credit worthiness , the credit providerrequesting the report shall make a record of:

(a) the date on which the report was obtained;(b) the name of the credit provider from whom the report was

obtained;(c) a brief description of the contents of the report; and(d) where the individual ' s specific agreement to the disclosure is

required , a note to the effect that the individual 's specificagreement to the disclosure has been furnished.

Commissioner's Note70. A credit provider receiving from another credit provider personal inforntatiorrrelating to an irdlividual's credit worthiness should restrict the use of the personalinformation to the particular propose for Which the specific agreement of the individualhas been obtained.

2.14A A record which is made by a credit provider in accordance withparagraph 2.14 should be retained for a minimum period of 12 months fromthe date on which it is made.

History of 2.14A2.14A amendment issued by the Privacy Commissioner Special Gazette No. S 82,

9 March 1995

2.15 There a credit provider has obtained from another credit providerinformation about an individual's credit worthiness, and subsequentlybecomes aware that the report given by the other credit provider was mistakenbecause it related to an individual other than the one to whom the enquiryrelated, the first credit provider must:

1035 Release 5


(a) advise the second credit provider which gave the report of themistake as to identity; and

(b) destroy the report.

2.16 A credit provider which is a bank may not disclose to another bank a`banker's opinion' relating to an individual's consumer credit worthiness,unless that individual's specific agreement to the disclosure of suchinformation for the particular purpose has been obtained.

Commissioner's Note71. The provision by banks of opinions relating to an individual 's commercial credit

worthiness is unaffected by the provisions of the Code of Conduct or the Privacy Act.

[51601 Disclosures to agents of individuals

2.17 Where a credit provider has been requested by an agent of an individual

to disclose to the agent personal information relating to the individual's creditarrangements with the credit provider, the credit provider should satisfy itselfthat the agent is acting under the specific written agreement of the individual

before disclosing the information. Where the credit provider is not satisfiedthat a written agreement exists, the credit provider shall request that the agent

produce evidence of the specific written agreement before making the

disclosure.

2.18 A credit provider may furnish to an individual's authorised agent onlyinformation permitted by the scope of the individual's written agreement.

Connnissioner's Note71A. As a guide only some suggested forms of wording to be used by agents when

obtaining credit information from credit providers and credit reporting agencies are

provided below.

APPOINTMENT OF AGENT - ACCESS TO CREDIT PROVIDERRECORDSAuthority for agent to obtain access to information about an individualheld by a credit provider (Privacy Act 1988)

1. Financial counsellorsI/we (name/s] authorise [counsellor's name] or other persons employed by

[counselling agency's name] to:

action• act as my/our agent in seeking access to consumer credit information held

by [name of credit provider] about me/us

Release 5 1036


limit of authorityThis authority continues until the matter which is the subject of the query

is resolved , or until I/we otherwise revoke this authority.

This authority only applies to enquiries made by [counsellor's name] or

persons employed by [counselling agency's name] in connection with:

• an application, or proposed, application to me/us for credit• my/our having sought advice in relation to existing credit.

(Signed and dated by the parties)

2. Others (e.g. accountants, solicitors or financial advisers)

I/we [names/5] authorise [name of agent] to:

action• act as my/our agent in seeking access to consumer credit information held

by [name of credit provider] about me/us.

limit of authorityThis authority continues until the matter which is the subject of the query

is resolved, or until 1/we otherwise revoke this authority.

This authority only applies to enquiries made by [agent's name] in

connection with:• an application , or proposed application, by me/us for credit• my/our having sought advice in relation to existing credit.

(Signed and slated by the parties.)

72. In the case of credit providers which are retailers, it is anticipated that most requests

for information about an individual's account are made by family members of the

individual concerned, and that the information sought relates to the current balance

of the account and/or the credit limit.

Other disclosures

Commissioner's Note73. A credit provider must not disclose personal information which has any bearing onan individual's credit worthiness unless the disclosure of personal information ispermitted under s.18N of the Act. It is important to note that the type of personalinformation which is referred to as a "report" and subject to the limitation on disclosureunder this section includes:

(a) a credit report; or(b) any other record or information (where it has been prepared by or for a

corporation), whether in a written, oral or other farm, that has any bearing

[5165)

1037 Release 6


on an individual 's credit worthiness, credit standing, credit history or creditcapacity;

but does not include information in which the only personal information relating to

individuals is publicly available information (see s. 18N(9)).

74. Section 18N of the Act governs the limits on disclosure by credit providers of personal

information contained in reports relating to an individuals credit worthiness. Thefollowing disclosures are permitted:

• to a credit reporting agency either to create or to add to information in a creditit formation file maintained by the credit reporting agency about the individual,

• to another credit provider, where the individual concerned has consented to thedisclosure for the particular purpose;

• to a debt collection agency engaged in the collection of overdue consumer credit,provided that the entire credit report obtained from a credit reporting agency is not

disclosed and that disclosure of information derived from a credit report is limitedto identifying information, information about overdue payments , and information

relating to court judgments and bankruptcy orders. (An equivalent provision relates

to debt collectors engaged in the collection of overdue commercial credit, except thatthe disclosure of information derived from a credit report is limited to identifying

information , and information about court judgnzents and bankruptcy orders.

• to a person who has provided a guarantee or security for a loan to the individual,

and:

- the individual has specifically agreed to the disclosure; or-- the guarantee was given before 7 December 1992 and the individual was given

prior notification that such disclosure may take place for the purpose of assessing

the individual 's liability under the guarantee or security . (Notification may besatisfied by writing to the individual's last known address.)

Historyadded in March 1995

• to a person considering whether to act as guarantor for a loan given or proposed tobe given by the credit provider, where the individual concerned has consented to suchdisclosure.

History

added in March 1995

• to the guarantor of a loan provided by the credit provider to the individualconcerned, and for any purpose related to the enforcement of the guarantee;

• to a mortgage insurer for specified purposes connected with the provisions ofmortgage insurance to the credit provider, including for any purpose arising undera contract for mortgage insurance that has been entered into between the creditprovider and the mortgage insurer;

• to a person or body generally recognised in the community as a person or bodyestablished for the purpose of settling disputes between credit providers andindividuals (e.g. the Banking Industry Ombudsman) and is disclosed for the

Release 6 1038

Credit Reporting- Code of Conduct 1996 and Explanatory Notes

purpose of settling a dispute between the credit provider and the individualconcerned;

• to a State or Territory authority whose functions include giving assistance that

facilitates the giving of mortgage credit to individuals and is disclosed for the

purpose of enabling the authority to determine the extent of assistance it will give

in relation to the giving of mortgage credit to the individual concerned;

• to a Minister, Department, or authoity, of a State or "Territory whose functions or

responsibilities include the management or supervision of schemes or arrangements

under which assistance is given (directly or indirectly) that facilitates the giving ofmortgage credit to individuals; and for the purpose of enabling the zAfinister,

Department or annt/zoity to manage or supervise any such sc/wine or arrangement.


• to a person supplying goods or services for the purpose of enabling that person to

decide whether to accept payment by means of credit card or electronic transfer of

funds and does not contain any information derived from a credit report other than

identifying information and information as to whether the individual has a line ofcredit with the reedit provider; or sufficient funds deposited with the credit providerto meet the payment concerned. This refers to the process commonly known as

nzerchcnzt authorisations;

• to persons acting in the capacity of settlement agents, or persons considering taking

an assignment of or discharging on the individual's behalf a debt owed In' the

individual to the credit provider and does not contain any information derived froma credit report other than identifying information and information as to the amornt

of the debt, or the amonnt required to be paid in order to discharge the debt. This£s$3.a refers to the situation Where a pay-out' figure is sought by flue settlement agent from

the credit provider;

• to the individual concerned, or a person other than a credit provider; mortgage

insurer or trade insrner; who has been authorised in writing by the individual to

seek access to the report or information. An example of such a disclosure would be

where the disclosure is to a financial advisor or a debt counsellor who has beenauthorised in writing In the individual to approach the credit provider on the

individual's behalf to obtain information as to the individual's overdue payments

for the purposes of assisting the individual to renegotiate his or her loan with the

credit provider;

• to a corporation that is related to the credit provider, but only where the creditprovider itself is a corporation;

• to a corporation (including the professional legal or professional financial advisers

of that corporation) that proposes to use the report or information for considering

whether to:

• accept an assignment of debt owed to the credit provider• accept a debt owed to the credit provider as security for a loan to the credit

provider• purchase an interest in the credit provider

11

1039 Release 5


and, additionally, for a use in connection with exercising rights arising from any

acceptance or purchase of a kind referred to above;

• to a person who manages loans made by the credit provider for use in managing

those loans;

• where the disclosure is required or authorised by or under latu. This applies to both

statute law and common law. It is not limited to Commonwealth law but applies

also to state law, and laws of other Australian jurisdictions to which credit providersmay be subject. It also includes statutory provisions authorising warrants and other

instruments for searching premises, obtaining information etc.

History

amended in Alarch 1995

• to another credit provider or to a law enforcement authority in connection with a

serious credit infringement which the credit provider believes on reasonable gronuids

the individual has committed.

• to another credit provider where both credit providers have provided mortgage credit

in relation to the same property, and at least one of the mortgagees is 60 days in

arrears, for the purpose of deciding what action to take in respect of the overdue

payments. .

History

added in tllardr 1995

• to a person who is authorised by the individual to operate an account maintainedwith the credit provider and the information is limited to basic transactioninformation , or is consistent with the ordinary operation of the account.

History

added in illarch 1995

2.19 Where a credit provider provides a report about an individual's creditworthiness to an authorised recipient other than a credit provider, the creditprovider should, to the extent practicable, make a record of the disclosure.

Commissioner's Note75. This provision is designed to encourage the keeping of a record of disclosures bycredit providers under s. 18N. In the case of merchant authorisation , the provision In acredit provider of a reference number to the merchant is considered to be adequate tomeet this requirement.

[51701 Access by an individual to a credit report

2.20 A credit provider must ensure that:

Release 5 1040


(a) it has information available to advise individuals about the

procedures by which access can be obtained to credit reports heldby the credit provider; and

(b) adequate facilities are available for responding to requests for accessto credit reports in its possession.

2.21 A credit provider must, when so requested in writing by an individual,

attempt to give that individual access to any of his or her credit reports whichare in the possession of the credit provider within 10 working days, and inany event, must give access within 30 calendar days of receipt of the

individual's request.

2.22 Where an individual has requested access to a credit report which he orshe believes may be in the possession of a credit provider to whom theindividual has applied for credit, and the credit provider no longer possessesthe report, the credit provider must advise the individual to contact the creditreporting agency from which a copy of the credit information file may beobtained.

Commissioner's Note

76. When a credit providergrives an individual access to a credit report in its possession,the credit provider must ddvise the individual that, in order to ensure the or she has

access to the most up-to-date information about him or herself, access should additionally

be obtained to the individual's credit information file or any credit reports relating tothe individual held b-by the credit reporting agenr which issued the credit report being

sought. This is designed to minimise any misunderstandings which may arise when an

individual is provided with access to a credit report which, although accurate at thetime of receipt by the credit provider; may be out-of-date at the time access is given b1•the credit provider to the individual.

Requests for amendment to a credit report [5175]

Commissioner's Note77. Section 18J(1) requires credit providers to take reasonable steps to make appropriateamendments to ensure that personal information contained in credit reports in theirpossession is "accurate , up-to-date, complete and not misleading".

78. Where a credit provider retains a- credit report relating to an individual for thepurposes of building scorecards, the credit provider may retain the credit report in itsoriginal state . Further, where the credit provider- retains a credit report for archivalpurposes only (i . e. not to be referred to for fresh decision-making purposes) the creditprovider may keep the report in its original state. In other cases , where the credit reportis retained for other loan administrative purposes, the credit provider must takereasonable steps to ensure that the credit report is accurate , up-to-date, complete and notmisleading.

1041 Release 5


79. A credit provider may be considered to have taken reasonable steps to amend

personal information contained in credit reports issued by a credit reporting agent'

where the credit provider refers an individual's request for amendment to the credit

reporting agency which issued the credit report.

2.23 Where a credit provider receives a request from an individual for anamendment of, or for the inclusion of a statement in, a credit report issuedby a credit reporting agency, the credit provider should, within 10 workingdays of receipt of the request:

(a) refer the request to the relevant credit reporting agency,incorporating any opinion the credit provider has as to theappropriateness of the amendment sought;

(b) inform the individual, in writing, of the referral, including thename and address of the credit reporting agency; and

(c) include in any credit reports in the possession of the credit providera note to the effect that information on the individual's creditreport is subject to a request for amendment by the individual.

Part 3 - Dispute settling procedures relating to credit

reporting

[51801 General requirements

3.1 Credit reporting agencies and credit providers must handle creditreporting disputes in a fair, efficient and timely manner.

3.2 Credit reporting agencies and credit providers must establish proceduresto deal with a request, in writing, by an individual for resolution of a disputerelating to credit reporting.

Commissioner's Note77B. Credit reporting agencies and credit providers should ensure that adequate

facilities are available to enable them to deal with enquiries, both in writing and overthe telephone and in a face-to-face setting, from the general public about their disputesettling procedures.

78B. Credit reporting agencies and credit providers should nominate an Officer as thefirst point of contact for the handling of disputes. Where the credit reporting agency orcredit provider operates in more than one location, additional contact officers may berequired, or procedures should be in place enabling referral of disputes to the nominatedofficer.

Release 5 1042


79B. A credit provider may be considered to have taken reasonable steps to establish

procedures to deal with a request for dispute resolution concerning the contents of a

credit report where it refers an individual's request to the a-edit reporting agency whichissued the credit report.

3.3 A credit provider should refer to a credit reporting agency for resolutionof a dispute between that credit provider and an individual where the disputeconcerns the contents of a credit report issued by the credit reporting agency.

3.4 In referring a dispute to a credit reporting agency, a credit provider mustinform the individual of the referral and must provide the individual with thename and address of the credit reporting agency.

3.5 Upon receipt, from a credit provider, of a referral of a request for disputeresolution, a credit reporting agency must handle the request as if the requesthad been made directly to the agency by the individual concerned.

3.6 Where a credit reporting agency is unable to clearly establish the nature

of the dispute which has been referred to it for resolution by a credit provider,the agency may write to the individual concerned asking for furtherinformation, before proceeding with the request.

3.7 V\'here a credit reporting agency establishes that it is unable to resolve adispute it must immediately inform the individual concerned that it is unable

to resolve the dispute and that the individual may complain to the PrivacyCommissioner.

Amendment to a credit information file or a credit report [5185)

Commissioner's Note80. Where a credit reporting agency receives a request from an individual for anamendment to personal information contained in his or her credit information file orcredit report, the credit reporting agency should take the following steps:

(a) place a note of the disputed entry on the credit information file or a-editreport until the matter is resolved; and

(b) commence an investigation.

3.8 Where an individual has requested an amendment to personalinformation included in a credit information file or credit report, and thecredit reporting agency establishes that an amendment to personalinformation contained in the credit information file or credit report isnecessary, the credit reporting agency must, as soon as practicable, but in anyevent, within 5 working days, amend the file or report.

1043 Release 5


Commissioner's Note81. Upon being informed that an individual is no longer overdue in making a paymentor that he or she disputes the overdue payment, a credit reporting agency must, inaccordance with s. 18F(4), add to a credit information file a note to that effect. Code

provision 3.9 sets the time-limit for compliance with this requirement

3.9 Where a credit reporting agency is informed that an individual is nolonger overdue in making a payment or that the individual contends that heor she is not overdue in making the payment, the credit reporting agencymust, within 5 working days of being so informed, add to the creditinformation file or credit report a note to that effect.

Commissioner's Note82. Where an amendment to personal identifiers is required, the credit reporting agency

may require evidence from the individual to verify that the proposed amendments are

accurate before staking the amendment.

[5190] Inclusion of statements

3.10 tithere a credit reporting agency does not amend it disputed entry inaccordance with an individual's request, the credit reporting agency must,within 30 days of having received the individual's request, inform the

individual in writing of:(a) the reason (s) for the requested amendment not having been made;

(b) his or her right, under s.18 (2) of the Privacy Act, to have astatement included in his or her credit information file or creditreport, containing details of the amendment sought; and

(c) his or her right to complain to the Privacy Commissioner if

dissatisfied with the action of the credit reporting agency.

3.11 Where a credit reporting agency is provided by an individual with astatement for inclusion in his or her credit information file or credit report,and the credit reporting agency considers the statement unduly long, thecredit reporting agency may, within 30 days, refer the statement to the Privacy

Commissioner for a reduction as considered appropriate.

3.12 In referring the statement, the credit reporting agency may include asuggested shortened version prepared by the credit reporting agency forconsideration by the Privacy Commissioner. A copy of the suggested shortenedversion must, at the same time, be sent to the individual concerned.

3.13 A credit reporting agency must, where so requested by an individual,remove from his or her credit information file or credit report any statementpreviously provided by the individual for inclusion in his or her creditinformation file or credit report.

Release 5 1044

Credit Reporting Code of Conduct 1996 and Explanatory Notes

Commissioner's Note83. Where an individual is not able to provide to the credit reporting agency asufficiently clear written explanation of the amendment sought, the credit reportingagency should offer to assist the individual to provide a written statement of theamendment sought.

Advice of dispute outcome [5195]

3.14 Where an amendment has been made, or a statement provided by theindividual has been included by a credit reporting agency in the individual'scredit information file or credit report, the credit reporting agency shall,within 14 days of having made the amendment or included the statement:

(a) provide the individual with a copy of the amended creditinformation file or credit report; and

(b) advise the individual in writing of his or her right to complain to

the Privacy Commissioner if he or she is dissatisfied with the actiontaken by the credit reporting agency.

3.15 Where, as a result of 'a dispute having been resolved, a credit reporting

agency amends information from a credit information file or credit reportand that information is of a type detailed in sub-paragraphs 18E(1) (b) (i), (v),(vi), (vii), (viii), (ix) or (x) of the Act, the credit reporting agency must,within 14 days of amending the information:

(a) provide the individual with a copy of the amended creditinformation file or credit report;

(b) advise the individual, in writing, that he or she may nominate anyperson:

(1) to whom information from the credit information file orcredit report had been given during the previous threemonths; and

(ii) whom the individual wishes to be notified of the changesmade to the file or report;

(c) notify, within 30 days, such persons in writing of the amendmentmade to the credit information file or credit report; and

(d) advise the individual in writing of his or her right to complain tothe Privacy Commissioner, if dissatisfied with the action taken bythe credit reporting agency.

Other credit reporting disputes [5200]

3.16 Where a credit reporting agency or a credit provider receives a requestin writing from an individual seeking resolution of a dispute concerning anact or practice of the credit reporting agency or credit provider in relation to

1045 Release 5


credit reporting, the credit reporting agency or credit provider should, within30 days of receipt of the request:

(a) investigate the matter;(b) provide the individual with such response, in writing, as considered

appropriate by the credit reporting agency or credit provider; and(c) advise the individual of his or her right to complain to the Privacy

Commissioner if dissatisfied with the action taken by the creditreporting agency or credit provider.

[5205] Maintenance of records

Commissioner's Note

84. Credit reporting agencies and credit providers should maintain records of disputes

handled fry them for at least 12 months after the individual has been notified of theoutcome of the dispute. Such a record should contain:

• correspondence and documentary evidence relating to the dispute

• records of interviews and telephone conversations

• details of the action taken and reasons for the action.

85. Credit reporting agencies and credit providers should maintain statistics in relationto disputes handled to assist the I'rivacy Commissioner in carrying out his auditresponsibilities. The statistics should be provided to the Privacy Coin nnissioner uponrequest.

[5210] Investigation of complaints by the Privacy Commissioner

Commissioner's Note86. Consumers with complaints should take them up in the first instance with thecomplaints section of the bank, finance company or other credit provider with whomthey have dealt. Where appropriate, existing dispute settling procedures within the

relevant industry should be considered before engaging the formal requirements of the

Code of Conduct. For example, where the credit provider is a bank, the Banking IndustryOmbudsman will often be an appropriate first stage of settlement.

87. Similarly, where a complaint involves a credit reporting agency, the consumer should

first take up the complaint with the complaint handling area of the credit reportingagency concerned.

3.17 The Privacy Commissioner may decide not to investigate a complaintabout a credit reporting dispute if the Commissioner considers that:

(a) the dispute should first be dealt with by a credit reporting agencyor credit provider; or

(b) the dispute is being, or has been, dealt with adequately by the creditreporting agency or credit provider.

Release 5 1046


Commissioner's Note88. In addition to the circumstances set out above, section 41 of the Act sets out a range

of other circumstances in which the Commissioner may decide not to investigate a

complaint.


3.18 Where the Privacy Commissioner decides not to investigate anindividual's complaint about a credit reporting dispute, the Commissioner

shall advise the individual of the reasons for his or her decision not to

investigate the complaint.

Part 4 - Other matters

Staff training [5215]

4.1 Credit reporting agencies, credit providers and others lawfully involved inthe handling of personal information contained in credit information filesand credit reports shall take such steps as are reasonable in the circumstancesto inform those staff whose duties involve handling of personal informationincluded in credit information files or credit reports of the requirements of

the Act and the Code of Conduct , and in particular:(a) the circumstances in which personal information included in credit

information files and credit reports may be accessed , used or disclosed:(b) the procedures to be followed in response to a request by an

individual for access to , or amendment of, personal informationincluded in a credit information file or credit report;

(c) the procedures for handling disputes relating to credit reporting; and(d) the circumstances in which personal information relating to an

individual's credit worthiness may be disclosed by a credit provider.

Modifying time limits [5220]

4.2 The time limits set out in Parts 1, 2 and 3 of this Code of Conduct andaffecting acts and practices of credit reporting agencies and credit providersmay be varied with the approval of the Privacy Commissioner where theparties concerned are unable to comply with the specified time limits due tocircumstances such as technological failures or due to other practical orunforeseen difficulties.

1047 Release 5


[5225] Review of the operation of the Code of Conduct

4.3 The Privacy Commissioner shall review the Code of Conduct after 18months of its operation, and may, following consultation with affected parties,make amendments to the Code as considered necessary.

[5230] Terms used in this code

4.4 Where a term used in this Code of Conduct is defined in the Privacy Act,

the term has the meaning given to it by the Privacy Act.

Release 5 1048 The next page is 1055


Amendments to the Credit Reporting Code of Conduct andExplanatory Notes - Reasons for the Amendments

Amendments to the Code of Conduct

Part I - Credit Reporting Agencies

Access by Individuals to their Credit Information File

Paragraphs 1.7 to 1.12 of the original Code contained provisions relating tothe right of access of individuals or their authorised agents to their creditinformation file held by a credit reporting agency. They also includedprovision for credit reporting agencies to be able to charge a fee for accessin certain circumstances.

During the consultation process the chief reporting agency in Australia, theCredit Reference Association of Australia (CRAA), expressed concern aboutwhat it saw as the increasing incidence of individuals seeking access to theircredit information file for purposes unconnected with the provision of credit.As a result , CRAA has been placed under some pressure in meeting its PrivacyAct obligations to provide individuals with access to credit reports . To help

address this problem it was recommended that credit reporting agencies begiven a discretion to refuse or defer access requests made for non-credit

purposes , or charge a fee for such requests , where they have an unreasonableimpact on the agency's ability to process credit related access requests.

Alternatively , the credit reporting agency could charge a fee to offset the

administrative impact of non -credit related access requests.

When considering this issue , I was mindful that individuals ' rights of accessto their information forms one of the central tenets of the credit reportinglaws, which should not be compromised . At the same time, I recognised thatthe operation of credit reporting businesses should not be unduly hamperedin meeting Privacy Act obligations . As such, I have restricted the creditreporting agency's discretion to refuse or defer access , or charge a fee, tolimited circumstances which could be regarded as peripheral to the mainfocus of the credit reference system . For those access requests which relate torefusal of credit or management of the credit relationship , I do not favourprovisions that would have the effect of hindering the individual 's access tohis or her credit information file. An individual who feels unfairly treatedbecause of these arrangements may complain to the Privacy Commissionerwho can order that access be given.

[5300]

1055 Release 5


Part 2 - Credit Providers

[5305] Reporting of Schemes of Arrangement

Prior to its amendment, paragraph 2.10 of the Code of Conduct provided thatwhere a credit provider has reported an overdue payment to a creditreporting agency, and subsequently enters into an arrangement for repaymentof the outstanding amount, a note indicating that this action had been takenwas required to be included in the individual's file held by the credit reportingagency.

In discussions with my Consultative Group, the majority favoured the view thatthe reporting of arrangements to credit reporting agencies should be optionalrather than mandatory. This was because of differing views as to whatconstitutes a scheme of arrangement, and also because the requirements toreport schemes of arrangement was proving to be onerous in some situations.I have amended paragraph 2.10 to give effect to this view, by replacing theword "must" with "mnav".

[5310] Disclosure Between Credit Providers

Paragraph 2.14 of the Code of Conduct requires a credit provider who obtains

a report from another credit provider about an individual's consumer creditworthiness, to make a record of the date on which it was obtained, the name

of the credit provider from whom it was obtained, a brief description of thecontents of the report, and where the individual's agreement to the disclosureis required, the fact that such agreement was obtained.

It was noted that the Code did not prescribe a minimum retention period for

the record made under paragraph 2.14. My Consultative Group stronglyfavoured such a requirement, which would be useful, in the event of a

complaint, to verify that the consent and other requirements relating todisclosures between credit providers have been met. Twelve months was

considered an appropriate retention period because it creates a parallel withsection 41 of the Privacy Act which gives me a discretion not to investigate a

complaint made more than 12 months after the complainant became awareof the act or practice being complained about.

I have therefore amended the Code by adding paragraph 2.14A whichprovides for a minimum retention period of 12 months for records madeunder paragraph 2.14.

Following is a brief summary of amendments made to the Explanatory Notes.

;J.

Release 5 1056


Amendments to the Explanatory Notes

Part 2 - Credit Providers

Refusal of Credit

Paragraph 40 of the Explanatory Notes is amended to make it clear thatnotice of refusal of credit must be in writing.

Background: This amendment was made to ensure consistency in creditproviders' record handling and to provide for better accountability.

Current Credit Provider Status

Paragraph 51(b) of the Explanatory Notes is amended to ensure that a creditProvider ceases to be a current credit provider in relation to an individual incircumstances where the individual's debt is unenforceable by virtue of theStatute of Limitations.

Background: The purpose of this amendment was to broaden the applicationof paragraph 51(b) to debts which are unenforceable. The old paragraph 51(b)referred to debts which have been discharged, which is somewhat narrowerconcept.

Re-listing of Overdue Payments

Paragraph 55A is added to the Explanatory Notes, to ensure that creditprodders do not re-list overdue payment or other information with a credit

It reporting agency after the maximum retention period for that informationhas expired.

Background: This amendment arose out of concern about the practice ofsome credit providers reporting to credit reporting agencies overdue

payments which they had already reported previously, but which had sincebeen deleted from the individual's credit information file followingexpiration of the maximum period under the Act. This practice wasconsidered contrary to the spirit of the Act.

Reporting of Overdue Payments

Paragraphs 55B, 55C and 55D have been added to the Explanatory Notes toprovide guidance on the reporting of overdue payments by credit providersand credit reporting agencies.

Background: This amendment was requested by the industry because ofuncertainty about the requirements associated with the reporting of overduepayments, including the appropriate amount to be reported.

[5315]

[5320]

[5325]

[5330]

1057 Release 5


[5335] Reporting of Schemes of Arrangement

As noted above, the Code of Conduct has been amended to make thereporting of schemes of arrangement by credit providers to credit reportingagencies optional rather than mandatory.

In addition, the Explanatory Notes have been amended to provide guidanceon the meaning of an "arrangement" for the purposes of paragraph 2.10 ofthe Code of Conduct.

Paragraphs 55E, 55F and 55G have been added to the Explanatory Notes toprovide this guidance. They indicate, among other things, that paragraph 2.10is concerned with formal written arrangements involving a substantialrenegotiation of the terms of the loan.

The guidelines also clarify the relationship between the Code provisionsrelating to schemes of arrangement, and other provisions which require creditproviders to notify the credit reporting agency where an individual, previouslylisted as in default, is no longer overdue.

Background: This amendment was requested by members of the industry asa result of confusion concerning the meaning of an "arrangement" and theobligations associated with schemes of arrangement.

[5340] Privacy Act Amendments - December 1992

A number of amendments to Part ILIA of the Privacy Act came into effect on 7

December 1992. They include provisions relating to the disclosure of consumercredit worthiness information by credit providers, and refusal of credit.

Changes made to the Explanatory Notes to reflect the 1992 legislativeamendments, are set out below:

• Paragraph 74 of the Explanatory Notes is amended to take into accountthe following disclosures of credit worthiness information by credit

providers , which are permitted by \irtue of the December 1992 provisions:

• Disclosure to a person who has provided a guarantee or security fora loan to the individual and the individual has agreed to thedisclosure.

• Disclosure to a person considering whether to act as guarantor for aloan given or proposed to be given by the credit provider, and theindividual has consented to the disclosure.

• Disclosure to another credit provider where both credit providershave provided mortgage credit in relation to the same property, andat least one of the mortgagees is 60 days in arrears.

I

Release 5 1058


• Disclosure to a person who is authorised by the individual to operatean account maintained with the credit provider, and the informationis limited to basic transaction information or is consistent with theordinary operation of the account.

• Paragraph 59A is added to the Explanatory Notes, and paragraphs 59 and74 amended, to reflect accurately the restrictions on disclosure of consumercredit worthiness information by credit providers to debt collectionagencies. In particular, they explain the different rules which applydepending on whether the debt collection agency is engaged in thecollection of overdue consumer or commercial credit.

• Paragraph 40A is added to the Explanatory Notes to reflect an additionalrequirement relating to refusal of credit i.e. that a credit provider mustinform an individual in writing if his or her credit application is refusedwholly or partly due to an adverse credit report about a proposedguarantor.

Disclosures Required or Authorised by or Under Law [5345]

Paragraph 74 of the Explanatory Notes is amended to clarify the meaning ofdisclosures "required or authorised by or under law". (Credit providers arepermitted under the Act to disclose consumer credit worthiness informationin circumstances where the disclosure is required or authorised by or under

law.) It includes both statute law and common law, and is not limited toCommonwealth law but extends to other Australian jurisdictions.

Background: This amendment was requested by members of the industry in

order to address the uncertainty surrounding the scope of paragraph 74, andin particular the jurisdictions to which it applies.

Investigation of Complaints [5350]

Paragraph 87A is added to the Explanatory Notes to reflect the full range of

circumstances in which the Privacy Commissioner may (under section 41 ofthe Act) decide not to investigate a complaint.

Background: This amendment was considered necessary because of concernthat the existing provisions in the Code gave the impression that there wereonly two grounds on which the Privacy Commissioner could decide not toinvestigate a complaint relating to a credit reporting dispute.

KEVIN O'CONNORPrivacy Commissioner

March 1995

1059 Release 5

ANNEXURE 4

10. PRIVACY

10.1 Card-issuers are to be guided by the following principles in respect of all EFTservices they offer and in respect of all accounts from which EFT transactions can bemade:

(i) customer records are to be treated in the strictest confidence;

no person other than an employee or agent of the financial institution whichmaintains the account, and the customer or any person authorised by the

customer is to have access through an electronic terminal to information

concerning the customer's account;

(iii) except where it is being operated by an employee or agent of the financial

institution concerned no electronic terminal is to be capable of providing any

information concerning a customer's account unless the request for

information is preceded by the entry of the correct card/PIN combination forthat account; and

except where it is provided pursuant to a legal duty or responsibility, no

information concerning the use of EFT services by a customer is to be

provided by any financial institution, except with the consent of that customer.

10.2 Where cameras may be used to monitor transactions card-issuers are to display ateach automatic teller machine terminal a sign indicating that transactions conducted atthe terminal may be photographed.

ANNEXURE 5

Canadian Standards CAN/CSA-0830-1995Association Mode l Code for the Protection of

Personal Information

Final DraftSeptember 1995 (Rev 95 09 20)Consists of 0 to 17

10 Canadian Standards Association - 1995All rights reserved . No part of this publication may be reproduced in any form, in anelectronic retrieval system or otherwise , without the prior permission of the publisher.

CANICSA-Q830 - September 1995 - Page 0

Model Code for the Protection of Personal Information

Contents

Technical Committee on Privacy ii

Preface 1

Introduction 2

Principles in Summary 3

1. Scope 5

2. Definitions 6

3. General Requirements 7

4. Principles 84.1 Accountability 84.2 Identifying Purposes 84.1 Consent 94 Limiting Collection 114.5 Limiting Use, Disclosure , and Retention 114.6 Accuracy 124.7 Safeguards 124.8 Openness 134.9 Individual Access 134.10 Challenging Compliance 14

Appendix A--Organization for Economic Co-operation and Development , Guidelines on theProtection of Privacy and Transborder Flows of Personal Data 16

September 1995

CANC,SA-0830

Technical Committee on Privacy

D. McKendry Price Waterhouse,Ottawa, Ontario

J. Savary York University.Toronto, OntarioRepresenting Consumers' Association ofCanada

N. Audesse Department of Finance, CanadaOttawa, Ontario

R. Binsell

C. Black

S. Blackwell

A. Cavoukian

P. Chaves

J. Clayton

A. Coles

K. Crow

Ministry of Consumer andCommercial Relations,Toronto, Ontario

Chair

Vice-Chair

Canadian Life & Health Insurance Association,Toronto, Ontario

Canadian Radio-Television andTelecommunications Commission,Hull, Quebec

Associate

Information and Privacy Commissioner / AssociateOntario, Toronto

Unitel Communications Inc.,Toronto, Ontario

Public Works and Government Services AssociateCanada,Hull, Quebec

AGT Limited,Edmonton, Alberta

Information Technology Associationof Canada,Mississauga . Ontario

ll September 1995

Model Code for the Protection of Persona! Information

D. Duncan information and Privacy Commissioner,Toronto, Ontario

Associate

B. Foran

M. Globensky

J. Gustavson

W. Hanrahan

G. Lavallee

P. Lawson

P. Leduc

i. Lightstone

S. Lingard

M. Long

C. Mondello

R. McGarry

0. McInnes

A. Neill

P. Peladeau

Office of the Privacy Commissioner ofCanada,Ottawa, Ontario

Equifax Canada Inc.,Ville d'Anjou, Quebec

Canadian Direct Marketing Association,Don,Mills, Ontario

CBEMA,Washington, D.C., USA

Cable Television Standards Foundation.Ottawa, Ontario

Public Interest Advocacy Centre,Ottawa, Ontario

industry Canada,Ottawa, Ontario

Thompson Lightstone & Co. Ltd.,Toronto, Ontario

Insurance Bureau of CanadaToronto, Ontario

Stentor Telecom Policy inc.,Ottawa, Ontario

Digital Equipment of Canada Ltd.,Nepean, Ontario

Canadian Labour Congress,Ottawa, Ontario

Canadian Bankers Association,Ottawa, Ontario

Department of Justice , Canada,Ottawa , Ontario

Societe Progestacces,Montreal , Quebec

Associate

Associate

Associate

Associate

September 1995 %1t

CAAIICSA-Q830

,S. Perrin

M. Plamondon

P. Racine

B. Robins

E. Rothberg

L Routledge

M.A. Stevens

F. Swedlove

J. Tobin

M. Vallee

K. Webb

D. Mathers

Industry Canada,Ottawa , Ontario

Service d 'Aide au Consommateur,Shawinigan , Quebec

Heritage Canada.Ottawa , Ontario

The Reader's Digest Association(Canada) Ltd..Westmount , Quebec

Associate

Life Underwriters Association of Canada, AssociateDon Mills , Ontario

Canadian Bankers Association,Toronto , Ontario

Treasury Board Secretariat,Ottawa , Ontario

Department of Finance , CanadaOttawa, Ontario

American Express Company,New York, New York, USA

Federation nationale des associationsde consommateurs du Quebec,Montreal, Quebec

Industry Canada,Ottawa , Ontario

Canadian Standards Association,Toronto , Ontario

Associate

Associate

Associate

Administrator

!V September 1995

Model Code for the Protection of Personal information .

Preface

This is the first edition of CSA Standard CAN/CAS 0830, Model Code for the Protection ofPersonal Information.

This Standard was prepared by the CSA Technical Committee on Privacy , under thejurisdiction of the CSA Steering Committee on Business Management Systems , and wasformally approved by the Technical Committee. It is going forward for approval by the CSASteering Committee and for approval as a National Standard of Canada by the StandardsCouncil of Canada.

Notes:(1) Use of the singular does not exclude the plural (and vice versa) when the sense allows.(2) Although the intended primary application of this Standard is stated in its Scope, it is important to note that itremains the responsibility of the users of the Standard to judge its suitability for their particular purpose.(3) This publication was developed by consensus, which is defined by the CSA Regulations Governing -Standardization as 'substantial agreement reached by concerned interests . Consensus includes an attempt toremove all objections and implies much more than the concept of a simple majority, but not necessarilyunanimity.' It is consistent with this definition that a member may be included in the Technical Committee fistan ^t not be in full agreement with all clauses of the publication.(4) .;SA Standards are subject to periodic review, and suggestions for their improvement will be referred to theappropriate committee.(5) All enquiries regarding this Standard including requests for the interpretation of the text in this Standard,should be addressed to Canadian Standards Association. Standards Development, 178 Rexdale Boulevard,Rexdale . Ontario M9W 1R3.

Requests for interpretation should(a) define the problem, making reference to the specific clause:(b) provide an explanation of circumstances surrounding the actual field conditions: and(c) be phrased where possible to permit a specific 'es' or 'no' answer.Interpretations are published in CSA's periodical Info Update. For subscription details , write to CSA Salespromotion , Info Update , at the address given above.

September 1995 1

CAN/CSA-0830

Introduction

Canada is part of a global economy based on the creation , processing , and exchange ofinformation . The technology underlying the information economy provides a number ofbenefits that improve the quality of our fives . This technology also gives rise to concernsabout the protection of privacy rights and the individual 's right to control the use andexchange of personal information . By implementing recognized fair-handling practices forpersonal information , organizations can materially demonstrate their commitment to theprotection of personal information . Organizations should balance their need for personalinformation with an individual 's desire for a certain measure of anonymity.

This document is a voluntary national standard for the protection of personal information.The Standard addresses two broad issues : the way organizations collect, use, disclose, andprotect personal information ; and the right of individuals to have access to personalinformation about themselves , and, if necessary , to have the information corrected. Teninterrelated principles form the basis of the Standard. Each principle is accompanied by acommentary that elaborates on the principle.

A workbook on the implementation df the principles is available to organizations intendingto adopt this Standard . Organizations will be able to tailor specific codes using the workbook as a guide.

This Standard will(a) provide principles for the management of personal information;(b) specify the minimum requirements for the adequate protection of personal informationheld by participating organizations;(c) make the Canadian public aware of how personal information should be protected; and(d) provide standards by which the international community can measure the protection ofpersonal information in Canada.

Canada committed itself to privacy protection in 1984 by signing the Organization forEconomic Co-operation and Development (OECD) Guidelines on the Protection of Privacyand Transborrier Flows of Personal Data. The OECD Guidelines (see Appendix A) wereused as the basis for the development of this Standard . The protection of personalinformation is increasingly important at the international level.

2 September 1995

Model. Code for the Protec4on of Personal Information

Principles in Summary

Ten interrelated principles form the basis of the CSA Model Code for the Protection ofPersonal Information . Each principle must be read in conjunction with the accompanyingcommentary.

1. AccountabilityAn organization is responsible for personal information under its control and shall designatean individual or individuals who are accountable for the organization 's compliance with thefollowing principles.

2. Identifying PurposesThe purposes for which personal information is collected shall be identified by theorganization at or before the time the information is collected.

3. Consent -It

The knowledge and consent of the individual are required for the collection, use, ordisclosure of personal information, except where inappropriate.

4. __imiting CollectionThe collection of personal information shall be limited to that which is necessary for thepurposes identified by the organization. Information shall be collected by fair and lawfulmeans.

5. Limiting Use , Disclosure , and RetentionPersonal information shall not be used or disclosed for purposes other than those for whichit was collected , except with the consent of the individual or as required by law . Personalinformation shall be retained only as long as necessary for the futfilment of those purposes.

6. AccuracyPersonal information shall be as accurate, complete , and up-to-date as is necessary for thepurposes for which it is to be used.

7. SafeguardsPersonal information shall be protected by security safeguards appropriate to the sensitivityof *he information.

8. OpennessAn organization shall make readily available to individuals specific information about itspolicies and practices relating to the management of personal information.

9. Individual AccessUpon request , an individual shall be informed of the existence . use, and disclosure of his orher personal information , and shall be given access to that information . An individual shallbe able to challenge the accuracy and completeness of the information and have itamended as appropriate.

September 1995 3

C4NICSA-0830

10. Challenging Compliance -- -An individual shall be able to address a challenge concerning compliance with the aboveprinciples to the designated individual or individuals accountable for the organization'scompliance. -

4 September 1995

Model Code for the Pmteron of Personal information

CAN/CSA-Q830Model Code for the Protection of Personal Information

1. Scope

1.1 - - - --- - --l Imodel code describes the minimum requirements for the protection of personal

information . Any applicable legislation must be considered in implementing theserequirements.

1.2This Standard may be applied to all personal information . Provided the minimumrequirements are met , organizations may tailor this Standard to meet their specificcircumstances . For example , policies and practices may vary , depending upon whether thepersonal information relates to members , employees , customers , or other individuals.

1.3The objective of this Standard. is to assist organ izations in developing and implementingpd=-ties and practices to be used when managing personal information.

September 1995 5

CAN/CSA-0830

2. Definitions

2.1The following definitions apply in this Standard:

"Collection"-the act of gathering , acquiring , or obtaining personal information from anysource , including third parties , by any means.

"Consent"--voluntary agreement with what is being done or proposed. Consent can beeither express or implied., Express consent is given explicitly , either orally or in writing.Express consent is unequivocal and does not require any inference on the part of theorganization seeking consent. Implied consent arises where consent may reasonably beinferred from the action or inaction of the individual.

"Disclosure"-making personal information available to others outside the organization.

"Organization"--a term used in'the model code that includes associations, businesses,charitable organizations , dubs, government bodies , institutions , professional practices andunions.

"Personal information"--information about an identifiable individual that is recorded in anyform.

"Use"-refers to the treatment and handling of personal information within an organization.

6 September 1995

Model Code for the Protection of Personal tnformadon

3. General Requirements

3.1The ten principles that make up this Standard are interrelated. Organizations adopting thisStandard shall adhere to the ten principles as a whole.

3.1.1 -Organizations may tailor this Standard to meet their particular circumstances by(a) defining how they subscribe to the ten principles;(b) developing an organization -specific code; and(c) modifying the commentary to provide organization-specific examples.

3.1.2Each of the principles is followed by a commentary on the principle. The commentaries areintended to help individuals and organizations understand the significance and theimplications of the principles. Where there is also a "NOTE" following a principle (seeprinciples 3 and 9). it forms an integral part of the principle.

3.1.3Although the following clauses use prescriptive language ate, the words "shall" or "must").th, iocument is a voluntary standard . Should an organization choose to adopt theprinciples and general practices contained in this Standard , the clauses containingprescriptive language become requirements. The use of the word "should" indicates arecommendation.

September 1995 7

CANJCSA-0830

4. Principles

4.1 Principle 1-AccountabilityAn organaation is responsible for personal islbrmation under its control and shall designate an individual orindividuals who are accountable for the organization 's coa p6ence with the hollowing pnncip1es.

4.1.1Accountability for the organization's compliance with the principles rests with the designatedindividual(s), even though other individuals within the organization may be responsible forthe day-to-day collection and processing of personal information. In addition, otherindividuals within the organization may be delegated to act on behalf of the designatedindividual(s).

4.1.2The identity of the individual(s) designated by the organization to oversee the organization'scompliance with the principles shall be made known upon request.

4.1.3An organization is responsible for personal information in its possession or custody,including information that has been transferred to a third party for processing. Theorganization should use contractual or other means to provide a comparable level ofprotection while the information is being processed by a third party.

4.1.4Organizations shall implement policies and practices to give effect to the principles,including:(a) implementing procedures to protect personal information:(b) establishing procedures to receive and respond to complaints and inquiries;(c) training staff and communicating to staff information about the organization's policiesand practices; and(d) developing information to explain the organization's policies and procedures.

4.2 Principle 2--identifying PurposesThe purposes for which personal information is collected shall be identified by the organization at or before the

time the information is collected.

4.2.1The organization shall document the purposes for which personal information is collected inorder to comply with the Openness principle (Clause 4.8) and the Individual Accessprinciple (Clause 4.9).

4.2.2Identifying the purposes for which personal information is being collected at or before thetime of collection allows organizations to determine the information they need to collect tofulfil these purposes. The Limiting Collection principle (Clause 4.4) requires an organizationto collect only that information necessary for the purposes that have been identified.

8 September 1995


4.2.3The identified purposes should be specified at or before the time of collection to theindividual from whom the personal information is being collected . Depending upon the wayin which the information is collected , this can be done orally or in writing . An applicationform, for example , may give notice of the purposes.

4.2.4When personal information that has been collected is to be used for a purpose notpreviously identified, the new purpose shall be identified prior to use. Unless the newpurpose is required by law, the consent of the individual is required before information canbe used for that purpose . For an elaboration on consent, please refer to the Consentprinciple (Clause 4.3).

4.2.5Persons collecting personal information should be able to explain to individuals thepurposes for which the information is being collected.

4.2.6This principle is linked closely , to the Limiting Collection principle (Clause 4.4) and theLimiting Use. Disclosure , and Retention principle (Clause 4.5).

4.3 Principle 3-ConsentThe knowledge and consent of the individual am required for the cofiecticn use, or drsabsute of personalinfomlation, except where inappropriate.Note : In certain a cumstances personal information can be collected, used. or disclosed without the knowledgeand consent of the individual. For example, legal, medical, or security masons may make it impossible orimpractical to seek consent When intonation is being collected for the detection and prevention of fraud or forlaw enforcement seeking the consent of the individual might defeat the purpose of collecting the information.Seeking consent may be knpossible or inappropriate when the individual is a minor, seriously dl. or mentallyincapacitated in addition, organizations that do not have a direct m/ationship with the individual may not alwaysbe able to seek consent For example, seeking consent may be immpractical for a charity or a direct-marketingfirm that wishes to acquire a mailing fist 1lmm another organization . in such cases, the organization providing thefist would be expected to obtain consent before disclosing personal information.

4.3.1Consent is required for the collection of personal information and the subsequent use ordisclosure of this information . Typically , an organization will seek consent for the use ordisclosure of the information at the time of collection . In certain circumstances , consent withresoect to use or disclosure may be sought after the information has been collected butb re use (for example , when an organization wants to use information for a purpose notpreviously identified).

4.3.2The principle requires "knowledge and consent ". Organizations shall make a reasonableeffort to ensure that the individual is advised of the purposes for which the information willbe used . To make the consent meaningful , the purposes must be stated in such a mannerthat the individual can reasonably understand how the information will be used or disclosed.

September 1995 9

CA WCSA-0830

4.3.3An organization may not as a condition of the supply of a product or service , require anindividual to consent to the collection , use, or disclosure of information beyond that requiredto fulfil the explicitly specified , and legitimate purposes.

4.3.4The form of the consent sought by the organization may vary, depending upon thecircumstances and the type of information. In determining the form of consent to use,organizations shall take into account the sensitivity of the information. Although someinformation (for example , medical records and income records) is almost always consideredto be sensitive, any information can be sensitive , depending on the context. For example,the names and addresses of subscribers to a newsmagazine would generally not beconsidered sensitive information . However. the names and addresses of subscribers tosome special-interest magazines might be considered sensitive.

4.3.5In obtaining consent , the reasonable expectations of the individual are also relevant. Forexample . an individual buying a subscription to a magazine should reasonably expect thatthe organization , in addition to using the individual 's name and address for mailing andbilling purposes , would also contact the person to solicit the renewal of the subscription. Inthis case , the organization can assume that the individual's request constitutes consent forspecific purposes . On the other hand , an individual would not reasonably expect thatpersonal information given to a health-care professional would be given to a companyselling health-care products , unless consent was obtained . Consent shall not be obtainedthrough deception.

4.3.6The way in which an organization seeks consent may vary , depending on the circumstancesand the type of information collected . An organization should generally seek expressconsent when the information is likely to be considered sensitive. Implied consent wouldgenerally be appropriate when the information is less sensitive . Consent can also be givenby an authorized representative (such as a legal guardian or a person having power ofattorney).

4.3.7Individuals can give consent in many ways . For example:(a) an application form may be used to seek consent , collect information, and inform theindividual of the use that will be made of the information . By completing and signing theform, the individual is giving consent to the collection and the specified uses;(b) a checkoff box may be used to allow individuals to request that their names andaddresses not be given to other organizations . Individuals who do not check the box areassumed to consent to the transfer of this information to third parties;(c) consent may be given orally when information is collected over the telephone;or(d) consent may be given at the time that they use a product or service.

1 0 September 1995


4.3.8An individual may withdraw consent at any time , subject to legal or contractual restrictionsand reasonable notice. The organization should inform the individual of the implications ofsuch withdrawal.

4.4 Principle 4-limiting CollectionThe collection of personal inlbnnation shaft be knifed to that which is necessary for the purposes identified bythe organization . fnformation shall be collected by fair and lawful means.

4.4.1Organizations shall not collect personal information indiscriminately. Both the amount andthe type of information collected shall be limited to that which is necessary to fulfil thepurposes identified. Organizations should specify the .type of information collected as partof their information-handling policies and practices, in accordance with the opennessprinciple (Clause 4.8).

4.4.2The requirement that personal information be collected by fair and lawful means is intendedto prevent organizations from collecting information by misleading or deceiving individualsabout the purpose for which information is being collected. This requirement implies that

sent with respect to collection must not be obtained through deception.

4.4.3This principle is linked closely to the Identifying Purposes principle (Clause 4.2) and theConsent principle (Clause 4.3).

4.5 Principle 5-limiting Use, Disclosure, and RetentionPersonal information shaft not be used or disclosed 1br purposes other than those for which it was collected.except with the consent of the individual or as required by law. Personal information shall be retained only aslong as necessary for the fulfilment of those purposes.

4.5.1Organizations using personal information for a new purpose shall document this purpose(see Clause 4.2.1).

4.5.2Organizations should develop guidelines and implement procedures with respect to theretention of personal information. These guidelines should include minimum and maximumr ration periods. Personal information that has been used to make a decision about anindividual shall be retained long enough to allow the individual access to the informationafter the decision has been made. An organization may be subject to legislativerequirements with respect to retention periods.

4.5.3Personal information that is no longer required to fulfil the identified purposes should bedestroyed, erased, or made anonymous. Organizations should develop guidelines andimplement procedures to govern the destruction of personal information.

4.5.4This principle is closely linked to the Consent principle (Clause 4.3), the IdentifyingPurposes principle (Clause 4.2), and the Individual Access principle (Clause 4.9).

September 1995 11

C4N CSA-Qa30

4.6 Principle 6-AccuracyPersonal information shad be as ac=ate, carrrplete, and up-o-date as is necessary for the purposes ibr wtticn itis to be used.

4.6.1The extent to which personal information shall be accurate . complete , and up-to-date willdepend upon the use of the information , taking into account the interests of the individual.Information shall be sufficiently accurate , complete , and up-to-date to minimize thepossibility that inappropriate information may be used to make a decision about theindividual.

4.6.2An organization should not routinely update personal information , unless such a process isnecessary to fulfil the purposes for which the information was collected.

4.6.3Personal information that is used .on an on-going basis, including information that isdisclosed to third parties, should generally be accurate and up-o-date unless limits to therequirement for accuracy are dearly set out.

4.7 Principle 7-SafeguardsPersonal information shall be protected by security safeguanis appropriate to the sensitivity of the intbmration.

4.7.1The security safeguards shall protect personal information against loss or theft, as well asunauthorized access , disclosure, copying , use, or modification. Organizations shall protectpersonal information regardless of the format in which it is held.

4.7.2The nature of the safeguards will vary depending on the sensitivity of the information thathas been collected , the amount , distribution and format of the information and the method ofstorage. More sensitive information should be safeguarded by a higher level of protection.The concept of sensitivity is discussed in Clause 4.3.4.

4.7.3The methods of protection should include(a) physical measures , for example, locked filing cabinets and restricted access to offices;(b) organizational measures , for example , security clearances and limiting access on a"need-to-know" basis; and(c) technological measures, for example , the use of passwords and encryption.

4.7.4Organizations shall make their employees aware of the importance of maintaining theconfidentiality of personal information.

4.7.5Care shall be used in the disposal or destruction of personal information , to preventunauthorized parties from gaining access to the information (see Clause 4.5.3).

12 September 1995


4.8 Principle 8-OpennessAn organization shall make madly avalable to rtdividuals specific information about its policies and practicesrelating to the management of personal irnfonnation.

4.8.1Organizations shall be open about their policies and practices with respect to themanagement of personal information . Individuals should be able to acquire informationabout an organization 's policies and practices without unreasonable effort. This informationshall be made available in a form that is generally understandable.

4.8.2The information made available shall include(a) the namettitle and address of the person who is accountable for the organization'spolicies and practices and to whom complaints or inquiries can be forwarded;(b) the means of gaining access to personal information held by the organization:(c) a description of the type of personal information held by the organization, including ageneral account of its use;(d) a copy of any brochures or other information that explains the organization 's policies,standards , or codes; and(e) what personal information is made available to related organizations (eg subsidiaries).

4.8.3An organization may make information on its policies and practices available in a variety ofways . The method chosen depends on the nature of its business and other considerations.For example , an organization may choose to make brochures available in its place ofbusiness , mail information to its customers , provide on-line access , or establish a toll-freetelephone number.

4.9 Principle 9-Individual AccessUpon request. an individual shag be n ormed of the existence. use, and disclosure of his or her personalinformation and shall be given access to that information . An individual shag be able to challenge the accuracyand completeness of the information and have it amended as appropriate.Note : In certain situations, an organization may not be able to provide access to of the personal information itholds about an individual. Exceptions to the access requirement should be limited and specific. The reasons fordenying access should be provided to the individual upon request. Exceptions may include information that isprohibitively costly to provide , information that contains references to other individuals , information that cannotbe disclosed for legal, security, or commercial proprietary reasons, and information that is subject to solicitor-client or litigation privilege.

4. .Upon request, an organization shall inform an individual whether or not the organizationholds personal information about the individual . Organizations are encouraged to indicatethe source of this information . The organization shall allow the individual access to thisinformation . However, the organization may choose to make sensitive medical informationavailable through a medical practitioner. In addition, the organization should provide anaccount of the use that has been made or is being made of this information and an accountof the third parties to which it has been disclosed.

September 1995 13

CAN/CSA-0830

4.9.2An individual may be required to provide sufficient information to permit an organization toprovide an account of the existence , use, and disclosure of personal information. Theinformation provided shall only be used for this purpose.

4.9.3In providing an account of third parties to which it has disclosed personal information aboutan individual, an organization should attempt to be as specific as possible . When it is notpossible to provide a list of the organizations to which it has actually disclosed informationabout an individual, the organization should provide a list of organizations to which it mayhave disclosed information about the individual.

4.9.4An organization shall respond to an individual 's request within a reasonable time and atminimal or no cost to the individual. The requested information shall be provided or madeavailable in a form that is generally understandable. For example , if the organization usesabbreviations or codes to record information , an explanation shall be provided.

4.9.5When an individual successfully demonstrates the inaccuracy or incompleteness of personalinformation , the organization shall amend the information as required . Depending upon thenature of the information challenged, amendment involves the correction, deletion, oraddition of information . Where appropriate , the amended information shall be transmitted tothird parties having access to the information in question.

4.9.6When a challenge is not resolved to the satisfaction of the individual, the substance of theunresolved challenge should be recorded by the organization. When appropriate, theexistence of the unresolved challenge should be transmitted to third parties having accessto the information in question.

4.10 Principle 10-Challenging ComplianceAn individual shall be able to address a challenge concerning compliance with the above principles to thedesignated individual or individuals accountable for the organization 's compliance.

4.10.1The individual accountable for an organization 's compliance is discussed in Clause 4.1.1.

4.10.2Organizations shall put procedures in place to receive and respond to complaints orinquiries about their policies and practices relating to the handling of personal information.The complaint process should be easily accessible and simple to use.

4.10.3Organizations shall inform individuals who make inquiries or lodge complaints of theexistence of relevant complaint mechanisms . A range of these mechanisms may exist. Forexample, some regulatory bodies accept complaints about the personal-information handlingpractices of the companies they regulate.

r

14 September 1995

Model Code for the Protecton of Personal Information

'4::0.4An organization shall investigate all complaints . If a complaint is found to be justifiedthrough either the internal or external complaint review process , the organization shall takeappropriate measures , including , if necessary . amending its policies and practices.

September 1995 15

C 4N CSA-0830

Appendix AOrganization for Economic Co-operation and Development , Guidelines on the Protection ofPrivacy and Transborder Flows of Personal Data

Note : Canada adhered to these Guidelines in 1984. They weste used as the basis for the development of theCSA Model Code for the Protection of Persona/ tnforma5on.

Collection Limitation PrincipleThere should be limits to the collection of personal data and any such data should beobtained by lawful and fair means and, where appropriate, with the knowledge or consent ofthe data subject.

Data Quality PrinciplePersonal data should be relevant to the purposes for which they are to be used , and, to theextent necessary for those purposes , should be accurate, complete and kept up-to-date.

Purpose Specification PrincipleThe purpose for which personal data are collected should be specified not later than at thetime of data collection and the subsequent use limited to the fulfilment of those purposes orsuch others as are not incompatible with those purposes and as are specified on eachoccasion of change of purpose.

Use Limitation PrinciplePersonal data should not be disclosed, made available or otherwise used for purposes otherthan those specified in accordance with Paragraph 9 (Purpose Specification Principle)except:(a) with the consent of the data subject; or(b) by the authority of law.

Security Safeguards PrinciplePersonal data should be protected by reasonable security safeguards against such risks asloss or unauthorized access, destruction, use, modification or disclosure of data.

Openness PrincipleThere should be a general policy of openness about developments, practices and policieswith respect to personal data. Means should be readily available of establishing theexistence and nature of personal data, and the main purposes of their use, as well as theidentity and usual residence of the data controller.

Individual Participation PrincipleAn individual should have the right:(a) to obtain from a data controller, or otherwise, confirmation of whether or not the datacontroller has data relating to him;(b) to have communicated to him, data relating to him

(i) within a reasonable time;(ii) at a charge , if any , that is not excessive;(iii) in a reasonable manner, and(iv) in a form that is readily intelligible to him;

(c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, andto be able to challenge such denial; and

16 September 1995

a / .Model Code for the Protection of Personal Information

(d) to challenge data relating to him and , if the challenge is successful , to have the dataerased , rectified , completed or amended.

Accountability PrincipleA data controller should be accountable for complying with measures which give effect tothe principles stated above.

September 1995 17

ANNEXURE 6

FINANCIAL SYSTEM INQUIRY

FINANCIAL

SYSTEM

INQUIRY

FINAL

REPORT

Chapter 11 : Promoting Increased Efficiency

reducing business costs would also reduce publicly available information on

SMEs. The ASC has scaled back the financial information collected from most

SMEs following recommendations made by the Corporations Law

Simplification Task Force. On the other hand, the Australian Bureau of

Statistics recently expanded its SME statistical collections.37

Recommendation 98: Data collection on SMEs should considerthe needs of rating agencies and fund managers.

The CFSC and Australian Bureau of Statistics should take into account the

specific requirements of credit rating agencies and fund managers when

reviewing SME data collection.

11.6.2 Balancing Privacy Considerations

The collection, storage, retrieval and use of data electronically will increase as

technologies such as electronic commerce, stored value cards and the

Internet generate information about individuals. This information may have

a significant commercial value for businesses seeking to tailor their products

and services or marketing activities to a relevant sector of the Collllllllnity,

and hence also for consumers of these services. Developments in data alining

techniques are enabling more cost-effective access to such information for

purposes such as direct marketing and credit risk analyses.

The public's concerns about privacy, and privacy laws, may restrict

businesses' ability to use such information for commercial purposes. While

the giving of personal details is a part of everyday life, confidentiality-of such

information is an important social issue. Polls on privacy conducted by the

Privacy Commissioner in Australia between 1990 and 1994 show that

individuals are placing increasing importance on maintaining the

confidentiality of their personal information.38

37 The first results from a joint ABS/Productivity Commission longitudinal survey of small

business performance were published in September 1996, ABS Cat. no. 8141.0.

38 Privacy Commissioner 1995, pp. 7-8.

The Privacy Act 1988 is the primary legislation for the protection of the

privacy of individuals. Its scope is limited to the information handling

practices of Commonwealth and ACT government agencies, those who use

and hold tax file numbers, and credit providers and credit reporting

agencies. While there is currently no general application of the Act to the

private sector, the Commonwealth is working in consultation with the States

and Territories to extend the privacy regime more broadly.

The Privacy Act is based on the Information Privacy Principles, which

encompass internationally recognised tenets of privacy protection. These

include the principles that personal information may be used only for the

purpose for which the information was collected ( Principle 9 ) and that an

information keeper may not disclose information relating to an individual

unless the individual concerned has consented to the disclosure

(Principle M.

Such restrictions do, or could increasingly, affect financial institutions' ability

to exploit the benefits of improved information about their customers to

provide financial services more efficiently. The general issue in this area is

how to strike an appropriate balance between the valuable use by the finance

sector of information against individuals ' desire for privacy. More specific

issues are:

whether world class systems to assess consumer credit risk may be

introduced without compromising fundamental privacy principles;

and

under what conditions information sharing among groups within a

conglomerate should be permitted.

Positive Credit Reporting

Currently, credit reporting is restricted to negative reporting relating to

delinquencies. The Privacy Act prevents banks from reporting good credit

behaviour ('positive credit reporting') to credit reference agencies. There is a

delay in obtaining information on delinquencies as negative credit reporting

provides information on credit which is already more than 90 days in arrears.

The absence of positive credit reporting may deny access to finance to

customers who should obtain it.


Positive credit reporting is widely used in the United States and Canada and

is being used increasingly in several European countries. This practice may

contribute to greater competition by enabling consumers with a good record

of meeting their commitments to obtain finance more readily from

institutions with which they do not have an existing banking relationship.

Enabling institutions to assess credit risk more accurately, may reduce the

number of consumers defaulting and reduce interest rates.39

to

IL

fic

be

s.

Information on how positive credit information contributes to credit risk

assessment is limited. American research suggests that positive credit

reporting may make it possible to identify the lower risk customers within

the group who have a negative credit history, thus enabling lenders to

expand the availability of credit to this previously underserviced group.4°

However, positive credit reporting raises privacy concerns. A study by

MasterCard International showed that people were generally most

concerned if organisations had access to information relating to their

finances, particularly information about everyday banking transactions and

major financial transactions.41

As acknowledged by the Privacy Commissioner, the right to privacy is not

absolute as there are other interests that need to be balanced against the

claim to privacy. The question is therefore whether the benefits of positive

credit reporting in terms of efficiency outweigh the costs in terms of privacy.

Parliament decided this issue when it passed the credit reporting

amendments to the Privacy Act in 1990. To alter this arrangement would be

to change the level of information collected on the financial status of

consumers as the credit reporting agency would effectively become a central

clearing house of information about the current financial commitments of all

Australians. The main concern is about the relevance and necessity of this

kind of detailed information being centrally held and reported on. According

to the Privacy Commissioner, the collection of financial profiles of customers

`opens up the potential for a wider range of judgments to be made about a

39 Information assembled by the Credit Reference Association provides some support for the

Association ' s assertion that positive credit reporting could reduce interest rates forconsumer lending by one percentage point.

40 Credit Reference Association of Australia, Supplementary Submission No. 42, p. 3.41 MasterCard International 1996, p. 11. After finances, most concerns related to access to

information on medical history and home address.

Part 2: Key Issues in Regulatory Reform

person's character, history and interests as well as their assets and personal

wealth'.42

The Inquiry was not in a position to assess whether the benefits of positive

credit reporting outweighed the costs, but considers the potential benefits

warrant a complete review of the issue.

Recommendation 99: A working party on positive creditreporting should be established.

The Attorney-General should establish a working party, comprising

representatives of consumer groups, privacy advocates, the financial services

industry and credit reference associations to review the existing credit

provisions of the Priu'ucil Act 7988. The purpose of this review should be to

identify specific restrictions which prevent the adoption of world best

practice techniques for credit assessment, and evaluate the economic loss

associated with these restrictions against the extent to which privacy is

impaired by their removal.

Information Sharing

Financial institutions are increasingly expanding the range of financial

products and services they offer their customers. More and more financial

institutions are becoming financial conglomerates which can offer the

customer banking services, insurance, investment services and advice,

finance or treasury services for business and personal requirements,

superannuation, and stockbroking. In many cases, regulation dictates that

the businesses offering those products to the same individual need to do so

through different corporate entities.

The common law duty of confidentiality prevents entities within a

company's group from sharing information about an individual unless the

individual has provided consent. Even without this duty, the privacy

principles would be likely to prohibit information sharing.

42 Privacy Commissioner, Supplementary Submission No. 85, p. 3.

Chapter 11: Promoting Increased Efficiency

The limitation on information sharing depends on the interpretation of the

word `consent', in particular whether it refers to:

positive consent-where the customer must take some action or

opt in to indicate consent; and

negative or implied consent -where the customer must take some

action to indicate refusal of consent.

The constraints of the obligation of confidentiality on each individual

corporate entity may cause difficulties and additional costs and

inconvenience to the customer and the institution. It is inefficient both for the

customer and for the group if the same information must be collected by

each entity. This process prevents customers from having a single

relationship manager within a group handling all their dealings.

A legislative requirement that each entity separately secure the customer's

positive consent to use personal information to complete the transaction

would be quite restrictive. Advice from ANZ indicates that it is difficult

and/or very costly to induce customers to take an action, such as to complete

a survey, in response to a request.43 This suggests that many individuals

who would not have any objection to, and indeed would benefit from, the

sharing of information within the group may not opt in merely because of

complacency.

It would be impractical for financial service providers to attempt to collect

positive consent in relation to many transactions which are instigated over

the phone, often at short notice. Limitations on the sharing of information

within a group may constrain the development and take up of more efficient

delivery channels. It is claimed that operating efficiencies through

centralisation of services are also constrained without exchanges of customer

information.

The Inquiry recognises the privacy concerns raised by the use of information.

On balance, it considers there would be merit in allowing negative consent

arrangements to be used to satisfy the requirement that customers' consent

be obtained.

43 ANZ 1996.

...521

I

Part 2: Key Issues in Regulatory Reform

Recommendation 100: Information sharing among group entitiesshould be allozved unless the customer withdraws consent.

Extension of the privacy regime and future codes of conduct should

specifically allow the sharing of information among entities within a group

unless the customer has taken some action to indicate refusal of consent.

The opportunity to exercise a right of refusal must be easily and readily

available to consumers.

Form of Privacy Laws

The Inquiry does not intend to make detailed recommendations on the

nature of specific rules in this area. Processes are currently examining this

issue in detail, and recommendations will be made to the Attorney-General

on regulatory changes in this area. However, given that any changes to

privacy laws could have a major effect on the efficiency of the financial

system, the Inquiry had an interest in this matter. A number of principles

should be considered in extending the privacy regime.

Privacy codes should be developed to apply to all those who supply financial

services (ie on a functional basis rather than an institutional basis, given the

trend towards non-financial institutions providing financial services).

Businesses continually develop uses for information which will enable them

to better serve customers' needs, with the objective of retaining customers

and making them increasingly valuable to the business. It would assist if the

information could be collected for more than one purpose. Privacy legislation

should allow general description of purpose.

One consequence of the extension of the privacy regime would be that

customers would be entitled to access personal financial information held by

institutions . Significant changes will be required to financial institutions'

systems and business processes for this information to be efficiently

retrieved. Therefore it is important that adequate time be allowed in which to

implement system and process changes which are necessary for efficient

compliance with any privacy legislation.

t_.:ies

le

'1&is

leral

s :o

lcial

F's

t 2

e..,

ers

I

on

at

ly

it


The European regime recognised practical difficulties in implementation of

the European Directives and allowed 12 years for the implementation of the

articles relating to quality and processing of data with respect to information

maintained in manual filing systems.

It is also vital that any extensions to privacy laws apply only at a national

level. Considerable additional costs and inefficiencies could be imposed on

the financial system if the States and Territories took uncoordinated action in

this field.

The Inquiry considered the question of which agency should administer the

privacy regime in relation to the financial sector - the universal regulator

(ie the Privacy Commissioner) or the agency responsible for consumer

protection in the financial system.

The financial system consumer regulator would bring to bear greater

expertise and understanding of the financial system in applying the privacy

principles. This option would also reduce the number of regulators with

responsibility in the financial system, and hence reduce the scope for

inconsistent approaches to drive up costs of compliance.

Against these considerations, regulation by the Privacy Commissioner

would:

enable an economy wide perspective to be brought to bear in

applying privacy principles, thereby minimising the danger of

regulatory capture;

ensure a level playing field in enforcement and protection was

maintained across all sectors of the economy; and

avoid the problem that with the convergence of financial and

non-financial sectors, possible breaches of privacy regulations may

fall between financial and non-financial aspects.

On balance, the Inquiry supports the administration of privacy laws in the

financial system by the Privacy Commissioner rather than by the financial

system consumer regulator.

ANNEXURE 7

Privacy protection in Australia

Background information from the Federal Privacy Commissioner

April 1997

The Federal Government recently announced that it does not intend to introduce laws to protect theprivacy of personal information held by businesses about their customers and employees. Currentlegislation only protects personal information held by the Federal and ACT Governments, and creditreporting and tax file number information.

I and others who have called for wider coverage for privacy laws have done so for a variety of reasons,and over the last few years a significant consensus has emerged about the desirability of protecting theprivacy of personal information, wherever it is held.

Consumers want to know how the information they give to business will be used, and want to beconfident that their information will be protected against misuse. Businesses want to build loyalty andtrust with their customers by assuring them that their information will be protected; and to be certain thattheir competitors will not either undermine the image of their industry, or put them at a commercialdisadvantage, by misusing personal information. Other businesses want to be able to exchange personalinformation with Europe, New Zealand, Hong Kong and other countries that have laws in place toprotect customer and employee privacy. Businesses wanting to encourage their customers to use rapidlyexpanding new technologies, such as electronic commerce, also want to assure them that their privacywill not be eroded.

To date my office has devoted considerable effort to assisting those business and industry sectors whichhave taken steps to introduce good privacy practices on a voluntary basis. There have been somesuccesses, which I would like to build on. While there are concerns about compliance costs for business,I would like to explore this issue further. There are already companies implementing good privacypractices, both here and overseas, for whom benefits are seen to outweigh any costs incurred.

However, there have been cases in which the results have fallen short of the standards which individualsshould be able to expect. The process has been piecemeal, slow, and resource-intensive, as for each casethere is a need to identify appropriate standards, training requirements and dispute resolutionmechanisms. Concerns also remain about industry-wide compliance with a voluntary code.

My office has, for some years, argued that uniform national privacy legislation is the best way toimplement a scheme of privacy protection which will meet the needs of both business and consumers,and it remains my view that a legislatively based `co-regulatory' approach would best achieve this result.I believe it should be possible to devise a statutory regime which is neither onerous nor costly forbusiness

In the meantime, the most constructive way forward is to work with business and others in thecommunity. I am confident we could develop a voluntary scheme which both achieves adequate privacystandards and minimises red tape for business. We will be reliant on goodwill on all sides to achievethis. While the scheme would be developed for voluntary application and self regulation in the firstinstance, it must, in my view, be of a standard equivalent to international best practice (including beingable to meet the terms of the European Union's Directive), and be able to be given statutory effect if,and when, any of the Australian legislatures decide to pursue this route. This approach would also ensurea level of national consistency which has been requested by business and which is clearly desirable forconsumers.

As a starting point for the development of a voluntary scheme, I want to initiate a range of meetings withboth business and consumer groups. I have in mind to use as the basis for the discussions a set ofprinciples such as those outlined in the National Standard of Canada entitled "Model Code for the

Privacy protection - Background information, 1 April 1997

Protection of Personal Information". This code, issued by the Canadian Standards Association in Marchlast year, is a consensus document developed with the involvement of business groups, community andconsumer groups and government agencies . The Canadian Federal government has subsequentlyproposed that the model code form the basis of a statutory regime. The Canadian Code has also beensuggested as the basis for an international standard.

Why do we want privacy protection in Australia - What are we trying to achieve?

In the information age, we find that we have less and less control over what others know about us -particularly large businesses and bureaucracies that often see us as units rather than as individuals. Moreand more personal information is available, and its value, for both commercial and public interestpurposes, is increasingly recognised. Advances in new technology are making it possible to aggregatedata about individuals in ways that have never before been possible. For example, smart cards can beused to track the spending patterns of consumers. It is clear that many people are concerned about theimplications of this trend for their personal privacy, and want reassurance that adequate protections arein place.

Protecting privacy is more than guaranteeing confidentiality. The aim of privacy protection in Australiashould be to ensure that individuals are informed about what is happening to their information, and areable to participate in decisions about what is collected, who collects it, and why. For Australians to becertain that their privacy is protected , all government agencies , private businesses , non governmentorganisations, community groups and other organisations which handle personal information need to doso fairly and responsibly.

Allowing for some exceptions where there are legitimate business and public interests at issue, fair andresponsible handling of personal information means:

• Collecting only information necessary for specified purposes;• Informing people about why their personal information is being collected and what it is to be used

for;• Allowing people to access information about them which has been collected, and to correct it if it

is inaccurate or out-of-date;• Making sure that the information is securely held and cannot be tampered with, stolen or

improperly used; and• Limiting the use and disclosure of personal information for other purposes without the consent of

the person affected.

It is also important that people whose information is not handled responsibly can do something about it.To earn the confidence of all those affected by a voluntary scheme it will need to be perceived asproviding a workable mechanism for ensuring compliance with the standards it sets out, and forresolution of complaints. Exactly how this is to be achieved will, of course, be a matter for consultationwith both business and industry groups, and consumer organisations.

The way ahead now is to begin these consultations as soon as possible, and seek to provide adequatelevels of privacy protection with minimal red tape.

April 1997

Moira ScollayPrivacy Commissioner02 9284 9610

Privacy protection - Background in rmation, 2 April 1997

PRIVACY INQUIRY - Queensland Parliament

Documents

Transcript of PRIVACY INQUIRY - Queensland Parliament