Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
 Download Current HansardDownload Current Hansard    View Or Save XMLView/Save XML

Previous Fragment    Next Fragment
Tuesday, 28 November 2000
Page: 19916

Senator IAN CAMPBELL (Parliamentary Secretary to the Minister for Communications, Information Technology and the Arts) (3:48 PM) —I table a revised explanatory memorandum relating to the bill and move:

That this bill be now read a second time.

I seek leave to have the second reading speech incorporated in Hansard.

Leave granted.

The speech read as follows


The Privacy Amendment (Private Sector) Bill is the most significant development in the area of privacy law in Australia since the passage of the Privacy Act in 1988.

Based on industry benchmarks—and over twelve months of intensive consultation with Australian business, consumers and privacy advocates—the Bill establishes national standards for the handling of personal information by the private sector.

For the first time, Australians can be confident that information held about them by private sector organisations will be stored, used and disclosed in a fair and appropriate way.

For the first time, Australians will have a right to gain access to that information and a right to correct it if it is wrong.

This Bill is about confidence building.

It is about giving consumers confidence in Australian business practices.

It is about giving business confidence in a more level playing field.

It is about giving the international community confidence that personal information sent to Australia will be stored safely and handled properly.

While some businesses in Australia are leading the way by putting in place codes of practice which commit them to handling personal information in a fair and responsible way, these good business practices are not consistent. The Privacy Amendment (Private Sector) Bill, with its co-regulatory approach, provides a national, consistent and clear set of standards to encourage and support good privacy practices.

Electronic Commerce

The Bill is one element of the Government's strategy to ensure that full advantage is taken of the opportunities presented by electronic commerce and the information economy for Australian business and Australian consumers.

While more and more people are recognising the advantages of using information technology, it is also clear that they are increasingly concerned about privacy issues.

This concern, if not addressed, has the potential to significantly influence consumer choices about whether or not to participate in electronic commerce.

The Bill provides a framework within which Australian business will be able to address these concerns effectively and efficiently.

There is no doubt in my mind that businesses that demonstrate a commitment to protecting the privacy of their customers will gain a competitive advantage.

Addressing privacy concerns is clearly smart business.

International Framework

It is smart business domestically but it is also smart business internationally.

Increasingly, important trading partners are requiring an assurance that information will be given appropriate protection.

This Bill will ensure that Australia is in a position to meet international obligations and concerns and that we are not disadvantaged in the global information market.

The Bill draws on the 1980 OECD Guidelines for the Protection of Privacy and Transborder Flows of Personal Data, which represent a consensus among our major trading partners on the basic principles that ought to be built into privacy regulation.

It will also implement certain obligations under Article 17 of the International Covenant on Civil and Political Rights.

The Bill is intended to facilitate trade in information between Australian and foreign organisations.

Without such legislative measures, this trade may be adversely affected. The 1995 `European Union Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data' restricts the transfer of personal information from member countries to other countries unless adequate privacy safeguards are in place.

I am confident that this Bill will provide adequate privacy safeguards to facilitate future trade with EU members.

Consultative Process

The real strength of this legislation stems from the highly interactive way in which it has been developed.

The standards in the Bill are based on the National Principles for the Fair Handling of Personal Information, which were developed by the Privacy Commissioner following extensive consultation with business, consumers and other stakeholders.

The National Principles are a set of guidelines for the collection, holding, use, disclosure and transfer of personal information.

The Government's commitment to a fully consultative process continued following the announcement in December 1998 that we would legislate.

A Core Consultative Group was established with a membership drawn from peak business, consumer and privacy groups.

The States and Territories were also represented.

The Group provided an invaluable arena in which to test and develop various legislative models and to examine how each model would operate in practice.

In addition, the Privacy Commissioner was asked to consult with health stakeholders as to how the National Privacy Principles should be modified to deal with health information.

An information paper issued in September last year, followed by a successful series of public consultation meetings in Sydney, Melbourne and Perth, and draft key provisions made public in December attracted a large number of submissions.

Drawing on this input and feedback has allowed us to draft a Bill which, I believe, will establish the best possible scheme for the Australian context.

Amend Existing Privacy Act

The Bill will amend the existing Commonwealth Privacy Act 1988, which currently regulates the handling of personal information by the public sector.

Broad Outline of Provisions

The Bill will require organisations to comply with minimum standards in relation to how they handle personal information.

The standards for handling personal information are contained in ten principles, known as the National Privacy Principles, or NPPs.

The NPPs regulate the collection; use and disclosure; and transfer overseas of personal information.

They require organisations to ensure that the personal information they hold is accurate, up-to-date and complete; and secure.

Organisations are also required to be open about how they manage personal information; provide access and correction rights to individuals; and allow people to deal with them anonymously, if that is legal and practical.

The NPPs also regulate the adoption, use and disclosure of Commonwealth Government identifiers by private sector organisations.

Privacy codes

A key feature of the co-regulatory approach in the Bill is that it enables organisations to develop their own privacy codes.

These codes must be approved by the Privacy Commissioner.

Before approving a code, the Commissioner must be satisfied that it provides at least as much privacy protection as the NPPs.

Private sector organisations are, however, free to adopt higher standards.

The NPPs in the Bill will operate where an organisation chooses not to adopt its own privacy code or does not have a code that has been approved by the Privacy Commissioner.

Complaint handling

The complaint-handling process in the Bill will enable people to have their complaints dealt with simply, quickly, at low cost and without red tape.

It is designed to ensure that most complaints can be resolved through conciliation and mediation, rather than through an adversarial court process.

In the first instance, complaints are to be directed to the organisation concerned.

If matters are not able to be resolved at that level, then an independent person may investigate the complaint.

Where the organisation has a privacy code and a mechanism for handling complaints, the independent investigator will be an adjudicator nominated under the code.

In those instances where an organisation does not have a complaint mechanism, the Privacy Commissioner will handle the complaint.

Review of decisions

If an individual and organisation are unable to reach a satisfactory outcome through mediation or conciliation, the Privacy Commissioner or a code adjudicator may make a determination.

In both cases, the decision making process may be judicially reviewed under the Administrative Decisions (Judicial Review) Act 1977.

A determination made by the Privacy Commissioner or a code adjudicator may be enforced in the Federal Court or the Federal Magistrates Service. While the Bill puts in place a scheme that is intended to support self- regulation, there will be a level of judicial oversight to ensure compliance with decisions of code adjudicators and the Privacy Commissioner.


The Government recognises that Australians consider their personal health information to be particularly sensitive and that they expect all those who come into contact with it to handle it fairly and appropriately.

Following consultation with health stakeholders, it was agreed that the NPPs be modified to accommodate the particular sensitivities surrounding the collection, use and disclosure of personal health information.

The modified Principles are designed to ensure an appropriate balance between privacy interests and other important public interests, such as the promotion of research and the effective planning and delivery of health services.


The balance between the interests of privacy and the need to facilitate medical research was an issue that the Privacy Commissioner and the Government looked at closely.

The Bill provides that where information is collected for research purposes it must be collected with consent or, where this is not practicable, in accordance with strict safeguards set out in the Bill.

In addition, researchers must take reasonable steps to de-identify personal information before the results of research can be disclosed.


It is a fundamental principle of fair information handling that individuals be able to access and correct information about them.

The Bill provides for access to health information, except where legitimate and justifiable grounds exist for refusing access.

Such grounds include situations where providing an individual with access to their health information would pose a serious threat to the life or health of that or any other person.

In providing this right to health consumers, the Bill supports what is already good practice among many health professionals.

The Government acknowledges that the health profession already has a strong respect for the confidentiality of health information about individuals and maintains sound privacy practices in that respect.

The Bill is not intended to interfere with those professional values and standards.


Another area where special issues arise is where Government services involving personal information are outsourced to the private sector.

In these circumstances, it is important to ensure that personal information is given the same level of protection it would receive if it was held by Government and that, in specified circumstances, the contracting Government agency remains ultimately responsible for the acts and practices of its contractors.

Where an organisation provides services under contract to the Commonwealth Government, the legislation makes clear that the contract will be the primary source of a contractor's privacy obligations in respect of the personal information collected or held for the purpose of performing the contract.

The NPPs, or an approved code, will only apply to the extent that they are not inconsistent with the contract.

As an extra safeguard, the Bill provides that a contractor may not use or disclose personal information for direct marketing purposes unless this is required by the contract.

State/Territory Instrumentalities

The Bill is not intended to cover State and Territory public sector agencies, as this is a matter for the States and Territories themselves.

The Bill recognises that State and Territory Government Business Enterprises, or GBEs, take many forms and that the dividing line between the public and private sectors is not always clear.

In order to ensure certainty, the Bill provides that GBEs that are incorporated under the Corporations Law will automatically be covered by the Bill, unless they are prescribed otherwise by regulation.

Those GBEs not incorporated under the Corporations Law, such as statutory corporations, will not be covered by the Bill.

To meet the varying requirements of State and Territory Governments, however, the Bill also provides a flexible opt in/opt out mechanism for prescribing State or Territory instrumentalities.

This will be achieved by regulation and will only be done at the request of the State or Territory Government.

The policy behind this mechanism is to ensure that State and Territory Government functions can continue unaffected by the Bill, whilst allowing for State and Territory GBEs that are performing substantially commercial functions to be treated on a level playing field with other private sector organisations.

State/Territory Law

By introducing this Bill, the Commonwealth intends to establish a single comprehensive national scheme for the protection of personal information by the private sector.

However, State and Territory laws will continue to operate to the extent that they are not directly inconsistent with the terms of the Bill.

The NPPs recognise the operation of State and Territory legislation and the common law.

For example, while the Principles provide for a right of access to personal information held about an individual, they also contemplate a situation in which that access may be denied if this denial is required or authorised by law.

While there may be some situations of direct inconsistency, I expect that, in the majority of cases, existing State and Territory laws will continue unaffected by this Bill.

The existing law will simply be supplemented by the standards contained in the NPPs.


It is widely acknowledged that the right to privacy is not an absolute right. Like all rights, the individual's right to privacy must be balanced against a range of other community and public interests.

The objects clause of the Bill highlights this need for a balanced approach. The structure and principles underlying the legislation, as well as a limited range of express exemptions, ensures there is an appropriate and workable balance.

The Bill does not apply, for example, to information collected for personal, family or household affairs.

Small Business

Similarly, while protecting privacy is an important goal, it must be balanced against the need to avoid unnecessary costs on small business.

For this reason, only small businesses that pose a high risk to privacy will be required to comply with the legislation.

Small business is defined in the legislation.

A business is a small business if its annual turnover for the previous financial year was $3 million or less.

Such businesses will be exempt unless they hold personal health information and provide a health service; trade in personal information; are a Commonwealth contracted service provider; are related to a business that is not a small business; or are prescribed by regulation.

The power to prescribe small businesses, or particular acts or practices of small businesses, provides a flexible way to ensure that other risks to privacy can be brought within the legislation where that is necessary and in the public interest.

In considering whether the circumstances justify bringing small businesses within the regulatory scheme, the Privacy Commissioner must be consulted.

I also intend to consult with the minister responsible for small business before making a decision on such a regulation.

While the Government is saying that small business generally does not have to comply with the legislation, it is not saying that a small business cannot or should not comply.

With increasing demands from consumers and larger business partners for greater respect for privacy, more small businesses are recognising that good privacy practices are good business practices.

The Bill provides a mechanism whereby small businesses can choose to voluntarily opt-in to the privacy regime.

This will allow them to capitalise on the increased consumer and business confidence that results from sound privacy practices.

Employee Records

The Bill also includes an exemption for employee records.

An "employee record" is defined to capture the types of personal information about employees typically held by employers on personnel and other similar files.

While this type of personal information is deserving of privacy protection, it is the Government's view that such protection is more properly a matter for workplace relations legislation.

It should be noted, however, that the exemption is limited to collection, use or disclosure of employee records where this directly relates to the employment relationship.

This is designed to preclude an employer selling personal information contained in an employee record to a direct marketer, for example.


The media in Australia have a unique and important role in keeping the Australian public informed.

In developing the Bill the Government has sought to achieve a balance between the public interest in allowing a free flow of information to the public through the media and the individual's right to privacy.

In order to achieve this balance, the Bill does not apply to acts and practices of media organisations in the course of journalism where the media organisation has publicly committed itself to observing published standards that deal with privacy in a media context.

A range of other provisions in the Bill also recognise the important role of the media in facilitating the free flow of information to the public.

Political Parties

The Bill also includes an exemption for political representatives where acts or practices are related to participation in the political process including referendums and elections at the local, State or Federal level.

Freedom of political communication is vitally important to the democratic process in Australia.

This exemption is designed to encourage that freedom and enhance the operation of the electoral and political process in Australia.

I am confident that it will not unduly impede the effective operation of the legislation.

Transitional Arrangements

In order to allow time for the private sector to develop codes, revise existing codes and put appropriate practices in place, the Bill will only come into operation 12 months after it receives Royal Assent.

In addition, most small businesses will not be subject to the legislation for a further period of 12 months after it comes into force.

The Government appreciates that small business needs to focus on implementing the new tax system.

The extra time given to small business will provide opportunity for them to implement the changes to the tax system before turning to how they will handle personal information.

Small businesses that involve the provision of health services will not, however, receive the benefit of the additional 12 month period.

This is because the Government recognises that information held by health service providers is particularly sensitive and in this situation it is important to have privacy protection in place as soon as possible for the community.

Review by the Privacy Commissioner

This Bill establishes a new approach to the protection and handling of personal information in the private sector.

Because our approach is unique, the Government is committed to assessing the operation of the legislation, to ensure that it is achieving all our goals.

I propose that the Privacy Commissioner conduct a formal review of the operation of the legislation, and of all the exemptions, in consultation with key stakeholders after it has been in operation for two years.


In developing this legislation the Government has drawn extensively on consultation and feedback provided by Australian business, consumers and privacy advocates.

As a result, the Bill will establish a scheme that is responsive to both business and consumer needs and that implements privacy protection in a realistic, balanced and workable way.

It represents the very best of Australian policy development and law making and will help to ensure that Australian business and Australian consumers are in a position to take full and confident advantage of the future in the fast developing information economy.

Debate (on motion by Senator O'Brien) adjourned.