- Parliamentary Business
- Senators and Members
- News & Events
- About Parliament
- Visit Parliament
Privacy Amendment Bill 1998
Bills Digest No. 162 1997-98
Privacy Amendment Bill 1998
This Digest was prepared for debate. It reflects the legislation as introduced and does not canvass subsequent amendments. This Digest does not have any official legal status. Other sourc es should be consulted to determine the subsequent official status of the Bill.
Privacy Amendment Bill 1998
The Privacy Act 1988 (the Principal Act) deals with the gathering, processing and dissemination of information about the individual. It sets down detailed Information Privacy Principles regulating the handling of personal information by Commonwealth Government agencies and ACT Government agencies. The Information Privacy Principles are based on the Organisation for Economic Co-operation and Development Guidelines of 1980 on the protection of privacy, to which Australia is a signatory.
After a pre-election commitment to extend privacy regulation to the private sector the Attorney-General announced in September 1996 that the Government would be legislating to extend the Privacy Act to the private sector.(1) There were some enthusiastic responses to the proposal and a discussion paper was issued.(2) There were also a range of responses to the discussion paper.
In March 1997 the Prime Minister announced that the Government would not legislate to extend the Privacy Act to the private sector and that it had made efforts to dissuade State or Territory Governments from introducing privacy legislation that would impact on the private sector, citing concern for the implications in compliance costs.(3) This announcement attracted quite a degree of community and media attention and some strenuous criticisms.(4) There was also a suggestion that trade with Europe could be affected if Australia's privacy legislation was not sufficiently strengthened.(5) The current Bill will cover some private sector bodies, but only in so far as they are providing services traditionally provided by the public sector.
It has been pointed out that, to the extent that they are concerned with commercial factors, the private sector does not need to be concerned with issues of privacy unless the approach adopted has a significant impact on business.(6) In 1994 the Privacy Commissioner issued Guidelines regarding the need to include appropriate terms and conditions in contracts between Commonwealth agencies and the private sector.(7) The outsourcing of government functions has generally involved such conditions and requirements being placed into contracts. However, this has not necessarily meant that individuals affected have a right of redress since they are not parties to the contract and the private sector bodies have not previously been subject to the specific requirements of the Principal Act. The difficulties of ensuring that contracting bodies comply with the privacy requirements in the contract are significant. The contract laws are a rather 'blunt instrument' when dealing with breaches of the principles of privacy.(8)
There are also questions raised by the Bill as to how access should be provided to information. The inter-relationship between the Principal Act and the Freedom of Information Act 1982 was examined by the Australian Law Reform Commission and Administrative Review Council in 1996.(9) There has yet to be a government response to the Report, but the outsourcing issue has forced a partial response.
The provisions of the Bill seek to ensure that services can be included or excluded by regulation. (This occurs in the proposed subsection 6(1) definition of 'excluded funded service'.) The provisions allowing inclusion or exclusion by regulation rather than legislation may be the source of some controversy on the grounds that it detracts from the role of Parliament in an important policy area.
Item 1 inserts into subsection 6(1) of the Principal Act an extension of the definition of agency which will cover a 'contracted service provider'. Item 4 defines contracted service providers, to include any person under contract to a Commonwealth agency, although there are exceptions established in item 6 ('excluded funded services'). The exceptions include the services specified in Schedule 3 and a mechanism is provided which will allow services to either be added to or subtracted from the list of excluded funded services by regulation ( item 6 ). The services currently listed in Schedule 3 are quite extensive and include a range of health service providers and services provided to members of the public with regard to family relationship by community-based or volunteer organisations. These agencies are currently not subject to the Principal Act and, according to the Explanatory Memorandum, should not be covered because it would be a significant extension of the Act and unrelated to preserving the existing protections it offers.
The definition of a 'contracted service provider' extends to the use of sub-contractors and the provision of services to third parties in connection with the Commonwealth agency's functions ( items 3 & 8 ). Under proposed section 6A the definition of a contracted service provider would also cover 'notional contracts' between Commonwealth agencies.
This means that the Information Privacy Principles will apply to contracted service providers - i.e. the same protections will apply to information held by private sector agencies entering into a contract with the Commonwealth as the protections offered to personal information held by a Commonwealth agency. The new definition of contracted service provider is more expansive than previous itemised coverage and so it subsumes the specific coverage of an eligible case manager, the nominated Australian Government Health Services company and eligible hearing service providers (there are numerous consequential amendments). By using the past tense with respect to the contract the provisions of item 4 ensure that complaints can be taken to the Privacy Commissioner after the completion or termination of the contract.
Item 7 inserts a definition of 'outsourcing agency' into section 6. An outsourcing agency is defined as the Commonwealth agency to which the services are provided under a Commonwealth contract. This definition is then used to deal with the transfer of information between the outsourcing agency and a contracted service provider ( item 22 ) and is used in the sections dealing with the regulation and handling of complaints involving contracted service providers. Item 22 defines the transfer of information between an outsourcing agency and a contracted service provider as a 'use' rather than a disclosure. This means that Information Privacy Principle 10, rather than Information Privacy Principle 11 applies to the transfer and makes the process of transfer less onerous.
Item 9 inserts proposed subsections 6(4A) & 6(4B) to specify that the contracted service provider is only covered in so far as they are providing services under a Commonwealth contract. This ensures that private sector bodies which hold personal information are not generally required to comply with the Principal Act but only when providing a service under a Commonwealth contract. It also means that the personnel records of the service provider are not covered by the Act. Proposed subsection 6(4C) excludes the Australian Capital Territory from the Bill's proposed extension of coverage.
Section 7 of the Act sets out the acts and practices that are covered by the various provisions of the Act. Items 11, 13 and 14 combine to create the new definitions of the acts and practices of a contracted service provider which are covered. There are exempt acts and practices defined by item 18 which give the contracted service provider the same exemptions as the outsourcing agency. A proposed subsection 8(1A) ensures that the acts and practices of someone acting on behalf of the contracted service provider are also covered, even in the absence of an employee relationship or contract.
Item 20 provides for a new section 8A which would attribute the actions of a contracted service provider who is not resident in Australia to the responsible agency. The responsible agency is the body which last made the personal information available to the non-Australian based contracted service provider. This brings responsibility for actions which may be taken overseas within the ambit of Australia's Privacy Act .
Item 23 makes amendments to section 15 which make provisions about when the various Information Privacy Principles come into operation with respect to a contracted service provider. Principles 1, 2 and 3, which deal with the collection of information, apply after commencement of the amendments. Principles 4, 8 and 9, which deal with storage, accuracy and relevance to the use of records, apply to information collected both before and after the amendments.
Principles 10 & 11, which deal with use and disclosure apply differently according to who collected the information. In the case of information collected by a Commonwealth agency the principles apply to information collected both before and after the Bill, however in the case of information collected by the contracted service provider they only apply to information collected after the Bill. The extent to which Principles 10 & 11 can be complied with is affected by the process of collecting the information, however it would still, on occassions, be possible to apply these principles to information collected by the contracted service provider when the process of collection had not been governed by the requirements of the Act.
Principles 5, 6 and 7 are all related to the rights to access information and have alterations made. The Explanatory Memorandum foreshadows amendments to the Freedom of Information Act 1982, which is given as the reason these principles will come into force only once the date, to be determined by these foreshadowed amendments, has been gazetted. Principle 5 has various requirements regarding how the holder of information makes it public what information they are holding. Item 24 makes provisions that would enable the outsourcing agency to take the actions necessary for Principle 5 to be complied with, rather than the contracted service provider. It also makes provisions for the outsourcing agency to be the body which deals with freedom of information requests.
Proposed sections 30(3)(da) & 32(2) require the Privacy Commissioner to give reports regarding a contracted service provider who may not be complying with the Information Privacy Principles to the outsourcing agency as well as the Minister. Similarly, notice must be given to the outsourcing agency of the Commissioner's determinations in a case involving a contracted service provider ( proposed section 53A ).
The proposed amendments to section 36 would ensure that when handling a complaint the Privacy Commissioner can allow the complainant to amend the complaint to specify the contracted service provider as the respondent, instead of the outsourcing agency. This will cater for situations where it might be unclear whether it's the outsourcing agency or the contracted service provider who may have violated the requirements of the Act. The Commissioner is required to inform the outsourcing agency when he or she is investigating a complaint against a contracted service provider. There are also requirements for the outsourcing agency to be informed regarding a discontinued investigation against a contracted service provider.
Proposed sections 50A and 52A would allow the Privacy Commissioner to substitute the outsourcing agency for the contracted service provider if the contracted service provider dies or ceases to exist (or becomes bankupt or insolvent etc.) and a complaint could not be dealt with appropriately otherwise. These provisions would ensure that a complainant was not left without remedy in the case of a breach of the Privacy Principles and that the outsourcing agency retains a degree of responsibility regarding the behaviour of the contracted service provider.
Schedule 2 of the Bill provides for amendments to be made to the Disability Discrimination Act 1992, Racial Discrimination Act 1975, and Sex Discrimination Act 1984 which will prevent the extension being made to the Principal Act from applying to these Acts. The definition of an 'agency' in the discrimination acts is changed to a 'Commonwealth agency'. If private sector bodies were covered by the discrimination acts there would be difficulties with the enforceability of determinations made under these Acts.
The Explanatory Memorandum to the Bill includes the requisite 'Regulation Impact Statement' which considers the costs and benefits of various options for reform to the Government, busines s and the community. With respect to the costs to Government, the statement only considers the costs to individual Departments and agencies of the various options. It does not consider the impact of any of the changes on the Privacy Commissioner's office. The Bill will presumably affect the activities of the Commissioner's office since the Bill will extend the Act to cover previously uncovered organisations. Mr Nigel Waters, a prominent privacy commentator (and former head of the Privacy Branch of the Human Rights and Equal Opportunity Commission), has commented:
Given that there will be an immediate addition to the Commissioner's jurisdiction of a large number of contractors providing a wide variety of services, with thousands more as and when additional services and functions are outsourced, the government's commitment to effective implementation of the amendments must be in doubt….The new jurisdiction will place additional strains on the Commissioner's already depleted staff, following the major cutbacks in the 1997 Federal Budget.(10)
He goes on to point out that no resources appear to have been earmarked for education, complaint investigation or auditing of the many contractors that should be 'seriously facing up to compliance for the first time.' Thes e issues have yet to be addressed by the Government. The Explanatory Memorandum highlights the fact that the Bill is extending to cover bodies previously unregulated by the Principal Act, rather than information previously unregulated by the Principal Act. Hence an argument could be made that the amendments will not significantly increase the Privacy Commissioner's workload. Despite the potential criticisms regarding lack of funding, the Bill, in itself, is likely to be seen as unexceptionable and uncontroversial.
1. Press Release 'Privacy in the Private Sector' by Daryl Williams, MP, 12 Sept 1996.2. 'Proposed legislation designed to extend Privacy Act to cover the private sector is welcomed', ABC's P.M . Thursday, 12 Sept. 1996.
3. Press Release 'Privacy Legislation' by John Howard, MP, 21 March 1997.
4. For instance the Australian Privacy Charter Council, the CPSU and others (see 'Business, community and privacy groups raise concerns over the Government's decision not to extend privacy legisl ation into the private sector: CPSU raises concerns over a plan to outsource information technology of government departments': 7:30 Report , Thursday 3 April 1997).
5. See: 'Analysts debate privacy legislation, focusing on an ultimatum issued by the European Union that it will not trade with countries which do not have strong privacy laws', Lateline , Thursday 17 April 1997, and 'Privacy International threatens to push for the European Union to impose economic sanctions on Australia after Europe's privacy laws come into effect in October' A.M., Thursday 17 April 1997.
6. Nigel Waters, Address to Records Management Association Seminar, Canberra, 11 March 1998.
7. 'Outsourcing and Privacy - Advice for Commonwealth Agencies considering contracting out (outsourcing) information technology and other functions', Privacy Com missioner, August 1994.
8. Waters, op cit.
9. Australian Law Reform Commission/Administrative Review Council, Open Government, A review of the Freedom of Information Act 1982 , January 1996.
- Address to Records Management Association Seminar, Canberra, 11 March 1998.
24 March 1998
Bills Digest Service
Information and Research Services
This paper has been prepared for general distribution to Senators and Members of the Australian Parliament. While great care is taken to ensure that the paper is accurate and balanced, the paper is written using information publicly available at the time of production. The views expressed are those of the author and should not be attributed to the Information and Research Services (IRS). Advice on legislation or legal policy issues contained in this paper is provided for use in parliamentary debate and for related parliamentary purposes. This paper is not professional legal opinion. Readers are reminded that the paper is not an official parliamentary or Australian government document. IRS staff are available to discuss the paper's contents with Senators and Members and their staff but not with members of the public.