Save Search

Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
Privacy Amendment Bill 1997

Bill home page  


Download WordDownload Word


Download PDFDownload PDF

Explanatory Memorandum

 

(Circulated by authority of Senator Stott Despoja)

 

 

Privacy Amendment Bill 1997

 

Outline

 

The Privacy Amendment Bill 1997 (the Bill) extends the provisions of the Privacy Act 1988 (the Act) to the private sector, corporations, trading corporations and financial corporations. The proposed scheme will extend the operation of the existing Information Privacy Principles and enable Codes of Practice to be developed by the Privacy Commissioner which may override the operation of particular Information Privacy Principles as they apply to specified persons, classes of persons or identified groupings as determined by the Privacy Commissioner and approved by both Houses of Parliament. The powers to accept complaints, investigate complaints and enforce decisions about complaints will reside with the Privacy Commissioner according to the existing legislation.

 

Financial Impact

 

Unknown, as there are no figures available which show either the cost of compliance with a private sector privacy scheme or the costs associated with the failure to have a private sector privacy scheme. However, a Price Waterhouse survey of 130 large businesses found 70% favoured, 10% were 'neutral' and 20% opposed the introduction of comprehensive national privacy laws.

 

Notes on Clauses

 

Clauses 1 and 2

 

These clauses set out the short title and commencement of the Bill. The Bill is to commence upon Royal Assent.

 

Clause 3

 

This clause provides that the Act is amended as set out in the schedule to the Bill.

 

Schedule

 

Item 1

 

This amendment inserts new sections 5B and 5C which extends the Act by expanding the definition of the term agency . This amendment provides that the following who are not agencies under the existing Act are to be included as if they are agencies under the Act:

 

·       all persons (including unincorporated bodies) who would be covered by the Covenant on Civil and Political Rights and in particular Article 17 of that Covenant;

 

·       corporations; and

 

·       trading corporations and financial corporations.

 

However, acts or practices which are done for personal or family reasons, household affairs or journalistic, literary or artistic purposes are not covered.

 

Item 2

 

This amendment inserts a definition of the term Code of Practice to mean a code of practice issued by the Privacy Commissioner according to the amendments set out in item 11 (section 18BA).

 

Item 3

 

This amendment inserts a definition of the term unique identifier to mean any identifier assigned by the agency which identifies the individual otherwise than by name.

 

Item 4

 

This amendment inserts additional words to ensure the person whose personal information is collected will know the purpose for which that personal information is to be used.

 

Item 5

 

This amendment adds a new paragraph to require the collector to inform the person whose personal information is collected what rights they have with respect to the collected personal information at the time of collection.

 

Item 6

 

This amendment extends the operation of Information Privacy Principle 10 to authorised Codes of Practice. This means that personal information collected for a particular purpose shall not be used for any other purpose unless authorised by a Code of Practice or another of the existing exceptions.

 

Item 7

 

This amendment extends the operation of Information Privacy Principle 11 to authorised Codes of Practice. This means that personal information which is in the possession or control of a record keeper shall not be disclosed to any person, body or agency unless authorised by a Code of Practice or another of the existing exceptions.

 

Item 8

 

This amendment adds new Information Privacy Principles:

 



Principle 12 - Justifiable purpose

 

That systems or practices for managing personal information should not be used or implemented which will endanger the privacy of personal information.

 

Principle 13 - Limit on retention of personal information

 

That personal information should be destroyed or made anonymous when it is no longer useful for the purpose for which it was collected.

 

Principle 14 - No disadvantage

 

The supply of goods or services should not be conditional on the person's consent to the collection, use and disclosure of personal information where that is not a lawful requirement.

 

Principle 15 - Anonymity

 

That a person should be able to remain unidentified in any transaction where identification is not necessary.

 

Principle 16 - Unique identifiers

 

That unique identifiers should not be assigned or required unless that unique identifier is necessary to carry out lawful functions or require an individual to disclose a unique identifier for any purpose other than the purpose for which the unique identifier was assigned.

 

Item 9

 

This amendment inserts a new subsection 15(3) which applies Information Privacy Principles 12 (Justifiable purpose) and 13 (Limit on retention of personal information) to personal information that was collected before or after the commencement of this Bill.

 

Item 10

 

This amendment alters section 16 of the Act to include Codes of Practice to make it a requirement that agencies do not act or engage in a practice that breaches an Information Privacy Principle or a Code of Practice.

 

Item 11

 

This amendment inserts the new provisions relating to Codes of Practice.

 

·       Section 18BA specifies how Codes of Practice are to be issued by the Privacy Commissioner by notice in the Gazette following application by a person who represents a specified grouping, at the direction of the Minister or on the Commissioner's own initiative.

 

·       Section 18BB specifies that a Code of Practice take effect when a resolution of both Houses of Parliament approving the Code of Practice is passed.

 

·       Section 18BC specifies that a Code of Practice may apply to an identified grouping generally, a specified person, a specified class of persons, a specified agency, industry, profession or calling or a specific act or practice.

 

·       Section 18BD specifies that a Code of Practice may modify the operations of the Information Privacy Principles by imposing a more or less stringent standard or specify how the Information Privacy Principles are to be applied or complied with. The Code of Practice may also provide for a review of the Code or the expiry of the Code.

 

·       Section 18BE provides for the notification of intention to issue a Code of Practice by the Privacy Commissioner. The Privacy Commissioner must give public notice of an intention to issue a Code of Practice, do everything reasonably possible to advise those who will be affected by the Code of Practice of the terms of the Code of Practice and the reasons for the Code of Practice as well as give a reasonable opportunity for the Code of Practice to be considered and submissions to be made. This involves providing access to the proposed Code of Practice and an address where submissions may be sent.

 

Item 12

 

This amendment provides that the Privacy Commissioner is to be appointed for a term of 7 years and is not eligible for re-appointment (note Item 19 below).

 

Item 13

 

This amendment modifies paragraph 27(1)(a) of the Act to include in the Privacy Commissioner's functions the investigation of an act or practice that may breach an Information Privacy Principle and any other act or practice that would otherwise adversely affect an individual's privacy.

 

Item 14

 

This amendment inserts new paragraphs after paragraph 27(1)(m) setting out additional functions of the Privacy Commissioner as they relate to promoting the protection of individual privacy; making public statements about privacy, making guidelines about an individual's privacy and providing assistance to those complying with Information Privacy Principle 12.

 

Item 15

 

This amendment inserts a new section 27A which sets out additional functions of the Privacy Commissioner:

 

·       to issue Codes of Practice;

 

·       to investigate possible breaches of Codes of Practice;

 

·       to investigate systems or practices for the collection and storage of personal information;

 

·       to monitor compliance with Codes of Practice; and

 

·       to investigate systems and practices for compliance with Codes of Practice.

 

Item 16

 

This amendment adds the Privacy Commissioner's additional functions to investigate systems or practices for the collection and storage of personal information to those activities or audits which may be reported to the Minister.

 

Item 17

 

This amendment inserts non-government unincorporated bodies as agencies and the principal executive of that agency for the purposes of investigations under the Act.

 

Item 18

 

This amendment inserts a new section 96A which requires an agency to nominate a person employed in or by the agency if requested to do so by the Privacy Commissioner as the person responsible for the agency's compliance with the Act.

 

Item 19

 

The amendment to subsection 20(1) of the Act, which provides that the Privacy Commissioner is to be appointed for a term of 7 years and is not eligible for re-appointment applies only to appointments made after the commencement of the Bill as an Act (note Item 12 above).