House of Representatives

Privacy Amendment Bill 2003

Explanatory Memorandum

(Circulated by authority of the Attorney-General, the Honourable Philip Ruddock, MP)

Outline, financial impact statement and notes on clauses

Outline

The Privacy Amendment Bill 2003 makes four amendments to the Privacy Act 1988 to ensure that the protections of the Act are available to all irrespective of nationality, to provide the private sector with greater flexibility in relation to privacy codes, and to correct an unintended limitation on the provision of superannuation services to Commonwealth employees.

Financial impact statement

The proposed amendments are expected to have no significant new financial impact on government. The Privacy Commissioner has been funded to administer the provisions that relate to the private sector.

Notes on clauses

Clause 1 - Short title

This clause is a formal provision that provides for the Bill, when enacted, to be cited as the Privacy Amendment Act 2003.

Clause 2 - Commencement

This clause provides that the Bill, when enacted, will come into operation on the day the Bill receives Royal Assent.

Clause 3 - Schedule(s)

The provisions in the Privacy Act 1988 (hereafter called the Act) are amended or repealed as set out in Schedule 1 of the Bill. Schedule 1 is divided into four parts:

Part 1 - Extra-territorial application of National Privacy Principle 9
Part 2 - Extension of correction rights to non-Australians
Part 3 - Approved privacy codes
Part 4 - Use of government payroll identifiers

Schedule 1 - amendment of the Privacy Act 1988

Part 1 - Extra-territorial application of National Privacy Principle 9

National Privacy Principle 9 provides that a private sector organisation to which the Act applies may transfer personal information about an individual to a foreign country only if one or more conditions are met. Subsection 5B(1) of the Act provides that the private sector provisions of the Act apply to extra-territorial acts and practices only if they affect the personal information of Australians. It is possible that subsection 5B(1) may be seen as limiting the application of National Privacy Principle 9 to the personal information of Australians only.

This amendment is to clarify that the protections provided by National Privacy Principle 9 apply equally to the personal information of non-Australians and the personal information of Australians.

Items 1 and 2

These items amend section 5B of the Act to specify that the Act's extraterritorial limitation to Australian citizens and residents does not apply in relation to National Privacy Principle 9. The note attached to the new subsection says this in plain English.

Item 3

To avoid any doubt about retrospective application, this item specifies that the above amendments have prospective effect only.

Part 2 - Extension of correction rights to non-Australians

Information Privacy Principle 7 provides an individual with rights of access to, and correction of, their recorded personal information held by a Commonwealth agency. National Privacy Principle 6 provides equivalent rights in relation to records held by private sector organisations.

Subsection 41(4) of the Act prevents the Privacy Commissioner from investigating complaints about possible breaches of Information Privacy Principle 7 and National Privacy Principle 6 in relation to correction of personal information or a privacy code with the same content if the complainant is not an Australian citizen or resident.

Subsection 41(4) was enacted to mirror the correction regime then applying under Part V of the Freedom of Information Act 1982. Section 48 of the Freedom of Information Act provides a right to seek correction of personal information in a document held by a Commonwealth agency. As originally enacted, this right was limited to Australian citizens or residents. These limitations were removed by the Freedom of Information Amendment Act 1991.

These amendments are to remove the nationality and residency limitations on the power of the Privacy Commissioner to investigate complaints relating to the correction of personal information.

Item 4

This item repeals subsection 41(4) of the Act.

Item 5

To avoid any doubt about retrospective application, this item specifies that the above repeal has prospective effect only.

Part 3 - Approved privacy codes

These amendments are to remove existing limitations on the matters which may be covered in privacy codes.

Part IIIAA of the Act provides that private sector organisations may create privacy codes in replacement of the National Privacy Principles that would otherwise apply. Privacy codes are binding on organisations which have agreed to be covered by them.

Before a privacy code can take effect it must be approved by the Privacy Commissioner. Privacy codes must offer at least equivalent levels of protection as apply under the National Privacy Principles. These amendments will offer the flexibility to private sector organisations to enhance privacy protection by using privacy codes to tailor the private sector privacy regime to their specific circumstances with the option of covering matters that are otherwise exempt.

A privacy code may be enforced by an independent adjudicator in the first instance and ultimately by the Privacy Commissioner. The Privacy Commissioner may also act as the independent adjudicator.

Subsection 6(1) of the Act defines a privacy code to mean a written code regulating acts and practices that affect privacy. The definition of acts and practices in section 7 of the Act excludes exempt acts and practices. As a result, provisions in a privacy code dealing with exempt acts or practices cannot be the subject of approval by the Privacy Commissioner and that part of a privacy code cannot take effect.

Exempt acts and practices are detailed in section 7B of the Act as acts done, or practices engaged in, by:

individuals in a non-business capacity;
organisations acting under Commonwealth or State or Territory contracts;
organisations in relation to their employee records; and
media organisations in the course of journalism.

These amendments are to provide business and industry with greater flexibility by allowing privacy codes to cover otherwise exempt acts and practices where code creators wish to do so. There is no change to the requirement under paragraph 18BB(2)(a) of the Act that privacy codes either incorporate all the National Privacy Principles or set out obligations that, overall, are at least the equivalent of all the obligations set out in those Principles. Neither is there an obligation on code creators to deal with otherwise exempt acts and practices in their privacy codes.

Item 6

This item inserts a new section which provides that a privacy code may be approved by the Privacy Commissioner even if it covers exempt acts or practices. The note attached to the section sets out the consequences of including coverage of an otherwise exempt act or practice in a privacy code.

Part 4 - Use of government payroll identifiers

National Privacy Principle 7.2 provides that a private sector organisation must not use or disclose an identifier assigned to an individual by a Commonwealth agency, or by an agent or contracted service provider of that agency, unless specified conditions are met. The Principle addresses public concerns raised in the context of the Australia Card debate of the 1980s and is designed to prevent the creation of a de facto universal identity number system.

An unforeseen consequence of National Privacy Principle 7.2 is that it prevents private sector superannuation bodies which provide superannuation services to Commonwealth employees from using or disclosing Commonwealth payroll numbers:

to ensure that Commonwealth employees' salary deductions are correctly directed to their superannuation member's accounts; or
to disclose these payroll numbers to other superannuation bodies servicing Commonwealth employees when a member's status changes, including where the member changes superannuation funds.

The Act provides that the Privacy Commissioner can authorise acts or practices that would otherwise be a breach of the National Privacy Principles under a Temporary Public Interest Determination (TPID), and such a TPID is currently in force in relation to private sector superannuation bodies which provide superannuation services to Commonwealth employees. However, a permanent solution is needed.

National Privacy Principle 7.2(c) does provide that use or disclosure of identifiers in the above circumstances can be authorised if it is by a prescribed organisation of a prescribed identifier in prescribed circumstances. The Regulation making power under the Act, section 100, requires the Minister to consult with affected agency heads and the Privacy Commissioner before making Regulations to create exemptions from NPP 7. However, the present wording of subsection 100(2) does not allow for Regulations to be made to apply to a class of organisation, identifier or circumstance without undertaking these consultations. Additionally, as a practical matter, the Regulations must specify the relevant agencies and organisations. As a result, new Regulations would have to be made whenever there was a machinery of government change.

This amendment is to allow for Regulations to be made to apply to a class of organisation, identifier or circumstance.

Items 7 and 8

These items add a new subsection to section 100. The effect of these items is that the requirements of subsection 100(2) do not apply to Regulations made in relation to the use or disclosure of Commonwealth payroll numbers in the provision of superannuation services by an organisation to Commonwealth employees. That is, in making such Regulations there does not have to be consultation with each individual agency affected. However, the Minister is required to consult with the Privacy Commissioner before making such Regulations.

Item 9

This item amends the note attached to National Privacy Principle 7 to include reference to the new subsection.