Skip to main content
Skip to secondary navigation
Menu
Australian Government - Office of the Australian Information Commissioner - Home

Review of Australia''s Consumer Policy Framework, Draft Report; Submission to the Productivity Commission (February 2008)

February 2008

Our reference: 2006-082-01 Mr Robert Fitzgerald Presiding Commissioner Productivity Commission PO Box 1428 Canberra City ACT 2616 Dear Mr Fitzgerald

The Office of the Privacy Commissioner (the Office) welcomes this opportunity to make a submission to the Productivity Commission's (the Commission) draft report of its Review of Australia's Consumer Policy Framework (the Draft Report).

The Office observes that a number of matters in the Draft Report raise privacy issues and these are discussed further below.

About the Office

The Office is an independent statutory body whose purpose it is to promote and protect privacy in Australia. The Office has responsibility for the protection of individuals' personal information that is handled by Australian and ACT government agencies, and personal information held by all large private sector organisations, health service providers and some small businesses. The Privacy Act 1988 (the Privacy Act) regulates how these agencies and organisations handle personal information. In addition, the Office has regulatory functions under other Acts, such as the Telecommunications Act 1997 and the Crimes Act 1914. The Office particularly draws the Commission's attention to its regulatory functions in regard to the handling of credit reporting information under Part IIIA of the Privacy Act.

Key considerations and scope of the Commission's Inquiry

The Office notes that in conducting the inquiry the Commission is required, among other things, to have regard to the need for consumers and businesses, including small businesses, not to be burdened by unnecessary regulation or complexity, while recognising the benefits flowing from such regulation occurring. Another key consideration is the importance of promoting certainty and consistency for businesses and consumers in the operation of consumer protection laws and reporting on the scope of avoiding regulatory duplication and inconsistency.

The Office similarly recognises the importance of these considerations in the exercise of its statutory functions.

Privacy regulation and national consistency

The Office notes that there are some key themes which appear to be common to the Commission's Inquiry and the review currently being conducted by the Australian Law Reform Commission into the effectiveness of privacy regulation in Australia. Some of these themes have also been apparent in previous reviews of privacy regulation, including that conducted by this Office in 2006, of the private sector provisions of the Privacy Act.

In this regard, the central concern of the Office is the need for national consistency in privacy regulation. From the Office's perspective, national inconsistency operates on three different levels and has had consequences for business efficiency and poses impediments to awareness of individual privacy. First, an inconsistency within the Privacy Act relating to two sets of privacy principles - one for Australian and ACT Government agencies and another for the private sector. Second, inconsistencies exist with other Commonwealth legislation such as the Telecommunications Act 1997 and the Privacy Act. The regulatory overlap may cause confusion for telecommunications businesses which are covered by both Acts. Third, inconsistencies exist that have arisen between the Privacy Act and state and territory legislation in relation to privacy regulation.

The Office's submission to the Regulatory Taskforce in December 2005 on Reducing the Regulatory Burden on Business canvasses these points. The submission is available on the Office's website at http://www.privacy.gov.au/materials/types/download/8822/6618.

In December 2007, the Office commented on the Australian Law Reform Commission's (ALRC) Review of Australian Privacy Law - Discussion Paper 72 (Discussion Paper) which explores these and other related issues in some detail. One of the important proposals in the ALRC's Discussion Paper is to establish a set of Unified Privacy Principles to replace the existing separate sets of Information Privacy Principles (IPPs) and National Privacy Principles (NPPs). The Office sees benefits in this approach as a single set of principles will encourage greater regulatory consistency and simplicity for agencies, organisations and individuals while at the same time empowering individuals to better understand and exercise their privacy rights. The submission to the ALRC is available at the Office's website at http://www.privacy.gov.au/materials/types/download/9111/6748.

The Draft Report

The Office comments specifically on the following proposals in the Draft Report.

Credit providers As part of the proposal to transfer consumer credit regulation from the states and territories to the Commonwealth it is proposed in the Draft Report that credit providers not subject to licensing arrangements should be subject to registration requirements at the federal level through the Australian Securities and Investments Commission (ASIC).

You may be aware, that credit reporting is regulated by Part IIIA of the Privacy Act and a number of provisions in the Act regulate credit providers. Section 11B of the Act deems certain categories of businesses as credit providers and, additionally, I have issued determinations under section 11B(1)(b)(v)(B) deeming certain classes of corporations as credit providers. These determinations are on the Office's website at http://www.privacy.gov.au/law/act/credit/#cpdq1 .

The ALRC's Discussion Paper proposes that credit reporting should continue to be regulated by the Privacy Act under the proposed Unified Privacy Principles and underpinned by the proposed Privacy (Credit Reporting Information) Regulations (see Proposals 50-1 and 50-2).

If the proposal to licence credit providers by ASIC proceeds, the Office suggests that there needs to be coordination between ASIC and my Office so that the regulation of credit providers by the Privacy Act is not affected by changes to ASIC's registration requirements.

National consumer complaints database It is proposed in the Draft Report that all jurisdictions should participate in the national consumer complaints database (AUZSHARE) by sharing complaints information. One of the key objectives is to gather improved intelligence about the nature of emerging serious complaints.

One of the important ways consumer confidence in the national referral service is likely to be enhanced and the privacy of individuals secured is to ensure that individuals are made aware that their information will be collected in a central database and that their information will be shared by consumer regulators. This awareness is best achieved through the provision of notice and is covered by IPP 2 (and NPP 1.3) in the Privacy Act.

A notice to be given to individuals could be usefully modelled on those provisions in those states that do not have privacy legislation. It should address such matters as the purposes of collection and to whom the information is usually disclosed. Secondly, it will be important to ensure that personal information collected for inclusion in the database is protected by appropriate security safeguards such as electronic audit trails and secured from unauthorised or improper access. Any secondary uses or discloses of an individual's personal information from the database should be related to the primary purpose of collection. There should be appropriate mechanisms in place to ensure that individuals may seek access to their information without charge. Lastly, there should be a system in place for individuals to seek redress if their information is mishandled.

ADR and EDR schemes Alternate Dispute Resolution (ADR) schemes have the potential to improve outcomes for businesses and consumers. The Draft Report proposes that there should be an effective ADR mechanism to deal with consumer complaints not covered by industry specific ombudsmen.

The ALRC's Discussion Paper considered the role of external dispute resolution (EDR) schemes in resolving credit reporting complaints. The Office supported the ALRC's proposal to the extent that credit providers should only be permitted to list overdue payment information with a credit reporting agency where the credit provider is a member of an approved EDR scheme (see proposal 55-6).

Privacy complaints I endorse the statement on page 156 of the Draft Report that there is considerable expertise within the Office on handling complaints about violations of privacy. Maintaining and, wherever possible, improving the efficiency and effectiveness of the Office's complaint handling is a key focus of the Office. The Office supported the ALRC's various proposals in its Discussion Paper to clarify and strengthen our complaint handling powers (see chapter 45).

Privacy and E-commerce In its response to the ALRC's Discussion Paper, the Office supported the Privacy Act continuing to be underpinned by technologically neutral privacy principles as the most effective way to deal with rapidly evolving technology (see chapter 7).

To accommodate particular technologies or types of activity that create privacy risks, including in E-commerce, the Office supported the Privacy Act being amended to provide for the Commissioner to make binding codes that go to certain acts or practices or certain technologies. In our view, this would facilitate timely responses to new technologically specific privacy issues.

Cross border redress and enforcement You may be aware, Ministers of APEC economies have agreed on an APEC Privacy Framework which aims to improve consumer confidence and ensure the growth of electronic commerce while working towards effective privacy protection in member economies. As part of this process, it is intended to put in place cooperative arrangements between relevant enforcement authorities in member economies. The goal is that these arrangements, once in place, will enable the exchange of information between data protection authorities and therefore increase and promote cross-border cooperation in investigation and enforcement. The Office has signed a Memorandum of Understanding with the New Zealand Office of the Privacy Commissioner in 2006 which provides a model for such cooperation.

Privacy policy or disclosure statements The Office agreed with the ALRC's proposal in the Discussion Paper for the Office to encourage and assist agencies and organisations to make available short form privacy notices summarising their personal information handling practices. Short form privacy notices should be seen as supplementing the more detailed information that is required to be made available to individuals under the Privacy Act (see proposal 21-5). In this way it is hoped that the example discussed on page 354 will be averted.

The Office is available to discuss these comments further with the Commission if necessary. The contact officer is Brian Kent or Victoria Mence on telephone (02) 9284 9800.

Yours sincerely

[signed]

Karen Curtis

Privacy Commissioner

15 February 2008