Privacy Law and Policy Reporter
Australian Press Council Privacy Standards: do they measure up?
Kristy Mellor UNIVERSITY OF WOLLONGONG
The Privacy Act 1988 (Cth) was amended by the Privacy Amendment (Private Sector) Act 2000 (Cth) to include privacy obligations for the private sector in addition to those already in place for the public sector.[1] In general, private organisations in Australia are now subject to the application of the National Privacy Principles (NPPs) which ‘set out minimum standards for the handling of personal information’.[2] However, s 7B(4) of the amended Privacy Act (the Act) provides exemption for acts or practices engaged in by a media organisation in the course of journalism. To qualify for the exemption the media organisation must be publicly committed to observing standards that deal with privacy in the context of media organisation activities and these standards must be published in writing by the organisation or a person or body representing a class of media organisations. In following the requirements of the Act, the Australian Press Council (APC) has developed a set of Privacy Standards[3] to gain the benefit of the exemption for its members. But do the APC Privacy Standards measure up to Australian privacy standards? In answering that question this paper considers the APC Privacy Standards as against the NPPs to determine whether the APC Standards meet the current Australian benchmark for privacy protection.
APC Privacy Standards v NPPs
The Act allows organisations that wish to operate under their own code or an industry code to do so if the Privacy Commissioner (PC) approves the code under s 18BB. To approve a code the PC must be satisfied that it incorporates all of the NPPs, or sets out obligations that are at least the equivalent of the NPPs.[4] If an organisation does not operate under an approved code the NPPs apply by default.[5] Consequently, the NPPs are the minimum standards for the handling of personal information in Australia.[6] While the media exemption available under the Act requires public commitment to published privacy standards, there is no requirement that those standards be approved by the PC or even at least meet the minimum standards prescribed by the NPPs.[7] As a result, a media organisation’s privacy standards can be as like, or unlike, the NPPs as the media organisation chooses and still gain exemption. While this aspect of the media exemption is a serious flaw in the privacy amendment,[8] it is clear that as far as the Act is concerned the APC Privacy Standards do not need to measure up to any other privacy standards. Despite this, Australia’s current benchmark for privacy protection is the NPPs and they provide a useful tool for evaluating the APC Standards in the context of current Australian privacy culture.
Scope and application
The APC Privacy Standards’ definition of ‘personal information’ is identical to that in s 6 of the Act, except in one respect. The Act concludes its definition with ‘about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion’. The APC omits the words ‘or opinion’ at the end. While it may be a semantic exercise to distinguish on these grounds, the omission begs the question why the definition follows the letter of the Act exactly only until that final point. It is foreseeable that ‘identity apparent or reasonably ascertainable by an opinion’ may not be included in the scope of the APC Standards. The power of the media to use journalistic opinion to flavour an article[9] makes this omission particularly alarming and suggests that a loophole for such behaviour may have been deliberately included.
‘Public interest’ is defined by the APC Standards but is not defined by the Act. The Standards appear to employ a defamation law conception of ‘public interest’ derived from London Artists v Littler,[10] which states that a matter is of public interest whenever it ‘is such as to affect people at large, so that they may be legitimately interested in, or concerned at, what is going on, or, what may happen to them or others’. While it may again be a semantic exercise to distinguish, the APC Standards derogate from the London Artists definition in one significant respect, despite an otherwise word for word repetition. The Standards employ ‘capable of affecting’ in place of ‘such as to affect’, which may support a broader interpretation of ‘public interest’ than that employed in defamation law. While this may be of no account to privacy laws, the question ‘where does public interest stop and the right to privacy start?’[11] arises from this definition. ‘Capable of affecting’ suggests a matter is of public interest if it has the potential to affect people at large, whereas ‘such as to affect’ suggests that a matter is of public interest if it will affect people at large. The possibility of a substantial loophole for ‘public interest’ privacy breaches largely depends upon the construction and interpretation of any limits borne by this definition. While the APC appears to have broadened its scope, the size of the loophole remains to be seen from Council adjudications.
The APC Standards consistently use ‘should’ where the NPPs use ‘must’ to confer a privacy obligation. This suggests that the APC applies a lower threshold for compliance than the NPPs by framing their Standards as more of a recommendation than an obligation. The Standards consistently suggest that compliance is not required as a general rule, yet no indication is given for when non-compliance is acceptable and no limits are placed on ‘should’. This may prove particularly difficult when other competing interests are set against the privacy ‘obligations’ of the Standards. Again, when do the competing interests stop and the privacy rights start? The Standards do not determine this, making it possible for privacy rights to be displaced by any other competing interest.
Standard 1 — Collection of personal information
NPP 1.1 states that an organisation must not collect personal information about an individual unless it is necessary for one or more of its functions or activities. The APC Standards state that journalists should seek personal information only in the public interest. The ‘public interest’ umbrella makes ‘collection’ significantly more indeterminable than what is required by the NPPs. The NPPs limit ‘collection’ to that required for the functions/activities of the organisation collecting and the purpose for collecting must be identified under NPP 1.3(c). Yet the Standards allow ‘collection’ whether or not it is necessary or for an identified purpose. As long as public interest is defined excessively broadly, the limits placed on collection by this Standard are relatively insignificant.
The Standards omit all the notification requirements of NPP 1.3. The Act’s media exemption allows the requisite privacy standards to be drafted ‘in the context of’ a media organisation’s activities, yet while it may be impractical to require journalists to give all the information required under NPP 1.3, ‘the propensity of journalists to be less than frank about their intentions when conducting interviews’[12] suggests that at a minimum individuals should be informed as to how their information will be used before it is collected. The surreptitious behaviour condoned by omitting a notification requirement is further emphasised by the exclusion of NPP 1.2 and the framing of para 3 of the Standard. NPP 1.2 provides that personal information must only be collected by lawful and fair means and not in an unreasonably intrusive way. However, para 3 of the Standard leaves open collection by unfair or dishonest means, limiting only publication of that information unless there is an overriding public interest. Again, the public interest concept makes this limitation unnecessarily broad and the derogation from NPP 1.2 to allow the unfair or dishonest collection of personal information is alarmingly invasive. Further in para 3 the Standard goes so far as to preserve the right of the press to act surreptitiously in the gathering of information, which suggests that the APC have drafted this principle to protect the print media’s own privacy invasive behaviours rather than the privacy of individuals.
Finally, the public figure section in para 4 of the Standard is specific to the media context and an addition to the scope of the NPPs. The concluding sentence suggests that ‘public interest’ in relation to ‘public figures’ is limited to ‘their public duties or activities’. This is a welcome limitation to the broad and otherwise largely unrestrained ‘public interest’ qualification, but it is unfortunate that it is the only limit on ‘public interest’ that features in the Standards.
Standard 2 — Use and disclosure of personal information
This Standard states that personal information gathered should only be used for the purpose for which it was intended. ‘Should’ is of particular significance here in that it necessarily suggests that in certain circumstances such information may be used otherwise than as intended, yet no indication is given as to when such circumstances will arise. NPP 2.1 precludes secondary use unless specific exceptions apply, one of which is obtaining the individual’s consent, yet the Standard entirely omits consent and the concept of secondary use despite the fact that ‘should’ foresees uses other than those initially intended.
Paragraph 2 of the Standard provides that an individual supplying personal information should have a reasonable expectation it will be used for the purpose for which it was collected, however the Standards do not require notification and this compounds the inadequacy of the provision. Where notification is not required it is hardly foreseeable that an individual could or would have a reasonable expectation that the information will be used for a purpose where that purpose is not identified. It is also significant that the title of the Standard suggests that ‘disclosure’ is to be regulated here also, yet ‘disclosure’ is confined to disclosure of identifying details and disclosure through the news alone, choosing not to limit or even address disclosures for secondary purposes,[13] disclosures to direct marketing organisations,[14] or the disclosures made to other organisations.[15] As a whole, the Standard appears to place only illusory limits on the use and disclosure of personal information.
Standard 3 — Quality of personal information
NPP 3 requires an organisation to take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up to date. The Standard again uses ‘should’ where the Act uses ‘must’; however, the significant distinction between the two is the Standard’s omission of ‘uses or discloses’. The Standard’s data quality requirements are limited to the collection of information only, which appears to allow information to be used or disclosed whether or not it is accurate, complete or up to date. The collection limitation is insignificant where information is already held by the organisation prior to its commitment to the Standards or where it is not collected by the organisation. While the extent of the loophole depends largely on interpretation of ‘collect’, it is conceivable that at least some uses or disclosures can occur without collection. It can be argued that the most significant threat a media organisation can pose to an individual’s privacy is the use and disclosure of their personal information through the publication and distribution of the organisation’s product. In addition, the uses and disclosures of print media organisations have the capacity to be widespread, extending across the nation and even into other media such as the internet, and this in turn has the potential to increase and exacerbate the harm caused by privacy breaches. Despite this the APC Standards have left a wide loophole for the use and disclosure of information that is incorrect, inaccurate or out of date. Another concern may exist where information is kept for long periods of time in a media organisation’s archives. 
With the omission of a personal information destruction principle like NPP 4.2,[16] extremely limited correction rights under Standard 6[17] and no access to information rights as in NPP 6,[18] the potential for information to become incorrect, inaccurate or out of date while kept over time increases, and any use or disclosure of such information is without remedy under the Standards. This is a serious limitation on the scope of the APC Standards despite there being no apparent ‘reason why the media should not be subject to the same obligations as other businesses in relation to data quality’.[19]
Standard 4 — Security of personal information
NPP 4.1 requires protection for personal information from ‘misuse and loss and from unauthorised access, modification or disclosure’, yet the Standard only ‘recommends’ protection for personal information from ‘misuse, loss or unauthorised access’. By omitting unauthorised ‘modification or disclosure’ the scope of the security and protection provided by the Standard is significantly limited. While ‘unauthorised access’ is restricted it is still conceivable that a person with authorised access could modify or disclose personal information without authorisation to do so, yet despite this possibility the Standard seems to allow such practices. Excluding unauthorised modification or disclosure as a security breach becomes particularly serious given the absence of access rights,[20] the limited correction rights[21] and the inadequate data quality provisions[22] in the Standards. Not only is it possible for information to be modified or disclosed without authorisation, it is also possible for that information to be incorrect, inaccurate or out of date and if it is, or becomes so by the unauthorised modification, there is little the individual can do to access or correct it. Unauthorised disclosure of such information would extend the widespread damage already possible through the individual media organisation to whoever has obtained the information without authorisation and to whoever they pass it. As a result, this Standard allows for quite serious security breaches with potentially far reaching and injurious consequences.
Standard 4 also omits an equivalent to NPP 4.2 which obliges an organisation to ‘destroy or permanently de-identify personal information’ that is no longer needed for any purpose. This exclusion means that the APC Standards allow the indefinite retention of personal information whether it is needed or not. In the media activities context it is understandable that a media organisation may wish, or even need, to retain information for use at a future time. Indeed, the APC was keen to point out in its submission to the Attorney-General that press activities cannot be constrained by a notion of immediacy,[23] often requiring taking into account past events and personal information collected at a previous time. However, this does not prevent a Standard similar to NPP 4.2 where the focus is on information that is no longer necessary. The ability to retain information indefinitely under the Standards again becomes particularly problematic with consideration of the absence of access rights,[24] limited correction rights[25] and the inadequate data quality[26] and security provisions in the Standards. The loophole for communicating inaccurate, incomplete or out of date personal information is amplified through the cumulation of inadequate Standards, which is quite an unsatisfactory result.
Standard 5 — Anonymity of sources
NPP 8 requires an organisation to give individuals the option of dealing anonymously with them where it is lawful and practicable. Standard 5, on the other hand, only states that individuals are entitled to seek anonymity, in which case their identity should not be revealed. Nigel Waters suggests that Standard 5 ‘is about non-disclosure’ rather than allowing individuals to deal anonymously with the media organisation.[27] The difficulty in the Standard for an individual who does not want their identity revealed is the use of ‘should’ in ‘identity of confidential sources should not be revealed’. Individuals are not given the opportunity of dealing with a media organisation anonymously under the Standard and, while they are entitled to seek anonymity, the strongest reassurance the Standard offers is that their identity ‘should not’ be revealed and any personal information retained by the organisation ‘should not’ identify them. As a result the Standard is not particularly convincing and is no match for the privacy options provided by NPP 8.
Standard 6 — Correction, fairness and balance
The first paragraph of this Standard quite importantly addresses issues specific to the media context that the NPPs do not, requiring fairness and balance in a publication that singles out an individual for criticism. Unfortunately the impact of this provision is again lessened by the use of ‘should’. The possibility of ‘failing’ to provide fairness and balance is actually addressed despite the fact that providing fairness and balance is the requirement of the provision. The ‘failing that’ provision is somewhat vague and may be of limited value. What constitute ‘a reasonable and swift opportunity’, ‘a balancing response’ or ‘the appropriate section of the publication’ are undefined and this becomes particularly problematic when it is considered that the media organisation publishing the response, and not the singled out individual, controls where, when and how the response will be published, if at all. The protection the provision affords depends largely on its interpretation, however it remains a potentially important addition in the media privacy context.
The second paragraph of Standard 6 provides the only correction rights available under the APC Standards, and in comparison to the NPPs’ access and correction rights they are limited and qualified in a number of respects. There is no equivalent to NPP 6.1 in the Standards, which means that individuals have no rights of access to the personal information held about them by a media organisation. The Organisation for Economic Cooperation and Development (OECD) Guidelines on the Protection of Privacy suggest that the ‘right of individuals to access and challenge personal data is generally regarded as perhaps the most important privacy protection safeguard’[28] and in this respect, the omission of an access provision in the Standards makes them inadequate in both the Australian and international privacy contexts. The difficulty of having no access provision is of further concern in these Standards given the inadequacies of the data quality and security Standards already discussed. While it may be unreasonable to grant access to specific information or at specific times, like when a story is in preparation, this does not prevent a modified right of access for the media context being included in the Standards.[29] Since there is no general right of access to information held by a media organisation, the only right of correction in the Standards is where ‘harmfully incorrect’ material has been published, at which point a media organisation should take steps to correct its records ‘so as to avoid a harmful inaccuracy being repeated’. In this sense, the correction right in the Standard only provides protection from a repeat privacy breach, whereas under the NPPs it is enough that the breach has occurred once. The right is further qualified to apply to ‘harmfully incorrect’ material only, whereas NPP 6.1 provides correction rights for inaccurate, incomplete or out of date information, whatever the impact of it being so.
As a result, the Standard’s correction rights are dangerously limited to situations where a harmful breach has already occurred, and one might argue, where the damage has already been done.
Under the APC’s pre-existing Statement of Principles, an organisation must print, ‘promptly and with appropriate prominence, such retraction, correction, explanation or apology as will neutralise the damage so far as possible’ of such a breach.[30] This effectively places control of correction in the hands of the media organisation, further limiting any rights the individual may have. Making amends by ‘retraction’ or ‘explanation’ are options available to the organisation, as well as ‘correction’. However it appears ludicrous to suggest that publication of ‘harmfully inaccurate’ information can be remedied by simple ‘explanation’. What is more, the principle allows a media organisation in control of correcting harmfully inaccurate information published by them to minimise the impact of any blameworthiness by ‘correcting’ in another form. Yet as Jennifer Mullaly suggests ‘privacy, once breached, cannot be restored by more speech — to do so repeats the breach and may compound the harm suffered’.[31] As a whole, publishing ‘amends’ is in practice an unsatisfactory remedy that protects the privacy invasive interests of the media rather than the privacy of the individual.
Standard 7 — Sensitive personal information
The APC uses the existing ‘sensitive information’ definition in place in Principle 7 of their Statement of Principles for the purposes of the Standards. The Act’s definition of ‘sensitive information’ at s 6 covers a wider range of information, whereas the APC definition appears to define as sensitive only the type of personal information subject to anti-discrimination laws. In this same vein, the Standards employ ‘gratuitous emphasis’ to limit the use of sensitive information. The result is what appears to be a misapplied definition that, while it may satisfy anti-discrimination requirements, applies a high threshold for a breach in relation to sensitive personal information in the privacy context; as Nigel Waters questions, ‘do they really mean that gratuitous emphasis can sometimes be justified?’[32] What is perhaps even more alarming is that the Standard goes further, allowing gratuitous emphasis on sensitive personal information if it is in the ‘public interest’. While this again begs the question of when the public interest will stop and privacy rights start, it also suggests that the scope of public interest will be broad enough to include circumstances of gratuitous emphasis on sensitive information and this scope may have significant impact on the ‘public interest’ loopholes scattered throughout the Standards.
While NPP 10 regulates the collection of sensitive information, the Standards’ sensitive information protection only applies at the point of use, and then only gratuitous use. NPP 10.1 also requires consent as the threshold for collecting sensitive information, while the Standards omit any notion of consent at all. In effect, sensitive information is arguably no more regulated under the Standards than ordinary personal information, yet there is no indication as to why this must necessarily be so. The potential for harm as a result of unregulated and far reaching media use of such information suggests that this is simply not adequate.
Paragraph 2 of Standard 7 addresses public concerns about the media’s treatment of sensitive social issues such as suicide and grief[33] by regulating the privacy of victims and bereaved persons. While this is an important addition to the privacy obligations placed on media organisations, it may be suggested that a right of refusal or termination of an interview should apply to all individuals seeking to protect their privacy, particularly in view of the fact that the NPPs do not distinguish between different categories of individual.
Missing NPPs
The Standards provide no equivalent to the NPP 5 principle of openness, which requires organisations to make personal information management policies available to anyone who asks for them, and on request let individuals know generally what sort of personal information they hold, for what purposes and how that information is collected, held, used and disclosed. There is no reason why a media organisation should not be subject to principles of openness.[34] It may even be suggested that the APC’s exclusion of openness principles is somewhat hypocritical given that they are strong advocates of freedom of information and the freedom ‘to be informed’.[35] The unfortunate conclusion to be drawn from this omission is that the APC member media organisations have something to hide as regards their personal information practices, and this clearly is not satisfactory.
NPP 7, which regulates the use of identifiers, has also been omitted from the APC Standards, despite the fact that it is possible for an individual’s identity to be reasonably ascertained by a personal identifier. This may provide a way to bypass any limitation on the use of identifying personal information in the Standards unless identifiers can be included in the interpretation of ‘personal information’.
Finally, there is no NPP 9 equivalent to regulate transborder data flows. This is particularly problematic given that media organisations ‘deal’ in information, much of which is personal, and may conceivably deal in the transfer of information across national borders. This omission significantly limits the Standard’s protection of personal information to collection, uses and disclosures within Australia, despite the possibility that information may be sent out of the country. Further, the European Union directive on personal data protection restricts transfer of personal information to countries providing ‘an adequate level of protection’ for that information.[36] Media organisations acting under the APC Privacy Standards may also find that information exchanges with European Union Member States are inhibited by the inadequacies of the APC Standards as well as by the absence of a transborder data flow principle.
The media exemption in s 7B(4) of the amended Privacy Act is available to media organisations who are publicly committed to standards that deal with privacy in the context of the activities of a media organisation. In this sense, the Act itself envisages that the media context will result in relative differences between the NPPs and any Privacy Standards drafted for the purposes of gaining exemption. Yet beyond any variation that may be required for media activities, many provisions of the APC Privacy Standards do not measure up to Australian privacy standards or, in some instances, international privacy standards, and often there is no apparent reason why they do not. Many of the individual Standards appear to mesh together, cumulating to provide widened loopholes for the media and the potential for significantly widespread privacy breaches. To some extent, the APC Standards even appear to protect the privacy invasive practices of the media under the guise of privacy protection for individuals, having their ‘cake’ by gaining the media exemption and ‘eating it too’ by maintaining surreptitious privacy invasive practices. However, despite the obvious and sometimes alarming inadequacies of the APC Privacy Standards, the terms of the Act’s exemption do not require approval of the requisite Standards, or even a minimum level of privacy protection. Theoretically the Act permits whatever the media organisation decides to put under the heading of ‘Privacy Standards’ as long as they are publicly committed to them. In this sense the APC has done everything it needs to gain exemption for its members from the Act.
Kristy Mellor is a final year Law student at the University of Wollongong, with a particular interest in media and entertainment law. She undertook a summer clerkship with Channel 7’s legal department in 2003. She can be contacted at <klm18@uow.edu.au>.
This paper was originally prepared as a research assignment for the Southern Cross University Summer Law School in Byron Bay in December 2002.
Endnotes
[1]. Herman J R ‘New Privacy Act’ (2001) 13(1) Australian Press Council News 1, available at <www.presscouncil.org.au/pcsite/public/feb01/privacy.html>.
[2]. Dixon T ‘Introduction’ Private Sector Privacy Hand Book looseleaf CCH Sydney 2001 p 1102, quoted in Privacy and the Private Sector Readings Vol 1 2002 p 25.
[3]. APC Privacy Standards available at <www.presscouncil.org.au/pcsite/priv_stand.html>.
[4]. Privacy Act s 18BB(2).
[5]. Dixon, above note 2 at p 1104 (p 27 of the Readings).
[6]. Above note 2.
[7]. Waters N ‘Can the media and privacy ever get on?’ (2002) 8(8) PLPR 151; Brook S ‘Speaking freely — the conflict between privacy and your right to know — the privacy bar’ The Australian 20 December 2001 p B01.
[8]. Above note 7.
[9]. ‘Opinion’ is specifically included in the definition of a ‘media organisation’ found in s 6 of the Privacy Act.
[10]. London Artists Ltd v Littler [1968] 1 WLR 607.
[11]. McLeod C ‘Excessive privacy laws undermine democracy’ (1999) 11(2) Australian Press Council News 1, available at <www.presscouncil.org.au/pcsite/public/may99/privacy.html>.
[12]. Waters, above note 7 at 153.
[13]. Privacy Act NPP 2.1.
[14]. Privacy Act NPP 2.1.
[15]. Privacy Act NPP 1.3(d).
[16]. Discussed below in relation to Standard 4.
[17]. Discussed below in relation to Standard 6.
[18]. Discussed below in relation to Standard 6.
[19]. Brook, above note 7.
[20]. Discussed below in relation to Standard 6.
[21]. Discussed below in relation to Standard 6.
[22]. Discussed above in relation to Standard 3.
[23]. APC ‘Submission to the Federal Attorney-General in response to the information paper, The Government’s proposed legislation for the protection of privacy in the private sector, September 1999 made on 13 October 1999’ p 4, available at <www.presscouncil.org.au/pcsite/fop/privsect.html>.
[24]. Discussed below in relation to Standard 6.
[25]. Discussed below in relation to Standard 6.
[26]. Discussed above in relation to Standard 3.
[27]. Waters, above note 7 at 153.
[28]. OECD ‘Explanatory Memorandum’ of the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data 23 September 1980 p 14, available at <www.oecd.org/EN/document/0,,EN-document-0-nodirectorate-no-24-10255-0,00.html>.
[29]. Waters, above note 7 at 153.
[30]. APC Statement of Principles 1, available at <www.presscouncil.org.au/pcsite/complaints/sop.html>.
[31]. Mullaly J ‘Privacy: are the media a special case?’ (1997) 16(1) Communications Law Bulletin 11.
[32]. Waters, above note 7 at 153.
[33]. Waters, above note 7 at 153; Kirkman D ‘Privacy’ (1999) 11(3) Australian Press Council News available at <www.presscouncil.org.au/pcsite/public/aug99/privacy.html>.
[34]. Above note 7.
[35]. Above note 30 at 1; above note 23 at 2-3.
[36]. European Union ‘Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data’ Article 25(1) Official Journal of the European Communities L 281 23 November 1995 at 31 (quoted in the Privacy and the Private Sector Readings Vol 1 2002 p 58).
URL: http://www.austlii.edu.au/au/journals/PrivLawPRpr/2003/24.html