The Australian Privacy Charter was launched in December 1994. It was developed by a specially-formed group which styled itself the Australian Privacy Charter Council (APCC). This was established in 1992, under the Chairmanship of Justice Michael Kirby, to develop a Privacy Charter comprising principles which would encompass and apply:
- to all forms of privacy and surveillance (i.e. not just information privacy); and
- to both private and public sector organisations and their clients.
APCC comprised 25 invited members with backgrounds in law, business, auditing, information technology, security, privacy, media and politics. The final draft was sent to representatives of other relevant organisations and community groups throughout Australia and privacy advocates in Australia and overseas.
[The Council was wound up in 2002 and the Charter transferred to the Australian Privacy Foundation. The Council’s web site was archived in June 2003 and transferred to https://privacy.org.au/apcc/.]
Australians value privacy. They expect that their rights to privacy be recognised and protected.
People have a right to the privacy of their own body, private space, privacy of communications, information privacy (rights concerning information about a person), and freedom from surveillance.
‘Privacy’ is widely used to refer to a group of related rights which are accepted nationally and internationally. This Charter calls these rights ‘privacy principles’.
Privacy Principles comprise both the rights that each person is entitled to expect and protect, and the obligations of organisations and others to respect those rights.
Personal information is information about an identified person, no matter how it is stored (eg sound, image, data, fingerprints).
A free and democratic society requires respect for the autonomy of individuals, and limits on the power of both state and private organisations to intrude on that autonomy.
Privacy is a value which underpins human dignity and other key values such as freedom of association and freedom of speech.
Even those privacy protections and limitations on surveillance that do exist are being progressively undermined by technological and administrative changes. New forms of protection are therefore required.
Privacy is a basic human right and the reasonable expectation of every person. It should not be assumed that a desire for privacy means that a person has ‘something to hide’. People who wish to protect their privacy should not be required to justify their desire to do so.
The maintenance of other social interests (public and private) justifies some interferences with privacy and exceptions to these Principles. The onus is on those who wish to interfere with privacy to justify doing so. The Charter does not attempt to specify where this may occur.
The following Privacy Principles are a general statement of the privacy protection that Australians should expect to see observed by both the public and private sectors. They are intended to act as a benchmark against which the practices of business and government, and the adequacy of legislation and codes, may be measured. They inform Australians of the privacy rights that they are entitled to expect, and should observe.
The Privacy Charter does not attempt to specify the appropriate means of ensuring implementation and observance of the Privacy Principles. It does require that their observance be supported by appropriate means, and that appropriate redress be provided for breaches.
Technologies, administrative systems, commercial services or individual activities with potential to interfere with privacy should not be used or introduced unless the public interest in so doing outweighs any consequent dangers to privacy.
Exceptions to the Principles should be clearly stated, made in accordance with law, proportional to the necessities giving rise to the exception, and compatible with the requirements of a democratic society.
Individual consent justifies exceptions to some Privacy Principles. However, ‘consent’ is meaningless if people are not given full information or have no option but to consent in order to obtain a benefit or service. People have the right to withdraw their consent.
In exceptional situations the use or establishment of a technology or personal data system may be against the public interest even if it is with the consent of the individuals concerned.
An organisation is accountable for its compliance with these Principles. An identifiable person should be responsible for ensuring that the organisation complies with each Principle.
Each Principle should be supported by necessary and sufficient measures (legal, administrative or commercial) to ensure its full observance, and to provide adequate redress for any interferences with privacy resulting from its breach.
There should be a policy of openness about the existence and operation of technologies, administrative systems, services or activities with potential to interfere with privacy.
Openness is needed to facilitate public participation in assessing justifications for technologies, systems or services; to identify purposes of collection; to facilitate access and correction by the individual concerned; and to assist in ensuring the Principles are observed.
People have a right to conduct their affairs free from surveillance or fear of surveillance. ‘Surveillance’ means the systematic observation or recording of one or more people’s behaviour, communications, or personal information.
People who wish to communicate privately, by whatever means, are entitled to respect for privacy, even when communicating in otherwise public places.
People have a right to private space in which to conduct their personal affairs. This right applies not only in a person’s home, but also, to varying degrees, in the workplace, the use of recreational facilities and public places.
Interferences with a person’s privacy such as searches of a person, monitoring of a person’s characteristics or behaviour through bodily samples, physical or psychological measurement, are repugnant and require a very high degree of justification.
People should have the option of not identifying themselves when entering transactions.
The minimum amount of personal information should be collected, by lawful and fair means, and for a lawful and precise purpose specified at the time of collection. Collection should not be surreptitious. Collection should be from the person concerned, if practicable.
At the time of collection, personal information should be relevant to the purpose of collection, accurate, complete and up-to-date.
Personal information should be relevant to each purpose for which it is used or disclosed, and should be accurate, complete and up-to-date at that time.
People should have a right to access personal information about themselves, and to obtain corrections to ensure its information quality.
Organisations should take reasonable measures to make people aware of the existence of personal information held about them, the purposes for which it is held, any legal authority under which it is held, and how it can be accessed and corrected.
Personal information should be protected by security safeguards commensurate with its sensitivity, and adequate to ensure compliance with these Principles.
Personal information should only be used, or disclosed, for the purposes specified at the time of collection, except if used or disclosed for other purposes authorised by law or with the meaningful consent of the person concerned.
Personal information should be kept no longer than is necessary for its lawful uses, and should then be destroyed or made anonymous.
Where personal information is collected under legislation and public access is allowed, these Principles still apply except to the extent required for the purpose for which public access is allowed.
People should not have to pay in order to exercise their rights of privacy described in this Charter (subject to any justifiable exceptions), nor be denied goods or services or offered them on a less preferential basis. The provision of reasonable facilities for the exercise of privacy rights should be a normal operating cost.
See also Dixon T. ‘Privacy Charter sets new benchmark in privacy protection’ PLPR 2, 3 (April 1995) 41