Privacy Matters Autumn 2007

Download PDF

Downlad PDF - Web - 905KB | Downlad PDF - Print - 3.14MB

Privacy Matters - Archived Issues

Volume 1 Issue 3 Autumn 2007

Commissioner's Message

So far, 2007 has been a positive and full year for the Office.

Firstly, there is the Australian Law Reform Commission's (ALRC) review of privacy. The ALRC has been commissioned to review Australia's privacy laws and to make recommendations to ensure the laws continue to provide an effective framework for the protection of privacy in Australia. This Review presents a once in a generation opportunity to influence the shape of privacy law in Australia for many years to come.

Meanwhile, there is an important role for the Office with the development of the Government's proposed Health and Social Services Access Card. The Access Card will affect most of Australia's population. As such it is important that privacy issues are addressed in the design stage.

Work has also been done in other areas which involve privacy issues, including in relation to anti-money laundering legislation, unique health identifiers, and the Do Not Call Register.

As well as continually improving our compliance performance, my Office has been fully engaged as we contribute in constructive and meaningful ways to these initiatives.

Most significantly, we have prepared two major submissions to the ALRC. These submissions examine the state of privacy regulation today, and make recommendations to enhance our privacy framework in the 21st century.

Over the past few months, my Office has also made five submissions on aspects of the Access Card. This series of submissions continues to provide constructive advice and comment to Government to ensure that privacy and security concerns are addressed appropriately as the Access Card proposal is developed.

The feature articles in this Autumn edition of Privacy Matters provide a useful synopsis of my Office's ALRC submissions. This issue also includes other information such as upcoming Office events, initiatives and news.

I am particularly excited about the upcoming Privacy Awareness Week, to be held in late August, and our competition for school students. It is the first time that privacy authorities in Australia, New Zealand, Hong Kong and Korea will co-operate to collectively raise awareness of privacy across the Asia Pacific. This is especially pleasing in the year that Australia is host to APEC.

Karen Curtis

Is Privacy Passé? – the ALRC Privacy Review

In 1983, the Australian Law Reform Commission (ALRC) released a report on privacy. At that time, the ALRC noted that Australian society was expressing concern about loss of privacy and about inadequacies in privacy protection, and was demanding that steps be taken to more effectively protect privacy. The work done by the ALRC culminated in the enactment of the Privacy Act 1988 (Cth).

A great deal has changed since 1988. There have been changes in the way Australians think about privacy, changes to the manner and speed in which personal information is handled, particularly as a result of technological developments, and there has also been the evolution of the internet into a mainstream source of public information and interaction. In the experience of the Office, however, one thing hasn't changed. Australians still deeply value their privacy as a fundamental part of living an
independent, fulfilling and dignified life.

The Office believes that, to date, the Privacy Act has served the community well. The challenge now is to ensure that the legislation operates effectively into the future and continues to best serve the diverse needs of the Australian community.

The ALRC's current review of privacy was commissioned following recommendations made in the Office's review of the private sector provisions of the Privacy Act, which were in turn endorsed by the Senate Legal and Constitutional References Committee Review, that a wider review of privacy regulation be undertaken.

The ALRC review is very timely in that it coincides with reviews in other jurisdictions, such as the:

  • NSW Law Reform Commission's review of privacy, which will consider issues such as the desirability of uniform privacy protection principles across Australia, and the desirability of introducing a tort of privacy in NSW;
  • Victorian Law Reform Commission's inquiry into surveillance in public places; and
  • New Zealand Law Commission's review of privacy laws, which may provide an opportunity for greater harmonisation of trans-Tasman privacy regulation.

The ALRC has released two issues papers: Issues Paper 31 (IP31) - Review of Privacy, and Issues Paper 32 (IP32) - Review of Privacy: Credit Reporting Provisions. In response to IP31, the Office has made a 474-page submission which offers a range of suggestions of ways to address privacy issues in areas as diverse as health, technology, complaint handling and telecommunications. A snapshot of the Office's submission is provided below. For details of the Office's work in relation to IP32, see page 4 of this issue.

Some of the key proposals in the Office's IP31 submission include:

A single set of principles

While the Office is of the view that the existing principles under the Privacy Act are operating well, it believes there would be benefit in introducing a single set of principles to replace the IPPs and NPPs. In the Office's view, a single set of privacy principles would encourage greater regulatory consistency and simplicity, while maintaining or improving existing protections. Regulatory consistency will benefit both businesses and individuals by reducing compliance difficulties for organisations, and empowering individuals to understand and exercise their privacy rights without confusion as to their legal entitlements.

Technological neutrality

The Office believes that a technologically-neutral principles-based approach, along with provision for the Privacy Commissioner to make specific binding codes where a clearly defined privacy risk emerges, is the best way to deal with the impact of rapidly developing technology on information handling.

Addressing systemic privacy issues

Generally, the Office finds that the Privacy Act contains appropriate provisions to support the Office's role as an effective complaint-handling body. However, the Office submits that the strong focus in the Privacy Act on resolving individual complaints should be balanced with improved provisions for dealing with systemic privacy issues. To this end, the Office has suggested various ways to strengthen the Office's capacity to address the causes of interferences with privacy, not only the effects.

In particular the Office suggests that:

  • the relationship between the Office and other dispute resolution bodies be clarified
  • the Privacy Commissioner be given more ways of dealing with systemic issues, such as enforceable remedies following an own motion investigation, and a targeted private sector audit power
  • the Privacy Commissioner be empowered to make binding codes and
  • public sector agencies be required to undertake Privacy Impact Assessments for new projects or legislation that significantly impact on the collection or handling of personal information.

Coverage of private sector health service providers

The Privacy Act's existing provisions have generally met individuals' expectations regarding the handling of their health information, and afforded appropriate regard to the needs of health service delivery and medical research. However, the Office notes that there is a strong need to clarify the application of the Privacy Act regarding private sector health service providers. The Office suggests that the Privacy Act should be amended to make clear that the NPPs ‘cover the field' for the regulation of private sector health service providers. This would address a key source of uncertainty and potential fragmentation in health
privacy regulation in Australia.

Technology

The Office has made a number of suggestions in relation to technology, including that:

  • biometric information be classed as sensitive information under the Privacy Act, and that any small businesses that handle biometric information be brought under the jurisdiction of the Privacy Act
  • the public sector data-matching guidelines be made binding
  • consideration be given to introducing data-matching regulation for the private sector and
  • consideration be given to introducing a requirement into the Privacy Act which makes it mandatory, in certain circumstances, for organisations to report personal information security breaches.

Other proposals

The Office has also put forward a number of other proposals and views, including that:

  • certain privacy principles could be extended to the personal information of deceased persons
  • it generally believes there are several positive arguments for the development of a tort of privacy, and therefore encourages the ALRC to further examine the issue
  • in relation to individuals with a decision-making disability, it believes that certain problems, such as disclosure of information to representatives, can be addressed without legislative amendment e.g. by providing additional guidance and
  • in relation to health and medical research, while the existing regulatory framework does provide appropriate privacy assurances, the enabling provisions for the section 95 and 95A mechanisms could be harmonised.

ALRC Privacy Review - Credit Reporting Provisions

In 1990, when the credit reporting provisions of the Privacy Act were introduced, few of us would have anticipated that we would soon be able to apply for credit online from a home computer. The changes in the consumer credit industry since that time have been wide ranging, with more credit providers now offering a greater range of products and many more of us taking out credit.

Recently, the ALRC published its Issues Paper 32, Review of Privacy - Credit Reporting Provisions (IP32). The Office has welcomed this timely review and has made a submission to IP32, answering the 38 questions posed by the ALRC and making 65 recommendations aimed at improving the credit reporting provisions.

The Office's experience as a regulator and our research into community attitudes to privacy tell us that the protection of personal financial information remains an important privacy concern for the community. This is because of the serious consequences that may arise for individuals through the mishandling of their financial personal information. Although the consumer credit industry has changed greatly since 1990, the purpose of the credit reporting provisions of the Privacy Act to protect the privacy of personal credit information has not.

For this reason, the Office strongly supports retaining the credit reporting provisions in the Privacy Act. However, one of our main recommendations is to replace the current provisions with an enforceable credit code that sits under the Privacy Act. Such a code could operate in concurrence with the National Privacy Principles and would include all the additional, special requirements for the handling of personal credit information.

The Office believes this reform will reduce the complexity of the credit reporting provisions and assist individuals to better understand their rights. It will also help the wide variety of credit providers to understand and comply with their legal obligations.

The Office has suggested to the ALRC that there should be a range of options for dealing with credit reporting breaches that reflect the type or seriousness of the breach, and would achieve the best outcome for individuals. Importantly, the Office believes that the Privacy Commissioner should be given stronger powers to handle systemic issues relating to credit reporting activities and issues arising from industry practice. In addition, taking into account the fact that the current level of penalties for breaches has not changed since 1990, the Office has recommended that these be revised accordingly.

The Office has also responded to the issue of comprehensive (or 'positive') credit reporting discussed by the ALRC in IP32. In its different forms, comprehensive credit reporting allows a much wider range of personal information to be included in an individual's credit file than is currently allowed in Australia. For example, the number, type, limit, balance and age of all credit accounts held by an individual could all be included. The Office does not currently support the introduction of such systems in Australia and has recommended that independent research be undertaken into the impact that comprehensive credit reporting would have in Australia, before any decision is made to introduce it.

Overall, the Office's response to IP32 reflects our continuing commitment to helping Australians retain choice and control over the use of their personal credit information, while balancing the needs of business.

Privacy Commissioner implements new response timeframes

Timeliness in the Office's complaints process is crucial to the speedy and effective administration of the Privacy Act. In response to the recent Complaint Handling Review, the Privacy Commissioner has approved various changes to the Office's procedures to ensure timeliness.

Notably, the Commissioner has reduced the standard timeframe given to respon-dents and complainants to address investigation and preliminary view letters. Our new timeframe now accords with other government and private sector complaint handling bodies. Responses will now be expected within 21 days, not 28 days. In reasonable cir-cumstances, including complex matters, we will agree to respondents and complainants having more time to respond.

The Commissioner has also approved a number of changes to the way the Office deals with unresponsive complainants and respondents. In general, the Office will be clearer with parties about our expectations and powers. More specifically, we will inform the parties about our ability to close matters, make a decision in the absence of a re-sponse from either party, or compel the production of records. We will look to use these powers earlier where appropriate.

To ensure procedural fairness, the parties will be made aware of respective time lim-its for relevant steps before and during the complaint process, and the consequences of failing to respond. Flexibility will be maintained in the new standards in relation to timeli-ness, for example, where a party's circumstances require an extension of time or where they provide acceptable reasons for a delay.

In accordance with another recommendation of the Complaint Handling Review, the Office has reviewed its own timeliness when dealing with complaints and enquiries. We are developing clearer internal standards to ensure we respond to correspondence and complaint matters within specific timeframes.

Privacy Connections breakfast and lunch forums

Photo: Privacy Commissioner, Karen Curtis, Greg Paull, from the Chamber of Commerce and Indusrty Western Australia and Suzanne Pigdon at the Privacy Connections breakfast in Perth on 11 May.
Photo: Privacy Commissioner, Karen Curtis, Greg Paull, from the Chamber of Commerce and Indusrty Western Australia and Suzanne Pigdon at the Privacy Connections breakfast in Perth on 11 May.

The Office, in partnership with Business SA and the Chamber of Commerce and Industry of WA, recently presented two Privacy Connections breakfast forums. They featured presentations by the Privacy Commis-sioner, Karen Curtis, and Suzanne Pigdon, the former Privacy and Customer Advocacy Manager for Coles Myer Group.

The events were held in Adelaide on Thursday 10 May and Perth on Friday 11 May. The breakfasts were the first Privacy Connections events to be held in South Australia and Western Australia, and were very well attended and received. They were the culmination of a successful partnership with the States' respective Chambers of Commerce, and demonstrated the Office's ongoing commitment to working with the business community to promote good privacy practice across the country.

In July, there will be a further series of forums, this time featuring special international guest speaker Pe-ter Cullen (Chief Privacy Strategist - Microsoft). This series includes events in:

  • Brisbane on 2 July 2007 (lunch)
  • Melbourne on 3 July 2007 (breakfast)
  • Canberra on 4 July 2007 (lunch)
  • Sydney on 5 July 2007 (breakfast).

For more details on Office and other privacy events please visit our online events calendar at www.privacy.gov.au/calendar.

For more information on the Privacy Connections network, as well as how to join, see our Privacy Connec-tions webpage at www.privacy.gov.au/business/network.

Comings and Goings

The Office recognises a few notable appointments and resignations that have taken place in the privacy community recently.

Northern Territory Information Commissioner resigns

Peter Shoyer, the Northern Territory Information Commissioner, has resigned effective 9 March 2007. Peter was the Northern Territory's first Information Commissioner, and served the community with distinction in this role since 2003. The Office wishes him well in all his future endeavours.

Taking up the role vacated by Peter is Zoe Marcham, who is now the Acting Information Commissioner.

Victorian Privacy Commissioner appointed

Helen Versey has been appointed by the Victorian Attorney-General as the Victorian Privacy Commissioner, effective 13 March 2007.

Prior to this appointment, Ms Versey had been Acting Privacy Commissioner since 2006, and Deputy Privacy Commissioner since late 2001.

Ms Versey succeeds Paul Chadwick, Victoria's first Privacy Commissioner, whose term expired on 29 July 2006.

UK Information Commissioner reappointed

Richard Thomas has been appointed for a second term as the Information Commissioner for the United Kingdom. He will not, however, serve his full five-year term, instead standing down in June 2009, when he turns 60.

Mr Thomas was appointed as Commissioner in November 2002. His warning in 2004 that the UK was "sleepwalking into a surveillance society" has received widespread coverage.

Do Not Call Register

In response to increasing community concern about the growth in unsolicited telemarketing calls, the Australian Government has establised a Do Not Call Register.

Individuals can have their telephone numbers included on the Register. Subject to certain exemptions, it will generally be against the law for unsolicited telemarketing calls to be made to any number listed on the Register.

For registration information visit the Do Not Call Register website at www.donotcall.gov.au. Telephone registrations are available from 22 May 2007 on 1300 792 958.

Further details are also available on the Australian Communications and Media Authority's website at www.acma.gov.au.

Privacy Awareness Week 26 August - 1 September

Asia Pacific Privacy Authorities

Privacy Competition

The Asia Pacific Privacy Authorities (APPA) are promoting privacy via a

written competition aimed at secondary school students.

Prizes will be awarded during Privacy Awareness Week, 26 August - 1 September 2007.

Prizes include:

Laptop computer and gift vouchers

Entries close:

3 August 2007

Further information:

www.privacyawarenessweek.org

Office bids adieu to Chris Cowper

Photo: (from left) Timothy Pilgrim, Deputy Commissioner, Chris Cowerper, Karen Curtis, Privacy Commissioner, and Mark Hummerston, Assistant Privacy Commissioner, at Chris' farewell.
Photo: (from left) Timothy Pilgrim, Deputy Commissioner, Chris Cowerper, Karen Curtis, Privacy Commissioner, and Mark Hummerston, Assistant Privacy Commissioner, at Chris' farewell.

Current and former members of the Office recently gathered together to bid farewell to Chris Cowper, the Office's long-serving Compliance and former Policy Director. Chris completed her distinguished period of service with the Office on 13 April 2007.

Chris Cowper started in privacy when it was still a part of the Human Rights and Equal Opportunity Commission in April 1991. She has watched the Office grow from the days when it was only a handful of people looking after the IPPs, into the much larger and more diversified operation that it is today. Chris leaves the public service having served the Australian community for 23 years.

We thank Chris for her dedication and commitment to privacy and wish her all the very best for her future career.

Diary Notes

  • Asia Pacific Privacy Authorities (APPA) Forum: 22-23 June 2007, Cairns

  • APEC Data Privacy Seminar: 25-26 June 2007, Cairns (for information on how to register, see www.ag.gov.au/apec_privacy)

  • Privacy Connections forums, featuring Peter Cullen (Chief Privacy Strategist - Microsoft):
    • 2 July 2007, Brisbane (lunch)
    • 3 July 2007,
    • Melbourne (breakfast)
    • 4 July 2007, Canberra (lunch)
    • 5 July 2007, Sydney (breakfast)

  • APPA Privacy Awareness Week privacy competition closing date: 3 August 2007

  • Privacy Awareness Week, presented by APPA: 26 August - 1 September 2007.

For more diary notes or to submit an event please visit our online events calendar: www.privacy.gov.au/calendar

Recent Submissions

In addition to its extensive ALRC submissions (see feature articles in this issue), the Office has also made a significant number of other submissions since the last newsletter, including in relation to the:

  • Access Card Consumer and Privacy Taskforce's Discussion Paper Number 3 on the registration process for the Australian Government Health and Social Services Access Card
  • Administrative Review Council's draft Report into Government Agency Coercive Information-Gathering Powers
  • Access Card Consumer and Privacy Taskforce's Discussion Paper Number 2 on Voluntary Medical and Emergency Information (in relation to the Australian Government Health and Social Services Access Card)
  • Department of Communications, Information Technology and the Arts' draft of Telecommunications Integrated Public Number Database Legislative Instruments 2007
  • National E-Health Transition Authority's consultation on version 1.0 of the Unique Health Identifiers Privacy Blueprint
  • Australian Communications and Media Authority's Telecommunications Integrated Public Number Database Scheme 2007 consultation draft
  • AUSTRAC's Draft Consolidated Anti-Money Laundering & Counter-Terrorism Financing Rules
  • Senate Finance and Public Administration Committee's Inquiry into the Human Services (Enhanced Service Delivery) Bill 2007
  • Senate Legal and Constitutional Affairs Committee's Inquiry into the AusCheck Bill 2006
  • Australian Attorney-General's Department's Exposure Draft of the Telecommunications (Interception and Access) Amendment Bill 2007
  • Australian Attorney-General's Department's Discussion Paper 1 on the Review of the law on Personal Property Securities and
  • Australian Communications and Media Authority's Telecommunications (Do Not Call Register) (Telemarketing and Research Calls) Draft Industry Standard 2006.

To see the Office's submissions go to our website: www.privacy.gov.au/publications/index.html#S

PCO Meetings

Photo: Australian and ACT Government Privacy Contact Officers (PCOs) attending a regular PCO Network meeting in Canberra.
Photo: Australian and ACT Government Privacy Contact Officers (PCOs) attending a regular PCO Network meeting in Canberra.

The Office coordinates a network of Australian and ACT Government Privacy Contact Officers (PCOs), usually organising meetings four times a year to discuss current privacy issues. The Office strongly encourages Australian and ACT Government agencies to have a PCO. The PCO should be the first point of contact for advice on privacy matters related to that agency.

If your agency does not currently have a PCO please contact the Office's Privacy Enquiries line on 1300 363 992 or email pco@privacy.gov.au for more details on how to join the Network.

Return