Privacy Matters Summer Newsletter 2008
Volume 2 Issue 2 Summer 2008
Minister’s Message
Photo: Senator the Hon John Faulkner, Special Minister of State and Cabinet Secretary.
Australia has well and truly entered the information age. Technological
change has brought exciting possibilities – and new challenges. One of these key
challenges is privacy policy.
The way we store, use and think about information has changed dramatically
since the Privacy Act 1988: before the development of internet search engines,
before computerised customer databases or large-scale data-matching. The
question of privacy and social networking sites such as Facebook is just one of
many emerging issues driven by accelerating technological change.
The Rudd Labor Government will take a comprehensive approach, encompassing
both the citizen’s right to know (FOI) and the citizen’s right to privacy.
Our election policy to introduce a Commissioner with responsibility for FOI
issues while preserving the existing role of the Privacy Commissioner reflects
the need for a coherent approach to the different aspects of information
management in public and private sectors. In our approach to policy in this area
we will take careful note of the concerns of business, faced with balancing
commercial imperatives with privacy protections, as well as the needs of
individuals concerned about the security and release of their personal
information.
The Australian Law Reform Commission’s review of Australian privacy laws is
due shortly. The Government will consider any recommended reforms with the aim
of improving the privacy framework. This will be a year in which the new Rudd
Government can start the process of taking up the challenges and opportunities
in the field of privacy and information policy.
Senator the Hon John Faulkner Special Minister of State and Cabinet
Secretary
Commissioner’s Message
Happy New Year and welcome to 2008.
Last year was a constructive and full year for the Office. 2008 promises to
be another positive and challenging year as we give effect to the changes in
administrative arrangements orders, provide advice to the Government as it
responds to the ALRC report on privacy, continue to resolve complaints as
expeditiously as possible, undertake an expanded audit program, progress the
implementation of the APEC privacy framework, and address the impact of new
technologies on privacy.
In December 2007, the Prime Minister announced that privacy issues would move
from the Attorney-General’s portfolio to the Prime Minister and Cabinet
portfolio. The Government had also announced during the election campaign that
it would create an Information Commission which would have the dual functions of
administering the Privacy Act and the Freedom of Information Act. As
consideration is given to the implementation of that policy during 2008 there
will be implications for the Office of the Privacy Commissioner.
I look forward to working closely with Senator the Hon John Faulkner, our new
Minister, and the newly elected Government to further improve Australia’s
privacy practices and to address the complexity of privacy regulation in
Australia.
A major achievement in 2007 was the Office’s submission to the ALRC review of
privacy. The ALRC was commissioned in January 2006 to review Australia’s privacy
laws and to make recommendations to ensure the laws continue to provide an
effective framework for the protection of privacy in Australia.
The review presents a once-in-a-generation opportunity to influence the shape
of privacy law in Australia for many years to come and I congratulate my members
of staff that were involved in our submission for making such a valuable
contribution to protecting the privacy of Australians.
The feature article in this newsletter provides a summary of some of the key
positions which my Office submitted to the ALRC.
This issue also includes an article about safeguarding your privacy on social
networking sites; a report on the Asia Pacific Privacy Authorities forum held in
Wellington; and a synopsis of a presentation made to my Office by Martin Abrams,
the Executive Director of a global privacy and information security think tank
located in Washington DC.
2008 also marks the 20th anniversary of the Privacy Act. We will be
undertaking a number of initiatives to celebrate this milestone, including
hosting the inaugural Australian Privacy Awards and the
Australian Privacy Medal. The Awards are aimed at recognising,
rewarding and encouraging good privacy practice among agencies, businesses and
community organisations. The Medal will be given to an individual who has
exhibited an outstanding level of achievement in the Australian privacy field.
Both the Awards and the Medal will be presented at a gala dinner during Privacy
Awareness Week in the last week of August.
Karen Curtis
OPC and the Privacy Contact Officer network congratulate Joan
Savic from Centrelink on receiving the Public Service Medal in the 2008
Australia Day Honours for ‘the promotion and facilitation of best practice in
privacy and freedom of information in Centrelink and throughout the Australian
Public Service.’
2008 Australia Day Achievement Medallions
On 24 January, the Commissioner announced that twenty staff members had been
awarded an Australia Day Achievement Medallion.
The Medallion program is organised by the National Australia Day Council as
part of Australia Day celebrations. Through presenting the medallions, heads of
government departments and agencies acknowledge their employees’ contributions,
either on special projects that have made a significant contribution to the
nation or simply outstanding performance for core duties.
At a morning tea for all staff, the Commissioner said, “I thought it
appropriate given that 2008 is the 20th anniversary of the passage of the
Privacy Act that I publicly acknowledge the fine performances of twenty OPC and
HREOC staff members who have served the Office of the Privacy Commissioner with
distinction.”
Photo: Medal winners, left to right: Benseon Apple, Nari Sahukar, Martin O’Reilly,
Elise Bates, Andrew Hayne, Chris Rowland, David Richards, Natasha Roberts,
Melanie Drayton, Ron McLay, Angelene Falk, Timothy Pilgrim, Fiona Ciceran,
Robyn Longhurst, Tricia Smith, Kristy Burford, John Oliva, Mark Hummerston,
Andrew Solomon, Peter Giles.
ALRC Review
On 21 December 2007, the Office released its submission to the Australian Law
Reform Commission’s (ALRC) Discussion Paper 72: Review of Australian Privacy
Law. This submission responds to each of the 301 proposals and 46 questions in
the discussion paper. The 786-page submission is summarised at www.privacy.gov.au/publications/submissions/alrc_72/submission_summary.html.
While submitting that the Privacy Act has generally worked well in protecting
privacy while allowing appropriate information flows, the Office has strongly
endorsed making privacy laws in Australia consistent so that business,
government and individuals can easily understand their rights and
responsibilities.
The Office has also agreed with the ALRC on reducing unnecessary
complexity by merging the existing two sets of privacy principles into one that
would apply equally to Australian Government agencies and private sector
organisations (see chapter 3). The submission also supports:
Maintaining a principles-based and technology neutral approach
The Office has supported this approach because of the flexibility and
responsiveness to change it permits in privacy regulation. Avoiding rigid and
prescriptive regulation allows organisations to develop their own solutions as
to how they can meet their privacy obligations in a way that matches their
circumstances. It also ensures that the privacy principles do not become
outdated by focusing on specific technologies (Part B).
Creating codes on specific privacy concerns
The Office believes that, to the greatest extent possible, privacy regulation
should derive from a single source – the Privacy Act. This approach helps to
reduce fragmentation and complexity in privacy law (this is discussed variously
throughout the submission, including in chapters 3, 7 and 56). Exceptions to
this should be limited to where there is clear justification, such as for the
regulation of credit reporting information.
Another area where the Office has supported the potential use of other
instruments is in supporting the proposal for a code making power to respond to
new and clearly defined privacy risks, such as with emerging technologies that
might have characteristics not easily addressed by general privacy principles
(chapters 7 and 44).
Minimising exemptions
The Office generally supports the ALRC proposals to remove exemptions, except
where there appears to be a reasonable public interest supporting their
retention, such as for small businesses, acts or practices of journalism and
some matters of national security (these are discussed in chapters 35, 38 and 31
respectively).
Data breach notification
The Office supports the introduction of data breach notification obligations,
though such a requirement should be proportional to the severity of the breach.
This would provide organisations with a strong market incentive to adequately
secure their databases (chapter 47).
Health information
The Privacy Act should “cover the field” for the regulation of private sector
health service providers. The Act should be amended to clarify that it operates
to the exclusion of any state laws that might regulate the same matters. This
would help to reduce uncertainty for providers and consumers as to their
respective obligations and rights (chapters 4 and 56).
Further health-related proposals include those to enhance access provisions,
such as to health records when a practice closes (chapter 57). The Office has
also suggested that the health information of deceased people should be afforded
some privacy protections, though not to the same extent as living people
(chapter 3).
To address concerns of medical researchers, the Office has made proposals to
simplify the existing regulatory arrangements for the non-consensual handling of
health information for research purposes (chapter 58).
However, the Office is concerned by some of the discussion paper’s proposals
which would significantly expand the non-consensual handling of personal
information for research, while lowering threshold tests justifying such
practices.
Credit reporting
There is a need to simplify the existing complexity in the regulation of
credit reporting information (chapter 50). At the same time, the Office believes
that further independent research on comprehensive (or positive) credit
reporting is required to assess whether or not it would be beneficial (chapter
51).
The Office believes that any reforms to Australia’s regulatory regime for
credit reporting should not weaken existing privacy protections. The Office does
not support the proposed expansion of the permitted uses and disclosures of
credit reporting information from a specified list of circumstances to allowing
use and disclosure for a related secondary purpose (chapter 53).
The practices of using the credit reporting system for direct marketing and
the ‘pre-screening’ of potential credit applicants are raised in the discussion
paper, and the Office has expressed concern about using credit information for
such purposes (chapter 53).
Audits
The Office has supported a qualified audit power that would allow it to
conduct privacy performance assessments of private sector organisations for
compliance in certain circumstances (chapter 46).
Other
Among a range of matters, the Office has also supported:
- The introduction of a statutory cause of action for privacy breaches
(chapter 5)
- The retention of the ‘imminence’ test before non-consensual disclosures may
be made to prevent serious risks to life or health (chapter 22)
- A mandatory requirement on agencies to conduct privacy impact assessments in
certain circumstances (chapter 44)
- A greater formal role for alternate dispute resolution mechanisms (chapter
45)
- Adding greater clarity around alternate decision making processes for
children, adults with impaired decision making and other forms of third party
assistance (Part I)
- Appropriate protections being afforded to the privacy of telecommunications
(Part J).
Where to next?
The Office looks forward to considering the ALRC’s report when it becomes
available and assisting the Australian Government in formulating its response to
the report’s recommendations. As reflected in its submission, the Office remains
committed to promoting privacy regulation that gives due regard to the interests
of all stakeholders and which continues to foster an Australian culture that
respects and values privacy.
Complaint Snapshots
A member of the public advised the Privacy Commissioner that a bankruptcy
trustee firm was publishing on its website personal information belonging to
bankrupts whose estates it was administering. The trustee firm argued that the
information it published was taken from publicly available sections of the
bankrupt’s Statement of Affairs and from the National Personal Insolvency Index
(NPII).
The Commissioner conducted an ‘own motion investigation’, which found
that some, but not all, of the information on the trustee’s website was
already publicly available from the NPII. She noted, however, that in
this instance this did not necessarily exempt the records held by the trustee firm
from the application of the Privacy Act. The Commissioner formed the view that
the trustee firm had interfered with the privacy of the bankrupts listed on the
website, as it had not taken steps to limit the access to and disclosure of the
personal information on their website. The Commissioner recommended that the
firm take steps to prevent general internet users from browsing bankruptcy
files.
---------------------------------------------------
The complainant alleged that an insurance company breached their privacy by
failing to update their details when they took out new membership. The insurance
company conducted an internal investigation and found that a computer systems
error had occurred in that old membership information remained linked to the new
membership. The Commissioner found that by failing to fully upgrade the computer
system, the respondent had failed to take reasonable steps to ensure that the
complainant’s personal information was accurate. The respondent apologised, took
steps to rectify the system, offered compensation, and provided the complainant
with three years’ worth of free service. The complainant accepted this offer and
the Commissioner closed the matter as having been adequately dealt with.
---------------------------------------------------
More complaints case notes are available at: www.privacy.gov.au/act/casenotes/index.html#notes.
Martin Abrams Visit
Photo: Center for Information Policy Leadership Executive Director, Martin Abrams,
with Privacy Commissioner, Karen Curtis.
Mr Abrams is the Executive Director of the Washington DC based Center for
Information Policy Leadership, a privacy think tank and consulting practice
associated with the global legal firm of Hunton & Williams. The Center
provides strategic consulting services and helps clients develop global privacy
and data security strategies for the digital age.
Mr Abrams has nearly 30 years’ experience in policy relating to privacy and
security, and the staff of the Office had the benefit of listening to his
experiences regarding the development of multi-layered privacy notices.
Mr Abrams originated the multi-layered privacy notices that were endorsed by
the international commissioners at the Data Protection and Privacy Commissioners
International Conference in 2003. Layered privacy notices have
also been adopted by the European community, leading companies and various
government agencies, and are expected to be adopted by APEC and the OECD. This
Office’s website uses a layered privacy policy, which can be found at: www.privacy.gov.au/policy/cprivacy_policy.pdf.
Mr Abrams also shared his views on the future direction of information use
and handling in a global context. He touched on many important issues that will
be faced by business, consumers and governments in the near future and how rapid
technological changes will impact the concept of privacy and the use of personal
information globally.
Scam Awareness Campaign
During the period 25 February to 7 March 2008, the Office will be supporting
the anti-scams campaign initiated by the Australasian Consumer Fraud Taskforce.
Entitled ‘Scams target you! Protect yourself!’, the campaign will focus on the
‘too good to be true’ type of scam (eg lottery wins, prizes, etc.) in its first
week, while the second week will address identity fraud scams (eg phishing).
The Government’s consumer fraud prevention portal can be viewed at www.scamwatch.gov.au. Relevant materials
produced by the Office on countering identity theft include the Frequently Asked
Questions on ID Scanning and Social Networking Websites at www.privacy.gov.au/faqs/ypr/index.html.
Government Privacy Contact Officer Network Steering Committee
Each Australian and ACT Government agency is expected to appoint a Privacy
Contact Officer (PCO). Generally, the PCO should be the first point of contact
both internally and externally for advice on privacy related matters affecting
that agency.
The PCO Steering Committee, made up of PCOs from a variety of government
agencies, met earlier this year to discuss ways of improving the Network. A
popular suggestion was to invite speakers who could offer insight into the
‘behind-the-scenes’ thought process of new government initiatives. If you would
like to make a suggestion to the Government PCO Network Coordinator, please send
an email to privacy@privacy.gov.au.
More information on the Government PCO Network can be found at www.privacy.gov.au/government/officers/news/index.html.
Protect your privacy on social networking sites
Social networking sites seem to be ever-increasing in popularity. People of
all ages are going online, creating a virtual identity for themselves, and
interacting with ‘friends’ who can view personal information which may include
names, addresses and dates of birth.
Commonly used social networking sites include MySpace, Facebook, Bebo and
Friendster.
Recognising growing community concerns about the potential privacy risks
associated with social networking websites, the Office has issued advice to
Australians – especially teenagers – about protecting their personal information
on these sites.
The release of these FAQs is a reminder that people are readily posting
photos and personal details of themselves and their friends on social networking
sites without necessarily thinking about who else may obtain access to the
personal information.
Personal information on a social networking site can spread at a rapid pace.
This was recently demonstrated when a Melbourne teenager posted details about a
house party on his MySpace page. Reports in the media claim that over 500 people
were in attendance and the police were called to end the near-riot. The teenager
was taken into custody, highlighting a severe unintended consequence of
revealing personal details on a social networking site.
The FAQs offer four main steps people can take to minimise the potential
privacy risks associated with social networking sites:
- Know your rights: read the site’s privacy policy.
- Be careful what information you share on the site.
- Use the privacy tools on the site – control access to your search listing
and profile.
- Make sure your anti-virus software is up-to-date.
The FAQs are available at www.privacy.gov.au/faqs/ypr/index.html#social_networking.
28th Asia Pacific Privacy Authorities Forum
The 28th Asia Pacific Privacy Authorities (APPA) Forum was held in
Wellington, New Zealand on Friday, 30 November and Saturday, 1 December
2007.
In attendance were representatives of the privacy authorities from Australia,
Canada, Hong Kong, Korea, New South Wales, New Zealand, Northern Territory and
Victoria and, as an observer, the UK. Several New Zealand officials and a
representative from the South Australian Privacy Committee participated in the
open session of the meeting.
The forum received reports on developments in the various jurisdictions and
held discussions on a range of privacy topics including new uses for global
positioning systems (GPS) and radio-frequency identification (RFID), children’s
online privacy, privacy law reform in Australia and New Zealand, and
international developments in security breach notification.
Privacy initiatives taken at the international level during the last six
months were reviewed, in particular, the APEC Pathfinder Project on cross-border
privacy rules and OECD work focusing on the future of the internet economy.
APPA was pleased to announce that the Privacy Commissioner of Canada had
accepted an invitation to join, broadening the forum’s membership from eight
authorities to nine. All members will jointly participate in Privacy Awareness
Week, to be held from 24 to 30 August 2008.
The Office offered to undertake the role of secretariat for the APPA forum
for the next year and will assist in the organisation of the next meeting to be
held in Seoul, South Korea on 19-20 June 2008. Further information about the
APPA Forum, including the communiqué of the 28th APPA meeting, is available at
www.privacy.gov.au/international/appa/wellington-communique.html.
Coming soon:
Five new Private Sector Information Sheets on health information handling
issues and revised s135AA guidelines. You can subscribe to our RSS feed for new
postings on our website at www.privacy.gov.au/contact/rss.html.
Conciliation of Privacy Complaints
A function of the Office is to investigate and, where appropriate, endeavour
to conciliate complaints that allege an interference with privacy. The Office
has recently released an information sheet to assist parties in engaging in the
conciliation process.
The Office uses a number of methods to facilitate the resolution of privacy
complaints through discussion and negotiation. The Office can assist parties to
settle matters by sending written proposals and responses in a shuttle style
negotiation, phone shuttle or real time conference calling. More recently the
Office has conducted face to face conciliation conferences where both parties
and the Office conciliator are present.
Conciliation provides an opportunity for parties to actively decide how a
complaint is resolved in a confidential environment. In conciliation only the
parties can decide the outcome.
Our experience is that parties may resolve a complaint in a number of ways
which include issuing an apology or acknowledgement, making changes to practices
and procedures, or paying expenses or other payments in recognition of
non-financial loss.
In some cases a respondent may take steps to address the matter, for example,
by providing access to the complainant’s personal information. In other cases,
discussion reveals that the respondent has reasonable procedures or policies in
place for the handling of personal information. In this way the complainant may
develop a better understanding of the circumstances of their complaint by
discussing the matter with the respondent party.
The Office is adept at alternative dispute resolution of privacy complaints.
However, conciliation also requires a willingness by both parties to resolve the
matter. Our experience is that agreement is more often reached when the parties
are flexible in what they are prepared to offer and accept.
For further information about the Office’s conciliation process please call
our Enquiries Line on 1300 363 992. For a copy of our Conciliation
information sheet visit our website at www.privacy.gov.au/privacy_rights/complaints/index.html#conciliation.
APEC Update
On 6 February 2008, Privacy Commissioner Karen Curtis addressed the APEC Data
Privacy Pathfinder Seminar for Australian business and consumer stakeholders in
Sydney.
Opened by Joan Sheedy, Assistant Secretary, Department of Prime Minister and
Cabinet, the seminar also heard from Colin Minihan, Chair of the APEC Data
Privacy Sub-Group, and from Professor Les McCrimmon from the ALRC. He spoke
about future options for transborder data-flow regulation.
These presentations were followed by a panel discussion with key business and
consumer stakeholders about how to implement the APEC Privacy Framework.
The APEC Electronic Commerce Steering Group next meets in Lima, Peru in late
February. For more information about the APEC Privacy Framework visit www.privacy.gov.au/international/index.html#a.
Australian Privacy Awards and Privacy Medal 2008
These Awards aim to acknowledge, reward and encourage agencies and
organisations that engage in good privacy practice. The Medal will be presented
to an individual who has exhibited an outstanding level of achievement in
advancing privacy in Australia.
Senator the Hon John Faulkner, Special Minister of State and Cabinet
Secretary, will be launching the Awards and the Medal at a corporate breakfast
to be held on 9 April in Sydney.
Awards will be given in four categories – Corporate and Large Business,
Medium-Small Business, Government and Community – with a Grand Award presented
to the most outstanding entrant. Individuals will also be encouraged to nominate
for the Medal. The Awards and Medal will be presented at a Gala Presentation
Dinner to be held in the last week of August 2008 (during Privacy Awareness
Week).
Further details of the Awards and Medal, including how to nominate, will
appear in the next edition of Privacy Matters. Information will also be
available from early April at www.privacy.gov.au.
Workplace surveillance – the Commissioner’s view
A recent media report about a proposed technology development that would
allow employers to directly monitor their staff using physical indicators
highlights the need for careful consideration of surveillance in the workplace.
It was reported that this monitoring might include brain signals, breathing,
heart rate, blood pressure and facial expressions.
While the Privacy Act does not generally cover the personal information of
employees in private sector organisations, the view of the Privacy Commissioner
is that organisations should nevertheless adopt good privacy practices for the
personal information they collect about their staff. This is particularly the
case for health information. For example, a surveillance system which collects
health information may reveal underlying medical conditions unrelated to the
employee’s job.
As a matter of good practice, employers should consider:
Necessity – in some contexts, detailed surveillance or monitoring
may be reasonable, such as for airline pilots. Yet, in other workplaces such
surveillance may not be appropriate. There should be a demonstrable reason why
detailed information including health information needs to be collected.
Organisations should carefully consider whether the collection of sensitive
information is really necessary. It should be noted that the employee record
exemption only applies to practices directly related to the employment
relationship – if information is collected that is not necessary for the job,
then the Privacy Act may apply.
Proportionality – surveillance should be a proportional response to
an issue. For example, close monitoring of operators of heavy machinery where
there has been a history of accidents might be reasonable, but using the same
close monitoring techniques for office workers may not.
Transparency – organisations should be transparent about what they
are doing. They should tell staff what monitoring is taking place and why, and
what will be done with the information gathered. They should also have a clear
monitoring policy and a fair and transparent dispute resolution process.
The issue of employee privacy is an important one. The Office has suggested,
in its submission to the ALRC review of privacy, that the employee records
exemption to the Privacy Act should be removed to bring the treatment of private
sector employees in line with Australian Government employees.
Diary Notes