Download PDF

Privacy Matters - Archived Issues

Volume 1 Issue 4 Winter 2007

Commissioner's Message

When you ask yourself the question "What is privacy?", it doesn't take too long to realise that privacy is far from being a "one size fits all" concept. Privacy, as a community-held value, means very different things to different people.

As a privacy regulator, it is an integral part of my Office's role to maintain a broad understanding of the Australian community's attitudes to privacy. For my Office to effectively reflect public opinion, it needs to keep up with the community's attitudes to privacy, and how they may be evolving in our modern technological environment.

It is for this reason that I have again commissioned a national survey of Australians to assess their attitudes towards privacy-related matters. This 2007 research continues the work of similar studies carried out by my Office since 1990.

The research, which consisted of telephone interviews with 1500 Australian households, was undertaken from 11 July - 7 August 2007. It investigated people's views about the way their personal information is handled in a wide range of areas, including health, work, business, and government. It also asked respondents about some current privacy topics, such as ID theft and CCTV.

The results of this survey have just been released as a part of Privacy Awareness Week 2007, which is being celebrated as this Winter edition of Privacy Matters goes to press. The survey is a centrepiece of this year's PAW program. The survey results will provide my Office with an up-to-date and invaluable resource, which will help to inform our thinking on policy, compliance and communications work. They will also contribute to my Office's response to the Australian Law Reform Commission's privacy review discussion paper which is due in September.

This edition of Privacy Matters features a snapshot of some of the survey's key findings.

The newsletter also provides lots of other news coming out of Privacy Awareness Week 2007, including details of the winner of the International Secondary Schools Privacy Writing competition, an initiative of the Asia Pacific Privacy Authorities.

There are a range of activities planned to take place during the week. They include the:

• release of an information sheet on ID scanning by businesses and FAQs about ID scanning;
• publication of the Office's latest case notes;
• release of a plain English bookmark summarising the Information and National Privacy Principles;
• distribution of a 'privacy please' door hanger;
• distribution of a 'privacy is your business' desktop background/log-on screen; and
• distribution of a Privacy Awareness Week poster.

Privacy Survey Shows New Attitudes and Trends

The Office has undertaken a major study into Australians'' attitudes towards privacy-related issues and developments. Released today, the survey shows that there have been significant changes since the last study in 2004. As the synopsis below reveals, people have become more concerned about various aspects of privacy in their everyday lives, such as providing personal information online and identity theft. At the same time they have become more trusting of certain things, such as their dealings with government agencies and health service providers.

The survey follows the Office''s similar studies in the early 1990s and most recently in 2001 and 2004. The 2007 study was conducted by the Wallis Consulting Group and consisted of telephone interviews with a representative sample of 1500 Australians nationwide. The survey''s 47 questions covered the following areas: attitudes to providing personal information; levels of trust in organisations handling personal information; knowledge of the Privacy Act and the Privacy Commissioner; the handling of personal information by business and government departments; health information and privacy; employee privacy; the Internet; ID theft; and CCTV.

This article presents a synopsis of a selection of the survey''s findings.

Concerns about providing personal information on the Internet are high

• 50% of Australians are more concerned about giving personal information over the Internet than they were two years ago. 31% remain as concerned as they were two years ago, while 11% are less concerned than before.
• 25% of Australians claim they provide false information in online forms as a way of protecting their privacy.

One in ten Australians have been victims of identity theft

• 9% of Australians claim to have been victims of identity theft, and 17% know someone else who has been a victim. 60% are concerned about becoming a victim of identity theft.
• Australians believe identity theft is likely to occur most easily as a result of using the Internet (45%), and losing or having identity documents physically stolen (22%).

Few people believe their ID should be scanned in pubs and clubs

• Only 18% of Australians believe that it is acceptable for their ID to be copied or scanned when entering licensed premises, but 80% believe it is acceptable to show ID.

Significant numbers of people would not deal with a business because of privacy concerns

• In 2001, 42% of Australians would not deal with a company or charity because of concerns over the organisation''s protection or use of their personal information. This figure dropped to 33% in 2004. 2007 saw an increase to 36%.

More people trust health service providers with their personal information

• 91% of Australians rate health service providers as trustworthy, up from 89% in 2004, 84% in 2001 and 70% in 1994.
• 60% of Australians think that health professionals should be allowed to discuss their personal medical details with other health professionals without their consent, the same proportion as in 2004 and up from 53% in 2001.
• 55% of Australians believe that a person should be told of a relative who has a genetic illness, even without the consent of the relative.

Employees support workplace monitoring,but want access to their records

• 86% of Australians think that employees should have access to information that employers keep about them. Most also believe that employers should be entitled to monitor employees in the workplace in certain situations.

Most people are concerned about businesses sending their information overseas

• The majority of Australians (90%) are concerned about businesses sending their personal information overseas and 63% say they are ''very concerned''.

Increased trust in government departments

• 73% of Australians consider government departments to be trustworthy, an increase from 64% in 2004 and 58% in 2001.
• Australians'' support for government departments being able to share information has increased from 71% in 2004 to 80%. The majority believe that information should be shared, but only for some purposes, such as for crime prevention (77%) and to update contact details (67%).

Knowledge of privacy laws has increased

• 69% of Australians are aware that federal privacy laws exist, compared to 60% in 2004, 43% in 2001 and 36% in 1994.
• A majority of Australians are aware that the Privacy Act covers the activities of Commonwealth Government departments (94%) and large businesses (72%) and charities (72%). However,some also believe incorrectly that the Act covers State government departments (87%), and businesses based overseas (35%).
• 45% of Australians are aware of the existence of the Privacy Commissioner, compared to 34% in 2004 and 36% in 2001.

The study was only conducted a few weeks ago and the Office has yet to assess the full implications of the results in terms of its priorities and focus. However, the results are likely to feed into the Office''s response to the Australian Law Reform Commission''s forthcoming Discussion Paper on its review into privacy law. The results will also assist in informing thinking on various issues as part of the Office''s policy development and compliance role. In addition, they will allow the Office to identify issues and audiences that require a focussed response or level of pro-activity in terms of its educational work.

Privacy Awareness Week

The Office is promoting Privacy Awareness Week from 26 August to 1 September 2007 as a way of raising awareness of the importance of protecting privacy.

This year, for the first time, Privacy Awareness Week is being jointly promoted by the Asia Pacific Privacy Authorities (APPA) Forum, including Australia, NSW, Victoria, Northern Territory, Hong Kong, New Zealand and Korea. There will be a series of activities held across these regions.

A major Privacy Awareness Week promotion, undertaken by the APPA members, is the International Privacy Competition for secondary school students.The competition required students to submit a written piece of work based on the 2007 Privacy Awareness Week theme, ''privacy is your business.''

The competition closed on 3 August 2007 and the Office is pleased to report that over three hundred entries were received from students across Australia, New Zealand and Hong Kong. The entries came in various forms such as essays, short stories and editorials, and gave insight into the way that today''s youth view privacy.

The international winner of the competition is Erica Hei-Yuan Chan, a 16-year old student at the Carey Baptist Grammar School in Kew, Victoria. Ms Hei-Yuan Chan will be awarded a laptop computer and will fly to Sydney with a guardian during Privacy Awareness Week to meet with the Attorney-General, the Hon Philip Ruddock MP, the Australian Privacy Commissioner, Ms Karen Curtis, the NSW Privacy Commissioner, Mr John Dickie, and a representative from Privacy Victoria.

In addition to the joint activities being undertaken across APPA, the Office has a number of Privacy Awareness Week promotional items available as well as a list of suggestions on what you can do to promote the week.

Privacy Awareness Week is an opportunity for you to consider your privacy rights and responsibilities. For further information visit www.privacyawarenessweek. org/paw/australia.html. To view the winning entry in the APPA International Privacy Competition, go to www.privacyawarenessweek.org.

View the Australian Privacy Commissioner''s video message encouraging involvement in Privacy Awareness Week at: www.privacyawarenessweek.org/paw/australiapromo.html.

Asia Pacific Privacy Authorities discuss initiatives in Cairns

The Office hosted the 27th Asia Pacific Privacy Authorities (APPA) Forum in Cairns, on 22-23 June 2007. The Forum immediately preceded the APEC Seniors Officials'' Meeting and Seminar in Cairns, allowing participants to attend both events.

In attendance were the Privacy Commissioners and representatives of Australia, Canada, Hong Kong, Korea, New South Wales, New Zealand, Northern Territory, and Victoria. Representatives from privacy authorities in other jurisdictions also attended, including Mexico, the Australian Capital Territory, Queensland, South Australia, and Western Australia.

Jurisdictional reports were delivered by member authorities and sessions were held on privacy developments in various countries, including presentations on the Queensland smartcard driver''s licence, biometric privacy concerns, Internet leakage, statutory cause of action, anti-money laundering, and reviews into privacy law in Australia and New Zealand.

The cross-border enforcement aspects of the APEC Privacy Framework and the potential role for APPA and its members in the implementation of the Framework were also discussed. The Forum heard about similar cross-border developments in the OECD.

Hong Kong, New Zealand, Australia, New South Wales, Victoria and the ACT agreed to establish a Working Party to look at the possibility of developing guidelines for the protection of privacy rights in relation to the use of biometrics.

The Office is also pleased to announce that during the two day meeting APPA broadened its membership from seven authorities to eight, welcoming the Information and Privacy Commissioner of British Columbia.

The next meeting of the Forum will be held in New Zealand on 30 November and 1 December 2007.

Further information about the APPA Forum, including the communiqué of the 27th APPA meeting, is available at www.privacy.gov.au/aboutus/international/appa/.

Approach to Regulating

Generally Australian regulators operate to encourage compliance and work cooperatively with those they regulate. The Office of the Privacy Commissioner adheres to this approach which is also consistent with our legislative framework.

We operate in a society where ''privacy'' is not an absolute right. It is a right to be balanced with other interests - a good example is the public interest in openness and transparency in government administration.

The Privacy Act sets out principles to be applied, rather than prescriptive regulation. Applying principles, to be effective, requires balance and objectivity. As a regulator we seek to achieve that balance.

Old style regulators largely applied the ''one size fits all'' solution to problems. Our view is that a one dimensional approach by a regulator is fraught with difficulties, and destined to failure. There is no doubt that a multi-faceted approach to an issue is almost always required in order to bring about sustained change and improvement in behaviours, particularly organisational behaviours.

Organisational culture is hard to change - yet that is what often we seek to do in promoting a respect for privacy within organisations. We cannot rely on investigation alone. The effective regulator has to adopt a range of techniques to bring about lasting change. Conciliation, education, prevention techniques, audits, guidelines, policy advice, investigations, determinations - all of these and more comprise the tool box of the modern-day regulator.

Our approach must be guided by fairness. Our role is to help an individual and an agency or organisation focus on dealing with the issue of concern. Fairness must go hand-in-hand with objectivity. The primary objective of the regulator, in carrying out an investigation, is to seek out the facts and establish the truth. As a regulator we must not only react, we must also be proactive - working with organisations and agencies to prevent or minimise problems. This means our role is also to ''win their hearts and minds'' about respecting and protecting privacy.

To do that, we must approach privacy as part of the suite of good governance attributes. This requires building trust and earning cooperation. We need to help agencies and organisations bring about change in their systems, practices and culture.

As a regulator we need to bring balance, proportionality and fairness to the protection of privacy. We do not live in a vacuum - there are competing interests: the right to privacy and the public interest, the demands of a complex society.

This is an edited extract of a speech by Mark Hummerston, Assistant Privacy Commissioner to the ''Interpreting Privacy Principles Symposium'', 3 July 2007. The full text is available at www.privacy.gov.au/materials/types/speeches?sortby=60.

APEC Privacy Update

Australia hosted a seminar on the Implementation of the APEC Privacy Framework in Cairns on 25-26 June. The focus of the seminar was ''Cooperation and Cross-Border Privacy Rules''. Presenters spoke about the existing and developing international arrangements for cross-border cooperation.

During her presentation, the Australian Privacy Commissioner referred to the APPA Forum as an example of an existing group that fostered cooperation among regulators. Similarly, the MOU between the Privacy Commissioners of Australia and New Zealand was put forward as a potential model for cooperative arrangements between Economies.

Business leaders and overseas ''trustmark'' operators spoke about ''trustmarks'' or privacy web seals already in the US and several of the Asian Economies. Under these schemes, businesses can undergo a review and certification process and become accredited to display a ''trustmark'' or seal on their website.

The seminar also provided an overview of the current capabilities and limitations to international cooperation between regulators and focused on the next steps for implementing crossborder privacy rules.

After the seminar the APEC E-Commerce Steering Group Data Privacy Subgroup met. It discussed the project work plan, referred to as the APEC Data Privacy Pathfinder, which outlined the objectives for progressing the development and implementation of an accountable crossborder privacy rules system within APEC Economies. Twelve Economies agreed to participate in the Pathfinder. It is anticipated that the Pathfinder will be formally endorsed by Economies at the September APEC meetings. Once formally endorsed, volunteers from various Economies will work on the Pathfinder projects.

The next APEC Data Privacy Seminar will be held in Canada on 22-23 September before further work begins in 2008, when Peru will be the host nation. For more information see the following links: APEC Electronic Commerce Steering Group website: www.apec.org/apec/apec_groups/som_special_task_groups/electronic_commerce.html; AttorneyGeneral''s Department website: www.ag.gov.au/www/agd/agd.nsf/AllDocs/8B53BF31ED5073F6CA2571F30081E094?OpenDocument.

Access Card Exposure Draft Submission

On 21 August 2007 the Office made a submission to the Department of Human Services on its second exposure draft of the Human Services (Enhanced Service Delivery) Bill 2007 (the exposure draft Bill).

The Office acknowledged that the exposure draft Bill progresses the privacy protections for the proposed Health and Social Services Access Card.

The exposure draft provides protections for confidentiality and information integrity which adds to the first Bill. However, the Office has suggested that there are still a number of steps that can be taken to enhance the Access Card''s privacy safeguards:

The Office welcomed the following aspects of the Bill:

The full submission is available at: www.privacy.gov.au/materials/types/download/9118/6759.

World Renowned Privacy Thinker at Privacy Connections Forum

The Office partnered with Microsoft in hosting a series of forums in Brisbane, Melbourne, Canberra and Sydney during the first week in July, featuring Microsoft''s Peter Cullen as the keynote speaker. Mr Cullen is the US-based Chief Privacy Strategist and Senior Director, Trustworthy Computing, for Microsoft, the former Corporate Privacy Officer for the Royal Bank of Canada, and one of the world''s pre-eminent privacy practitioners and thinkers.

Mr Cullen provided the large audiences in the four cities with insights into the global privacy landscape, particularly within an information technology context. He outlined the approaches of Microsoft in addressing privacy issues, examined the various data governance technologies, and explored tools that can be employed to enhance levels of privacy trust.

Other speakers included the Attorney-General, the Hon Philip Ruddock MP, who addressed the Sydney forum, and the Privacy Commissioner, Karen Curtis, who spoke at all four events. The Attorney-General discussed the outcomes of the recent APEC Seminar and meeting of the APEC Data Privacy Sub-Group, as well as the approach taken by the ALRC as part of its Review of Privacy Law. In her speech, the Commissioner outlined the role played by privacy in enhancing business success and the key steps organisations can take to ensure that privacy becomes embedded in business practices.

The forums were part of the Office''s Privacy Connections network for corporate sector privacy professionals.

The network offers opportunities for members to stay informed of local and global privacy developments, to meet and engage with the Privacy Commissioner and other privacy leaders, and to network with other privacy professionals.

For information on Privacy Connections, log onto www.privacy.gov.au/business/privacyconnections/.

When Privacy meets Technology

When I consider how the digital age has impacted on our personal lives, one of the most significant shifts that strikes me is the increased electronic handling of information, particularly personal information.

Across the Internet, in electronic databases, through mobile telephones, by email, credit cards, e and m commerce, and even via interaction with online maps and global positioning systems, we now leave snail trails of information about ourselves like never before.

But not everything has changed.

As living, breathing human beings, I''m not so sure whether the digital age has fundamentally changed us all that much. In many ways, people are still the same complex, multi-faceted creatures that we always were.

We all continue to have a range of aspects to ourselves by which we like to define ourselves, and by which we are defined.

From something as simple as our name, through to our likes and dislikes, our relationships with others, our roles in society, and our actions and behaviours, we put forward to the world a range of aspects to our identity which say many things about us.

We are known by others in many ways: a book lover; a regular customer; a traveller; a co-worker; and so on. Part of privacy is about being able to control when and where we reveal these different aspects of our identities to others.

What the digital age has done is to change the environment in which we negotiate these different aspects of our identity. It has meant that much of the information about us is now able to be more easily captured, aggregated and much more widely distributed and viewed, than ever before.

The digital age has also created a more facilitative environment, where it is much easier for others to obtain information about us, ''know'' things about us or, worse still, make inaccurate judgments about us by pulling information out of context.

We might be the same people we always were, but the digital age has made it much more difficult for us to manage and control the information we choose to reveal, or sometimes inadvertently reveal, about ourselves.

And once our personal information is out there, it is very difficult to recoup it and regain control.

Technology is not, however, the enemy of privacy. Privacy and technology are not polar opposites. To value one''s privacy is not to repudiate technology.

If technology is sophisticated enough to recognise my thumbprint, send data across the world in seconds and land on Mars, then it is sophisticated enough to be developed in a way that enhances and protects privacy.

There are many examples of technology initiatives designed to enhance privacy, such as encryption, public key infrastructure, programs that allow for anonymity, and so on.

Ann Cavoukian, the Information and Privacy Commissioner of Ontario Canada, recently proposed a framework for responding to the challenges raised by the digital age with her ''Seven Privacy-embedded Laws of Identity''.

These Laws are a privacy-extended version of the original ''Seven Laws of Identity'', formulated on an open blog by a global community of identity management experts. The Privacy-embedded Laws seek to incorporate some fundamental privacy principles into the digital infrastructure. These principles include goals such as:

• individual control
• consent
• reduced amounts of data
• ''need-to-know'' access
• plain language and
• the sometimes problematic twin requirements for systems to be interoperable and yet segregated.

Even in an ever-changing world, these basic privacy principles have a remarkable ability to transcend the rapidly changing technological environment in which they are operating, and stay relevant. This could be because the principles go to the heart of what we, as humans, value as privacy.

This is an edited extract of a presentation given by Karen Curtis, the Privacy Commissioner, to the Govtech Summit on 19 July 2007. The full text is available at www.privacy.gov.au/materials/types/speeches?sortby=60.

Steps to Reconciliation

The Office has developed a ''Reconciliation Action Plan'' (RAP) to identify and develop business practices in organisations to contribute to the wellbeing and quality of life of Indigenous Australians.

The RAP initiative, coordinated by Reconciliation Australia, coincides with the 40th anniversary of the 1967 referendum when more than 90 percent of Australians voted to include Indigenous Australians in the census, and to amend the constitution to allow the Australian Government to make specific laws with respect to Aboriginal peoples.

The Office''s draft RAP has five Key Reconciliation Result Areas:

1. Establishing dialogue with Indigenous stakeholders on privacy issues
2. Improving awareness of privacy rights in the Indigenous community
3. Developing guidance material for agencies and organisations on protecting and respecting the privacy of Indigenous Australians
4. Improving and applying cultural awareness and knowledge within the Office
5. Creating employment and development opportunities.

The Office''s draft RAP will shortly be available on our website at www.privacy.gov.au.

In the spirit of the Office''s RAP, the Office held events to commemorate National Reconciliation Week (27 May-3 June) and NAIDOC Week (8-14 July).

The Office screened a documentary to mark the 40th anniversary of the 1967 referendum, and hosted a commemorative afternoon tea for staff where the Privacy Commissioner spoke about Reconciliation and the Office''s draft RAP.

The Director of the Social Justice Unit at the Human Rights and Equal Opportunity Commission (HREOC), Mr Darren Dick, then spoke about his attendance at the One Future Forum 2007 on Reconciliation.

For NAIDOC Week the Office joined with HREOC to host an information stall at a NAIDOC event in Sydney.

Diary Notes

• Privacy Awareness Week, presented by the Asia Pacific Privacy Authorities: 26 August-1 September 2007
• APEC Data Privacy Seminar, 22-23 September 2007, Vancouver, Canada
• Privacy Horizons - Terra Incognita - the 29th International Conference of Data Protection and Privacy Commissioners: 25-29 September 2007, Montreal, Canada
• Asia Pacific Privacy Authorities Forum: 30 November-1 December 2007, Wellington, New Zealand

For more diary notes or to submit an event please visit our online events news/calendar: www.privacy.gov.au/news/calendar