Protecting Information Rights – Advancing Information Policy

Phone iconCONTACT US: 1300 363 992
 
We're now a part of the Office of the Information Commissioner. Go to www.oaic.gov.au to find out more.

Site Changes

Types

Topic(s): Corporate information
 

Privacy Matters Spring Newsletter 2007

document icon pdf (392.78 KB)


<!-- .style1 { font-size: 18px; font-weight: bold; color: #FF0000; } .style2 {color: #666666} --> Download PDF-Web Version

Downloads: PDF - Web, PDF - Print

Privacy Matters - Archived Issues

 

Volume 2 Issue 1 Spring 2007

Commissioner's Message

Education and promotion are key elements of our strategic plan in supporting our vision of an Australian community in which privacy is valued and respected. Privacy Awareness Week (PAW), an initiative to help raise awareness and get people involved and interested in privacy issues, was held this year from 26 August to 1 September.

PAW was a great success, with promotion across many government agencies and some businesses and an impressive take-up of our plain English bookmarks explaining the Information Privacy Principles and National Privacy Principles. We hosted jointly with Privacy New South Wales a successful PAW cocktail function on 30 August. At the function we congratulated the winner of the International Privacy Competition, 16-year-old Erica Hei-Yuan Chan from Victoria, and presented her with a laptop computer for her prize-winning essay.

PAW also saw the release of the results of the 2007 Community Attitudes to Privacy survey, publication of new case notes illustrating the types of cases dealt with by this Office, and the compilation of a list of ''essentials'' for privacy law reform drawn from our submission to the Australian Law Reform Commission''s review of privacy laws. All in all, it was a very busy and productive week, and we look forward to doing it all again next year. We are also pleased to announce that Canada will join Australia, New Zealand and Hong Kong in holding a Privacy Awareness Week in 2008.

The 29th International Conference of Data Protection and Privacy Commissioners was held in Montreal from 25-28 September. The conference was an excellent opportunity to gain more insight into privacy issues across a variety of countries and organisations, including concerns about threats to privacy from emerging technologies. It was also timely for Commissioners to consider such matters as passenger name information, the development of global privacy standards and communicating the privacy message.

Anti-Money Laundering / Counter-Terrorism Financing (AML/CTF) legislation brings changes which will come into effect on 12 December 2007. In addition to large financial organisations which are already covered by the Privacy Act, the AML/CTF legislation will require some small businesses, which previously may not have been covered by the Privacy Act, to now be subject to it for AML/CTF purposes. Accordingly, all businesses that have requirements under the AML/CTF legislation will be required to collect, store, use and disclose the personal information they collect in compliance with the Privacy Act. This Office has produced a number of guidelines and related materials to help explain these changes and how they will affect individuals and organisations. I suggest a look at our guidance material on our website or contacting our enquiries line on 1300 363 992 for more information.

Karen Curtis Privacy Commissioner

 

 

International Privacy Commissioners'' Conference

The theme of the 29th International Conference of Data Protection and Privacy Commissioners was ''Privacy Horizons: Terra Incognita'', suggesting the challenges that lay ahead for privacy in the uncharted waters of the new world of technology and terrorism. Challenges were addressed in plenary sessions and covered:

  • Public Safety
  • Globalisation
  • Law Meets Technology
  • Ubiquitous Computing
  • The Next Generation
  • The Body as Data

The four-day conference was held in Montreal, Canada in late September. The Australian Privacy Commissioner, Karen Curtis, and the Deputy Commissioner, Timothy Pilgrim, both attended and were joined by 600 other delegates from around the world. Other Australian representatives were from the Federal Attorney-General''s Department, the Victorian and NSW Privacy Offices, business, academia and privacy advocates. The conference had closed sessions for attendance by Commissioners and then a wider public conference. The conference also marked the accreditation of three new data protection authorities from Slovenia, the Former Yugoslav Republic of Macedonia, and Newfoundland and Labrador.

In their closed sessions, the Commissioners discussed a wide range of topics from communicating the privacy message to airline passenger data, to moves for the development of global privacy standards.

The first resolution agreed by the Commissioners concerned the issue of safeguarding passenger data. ''The very nature of international travel warrants an international approach to establishing standards that safeguard passenger data,'' stated the Canadian Privacy Commissioner, Jennifer Stoddart.

In the current global climate with governments using passenger information for law enforcement, terrorism prevention and border security purposes, there is a need to properly safeguard passenger data. The conference resolved that governments using such information must ensure that the use is for a clearly defined and stated purpose and conducted in a transparent and properly reviewed manner.

The second resolution was about the creation of global privacy standards. A newly established working group in the International Organisation for Standardisation (ISO) will be seeking to establish a set of standards for identity management, biometrics and privacy. The Commissioners expressed support for this initiative.

The third and final major resolution of the conference was on the need for greater international cooperation on privacy matters. The Commissioners resolved to support greater cooperation between Commissioners and organisations, while still respecting varied approaches to privacy protection. The resolution also encouraged the promotion of privacy through initiatives such as the Asia Pacific Privacy Authorities'' Privacy Awareness Week.

The Commissioners also agreed to continue their work on conference arrangements to ensure there is a record of resolutions, a smooth handover to conference organisers, transparency in host selection and greater use of electronic communications.

In addition to these resolutions were presentations by a number of world experts in data protection, exploring the important questions of how best to safeguard and protect privacy rights in the face of ever more sophisticated technological developments.

Representatives from a range of consumer and advocacy groups signed a declaration on the need for stronger protection for privacy rights by the attendant Data Protection Commissioners. This was presented to Commissioners later in the week.

The next Conference will be held in Strasbourg, France from 8-10 October 2008, and will be jointly hosted by the French and German data protection agencies.

There were also a number of privacy meetings and events held in Canada to coincide with the Conference.

In Vancouver, the Office of the Information and Privacy Commissioner for British Columbia hosted a two day conference, ''Private Sector Privacy in a Changing World'' where Karen Curtis provided the keynote address on the top 10 privacy issues. The speech is available to download at www.privacy.gov.au.

This was followed by an APEC seminar, details of which are available at www.apec.org/webapps/events_news/calendar/events_news/calendar.php.

In Montreal, the EU, OECD, APEC and APPA representatives discussed the APEC privacy framework, and in Ottawa, the Deputy Privacy Commissioner, Timothy Pilgrim, attended the OECD Working Party on Information Security and Privacy.

The meeting focussed on ways to enhance cross- border cooperation to meet the challenges posed by threats to the online environment such as Malware and SPAM. As well, the meeting examined the complex issues related to identity management online and looked at the potential impact emerging technologies such as RFIDs could have as a means of collecting personal information.

In terms of privacy, the working party discussed proposals to continue its work on cross-border cooperation in areas of enforcement of privacy investigations and processes that could assist in that work, such as establishing contact points in member countries and developing online support tools.

 

 

APEC Logo

APEC Update

In June, the APEC E-Commerce Steering Group Data Privacy Subgroup met in Cairns. Economies considered a proposed project work plan, referred to as the APEC Data Privacy Pathfinder, which outlined the objectives for progressing the development and implementation of an accountable cross-border privacy rules system within APEC Economies.

With the Pathfinder formally endorsed by the APEC Ministers at their meeting in Sydney in September, Economies are now working on an implementation work plan and considering which of the Pathfinder projects they can become involved in. Currently, 13 Economies have indicated a willingness to participate in Pathfinder projects.

In September, the Commissioner and Deputy Commissioner attended an APEC Data Privacy Seminar in Vancouver, Canada. At this seminar, Privacy Commissioner Karen Curtis chaired a session on the question of: ''How Can Government and Other Regulation Mechanisms work in the same Economy?'' and Deputy Privacy Commissioner Timothy Pilgrim participated in a panel session on ''Other Compliance Models - EU, Asia-Pacific and Beyond.''

At this meeting the Office also volunteered to lead three of the Pathfinder projects. These projects involve the development of templates for cooperation arrangements between privacy regulators and cross-border complaint handling, and the creation of a directory of relevant privacy contacts in the APEC economies.

For further information about APEC Data Privacy initiatives, please see the following links:

APEC Electronic Commerce Steering Group website: www.apec.org.

Attorney‑General''s Department website: www.ag.gov.au/apec_privacy.

The next APEC seminar will be held in Lima, Peru in mid-February 2008 and it is expected a second seminar will be held in August 2008.

 

 

Photo: International essay competition winner in Sydney during Privacy Awareness Week 2007 Photo: L-R: Mrs Sarah Chan, competition winner Erica Hei-Yuan Chan, Attorney-General, the Hon Philip Ruddock MP, Mr Arthur Chan and Timothy Chan at the presentation of a laptop computer to the international essay competition winner in Sydney during Privacy Awareness Week 2007.

Privacy Awareness Week 2007

During the week of 26 August - 1 September 2007, the Office worked with most members of the Asia Pacific Privacy Authorities (APPA) to promote privacy as part of the annual Privacy Awareness Week initiative.

Together with its APPA partners the Office ran a writing competition for secondary school students, which was aimed at encouraging youth to think about privacy. Over 300 entries were received from students throughout the Asia Pacific region, with the winning entry coming from 16-year old Victorian student Erica Hei-Yuan Chan. Ms Hei-Yuen Chan and her family met with the Federal Attorney-General, Philip Ruddock MP, the Australian and NSW Privacy Commissioners and a representative from Privacy Victoria for afternoon tea where she was presented with a laptop computer for her winning entry. Ms Hei-Yuan Chan was also guest of honour at a function held during the week in Sydney hosted by the Office and Privacy NSW. In attendance was the NSW Attorney-General and Minister for Justice, the Hon John Hatzistergos.

"The Office would like to thank everyone who supported Privacy Awareness Week 2007 and made it such a great success!"

To promote the Week the Office sent out over 50,000 materials to individuals, businesses, and government agencies across Australia. The Office has received positive feedback about the materials, with many people utilising them at privacy training sessions and seminars held during the Week.

An important aspect of this year''s promotion was the Privacy Awareness Week website. Launched this year, the website received a good response from users. Developed by the Office, the site displays the Week''s key materials and activities of participating APPA members.

Arrangements for Privacy Awareness Week 2008 are already underway. The Office of the Privacy Commissioner of Canada, and the Office of the Information and Privacy Commissioner, British Columbia, will both be participating, enhancing the international nature of the initiative.

To find out more about this year''s activities and the Office''s plans for Privacy Awareness Week 2008, visit: www.privacyawarenessweek.org.

 

 

Privacy Contact Officers'' Network

The Office of the Privacy Commissioner has long recognised the importance of maintaining a strong network of Contact Officers throughout Federal and ACT departments and agencies to assist government in fulfilling its wide-ranging obligations under the Privacy Act.

To help achieve this, the Office hosts Privacy Contact Officer (PCO) Network meetings quarterly to provide an opportunity for PCOs to liaise with other Contact Officers as well as OPC staff and discuss a variety of privacy issues relevant to their roles.

Attendees at the most recent PCO Meeting in Canberra on 31 August 2007 were welcomed by Privacy Commissioner, Karen Curtis, who discussed a number of topical privacy issues. These included the Office''s recent work on ID scanning and the success of Privacy Awareness Week (26 August - 1 September 2007). Ms Robin Banks, Chief Executive of the Public Interest Advocacy Centre, was then invited to present to the forum.

During her presentation, Ms Banks, who is also a member of the Privacy Advisory Committee, discussed the need to enhance community awareness of and engagement with government over matters such as privacy, and the promotion and enhancement of transparency and accountability throughout government administration. It was interesting to listen to Ms Banks'' own experience with privacy matters in the community and her views on where privacy legislation should be heading in the future.

Prior to the completion of the day''s proceedings, John Peters and Angela MacMillan, Compliance Officers from the Office, presented a practical exercise on complaint handling. Based on a real case, they asked the PCOs to place themselves in the role of a Compliance Officer and discussed the stages and steps undertaken in an actual investigation. PCOs were given information from both complainant and respondent parties and asked to apply the relevant legislation to determine whether a breach may have occurred.

The exercise proved to be extremely rewarding for all involved, with the Office staff being impressed by the level of thought and understanding displayed by the group. Following the exercise, a Q&A session enabled the PCOs to raise a number of issues related to the case study and their individual work roles, and to have their questions answered by two experienced Compliance Officers.

Feedback from the PCO meeting highlighted that such meetings are very valuable to those who attend. In particular, the case study proved to be popular and the Office is looking to conduct similar practical sessions again in the future. In the meantime, the Privacy Commissioner will continue to encourage active participation by PCOs within the network. The next PCO meeting is to be held in Canberra on 7 December 2007.

 

 

We need your help!

Please take a few moments to complete our survey to assist us in planning the future direction of this newsletter. All responses will remain anonymous.

The survey can be viewed at www.privacy.gov.au/news/privacymatters/survey.php

 

 

Anti-Money Laundering and Counter-Terrorism Financing

The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) came into effect on 12 December 2006. This legislation was introduced with the intention of bringing Australia into line with international best practice1 and is part of a reform process that aims to protect industry, business and individuals by deterring money laundering and terrorism financing.

The AML/CTF Act prescribes that organisations and individuals that perform certain designated services will become reporting entities for the purposes of the AML/CTF Act. The implementation of AML/CTF obligations has been staggered over a two year period with identification and reporting requirements commencing for reporting entities in the financial, gaming and remittance sectors on 12 December 2007, with other industry sectors to be brought in from 12 December 2008.

The AML/CTF Act imposes a number of obligations on reporting entities including:

  • customer identification and verification of identity
  • record-keeping
  • establishing and maintaining an AML/CTF program
  • ongoing customer due diligence and reporting (suspicious matters, threshold transactions and international funds transfer instructions).2

As part of the AML/CTF reform package, the Privacy Act has been amended to provide that small businesses that will be reporting entities for the purposes of AML/CTF, will also be subject to the Privacy Act in regard to their obligations under the AML/CTF Act. This includes small businesses that may be exempt from obligations under the Privacy Act in terms of other business activities they undertake. A reporting entity must apply the Privacy Act, including the NPPs, to personal information collected or handled in relation to activities undertaken to comply with the AML/CTF Act.

AML/CTF requires reporting entities to check a number of boxes to meet their reporting obligations and asking reporting entities to add privacy obligations to these requirements might seem onerous. However the Office believes that compliance across both AML/CTF and privacy obligations can be achieved by reporting entities embedding privacy into their AML/CTF program.

Complying with your AML/CTF responsibilities and privacy obligations can often come down to reporting entities asking, on a regular basis, a few key questions about their business practices - questions such as:

  • Do you actually need to collect all of the person''s personal information? If you don''t need more than the minimum Know Your Customer (KYC) personal information, don''t collect it.
  • If you do need it, tell people what you need it for. Give them a privacy notice and seek their consent where necessary.
  • Once you''ve collected it:
    • Stick to your word - only use it for what you say you''re going to use it for
    • Don''t give it to anyone else unless you have the person''s permission
    • Keep it accurate, up-to-date and secure
    • Give your customers access to it if they ask.
  • When you don''t need it anymore, destroy it securely.
  • And, most importantly, remember that it is their personal information, not yours.

This list is not exhaustive and there are some exceptions. But it should give you the right idea - that compliance can quite often come down to getting the common sense basics of privacy right.

If you would like to know more about your privacy responsibilities and how they interact with AML/CTF, please contact the Office of the Privacy Commissioner on 1300 363 992 or visit the website at www.privacy.gov.au. Information about AML/CTF requirements for reporting entities is available at www.austrac.gov.au or by contacting the AUSTRAC Help Desk on 1300 021 037.

Individuals can find out more about AML/CTF by visiting the Attorney General''s Department website at www.ag.gov.au/aml or by sending an email enquiry to aml.reform@ag.gov.au.

 

 

Complaints Snapshots

An individual alleged that a health care provider contracted to a government agency improperly disclosed their personal information to their employer without their consent. The agency conceded that there were no lawful grounds for the disclosure, and offered to settle the matter by way of a charitable donation, a written apology, a review of its existing confidentiality policy and greater accessibility by all staff to the policy. The complainant accepted this offer and the Commissioner closed the matter as having been adequately dealt with.

---------------------------------------------------

The complainant participated in a medical examination by the respondent medical practitioner, as part of a worker''s compensation claim and subsequent tribunal case. After the case was heard, the individual requested a copy of the medical records held by the respondent. The individual was denied access to clinical notes taken during the medical examination, as the respondent claimed ''medico-legal'' professional privilege. As the clinical notes were presented to the tribunal and were accessible during the compensation case, the Commissioner decided that the respondent could not claim legal privilege and must provide the individual with full access to the medical records.

---------------------------------------------------

After the complainant did not pay for an accounting service, the respondent accounting firm forwarded the complainant''s details to a debt collection agency and a legal firm, including the complainant''s tax file number (TFN). The Commissioner decided the disclosure was not authorised by the relevant legislation, and constituted a breach of TFN Guidelines. The respondent offered the complainant compensation and satisfied that this was an adequate response to the complaint, the Commissioner closed the matter.

 

 

Law Reform Commissions'' Privacy Work Update . . .

Australian Law Reform Commission

The Australian Law Reform Commission (www.alrc.gov.au) has released ''Discussion Paper 72 - Review of Australian Privacy Law''. In drafting the Discussion Paper, the ALRC examined submissions made in response to its Issues Paper 31 and Issues Paper 32.

The Discussion Paper considers many issues in its 1983 pages. It contains 301 proposals for reform and 46 further questions. The issues addressed include national consistency, the redrafting of the Privacy Act and Privacy Principles, health privacy, reforms to the credit reporting provisions and Telecommunications Act, and the relevance of a statutory cause of action for invasion of privacy.

The Office is currently drafting a submission to the discussion paper. Submissions are due on 7 December. The ALRC will submit its final report to government by 31 March 2008.

NSW Law Reform Commission

In April 2007, the NSW Law Reform Commission (NSWLRC) received terms of reference for an inquiry into whether existing legislation in New South Wales provides an effective framework for the protection of the privacy of an individual. The inquiry focuses on national consistency and the desirability of a statutory cause of action for the invasion of privacy in NSW.

The Office made a submission to the NSWLRC''s Consultation Paper 1 ''Invasion of Privacy'' supporting the development of a statutory cause of action for invasion of privacy as an important step in the recognition of privacy protection within Australia. This submission is available at www.privacy.gov.au/materials/types/submissions/view/6695.

The NSWLRC website can be found at: www.lawlink.nsw.gov.au/lrc.

Victorian Law Reform Commission

The Victorian Law Reform Commission (www.lawreform.vic.gov.au) has received a reference to inquire and report on the potential benefits and risks posed by the use of surveillance and other privacy invasive technologies in the workplace and places of public resort.

In the first phase of this inquiry, a consultation paper on Workplace Privacy - Options for Reform (the Consultation Paper) was released in July 2007. The paper included a number of proposals which aim to establish appropriate measures for the protection of workers'' privacy.

The Office''s August 2007 submission supported further monitoring and data collection by relevant regulators to enable informed decisions to be made about workers'' privacy issues.

New Zealand Law Commission

The New Zealand Law Commission (www.lawcom.govt.nz) is currently in the process of conducting a four stage review of privacy values, changes in technology, international trends, and their implications for New Zealand civil, criminal and statute law.

On 13 September 2007, the Commission released an issues paper on the law relating to public registers. The paper considers whether the law relating to public registers requires systematic alteration as a result of privacy considerations and emerging technology. The Office will be making a submission on this issues paper.

 

 

Diary Notes

  • Asia Pacific Privacy Authorities Forum

    28th APPA Meeting Wellington, New Zealand 30 November - 1 December 2007

    For information contact: Linda.Williams@privacy.org.nz

  • Australian and ACT Government Privacy Contact Officers'' Meeting

    Canberra Friday 7 December 2007 9.00 am - 12 noon

  • APEC Data Privacy Seminar

    Lima, Peru Mid-February 2008

For more diary notes or to submit an event please visit our online events news/calendar: www.privacy.gov.au/news/calendar.

 

 

1 See Anti-Money Laundering and Counter-Terrorism Financing Bill, Explanatory Memorandum 2006, available at www.austlii.edu.au/au/legis/cth/bill_em/alacfb2006532/memo_0.html.

2 See www.austrac.gov.au/aml_ctf.html.