Securitypoint 2008 Seminar Series


Speech by Andrew Hayne, Director (A/g), Policy, Canberra, 11 February 2008, Sydney, 13 February 2008, and Clare Vinecombe, Deputy Director (A/g), Compliance, Melbourne, 12 February 2008, Brisbane, 14 February 2008 to the Securitypoint 2008 seminar series, Privacy - Today and Tomorrow.

Introduction

I would like to begin by thanking InTechnology for its kind invitation to present at Security Point 2008. This series of seminars represents a valuable opportunity to engage directly with information management executives so as to clarify the obligations of organisations under the Privacy Act as well as to give a sense of the role of the Office of the Privacy Commissioner and what may lie ahead for privacy regulation.

In the time available, I will provide a brief overview of federal information privacy regulation, discuss issues relating to the impact of new technologies on information security and privacy, and outline what the Office believes to be the most essential areas for privacy law reform.

Our office believes that this is a dynamic time in privacy, driven by increased awareness of rights and risks, and new opportunities and challenges posed by technology.

In addition, as you may be aware, the Australian Law Reform Commission (ALRC) is currently conducting a major review of privacy law in Australia. Together with similar reviews being conducted in NSW, Victoria and New Zealand, there is a clear sense that governments recognise privacy as an important right, and that laws must be kept up to date and relevant to ensure its proper protection in the 21st century.

In terms of community expectations, the Office recently released a study of community attitudes towards privacy as a follow-up to similar studies we have conducted in 2001 and 2004. The responses to the survey confirm that privacy is an issue of increasing concern to the community.[1]

For example, the research found that 50 per cent of respondents have become more concerned about providing information online than they were three years ago.  Generally speaking, the community is more concerned about providing information over the internet than in hard copy format or over the telephone; and, notably, 67% of respondents said that they provide false information over the internet in order to protect their privacy.  An overwhelming 96% of respondents considered that organisations monitoring activity on the internet (that is recording information on the sites you visit without your knowledge) is a misuse of personal information.  There were also increased levels of concern relating to ID document scanning, which you may have experienced in the practice of pubs and clubs scanning drivers' licences, as well as identity theft.

ROLE OF THE OFFICE

Before turning to the substance of current obligations and potential reforms, it may be useful to provide you with a brief overview of the current Privacy Act and the role played by the Office.

The Office of the Privacy Commissioner is an independent statutory body which has responsibilities under the Commonwealth Privacy Act 1988.  Since the election of the new government, the Office sits within the portfolio of the Department of Prime Minister & Cabinet, a move from the Attorney-General's Department.

The Office is primarily a regulator, with our core business being the assessment of the 1,100 or so complaints we receive each year - though it also has policy advice and education functions, including in response to the 17,000 or so telephone and email enquiries we receive.

As articulated in our strategic plan, the Office's purpose is to promote and protect privacy so as to achieve its vision of an Australian culture that values and respects privacy.  In achieving this, wherever possible, the Office encourages agencies and organisations to work toward good privacy practice, including where that may go beyond their minimum compliance obligations.  For agencies and organisations, this approach offers the potential to enhance community and consumer trust and confidence. 

At the same time, the Office recognises that the right to privacy is not absolute, but must be pursued with regard to other important and sometimes competing rights and interests. 

The Office takes a facilitative approach to its regulatory role, whereby emphasis is placed on working with agencies and organisations to encourage  voluntary compliance with the Privacy Act.  Our approach to resolving complaints focuses on attempting, wherever possible, to conciliate an outcome; where an outcome cannot be conciliated, the Commissioner may make a determination.[2] Conciliation can lead to the resolution of complaints in such ways as facilitating an apology, agreeing to provide access to or, where necessary, correct personal information, or in some cases the payment of compensation.

OVERVIEW OF THE PRIVACY ACT

Principle-based and technology neutral

An important starting point in understanding privacy regulation in Australia is to recognise that the federal Privacy Act provides principle-based and technology neutral regulation. 

The intention of principle-based law is to provide general rules aimed at advancing the objectives of the law rather than prescribing in great detail what the regulated party may do. Principle-based law seeks to encourage organisations to understand the policy underpinning the law and adapt their practices accordingly; not just to prevent intervention from the regulator, but because they recognise the purpose and intent of the law, and the potential value of privacy to their business as a source of competitive advantage. This permits organisations and agencies the flexibility to develop their own solutions according to their own circumstances.

Technological neutrality is intended to recognise the inherent difficulty of keeping statute law up to date with and able to respond to dynamic technological development and emerging technologies; accordingly, the Privacy Act does not generally specify distinct types of technology to which it applies.

Coverage of the Privacy Act

In regard to the coverage of the Privacy Act, the legislation provides protection for personal information that is handled by federal and ACT Government agencies, private sector organisations which have an annual turnover of more than $3 million, and all health service providers (regardless of turnover). In addition, the Act regulates credit worthiness information held by credit reporting agencies and credit providers as well as individuals' tax file numbers. Significantly, the Privacy Act does not regulate state or Northern Territory government agencies.[3]

Generally, small businesses are exempt from the current Act; however, there are several exceptions to this which are important to note as they may be relevant to your organisation.  A small business is bound by the Act if:

  • It is related to another business that has an annual turnover of more than $3 million; or
  • It is a contracted service provider to a Commonwealth Government agency; or
  • It trades in personal information.

Meaning of 'personal information'

It is important to recognise that the Privacy Act focuses its regulatory functions on information privacy as opposed, for example, to bodily or territorial privacy.[4] In turn, the scope of information privacy is determined by the meaning of 'personal information'.

The statutory definition of personal information is contextual, in that it refers to information or opinion about an individual whose identity is apparent or can be reasonably ascertained. Clearly, whether an identity can be reasonably ascertained will be determined by the context in which that information is held, including the availability of technologies that may reasonably re-identify information that is putatively de-identified.

For example, Robert Gellman, in his Public Record Usage in the United States,[5] cites research that reveals:

"... the Cambridge, Massachusetts voter registration list has 55,000 voters. Twelve percent of voters have unique birthdates. So if a person of voting age lives in Cambridge, the voter might be identified just from the birthdate on the voter list.  With birthdate and gender, 20% of voters are unique.  With birthdate and five-digit zip code, 69% are unique.  With birthdate and nine-digit zip code, 97% are unique.  More broadly, 87% of Americans can be identified just by birthdate, five digit zip code, and gender."

More recently, the Office notes the widely publicised case whereby 20 million putatively de-identified internet search records on 650,000 AOL users were made publicly available.  By examining linkages between different searches, a New York Times journalist found that:

 "It did not take much investigating to follow that data trail to Thelma Arnold, a 62-year-old widow who lives in Lilburn, Ga".[6]

When contacted by the journalist, Ms Arnold explained:

"My goodness, it's my whole personal life," she said. "I had no idea somebody was looking over my shoulder."

As is clear from these examples, it is important to be mindful that information can sometimes identify an individual without having mentioned their name.

In the view of the Office, this contextual element is one of the strengths of the definition, allowing it to respond to change and technological advance, as well as the particulars of a given context.
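
The uniqueness figures quoted above can be measured on any extract before it is released. The following is an added example, not part of the original speech: it assumes a constructed ten-record sample with the names already removed and three of the fields mentioned in the quote (the field names `birthdate`, `gender` and `zip5` are illustrative), and reports for each combination of fields what share of records is unique and how small the smallest group is.

```python
"""Pre-release check: how identifying are the non-name fields in an extract?"""
from collections import Counter
from itertools import combinations

# Constructed sample (not real people): a "de-identified" extract, names removed.
RECORDS = [
    {"birthdate": "1961-03-14", "gender": "F", "zip5": "02138"},
    {"birthdate": "1961-03-14", "gender": "M", "zip5": "02138"},
    {"birthdate": "1961-03-14", "gender": "F", "zip5": "02139"},
    {"birthdate": "1975-07-02", "gender": "M", "zip5": "02138"},
    {"birthdate": "1975-07-02", "gender": "M", "zip5": "02138"},
    {"birthdate": "1975-07-02", "gender": "M", "zip5": "02139"},
    {"birthdate": "1980-11-30", "gender": "F", "zip5": "02139"},
    {"birthdate": "1980-11-30", "gender": "F", "zip5": "02139"},
    {"birthdate": "1990-01-05", "gender": "M", "zip5": "02140"},
    {"birthdate": "1975-07-02", "gender": "F", "zip5": "02138"},
]

# Fields that are not names but may single a person out when combined.
QUASI_IDENTIFIERS = ("birthdate", "gender", "zip5")


def group_sizes(records, fields):
    """Count how many records share each combination of values for `fields`."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def unique_fraction(records, fields):
    """Share of records that are the only one with their combination of values."""
    sizes = group_sizes(records, fields)
    singles = sum(1 for r in records if sizes[tuple(r[f] for f in fields)] == 1)
    return singles / len(records)


def smallest_group(records, fields):
    """The k of k-anonymity: size of the smallest group sharing the same values."""
    return min(group_sizes(records, fields).values())


def at_risk(records, fields, k):
    """Indices of records that sit in a group of fewer than k records."""
    sizes = group_sizes(records, fields)
    return [i for i, r in enumerate(records)
            if sizes[tuple(r[f] for f in fields)] < k]


def audit(records, quasi_identifiers):
    """Score every non-empty combination of fields, most identifying first."""
    rows = []
    for n in range(1, len(quasi_identifiers) + 1):
        for fields in combinations(quasi_identifiers, n):
            rows.append({
                "fields": fields,
                "unique_fraction": unique_fraction(records, fields),
                "smallest_group": smallest_group(records, fields),
            })
    rows.sort(key=lambda row: row["unique_fraction"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in audit(RECORDS, QUASI_IDENTIFIERS):
        print(f"{' + '.join(row['fields']):28} "
              f"unique={row['unique_fraction']:.0%} k={row['smallest_group']}")
    print("records needing generalisation or suppression at k=2:",
          at_risk(RECORDS, QUASI_IDENTIFIERS, 2))
```

On this sample no single field isolates more than one record in ten, yet the three fields together make six in ten unique, which is the effect the quoted research describes.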

The National Privacy Principles

Since 2001, the Privacy Act has included ten National Privacy Principles (NPPs) which regulate the way private sector organisations handle personal information including practices regarding collection, use and disclosure, security and destruction, as well as giving individuals rights to access personal information and where necessary to have it corrected.

The NPPs recognise that some personal information, such as health related information and information about religious beliefs and racial and ethnic origin, is considered 'sensitive' and such information is afforded a higher level of protection. An organisation can usually only collect sensitive information with consent and there are tighter restrictions on use and disclosure.

The Privacy Act has, since its inception, also prescribed 11 Information Privacy Principles for Federal  and ACT Government agencies.  These principles are similar, though not identical to, the NPPs.  Notably, they don't include obligations regarding transborder dataflows or data retention, nor do they provide specific regulation of sensitive information.

The Privacy Act and Information Security

The National Privacy Principles and data security

I anticipate that issues relating to data security are likely to be of particular interest to this audience.  However, in focusing on data security it is essential to recognise that while security is an important part of privacy, privacy is not limited to security - security is necessary, though not sufficient for good privacy.  For example, the Privacy Act deals with matters such as collection, disclosure and access.  I will return to this shortly.

Under NPP 4.1 an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.  A similar obligation is created for agencies under IPP 4, which refers to taking 'security safeguards' as are 'reasonable in the circumstances'.

As the Privacy Act does not provide prescriptive regulation, 'reasonable steps' is assessed in each circumstance; there are no specific levels of encryption or other particular security measures mandated by the Act. Relevant factors to consider include:

  • the sensitivity of the personal information being held;
  • the harm that is likely to result to people if there is a breach of security;
  • how the organisation stores, processes and transmits the personal information it holds (for example, paper-based or electronic records); and
  • the size of the organisation (the larger the organisation, the greater the level of security likely to be needed).

Organisations and agencies need to assess their security risks and take appropriate measures to protect the personal information that they hold. 

As I noted earlier, while data security is an important element of privacy, it is only one element.  Every organisation needs to think carefully about what personal information they collect and whether or not it is actually necessary to collect this information.  Under NPP 1, an organisation must not collect personal information unless it is necessary for one of its functions or activities.  It would not ordinarily be acceptable for an organisation to collect personal information on the off chance that it may become necessary for one of its functions or activities in the future. 

Not collecting information is the strongest form of privacy protection - if you don't have it, nothing can go wrong with how it's handled.

Generally speaking, under the Act, organisations and agencies may only use or disclose personal information about an individual for the main reason for which it was initially collected (NPP 2).  There are some exceptions to this, for example:

  • where the individual consents to the secondary use or disclosure;
  • where it is required or authorised by law; and
  • where the secondary purpose is related to the primary purpose for which it was collected, and the individual would reasonably expect this to happen.

As potential data custodians, this is something that you might want to be mindful of if you get a request from within your organisation to use personal data that is held in databases, where the use may be for a different purpose than that for which it was collected.

It is also important to note that individuals have a general right to access personal information about them that is held by an organisation.  In addition, if the individual is able to establish that the information is not accurate, complete and up-to-date, the organisation must take reasonable steps to correct the information.

This concept of 'reasonable' is a recurring theme and highlights the principle based approach of the regulation.

An organisation must also take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for a permitted purpose (NPP 4.2). Notably, there is no equivalent obligation imposed on government agencies, though various obligations under the Archives Act may be relevant.

The Privacy Act also establishes requirements regarding transfer of information overseas, which generally seek to ensure that the information is subject to similar protections through comparable laws or contractual terms. This is particularly worth noting given individuals' concerns regarding international call centres and other contracted service providers. There is no equivalent provision imposed on agencies.

New technologies and privacy

The current principles under the Privacy Act are based on the OECD data protection guidelines that were developed almost thirty years ago. 

New information technologies often greatly enhance the speed, efficiency and scope of information flows within and between organisations and agencies, as well as in society generally.  New technologies may permit the collection of ever greater amounts of information and make it far easier to copy, manipulate and distribute that information to a large number of recipients.  Technology can provide new ways to protect personal information, such as password protection and audit trails, but it also creates new challenges for privacy protection.

In the Office's view, technology is neither inherently good nor bad for privacy - rather, it depends on how it is used.  

For example, biometrics have the potential to work as a privacy enhancing technology or a privacy intrusive technology - if used simply to authenticate that an individual has presented their biometric for the right purpose, without being linked to any identifying details, biometrics can offer robust security and access control. For example, my laptop asks for my fingerprint to provide access - this provides robust protection to the personal information stored on the machine, though the access mechanism never needs to know my actual identity, merely that that person, presenting that finger, has access rights.

A critical success factor to promoting privacy enhancing technologies includes whether privacy is built in from the early design stages, rather than trying to retrofit privacy - as the Privacy Commissioner often describes it, "build in, don't bolt on".

One way that is increasingly being used to identify, assess and avoid the privacy risks associated with large scale projects involving new technologies is to conduct privacy impact assessments. 

The Office has developed privacy impact assessment guidelines, which are available to view on our website.  These are targeted at agencies, but may provide a base from which your organisation can tailor the process.  The Office is intending to develop additional guidance specifically for organisations in this field.

A challenge for privacy regulation is to recognise the benefits of a principle-based, technology-neutral approach, while ensuring it is relevant and has capacity for flexibility.  This is a key challenge and opportunity for privacy regulation.

Privacy Law Reform

Turning to the future of privacy regulation, in January 2006, the Australian Law Reform Commission (ALRC) received terms of reference from the former Australian Attorney-General for an inquiry into the extent to which the Privacy Act 1988 and related laws continue to provide an effective framework for the protection of privacy in Australia.  

The Privacy Commissioner has recognised that the ALRC's current review presents a "once in a generation" opportunity to influence the shape of privacy law in Australia.  For almost 20 years the Privacy Act has generally served Australia well.  However, in a time of rapidly changing technology and community expectations an assessment of the effectiveness of privacy laws is necessary to ensure they continue to meet the diverse needs of the Australian community.

The ALRC has consulted in two stages:

  • firstly, by publishing two issues papers in December 2006;[7] and
  • secondly, by publishing a more detailed three-volume discussion paper in September 2007, which sets out 301 proposals and 46 questions relating to privacy law reform.

The Office has recently made the last of three submissions to the Inquiry.  The submission, which comprises close to 800 pages, covers the broad range of issues and proposals canvassed by the ALRC in Discussion Paper 72, including issues relating to new technologies.  This submission outlines the Privacy Commissioner's views on what privacy regulation should look like in the future.

In regard to the process for law reform, any subsequent legislative changes will follow the Government's response to the ALRC's final report, which is expected in the coming months.  Consistent with its statutory functions, the Office looks forward to assisting the Government in forming this response and in progressing any decisions that might ultimately be made regarding privacy law reform.  While I am happy to discuss some of the Privacy Commissioner's views on possibilities for law reform, it is important to recognise that any changes to the law are ultimately a matter for the Government and Parliament.

Key Issues for privacy law reform

In regard to the key issues raised by the review, the time available today provides opportunity to highlight only a handful of those that may be of greater importance or interest.

Overall, the Office's suggestions for privacy reform focus on achieving greater consistency, simplicity and clarity in privacy regulation in Australia, whilst ensuring that existing privacy protections are not weakened.

One set of principles

One way that regulatory complexity can be reduced is through the creation of a single set of privacy principles in the Privacy Act.   The fact that we have two sets of privacy principles - the Information Privacy Principles (IPPs) for the federal and ACT public sectors, and the National Privacy Principles for the private sector - is a result of the way in which the Act developed and evolved.  However, there appears to be no compelling rationale to maintain this dual approach.

Having two sets of principles has led to confusion and overlap.  For example, currently under the IPPs, there is no rule related to trans-border data flows as there is under the NPPs.  The Office considers that trans-border data flow requirements should apply to both public sector agencies and organisations in a unified set of privacy principles.

In its discussion paper, the ALRC indicates that it is also of the view that the IPPs and NPPs should be brought together into a single set of 11 principles, tentatively called the 'Unified Privacy Principles', that would generally apply to both agencies and organisations. [8]  The creation of a single set of privacy principles will reduce compliance difficulties, particularly for those businesses that interact as contractors to agencies, or where projects involve participants from both the public and private sector.  Increased regulatory consistency and simplicity will also empower individuals to understand and exercise their privacy rights.

It should be noted that the ALRC has not proposed, and nor has the Office called for, state government agencies to be covered by the Privacy Act - the ALRC has proposed a cooperative federal-state approach whereby the amended Privacy Act would form the basis for privacy legislation at the state and territory level.

Maintaining a principles-based and technology neutral approach - to provide flexibility and responsiveness to change

On an additional matter of note, and as already explained earlier, the Office believes that it is important that the Privacy Act continue to be principles-based.  A principles-based approach to regulation not only encourages organisations and agencies to understand the objectives behind the law, but it is also better at accommodating technological change. 

In addition to a principles-based approach, the Office has argued for the continuing technological neutrality of the Privacy Act, and the ALRC has agreed with this idea in its discussion paper.[9]

Technological neutrality does not however mean ignoring or being unresponsive to technological change.  It is our opinion that we can have technological neutrality of privacy laws while still having laws that are technologically relevant. 

The Office believes that a technologically-neutral principles-based approach, coupled with provision for the Privacy Commissioner to make specific binding codes where a clearly defined privacy risk emerges, is the best way to deal with the impact of rapidly developing technology on information handling.

Creating codes where specific privacy concerns emerge - to apply in addition to the uniform principles

The ALRC has proposed, and the Office agrees, that the Commissioner should be empowered to make binding codes that go to certain industries, practices or technologies that may raise heightened privacy risks.

At present, the Privacy Act allows organisations to develop privacy codes that are specific to an organisation, industry or type of activity.  Once approved by the Commissioner, these codes, which must be at least the equivalent of the statutory privacy principles, bind those organisations to the code, and effectively replace the NPPs.  The ALRC's proposal is that codes would be in addition to the proposed Unified Privacy Principles, and go to matters of detail relating to specific technologies.

The Office believes that providing the Privacy Commissioner with the power to make binding codes would provide an effective means of proactively addressing privacy issues within a particular sector and thereby create a more level playing field among organisations, and ensure that conscientious organisations are not commercially disadvantaged.

It would also facilitate more timely responses to new and emerging privacy issues, including those that relate to new technologies.  Binding codes might be appropriate for issues such as CCTV and face recognition technology, or Radio Frequency Identification.  These codes would be subject to mandatory consultation periods and to the scrutiny and disallowance of Parliament.

Audits

Currently, the Privacy Commissioner has powers to conduct audits of federal and ACT government agencies, credit providers and credit reporting agencies under the Privacy Act.  The ALRC has proposed that the Commissioner also be empowered to conduct audits of private sector organisations.[10]

The Office supports this proposal in part, but has suggested the introduction of a qualified audit power, which would allow the Office to audit private sector organisations for compliance where the Commissioner has reasonable grounds to believe that the organisation is engaging in practices that contravene the privacy principles in the Act or pose new and significant risks to personal information they hold.

The Office has also proposed that this activity be termed 'privacy performance assessments', rather than 'audits', the latter of which may not accurately reflect the cooperative approach that the Office seeks to take.

This approach would allow pro-active assistance to be provided to organisations seeking to introduce new technologies or projects, as well as providing the power to appropriately react when the Office is made aware of situations where particular risks or practices of concern have been identified.

Minimising exemptions

Exemptions to the Privacy Act are another key issue for possible law reform.

The list of organisations and agencies currently exempt from the Act is not insubstantial and includes most small businesses, media organisations in the performance of journalism and employee records held by organisations.  A range of national security, intelligence and other bodies are also exempt from the Act.

The Office believes that to achieve uniformity and consistency of application of the privacy legislation, exemptions to the Privacy Act should be minimised and only established where there are clear and compelling policy reasons for doing so.  

For example, the Office believes that there is clear potential to remove the employee records exemption.  Employers can often hold significant amounts of personal information about their staff, which may include sensitive information. 

Removing this exemption is likely to accord with many people's expectations of how this information should be handled.

The absence of protection for sensitive information contained in employee records seems particularly inconsistent with the recognition and protection that is afforded sensitive information throughout the Privacy Act.  While the Office has supported the removal of the employee records exemption, we understand that many businesses already handle these records as if they are already covered by the Privacy Act.  The removal of this exemption is likely to be consistent with good employee relations practices.

After careful consideration, the Office believes that the small business and journalism exemptions should be retained.  In regard to the SBO exemption, the Office was concerned that removing the exemption may impose a regulatory burden that was disproportionate to the privacy risks - it should be noted in this regard that SBOs can fall within jurisdiction if they trade in personal information, as well as there being  a particular regulation making power available to bring them within coverage. 

Where exemptions are retained, organisations should still be encouraged to implement good information handling practices.  This is the approach used by the Office in relation to the current exemptions.

Data breach notification

In the wake of recent major data breaches in the United Kingdom, the Office has reiterated its call for compulsory notification of significant data breaches by organisations or agencies. 

As you may be aware from media reports, in November of last year, two CDs containing twenty-five million records of people claiming or receiving child benefits were lost in transit.  The personal information lost included national insurance numbers and bank account details.  The incident led the British Prime Minister to promise additional powers for the United Kingdom Information Commissioner - the importance of which was possibly underscored by the more recent loss of two UK Defence Department CDs containing the details of 600,000 defence force applicants.[11]

These are perhaps two of the highest profile of many data breaches that have occurred throughout the world - for example, the US-based Identity Theft Research Centre compiled a list of 448 publicly reported breaches in 2007, potentially affecting almost 128 million individuals.[12]

Data breach notification requirements are becoming more prevalent overseas, particularly in jurisdictions within the United States, in light of the increasing risk of identity fraud.

By notifying people in a timely manner, organisations give people an opportunity to take any necessary steps to protect their personal information.  A requirement to notify significant data breaches would also encourage organisations and agencies to take adequate steps in the first place to secure the personal data that they hold.

The ALRC has supported the idea of a data breach notification requirement.[13] However, as with all things, it is the detail of how such a requirement is established that will be crucial, so as to ensure that it neither imposes an unreasonable burden for agencies and organisations, nor results in unnecessary or alarmist notifications to individuals.

The Office considers that notification should be limited to circumstances where a breach is assessed as giving rise to a real potential for serious harm to an individual.  Serious harm is not limited to identity theft or fraud but could, for example, include discrimination or significant embarrassment if sensitive medical information was released.

I can also tell you that the Office is currently developing draft voluntary data breach notification guidelines and we hope to have them released in the near future for consultation. These are a response to requests for advice from stakeholders as to how they should manage such breaches. They will of course be made available on our website and we would welcome the views of all stakeholders.

Removing uncertainty around privacy regulation in the private health sector

The handling of health information has been a significant focus of the review process.

Currently, there is particular confusion resulting from regulatory overlap in the area of health information. 

At the national level, the handling of health information is regulated by the Privacy Act.  In addition though, some states and territories have developed privacy legislation for their public sectors, with Victoria, NSW, and the ACT also enacting laws to regulate the handling of health information in the private sector.

In order to avoid the potential confusion for health service providers and consumers arising from overlapping legislation, the Office considers that it would be preferable if the Privacy Act were the single instrument regulating how people's personal information is handled by all private sector health providers to the exclusion of state or territory legislation.  The ALRC appears to agree that federal privacy law should override state and territory legislation in relation to private sector health providers, [14] though has not gone as far as to propose federal regulation of how state government agencies handle health information.

On-line verification of age and capacity

The ability to verify a person's age and capacity to consent in an online environment is an important and challenging issue.  In particular, this issue arises when an organisation must be confident that an individual understands the context and consequences of providing information, or agreeing to its use or disclosure.

Currently, the Privacy Act does not make explicit substantive reference to children and young people.  Rather, the Act operates on the basis that children and young people have the same rights to privacy as adults. In practice, the responsibility for exercising a child or young person's rights under the Privacy Act falls to a parent or guardian until the child reaches a level of maturity where they are able to make decisions independently.

The Office believes that, wherever practicable, capacity of young people should continue to be assessed on an individual basis, rather than upon attaining a prescribed age.  Whether children can make decisions about their personal information should be determined by whether they are mature enough and informed enough to make such decisions.

The Office recognises that in some contexts it may not be practicable to undertake an individual assessment of capacity, particularly in an online environment.  We therefore agree with the ALRC's proposal that where it is not practicable to undertake an individual assessment there should be a presumption that young people aged 15 and over have the capacity to make their own decisions under the Privacy Act (and those under this age do not).  However, it is worth noting that this proposal is to establish a presumption, which can be negated by actual knowledge to the contrary to take into account particular situations.  

There are, however, logistical challenges in trying to authenticate attributes such as age and capacity in an online environment.  Many existing forms of age verification are unreliable in an online environment.  For example, the provision of credit card details only verifies that an individual has sourced a valid credit card number - it does not verify that the individual entering the data is a given age.  Similarly, systems which request individuals to enter their age or dates of birth are inherently unreliable as individuals can simply misrepresent their true details.

The Office is aware of various developments in online authentication in other countries, which stem from the need to authenticate identity in an online context.[15] At least some of these systems are premised on a single trusted third-party providing authentication to individuals, who are then issued with digital certificates for use in an online environment.

Being able to verify that a person has capacity to consent in an online environment is important and the Office hopes to progress this through working in collaboration with industry, government and other stakeholders.  If you have any suggestions or ideas that you would like to feed through to the Office, we would welcome industry input, particularly with regard to practical solutions.

CONCLUSION

In the time available I have only been able to touch on some of the areas that the Office believes are most important in privacy law reform.  I encourage you to have a look at the full submissions made by the Office, which are available on our website at: http://www.privacy.gov.au/publications - I have also provided Mark with copies on CD.

Ultimately, good privacy practice is good business, contributing to consumer confidence and trust, particularly in online environments and where sensitive information may be handled.

Given the impact that any amendments to the Privacy Act may have on your organisation in coming years, our Office encourages you to watch developments closely, engage in consultations and discussions on potential law reform, and to prepare well in advance for any necessary changes in your organisation's information handling practices.

I would reiterate my introductory comment that our Office remains open and keen to engage in dialogue with stakeholders on important privacy issues - the forthcoming consultation draft of the Office's voluntary data breach guidelines will provide an important opportunity for such engagement and I encourage you to let us know your views.

[1]  Available at: http://www.privacy.gov.au/materials/types/download/8820/6616

[2] Common resolutions after the investigation proceeds to conciliation include: apologies to complainants; changes to database systems; correction of records; provision of access to records; and amounts of compensation ranging from less than $500 to $20 000.

[3] For more on coverage of the Privacy Act, see our Information Sheet 12 available at http://www.privacy.gov.au/materials/types/infosheets/view/6544.

[4] A well established typology of different forms of 'privacy' is:

  • Information privacy - involving rules for the handling of personal data
  • Bodily privacy - protection of our physical selves against invasive procedures
  • Privacy of communications - security and privacy of mail, telephones etc
  • Territorial privacy - setting limits on intrusions into domestic and other environments.

See Banisar D, 2000, Privacy and Human rights: an international survey of privacy laws and developments, Electronic Privacy Information Center, Washington DC. Available at www.privacyinternational.org/survey/..

[5] Available at http://www.cnil.fr/conference2001/eng/contribution/gellman_contrib.html.

[6] M Barbaro and T Zeller (2006) "A Face Is Exposed for AOL Searcher No. 4417749" New York Times 9 August available at: http://www.nytimes.com/2006/08/09/technology/09aol.html?ei=5087&en=fc3fb3310bf58bd7&ex=1171771200&excamp=mkt_at1&pagewanted=all

[7] Issues Paper 31 - Review of Privacy in October 2006 and Issues Paper 32 - Review of Privacy: Credit Reporting Provisions

[8] Proposal 3-2, Discussion Paper 72, Australian Law Reform Commission, Review of Australian Privacy Law, 2007.

[9] Proposal 7-1, Discussion Paper 72, Australian Law Reform Commission, Review of Australian Privacy Law, 2007.

[10] Proposal 44-6, Discussion Paper 72, Australian Law Reform Commission, Review of Australian Privacy Law, 2007.

[11] It has been reported that "The stolen data includes passport details, national insurance numbers, family details and doctors' addresses for people who submitted an application to the forces, the ministry said. The laptop also contained bank details for at least 3,500 people." See, ComputerworldUK, 20 January 2008 available at http://www.computerworlduk.com/management/security/data-control/news/index.cfm?newsid=7088.

[12] See, http://idtheftmostwanted.org/ITRC%20Breach%20Report%202007.pdf.

[13] Proposal 47-1, Discussion Paper 72, Australian Law Reform Commission, Review of Australian Privacy Law, 2007.

[14] Proposal 4-1, Discussion Paper 72, Australian Law Reform Commission, Review of Australian Privacy Law, 2007.

[15] See, for example, AGIMO Discussion Paper No. 12, 'Managing Privacy in Identity Management - The Way Forward - Distributed and Federated Identity', available at http://www.agimo.gov.au/publications/2004/05/egovt_challenges/privacy/identity/distributed