
Privacy Law Reform


Speech by Karen Curtis, Privacy Commissioner, to the Clayton Utz Breakfast Seminar, Parkes, Canberra 8 November 2007

Introduction

Today I am going to talk to you about the essentials of privacy law reform and to have a connection with the day, the 8th of November, I'm going to outline 8 sensible areas for reform.

Why we've been pushing for reform

I, like many of you here today, well remember the days before the desktop PC became commonplace.  And I'm sure that all of us remember what life was like before 1992 when the Internet became commercialised.  The desktop computer and the Internet, together with a host of other technologies, not to mention the globalisation of communication, and other social, political and economic developments - particularly post 9/11 - have all impacted upon our attitudes towards privacy and our privacy expectations.

In Australia, 1988 and 2000 were watershed years in the privacy protection field. 1988 saw the introduction of the Privacy Act and 2000 saw the extension of the Act to cover a large slice of the private sector.

However, even since 2000, Australians' knowledge of privacy issues and their privacy expectations and awareness have moved on.  For example, a recent study commissioned by my Office on attitudes towards privacy found that 50% of Australians have become more concerned about providing information online than they were two years ago.  The study also found that, in the past three years, 10% more Australians have become aware of Australia's privacy laws.

New technological developments such as the increased use of surveillance, the growth in use of mobile phones, the introduction of biometric scanning, and so on have also led to new areas of concern.

The pace of such developments and the rate at which people's privacy expectations have evolved, led my Office to recommend in its Review of the Private Sector Provisions of the Privacy Act, completed in March 2005, that a more wide-reaching review of privacy law be undertaken.

Australia's privacy laws, while having served the community well, are based on guidelines prepared by the OECD some 30 years ago. They are primarily about the way personal information is collected, used, stored and disclosed.  A review of the Privacy Act and the privacy landscape generally allows us to assess to what extent the Act continues to meet the needs of Australians and to address their rights and their concerns.

As many of you will know, as a result of my Office's recommendation and a recommendation made by the Senate Legal and Constitutional Affairs Committee, last year the Australian Law Reform Commission received terms of reference from the Attorney-General to conduct a review of Australia's privacy laws.

It's interesting that, following on from the ALRC's commencement of its review, the New Zealand Law Commission and the NSW Law Reform Commission have also launched inquiries into their jurisdictions' privacy laws.  The Victorian Law Reform Commission is also currently undertaking a review of privacy issues related to surveillance in public places, having already completed a review of work-related privacy issues.

So privacy law reform is really the flavour of the month.

What we're pushing for & what we believe is the most important

My Office has made two substantial submissions to the ALRC since last year.  Our first submission in response to the ALRC's Issues Paper 31 was over 470 pages long and included over 250 suggestions for the ALRC's consideration. 

The second submission in response to the ALRC's Issues Paper 32 addressed the credit reporting provisions of the Privacy Act.  I'm not going to go into the details about each of the 250 positions put forward by my Office, but I do want to outline some of our key positions that we believe are crucial to ensure the continuing relevance of the Privacy Act over coming years.

I should make clear though that our 'essential' suggestions for privacy law reform do not in any way weaken existing privacy protections.  To the contrary, our suggestions seek to enhance existing protections.

I think privacy law should be about commonsense, courtesy and respect.  It should be an enabler and enhancer and not seen as burden for business and governments. There should always be a balance between the rights of the community and the rights of the individual.

Keep principles-based and technology neutral privacy law

My Office takes the view that it is vital that the Privacy Act continue to be principles-based.  A principles-based approach to regulation not only encourages organisations and agencies to understand the objectives behind the law, but it is also better at accommodating technological change.

Principles allow those with obligations to get to know the law and its underlying objectives, and to establish how to best apply it to their organisation or agency.  Principles allow the law to be applied to differing organisations in various industries, across a range of economic environments.

In addition to a principles-based approach, there is the need to keep the Privacy Act technologically neutral.  Technological neutrality ensures that the general principles in the law can be applied to new technological developments.  

If, for example, the law was to include references to current technologies like CCTV, spyware, cookies, radio frequency identification, GPS, and ID scanners, such references could quickly become outdated as new technologies are created and receive widespread acceptance.  It is therefore essential that the Privacy Act remain neutral in its phrasing to allow it to maintain its relevance where the tools of information handling are changing rapidly.

Technological neutrality does not however mean sticking our heads in the sand when it comes to technological change.

At present, the Privacy Act allows organisations to develop privacy codes that are specific to an organisation, industry or type of activity.  Once approved by my Office, these codes, which must be at least the equivalent of the privacy principles, bind those organisations signed on to the code.  In order to accommodate particular technologies that create privacy risks which fall outside the scope of the Privacy Act, my Office proposes that it be able to make binding codes covering certain acts or practices or certain technologies.  This would facilitate timely responses to new technology-specific privacy issues.  These codes would be subject to mandatory consultation periods and to the scrutiny and disallowance of Parliament.

Create a single set of principles

A second essential in privacy law reform is the combining of the Act's two sets of principles into one.

The existence of two sets of privacy principles - the Information Privacy Principles for the public sector, and the National Privacy Principles for the private sector - is a result of the way in which the Act developed and evolved.  However, there appears to be no good rationale now for maintaining this dual approach.

The two sets of principles have led to confusion and overlap.  For example, currently under the IPPs there is no rule relating to trans-border data flows, as there is under the NPPs.  In our proposed set of unified principles, trans-border data flow requirements would apply to public sector agencies as well.

An example of the difficulties arising from having two sets of principles is the situation where a public sector agency undertakes commercial activities.  In such a case the agency could have obligations under both the public and private sector principles and the agency would need to invest significant time and effort in ensuring that its activities meet the requirements of the appropriate set of principles depending on which activity it is engaging in.

Likewise where a private sector organisation is contracted to undertake work for a public agency, it needs to comply with both sets of principles.

A single set of principles would not only make things simpler for organisations and agencies and lessen administrative and cost burdens in seeking to meet privacy obligations, but it would also empower individuals to better understand and exercise their privacy rights.

Foster national consistency of privacy regulation

The third essential privacy reform is fostering national consistency in privacy regulation.  The current national framework of privacy regulation is prone to inconsistencies, including:

1. differing state public sector principles and possible overlap with state and territory laws; and

2. inconsistencies with other Commonwealth legislation, such as with the Telecommunications Act 1997.

National consistency with other Commonwealth and State laws would minimise government and private sector compliance burdens and allow individuals to have their privacy rights met without confusion or difficulty.

I should mention that the desirability of privacy protection principles being uniform across Australia is also a key term of reference for the NSW Law Reform Commission's review of privacy.

There are a number of ways that current privacy regulations could be harmonised. These solutions include:

1. ensuring that privacy protections in state and territory jurisdictions are consistent with, and at least equivalent to, the Privacy Act;

2. adopting a single set of privacy principles - as mentioned above - to replace the IPPs and NPPs, which can be uniformly adopted across federal, state and territory jurisdictions;

3. providing greater guidance on the operation of existing laws, and how they relate to other regulations; and

4. enhancing powers to enable regulators, including my Office, to cooperate more effectively.

Remove uncertainty around privacy regulation in the private health sector

There is particular confusion resulting from regulatory overlap in the area of health.

At the national level, the handling of health information is regulated through the Privacy Act.  Some states and territories have developed privacy legislation for their public sector, and Victoria and NSW have also enacted laws to regulate the handling of health information in the private sector too.  Western Australia is currently considering a Bill which, if enacted, would regulate the handling of personal information by the state public sector, as well as the handling of health information by both the WA public and private sectors.

Examples of the confusion that arises as a result of the overlap in laws were outlined in submissions made to my 2005 Review of the Private Sector Provisions of the Privacy Act.

A submission from an organisation that operates as a medication service via a call centre said they had to read different statements to obtain consent depending on the location of the individual and the law that applies in that jurisdiction.  Insurance companies also cited differing laws that applied to the same piece of information.

It is not unimaginable that a situation could even arise where a resident of Wodonga, Victoria, who visits a medical practitioner in neighbouring Albury, NSW, would potentially be covered by Commonwealth, Victorian and NSW health privacy laws.  Without national consistency, if the patient had a privacy-related complaint against the medical practitioner, it's not clear who they would complain to.  Would it be to my Office or to the Victorian or NSW privacy or health agencies?

To avoid all this confusion, it would be preferable if the Privacy Act were the single instrument regulating how people's personal information is handled by all private sector health service providers, to the exclusion of state or territory legislation.  This would not affect the states' ability to regulate their own public health sectors, although if the states were to enact complementary legislation for their public sectors, that would be ideal.

Simplify credit provisions

The fourth essential for privacy reform is the repealing of the credit reporting provisions of the Privacy Act and replacing them with the proposed unified set of privacy principles, which would operate in tandem with a binding code for credit reporters and providers.

The credit reporting provisions came into operation in 1991, well before the introduction of the NPPs and they are quite prescriptive.

As you may be aware, the credit reporting provisions cover the collection of people's financial information by credit providers and credit reporting agencies, as well as the use of that information, disclosure, security, data accuracy, and giving notice.

The provisions are complicated and difficult to understand, and there are some gaps - some provisions, for example, only apply to credit providers, others apply only to credit reporting agencies.

We believe that it would be simpler to regulate the credit industry via a combination of the proposed uniform privacy principles and a binding industry code.

Credit is a specialised area and the code would allow for extra prescription given the specific concerns Australians have about the handling of credit-related data.

Minimal exemptions to the Privacy Act

The fifth essential element of privacy reform is ensuring there are minimal exemptions to the Privacy Act. This will help to achieve uniformity and consistent application of privacy legislation.  I also believe that where exemptions exist there should be a clear public interest to support them.

At present, employee records in the public and private sectors are treated differently: public sector employee records are covered and private sector records are exempt. Arguably, if we have one set of principles then the consistent application of those principles would be enhanced by the employee records exemption for the private sector being removed. Employee records should be treated the same way whether an individual works in the government or private sector.

With regard to media, the exemption is not a blanket exemption and this should be clarified.  The term used in the Act, 'in the course of journalism', should be defined and the term 'media organisation' clarified.

There is currently an exemption from the Act for various defence and intelligence agencies.  We believe this exemption is appropriate.  Other legislation and ministerial directions do impose some privacy-related requirements on these agencies.  However, despite their exemption, intelligence agencies should still be encouraged to implement good information handling practices under the guidance and oversight of the Inspector-General of Intelligence and Security.

In relation to the exemption relating to registered political parties and political acts and practices, my Office receives very few complaints or inquiries. We therefore feel that the Privacy Act may currently provide an appropriate balance. However, if the political exemption is retained, one option could be to allow political organisations to voluntarily opt in to coverage by the Privacy Act.

Another option could be partial coverage of political parties by the NPPs or the proposed set of unified principles.  This would require political parties to comply with a few key principles, such as openness, access and correction, and to have some limits placed on their disclosure of personal information.

At present, many small businesses with a turnover of less than $3 million are exempt from the Act.  If this exemption is retained, we believe it should be expressed in terms of the ABS definition of 20 employees or less, rather than annual turnover.

Some industry sectors handle more personal information than others. We believe small businesses in sectors handling large quantities of personal information should be brought in under the Privacy Act. Therefore, we propose that small businesses in the telecommunications sector, such as ISPs, and childcare centres should have obligations under the Privacy Act.

In addition, all organisations exempt from the Act should be able to choose to be covered by the Act.  Currently, this option only exists for small businesses.

Of course, whether exempt from the Privacy Act or not, all organisations should build in good practices when handling personal information.

We see ultimately that the way data is handled will enhance competitiveness in the marketplace and foster trust amongst customers so it will become increasingly an important business driver.

Data matching

The sixth privacy law reform essential relates to data matching. As you may know, much of the data that agencies and organisations bring together from different sources aims to identify people for further action or investigation.  For example, records from different departments are often compared to identify people who are being paid benefits to which they are not entitled or people who are not paying the right amount of tax.  Data-matching may pose a particular threat to personal privacy because it involves analysing information about large numbers of people without prior cause for suspicion.

Government agencies that undertake data matching by use of the Tax File Number are currently subject to the requirements of the Data Matching Program Act and guidelines issued by my Office.

For agencies conducting data matching that does not include Tax File Numbers, my Office has issued non-binding guidelines. In light of the expanding technological capacity and ease in conducting widescale data matching, we have recommended that consideration be given to making the voluntary public sector data matching guidelines mandatory.

There is no specific data matching regulation for the private sector. However, any collection, use or disclosure would be regulated by the privacy principles for those organisations that fall within the Privacy Act's jurisdiction.  As the necessary technology becomes widely available, there is likely to be significant potential for increased data matching in the private sector. We have therefore argued that private sector data matching activity might be best dealt with by allowing my Office to make binding codes.

Biometrics as sensitive information

Biometrics is the seventh privacy law reform essential. Biometric technologies such as fingerprint or iris scans have the potential to create major challenges to privacy as they record unique physical human traits for the purposes of identification or authentication of an individual. The privacy challenges of biometrics include:

1. The difficulty of re-securing biometric information once it has been breached.  For example, it is possible to re-issue a credit card number if something goes wrong, but it is much more difficult to issue a replacement fingerprint.

2. The capacity for covert collection and monitoring of biometrics.  For example, as face recognition technology enables faces to be identified at a distance from the individual, it can be undertaken without the person's knowledge.

3. As biometrics allows information to be sourced from a person's physical or behavioural features, this could reveal more information than is necessary for a transaction.  For example, face scans may reveal information about a person's emotions, iris recognition and retinal scans may reveal information about a person's health, and raw biometric information may include information about a person's race or ethnicity.

My Office suggests that consideration be given to including biometric information within the definition of 'sensitive information' under the Privacy Act.  The Act currently distinguishes between general personal information and 'sensitive information'.  The only types of personal information that are deemed to be 'sensitive' under the Act are those relating to a person's race, political affiliations, religious or philosophical beliefs, trade or union membership, sexual preference, whether they have a criminal record, and their health.  These types of information are 'sensitive' given that people rightly consider such details as particularly intimate and they would be especially concerned if such information was to be made public.  Amending the Privacy Act to include biometric information within the scope of 'sensitive information' would ensure that it is afforded a higher level of privacy protection than other forms of personal information.

My Office also proposes that all organisations - including small businesses - that handle biometric information should be covered by the Privacy Act for the purposes of how they handle that information. This would require, among other things, that all organisations would need to provide notice and seek consent to the collection of biometric information, as well as ensuring that it is handled securely, is accurate, and is generally only used or disclosed for the purpose for which it was collected.

Move towards data security breach notification

The final privacy reform essential is one that has been the subject of discussion in the media in recent months, that of mandatory data security breach notification.

My Office supports the introduction of compulsory notification of data security breaches in certain circumstances.  We believe that such an obligation should be proportional to the severity of the impact of the breach.

Mandatory reporting already exists in some forty different U.S. states, and various other jurisdictions are currently considering breach notification models, including Canada, the UK, New Zealand and the European Union.

By notifying people when a breach occurs, organisations give them an opportunity to take any necessary steps to protect their personal information.

Mandatory reporting also provides a strong market incentive to organisations to adequately secure databases and information repositories to avoid the potential brand damage arising from negative publicity.

Mandatory reporting laws have made a significant impact on the privacy landscape in the US.  For example, the Massachusetts-based retailer, TJX Companies, suffered a major data breach over a 17-month span that affected 94 million accounts in Canada, the United States, Puerto Rico, the UK and Ireland.  The full extent of the breach is only now coming to light as court proceedings against the company continue.  Last month, an enquiry by the Canadian Privacy Commissioner criticised the company for collecting too much data and using inadequate means of protecting it.  The sheer nature and scale of the breach is of course shocking, but it was thanks to mandatory reporting disclosure laws that the TJX breach became public.

However, mandatory reporting regulation is still a relatively new and evolving concept that requires further research.  It will be important to analyse the different breach notification models in order to assess the appropriate formula for the Australian context.

Key issues that will need to be addressed include:

1. How will the provisions respond effectively to different levels of security breach?  For example, should a technical failure that involves a momentary and minor 'blip' in the overall security of a system require the same notification response as a breach involving the disclosure of a large number of credit card numbers and expiry dates?  After all, organisations and their customers could become desensitised if notified of every single breach, no matter how small.

2. To whom will agencies or organisations be required to report?  Should there be levels of notification ranging from advising my Office, to advising affected customers, to making an announcement in a public forum?  Where notification of individual customers is overly costly, should there be alternative methods of notification available?

The ALRC's view

On 12 September the ALRC released Discussion Paper 72, which sets out the ALRC's proposals for privacy reform in some detail.  The ALRC's final report and recommendations are due to be submitted to the Attorney-General at the end of March next year.

The Discussion Paper by and large takes up the majority of the essential privacy reform elements that my Office has recommended.

For example, the ALRC supports national consistency, where states and territories would adopt a single set of principles in the Commonwealth Privacy Act. One of these principles would be anonymity - which the IPPs currently do not have.  The combined set of principles would also offer more explicit rules covering the handling of sensitive information which, again, the IPPs do not have.  In addition, currently, only private sector organisations have rules covering the sending of personal information overseas; the new set of principles would extend these rules to the public sector.

There are various other issues that the ALRC has commented on that are of interest.

- The ALRC has, for example, proposed that my Office should have the power to require an agency or organisation to prepare a privacy impact assessment for a new project or development where it may have a significant impact on the handling of personal information. This approach would encourage agencies and organisations to take responsibility for assessing privacy issues and allow my Office to step in where this does not occur.

- Another proposal by the ALRC would see stronger safeguards to reduce the risk of identity theft. My Office, in its recent survey, found that 9% of Australians claim to have been victims of identity theft, and 60% are concerned about becoming a victim in the next 12 months. The ALRC proposes to allow an individual to report to a credit reporting agency that they have been a victim of identity theft so that this information is available to any potential credit providers.

- The ALRC has proposed that there be a separate review of the Telecommunications Act, particularly given that it deals with aspects of privacy. The ALRC additionally proposes that telecommunications companies should be prohibited from charging for an unlisted phone number.

- Another proposal of interest that has received quite a bit of media coverage is the issue of comprehensive or 'positive' credit reporting. At present, the Privacy Act only allows specific information to be listed on a person's credit file that might detract from the person's credit worthiness, which is sometimes called 'negative' credit reporting. The ALRC has proposed that the type of information in a credit file be extended to include:

  - The type of credit account opened - such as a mortgage, personal loan, or credit card.

  - The date on which the credit account was opened.

  - The limit of each credit account.

  - The date on which each credit account was closed.

It has been suggested that this information would allow credit providers a better range of factors to take into account when deciding whether to provide a person with credit, and it may encourage more responsible lending practices and reduce the cost of credit. It is also suggested this could assist a person who has defaulted in the past to improve their chances of obtaining credit by allowing information showing subsequent good financial management. 

Conclusion

I've outlined eight areas of reform today and they really amount to a sensible approach, and indeed they do:

S is for 'one set of principles'

E is for 'minimal exemptions'

N is for 'technology neutrality and notification of breaches'

S is for 'simplification of credit'

I is for 'instructive but not intrusive data matching'

B is for 'sensitive biometrics'

L is for 'leave it principles based'

E is for 'enabling and enhancing'

My Office continues to play a role in the ALRC's review process and we will be contributing a further submission in response to the ALRC's Discussion Paper 72 which contains 301 proposals and 46 questions.

The review presents a once in a generation opportunity to influence the shape of privacy law in Australia and I encourage you all to look at our website - www.privacy.gov.au - and that of the ALRC - www.alrc.gov.au - and to make your thoughts known.

After all, you or your organisation may in fact disagree with some of the privacy reform proposals that I have put forward today.  And you may have identified other areas of concern that you believe are not adequately addressed by privacy law and you feel should be.

Given the impact that any amendments to the Privacy Act may have in coming years to your organisation, I also encourage you to watch developments closely and to prepare well in advance for any necessary changes in your organisation's information handling practices.

We live in interesting times!