Privacy Law Reform
Speech by Karen Curtis, Privacy Commissioner, to the
Clayton Utz Breakfast Seminar, Parkes, Canberra 8 November 2007
Introduction
Today I am going to talk to you about the essentials of privacy law reform
and to have a connection with the day, the 8th of November, I'm going
to outline 8 sensible areas for reform.
Why we've been pushing for reform
I, like many of you here today, well remember the days before the desktop PC
became commonplace. And I'm sure that all of us remember what life was
like before 1992 when the Internet became commercialised. The desktop
computer and the Internet, together with a host of other technologies, not to
mention the globalisation of communication, and other social, political and
economic developments - particularly post 9/11 - have all impacted upon our
attitudes towards privacy and our privacy expectations.
In Australia, 1988 and 2000 were watershed years in the privacy protection
field. 1988 saw the introduction of the Privacy Act and 2000 saw the extension
of the Act to cover a large slice of the private sector.
However, even since 2000, Australians' knowledge of privacy issues and their
privacy expectations and awareness have moved on. For example, a recent
study commissioned by my Office on attitudes towards privacy found that 50% of
Australians have become more concerned about providing information online than
they were two years ago. The study also found that, in the past three
years, 10% more Australians have become aware of Australia's privacy laws.
New technological developments such as the increased use of surveillance, the
growth in use of mobile phones, the introduction of biometric scanning, and so
on have also led to new areas of concern.
The pace of such developments, and the rate at which people's privacy
expectations have evolved, led my Office to recommend in its Review of the
Private Sector Provisions of the Privacy Act, completed in March 2005, that a
more wide-reaching review of privacy law be undertaken.
Australia's privacy laws, while having served the community
well, are based on guidelines prepared by the OECD some 30 years ago. They
are primarily about the way personal information is collected, used, stored and
disclosed. A review of the Privacy Act and the privacy landscape
generally allows us to assess to what extent the Act continues to meet the needs
of Australians and to address their rights and their concerns.
As many of you will know, as a result of my Office's recommendation and a
recommendation made by the Senate Legal and Constitutional Affairs Committee,
last year the Australian Law Reform Commission received terms of reference from
the Attorney-General to conduct a review of Australia's privacy laws.
It's interesting that, following on from the ALRC's commencement of its
review, the New Zealand Law Commission and the NSW Law Reform Commission have
also launched inquiries into their jurisdictions' privacy laws. The
Victorian Law Reform Commission is also currently undertaking a review of
privacy issues related to surveillance in public places, having already
completed a review of work-related privacy issues.
So privacy law reform is really the flavour of the month.
What we're pushing for & what we believe is the most important
My Office has made two substantial submissions to the ALRC since last year.
Our first submission in response to the ALRC's Issues Paper 31 was over
470 pages long and included over 250 suggestions for the ALRC's
consideration.
The second submission in response to the ALRC's Issues Paper 32 addressed the
credit reporting provisions of the Privacy Act. I'm not going to go into
the details about each of the 250 positions put forward by my Office, but I do
want to outline some of our key positions that we believe are crucial to ensure
the continuing relevance of the Privacy Act over coming years.
I should make clear though that our 'essential' suggestions for privacy law
reform do not in any way weaken existing privacy protections. To the
contrary, our suggestions seek to enhance existing protections.
I think privacy law should be about commonsense, courtesy and respect.
It should be an enabler and enhancer and not seen as burden for business and
governments. There should always be a balance between the rights of the
community and the rights of the individual.
Keep principles-based and technology neutral privacy law
My Office takes the view that it is vital that the Privacy Act continue to be
principles-based. A principles-based approach to regulation not only
encourages organisations and agencies to understand the objectives behind the
law, but it is also better at accommodating technological change.
Principles allow those with obligations to get to know the law and its
underlying objectives, and to establish how to best apply it to their
organisation or agency. Principles allow the law to be applied to
differing organisations in various industries, across a range of economic
environments.
In addition to a principles-based approach, there is the need to keep the
Privacy Act technologically neutral. Technological neutrality ensures that
the general principles in the law can be applied to new technological
developments.
If, for example, the law was to include references to current technologies
like CCTV, spyware, cookies, radio frequency identification, GPS, and ID
scanners, such references could quickly become outdated as new technologies are
created and receive widespread acceptance. It is therefore essential that
the Privacy Act remain neutral in its phrasing to allow it to maintain its
relevance where the tools of information handling are changing rapidly.
Technological neutrality does not however mean sticking our heads in the sand
when it comes to technological change.
At present, the Privacy Act allows organisations to develop privacy
codes that are specific to an organisation, industry or type of activity.
Once approved by my Office, these codes, which must be at least the equivalent
of the privacy principles, bind those organisations signed on to the code.
In order to accommodate particular technologies that create privacy risks which
fall outside the scope of the Privacy Act, my Office proposes that it be able to
make binding codes covering certain acts or practices or certain
technologies. This would facilitate timely responses to new
technologically-specific privacy issues. These codes would be subject to
mandatory consultation periods and to the scrutiny and disallowance of
Parliament.
Create a single set of principles
A second essential in privacy law reform is the combining of the Act's two
sets of principles into one.
The existence of two sets of privacy principles - the Information Privacy
Principles for the public sector, and the National Privacy Principles for the
private sector - is a result of the way in which the Act developed and evolved.
However, there appears to be no good rationale now for maintaining this
dual approach.
The two sets of principles have led to confusion and overlap. For
example, currently under the IPPs, there is no rule related to trans-border data
flows as there is under the NPPs. In our proposed set of unified
principles, trans-border data flow requirements would apply to public sector
agencies as well.
An example of the difficulties arising from having two sets of principles is
the situation where a public sector agency undertakes commercial activities.
In such a case the agency could have obligations under both the public and
private sector principles and the agency would need to invest significant time
and effort in ensuring that its activities meet the requirements of the
appropriate set of principles depending on which activity it is engaging in.
Likewise where a private sector organisation is contracted to undertake work
for a public agency, it needs to comply with both sets of principles.
A single set of principles would not only make things simpler for
organisations and agencies and lessen administrative and cost burdens in seeking
to meet privacy obligations, but it would also empower individuals to better
understand and exercise their privacy rights.
Foster national consistency of privacy regulation
The third essential privacy reform is fostering national consistency in
privacy regulation. The current national framework of privacy regulation
is prone to inconsistencies, including:
1. differing state public sector principles and
possible overlap with state and territory laws; and
2. inconsistencies with other Commonwealth
legislation, such as with the Telecommunications Act 1997.
National consistency with other Commonwealth and State laws would minimise
government and private sector compliance burdens and allow individuals to have
their privacy rights met without confusion or difficulty.
I should mention that the desirability of privacy protection principles being
uniform across Australia is also a key term of reference for the NSW Law Reform
Commission's review of privacy.
There are a number of ways that current privacy regulations could be
harmonised. These solutions include:
1. ensuring that privacy protections in state
and territory jurisdictions are consistent with, and at least equivalent to, the
Privacy Act;
2. adopting a single set of privacy principles
- as mentioned above - to replace the IPPs and NPPs, which can be uniformly
adopted across federal, state and territory jurisdictions;
3. providing greater guidance on the operation
of existing laws, and how they relate to other regulations; and
4. enhancing powers to enable regulators,
including my Office, to cooperate more effectively.
Remove uncertainty around privacy regulation in the private health sector
There is particular confusion resulting from regulatory overlap in the area
of health.
At the national level, the handling of health information is regulated
through the Privacy Act. Some states and territories have developed
privacy legislation for their public sector, and Victoria and NSW have also
enacted laws to regulate the handling of health information in the private
sector too. Western Australia is currently considering a Bill which, if
enacted, would regulate the handling of personal information by the state public
sector, as well as the handling of health information by both the WA public and
private sectors.
Examples of the confusion that arises as a result of the overlap in laws were
outlined in submissions made to my 2005 Review of the Private Sector Provisions
of the Privacy Act.
A submission from an organisation that operates as a medication service via a
call centre said they had to read different statements to obtain consent
depending on the location of the individual and the law that applies in that
jurisdiction. Insurance companies also cited differing laws that applied
to the same piece of information.
It is not unimaginable that a situation could even arise where a resident of
Wodonga, Victoria, who visits a medical practitioner in neighbouring Albury,
NSW, would potentially be covered by Commonwealth, Victorian and NSW health
privacy laws. Without national consistency, if the patient had a
privacy-related complaint against the medical practitioner, it's not clear who
they would complain to. Would it be to my Office or to the Victorian or
NSW privacy or health agencies?
To avoid all this confusion, it would be preferable if the Privacy Act were the
single instrument regulating how people's personal information is handled by all
private sector health service providers, to the exclusion of state or territory
legislation. This would not affect the states' ability to regulate their
own public health sectors, although if the states were to enact complementary
legislation for their public sectors, that would be ideal.
Simplify credit provisions
The fourth essential for privacy reform is the repealing of the credit
reporting provisions of the Privacy Act and replacing them with the proposed
unified set of privacy principles, which would operate in tandem with a binding
code for credit reporters and providers.
The credit reporting provisions came into operation in 1991, well before the
introduction of the NPPs and they are quite prescriptive.
As you may be aware, the credit reporting provisions cover the collection of
people's financial information by credit providers and credit reporting
agencies, as well as the use of that information, disclosure, security, data
accuracy, and giving notice.
The provisions are complicated and difficult to understand, and there are
some gaps - some provisions, for example, only apply to credit providers, others
apply only to credit reporting agencies.
We believe that it would be simpler to regulate the credit industry via a
combination of the proposed uniform privacy principles and a binding industry
code.
Credit is a specialised area and the code would allow for extra prescription
given the specific concerns Australians have about the handling of
credit-related data.
Minimal exemptions to the Privacy Act
The fifth essential element of privacy reform is ensuring there are minimal
exemptions to the Privacy Act. This will help to achieve uniformity and
consistent application of privacy legislation. I also believe that where
exemptions exist there should be a clear public interest to support them.
At present, employee records in the public and private sectors are
treated differently, with public sector employee records covered and private
sector records exempt. Arguably, if we have one set of principles then the
consistent application of those principles would be enhanced by the employee
records exemption for the private sector being removed. Employee records should
be treated the same way whether an individual works in the government or
private sector.
With regard to media, the exemption is not a blanket exemption and this
should be clarified. The term used in the Act, 'in the course of
journalism', should be defined and the term, 'media organisation', clarified.
There is currently an exemption from the Act for various defence and
intelligence agencies. We believe this exemption is appropriate.
Other legislation and ministerial directions do impose some privacy-related
requirements on these agencies. However, despite their exemption,
intelligence agencies should still be encouraged to implement good information
handling practices under the guidance and oversight of the Inspector-General of
Intelligence and Security.
In relation to the exemption relating to registered political parties and
political acts and practices, my Office receives very few complaints or
inquiries. We therefore feel that the Privacy Act may currently provide an
appropriate balance. However, if the political exemption is retained, one option
could be to allow political organisations to voluntarily opt-in to coverage by
the Privacy Act.
Another option could be partial coverage of political parties by the NPPs or
the proposed set of unified principles. This would require political
parties to comply with a few key principles, such as openness, access and
correction, and to have some limits placed on their disclosure of personal
information.
At present, many small businesses with a turnover of less than $3 million are
exempt from the Act. If this exemption is retained, we believe it should
be expressed in terms of the ABS definition of 20 employees or less, rather than
annual turnover.
Some industry sectors handle more personal information than others. We
believe small businesses in sectors handling large quantities of personal
information should be brought in under the Privacy Act. Therefore, we propose
that small businesses in the telecommunications sector, such as ISPs, and
childcare centres should have obligations under the Privacy Act.
In addition, all organisations exempt from the Act should be able to choose
to be covered by the Act. Currently, this option only exists for small
businesses.
Of course, whether exempt from the Privacy Act or not, all organisations
should build in good practices when handling personal information.
We see ultimately that the way data is handled will enhance competitiveness
in the marketplace and foster trust amongst customers so it will become
increasingly an important business driver.
Data matching
The sixth privacy law reform essential relates to data matching. As you may
know, much of the data that agencies and organisations bring together from
different sources aims to identify people for further action or investigation.
For example, records from different departments are often compared to
identify people who are being paid benefits to which they are not entitled or
people who are not paying the right amount of tax. Data-matching may pose
a particular threat to personal privacy because it involves analysing
information about large numbers of people without prior cause for suspicion.
Government agencies that undertake data matching by use of the Tax File
Number are currently subject to the requirements of the Data Matching
Program Act and guidelines issued by my Office.
For agencies conducting data matching that does not include Tax File Numbers,
my Office has issued non-binding guidelines. In light of the expanding
technological capacity and ease in conducting widescale data matching, we have
recommended that consideration be given to making the voluntary public sector
data matching guidelines mandatory.
There is no specific data matching regulation for the private sector,
however, any collection, use or disclosure would be regulated by the privacy
principles for those organisations that fall within the Privacy Act's
jurisdiction. As the necessary technology becomes widely available, there
is likely to be significant potential for increased data matching in the private
sector. We have therefore argued that private sector data matching activity
might be best dealt with by allowing my Office to make binding codes.
Biometrics as sensitive information
Biometrics is the seventh privacy law reform essential. Biometric
technologies such as fingerprint or iris scans have the potential to create
major challenges to privacy as they record unique physical human traits for the
purposes of identification or authentication of an individual. The privacy
challenges of biometrics include:
1. The difficulty of re-securing
biometric information once it has been breached. For example, it is
possible to re-issue a credit card number if something goes wrong, but it is
much more difficult to issue a replacement fingerprint.
2. The capacity for covert collection and
monitoring of biometrics. For example, as face recognition
technology enables faces to be identified at a distance from the individual, it
can be undertaken without the person's knowledge.
3. As biometrics allows information to be sourced
from a person's physical or behavioural features, this could reveal more
information than is necessary for a transaction. For example, face scans
may reveal information about a person's emotions, iris recognition and retinal
scans may reveal information about a person's health, and raw biometric
information may include information about a person's race or ethnicity.
My Office suggests that consideration be given to including biometric
information within the definition of 'sensitive information' under the Privacy
Act. The Act currently distinguishes between general personal information
and 'sensitive information'. The only types of personal information that
are deemed to be 'sensitive' under the Act are those relating to a person's
race, political affiliations, religious or philosophical beliefs, trade or union
membership, sexual preference, whether they have a criminal record, and their
health. These types of information are 'sensitive' given that people
rightly consider such details as particularly intimate and they would be
especially concerned if such information was to be made public. By
amending the Privacy Act to include biometric information within the scope of
'sensitive information', this would ensure that it is afforded a higher level of
privacy protection than other forms of personal information.
My Office also proposes that all organisations - including small businesses -
that handle biometric information should be covered by the Privacy Act for the
purposes of how they handle that information. This would require, among other
things, that all organisations would need to provide notice and seek consent to
the collection of biometric information, as well as ensuring that it is handled
securely, is accurate, and is generally only used or disclosed for the purpose
for which it was collected.
Move towards data security breach notification
The final privacy reform essential is one that has been the subject of
discussion in the media in recent months, that of mandatory data security breach
notification.
My Office supports the introduction of compulsory notification of data
security breaches in certain circumstances. We believe that such an
obligation should be proportional to the severity of the impact of the breach.
Mandatory reporting already exists in some forty different U.S. states, and
various other jurisdictions are currently considering breach notification
models, including Canada, the UK, New Zealand and the European Union.
By notifying people when a breach occurs, organisations give them an
opportunity to take any necessary steps to protect their personal information.
Mandatory reporting also provides a strong market incentive to organisations
to adequately secure databases and information repositories to avoid the
potential brand damage arising from negative publicity.
Mandatory reporting laws have made a significant impact on the privacy
landscape in the US. For example, the Massachusetts-based retailer, TJX
Companies, suffered a major data breach over a 17-month span that affected 94
million accounts in Canada, the United States, Puerto Rico, the UK and
Ireland. The full extent of the breach is only now coming to light as
court proceedings against the company continue. Last month, an enquiry by
the Canadian Privacy Commissioner criticised the company for collecting too much
data and using inadequate means of protecting it. The sheer nature and
scale of the breach is of course shocking, but it was thanks to mandatory
reporting disclosure laws that the TJX breach became public.
However, mandatory reporting regulation is still a relatively new and
evolving concept that requires further research. It will be important to
analyse the different breach notification models in order to assess the
appropriate formula for the Australian context.
Key issues that will need to be addressed include:
1. How will the provisions respond effectively to
different levels of security breach? For example, should a technical
failure that involves a momentary and minor 'blip' in the overall security of a
system require the same notification response as a breach involving the
disclosure of a large number of credit card numbers and expiry dates?
After all, organisations and their customers could become desensitised if
notified of every single breach, no matter how small.
2. To whom will agencies or organisations be required
to report? Should there be levels of notification ranging from advising my
Office, to advising affected customers, to making an announcement in a public
forum? Where notification of individual customers is overly costly, should
there be alternative methods of notification available?
The ALRC's view
On 12 September the ALRC released Discussion Paper 72, which sets out the
ALRC's proposals for privacy reform in some detail. The ALRC's final
report and recommendations are due to be submitted to the Attorney-General at
the end of March next year.
The Discussion Paper by and large takes up the majority of the essential
privacy reform elements that my Office has recommended.
For example, the ALRC supports national consistency, where states and
territories would adopt a single set of principles in the Commonwealth Privacy
Act. One of these principles would be anonymity - which the IPPs currently do
not have. The combined set of principles would also offer more explicit
rules covering the handling of sensitive information which, again, the IPPs do
not have. In addition, currently, only private sector organisations have
rules covering the sending of personal information overseas; the new set of
principles would extend these rules to the public sector.
There are various other issues that the ALRC has commented on that are of
interest.
• The ALRC has, for example,
proposed that my Office should have the power to require an agency or
organisation to prepare a privacy impact assessment for a new project or
development where it may have a significant impact on the handling of personal
information. This approach would encourage agencies and organisations to take
responsibility for assessing privacy issues and allow my Office to step in where
this does not occur.
• Another proposal by the
ALRC would see stronger safeguards to reduce the risk of identity theft. My
Office, in its recent survey, found that 9% of Australians claim to have been
victims of identity theft, and 60% are concerned about becoming a victim in the
next 12 months. The ALRC proposes to allow an individual to report to a credit
reporting agency that they have been a victim of identity theft so that this
information is available to any potential credit providers.
• The ALRC has proposed that
there be a separate review of the Telecommunications Act, particularly given
that it deals with aspects of privacy. The ALRC additionally proposes that
telecommunications companies should be prohibited from charging for an unlisted
phone number.
• Another proposal of
interest that has received quite a bit of media coverage is the issue of
comprehensive or 'positive' credit reporting. At present, the Privacy Act only
allows specific information to be listed on a person's credit file that might
detract from the person's credit worthiness, which is sometimes called
'negative' credit reporting. The ALRC has proposed that the type of information
in a credit file be extended to include:
- The type of credit account opened - such as a mortgage, personal loan, or credit card.
- The date on which the credit account was opened.
- The limit of each credit account.
- The date on which each credit account was closed.
It has been suggested that this information would allow credit providers a
better range of factors to take into account when deciding whether to provide a
person with credit, and it may encourage more responsible lending practices and
reduce the cost of credit. It is also suggested this could assist a person who
has defaulted in the past to improve their chances of obtaining credit by
allowing information showing subsequent good financial management.
Conclusion
I've outlined eight areas of reform today and they really amount to a
sensible approach, and indeed they do:
S is for 'one set of principles'
E is for 'minimal exemptions'
N is for 'technology neutrality and notification of breaches'
S is for 'simplification of credit'
I is for 'instructive but not intrusive data matching'
B is for 'sensitive biometrics'
L is for 'leave it principles based'
E is for 'enabling and enhancing'
My Office continues to play a role in the ALRC's review process and we will
be contributing a further submission in response to the ALRC's Discussion Paper
72 which contains 301 proposals and 46 questions.
The review presents a once in a generation opportunity to influence the shape
of privacy law in Australia and I encourage you all to look at our website - www.privacy.gov.au - and that of the ALRC
- www.alrc.gov.au - and to make your
thoughts known.
After all, you or your organisation may in fact disagree with some of the
privacy reform proposals that I have put forward today. And you may have
identified other areas of concern that you believe are not adequately addressed
by privacy law and you feel should be.
Given the impact that any amendments to the Privacy Act may have in coming
years to your organisation, I also encourage you to watch developments closely
and to prepare well in advance for any necessary changes in your organisation's
information handling practices.
We live in interesting times!