1. The Office recognises the importance of ensuring that the Privacy Act remains relevant to new technological developments.
2. It is the view of the Office that the most effective strategy for the protection of privacy in the context of ever developing technologies will be multi-faceted, involving:554
principle-based legislation to regulate the information handling operations of Australian organisations and agencies. Principle-based and technologically neutral legislation would likely provide sufficient regulatory flexibility to accommodate technological change. Guidance material explaining the application of this regulation to new technologies would also be important.
Where specific technologies raise privacy impacts requiring unique regulatory interventions, then these may best be dealt with through binding guidelines (Binding guidelines discussed in response to question 11-4 below, and in Chapter 6).
end user empowerment through education to ensure that individuals are able to make informed privacy decisions when interacting with technology and are capable of managing potentially privacy-invasive technologies such as spyware.
technology solutions harnessing privacy enhancing technologies (PETs) such as anti-spyware; systems that allow pseudonymous transacting; and privacy-friendly identity management systems.555
international agreements between jurisdictions to respond to the international nature of cyberspace and the flow of personal information across regulatory jurisdictions.
3. The Office believes that a technologically-neutral principles-based approach, coupled with provision for the Privacy Commissioner to make specific binding codes where a clearly defined privacy risk emerges, is the best way to deal with the impact of rapidly developing technology on information handling.
4. The Office has commented on technology and privacy issues previously in Chapter 8 of its Private Sector Review. The Office's response to Chapter 11 of IP31 draws on recommendations made in that review including that the:
5. In responding below to question 11-4, the Office notes that the inherent nature of new or emerging technologies can make it problematic to attempt to forecast how they may impact on information handling practices and privacy more broadly. In many cases, even where emerging technologies are anticipated, new uses may be later found for them that were not envisaged during their development.
6. In examining new information technologies, a key recognition is that they will often greatly enhance the speed, efficiency and scope of information flows within and between organisations and agencies, as well as in society generally. New technologies may permit the collection of ever greater amounts of information and make it far easier to copy, manipulate and distribute that information to a large number of recipients.
7. In general though, it is noted that the underlying stages of the information lifecycle may remain the same: that is, information will be collected, stored, used, disclosed, corrected where necessary and, at some stage, destroyed.
8. Accordingly, it can be argued that the broad principle-based approach of the Privacy Act remains relevant to many new technologies. The challenge is to ensure that the manner in which the principles are applied gives appropriate regard to the characteristics of new and emerging technologies. For example, where obligations include tests of 'reasonable measures', the availability and use of different types of technology may influence what is reasonable in a given context.
9. The Office is of the view that the pervasiveness of the electronic medium means that a regulatory framework for the handling of personal information should be underpinned by the assumption that information will be handled in electronic form. This assumption is supported by a study undertaken by the University of California, Berkeley, which indicated that of all the new information produced in 2002, only 0.01 percent was paper based, with the vast majority instead being stored on magnetic media such as hard discs.557
10. IP31 points to a number of areas where individuals' personal information may be collected, used and disclosed in the course of interacting online.
11. The international nature of the internet means that national regulations are not always adequate to protect the privacy of internet users.
12. Education and PET solutions together will be crucial for dealing with the international nature of the internet and for ensuring that individuals are able to exercise appropriate control of their personal information when its handling falls outside of the national jurisdiction of Australian privacy law.
13. The Office also supports Australia's involvement in international forums to coordinate data protection schemes.558
14. Transborder data protection issues are discussed in Chapter 13.
15. Online transactions raise a number of identity management issues that may impact on privacy. Identity management refers to the systems used to identify individuals or, in other words, ways of linking specific information with a particular person. Good identity management will allow identification of an individual only to the extent necessary for the transaction in a way that does not facilitate inappropriate or unnecessary data linkage. Bad identity management will be overly and unnecessarily intrusive to the individual, minimise the individual's control over their personal information and possibly facilitate identity theft.
16. Where transactions are undertaken online, additional identity management issues arise. Some issues may include:
17. Many of the privacy solutions for identity management over the internet are technological solutions where PETs are developed in coordination with multiple jurisdictions.560 The Office supports Australia's participation in such initiatives and their implementation in domestic information handling operations.
18. Education of individuals who use the internet will also be important if individuals are to be proactive in protecting their privacy and managing their identities online. The Office submits that there may be merit in more clearly recognising the importance of this function by including express reference in s 27 of the Privacy Act (possibly in either or both of sub-sections 27(1)(c) and (m)).
19. As outlined in IP31 (paragraph 11.46), biometric technology has the potential to create major challenges to the maintenance of privacy. Biometric technology records unique physical human traits for the purposes of later recognition, identification or authentication of an individual. The unique nature of the information collected by biometric technologies, particularly its indivisibility from the individual, generates a number of risks for privacy including:
20. The privacy risks associated with the use of biometric technology tend to arise from the diminished control an individual may have over the use of their biometric information. Without knowledge that their information has been collected or is being monitored using biometric technology, an individual has little control over the boundaries of their privacy. Similarly, data linking and function creep may significantly reduce individual control over the use of their biometric information.
21. The Office has previously noted561 that another privacy risk from biometric technologies may emerge where information sourced from a person's physical or behavioural features reveals more information than is necessary for a transaction. Some of this may include sensitive information. For example, voice can reveal emotions; the face may reveal information about a person's emotions and health. Iris recognition and retinal scans may also reveal information about a person's health. Most obviously, raw biometric information may include information relating to an individual's race or ethnicity.
22. The Office also notes that the commonly presumed accuracy of biometric technologies may raise other privacy issues, such as where individuals are incorrectly identified (either by technologies returning false positives or false negatives). In many cases, the consequences for an individual of being misidentified can be significant, particularly where an excessive degree of confidence is invested in the presumed infallibility of the technology. Technologies may also fail due to system or human error. The NSW Ombudsman recently found that, between 2000 and 2004, at least 13 criminal cases were affected by DNA samples being associated with the wrong individual.562
23. Furthermore, the capacity for some biometric technologies (including face, voice and gait recognition) to monitor or identify individuals covertly impinges upon the ability of individuals to be anonymous; an important aspect of privacy.
24. At the same time, it should be recognised that biometrics can be implemented in privacy enhancing ways. For example, the Biometrics Institute Privacy Code, approved by the Privacy Commissioner on 27 July 2006, identifies a number of ways that privacy protections can be enhanced for biometric information. Some of these include that biometric information is de-identified where practicable, only stored in encrypted form and stored in a manner not conducive to matching with other personal information.563
25. Further, a biometrics system that merely authenticates (rather than identifies) that an individual has an entitlement or authorisation (whether that entitlement be to goods or services, or is authorised to access a building or computer), but which does not hold any further personal information, can afford individuals with a substantial degree of control over their interactions.
26. The Office notes that there is also potential to reduce the possible privacy risks of biometric technology by implementing such solutions as reducing the interoperability of biometric systems and supporting encryption of biometric information as an industry norm. For example, in its submission to the Office of Access Card Consumer and Privacy Taskforce,564 the Office noted concerns that a centralised biometric database could be linked to closed circuit television (CCTV)-enabled face recognition technology. The Office submitted that, to avoid any risk of mass surveillance, biometrics used in the access card system should be generated in such a way that they cannot be used for other applications. This could be achieved by using encryption software that ensured that comparisons between biometric templates could only be made within the access card system itself (for example, to prevent multiple registrations), and not across different applications.
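As an added illustration of the application-bound comparison described above (this is not the Office's, the access card system's or any vendor's code), the following stores a biometric template only after a transform keyed to one application, so a probe presented under the same key still matches while the same template cannot be compared under another application's key. It uses a keyed random orthogonal projection, a simplified cancelable-biometrics construction, in place of the 'encryption software' the submission mentions; the feature vectors, ACCESS_CARD_KEY and OTHER_APP_KEY are constructed sample values, and a real deployment would use an irreversible transform rather than this linear one.

```python
import hashlib
import hmac
import math
import random

DIM = 16  # length of the constructed feature vectors used below


def _keyed_rng(app_key, label):
    # Derive a deterministic PRNG seed from the application's secret key.
    # Only a party holding app_key can regenerate the same transform.
    seed = hmac.new(app_key, label, hashlib.sha256).digest()
    return random.Random(int.from_bytes(seed, "big"))


def orthogonal_matrix(app_key, dim):
    # Gram-Schmidt over keyed Gaussian vectors gives a random orthonormal
    # basis. An orthogonal transform preserves Euclidean distances, so
    # matching inside one application behaves exactly as on raw features,
    # while templates made under different keys live in unrelated spaces.
    rng = _keyed_rng(app_key, b"template-transform")
    basis = []
    while len(basis) < dim:
        v = [rng.gauss(0.0, 1.0) for _ in range(dim)]
        for b in basis:
            dot = sum(x * y for x, y in zip(v, b))
            v = [x - dot * y for x, y in zip(v, b)]
        norm = math.sqrt(sum(x * x for x in v))
        if norm < 1e-9:  # degenerate draw, try again
            continue
        basis.append([x / norm for x in v])
    return basis


def transform(app_key, features):
    # Map raw features into the application-specific template space.
    q = orthogonal_matrix(app_key, len(features))
    return [sum(r * x for r, x in zip(row, features)) for row in q]


def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def enrol(app_key, raw_features):
    # Only the transformed template is retained; the caller discards the
    # raw features once enrolment is complete.
    return transform(app_key, raw_features)


def verify(app_key, stored_template, probe_features, threshold):
    # Transform the probe under this application's key and compare.
    return distance(stored_template, transform(app_key, probe_features)) <= threshold


# Constructed sample data (not real biometrics): two "people" and a noisy
# re-capture of the first (0.05 per dimension, about 0.2 overall).
PERSON_A = [1.0, 0.2, -0.5, 0.8, 0.1, -1.2, 0.6, 0.3,
            -0.7, 0.9, 0.4, -0.3, 1.1, -0.8, 0.5, 0.2]
PERSON_A_RECAPTURE = [x + 0.05 * ((-1) ** i) for i, x in enumerate(PERSON_A)]
PERSON_B = [-0.9, 0.6, 0.7, -0.4, 1.0, 0.3, -1.1, 0.8,
            0.2, -0.6, -0.5, 1.2, -0.2, 0.4, -1.0, 0.9]

ACCESS_CARD_KEY = b"access-card-system-secret"    # hypothetical key
OTHER_APP_KEY = b"some-other-application-secret"  # hypothetical key
THRESHOLD = 0.5


def demo():
    template = enrol(ACCESS_CARD_KEY, PERSON_A)
    return {
        # genuine user, same application: accepted
        "genuine_same_app": verify(ACCESS_CARD_KEY, template,
                                   PERSON_A_RECAPTURE, THRESHOLD),
        # different person, same application: rejected
        "impostor_same_app": verify(ACCESS_CARD_KEY, template,
                                    PERSON_B, THRESHOLD),
        # the card system's template is useless under another application's key
        "genuine_other_app": verify(OTHER_APP_KEY, template,
                                    PERSON_A_RECAPTURE, THRESHOLD),
    }


if __name__ == "__main__":
    print(demo())
```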
27. The Office submits that there are also several ways that biometric information can be afforded better protection under the Privacy Act.
28. Firstly, consideration could be given to including biometric information within the definition of 'sensitive information' under s 6 of the Privacy Act. Such an amendment would ensure that it is afforded a higher level of privacy protection than other forms of personal information, including the general requirement that consent is obtained for its collection (see NPP 10). By including biometric information under the definition of sensitive information, the Privacy Act would enhance the level of individual control over their biometric information (see response to question 11-3(c) below).
29. Care would be required to ensure that a distinction is drawn between 'raw' biometric information (such as a photograph of someone) and information that is collected expressly for the purpose of generating a digital representation that would identify an individual.
30. Secondly, all organisations (including small businesses) that handle biometric information should be covered by the Privacy Act for the purposes of how they handle that information. This would require, among other things, that all organisations provide notice and seek consent for the collection of biometric information, as well as ensuring that it is handled securely, is accurate, and is generally only used or disclosed for the purpose for which it was collected. (For further information see response to question 11-2(b) below.)
31. Finally, for the purposes of NPP 7, or the equivalent in a single set of principles, the meaning of 'identifier' should be clarified to include government issued biometric identifiers. (See response to question 11-3, Chapter 3 and Chapter 12.)
32. Technological advances in the area of data mining and data matching continue to enhance capacity for the analysis and synthesis of large amounts of information.
33. Two aspects of new technologies are the capacity to link disparate sources of personal information to profile individuals (including where collected in different contexts and for different purposes), as well as the ability to link datasets of previously anonymous information to re-identify the individual to whom they relate. These characteristics lead to a form of 'identity creep' whereby richer representations of an individual can be obtained than has previously been the case.
34. Aggregation of personal information almost always means shifting information to a different context. Some of the greatest risks to privacy can occur when personal information is taken out of context.565 For example, a person might have appeared in court but been acquitted. When taken out of context of the full outcome of the proceedings, a small excerpt of the court record may suggest that the person had committed a crime, or at the least that they had engaged in behaviour that may bring their character into disrepute.
35. The Office notes in this regard a case reported in the New York Times in August 2006 whereby the internet service provider, AOL, released the 20 million internet search queries from 600 thousand individuals.566 In this case, search histories were released in anonymous form, though linked by an identifier. By examining individual search histories, journalists were able to deduce the identity related to some of the histories, effectively re-identifying the data and potentially revealing other information (whether accurate or not) about the person.
36. Data matching and mining may reduce the ability of individuals to maintain different legitimate identities in different contexts. The different identities an individual operates under may include professional identity, a community identity, a personal identity, a citizen identity and so on. In each case, it is only necessary for an organisation or agency to know personal information about the individual that is necessary for the context in which they interact.
37. Regulation of data matching using the Tax File Number (TFN) currently resides in the Data Matching Program (Assistance and Taxation) Act 1990 (Cth) and Guidelines made by the Privacy Commissioner. This regulation is limited to the Australian Government public sector. The adequacy of existing arrangements for regulating the TFN is discussed in Chapter 12.
38. In addition, the Privacy Commissioner has made non-binding guidelines for agencies conducting data matching that does not include the TFN.
39. In light of the expanding capacity to conduct widescale data manipulation in timely and cost-effective ways, the Office recommends that consideration be given to making the voluntary public sector data matching guidelines mandatory. In making the guidelines enforceable, the Office notes that they may require reviewing to bring them in line with current practices and new technologies.
40. There is no specific data matching regulation for the private sector; however, any collection, use or disclosure would be regulated by the NPPs for those organisations that fall within jurisdiction. The Office submits that, because of the increasing privacy risks posed by data matching or similar activities, there may be merit in affording additional regulatory measures in addition to the NPPs. In particular, the degree to which organisations could rely on exceptions under NPP 2 to conduct data matching, linking and mining is unclear.
41. For example, it is arguable that NPP 2 may permit uses or disclosures of personal information for data matching or mining where the purpose is related to the primary purpose and within the individual's reasonable expectations. In this regard, it should be noted that while individuals may reasonably expect such a practice to occur, they may still be uncomfortable with it and may not consent if asked. Further, individuals could be asked to consent to data matching as part of 'consent' arrangements established by organisations. However, this could lead to complex consent arrangements, and the Office has previously expressed its concerns around the practice of bundled consent, including that it may diminish an individual's freedom of choice by asking individuals to consent to a number of unrelated, potentially intrusive, information handling practices as a condition of receiving a service.567
42. The Office acknowledges that, as the necessary technology becomes widely available, there is likely to be significant potential for increased data matching in the private sector. In the Office's view, private sector data matching activity might be an area best dealt with under a binding code making power for the Privacy Commissioner (See response to question 11-4 below for further information. See also the response to question 6-20 in Chapter 6).
43. Data matching is also addressed in Chapter 7 under question 7-6(h).
44. The Office observes that convergent technologies such as voice over internet protocol (VoIP) and electronic number mapping (ENUM) can have impacts on privacy. These impacts are described in IP31 at paragraphs 11.25 to 11.28 and at paragraph 11.105.
45. The Office notes that frequently privacy risks arise due to convergent technologies falling outside of existing regulatory frameworks. For example, VoIP services are usually classified as carriage service providers for the purposes of the Telecommunications Act 1997 and are therefore covered by Part 13 of that Act. However, as noted in IP31 at paragraph 11.28, if Australians access VoIP services outside Australia, Australian regulation may not apply.
46. Other privacy-related issues such as calling number display may arise due to VoIP and other technologies falling outside the jurisdiction of industry codes which place restrictions on the display of calling numbers.568 The Office understands that there are some circumstances where VoIP cannot block call number display when calls are relayed between users of the same network. Another issue relates to the compilation of VoIP and ENUM directories (such as the 'Who Is' database) which may not allow for user control over whether their information is included or how it is searched.
47. The Office would welcome further consideration of these issues and reiterates its recommendation that the Australian Government initiate discussions through appropriate international forums about how to deal with the major jurisdictional issues arising from the global reach of technologies such as VoIP.569
48. The Office also considers that it would be useful for collaboration between the telecommunications and internet sectors to identify and manage gaps in privacy protection that arise in relation to convergent technologies.
49. A characteristic of certain new technologies is that they can be harnessed by individuals in a manner that impinges upon others' privacy. The internet alone allows for the wide circulation of information by an individual with little recourse for another individual impacted by the public circulation of that information.
50. As technologies become more widely available and inexpensive, they will become increasingly accessible to individuals acting in a personal capacity. Camera phones, recording devices and spyware, for instance, can be employed by individuals to create major impacts on the privacy of others. When coupled with the mass circulatory powers of the internet, information collected by these technologies can do enormous harm to privacy.
51. Currently the Privacy Act does not cover the acts or practices of individuals relating to their personal, family or household affairs.
52. While acknowledging the increasing capacity for individuals to harness technology for personal use in ways that may have significant impacts on the privacy of others, the Office believes the Privacy Act is not the right instrument for regulating acts and practices of individuals relating to their personal, family or household affairs.570
53. The Office believes that the Privacy Act has been specifically tailored to regulate agencies and organisations and as such is ill-suited to the regulation of individuals in their personal capacity. For instance, it would be difficult and undesirable to require individuals to give notice or seek consent for collection of personal information. Also, applying data quality and data security principles to an individual's address book could be inappropriate. Moreover, such obligations would be difficult, and in some cases impossible, to enforce.
54. However, the Office notes that a tort of privacy may go some way to providing individuals with an avenue for redress in the event that their privacy was interfered with by an individual acting in a personal capacity. (The possible development of a tort of privacy is discussed in Chapter 1 in the response to question 1-2.)
55. As recommended in the Office's Private Sector Review, the Office would support the making of regulations under section 6E of the Privacy Act to ensure that the Privacy Act applies to all small businesses in the telecommunications sector including Internet Service Providers (ISPs) and Public Number Directory Producers (PNDPs).
56. Both PNDPs and ISPs handle large amounts of personal information. PNDPs are authorised under the Telecommunications Act to access the Integrated Public Number Database which contains all listed and unlisted telephone numbers as well as corresponding names and addresses. ISPs generally have access to username, password, billing details, online purchase information, 'surfing' habits, websites visited and email content of their customers.571
57. In the Office's Private Sector Review, the Office found that approximately 25 percent of ISPs would be likely to fall under the small business exemption to the Privacy Act. Furthermore, in the 2005-06 financial year, of the complaints made to the Office concerning the telecommunications sector, 10 to 15 percent concerned ISPs.
58. Toll roads, often operated under state public and private sector partnerships, now involve the collection of large amounts of personal information due to use of e-tags and radio frequency identification (RFID) technology. This information may include billing and address details, vehicle information, and records of movement and location of vehicles.
59. Under section 7B of the Privacy Act, organisations acting under state contract are exempt from the Privacy Act. The Office would support an amendment to the Privacy Act in order to remove this exemption for private sector toll road operators, to the extent that they are not covered by privacy regulation established by the relevant state or territory Parliament. This would ensure, firstly, that all toll road operators in partnerships with state or territory governments were covered by privacy regulation. Secondly, removal of this exemption may enhance the national consistency of privacy regulation for toll road operators and therefore facilitate their operations across state borders.
60. The application of the Privacy Act to state and territory government contractors is also discussed in Chapters 5 and 7.
61. The Office would support the coverage by the Privacy Act of all organisations which handle biometric information.
62. As discussed in IP31 (paragraph 11.46) and in the response to question 11-1, misuse of biometric information may have significant consequences for individuals. In order that privacy protection is proportionate to the sensitivity of this information, the Office believes that small businesses which handle biometric personal information should be covered by the Privacy Act.
63. Exemptions are discussed further in Chapter 5.
64. Currently the definition of identifier in the Privacy Act is prescribed in NPP 7 in the following terms:
includes a number assigned by an organisation to an individual to identify uniquely the individual for the purposes of the organisation's operations. However, an individual's name or ABN [...] is not an identifier.572
As IP31 points out, this definition does not describe what an identifier is, only what it includes.
65. The Office believes that NPP 7 should cover Australian Government issued biometric identifiers. An example of an Australian Government issued biometric identifier is likely to include the new e-passport, which contains a digital photograph of the individual and can be used in conjunction with a face recognition technology to identify individuals passing into Australia. The Australian Government has also announced that the proposed health and human services access card will record biometric photographs of cardholders.
66. As discussed above in the response to question 11-1, the sensitivity of biometric information warrants strict protections. In the Office's view, an identifier derived from biometric information can be assigned to an individual by an agency to uniquely identify the individual in the same way as a unique number, and should therefore receive the same protections.
67. The Office takes the view that, as it stands, the definition of identifier would likely cover biometric identifiers but should be clarified to remove any doubt. Currently the definition only specifically excludes an individual's name or ABN from the meaning of identifier and therefore allows that other unspecified identifiers may be included within the definition such as biometric identifiers.
68. A clarification of the definition may involve amending the wording to take into account that an identifier may not only be a number. While biometric templates may be stored, analysed and encrypted in a numbered form, a digital photograph or signature (readable by biometric technologies) might colloquially be understood to be an image rather than a number, yet may be equally effective as a unique identifier. As noted in IP31, the Victorian Information Privacy Act 2000 defines 'unique identifier' as
'an identifier (usually a number) assigned by an organisation to an individual uniquely to identify that individual for the purposes of the operations of the organisation [...]' 573
69. This definition suggests that an identifier is usually but not always a number. In the Ontario Freedom of Information and Protection of Privacy Act 1990, the definition of personal information includes
'any identifiable number, symbol or other particular assigned to the individual.'574
70. This form of definition may be useful for the drafting of a definition for identifier where an identifier is defined as 'a number, symbol or other particular assigned to an individual to identify uniquely the individual for the purposes of the organisation's operations.'
71. In addition, the Office discusses in Chapter 12 whether further consideration should be given to regulating how organisations may use state and territory identifiers. Any discussion of this issue may usefully extend to state and territory biometric identifiers.
72. See also Chapter 3, Chapter 12 and the response to questions 4-26 to 4-28 in Chapter 4.
73. IP31 seeks views on whether the Privacy Act should be amended to require the logging of uses and disclosures by agencies and organisations for purposes other than the primary purpose of collection (that is, for 'secondary purposes'). (See also Chapter 4, question 4-10.)
74. In its response to question 4-10 in Chapter 4, the Office explores the idea of logging of disclosures in further detail.
75. The Office notes, however, that a technological angle of this issue is the suggestion that disclosures be logged when information is disclosed in an electronic format. As is noted elsewhere in this chapter, electronic records have different properties to paper records and therefore different and sometimes greater implications for privacy. Accordingly, it could be argued that the disclosure of electronic records should have greater oversight mechanisms placed on it.
76. While the Office sees merit in this idea, the Office would encourage a technologically neutral approach. One such approach might be to add a 'where practicable' test to a logging requirement. The Office considers that this would capture electronic records, as it is likely to be 'practicable' to set up an automated logging system for electronic disclosures.
77. However, the Office notes that there are further concerns related to the logging of disclosures, and these are discussed in Chapter 4 in the response to question 4-10.
78. Both the IPPs and NPPs give individuals a general right to access information held about them.
79. IP31 notes that with advances in technology, personal information may be stored in a form that is difficult to decipher or understand, such as in binary or hexadecimal form. IP31 suggests that an option for amendment might be to specify that when access to personal information is requested, the personal information be communicated to the individual in 'intelligible form'.575
80. The Office believes that a change which allowed for information to be presented in a comprehensible form would enhance individuals' access rights. The Office notes however that there will be occasions where it may be extremely difficult for information to be presented in an intelligible form. As with the example of biometric information, it may be the case that the only information held by the organisation is a biometric template of the individual which exists as a set of numbers and cannot be converted into an image or more meaningful product. Indeed, the Biometrics Institute privacy code requires that 'biometric information is encrypted immediately after collection, that the original biometric information is destroyed after encryption and that biometric information is stored only in encrypted form.'576 The Office recognises that such measures may often be privacy enhancing, as they limit the extent to which 'raw' biometric information from multiple sources could be linked and combined.
81. For this reason, the Office believes that personal information should be made accessible in an intelligible form where practicable. Where it is impracticable for the information to be presented in an intelligible form, an individual should have access to information explaining for instance that the organisation holds a template of one of his or her biometrics and what that template refers to (for example, the face or left index finger).
82. Both the IPPs and NPPs contain principles that set standards for the accuracy and currency of personal information held by agencies and organisations.
83. IP31 notes that it may be unclear whether the existing privacy principles provide adequate protections to ensure that the technologies employed by agencies and organisations ensure accurate and reliable processing of personal information.
84. The Office is of the opinion that the Privacy Act contains adequate coverage of data accuracy issues under the data quality principles of the IPPs and NPPs. Personal information collected, used or disclosed about an individual is protected by the data quality principles in the Privacy Act regardless of whether the are retained in paper-based or electronic form. Significantly, the 'reasonable steps' prescribed in IPP 8 and NPP 3 provides scope to require more or less rigorous oversight of accuracy depending on the circumstances at hand. In some circumstances, such as where sensitive information is held on large numbers of people, the type of technology employed in handling the information may have an influence on determining whether an agency or organisation has taken reasonable steps to ensure data quality.
85. A further issue raised by IP31 at paragraph 11.138 is whether, where decisions about an individual are made on the basis of automated or electronic processes, individuals should have the right to request human checking of the results. An example of this procedure already in operation is the SmartGate system, which refers individuals to an airport officer in the event that the automated passport processing terminal declines the verification request.
86. The Office supports a requirement for agencies and organisations to have in place adequate review mechanisms for automated decisions, especially where those decisions may have an adverse effect on the individual. Currently, individuals are offered some protections through data quality and access and correction principles. However, the Office would support the clarification of the privacy principles to ensure that review mechanisms for automated decisions are a requirement under the Privacy Act.
87. The Office notes that sometimes review mechanisms will involve the human checking of automated decisions but believes that there may be occasions where a review of a decision will include further automated processes or a combination of human and automated processes. The Office takes the view that, in the interests of technological neutrality, it will be important for the Privacy Act both to support fair and reasonable review mechanisms and to allow for technological development which enables effective review via automated systems.
88. Technology has impacted upon individuals' ability to interact anonymously with agencies and organisations. When using the internet, for example, an individual's anonymity may be curtailed by the 'digital footsteps' they leave behind. Voice recognition technology may limit an individual's ability to make enquiries anonymously with an organisation.
89. IP31 notes that organisations that implement systems which do not enable anonymous transacting with individuals generally will not be required to comply with NPP 8 because it would not be 'practicable' to alter such a system to allow for anonymity (IP31 paragraph 11.135).
90. IP31 suggests that NPP 8 could be amended to require organisations to design systems that will comply with the anonymity principle or provide individuals with the opportunity of transacting 'pseudonymously' if anonymity is impractical or unlawful.
91. The Office supports individuals having the option to interact anonymously. Accordingly, organisations should be encouraged to design systems that allow for anonymity, where this is lawful and practicable. The Office welcomes further consideration of the issue.
92. The anonymity principle may be further strengthened by making anonymity the first principle rather than the eighth, so that the principles embody the idea that the lifecycle of information begins before collection, when organisations and agencies should consider the fundamental question of whether they need to collect personal information at all (For further discussion of this issue see Chapter 4, questions 4-29 and 4-30).
93. The anonymity principle could also be changed to clarify that where an individual has an existing relationship with an organisation, that individual is still entitled to transact anonymously with that organisation where lawful or practicable (For further discussion of this issue see Chapter 4, questions 4-29 and 4-30).
94. The Office notes that technology allows ever greater amounts of information to be produced and stored in far more cost effective ways than has traditionally been the case with cumbersome and voluminous paper archives.
95. The growing sophistication of data matching and mining technologies has enhanced the ability to make use of large amounts of data, which in turn may create pressures for organisations and agencies to find further value in adding secondary uses for personal information.
96. Currently only the NPPs specify that an organisation must destroy or permanently de-identify personal information when no longer needed.
97. The Office would support the inclusion of a data destruction provision in a single set of privacy principles. The Office recognises that in the case of government agencies, for public accountability purposes, data destruction provisions must necessarily accord with the National Archives Act and other applicable laws to allow for instances where agencies are legally obligated to retain information.
98. The Office also sees value in the development of guidance material to assist agencies and organisations in understanding obligations to destroy or permanently delete personal information.
99. Currently, both sets of principles require that collection be necessary for a purpose, though both leave open the degree to which the purpose itself is legitimate. This is noted in IP31 at paragraph 11.126, where it is pointed out that neither set of principles requires the legitimacy of the collection of personal information to be determined objectively. Generally, this is less problematic in the case of agencies, which have purposes defined in their enabling law.
100. The legitimacy of collection might be strengthened by the introduction of a 'reasonable person test' to the collection principle, as applied in the Alberta Personal Information Protection Act, S.A. 2003. In this way the collection principle might specify that an organisation may only collect personal information for purposes that are reasonable, where 'reasonable' means 'what a reasonable person would consider appropriate under the circumstances'.577 Such a measure may reduce the degree to which organisations employ advanced technologies to collect personal information for functions that may not ordinarily be considered legitimate when approached objectively.
101. IP31 seeks views on whether agencies or organisations that use certain technologies to collect personal information should be required to comply with any additional notice requirements. For example, should agencies or organisations using RFID technology be required to inform individuals how to remove or deactivate an RFID tag? Another question is whether agencies or organisations using biometric systems should be required to inform individuals of error rates, and of the steps that can be taken by an individual wishing to challenge the system's results.
102. The Office sees value in educating individuals about new technologies and how they can take steps to protect their privacy when interacting with them. Such an educative function could be usefully prescribed in s 27 of the Privacy Act.
103. The Office notes that technology specific notices may enhance individuals' control over their personal information. However, the Office takes the view that the principles in the Privacy Act are not the appropriate instrument for implementing new technology-specific notice requirements for agencies and organisations. Technology-specific notice requirements are likely to be prescriptive and therefore at odds with the concept of principles-based law. Furthermore, added notice requirements for certain technologies may not accord with the technological neutrality of the Privacy Act.
104. If a future compelling public interest is identified in responding to privacy issues raised by specific technologies, such as RFID, then notice requirements for new technologies may be best dealt with by technologically-specific binding guidelines and industry codes (see response to question 11-4 below).
105. IP31 raises the issue of collection without consent or knowledge in a number of contexts including: smartcards (paragraph 11.34), biometrics (paragraph 11.46) and RFID (paragraph 11.63). The principles-based approach of the Privacy Act requires notice to be given when personal information is collected: NPP 1.3 requires that notice be given (and NPP 10 requires consent for the collection of sensitive information) and, similarly, IPP 2 requires that notice be provided.
106. The Office notes the privacy concerns raised in IP31 (paragraphs 11.32 to 11.34) around the use of smartcard technology. The Office submits that the Privacy Act as it stands will offer some protections to individuals who participate in smartcard systems but emphasises that privacy protection will be most effective when it is built into system design. In particular, smartcard systems should:
107. The Office believes that there is value in agencies and organisations doing Privacy Impact Assessments (PIAs) when developing smartcard systems to ensure that these aspects of design are built in.
108. In Chapter 6 of this submission, the Office recommends the introduction of a statutory requirement that public sector agencies undertake PIAs for new projects and/or legislation that may impact on privacy. For further information see the Office's response to questions 6-6 and 6-7.
109. The Office refers the ALRC to two of the Office's submissions which discuss the privacy impacts of smartcard technology in more detail:
110. Collection and use of biometric information is discussed in the response to questions 11-1 and 11-3 (c) below.
111. RFID tags may help businesses improve the way they manage the supply of their products and so save consumers money. But they also have equal potential to invade personal privacy if deployed wrongly.
112. The Office submits that all the basic principles of privacy law should be adopted when designing, implementing and using RFID technology. In summary, the Office believes that:
113. The Office would welcome further consideration of the privacy impacts of RFID technology by the ALRC.
114. An area that may require added protections is CCTV, especially where it is combined with face recognition technology. In its submission to the Office of Access Card Consumer and Privacy Taskforce,580 the Office noted privacy risks of potential future interaction between a possible central database of facial biometrics and CCTV. The Office believes that such risks should also be considered in the context of the momentum that has emerged favouring greater use of CCTV and greater standardisation in its application and technology.581
115. The concern here is that CCTV networks may be used to deploy face-recognition technology in 'face in a crowd' applications, whereby the faces of large groups of people are scanned and compared to databases. Such applications can be highly privacy-invasive due to their capacity to operate at some distance from the individual. Potentially, an individual's face can be scanned and compared against the database without their consent, or even knowledge. It is reported that law enforcement authorities in Victoria are proposing to take advantage of this application in relation to driver's licence photographs.582 The Office also notes initiatives being conducted overseas linking centralised databases of face biometrics to street CCTV cameras.583
116. Such technologies may permit the personal information of large numbers of individuals who are not the subject of investigation and about whom there is no cause for suspicion, to be collected indiscriminately and without their knowledge. Such an outcome sits uncomfortably with the notion of necessary collection. Where there is a compelling public interest in such measures being undertaken, there will often be merit in them being accompanied by specific privacy protections and oversight arrangements.
117. Optical surveillance should also only be pursued where necessary to achieve a clear objective and where such measures constitute a proportional response to a defined threat or problem. In general, the Office suggests that such measures be pursued only where they have been subject to scrutiny from a parliament.
118. The Office does not believe that consent should be required for collection of personal information via certain technologies, as this would compromise the technological neutrality of the Privacy Act. It is likely that, considering the speed of technological change, consent provisions for particular collection technologies would quickly become outdated and superseded by new technologies (For further information on technological neutrality, see the Office's response to question 11-4, below).
119. A way of adding greater privacy protections through consent provisions may be to increase protections for particular types of information rather than particular types of technology. For example, as noted in our response to question 11-3 (c) below, biometric information might be included in the definition of sensitive information and in this way achieve added consent requirements.
120. Biometric information has a number of specific attributes which set it apart from other forms of personal information in terms of its sensitivity to the individual. These attributes are outlined above in the response to question 11-1.
121. For this reason, the Office supports a change to the Privacy Act to allow for the inclusion of biometric information in the definition of sensitive information. Sensitive information has added protections under the Privacy Act. For example, organisations generally require consent to collect sensitive information. There are also restrictions in the Privacy Act on the use and disclosure of sensitive information by organisations.
122. Where sensitive information provisions in the Privacy Act are extended to cover biometric information, it will be important to clarify what form of biometric information is classified as sensitive information.
123. The Office notes a general distinction between a biometric sample and a biometric template. A biometric sample may be a fingerprint, photograph, signature, iris scan and so on. Biometric technology allows for a biometric sample to be analysed and converted into a biometric template which, when combined with an algorithm, can be used to re-identify the biometric sample. There are a small number of biometric systems, such as voice recognition, which can operate without using templates.
124. The Office believes that all biometric template information should be covered by the stricter provisions in the Privacy Act for sensitive information. However, it may be impractical and undesirable for all biometric samples to be included under the definition of sensitive information, especially where there is no intention to use the sample for biometric matching or identification. For example, it would be difficult and overly burdensome to require consent every time a photograph of a person (technically a biometric sample) is taken.
125. The Office takes the view that sensitive information provisions should only apply to: (a) biometric samples collected for the purpose of biometric matching or biometric identification; and (b) biometric template information.
126. The Office notes however that biometric samples - if they were to fall outside this definition of sensitive information - may still be covered by the Privacy Act as personal information and therefore achieve legislative protections. Furthermore, as noted in IP31 (at paragraph 11.46) there may be instances where a biometric sample reveals sensitive information about an individual, such as health information, and will thus be defined as sensitive information under the Privacy Act.584
127. The Office generally supports consideration of the addition of provisions to the Privacy Act to require agencies and organisations to advise affected individuals of a breach affecting their personal information in certain circumstances. Notification in a timely manner would enable individuals to take any necessary steps to protect their personal information.
128. Such a change to the Privacy Act to require the reporting of information security breaches would provide a strong market incentive to organisations to adequately secure databases and information repositories to avoid the potential brand damage arising from negative publicity.
129. However, the Office notes that 'mandatory reporting' legislation remains a new and evolving concept that requires further research. Different jurisdictions around the world have enacted such laws to different effect. It will be important to analyse these different approaches in order to assess the appropriate formation of mandatory reporting provisions for the Australian context.
130. California was the first of many states in the US to enact security breach notification laws. The California Law on Notice of Security Breach was enacted in 2002 to deal with the growing problem of identity theft in the US.585 It specifically covers unauthorised acquisition of computerised data that compromises the security, confidentiality or integrity of personal information.586 The legislation takes a prescriptive approach specifying the exact type of information that triggers a notice requirement when breached.587 The law is also restricted to coverage of 'computerised data' therefore operating in a technologically-specific context.
131. The key features of the Californian legislation - its technological specificity and the prescriptive nature of its provisions - place it at odds with the intention and principles-based format of the Privacy Act. Moreover, it is important to note that in California (and other US states) mandatory notification laws exist in the absence of comprehensive privacy legislation. The differing circumstances in Australia will influence the shape of mandatory notification of security breach provisions for the Privacy Act.
132. Canada is exploring options for the introduction of security breach notification law. In January 2007 the Canadian Internet Policy and Public Interest Clinic released a 'White Paper' on 'Approaches to Security Breach Notification'.588
133. The EU has also proposed notification of security breach provisions. In its 2006 'Review of the EU Regulatory Framework for electronic communications networks and services', the Commission of the European Communities recommended that providers of electronic communications networks and services be required to: 'notify the national regulatory authority of any breach of security that led to the loss of personal data' (with the regulator having the discretion to inform the public if they considered it in the public interest) and 'notify their customers of any breach leading to the loss, modification or destruction of, or unauthorised access to, personal customer data.'589
134. When considering options for the introduction to the Privacy Act of provisions to mandate the reporting of security breaches, some key issues will need to be addressed including:
135. The Office believes that the Privacy Act should continue to be technologically neutral. In the context of rapid technological change, it is extremely difficult to envisage how technology will evolve (or even what new technologies may arrive) in the future. It would therefore be extremely difficult to respond effectively to a large field of specific technologies with statute based law.
136. In general, submissions to the Office's private sector provisions review supported the idea of maintaining the technological neutrality of the Privacy Act.591
137. However, some hold the view that the push for 'technological neutrality' is a useful excuse for avoiding confrontation with the major privacy challenges that have arisen from new technologies.592 The Office believes that technological neutrality should not come at the cost of having a Privacy Act that is technologically 'out of touch' or irrelevant.
138. The Office believes that whilst being technologically neutral, the Privacy Act should also be technologically relevant. As outlined throughout this chapter, there are a number of ways that the Privacy Act may be amended to better deal with new information handling conditions engendered by technological change.
139. The Office sees merit in maintaining a broad principle based approach to privacy regulation, albeit subject to refinement, as the most effective way to deal with rapidly evolving technology.
140. To accommodate particular technologies that create privacy risks which fall outside the scope of privacy legislation, the Privacy Act should provide for the Commissioner to make binding codes that go to certain acts or practices or certain technologies (as per the Section 135AA and TFN guidelines for example). This would facilitate timely responses to new technologically specific privacy issues.
141. Expanding the Privacy Commissioner's powers to include the making of binding codes is discussed further in chapter 6 in the response to question 6-20.
142. 'Public space' on the internet creates a new set of conditions for the management and protection of personal information in comparison to equivalent public spaces in real space.
143. The Office recognises that paper and electronic records have different implications for individual privacy. It would be reductive to view electronic records and paper records as essentially the same thing. (See IP31 paragraphs 11.102 to 11.103)
144. Paper records, while they may be publicly available, are generally protected from wide consumption by their localised storage. This means that members of the public must attend a particular library or courthouse to access public records. In this way, the records attain a degree of 'practical obscurity' and de facto privacy protection.
145. Electronic records, on the other hand, can be searched comprehensively and quickly without prior knowledge of the existence of information. Data from electronic records can be retrieved, matched and aggregated with relative ease. When publicly available information is aggregated from a number of different sources it makes it possible to draw inferences about matters that an individual may prefer to keep private.593 Electronic records can be broadly disseminated via the internet and once downloaded by other internet users, they can be difficult to retrieve or correct.
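The matching and aggregation risk described in the preceding paragraph can be shown concretely. The following is an added illustration, not part of the Office's submission: it links a constructed de-identified release (no names, but postcode, birth year and sex retained) against a constructed public listing that does carry names, using those shared quasi-identifiers. All records are invented for the example. Where the quasi-identifier combination maps to exactly one person in the public listing, the de-identified row is re-attached to a name; the same code also computes the smallest equivalence class size (k) and shows how coarsening the quasi-identifiers raises it.

```python
"""Record linkage on quasi-identifiers (added example; constructed data only)."""
from collections import defaultdict

# The attributes both datasets share; names are absent from the first dataset.
QUASI_IDS = ("postcode", "birth_year", "sex")

# Constructed sample: a de-identified release (e.g. a research extract).
DEIDENTIFIED = [
    {"postcode": "2600", "birth_year": 1975, "sex": "F", "condition": "asthma"},
    {"postcode": "2600", "birth_year": 1975, "sex": "F", "condition": "diabetes"},
    {"postcode": "2601", "birth_year": 1976, "sex": "M", "condition": "hypertension"},
    {"postcode": "3000", "birth_year": 1990, "sex": "M", "condition": "none"},
    {"postcode": "3001", "birth_year": 1993, "sex": "F", "condition": "none"},
]

# Constructed sample: a publicly available listing that carries names.
PUBLIC = [
    {"name": "A. Example", "postcode": "2600", "birth_year": 1975, "sex": "F"},
    {"name": "B. Example", "postcode": "2600", "birth_year": 1975, "sex": "F"},
    {"name": "C. Example", "postcode": "2601", "birth_year": 1976, "sex": "M"},
    {"name": "D. Example", "postcode": "3000", "birth_year": 1991, "sex": "M"},
]


def key(rec):
    """The quasi-identifier tuple used as the join key."""
    return tuple(rec[q] for q in QUASI_IDS)


def index_by_quasi_ids(records):
    """Group records into equivalence classes sharing the same quasi-identifiers."""
    idx = defaultdict(list)
    for r in records:
        idx[key(r)].append(r)
    return idx


def link(deidentified, public):
    """For each de-identified row, list the names in the public listing with the
    same quasi-identifiers. One candidate means the row is re-identified."""
    pub = index_by_quasi_ids(public)
    return [
        {"condition": rec["condition"],
         "candidates": [m["name"] for m in pub.get(key(rec), [])]}
        for rec in deidentified
    ]


def reidentified(links):
    """Rows whose quasi-identifiers point at exactly one named person."""
    return [l for l in links if len(l["candidates"]) == 1]


def k_anonymity(records):
    """Size of the smallest equivalence class: every row is hidden among at
    least k rows with identical quasi-identifiers."""
    return min(len(group) for group in index_by_quasi_ids(records).values())


def generalise(records):
    """Coarsen quasi-identifiers: 2-digit postcode prefix, birth decade,
    sex suppressed. Larger classes, less linkable."""
    out = []
    for r in records:
        g = dict(r)
        g["postcode"] = r["postcode"][:2]
        g["birth_year"] = (r["birth_year"] // 10) * 10
        g["sex"] = "*"
        out.append(g)
    return out


if __name__ == "__main__":
    for hit in reidentified(link(DEIDENTIFIED, PUBLIC)):
        print("re-identified:", hit["candidates"][0], "->", hit["condition"])
    print("k before generalisation:", k_anonymity(DEIDENTIFIED))
    print("k after generalisation:", k_anonymity(generalise(DEIDENTIFIED)))
```

Two of the de-identified rows share their quasi-identifiers with two named people and so remain ambiguous, and the Melbourne rows have no exact match, but the single 2601/1976/M row is tied to one name and its health condition is exposed. The release has k = 1; coarsening the quasi-identifiers before publication lifts it to k = 2 on this data, which is the kind of step a publishing agency would take before putting records online.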
146. The new conditions under which public records may now be disseminated create challenges for the maintenance of privacy.
147. The electronic publication of court records in particular may
148. Currently courts are partly covered by the Privacy Act. Generally speaking a 'federal court' is an 'agency' and under the Privacy Act, Commonwealth agencies must comply with the Information Privacy Principles or 'IPPs'.
149. However, under s 7(1)(b) of the Privacy Act, an act or practice of a federal court is subject to the IPPs only if it is 'in respect of a matter of an administrative nature'. Therefore, the Court is subject to the Privacy Act only in limited circumstances.
150. Generally the information-handling acts or practices of a federal court that are covered by the IPPs are those which relate to the management or organisation of the court and its staff. This might involve, for example, the collection of personal information regarding court staff, their remuneration and other employment matters.
151. In general terms, the acts and practices of the Court, in respect of personal information collected either directly or incidentally in the course of the exercise of the Court's judicial functions, are exempt from coverage under the IPPs. State and territory courts are not 'organisations' or 'agencies' for the purposes of the Privacy Act and are therefore also exempt.
152. Some solutions to reduce the privacy impact of electronic court records on individuals participating in the judicial system might be to
153. The Office supports the further exploration of options for the protection of personal information contained in public records in the context of electronic publication.
154. However, it is the opinion of the Office that the Privacy Act is not the appropriate instrument for implementing changes to protect the personal information contained in court records.
155. The Office believes that changes to court record publication are best dealt with through procedural directives or guidelines rather than through legislative intervention.
156. Moreover, the Privacy Act does not cover state and territory courts. Therefore a coordinated approach between the states and territories and Commonwealth would provide a more consistent framework for the electronic publication of court records.
157. The Office recommends that the matter be referred to the Standing Committee of Attorneys-General (SCAG), as recommended by the ALRC in its report Keeping Secrets: The Protection of Classified and Security Sensitive Information (see IP31 paragraph 5.61). Specifically, the Office believes attention should be given to the online publication of court records. SCAG has already initiated work in this area, establishing a working party which released an issues paper entitled 'Online dissemination of Criminal History Information'.596
554 See for example Joel Reidenberg 'Privacy Protection and the Interdependence of Law, Technology and Self-regulation' 1999, available at http://reidenberg.home.sprynet.com/Interdependence.htm. The Australian Communications and Media Authority (ACMA) takes a multifaceted approach to regulating internet content which includes industry self-regulation; community awareness; codes and standards; and legislation. See, www.acma.gov.au
555 See for example Ministry of the Interior and Kingdom Relations, the Netherlands, Privacy Enhancing Technologies White Paper for Decision Makers, 2004.
556 Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988, (Office's Private Sector Review) 2005, p 257.
557 Peter Lyman and Hal R. Varian, How Much Information? 2003 www.sims.berkeley.edu/how-much-info-2003
558 See for example Organisation for Economic Cooperation and Development 'Report on the Cross-Border Enforcement of Privacy Laws' 2006, available at http://www.oecd.org/dataoecd/17/43/37558845.pdf.
559 'Phishing' for example involves criminals directing individuals to websites which imitate the websites of organisations that the individual may trust in order to collect personal information for criminal purposes.
560 See for example work done by Information and Privacy Commissioner of Ontario on a proposal for a universal identity meta-system for the internet: 7 Laws of Identity: The Case for Privacy Embedded Laws of Identity in the Digital Age, 2006, available at http://www.ipc.on.ca/images/Resources/up-7laws_whitepaper.pdf. See also Ministry of the Interior and Kingdom Relations, the Netherlands, Privacy Enhancing Technologies White Paper for Decision Makers, 2004.
561 Office of the Privacy Commissioner Privacy and Biometrics; The End of The World as We Know It or The White Knight of Privacy?, 2002 available at http://www.privacy.gov.au/news/speeches/sp80notes.htm.
562 NSW Ombudsman, DNA sampling and other forensic procedures conducted on suspects and volunteers under the Crime (Forensic Procedures) Act 2000, October 2006 p 229.
563 See Biometrics Institute, Biometrics Institute Privacy Code, 2006
564 See, Submission to the Department of Human Services: Access Card Consumer and Privacy Taskforce Consultation on the Australian Government Health and Social Services Access Card - Discussion Paper Number 1 available at http://www.privacy.gov.au/publications/accesscard_sub_082006.html#mozTocId731167.
565 Office of the Privacy Commissioner, Under the Gaze: Privacy, Identity and New Technology, 2002, p4, available at http://www.privacy.gov.au/news/speeches/sp104notes.pdf.
566 Barbaro M and Zeller T (2006) 'A face is exposed for AOL searcher No. 4417749' New York Times 9 August, available at http://www.nytimes.com/2006/08/09/technology/09aol.html?ei=5087&en=fc3fb3310bf58bd7&ex=1171771200&excamp=mkt_at1&pagewanted=all.
567 Bundled consent and the Privacy Act, available at http://www.privacy.gov.au/news/media/02_8.html.
568 See Australian Communications Industry Forum 522 Call Number Display, 2003.
569 Office's Private Sector Review, Recommendation 70.
570 This issue was raised in the Office's Private Sector Review. The Office found that there did not appear to be a great deal of support from submissions or in consultations for changing the Privacy Act so that it covers the activities of private individuals. See Office's Private Sector Review, p246.
571 Justin Milne, 'OzEmail - an ISP's approach to privacy', in Privacy Law and Policy Reporter, 26, 2000 available at
572 Privacy Act 1988 (Cth), Sch 3, NPP 7.3.
573 Information Privacy Act, 2000 (Vic) Sch 1.
574 Ontario Freedom of Information and Protection of Privacy Act, 1990, Section 2.1.
575 As noted in IP31, this is a requirement of the EU Directive. See Directive 95/46/EC, art 12(a).
576 Biometrics Institute Privacy Code, 2006, principle 11.1
577 Personal Information Protection Act, S.A. 2003 (Alberta), ss 2, 3 and 11.
578 For the Access Card submission visit http://www.privacy.gov.au/publications/accesscard_sub_082006.doc and for the Smartcard Framework Submission visit http://www.privacy.gov.au/publications/Smartcardsub020506.doc
579 This is in line with a resolution made at the 2003 Conference of Data Protection and Privacy Commissioners.
580 See, Submission to the Department of Human Services: Access Card Consumer and Privacy Taskforce Consultation on the Australian Government Health and Social Services Access Card - Discussion Paper Number 1 available at http://www.privacy.gov.au/publications/accesscard_sub_082006.html#mozTocId731167.
581 Note Council of Australian Governments (2006), A National Approach to Closed Circuit Television: National Code of Practice for CCTV Systems for the Mass Passenger Transport Sector for Counter-Terrorism at 25. Available at http://www.coag.gov.au/meetings/140706/docs/cctv_code_practice.pdf.
582 'Police ID Puts You in the Frame', Herald Sun, 19 Jun 2006. Available at http://www.heraldsun.news.com.au/common/story_page/0,5478,19511544%255E661,00.html
583 See, for example, proposals in the UK - The Guardian Unlimited 'Robo cop' at http://www.guardian.co.uk/Archive/Article/0,4273,4432506,00.html.
584 See also Office of the Privacy Commissioner, 'Biometrics and privacy: The End of The World as We Know It or The White Knight of Privacy?', 2002, pp16-17 http://www.privacy.gov.au/news/speeches/sp80notes.pdf
585 Notice of data security breach laws in the US led to disclosures of major breaches by ChoicePoint, LexisNexis and CardSystems. CardSystems, for example, sustained the largest data security breach on record in 2005, with 40 million credit card numbers, names and expiry dates exposed to misuse. The company was forced to disclose the breach under various US state security breach notification laws (Reuters, 'CardSystems says it faces imminent extinction', 22 July 2005).
586 State of California Dept of Consumer Affairs, 'Recommended Practices on Notice of Security Breach Involving Personal Information', April 2006, p7 available at http://www.privacyprotection.ca.gov/recommendations/secbreach.pdf
587 Notification is required where there is a breach to unencrypted computerised data involving a name and either a social security number, drivers licence or California ID number, or financial account number, ibid. p7.
588 Canadian Internet Policy and Public Interest Clinic, Approaches to Security Breach Notification: A White Paper, 9 January 2007 available at http://www.cippic.ca/en/bulletin/BreachNotification_9jan07-print.pdf
589 Commission of the European Communities, Review of the EU Regulatory Framework for electronic communications networks and services', June 2006, p30, available at http://europa.eu.int/information_society/policy/ecomm/doc/info_centre/public_consult/review/staffworkingdocument_final.pdf
590 State of California Department of Consumer Affairs, Recommended Practices, op.cit., p7.
591 Office's Private Sector Review. pp 242-243.
592 See for example Roger Clarke, Submission to Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988, 2005, Clarke quoted at p 18.
593 Prof Marcia Neave International regulation of the publication of publicly accessible personal information, speech to International Conference of Data Protection and Privacy Commissioners, 2003, pp2-3.
594 Office of the Privacy Commissioner, Access and Privacy: Getting the Balance Right, speech to Australian Court Administrators Group, 2005, available at http://www.privacy.gov.au/news/speeches/sp12_05.pdf
595 See Justice Debra Mullins, Judicial Writing in Electronic Age 2004 available at http://www.courts.qld.gov.au/publications/articles/speeches/2004/mullins211204.pdf
596 SCAG work in this area is discussed in Mullins ibid., p 4.