1. In chapter 6 of DP 72, the ALRC considers how developments in technology have influenced discussions about privacy and the development of information privacy laws.
2. While no specific proposals flow from this Chapter, the Office agrees with the ALRC's assessment of developing technologies that impact on privacy, particularly the need to manage new technology such as Radio Frequency Identification (RFID).
3. This is in accordance with the Office's submission to IP 31.[82]
4. The Office addresses the specific proposals around technology in chapter 7. The Office has no further comment on technologies that should be added to the list of technologies compiled by the ALRC.
1. The Office agrees with proposal 7-1.
2. The proposal is consistent with the Office's response to question 11-4(i) of the ALRC's Issues Paper 31 (IP 31).[83]
3. The Office supports the idea of specific regulation being applied to new technologies that raise significant privacy risks. However, the Office is unsure whether or not proposal 7-2 is the most effective way to implement such regulation.
4. The Office believes that mandating privacy and security standards, developed by standards and industry bodies, might in some circumstances be consistent with the multi-faceted approach to protecting privacy in the context of new technologies. This multifaceted approach incorporates:
5. The Office also has noted that, under this multifaceted approach, ‘where specific technologies raise privacy impacts requiring unique regulatory interventions, then these may best be dealt with through binding guidelines'.[85]
6. Proposal 7-2 could be seen as one way of giving effect to the idea that specific protections, in this case as enumerated in industry standards, may be required for specific technologies.
7. As noted in DP 72, such industry standards can provide ‘...proactive privacy protection in a ‘light-touch' regulatory regime'.[86] However, DP 72 also notes ‘...there may not be adequate incentive for agencies and organisations to comply with standards because of a lack of adequate enforcement mechanisms.'[87] Accordingly, DP 72 has proposed that:
8. While the Office supports the policy intent of the proposal to create a mechanism to make mandatory standards, there would appear to be a number of matters on which clarification would be required before the Office could support the proposal in its entirety.
9. Firstly, it is not clear whether the standards being subject to Ministerial discretion is necessary. The Office has expressed support in its previous submission for the use of binding codes to address high risk technologies. Relevantly, ALRC DP 72 has proposed a ‘three step' binding code process, which provides for binding codes to be developed at the initiative of an organisation, or where necessary, at the request of the Privacy Commissioner. Where a binding code is deemed necessary, as a final step the Privacy Commissioner may develop and impose a binding code.[89]
10. Accordingly, rather than establish another type of instrument, and thus potentially add to fragmentation and complexity, the Office suggests that it may be preferable for the power referred to in proposal 7-2 to rest with the Privacy Commissioner as a power to make a binding code. While the proposed binding code powers are focused on designated agencies or organisations, it would not seem difficult to introduce a category that provided for specific technologies. Such a code would still be a legislative instrument, and thus subject to parliamentary scrutiny.
11. Drawing on the proposed binding code power to make mandatory standards would also seem consistent with the objective that such codes ‘...are a form of co-regulation that ‘fills in the gaps' between the outcome set by a privacy principle and the application of, or compliance with, that principle'.[90]
12. In addition, it is unclear from the proposal whether a legislative instrument could derogate from the proposed Unified Privacy Principles (UPPs), either in regard to reducing overall protections or protections afforded by a specific principle.
13. Clarifying the relationship between this proposed instrument and other forms of regulation, such as the principles, as well as the two sets of proposed regulations and any binding codes that may be made, would also be helpful.
14. In addition, there may be occasion where it is not appropriate for all the matters dealt with in an industry standard to be included in privacy regulation. This might include, for example, where an element of the standard would derogate from a UPP, or where a standard dealt with a matter that would be beyond the scope of the Privacy Act 1988 (Cth). It is unclear whether the proposal would provide for only specific elements of the standards to be included in the legislative instrument, or whether the Privacy Commissioner could advise the Minister to exclude certain matters.
15. Further detail would also be required regarding the proposed mechanisms or responsible party for monitoring or enforcing compliance with mandatory standards.
16. The Office agrees with proposal 7-3.
17. The proposal is consistent with the Office's position in its submission to IP 31 at question 11-1.[91]
18. The Office agrees with proposal 7-4.
19. The Office reiterates its position that in the context of developing technologies, consideration should be given to clearly recognising the importance of the Office's education function by including express reference to it in s 27 of the Privacy Act in either or both of sub-subsections 27(1)(c) and (m).[92]
20. The Office agrees with proposal 7-5 (a).[93]
21. The Office agrees in principle with proposal 7-5 (b).
22. In its submission to IP 31 at question 4.35, the Office proposed that a separate notice principle be created to promote openness and choice for individuals. However, consistent with its response to question 11.3(a) of IP 31, the Office submitted that the notice principle itself should remain technology neutral.
23. The Office considers that technology-specific notices may enhance individuals' control over their personal information but suggests that this should be limited to situations where there is a demonstrated need for technology-specific notice requirements. This is because technology-specific notice requirements are likely to be prescriptive and therefore at odds with the concept of principles-based law. Furthermore, added notice requirements for certain technologies may not accord with the technological neutrality of the Privacy Act.
24. The Office submits that, where there is a demonstrated technology-specific need to provide guidance, requirements for new technologies be incorporated in technologically specific binding guidelines and industry codes.
25. The Office agrees with the intent of proposal 7-5(c) but not necessarily the specific examples (such as how to remove a Radio Frequency Identification (RFID) tag).
26. The proposal is generally consistent with the Office's position in its submission to IP 31.[94] However, the Office resubmits that all the basic principles of privacy law should be adopted when designing, implementing and using RFID technology. These basic principles might include:
27. The Office will seek opportunities to provide guidance around the use of RFID technology as the use of this technology expands in Australia.
28. The Office does not agree that the proposed Access and Correction principle necessarily implies that access to personal information be given in an intelligible form where practicable.
29. The Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (‘OECD Guidelines')[96] state that ‘an individual should have the right to have communicated to him, data relating to him in a form that is readily intelligible to him.'
30. This Office believes that a change which allowed for information to be presented in a comprehensible form would enhance individuals' access rights. The Office is aware that there will be occasions where it may be extremely difficult for information to be presented in an intelligible form. For this reason, the Office submits that personal information should be made accessible in an intelligible form where practicable. It should also be kept in mind that organisations have a discretion to charge a reasonable fee to provide access. If an individual sought information in an ‘intelligible form' which imposed a significant burden on the organisation, then the organisation could, if it chose, impose a reasonable fee for the provision of this access.
31. The Office supports the practice of human review of decisions made by automated means, as stated in the Office's position in its submission to IP 31.[97]
32. The Office reiterates the view that it may be useful for legislative amendment to be made requiring agencies and organisations to have in place adequate review mechanisms for automated decisions, especially where those decisions may have an adverse effect on the individual.
33. In April 2007, the Administrative Review Council (ARC) launched the Automated Assistance in Administrative Decision-Making Better Practice Guide (‘the Guide').[98] The Guide currently endorses a voluntary commitment to the review and quality control of automated decisions, with the capacity for manual checking and review. The current proposal for the Office to provide guidance on automated decisions will be a reiteration of the ARC's guidelines rather than an enforceable mechanism.
34. The Office recognises that sometimes review mechanisms will involve the human checking of automated decisions, but believes that there may be occasions where a review of a decision will include further automated processes or a combination of human and automated processes. The Office takes the view that, in the interests of technological neutrality, it will be important for the Privacy Act both to support fair and reasonable review mechanisms and allow for technological development which enables effective review via automated systems.
35. While noting the potential benefits of data-matching activities, the Office has also previously pointed to the privacy risks posed by large scale, routine data matching. These include:
36. The Office agrees that these risks may be mitigated by providing guidance to organisations. To educate the private sector on the risks associated with data-matching, the Office is committed to issuing guidelines on best practice for data-matching activities. The Office expects the guidance could take a similar approach to the guide produced by the ARC on automated assistance in administrative decision-making.[100] It is anticipated that guidance on data-matching would be well received by organisations that currently engage in these practices.
37. At the same time, given the potential significance of these risks, the Office suggests that a power be available for the creation of a binding code where certain data-matching (including data-linking and data-mining) activities heighten privacy concerns.
Application of binding data-matching rules to agencies
38. The Office proposed in its submission on IP 31 that consideration be given to making the current voluntary public sector data-matching guidelines mandatory to enhance data-matching regulation. While not making a proposal on the matter, DP 72 has decided against such a position,[101] though leaving it open that such regulation be pursued through a binding code.[102] The Office remains of the view that agency data-matching, particularly where it involved very large numbers of records or highly sensitive information, should be subject to mandatory regulation. If the binding code making power does not extend to such activities, then the Office reiterates the view expressed in its previous submission that the voluntary guidelines, in revised form to reflect their changed status, be made mandatory.
39. Further, in the Office's view, private sector data-matching activity might be an area best dealt with under a code made by a sector and registered using the Privacy Commissioner's proposed code making powers. The Office envisages that the code making power would take the form of a code developed at industry's initiative and to be used on an industry specific basis only.
1. Online technology has radically altered the way society communicates, educates and operates commercially and socially. Online content has the potential to empower, affect, influence and educate. However, it also has the potential to put at risk members of the community, and to that end, the Office acknowledges the considerable public interest in the range and diversity of online content.
2. Depending on the circumstances, some sectors of the community, such as children and young people, may be more vulnerable to online risks than others.
3. Given the broad variation in and use of online content, the Office considers that a separate, widespread, public consultation of community standards and views should be undertaken in any discussion related to take down notices and content that may constitute an invasion of an individual's privacy.
4. Such public consultation could also canvass community opinion on what criteria should be used to determine when a take down notice should be issued. It is important to ensure that any expansion in the ability to issue take down notices accords with community expectations.
5. The Office notes that what might constitute an invasion of individual privacy, online or otherwise, may be largely dependent on a number of factors including context, intent and the individuals concerned.
6. In the view of the Office, the range of content that may constitute an invasion of an individual's privacy could include information that is sensitive, revealing information about an individual's health, racial or ethnic origin, sexual preferences or practices, political opinions or membership of a political organisation or trade union.
7. The Office considers that as well as legislative measures that may be considered, education has a key role in raising public awareness as to what constitutes appropriate online content in the context of individual privacy.
8. Where offensive or illegal content is accessible via the internet the Office notes that the Australian Communications and Media Authority (ACMA) can investigate complaints about content. While recognising that in some circumstances online users have the ability to cause harm or offence of some kind to another individual by publishing inappropriate or thoughtless material, the Office believes the Privacy Act 1988 (Cth) (‘Privacy Act') is unlikely to be the best means to regulate such behaviours.
9. The Office does not believe that it is best placed to issue take down notices or deal with a complaint about such matters.
Effect of online content
10. How individuals behave online or how online content affects or impacts upon individuals, varies from user to user and may be influenced by factors such as gender or age.
11. For example, in the Community Attitudes Survey conducted by the Office in 2007,[103] 54% of women said they were more concerned about providing information over the internet than two years prior, compared to 46% of men. Younger participants (aged 18-24) were less concerned about providing personal information on the web than those aged over 35. Younger respondents also provided false information at a higher rate (58%) compared with 8% of those aged over 50.
12. Research conducted by the London School of Economics and Political Science in 2004[104] showed that around 90% of the 9-19 year olds surveyed used the internet for homework and 72% for e-mail. Among those surveyed, 57% of these had come into contact with pornography online and one third had received ‘unwanted sexual or nasty comments'.
13. For many teenagers and young adults, sharing their lives and innermost thoughts on the internet through the medium of Facebook and MySpace may pose few if any individual privacy concerns. USA Today reported, for example, that for one young person such technology is ‘just a way for me to reach more people with who I am. It's the age of information; I'm used to giving and receiving tons.'[105]
14. Conversely, a report by Pew Internet and American Life Project,[106] which examined how teenagers protected their information online, found that,
15. Information that individuals post online about themselves or others may have other ongoing effects. The National Association of Colleges and Employers recently warned that more than 60% of employers who reviewed information about candidates in online social networks found that it ‘has at least some influence on their hiring decisions'.[107]
16. Research conducted by the UK Information Commissioner's Office (ICO) has found that more than 71% of young people in the UK ‘would not want a college, university or potential employer to conduct an internet search on them unless they could first remove content from social networking sites ... and almost six in ten had never considered that what they put online now might be permanent and could be accessed years into the future.'[108]
17. Sharing experiences on the ICO site, one young person noted that
Children and young people
18. The Office notes that in November 2005, it made a submission to a Standing Committee of Attorneys-General (SCAG) discussion paper on privacy issues surrounding unauthorised photographs. The Office argued that criminal sanctions for individuals who inappropriately take, use or disclose photographs of children or young people may be more appropriate than dealing with the issue through the Privacy Act.[110]
19. In the Office's view, the unreasonable, inappropriate and potentially criminal taking of photos of children and young people should be addressed by mechanisms other than the Privacy Act.[111]
20. The Office noted that these circumstances would generally involve the actions of an individual, rather than an organisation or an agency. As such, the Office took the view that a legislative response was likely to be most effective if it was implemented in legislation with broader coverage than the Privacy Act.
Education
21. The Office's submission to the SCAG discussion paper noted that this problem may be best addressed through a combination of mechanisms, including education campaigns as well as legislative options.[112]
22. The Office also suggests in chapter 59 of this submission that:
...available evidence suggests that more effort needs to be directed to ensuring young people gain the skills needed to make sensible decisions around privacy and to understand their rights and obligations under privacy legislation. Results from the Office's 2007 Community Attitudes Survey suggested that while awareness of privacy issues has increased overall in comparison to 2004, younger respondents (in this case, aged 18-24) continue to be less aware of their privacy rights than older respondents.[113] This may correspond with levels of awareness of legal rights more generally.
23. The Office is considering ways in which young people may best be educated about privacy pitfalls online.
Regulating individual privacy
24. The Privacy Act contains principles that set standards and regulate the personal information held by agencies and organisations. In its submission to the ALRC's Issues Paper 31 (IP 31),[114] the Office noted that while the increasing capacity for individuals to harness technology for personal use may have significant impacts on the privacy of others, the Office believes the Privacy Act is not the right instrument for regulating acts and practices of individuals relating to their personal, family or household affairs.[115]
25. The Office believes that the Privacy Act has been specifically tailored to regulate agencies and organisations and as such is ill-suited to the regulation of individuals in their personal capacity. For instance, it would be difficult and undesirable to require individuals to give notice or seek consent for collection of personal information. Also, applying data quality and data security principles to an individual's address book could be inappropriate. Such obligations would be difficult, and in some cases impossible, to enforce.
26. However, the Office notes that a statutory cause of action may go some way to providing individuals with an avenue for redress in the event that their privacy was interfered with by an individual acting in a personal capacity.
27. Statutory causes of action are discussed further at chapter 5 of this submission.
28. Children, young people and privacy is further discussed in chapter 59 of this submission.
29. The Office generally agrees with proposal 8-1.
30. The proposal is in line with the Office's position in its submission to IP 31.[116]
31. However, the Office reiterates its view[117] that as the Privacy Act does not cover state and territory courts, a coordinated approach between the states, territories and the Commonwealth would provide a more consistent framework for the electronic publication of court records. Such an approach might most usefully be pursued through SCAG.
1. In chapter 9 of Discussion Paper 72 (DP 72), the ALRC considers the ways in which privacy laws can assist in preventing identity theft and minimise the harm caused by it when it does occur. While no specific proposals flow from this chapter, the chapter considers proposed options for reform of privacy laws that may have the additional benefit of addressing the problem of identity theft.
2. The Office agrees with the ALRC's view that many of the proposed unified privacy principles would assist in preventing identity theft by precluding the improper dissemination of information and assist in minimising the harm caused by identity theft by placing accuracy obligations on organisations and agencies.
3. As the Office found in its 2007 community attitudes research, identity theft is a significant and growing concern for many Australians.[119] The Office's view is that identity theft constitutes a serious interference with individuals' privacy, and the Office has provided guidance on the steps to take to protect identity.[120] Most recently, the Office has released an information sheet on the privacy risks of scanning identity documents, with identity theft featuring prominently.[121]
4. In regard to the options for reform the Office is generally supportive of the proposed amendments to the Privacy Act 1988 (Cth) to include a part on data breach notification,[122] and the regulation of unique multi-purpose identifiers.[123] The Office agrees that these proposals may have the additional benefit of addressing the problem of identity theft.
5. However, the Office has some concerns regarding the regulation of credit reporting information about minors[124] and the expansion of the online content regulation scheme set out in the Broadcasting Services Act 1992 (Cth) to include content which may constitute an interference with an individual's privacy.[125] In the Office's view the proposed reforms are not consistent with the policy intentions of the Privacy Act and detract from an individual's privacy rights. Therefore, the Office does not support this as a method to address identity crime.
[82] See chapter 11, question 11-1, available at http://www.privacy.gov.au/publications/submissions/alrc/c11.html#L24414.
[83] See chapter 11, paragraphs 135-141 at page 444. Available at http://www.privacy.gov.au/publications/submissions/alrc/c11.html#L25052.
[84] This is presented in chapter 11 of the Office's submission on IP 31, available at http://www.privacy.gov.au/publications/submissions/alrc/c11.html
[85] See paragraph 2 of chapter 11, available at http://www.privacy.gov.au/publications/submissions/alrc/c11.html.
[86] Paragraph 7.64.
[87] Paragraph 7.64.
[88] Paragraph 7.65.
[89] This ‘three-step' process is discussed in ALRC DP 72 at paragraphs 44.154 to 44.158.
[90] ALRC DP 72 para 44.159.
[91] See the Office's submission at chapter 11, paragraphs 2, 12 and 17, available at http://www.privacy.gov.au/publications/submissions/alrc/c11.html#Introducti10.
[92] The Office's position 11-1(ii) is available at http://www.privacy.gov.au/publications/submissions/alrc/c11.html#Question217.
[93] The Office stressed the general importance of education and end-user empowerment in responding to chapter 11 of IP 31, available at http://www.privacy.gov.au/publications/submissions/alrc/c11.html.
[94] See, for example, chapter 11, paragraph 112, available at http://www.privacy.gov.au/publications/submissions/alrc/c11.html#RFID.
[95] This is in line with a resolution made at the 2003 Conference of Data Protection and Privacy Commissioners.
[96] Guideline 13(b) of the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980).
[97] See, chapter 11, question 11-3, paragraphs 85-87, available at http://www.privacy.gov.au/publications/submissions/alrc/c11.html#Data1.
[98] The Automated Assistance in Administrative Decision-Making Better Practice Guide seeks to ensure that agencies using computer systems for administrative decision-making purposes adhere to administrative law values when developing and operating such systems. The Guide is available on the Commonwealth Ombudsman's website - http://www.ombudsman.gov.au/
[99] Office of the Privacy Commissioner, Under the Gaze: Privacy, Identity and New Technology, 2002, p4, available at http://www.privacy.gov.au/news/speeches/sp104notes.pdf.
[100] See question 7-5(e) above.
[101] DP 72, paragraph 7.122.
[102] DP 72, paragraph 7.124.
[103] Office of the Privacy Commissioner, Community Attitudes Survey 2007, available at http://www.privacy.gov.au/business/research/index.html#1b.
[104] London School of Economics and Political Science, UK Children Go Online, April 2005. http://personal.lse.ac.uk/bober/UKCGOfinalReport.pdf
[105] USA Today, October 2007. http://www.usatoday.com/tech/webguide/internetlife/2007-10-22-online-privacy_N.htm
[106] Pew Internet and American Life Project, Teens, Privacy and Online Social Networks, April 2007. http://www.pewinternet.org/press_release.asp?r=139
[107] NACEWeb, One in 10 Employers Will Use Social Networking Sites to Review Job Candidate Information, 2006. http://www.naceweb.org/press/display.asp?year=2006&prid=244
[108] Information Commissioner's Office, UK, 4.5 million young Brits' futures could be compromised by their electronic footprints, November 2007. http://www.ico.gov.uk/upload/documents/pressreleases/2007/social_networking_press_release.pdf
[109] http://www.ico.gov.uk/Youth/section2/other_peoples_stories.aspx
[110] Office of the Privacy Commissioner, ‘Submission to the Standing Committee of Attorneys-General on the Unauthorised Photographs on the Internet and Ancillary Privacy Issues: Discussion Paper', November 2005, available at http://www.privacy.gov.au/publications/photosub.pdf.
[111] For example, the Office notes an incident reported by the media in November 2006, where an individual was charged with possession of child pornography and behaving in an offensive manner in or near a public place or school.
[112] Office of the Privacy Commissioner, ‘Submission to the Standing Committee of Attorneys-General on the Unauthorised Photographs on the Internet and Ancillary Privacy Issues: Discussion Paper', November 2005, pp 6-7, available at http://www.privacy.gov.au/publications/photosub.pdf.
[113] See http://www.privacy.gov.au/publications/rcommunity07.pdf
[114] Office's submission to the ALRC's IP 31, chapter 11, question 11.2(a)
[115] This issue was raised in the Office's Private Sector Review. The Office found that there did not appear to be a great deal of support from submissions or in consultations for changing the Privacy Act so that it covers the activities of private individuals. See the Office's Private Sector Review, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988, page 246.
[116] Question 11-5, available at http://www.privacy.gov.au/publications/submissions/alrc/c11.doc.
[117] See Office submission, ALRC IP 31, Chapter 11, question 11-5.
[118] ALRC Report, Keeping Secrets: The Protection of Classified and Security Sensitive Information, April 2003. http://www.alrc.gov.au/inquiries/title/alrc98/index.html
[119] See, Media Announcement: ID theft, ID scanning and online privacy concerns are on the rise, 28 August 2007, available at http://www.privacy.gov.au/news/media/2007_15.html.
[120] Media Announcement: Privacy Commissioner supports ID theft awareness campaign 26 March 2007, available at http://www.privacy.gov.au/news/07_02.html.
[121] Information Sheet 20 - Scanning ‘Proof of Identity' Documents, August 2007, available at http://www.privacy.gov.au/publications/IS20_07.html.
[122] Discussed in chapter 47 of this submission on ‘Data breach notification'
[123] See the Office's position 27-5 in chapter 27 ‘Regulation of Unique multi-purpose identifiers' of this submission.
[124] Office position in response to proposal 52-8 of this submission.
[125] Office position in response to proposal 8-1 of this submission.