Tom Worthington

Privacy - a Public Good

Tom Worthington

Immediate Past President, Australian Computer Society

Published in Australian Communications April 1998

The Federal Privacy Commissioner released a set of national principles for the fair handling of personal information on 20 February 1998 (1). In the media release accompanying the report (2) they said:

"Consumers are very concerned about how their personal information will be protected, particularly prompted by the explosion of information technology. Business needs to take seriously these fears of their customers."

From this it is clear that the Commissioner sees privacy as necessary for business, or at least the lack of privacy as an impediment to business. The Australian Law Council has argued that the principles need to be compulsory (3), not a voluntary code.

Privacy Commissioner's Role

The Privacy Commissioner's role has been to oversee privacy issues with information kept by federal government agencies (4). In March 1997 the Prime Minister offered the services of the commission (5) to help Australian businesses to develop voluntary codes of conduct to meet privacy standards.

The Commissioner issued a consultation paper in August 1997 (6), which appears to have attracted little attention. What weight the Commissioner gave to any submissions can only be a matter of speculation. The final document does not include a list of who made submissions, what they said, or what the Commissioner thought of them. This is a serious omission from a report on such an important topic.

The "small government" approach of the current Federal Government meant that the Commissioner was limited to looking at self-regulation. There is some attempt to get around this constraint with mention of legislation in the states or territories. However, this will not solve the dilemma of an acknowledged need for national consistency in privacy standards and a federal government which doesn't want to legislate privacy standards.

A two-stage approach has been adopted by the Commissioner, with principles in this first report and implementation issues to follow some time later. This is a reasonable approach, but puts off the hard work of details. Just about everyone will agree privacy is a "good thing", up until details of implementation are proposed.

Privacy Principles

The OECD’s Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (7) defines eight principles of data protection: Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, Individual Participation and Accountability.

The OECD principles imply obligations on an organisation in how it handles information and would then require an investigation and enforcement mechanism. Those obligations and enforcement mechanisms are detailed in legislation covering the Australian Public Service. The issue comes with how to implement the same principles in the private sector.

An organisation needs to be able to show that personal information is only collected for legitimate activities. Information should only be obtained by lawful means and collection should not be intrusive. A person should be told who is collecting information about them, why, who will get it and what happens if they refuse to provide it. The information shouldn't be used for something the person wasn't told about and should be looked after properly.

There are reasonable exceptions to personal privacy rules, such as when a doctor urgently needs information to treat an unconscious patient or a police officer for legitimate law enforcement. However, as well as doctors and the police, the Privacy Commissioner provides an exemption for direct marketing companies, from some of the principles: "2.1 An organisation should only use or disclose personal information for a purpose other than the primary purpose of collection (a ‘secondary purpose’) if:... (c)(i) the organisation uses the information for the purpose of direct marketing; ..."

If a company requires client details for direct marketing, or to sell to another company for direct marketing, it should say so. Few people may give permission for this form of marketing, but it is not the Privacy Commissioner's job to protect questionable business practices.

Need for Privacy

While some of the ideas of privacy may seem esoteric, the current impetus for action in Australia is a real, commercial one. Western countries, particularly in Europe, have adopted privacy laws. Those laws govern not only the internal handling of personal information in the country, but also the export of information. The European Union Data Protection Directive (9) comes into force on 24 October 1998. Australian organisations will not be able to participate in global business unless the Australian government adopts comparable laws.

In November 1996 I represented Australia at a meeting in the UK of the heads of national computing societies to discuss issues of global electronic operations (8). Our host for the event, the British Computer Society, arranged a presentation on British data privacy legislation. After a detailed and, at times, legalistic overview, the simple conclusion was that the laws were reasonable and workable (10).

CONCLUSION: Australia Requires Privacy Laws

Paradoxically, privacy might be best thought of as a "public good". Like other public goods, privacy is something which is needed, but cannot be provided by a market system. Privacy requires action by governments. Australians will not use the Internet for business if they do not believe their privacy is being protected.

Australia requires privacy laws to prevent us becoming an outcast in international on-line trade. The Federal Government should re-task the Privacy Commissioner to develop the legislative framework to meet privacy standards, in consultation with the states. The alternative of piecemeal implementation by state governments would be expensive.

References


Comments to Tom Worthington: tom.worthington@tomw.net.au