Australian Computer Society

The primary aim of this paper is to provide a detailed discussion of privacy issues for a Parliamentary inquiry into the Privacy Amendment Bill 1998 (Senate 1998). It also provides references to key documents on privacy for ACS members and others interested in the issue of privacy and IT systems.
This paper does not discuss every aspect of privacy, nor all issues to be addressed by the inquiry. The ACS has previously looked at issues of government use of personal information (ACS 1990) and protection of information generally by IT professionals (ACS 1995). This paper concentrates on the need for Commonwealth privacy legislation to be extended to the private sector to meet relevant international standards and obligations. It argues that any privacy scheme that does not have legislatively-backed complaints, investigation and enforcement mechanisms will have limited effectiveness.
The National Principles for the Fair Handling of Personal Information, as produced by the Privacy Commissioner, are not seen as a suitable basis for protection of public privacy in the private sector.
While some of the ideas of privacy may seem esoteric, the current impetus for action in Australia is a real, commercial one. Western countries, particularly in Europe, have adopted privacy laws. Those laws not only govern internal handling of personal information in the country, but export of information. The European Union Data Protection Directive (OECD 1995) comes into force 24 October 1998. Some sectors of Australian industry could be severely disadvantaged by the lack of complementary legislation.
In November 1996 the ACS took part in an international meeting in the UK of the heads of national computing societies to discuss issues of global electronic operations (ACS 1996). The British Computer Society, as host for the event, arranged a presentation on British data privacy legislation. The conclusion presented in that forum was that the UK privacy laws applying to private companies were reasonable and workable (UK Registrar 1998).
The OECD’s Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (Privacy Commission 19??) define eight principles of data protection: Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, Individual Participation and Accountability.
The OECD principles imply obligations on an organisation in how it handles information and therefore require an investigation and enforcement mechanism. Those obligations and enforcement mechanisms are detailed in legislation covering the Australian Public Service. The issue is how to implement the same principles in the private sector.
An organisation needs to be able to show that personal information is only collected for legitimate activities. Information should only be obtained by lawful means and collection should not be intrusive. A person should be told who is collecting information about them, why, who will get it and what happens if they refuse to provide it. The information should not be used for something the person was not told about and should be looked after properly.
The Privacy Commissioner's role has been to oversee privacy issues with information kept by federal government agencies (Commonwealth 1998). In March 1997 the Prime Minister offered the services of the commission (PM 1997) to help Australian businesses to develop voluntary codes of conduct to meet privacy standards.
The Commissioner issued a consultation paper in August 1997 (Privacy Commissioner 1997), which appears to have attracted little attention. What weight the Commissioner gave to any submissions can only be a matter of speculation. The final document does not include a list of who made submissions, what they said, or what the Commissioner thought of them. This is a serious omission from a report on such an important topic.
The "small government" approach of the current Federal Government meant that the Commissioner was limited to looking at self-regulation. There is some attempt to get around this constraint with mention of legislation in the states or territories. However, this will not solve the dilemma of an acknowledged need for national consistency in privacy standards and a federal government which doesn't want to legislate privacy standards.
A two stage approach has been adopted by the Commissioner, with principles in this first report and implementation issues to follow some time later. This is a reasonable approach, but puts off the hard work of details. Just about everyone will agree privacy is a "good thing", up until details of implementation are proposed.
The Federal Privacy Commissioner released a set of national principles for the fair handling of personal information on 20 February 1998 (Privacy Commissioner 1998). In the media release accompanying the report (Privacy Commissioner 1998b) they said:
"Consumers are very concerned about how their personal information will be protected, particularly prompted by the explosion of information technology. Business needs to take seriously these fears of their customers."
From this it is clear that the Commissioner sees privacy as necessary for business, or at least the lack of privacy as an impediment to business. The Australian Law Council has argued that the principles need to be compulsory (ABC 1998), not a voluntary code.
The OECD principles have reasonable exceptions to personal privacy rules, such as when a doctor urgently needs information to treat an unconscious patient or a police officer needs it for legitimate law enforcement. However, as well as doctors and the police, the Privacy Commissioner proposes an exemption for direct marketing companies from some of the principles:
"2.1 An organisation should only use or disclose personal information for a purpose other than the primary purpose of collection (a ‘secondary purpose’) if:...(c)(i) the organisation uses the information for the purpose of direct marketing; ..."
If a company requires client details for direct marketing, or to sell to another company for direct marketing, it should say so. Few people may give permission for this form of marketing, but it is not the Privacy Commissioner's job to protect questionable business practices.
Paradoxically, privacy might be best thought of as a "public good". Like other public goods, privacy is something which is needed, but cannot be provided by a market system. Privacy requires action by governments. Australians will not use the Internet for business if they do not believe their privacy is being protected.
Australia requires privacy laws to prevent some sectors of Australian industry, particularly those involved in on-line trade, being severely disadvantaged in international commerce. The Federal Government should re-task the Privacy Commissioner to develop the legislative framework to meet privacy standards, in consultation with the states. The alternative of piecemeal implementation by state governments would be expensive and quite unworkable.
This document was prepared by Tom Worthington, Immediate Past President of the Australian Computer Society, using material drawn from his article Privacy - a Public Good, published in Australian Communications, April 1998.