- Need for Commonwealth Privacy Legislation
- Relevant International Standards and Obligations
- Appropriateness of National Principles for the Fair Handling of Personal Information
In early 1998, the editor of Australian Communications magazine asked me to write a one-page opinion piece on privacy issues in networking (Worthington 1998). With impeccable timing, the Senate then invited submissions on the subject and the article formed the basis of the ACS submission, presented here (ACS 1998). It argues for Commonwealth privacy legislation to be extended to the private sector to meet relevant international standards and obligations.
While some of the ideas of privacy may seem esoteric, the current impetus for action in Australia is a real, commercial one. Western countries, particularly in Europe, have adopted privacy laws. Those laws govern not only the internal handling of personal information within the country, but also the export of information. The European Union Data Protection Directive (OECD 1995) comes into force on 24 October 1998. Some sectors of Australian industry could be severely disadvantaged by the lack of complementary legislation.
In November 1996, the ACS took part in an international meeting in the UK of the heads of national computing societies, held to discuss issues of global electronic operations (ACS 1996). The British Computer Society, as host for the event (see the chapter Cambridge live from a Double Decker Bus), arranged a presentation on British data privacy legislation. The conclusion presented in that forum was that the UK privacy laws applying to private companies were reasonable and workable (UK Registrar 1998).
The OECD's Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (Privacy Commission 1980) defines eight principles of data protection: Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, Individual Participation and Accountability.
The OECD principles imply obligations on an organisation in how it handles information, and those obligations in turn require an investigation and enforcement mechanism. Both the obligations and the enforcement mechanisms are detailed in legislation covering the Australian Public Service. The issue is how to implement the same principles in the private sector.
An organisation needs to be able to show that personal information is only collected for legitimate activities. Information should only be obtained by lawful means and collection should not be intrusive. A person should be told who is collecting information about them, why, who will get it and what happens if they refuse to provide it. The information should not be used for something the person was not told about and should be looked after properly.
The Privacy Commissioner's role has been to oversee privacy issues with information kept by federal government agencies (Commonwealth 1998). In March 1997, the Prime Minister offered the services of the commission (PM 1997) to help Australian businesses to develop voluntary codes of conduct to meet privacy standards.
The Commissioner issued a consultation paper in August 1997 (Privacy Commissioner 1997), which appears to have attracted little attention. What weight the Commissioner gave to any submissions can only be a matter of speculation. The final document does not include a list of who made submissions, what they said, or what the Commissioner thought of them. This is a serious omission from a report on such an important topic.
The small government approach of the current Federal Government meant that the Commissioner was limited to looking at self-regulation. There is some attempt to get around this constraint with mention of legislation in the states or territories. However, this will not solve the dilemma of an acknowledged need for national consistency in privacy standards and a federal government that does not want to legislate privacy standards.
A two-stage approach has been adopted by the Commissioner, with principles in this first report and implementation issues to follow some time later. This is a reasonable approach, but puts off the hard work of details. Just about everyone will agree privacy is a "good thing", up until details of implementation are proposed.
The Federal Privacy Commissioner released a set of national principles for the fair handling of personal information on 20 February 1998 (Privacy Commissioner 1998). In the media release accompanying the report (Privacy Commissioner 1998b) they said:
"Consumers are very concerned about how their personal information will be protected, particularly prompted by the explosion of information technology. Business needs to take seriously these fears of their customers."
From this, it is clear that the Commissioner sees privacy as necessary for business or at least the lack of privacy as an impediment to business. The Australian Law Council has argued that the principles need to be compulsory (ABC 1998), not a voluntary code.
The OECD principles have reasonable exceptions to personal privacy rules, such as when a doctor urgently needs information to treat an unconscious patient or a police officer for legitimate law enforcement. However, as well as doctors and the police, the Privacy Commissioner proposes an exemption for direct marketing companies, from some of the principles:
"2.1 An organisation should only use or disclose personal information for a purpose other than the primary purpose of collection (a 'secondary purpose') if:...(c)(i) the organisation uses the information for the purpose of direct marketing; ..."
If a company requires client details for direct marketing, or to sell to another company, it should say so. Few people may give permission for this form of marketing, but it is not the Privacy Commissioner's job to protect questionable business practices.
Paradoxically, privacy might best be thought of as a "public good". Like other public goods, privacy is something that is needed, but cannot be provided by a market system. Privacy requires action by governments. Australians will not use the Internet for business if they do not believe their privacy is being protected.
Australia requires privacy laws to prevent some sectors of Australian industry, particularly those involved in on-line trade, being severely disadvantaged in international commerce. The Federal Government should re-task the Privacy Commissioner to develop the legislative framework to meet privacy standards, in consultation with the states. The alternative of piecemeal implementation by state governments would be expensive and quite unworkable.
- What did the Senate Legal and Constitutional References Committee report about the Privacy Amendment Bill? What was implemented?
- ABC (1998) Privacy guidelines should be compulsory: Law Council, Saturday 21 February, 1998 (9:55am AEDT), ABC News, URL
- ACS (1990) Position Paper # 8 - Information Privacy Implications of Information Technology, Australian Computer Society, November 1990
- ACS (1995) Code of Professional Conduct and Professional Practice, Australian Computer Society, August 1995, URL
- ACS (1996) ACS Meets With World's IT Societies on Internet Coordination, Media Release, Australian Computer Society, 15 November 1996, URL
- ACS (1998) Australian Computer Society on Privacy, Australian Computer Society, URL
- Commonwealth (1998) Privacy Act 1998, Commonwealth of Australia, 1998
- OECD (1995) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, No 95/46/EC, 24 October 1995, Official Journal of the European Communities L281, Volume 38, 23 November 1995, ISSN 0378-6978. Unofficial text by ECSC-EC-EAEC, 1996, URL
- PM (1997) Privacy Legislation, Prime Minister's Press Release, 21 March 1997, URL
- Privacy Commission (1980) Protection of Privacy and Transborder Flows of Personal Data, OECD, 1980, extract by Privacy Commissioner, Human Rights Australia, URL
- Privacy Commissioner (1997) Information Privacy in Australia: A National Scheme for Fair Information Practices in the Private Sector, Privacy Commissioner, August 1997, URL
- Privacy Commissioner (1998) National Principles for the Fair Handling of Personal Information, Office of the Privacy Commissioner, Australia, February 1998, URL
- Privacy Commissioner (1998b) National Privacy Principles for the fair handling of personal information, Media Release, Office of the Privacy Commissioner, 20 February 1998, URL
- Senate (1998) Terms of reference - Senate Legal and Constitutional References Committee - Privacy Amendment Bill 1998, Hansard, Australian Senate, 14 May 1998, URL
- UK Registrar (1998) Home Page, Office of the Data Protection Registrar, UK, 23 February 1998, URL
- Worthington, T. (1998) Privacy - a Public Good, Australian Communications, April, URL
Copyright © Tom Worthington 1999 (ISBN 0 909925 77 1).