Roger Clarke
Australian National University
Version of 25 June 1989
Companion Pages are:
a short personal summary of the Act
an unofficial short form of the Information Privacy Principles
an interpretation and annotations (abstract only)
Abstract
In 1980, the Organisation for Economic Cooperation and Development (OECD) issued a set of Guidelines for data protection. Australia, an OECD member, had no significant data protection laws at that time. Subsequent proposals for Australian data protection law have been claimed to draw on the OECD Guidelines. The Australian Law Reform Commission completed a Report on Privacy in 1983, including a Draft Bill. The Australian government introduced a Privacy Bill in 1986, closely coupled with a Bill to introduce a national identification scheme. It lapsed.
A significantly revised Bill was introduced in late 1988, and following amendments in the House, passed into law in December of that year. This paper assesses the Privacy Act 1988 against the international guidelines. It concludes that the Act falls short of the OECD requirements in a number of very important respects.
This research was partly funded by the Faculties Research Fund of the Australian National University. The assistance of James Graham and Louise Macauley is gratefully acknowledged.
1. INTRODUCTION
2. THE DEVELOPMENT OF DATA PROTECTION LAWS
3. THE OECD GUIDELINES
3.1 Background
3.2 Description
4. FACTORS AFFECTING NATIONAL IMPLEMENTATION
Geographic, Economic and Cultural Factors
Attitudes to Individual Freedoms and Social Control
Degree of Computerisation
Constitutional Factors
A Common Law Country
Legal and Administrative Mechanisms
Existing Data Protection Laws
The Law Reform Process
5. AUSTRALIAN PROPOSALS FOR PRIVACY PROTECTION
6. GLOBAL ASPECTS OF THE PRIVACY ACT
6.1 Who Is To Be Regulated
Public Sector Organisations
Private Sector Organisations
The Data Controller, Collector and/or Keeper
6.2 Whose Data Is Protected
Natural Persons
Legal Persons
6.3 The Object of the Regulatory Scheme
Documents, Files, Records, Data or Information
Computerised Versus Manual Systems
Restrictions Based on Recording Media
Identifiability of Individuals
Generally Available Material
Sensitive Data
6.4 Exemptions
FOI Exemptions
Intelligence-Related Agencies
Records Received from Intelligence-Related Agencies
'Non-Administrative' Acts
Pre-Existing Data
Mechanism for Creating Further Exemptions
NHMRC Guidelines
6.5 Reasons for Adverse Decisions
6.6 Conflict of Laws
7. THE PRIVACY ACT PRINCIPLES
7.1 Collection Limitation Principle
(a) What is Collected
(b) The Means of Collection
(c) From Whom The Data Is Collected
(d) Knowledge or Consent of the Data Subject
(e) General Applicability of the Collection Principle
7.2 Data Quality
Collection
Storage
Use and Disclosure
Destruction
7.3 Purpose Specification
7.4 Use Limitation
(a) Control Against Original Purposes
(b) Exceptions
Consent
Authority of Law
Emergency Use
Enforcement of the Criminal Law
Pecuniary Penalties
Protection of the Public Revenue
Medical Research
Usual Practice
(c) The Mechanism of Disclosure
7.5 Security Safeguards
7.6 Openness
7.7 Individual Participation
(a) The Right of Subject Knowledge of the Existence of Data
(b) The Right of Subject Access to Data
(c) The Mechanism of Subject Access
(d) Subject Challenge to Data
7.8 Accountability
8. TWO ADDITIONAL, FUNDAMENTAL WEAKNESSES
8.1 Controls Over System Purposes
8.2 Restriction of Key Principles to 'Solicited' Information
9. ENFORCEMENT AND REGULATION MECHANISMS
9.1 The Machinery - The Regulatory Agency
9.2 The Machinery - Dispute Resolution
9.3 Enforceability
10. CONCLUSIONS
Bibliography
Last Amended: 5 May 1996
These community service pages are a joint offering of the Australian National University (which provides the infrastructure), and Roger Clarke (who provides the content).