PRIVACY PROTECTION in the PRIVATE SECTOR
Commonwealth Attorney-General's Discussion Paper
September 1996

INITIAL REACTIONS

Roger Clarke

Version of 17 September 1996

© Xamax Consultancy Pty Ltd, 1996

Introduction

[For background on the current Australian scene, see an earlier piece; for general reference material, see my data surveillance and privacy pages]

On 12 September 1996, the Commonwealth Attorney-General, Darryl Williams, announced the direction of the Government's reform agenda for privacy in the private sector. A Discussion Paper has been published as a basis for consultation between September and the end of November 1996.

Very briefly, the Government envisages a 'co-regulatory' approach, along the lines of what has been referred to recently as 'the New Zealand model', whereby a set of Principles (related to those in the present Act) would be enacted, and the Privacy Commissioner empowered to promulgate detailed Codes for particular industries. These Codes would be negotiated with industry associations, with public participation in the development process. The Privacy Commissioner would have a complaints investigation and resolution function, but as a conciliator only. The Federal Court would have an arbitrative function. The Government is seeking a unified and national approach, to avoid imposing undue difficulties on business.

This document provides my personal reactions to the Discussion Paper. I reserve the right to amend, delete and add to these comments once I have had longer to ponder!

Broadly speaking, the document provides a firm foundation for progress, reflecting both the privacy interest and the need for a practicable, inexpensive framework and procedures, which (with a couple of qualifications) will not wrap companies up in 'red tape', nor necessitate a tribe of additional government clerical staff. My reactions are accordingly highly positive; but this document, of necessity, addresses areas of concern, some of them serious.

The matters are raised in the sequence in which they arise in the Discussion Paper. The asterisked items are those which appear to have particular relevance to the deliberations of the Victorian Data Protection Advisory Council.

1. Limitations on the Scope of the Regime's Application (pp.4-5) **

Clarke (1989) analysed a number of significant problems with definitions used in the Privacy Act 1988, which are repeated in this Discussion Paper, including:

2. Limitations on the Regime's Jurisdictional Scope (p.5) **

It is highly desirable that the constitutional basis and limitations be examined in a publicly available document.

One important reason is that State Governments must assess whether there is a need for supplementary and/or complementary legislation to ensure consistent application of the privacy protection regime across all sectors. For example, although it appears likely that the Commonwealth can legislate in respect of incorporated companies, its powers may be less clear in respect of unincorporated enterprises (including partnerships and sole traders), incorporated associations, and State government, semi-government and local government entities of all kinds.

3. Definitions of the Privacy Dimensions (p.5, 6)

Precisely what aspects of privacy are and are not being addressed could be clarified by reference to the dimensions of privacy, which I define in various places, e.g. Clarke (1996), as:

"With the close coupling that has occurred between computing and communications during the last 15 years, the last two aspects have become closely linked, and are commonly referred to as 'information privacy'".

I understand the proposal to be:

4. The Unsuitability of the Existing Privacy Act IPPs (p.6) **

Clarke (1989) analysed the manifold deficiencies of the Information Privacy Principles (IPPs) contained within the Privacy Act 1988. They are yet more problematical when read in the context of the private sector. The areas of weakness include:

5. Delays in Implementation (p.12-13) **

In addition to the delays foreseen as being appropriate for some Principles, I believe that enforcement of the Access and the Storage and Security Principles may also need to be subject to some delay or some other form of mitigation; otherwise there is a risk of undue costs and difficulties for companies and professionals to adapt their existing procedures, software, files and databases to comply with the requirements.

Advisers and software providers need time to learn their way into the new scheme, and user-organisations need time to implement changes in their procedures and to install new, compliant versions of software and file-layouts.

This matter needs to be juxtaposed against the mooted exemptions to access and correction rights discussed at para. 9 below. The public interest is much better served by having a long lead-in period than by implementing a scheme that risks being seen as unnecessarily expensive, or which embodies unnecessary loopholes.

6. Modification of the Principles by a Code (p.14-15, 22) **

It is mooted that a Code would be able to modify the Principles, as distinct from merely expressing the manner of their implementation in a particular context. This is a highly dangerous provision. The powerful lobbyists are organisations, not individuals; and hence such modifications will inevitably result in the undermining of the Principles and hence of the whole privacy-protective regime.

My strong preference is that no such mechanism be permitted. The means are available to industry associations to lobby for legislation to provide express statutory authority for particular exceptions if they believe they are justified. The Privacy Commissioner has the power to submit to the Minister and to publish reports which recommend such measures, if he or she sees fit.

If such a loophole were to be embodied in the legislation, then it would need to be subject to very significant controls, much more than the limited requirements of consultation that apply to normal Code development activities.

7. Failure to Comply with a Code to be a Breach of the IPPs (p.14)

The phrasing of the second bullet point is such that particularly careful wording of Codes would be necessary. Some mitigation is needed (e.g. "material failure to comply"), to ensure that elements within Codes that are intended as examples, suggestions or alternatives are not misinterpreted as fixed requirements.

This is more important than it might seem, because of the risk that companies and industry associations may be nervous about being subject to 'letter of the law' rather than 'spirit of the law' regulation.

8. Public Interest Determinations (p.16)

It is important that provision be made for public notice, public availability of information, and consultation.

9. Mooted Exemptions to Access and Correction Rights (p.16-17) **

A long list of exemptions is mooted to the access and correction rights under IPPs 6 and 7. These represent a most serious compromise to the stated intention of providing Australians with privacy protections, because public confidence in the fairness of personal data systems is entirely dependent on the preparedness of institutions and professionals to be honest about the data they hold.

The following observations are made:

10. Correction cf. Alteration of Data (p.16-17)

It is highly desirable that confrontational relationships be avoided wherever practicable. For this reason, it is preferable that changes to data be referred to as 'alteration' rather than 'correction'.

This matter is particularly important in the case of incomplete data (e.g. a request by a data subject that the documents have added to them information about the period during which the data subject was in a hospital in a coma, and hence unable to, for example, attend to periodic payments such as rental, leases and mortgage repayments).

11. Subject Access Requests, Costs and Decisions on Requests (p.17-18)

The requirement that all requests be in writing is bureaucratic, expensive, and, particularly in the case of simple matters, impractical and unnecessary. Mitigation of the responsibility to respond to requests could be provided relating to "requests that the data subject unreasonably declines to express in writing".

The provisions relating to charges are not reasonable: like environmental standards and occupational health and safety, subject access is a cost of doing business, and should be gratis to the data subject. Mitigation of the responsibility could be provided relating to "unreasonably frequent accesses by a data subject", along the lines of the p.17 proposal. Generally, second and subsequent accesses per year would probably be "unreasonably frequent"; but not where, for example, the data subject had grounds for suspecting errors in the handling of subsequent transactions.

No provision appears to be made at present for failure by the data-holder to make a decision whether or not to grant access, or whether or not to agree to correct data. Such failure should be interpreted as a denial, thereby enabling the provisions relating to complaints to be invoked.

12. Trans-Border Data Flows (p.20-21)

It is not clear that the current formulation satisfies the need. (This is in part because a key paragraph contains a 90-word sentence and ambiguous syntax.)

The need is that an Australian company must bind in contract any overseas organisation to which it may provide personal data, in order to impose on that company equivalent responsibilities to those of the principal, unless that company is subject to law that has been recognised under Australian law as being effectively equivalent to privacy protections in Australia.

13. Law Enforcement Exemptions (p.21) **

The second-last bullet carries over from the existing Privacy Act the "enforcement of the ... law" exemption of the existing IPPs 10 and 11. As discussed in Clarke (1989), these are very serious inadequacies in the existing law.

Even if these gross exemptions were appropriate in their existing context, they are entirely inappropriate in this one. Non-governmental organisations have no business making decisions of this nature, and Parliaments should not impose such responsibilities on them. Appropriate mechanisms such as judicially-issued search warrants are available, or should be made available by the Parliament, to address such needs.

14. Privacy Commissioner's Power to Issue Guidelines (p.22)

The Guidelines power (third bullet) is presently constrained (to "the avoidance of acts or practices ... that ... would have an adverse effect on the privacy of individuals"). It would be much better to leave the Guidelines power unfettered, e.g. by inserting a qualifier before the above words, such as "Guidelines in relation to any matter, including ...".

15. Privacy Information Digest (p.22) **

The existing Privacy Information Digest is a huge, unnecessary and wasteful exercise. To extend it to more than one hundred thousand non-governmental organisations (last bullet on the page) would risk discrediting the entire initiative. As discussed above, IPP 5 (3) provides little value in return for high costs, and should be dispensed with.

The phrasing of the Public Access Principle (currently approximated by IPP 5 (1)) needs to be such that organisations have a clear responsibility to provide the kinds of data needed to enable a member of the public to understand the nature of the organisation's personal data holdings; but whether the information is maintained on a permanent basis is a decision for the organisation itself.

16. Examination of Proposals (p.23)

The examinations power (first bullet on the page) is limited to data-linkage and data-matching. The power should be generalised to "examine proposals for advanced applications of information technology ...", with data-linkage and data-matching as examples.

17. Privacy Officers Within Non-Government Organisations (p.24) **

It would be counter-productive to enshrine this provision in legislation. It is unnecessary, especially for the vast numbers of small organisations, and would tend to bring the initiative into disrepute. It would, however, be valuable for the Privacy Commissioner to issue a Guideline containing this kind of information, together with a kit that would enable a Privacy Officer to perform the intended function.

References

Clarke R. (1989) 'The Privacy Act 1988 as an Implementation of the OECD Data Protection Guidelines', Working Paper, Department of Commerce, Australian National University, 25 June 1989, Abstract at: http://www.anu.edu.au/people/Roger.Clarke/DV/AbstractPActOECD.html

Clarke R. (1996) 'Privacy and Dataveillance, and Organisational Strategy', Proc. EDPAC'96, Perth, May 1996, at: http://www.anu.edu.au/people/Roger.Clarke/DV/PStrat.html



Last Amended: 18 September 1996


These community service pages are a joint offering of the Australian National University (which provides the infrastructure), and Roger Clarke (who provides the content).