Serious Flaws in the National Privacy Principles

Roger Clarke

Principal, Xamax Consultancy Pty Ltd, Canberra

Visiting Fellow, Department of Computer Science, Australian National University

Version of 3 April 1998

© Xamax Consultancy Pty Ltd, 1998

This paper was prepared for Privacy Law & Policy Reporter 4, 9 (March 1998)

This document is at http://www.anu.edu.au/people/Roger.Clarke/DV/NPPFlaws.html


Abstract

The Privacy Commissioner's National Principles of February 1998 contain some serious flaws, and in any case fail to advance the debate beyond the late 1970s.


Contents

1. Introduction

2. Defects in the Content

3. Defects in the Political Process

4. The Long Term View

5. Conclusions

References


1. Introduction

On 20 February 1998, the Australian Privacy Commissioner released a document entitled 'National Principles for the Fair Handling of Personal Information' (hereafter NPP).

The Principles are, at least at this stage, no more than that. It is entirely unclear to what extent they will be even nominally adopted by companies, and to what extent even the loosest of industry association complaints and compliance mechanisms will be established. The Government's present policy is to not provide any form of legally enforceable complaints or compliance mechanism. On the evidence of other 'self-regulatory' arrangements, the most reasonable assumption is that the Principles will be honoured only in the breach. This paper accordingly views the NPP as an empty statement.

It is, nonetheless, worth analysing. This is because it joins only a small number of such statements that are directly relevant to the Australian debate, namely the OECD Guidelines, the Privacy Act IPPs, the Australian Privacy Charter, and the EU Directive.

This paper commences with specific criticisms of particular aspects of the NPP's contents. Further observations are made about the political process that led to its publication. Finally, it is silhouetted against the broad sweep of change in the privacy protection arena.


2. Defects in the Content

At present, the private sector in Australia is subject to only very limited privacy regulation, much of it accidental, or incidental to other purposes. Many aspects of the NPP could represent a significant improvement on the present parlous situation, if only there were grounds for believing that the principles will actually be effectively applied.

The NPP contains, however, some flaws so serious as to demand active opposition from the privacy advocacy lobby. This paper focuses exclusively on NPP's key weaknesses, without reference to its many positive elements.

2.1 Privacy of Personal Data is Only Part of the Need

Focus on data protection to the exclusion of the other dimensions of privacy is too limited (Clarke 1997-).

The Australian Privacy Charter expressly set out to address that deficiency. See Dixon (1995) at PLPR 2, 3 (April 1995) 41-43. It has provided a valuable framework for discussions since its publication in 1994. See, for example, PLPR 3, 9 (1997) 171-2. It is therefore a great pity that the NPP failed to apply, or even refer to, the Charter.

As a result, the NPP fails to address the questions of:

2.2 Missing Personal Data Principles

NPP does adopt one of the additional principles identified in the Charter, namely that which relates to anonymity (NPP8). Unfortunately it fails to even mention pseudonymity as an option, which would have been entirely feasible in the Guidance Notes, if not in the Principle itself. See Clarke (1996d).

NPP entirely fails, however, to address two other very important needs:

2.3 Workplace Privacy

The Introduction leaves entirely open the question as to whether employment data is within the NPP's scope. This is a serious weakness. In the 1970s, it was excusable to tread carefully in this area, because of the substantial amount of existing law, policy and practice, and the sensitivities involved. A quarter-century later, the framework, the policies and the practices in this area are much better understood. They should be codified, and they should be codified within the context of (an appropriate set of) national principles.

See Nolan (1995), at PLPR 2, 1 (February 1995) 1-5, 18 and PLPR 2, 2 (March 1995) 27-29.

2.4 Use and Disclosure

The Use and Disclosure Principle (NPP2) is a rabbit's warren of special pleadings accepted and promulgated.

(1) The Direct Marketing Industry

Direct Marketing has been a battlefield for years. It is currently a battlefield, with so-called 'outbound tele-marketing' reaching epidemic proportions, and Calling Number Display (CND) recently imposed by Telstra using its market power, with the connivance of a Government intent on reaping a rich dividend from the sale of the corporation. See PLPR Special Issue 4, 6 (November 1997) and PLPR 4, 7 (January 1988) 128-129. Moreover, it will be a battlefield for years to come, with marketer privacy intrusions on the Internet already a very serious problem (Clarke 1997b).

Privacy aspects of Direct Marketing are examined in Clarke (1998), which was in preparation at the same time as NPP was being written.

It is astonishing to find that NPP2.1(c) purports to legitimise the direct marketing industry's existing, hitherto unauthorised practices. This represents not just de facto, but arguably de jure, approval, not just for unsolicited mail, but also for unsolicited telephone calls, and even for unsolicited Internet communications. The Privacy Commissioner and staff received a bid for special treatment put to them by a special interest group, failed to undertake appropriate research, and aligned themselves with the big battalions.

Evidencing the hurried manner in which the clause was drafted, NPP 2.1(c) fails to even go so far as to require organisations to actually take any notice of a person's request to have their details inserted on the envisaged off-list! Such detailed matters were to have been the subject of detailed industry codes negotiated among all parties, not deals done between an industry association and the Privacy Commissioner.

The credit reporting industry was subject to lengthy investigation over a period of 15 years (1975-89). Once the nature of the business was understood, it was authorised to do much of what it had been doing, but subject to regulatory measures. Much the same must happen in respect of the direct marketing industry, except that the urgency of regulation is much greater, and the evidence supporting many of the practices is much less strong than was the case with credit reporting.

(2) Law Enforcement Exemption

The Principles attempt to enshrine criminal law, pecuniary penalty and public revenue exceptions (NPP2.1(g)). These would authorise every organisation to provide almost any personal data to any policeman under virtually any circumstances.

This represents the legitimisation of practices that are uncontrolled, and demand justification. The Guidance Notes recognise that there is no obligation "to release information without the exercise of a formal power", and that the matter is contentious; yet the Privacy Commissioner has legitimated voluntary provision, in an uncontrolled manner, without regard to prior research and complaints experience, and without consultation concerning the impacts such a measure would have.

(3) National Security Exemption

The Principles also seek to enshrine a national security exemption (NPP2.1(h); see also 6.1(j)). The Privacy Act provides absolutely no controls over such organisations, because they are entirely exempt. In the post-Cold War era, it is appalling to discover that the Privacy Commissioner remains in the thrall of the national security sacred cow.

The appropriate position for the Privacy Commissioner to take is to demand measures to bring the national security and law enforcement communities within the privacy regulatory regime. It is clear that some special provisions are needed, because high levels of security are involved. It is impossible to believe, however, that some appropriate balancing of powers cannot be constructed involving interaction between the Privacy Commissioner and other statutory appointees and agencies such as the Inspector-General of Security.

(4) Logging of Disclosures

The Principles fail to require conformance with the standard expectation that disclosures under exigencies such as emergencies involving threat to human life should be logged, to ensure that a trace of the activities of privacy-abusers is retained (NPP2.1(d), 2.2).

2.5 Multiple Use of Identifiers

A great deal of research has been conducted into the risks involved in multiple use of identifiers, and a substantial literature exists. The preclusion of multiple use of identifiers is a fundamental protection against widespread data surveillance and the emergence of a 'dossier society' (Clarke 1994). Reflecting this, there is an express statutory prohibition on unauthorised uses of the Tax File Number.

It is very pleasing that the Privacy Commissioner has included requirements that would limit the use of government identifiers in the private sector (NPP7).

Unfortunately, this Principle incorporates serious loopholes created in the Use and Disclosure Principle (NPP2). In any case, it falls far short of the real need, which is the freedom to adopt multiple, uncorrelated identities to reflect multiple roles (Clarke 1997c).


3. Defects in the Political Process

In their platforms for the March 1996 election, both the Labor Party and the Coalition committed to legislate privacy protective regulation for the private sector. The Coalition's promise, which was sensibly described as 'co-regulatory' in nature, was enlarged upon in September 1996. See Clarke (1996b) and Clarke (1996c). Public submissions arising from that Discussion Paper were published in PLPR 3, 9 (January 1997).

It transpired, however, that the undertaking was a 'non-core promise', and it was duly reneged on in March 1997, by Prime Ministerial fiat. See PLPR 4, 1 (April 1997) 1-5.

Instead, the Privacy Commissioner, who is a statutory appointee under s.19 of the Privacy Act 1988, was told by the Prime Minister to offer her services to help Australian businesses to develop voluntary codes of conduct to meet privacy standards. This instruction followed a 40% reduction in the budget for her Office, and was not accompanied by any offer of targeted funding.

I may be readily charged with political naiveté, but I do not believe that the Privacy Commissioner should have accepted the proposition, at least in the form in which it was addressed to her. The Privacy Commissioner's functions include "to undertake educational programs" (s.27(m)), and "to encourage corporations to develop programs for the handling of records of personal information that are consistent with the [OECD Guidelines]" (s.27(n)). They do not extend to diverting a substantial segment of a substantially reduced budget to work of this nature.

Nonetheless, the Privacy Commissioner commenced a consultative process. The privacy advocacy lobby at first declined to participate, on the grounds that voluntary guidelines are not an adequate mechanism, and the promised 'co-regulatory' model, including legislative backing, was what was needed and wanted by the private sector and the public alike.

After representations from the Privacy Commissioner, advocates agreed to take part in the development of a set of principles, provided that they were designed in such a manner that they were capable of being supported by legislation at the earliest opportunity. The Privacy Commissioner has failed to reflect in the document that important aspect of the consultative process that preceded her promulgation of the Principles. Moreover, the document is structured in such a manner that there is absolutely no momentum provided towards a mechanism that will have regulatory teeth behind such corporation and industry-association layers as may come into existence.

A further concern is that the consultative process was characterised by imbalance between the weight given to submissions from government agencies and industry associations, in comparison to those from representatives of the public interest. Exceptions that were embodied in the final version reflected a series of special pleadings from vested interests, including some submitted behind closed doors, and some submitted after the mainstream consultative processes had been completed.

The Privacy Commissioner's capitulation is all the more disappointing in view of the significant momentum that exists towards legislation, including large numbers of corporations and associations that recognise the benefits of an appropriate statutory framework for privacy protections, and the Government's own acknowledgement that the outsourcing of government data processing requires the imposition of regulation on contractors, which it has embodied in a Government Bill introduced in April 1998.


4. The Long Term View

In 1967, American academic Alan Westin proposed that a limited official response was sufficient to address privacy concerns. Administrative convenience and efficiency were the paramount concerns. The legislation of the 1970s, and its codification in the OECD's 1980 Guidelines, reflected the Westin model, which has come to be known as the 'Fair Information Practices' approach.

The Privacy Act 1988 was a late addition to the pool of such laws. Its great weaknesses were catalogued in Clarke (1997a). Technology and administrative practices have both greatly developed during the last 30 years. A near-future paper will argue the urgency of moving well beyond the Fair Information Practices model.

The Australian Privacy Commissioner's 1998 'National Principles' document is merely a very late addition to the substantial pool of 1970s documents. A document based on 30-year-old precepts, and which contains additional exemptions based on special pleading, is utterly inadequate as a means of addressing the ever-growing public concerns about the privacy invasiveness of business practices.


5. Conclusions

The result of a flawed process is a flawed document. The 'National Principles' have many mainstream and worthwhile features, but contain carefully crafted loopholes that seriously undermine some of their most important features. In particular, the exceptions to the use and disclosure principle essentially gut the critical protections that this principle is supposed to provide. They attempt to legitimise practices that demand public justification.

Far from being greeted with any kind of celebration, the document should be regarded as an attempt by the Federal Government, exploiting the Privacy Commissioner's limited resources, to divert attention away from its failure to deliver what the country demands, which is effective privacy protections. It is merely a stage in a process, not an outcome.

State Governments are seeking to ensure public confidence in the use of electronic commerce and electronic services delivery. If the Federal Government persists in its failure to act, those governments will be forced to enact legislation binding corporations operating within their States.

Moreover, the private sector recognises the harbingers of change, and the public demand for effective privacy protections (Clarke 1996a). The 'National Privacy Principles' document is not what the private sector needs if it is to gain public confidence in the manner in which it handles personal data.


References

Attorney-General (1996) 'Discussion Paper: Privacy Protection in the Private Sector', Attorney-General's Department, September 1996, at http://www.agps.gov.au/customer/agd/clrc/privacy.htm, accessed 3 April 1998

Australian Privacy Charter (1994), at http://www.anu.edu.au/people/Roger.Clarke/DV/PrivacyCharter.html

Clarke R. (1994) 'Human Identification in Information Systems: Management Challenges and Public Policy Issues', Information Technology & People 7,4 (December 1994) 6-37, at http://www.anu.edu.au/people/Roger.Clarke/DV/HumanID.html

Clarke R. (1996a) 'Privacy and Dataveillance, and Organisational Strategy', Proc. Conf. I.S. Audit & Control Association (EDPAC'96), May 1996, at http://www.anu.edu.au/people/Roger.Clarke/DV/PStrat.html

Clarke R. (1996b) 'Federal Privacy Legislation in Australia', at http://www.anu.edu.au/people/Roger.Clarke/DV/FedLeg.html

Clarke R. (1996c) 'Privacy Protection in the Private Sector: Commonwealth Attorney-General's Discussion Paper of September 1996 - Initial Reactions', at http://www.anu.edu.au/people/Roger.Clarke/DV/ClthPte.html

Clarke R. (1996d) 'Identification, Anonymity and Pseudonymity in Consumer Transactions: A Vital Systems Design and Public Policy Issue', Proc. Conf. 'Smart Cards: The Issues', Sydney, 18 October 1996, at http://www.anu.edu.au/people/Roger.Clarke/DV/AnonPsPol.html

Clarke R. (1997-) 'Introduction to Dataveillance and Information Privacy, and Definitions of Terms', at http://www.anu.edu.au/people/Roger.Clarke/DV/Intro.html

Clarke R. (1997a) 'Flaws in the Glass; Gashes in the Fabric', Proc. Symp. 'The New Privacy Laws', February 1997, at http://www.anu.edu.au/people/Roger.Clarke/DV/Flaws.html

Clarke R. (1997b) 'Privacy On the Internet: Threats, Countermeasures and Policy', Proc. Seminar on 'Consumer Protection on the Internet', May 1997; revised version at Proc. IBC 1997 Australian Privacy Forum, October 1997, at http://www.anu.edu.au/people/Roger.Clarke/DV/Internet.html

Clarke R. (1997c) 'Public Interests on the Electronic Frontier: Their Relevance to Policy-Formation for I.T. Security', Proc. IIR Conf. IT Security '97, August 1997, Rydges Canberra, at http://www.anu.edu.au/people/Roger.Clarke/II/IIRSecy97.html

Clarke R. (1998) 'Direct Marketing and Privacy', Proc. AIC Conf. Direct Distribution of Financial Services, February 1998, at http://www.anu.edu.au/people/Roger.Clarke/DV/DirectMkting.html

Dixon T. (1995) 'Privacy Charter sets new benchmark in privacy protection', PLPR 2, 3 (April 1995) 41-43, at http://www.austlii.edu.au/au/other/plpr/Vol2No03/v02n03a.htm, accessed 3 April 1998

EU (1995) 'Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data', European Union, at http://europa.eu.int/comm/dg15/en/media/dataprot/dir9546.htm, accessed 3 April 1998

Nolan J. (1995) 'Privacy in the workplace', PLPR 2, 1 (February 1995) 1-5, 18 and PLPR 2, 2 (March 1995) 27-29, at http://www.austlii.edu.au/au/other/plpr/Vol2No01/v02n01a.htm and http://www.austlii.edu.au/au/other/plpr/Vol2No02/v02n02d.htm, accessed 3 April 1998

NPP (1998) 'National Principles for the Fair Handling of Personal Information', Office of the Privacy Commissioner, February 1998, at http://www.hreoc.gov.au/privacy/natprinc.htm, accessed 3 April 1998

OECD (1980) 'Guidelines on the Protection of Privacy and Transborder Flows of Personal Data', Organisation for Economic Cooperation and Development, Paris, 1980, at http://www.oecd.org/dsti/sti/it/secur/prod/PRIV-en.HTM, accessed 3 April 1998

Privacy Act, 1988, at http://www.austlii.edu.au/au/legis/cth/consol_act/pa1988108/, accessed 3 April 1998

Whittle R. (1996-) 'Calling Number Display - CND', at http://www.ozemail.com.au/~firstpr/cnd/, accessed 3 April 1998


Created: 2 April 1998

Last Amended: 3 April 1998