A History of Privacy in Australia: Current Developments

Roger Clarke

Principal, Xamax Consultancy Pty Ltd, Canberra

Visiting Fellow, Department of Computer Science, Australian National University

Version of 29 August 1999 (16 December 1999, re Telecommunications, and the Queensland Private Member's Bill; 19 February 2002 re the Clth and Victorian legislation of 2000)

© Xamax Consultancy Pty Ltd, 1998, 1999

This document is at http://www.anu.edu.au/people/Roger.Clarke/DV/OzCurrent.html


This document is designed to function both as a living resource, and as the final chapter of my paper 'A History of Privacy in Australia'. Of necessity, it requires continual updating. I'd greatly appreciate corrections, suggestions for improvement, and notifications of additional sources.


Introduction

This document assumes that the reader is familiar with privacy generally. If not, see (Clarke 1997-).

It also assumes that the reader is familiar with the situation in relation to privacy in Australia at the end of 1998. If not, see Clarke (1998).

In addition, it would be beneficial for the reader to be aware of the history of privacy in Australia, for which see Clarke (1998).

The segments within this document are:


Commonwealth

This segment picks up where the rendition of recent history left off. The biggest story is the emergent Privacy Amendment (Private Sector) Bill, whose origins and content are documented at the end of this section.

* Regulation of Outsourcing Providers

Here is an exposition of the serious dangers in the Commonwealth Government's Current Outsourcing Policy (July 1997). This arose from a Government report that I had previously criticised in 'Clients First or Clients Last? The Commonwealth Government's IT Review' (May 1995, in Privacy Law & Policy Reporter ).

The Privacy Amendment Bill (1998) lapsed when Parliament was prorogued for the October 1998 election (shortly before the Senate Committee was due to table its report). This left outsourcing providers who handle personal data on behalf of Commonwealth and A.C.T. government agencies bound by, at most, limited contractual provisions.

The Bill was not revived during the first session of the new Parliament, but initial indications were provided that it would be in early 1999.

On 3 December, the Committee received the Senate's approval to continue with its reference, and to table its report. It did so in March 1999, accepting to a considerable degree the submissions of privacy advocates ('Privacy and the Private Sector: Inquiry into Privacy Issues, including the Privacy Amendment Bill 1998, Senate Legal and Constitutional Committee, March 1999).

During mid-1999, it became apparent that the Government would not reintroduce the Bill. It may, or may not, reflect the provisions of the Bill in the more general private sector legislation that it accepted in December 1998 was indeed needed. (The turnaround in government policy, and the new Bill, are addressed below). Government outsourcing is proceeding apace. It is a serious concern that privacy protections that have been in place since 1988 are being routinely undermined, because data subjects are being reduced to a dependence on contracts to which they are not a party, and over whose terms they have no control.

* Genetic Privacy Bill 1998

In March 1999, the Senate Legal and Constitutional Committee tabled a report on the Stott-Despoja Genetic Privacy and Non-discrimination Bill 1998. This addressed collection, use and disclosure issues relating to measures of human DNA. As is the case with virtually all Bills that are not initiated by the Government-of-the-day, the Bill did not proceed.

* Telecommunications

During late 1998 / early 1999, Telstra ran an appalling campaign designed to mislead the public into unblocking their lines for Caller-ID. (Presumably their commercial clients were complaining about the percentage of callers who blocked their number from being viewed by the callee). Despite a clear breach of any reasonable advertising standards (i.e. they lied), no regulatory body was prepared to consider whether they had breached any law or even any voluntary code of conduct.

Meanwhile, a few reports arose about some ISPs declining to do business with customers who turned off Caller-ID, on the grounds that disputes about whether someone else is using the account can be avoided if calls are only accepted from pre-registered telephone-numbers.

The the Australian Communications Industry Forum (ACIF) continued to be used as a means of holding consumer and privacy advocates at very long arm's length, and thereby avoiding constraints being placed on the sale-value of the next tranche of Telstra shares. Privacy protections are very limited in this area, and abuses abound.

However, in November 1999, ACIF finalised an Industry Code for the 'Protection of Personal Informaiton of Customers of Telecommunications Providers' after a public comment period in July. It claimed that this drew heavily on the Privacy Commissioner's 'National Principles for the Fair Handling of Information'. After approval by the ACIF Board, the Code is expected to go to the ACA for registration in early 2000. However, whether the industry will sign up is another matter - at the end of 1999, only four codes had attracted any signatories. Telstra had only signed one Code after two and a half years of self-regulation.

If and when that code or a revision of it is registered by the Australian Communications Authority (ACA), then the ACA would gain powers under Part 6 of the Telecommunications Act to give warnings and directions, and impose civil penalties for failure to comply. The business enterprises that would be subject to the Code are not only 'carriers' (in particular Telstra, Optus), and 'carriage service providers' (i.e. Internet access providers), but also 'content service providers' (a term whose meaning is unclear, and could be very broad).

Hence some sanctions might someday come into existence for some kinds of abuses of personal data in the telecommunications sector. In the meantime, codes of practice of particular industry associations may be of some relevance in the telecommunications arena. The insurance industry leads, the Internet industry is active, the information technology industry may develop something, and the banking industry will probably continue to pretend that it's already got one.

Meanwhile the ACIF went round in circles on Caller ID. Telstra refused to support a code which exposed it to any risk of conducting any public awareness activities for CND, arguing that it was only responsible for its own customers, it could put information in bills and occasional information brochures, and it had already spent a lot of money on the campaign. Never mind that it had never given any balanced information about why people might want to keep their number private.

ACIF is also rapidly advancing a standard that is extraordinarily privacy-invasive, but is being considered as nothing more than a technical exercise. This is the enhancement of cellular telephony to support precise location of the handset. It goes under the name 'Mobile Location Indicator For Emergency Services' (MoLI), and the pretext for the creation of this particular surveillance technology is support for emergenecy services. For a much more sceptical interpretation, see Clarke (1999). The draft was issued in June 1999, and the 5-week period for public comment closed in July 1999.

White Pages Directories used to be organised by city or town. When it was launched, the electronic service overcame some of the incidental privacy protections afforded by location-based directories. It not only enabled searches across 'Other Areas within the State', but also precluded searching within particular towns.

During the third quarter of 1999, Telstra saw an opportunity to use the heart-tugging potential of get-togethers associated with the 50th anniversary of the Snowy Mountains Scheme to continue its campaign to extend the interpretation of the White Pages' purposes. The sub-text of the advertisements and sponsored TV show was that the White Pages are how people find one another.

The intention of these extensions of usage is presumably to prepare the ground for a launch of a publicly accessible 'reverse White Pages'. If this were mainstreamed, it would be a potentially vast money-spinner, enabling Telstra to compete with list-sellers (by letting telemarketers dial random numbers, yet have subscriber-name and address up on their screen when they call). It would also be a substantial reduction in telephone subscriber privacy.

In August 1999, a Telecommunications Interception Policy Review reported that the existing arrangements were working well and no changes were needed. If privacy concerns were taken seriously by the government, this conclusion would have looked like staggering complacency.

* CrimTrac

During the period 1990-92, a Law Enforcement Access Network (LEAN) had been mooted (Clarke 1992). It foundered on the altar of State jealousy and distrust of the Commonwealth.

In mid-1998, a proposal of a similar nature, referred to as CrimTrac, emerged from the office of the Minister for Justice. Clearly, technology needs to be harnessed in the support of law enforcement. See also Sue Bushell's article in PCWorld of 26 November 1998. Equally clearly, however, great care needs to be taken to ensure that such measures are not intrusive in ways, or to such an extent, that they undermine the public's confidence. It does not appear that there was any privacy or civil rights advocacy representation on the working party that developed the proposal.

A Request for Tenders was released in July 1999. It demonstrated no appreciation whatsoever of the very substantial privacy concerns that the proposal raises.

Some dissension among the States and Territories was reported in the press, particularly in relation to the very seriously invasive DNA database proposals. These were the subject of a report by the Attorney-General's Department ('Model Forensic Procedures Bill and the Proposed National DNA Database' of May 1999). Law enforcement agencies, aided and abetted by the Minister, are seeking to empower themselves by overriding all manner of privacy protections.

* Other Intrusive Initiatives by Government Agencies

A great many other initiatives are in train in various agencies, which have potentially or actually highly privacy-intrusive features. It's hard work keeping up with them all, and in few cases are there serious attempts to involve privacy and consumer advocates.

An abuse of particularly serious concern has been the merger of operations previously performed by multiple agencies into Centrelink. Quite apart from the lowering of services to benefits recipients, the data from each of the various systems is now routinely available to operational staff. Consolidation of personal data from multiple sources appears to have been achieved, without any public evaluation of the privacy impacts and implications, or adjustments to protections. For the first two years, the agency appears to have operated in breach of at least undertakings by the Minister to Parliament, in that no protocol for the handling of personal data existed. If this represented a breach of the law, then it should be publicised and prosecuted; and if it did not, then it demonstrates what a travesty the Privacy Act really is ...

In April 1999, the Australian Security Intelligence Organisation (ASIO)'s bid for enhanced powers (including the right to hack computers, and new access to financial records held by AUSTRAC) became the subject of a Parliamentary Joint Committee. Submissions were made by several public interest groups. The report, published in May 1999, more or less gave them what they wanted, privacy abuses notwithstanding.

A further example of an initiative that embodies vast scope for serious harm to privacy interests, and which was, at least initially, pursued without due regard for its public policy aspects, is the Government Public Key Infrastructure project, called Gatekeeper, being managed by the GPKA within the Office for Government Online (OGO).

* The Privacy Commissioner

During 1997-98, the Privacy Commissioner continued to seek some progress, as instructed by the Prime Minister, through self-regulation. She was hamstrung by inadequacies in the NPFHI, by the boycott of the process being maintained by privacy advocates, and by special pleadings by such groups as law enforcement agencies and the direct marketing lobby, reinforced by the Prime Minister's staff.

The Privacy Commissioner since the beginning of 1997, Moira Scollay, resigned with effect from January 1999 (three years short of her 5-year term), and took up another senior position elsewhere in the Commonwealth public service. The new Privacy Commissioner, Malcolm Crompton, took up his post in April 1999.

One of Ms Scollay's last acts was to declare that the Federal Government's GST mail-out to pensioners "was not authorised under the Social Security Act, and the database should not have been used", but that it was only a "technical breach". Rather than egg on the Minister for Social Security's face, if not her resignation, this appears to have resulted in no other outcomes than a newspaper article in 'The Canberra Times'.

* Industry Codes of Conduct

A number of industry associations have declared that they are preparing or upgrading codes of conduct. Their import is much less than it could be, because of the absence of legislative sanctions. Moreover, some of them are being prepared without the involvement of privacy advocates and representatives of the relevant stakeholders, and will therefore be largely ineffective, in terms of their actual content, and hence of their public credibility.

* Health Care Sector

In mid-1999, the Privacy Commissioner's Office performed a rapid review of the application of the Commissioner's Fair Principles ...' document to the health care sector. A consultation paper was issued in May, for public comment by June.

* The ADMA Code

An application was made by the Australian Direct Marketing Association (ADMA) for the imprimatur of the Australian Competition and Consumer Commission (ACCC) for a code that reflected several previous documents that had been negotiated between ADMA and government agencies, but which had not involved any meaningful consultations with consumer or privacy advocates. This became public knowledge in October 1998, when ACCC sought public comment.

More than a dozen consumer and privacy advocacy organisations submitted very forcefully to ACCC that the ADMA code did not satisfy the public interest test. See the submissions of Robin Whittle in relation to the telemarketing aspects, and of other individuals and organisations, stored on Robin's site. See also my own submissions of 21 October 1998 and 15 December 1999, and the ACS response of 15 December 1998 (Clarke 1998).

After a succession of delays, and extension of the publication date from December 1998 until August 1999, the ACCC approved an amended document. Privacy advocates were uniformly appalled at the ACCC's incapacity to withstand the pressure of segments of industry and the Prime Minister's office. As veteran advocate Robin Whittle put it: "ADMA got exactly what they wanted: Government approval of a code with minimal consumer protections, not just in their field of direct mail, but also in telemarketing and electronic commerce".

* Passage of the Bill

Between 1996 and 2000, the Government had privacy on and off the agenda several times. Eventually they introduced a dreadful Bill - not merely the world's worst privacy legislation but a downright anti-privacy statute. For detailed critique and submissions, see Submission to the Commonwealth Attorney-General (January 2000), 'Privacy Bill needs much more work' (February 2000), Submission to the House of Reps. Inquiry (May 2000), and Submission to the Senate Inquiry (September 2000).

The Labor Opposition (never a friend of privacy) let it through with minimal changes.

For the gory history, see the accompanying history document, and 'Beyond the Alligators of 21/12/2001, There's a Public Policy Swamp' (October 2001).

The resulting statute is at Privacy Amendment (Private Sector) Act 2000. It became [in]effective on 21 December 2001.

The consolidated 243 pp. of verbiage is at Privacy Act 1988 - complete but unofficial. That consolidation includes the amendments of December 2000, but is not official. Eventually, the official consolidated version is likely to appear at Privacy Act 1988 - official (but currently inadequate).


N.S.W.

This segment picks up where the rendition of recent history left off.

The Privacy and Personal Information Protection Bill 1998 was introduced in October 1998, briefly debated and negotiated in the upper house, the Legislative Council (where the Attorney-General has his seat), and then in the lower house, the Legislative Assembly, with agreed amendments being passed by the Legislative Council. The Bill was assented to on 1 December 1998, and regulates (some of) the N.S.W. public sector with effect from December 1999. (Its passage occurred in the shadows of Parliament rising for Christmas, with the place in uproar over the Treasurer being banned indefinitely by the - non-Government controlled - upper house, and with an election due in early 1999). Here is the statute.

The original document was quite possibly the worst Government Bill ever submitted to any Parliament anywhere in the world. Even after some improvements were made, the Act is seriously deficient, in a number of different respects. Graham Greenleaf has provided a detailed review.

In addition, the Workplace Video Surveillance Act 1998 was passed, apparently as long ago as July 1998. (In N.S.W., it can be hard work getting information about matters like this ...). This appears at first blush to be a more reasonably balanced statute than long-time observers are used to seeing emanate from N.S.W. Governments.


Victoria

This segment picks up where the rendition of recent history left off.

The Government had stated that it intended tabling its Data Protection Bill before the end of 1998. As a result of the federal election, sittings of the Victorian Parliament were curtailed, and the tabling of the Bill deferred.

On 4 December 1998, exposure drafts of Victoria's proposed data protection and electronic commerce legislation were made available at Multimedia Victoria (under publications), and at Minister Stockdale's site (under 'What's New') and at the government's site (also under 'What's New'). The closing date for submissions was mid-February 1999. A revised version was subsequently published, and the Bill tabled in May 1999 (see the Department of Permier and Cabinet site, under Bills.

It appears to be a fairly sensible implementation of the co-regulatory approach, although there remain a couple of areas of concern. Graham Greenleaf has provided a detailed review.

The Victorian government, especially through MMV, is a leader in information technology applications, especially electronic services delivery; hence its concern to implement meaningful privacy protections and thus earn public confidence. As a result, it is conducting a number of projects that have potentially substantial privacy implications. An example of such an initiative, which has, from the outset, involved privacy and consumer advocates, is a trial of smart cards in health.

The Surveillance Devices Act was introduced and passed by the Victorian Parliament during 1999. It replaces the Listening Devices Act 1969, and regulates not only listening devices, but also optical surveillance devices, tracking devices (defined as electronic devices the primary purpose of which is to determine the geographical location of a person or an object) and data surveillance devices.

The Liberal Government was surprisingly defeated in an election in 1999, and the Data Protection Bill lapsed. The new Labor Government acted fairly quickly, however, along fairly similar lines, resulting in the Information Privacy Act 2000. This is also a conventional statute, imposing a degree of regulation on the public sector, broadly in line with OECD norms, and including a wide array of exemptions and exceptions.


Australian Capital Territory

This segment picks up where the rendition of recent history left off.

In mid-1999, the A.C.T. Government spearheaded a Request for Information for an Operating Platform for Multiple Application Smartcards. The release was preceded by the hiring of a privacy consultant to coordinate comments from privacy advocates on the RFI. Changes were made as a result. The RFI closed in mid-August 1999.

It does not appear that much else is afoot in the Territory at present (although it has adopted a leadership role in such matters as its arrangements with the Commonwalth Privacy Commissioner, and patient access to medical records; so it will be worth watching to see if other initiatives arise).


Queensland

This segment picks up where the rendition of recent history left off.

In late 1999, a private member's Bill was tabled by Jack Paff of Pauline Hanson's One Nation Party. The Information Privacy Bill 1999 includes a basic version of information privacy principles, but without any machinery or institutions. It and appears to be designed to implement the 1998 recommendations of the Parliamentary Committee.

In January 2000, Queensland's Criminal Justice Commission (CJC) announced it will conduct a public inquiry into the misuse of the Queensland Police database.


Northern Territory

On 22 April 1999, the Chief Minister of the Northern Territory issued a Ministerial Statement to the Legislative Assembly on Access to Information and Privacy. It said that he intended to introduce 'light touch' legislation to cover the Territory's public sector, and thereby complement the Commonwealth legislation.


Other States

This segment picks up where the rendition of recent history left off.

It does not appear that much is afoot elsewhere in Australia.


International

This segment picks up where the rendition of recent history left off.

A small number of international documents are influential in discussions about regulation by Australian governments:

A review of the state of play in a wide variety of countries is provided in GILC (1998a). For a sub-set of that document relating to Asian countries, see also PLPR (1998).

The New Zealand Privacy Act 1993 included a requirement for review by the Privacy Commissioner. This was completed and published in December 1998. In addition to the printed, 437-page full report (NZPC 1998a, available for $NZ130), a 40-page highlights document was also made available, in printed and HTML forms (NZPC 1998b). Reviews are provided in a series of articles in PLPR (1998b).

During 1998-99, the United States Federal Trade Commission conducted reviews of corporations' privacy policies, as evidenced by statements on their web-sites. In common with other such reviews (EPIC 1997, EPIC1998) and Culnan 1999), it concluded that the standard was extremely poor. After some sabre-rattling, it decided that business had taken notice of it, and that it needed to do nothing whatsoever. It provides a guide for the public which reflects the country's preference to let corporations dominate consumers; but provides no guidance to corporations as to what they are expected to do. In short, Stateside, the farcical game continues.


Navigation

Go to Roger's Home Page.

Go to the contents-page for this segment.

Send an email to Roger

Created: 10 October 1998

Last Amended: 29 August 1999 (16 December 1999, re Telecommunications, and the Queensland Private Member's Bill; 19 February 2001 re Clth and Victorian legislation, both of 2000)


These community service pages are a joint offering of the Australian National University (which provides the infrastructure), and Roger Clarke (who provides the content).
The Australian National University
Visiting Fellow, Faculty of
Engineering and Information Technology,
Information Sciences Building Room 211
Xamax Consultancy Pty Ltd, ACN: 002 360 456
78 Sidaway St
Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, 6288 6916