Journal of Law, Information and Science
Clark, Eugene; Cho, George --- "Privacy in an e-Business World: A Question of Balance" [2000] JlLawInfoSci 2; (2000-2001) 11(1) Journal of Law, Information and Science 7

Privacy in an e-Business World: A Question of Balance

EUGENE CLARK & GEORGE CHO[1]

Abstract

One of the most important issues in e-business is the protection of privacy. Consumers are worried that businesses and others may invade their privacy or cause them harm by such conduct as identity theft. Businesses, too, are worried about unscrupulous parties who seek to defraud them. Citizens fear the spectre of ‘big brother’ and a powerful government that can use such information to control or restrict the freedom of its citizenry. This paper charts the Australian laws regulating privacy, including recent amendments to the Commonwealth Privacy Act that extend privacy provisions to the private sector.

1. Introduction

In a real sense, when it comes to privacy, the tension between the individual and society is a theme that has been played out in various political, social, moral, economic and legal contexts for much of this century. The prevalence and power of modern technology lead many citizens to be concerned that the internet environment presents a clear and present danger to privacy. This is especially so in matters related to credit and the need for safeguards to ensure that information maintained on individuals is accurate. The prevalent use and potential for misuse of personal information in a world of information technology has exacerbated these concerns. For example, most readers would be aware of the problem with cookies and the unethical practice of not telling users that you have placed cookies on their system, thus enabling you to track their internet usage. Now, new Web bugs or 1-pixel GIFs are here. These tiny GIFs are a new form of bug able to track computer usage and chart a user’s surfing habits. These new bugs are the subject of growing consumer concerns and litigation in the US. Web bugs act like a beacon going off every time you use your computer. Unfortunately, anti-cookie devices will not stop these new bugs.[2]
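As an added example (not part of the article), a small defensive check for the 1-pixel web bugs described above: it scans a page's img tags for one-pixel images that are fetched from a third-party host or that carry a query string, the pattern a tracking beacon typically shows. The sample page, host names and tracker URL below are constructed.

```python
# Added example (not from the article): a standard-library scanner that flags
# "web bugs", the 1-pixel GIFs the paper describes, in an HTML page.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page served from www.example.test (hypothetical host).
PAGE_URL = "http://www.example.test/home.html"
SAMPLE_HTML = """
<html><body>
<img src="/images/logo.gif" width="120" height="40" alt="Company logo">
<p>Welcome to our store.</p>
<img src="http://ads.example-tracker.test/track.gif?uid=12345"
     width="1" height="1" alt="">
<IMG SRC="/spacer.gif" WIDTH=1 HEIGHT=1>
<img src="http://cdn.example.test/photo.jpg" width="300" height="200">
</body></html>
"""


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases tag and attribute names for us.
        if tag == "img":
            self.images.append({name: value for name, value in attrs})


def _is_tiny(value):
    """True when a width/height attribute is one pixel or less."""
    if value is None:
        return False
    digits = value.strip().lower().removesuffix("px")
    return digits.isdigit() and int(digits) <= 1


def find_web_bugs(html, page_url):
    """Return the <img> tags that look like tracking beacons.

    A web bug here is a 1x1 (or smaller) image that is either fetched from a
    host other than the page's own, or carries a query string (where a user
    identifier usually travels). A same-host 1x1 spacer with no query string
    is treated as a layout image, not a bug.
    """
    page_host = urlparse(page_url).hostname
    parser = ImgCollector()
    parser.feed(html)
    bugs = []
    for img in parser.images:
        src = img.get("src")
        if not src:
            continue
        parts = urlparse(src)
        host = parts.hostname or page_host  # relative URL: same host as page
        third_party = host != page_host
        tiny = _is_tiny(img.get("width")) and _is_tiny(img.get("height"))
        if tiny and (third_party or parts.query):
            bugs.append({
                "src": src,
                "host": host,
                "third_party": third_party,
                "carries_query": bool(parts.query),
            })
    return bugs


if __name__ == "__main__":
    for bug in find_web_bugs(SAMPLE_HTML, PAGE_URL):
        print(f"web bug: {bug['src']} (host {bug['host']}, "
              f"third party={bug['third_party']})")
```

Only the tracker image is reported for the sample page; the same-host spacer passes because it carries no identifier.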

Sometimes groups get a little carried away and speak of privacy in terms of an ‘absolute’ good. Other groups warn of an Orwellian nightmare in which big brother/sister will watch over us all and usurp individual freedom. However, a more realistic and workable notion is to seek a balance. This recognises that businesses are just as concerned about privacy as consumers are. Legitimate businesses realise that unless consumers are confident in the electronic medium, its potential will never be realised. Governments, too, while acknowledging the legitimate concerns of private citizens, also must be able to collect information and data on citizens so that legitimate government interests can be pursued for the benefit of its citizenry. For example, health databases enable research to be conducted about the population at large. To the extent that such databases detect fraud, they ensure that taxes remain as low as possible and that benefits are received by those truly entitled to them.

This article explores some of the major privacy issues raised by information technology. Its central theme is that consumer pressure for privacy protection and the need for Australia to comply with international obligations, eg the European Union Directive on Database Protection, will ensure that privacy is on the e-business agenda for a long time to come. The task for Australia and the international community is to achieve the appropriate balance between privacy protection and business efficacy - a policy goal that is as old as the struggle to accommodate the needs of the individual and the needs of the group.

2. Privacy in an Online Environment

2.1 Despite its Importance Privacy Not Well Protected

Privacy matters are particularly prominent when dealing in an electronic environment, where information can be transferred across national borders or intercepted, and where verifying with whom you are dealing can be very difficult. In this section, we raise just a few of the issues relevant to this new environment.

That much work remains to be done in regard to privacy protection is clear. Several studies have been conducted in the US and Australia, all concluding that privacy via the internet is not generally well protected.

An Australian study by Macklin[3] found that only 6 per cent of Australia’s most accessed websites have an adequate privacy policy. He conducted a survey in April and May of 1999. An ‘adequate’ policy was defined as one that:

• encompassed the essential elements of the NPPs

• provided at least some notice of the information practices of the organisation

• provided the user with some degree of choice with respect to the use of the personal information

• provided the user with access to his or her information to ensure accuracy; and

• had security procedures to limit access to the information by unintended parties.

Of those sites that offered goods or services for sale via the Internet, 87 per cent offered a secure transmission between the user and the trader. However, only 3 per cent of these sites had an adequate privacy policy.

The Australian law firm of Freehill Hollingdale & Page[4] surveyed approximately 400 companies with a response rate of 17 per cent. The findings showed that:

• 80 per cent of respondents adopted either an industry based or other recognised privacy protection code

• 97 per cent do not disclose personal information obtained through their websites to other organisations

• 77 per cent offered electronic payments via a secure (encrypted) transmission of personal data.

• 53 per cent use personal information collected through their websites for marketing related functions, including contacting visitors, developing and maintaining visitor profiles and monitoring the effectiveness of marketing campaigns

• only 18 per cent gave their website visitors options to protect users’ privacy

• only 12 per cent have a privacy statement accessible from their website

• only 6 per cent utilise independent external auditors to monitor their compliance with privacy standards.

In the US, readers should note the report of the Information Infrastructure Task Force Privacy Working Group, Privacy and the National Information Infrastructure: Principles for Providing and Using Personal Information (June 6 1995) http://www.iitf.nist.cov/ipc/ipc/ipcpubpubs/niiprivprin_final.html

This important report argues that the National Information Infrastructure can only flourish if all the participants respect information privacy. This means that individuals are able to control the terms under which their personal information is acquired, disclosed and used. Sometimes information can be protected via contract. However, where there are unequal bargaining positions, there should be a level of privacy users are able to expect in any event, and which should be ensured.

The Report sets forth three general principles.

Information Privacy Principle. Personal information should be acquired, disclosed and used only in ways that respect an individual’s privacy.

Information Integrity Principle. This means that personal information contained on the National Information Infrastructure should be accurate, timely, complete and relevant for the purpose for which it is provided and used. This principle sets forth the following acquisition principles:

1. Information users should assess the impact on privacy in deciding whether to acquire, disclose, or use personal information.

2. Information users should acquire and keep only information reasonably expected to support current or planned activities.

The Notice Principle provides that information users who collect personal information directly from the individual should provide adequate, relevant information about:

1. Why they are collecting the information

2. For what the information will be used

3. What steps will be taken to protect its confidentiality, integrity and quality

4. The consequences of providing or withholding information; and

5. Any rights of redress.

3. Privacy Act: Tax File Number Use, Data-Matching

3.1 Background to Privacy Act

In 1988 the Federal Parliament passed the Privacy Act, which provided for the establishment of a Privacy Commissioner and the protection of individual privacy, both in relation to information held by Commonwealth Agencies and in relation to tax file numbers. A major factor in the passage of the Act was the announcement by the Credit Reference Association of Australia, in March 1989, that it intended to create a national, centralised, privately operated computer databank incorporating store, personal loan and credit records on most Australians.[5] Like the government’s Australia Card proposal, this private venture caused alarm amongst consumer groups, libertarians and others.

The Privacy Act 1988 (Cth) was passed in order to comply with Australia’s obligations under Article 17 of the International Covenant on Civil and Political Rights 1966. Australia was also influenced by regional and international privacy developments. These included the Organisation for Economic Cooperation and Development’s (OECD) Privacy Guidelines in 1980. These guidelines articulate eight basic privacy principles to protect personal data. They also urged member states to pass legislation to encourage and support self-regulation. Also influential were various European developments and the passage by the United Nations of Guidelines for the Regulation of Computerised Personal Data Files.

3.2 Scope of Privacy Act

The 1988 Privacy Act does not create a general right of privacy such as has emerged from US court decisions and recent statutory developments. The Act applies generally to personal information rather than to commercial data, with the exception of credit information (explained below). The protection provided under the Act is in addition to any intellectual property rights / protection which may exist in that information.

The Act was amended in 1991 and 1994 to include guidelines for data matching by government agencies as well as tax file guidelines.[6] Its focus is on breach by Commonwealth Agencies of the articulated privacy principles, the tax file guidelines and data matching principles.

The Privacy Act prohibits ‘interferences with privacy’. Such interferences are said to occur when a Commonwealth agency breaches one or more of the information privacy principles, the tax file number guidelines or the data-matching guidelines. The Information Privacy Principles are set out in s14 of the Act and cover the following headings:

• Manner and purpose of collection of personal information

• Solicitation of personal information from individuals concerned

• Solicitation of personal information generally

• Storage and security of personal information

• Information relating to records kept by record-keeper

• Access to records containing personal information

• Alteration of records containing personal information

• Record-keeping duties in regard to accuracy of personal information before use

• Personal information to be used for relevant purposes

• Limits on use of personal information

The Privacy Commissioner is given powers of investigation, evaluation and supervision of compliance with the Privacy Act in relation to the privacy principles, tax file number guidelines and data-matching guidelines. The Act sets out the procedure to be followed. The Commissioner can also issue a written determination which may include an award for compensation for any loss or damage suffered as a result of a breach of privacy principles (ss52(1)-(2)).

3.3 Tax File Numbers

The Tax File Number Guidelines cover the following headings:

• General provisions governing the scheme

• Use and disclosure of tax file number information

• Obligations of the Commissioner of Taxation

• Obligations of the Department of Social Security

• Collection of tax file number information

• Storage, security and disposal of the tax file number information

• Incidental provision of tax file numbers

• Staff training

• Meaning of terms

The Privacy Commissioner is authorised by s27(p) of the Privacy Act 1988 to issue Data Matching Guidelines.[7] The Privacy Commissioner issued the data matching guidelines effective 1 October 1992. These guidelines have general application to Commonwealth agencies governed by the Privacy Act. With or without a request from a Minister or an agency, the Privacy Commissioner may examine proposals for data-matching or data linkage concerned with an interference with the privacy of individuals (s 27(1)(k)).

In addition, the Data-Matching Program (Assistance and Tax) Act 1990 (Cth) regulates data-matching as between specific agencies, namely the Department of Community Services and Health, the Department of Employment, Education, and Training, the Department of Social Security and the Department of Veterans’ Affairs. The Act distinguishes between ‘source agencies’, ‘matching agencies’ and ‘assistance agencies’. The purpose of the data matching legislation is to prohibit unrestrained matching or the creation of a comprehensive databank on citizens. For example, s6 of the Act provides that a maximum of nine data-matching cycles are permitted in any one year, with only one cycle to be in operation at any one time. Other restrictions cover the storage of data, set time limits on when the data must be examined and investigated, require notice to persons whose benefits are to be impacted, and so on.[8]

3.4 Privacy in Credit Contexts

The Privacy Amendment Act 1990 (Cth)[9] extends privacy protection to consumers in relation to their credit records.[10] The legislation seeks to establish a check and balance against the risk that credit databases may be used for non-credit purposes or become available to unauthorised users, in clear violation of the privacy principles established under the Act. Among these principles:

• there should be limits to the collection of personal data and any such data should be obtained by lawful and fair means with the knowledge or consent of the data-subject;

• personal data should be relevant to the purposes for which it is to be used and should be accurate;

• the purposes for which personal data is collected should be specified at the time of collection and subsequent use limited to the fulfilment of these purposes;

• personal data should not be disclosed for other purposes except with the consent of the data-subject or where required by law;

• personal data should be protected by security safeguards;

• individuals should be aware who holds their personal data;

• individuals should have a right of access to and correction of their personal data;

• a data controller should be accountable for complying with measures to give effect to these principles.[11]

In accordance with these principles, the Privacy Amendment Act gives consumers a statutory right to: access their credit file; correct or update information; and make a complaint to the Privacy Commissioner seeking compensation for damage suffered because of the infringement of the debtor’s privacy.[12] Credit providers also have restrictions placed on their use and dissemination of information.[13] Criminal offences also apply to a credit-reporting agency or credit provider who provides a false or misleading credit report; or to any person who gains unauthorised access to credit information.[14] According to former Senator Tate, this legislation sits firmly alongside the agreement on uniform national credit legislation - which gives consumers uniform information and uniform practices in their personal dealings with financial institutions.[15]

Finally, other important provisions of the Privacy Amendment Act include:

• The definition of “credit provider” includes non-corporate businesses and individuals engaging in the provision of credit. This allows non-corporate, but substantial, credit providers to have access to the credit reference databases.

• The Act also ensures that credit reporting agencies are able to pass credit information amongst themselves. This provision enables credit providers to receive information on applicants moving from one state to another. Finally, the Act allows credit providers to receive the credit history of a person agreeing to act as a guarantor. The proposed guarantor would have to give their written consent, which should also impress upon the guarantor the implications of agreeing to answer for the debt of another.[16]

3.5 Privacy Principles

Seeking further to encourage private sector protection of privacy, the Commonwealth Privacy Commissioner in 1998 published the National Principles for the Fair Handling of Personal Information. The general insurance industry became the first Australian industry to develop and implement a privacy code, having created the General Insurance Information Privacy Principles in August 1998.

The Government revised its Privacy Principles in January 1999 and released new privacy principles for Australian businesses.[17] The Human Rights and Equal Opportunity Commission developed these following wide consultation with industry. The principles set standards for the collection, use, disclosure, security, access and quality of information, and bring Australian law into line with the EU's data protection framework.

In summary form the principles are:

Collection. Only collect personal information for legitimate purposes and where practicable and reasonable, collect it from the person concerned.

Use and disclosure. Personal information should only be used or disclosed for a secondary purpose where that purpose is related to the main reason for collection, where the person consents, or where the disclosure is authorised by law.

Transborder data flows. Only transfer information outside of Australia if the individual has consented and the business has taken reasonable steps to ensure the information will not be collected, held or used in contravention of these principles.

Data quality. Collect, use or disclose information only if it is accurate, complete and up to date.

Data security. Take reasonable steps to keep information secure. Remove identification if the records are no longer necessary for any purpose.

Openness and access. Establish a policy in respect of the management of information and make it readily available. Reasonable charges can be imposed for this and exceptions exist, for example where it relates to a sensitive matter, the business purpose in collecting the data would be compromised and so on.

Miscellaneous. Use your own identifier for individuals and not a government assigned one, such as a tax file number. Individuals should have the option of not identifying themselves where this is lawful and practical.

3.6 Privacy Audits

Section 27(1)(h) of the Privacy Act 1988 (Cth) provides that the Privacy Commissioner is entitled to: ‘conduct audits of records of personal information maintained by [Commonwealth Government] agencies for the purpose of ascertaining whether the records are maintained according to the Information Principles.’

Under s68 of the Privacy Act, the Privacy Commissioner or a person authorised by the Commissioner has the power to enter premises occupied by an agency and inspect any documents relevant to the performance of the Commissioner’s duties.

1. The audit will usually focus on designated records. In the case of a University, this would most likely be student and staff records.

2. Prior to the privacy audit, the organisation will be asked to provide:

• an organisational chart

• copies of all forms used to collect personal information

• copies of computer systems documentation and specifications including systems security

• a copy of the IT Security Policy

• results of any internal audits and reviews conducted which included compliance with the Privacy Act as part of the audit

• copy of the internal audit program and plan

• copies of the most recent Annual Report, Corporate Plan and other documents

• copies of any staff instructions or memoranda addressing privacy and security matters

• details of any staff training concerning the Privacy Act and copies of any training material presented to participants.

A Privacy Audit is carried out in five phases.

1. Planning Phase

This involves notification of the audit, pre-planning, and an opening conference involving senior management from the organisation being audited. At this meeting a time and ground rules are set, the audit process is explained to senior management, a timetable is determined and accommodation is arranged for the audit staff who carry out the preliminary investigation of the privacy culture of the organisation.

2. Examination of Systems and Privacy Controls

The auditors identify and assess the agency’s systems and controls for privacy protection. Where appropriate this phase may involve information technology systems review in a number of areas of the agency.

3. Confirmation Audit Testing

In this phase, auditors confirm how the organisation carries out the privacy policy in day-to-day operations. This involves interviewing staff, conducting tests of records and examining the computer systems used for dealing with personal information.

4. Closing Conference

The Audit team will discuss its audit findings and possible recommendations and receive comments from the agency being audited.

5. Reporting

The Privacy Commissioner, after reviewing the report, will make an assessment. Usually, a draft report will be sent to the audited agency for comments on the report.

4. State Legislation

At present, the Commonwealth Privacy Act covers the federal public sector. At the state level, NSW has passed the Privacy and Personal Data Protection Act 1998, Victoria has introduced the Data Protection Bill and Queensland has recommended the passage of privacy legislation. The NSW legislation permitted the development of private privacy codes to be approved by the State Privacy Commissioner. The Victorian legislation is quite comprehensive, covering information use by business as well as State and local government agencies.

Given the sensitivity of health records, some jurisdictions have acted to legislate privacy protection. A case in point is the Health Records (Privacy and Access) Act 1997 (ACT) which for health records replaces both the Privacy Act and the Freedom of Information Act and applies to all services public and private. The legislation is designed to deal with the particular issues of privacy concern in relation to the health services and health industry.

Most states, like the Commonwealth, also have Ombudsmen and one can file a complaint against a government agency for breach of privacy principles. However, where there is a legislative privacy regime and a Privacy Commissioner, such as in the Commonwealth and NSW, the complaint is likely to be referred to that person.

5. Industry Privacy Codes

Recent governments and legislation across most areas, including insurance, banking, privacy, credit, real estate, and so on have encouraged industry to adopt their own codes. The logic is that government will provide the broad principles of regulation and oversee the development and effectiveness of codes, but that the private sector should, as far as possible, be left to develop their own codes that meet the specific needs of industry. This includes a faith in industry itself to see the need to give due consideration to consumer protection and privacy.

The Privacy Act encourages the development of industry codes consistent with national principles. These industry codes generally must be consistent with the National Principles for the Fair Handling of Personal Information. Based on the OECD’s Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (1980), these principles establish a benchmark for the handling of personal information and provide guidelines about the collection, use, disclosure, quality, security, access and correction of personal information.

The Telecommunications Act 1997 (Cth) similarly encourages the development of industry codes and gives the Australian Communications Authority the power to prepare a legally enforceable industry standard if no acceptable code is developed by industry. Industry codes can deal with all sorts of matters, including privacy and the protection of personal information.

6. Third Party Verification Groups and Government Supervision

Related to the issue of industry codes is the rise of third party verification services. Website verification services assure consumers that the particular website bearing their seal is audited to ensure specified consumer safeguards. In the case of TRUSTe,[18] to get its seal of approval a web site must have an expressly stated privacy policy. The policy statement must include:

• The personal information being gathered by the site

• The names of individuals or groups collecting the information

• The ways in which the data is used

• The names of the individuals or groups with whom the information will be shared

• The choices available to users regarding collection, use, and distribution of their data. Users must be offered the chance to opt-out of internal secondary uses, as well as third-party distribution to secondary users.

• The security measures in place to protect users’ information from loss, misuse, or alteration. If the site collects, uses or distributes personally identifiable data such as credit card numbers, accepted transmission protocols, such as encryption, must be in place.

• The ways in which users can update or correct inaccuracies in their pertinent information. Appropriate measures should be taken to ensure that information collected online is accurate and complete, and that simple mechanisms are in place for users to verify that inaccuracies have been corrected.

Third parties aren't the only ones that play a monitoring role. Government monitoring of sites is also beginning to occur. The Commonwealth Department of Health, for example, has recently established a watchdog site, www.healthinsite.gov.au. The Australian Competition and Consumer Commission audits sites to monitor compliance with the Trade Practices Act, some provisions of which might apply in privacy contexts.[19]

7. Extension of Privacy to Private Sector[20]

7.1 Introduction

Responding to growing consumer concerns about privacy and international developments such as the European Union’s directives on privacy,[21] the Australian Government on 6 December amended the Privacy Act 1988 so that it will cover the private sector, but this change will not come into effect for one year.[22] With the extension of the Privacy Act to include the private sector, Australia will boast a comprehensive scheme governing the holding, use, correction, disclosure and transfer of information.

The Privacy Amendment (Private Sector) Act was introduced into Parliament on 12 April 2000, and referred to the House of Representative Standing Committee on Legal and Constitutional Affairs on the same day. The Committee tabled its report on 26 June. The Government response to the Committee report, which included amendments it proposed to move to the Bill, was tabled on 7 September. The proposed amendments include: allowing small businesses to voluntarily opt into the privacy scheme; giving individuals the opportunity to opt out of direct marketing communications; and strengthening provisions on sensitive health information.[23]

The Act was also referred to the Senate Legal and Constitutional Legislation Committee on 16 August, which tabled its report on 10 October. The Act was debated in the House of Representatives during the November/December Sitting Session. The Senate Select Committee on Information Technologies also conducted an inquiry into e-privacy matters, and held public hearings in Canberra and Sydney in August and September 2000.

7.2 Scope

7.2.1 In General

The legislation applies broadly across the private sector. The Act does not apply to small businesses (ie less than $3 million annual turnover) for 24 months after the legislation commences. This will give them time to adjust to the new laws. After 24 months, small businesses will still be exempt unless they:

• Provide a health service to another individual and hold health information (except in employee records)

• Disclose personal information about another individual to third parties for a benefit, service, or advantage

• Collect personal information about another individual from third parties by providing a benefit, service or advantage

• Are contracted to provide a service to the Commonwealth; or

• Are prescribed by regulation as being covered by the legislation.

This small business exception has been criticised by many privacy groups because it would have the effect of excluding the majority of Australian businesses. There is also a 'media' exception with a broad definition of 'media' that has also been criticised by consumer groups.[24]

Political parties are exempt from the Act in relation to activities in connection with an election, a referendum, or other participation in the political process.

There is also an exemption for personal information collected for domestic use, for example making a family history or conducting household affairs.

The Act also applies to bodies corporate and unincorporated and to individuals and sole traders or consultants operating in their business capacity. [25] It will also apply to Government business enterprises not now under the Privacy Act because of the commercial nature of their operations. The new legislation, therefore, will apply to the ABC, Australia Post, the CSIRO and Telstra.

7.2.2 Personal versus Sensitive Information

The Act makes a distinction between personal information and sensitive information. Personal information is information (whether fact, opinion or evaluative) about an identifiable individual that is recorded in any form, but does not include information that is generally available to the public (eg, name, address and telephone number). Sensitive information includes information or an opinion about a person's:

• Racial or ethnic origins

• Political opinions

• Membership of a political association

• Religious beliefs or affiliations

• Philosophical beliefs

• Membership of a professional or trade association

• Membership of a trade union

• Sexual preference or practices

• Criminal record

• Individual health information

The Act gives greater protection to sensitive information with stricter limits put on how this information may be collected and handled by private sector organisations. Specifically banned is the use of sensitive information such as health information for direct marketing purposes. For example, a university research group could not pass on to a drug company, health information of individuals that would help the drug company target prospective users of its drug. Note that personal information may be used for direct marketing as long as the individual is given an opportunity to opt out of receiving any further direct marketing material.

7.2.3 Warehousing of Information

The Act permits related corporate groups to share personal information amongst the group, but not sensitive information. However, all members of the group must comply with the national privacy principles or an approved code. This permits central data warehousing activities that are becoming increasingly common.[26]

What about existing databases? The Act requires private sector organisations that hold existing databases of personal information to take reasonable steps to ensure that the data is up to date, accurate, complete and adequately secured. People will be able to access and correct information collected about them on existing databases when the organisation uses or discloses the information. When pre-existing databases are updated after the passage of the Act, the owners of the database will be required to comply with all aspects of the new law in updating their information.

7.2.4 Website Owners

Website owners collecting personal information will have to take steps to see that internet users know who is collecting the information and how it is used. They must also ensure that the information is safely secured and stored.

7.2.5 Other Exclusions

The new provisions apply to all but small business. Exclusions from the legislation relate to: records for domestic use; employee records (workplace arrangements cover this); and media use. Employee records are records collected or held by an employer about an individual employee which pertain to or arise out of their employment relationship. They include letters, resumes, referee reports and other material relating to engagement, variation of the terms of engagement, disciplinary matters, termination or resignation, personal and financial details, performance or conduct notes, time and wage records, payslip information, tax records and leave records.

The Act does not apply to State and Territory public sector agencies. Some States have introduced privacy legislation, eg the Privacy and Personal Information Protection Act (NSW) and the Australian Capital Territory Government Service (Consequential Provisions) Act 1994; the Victorian Data Protection Bill 1999 is based on the National Principles and addresses both public and private sector privacy issues.

7.2.6 Extra-territorial Application

Where an Australian organisation is dealing with information about Australians, the Act applies to its conduct no matter where that conduct occurs, ie within or outside Australia. A foreign corporation that collects information in Australia and then moves that information overseas will have to apply the safeguards required by the Act.

7.2.7 Impact on Existing State and Territory Laws; other laws

State and Territory laws dealing with privacy will continue to operate as long as they are not inconsistent with the Commonwealth law. Other laws protecting confidential information will continue to operate. These include common law trust principles, breach of confidence, equitable duties of confidence, confidentiality inherent in particular relationships (banker-customer; lawyer-client).

7.3 National Privacy Principles

The National Privacy Principles (NPP's) are central to the new regime. These principles set the minimum standards for the handling of personal information. They differ from the Information Privacy Principles that apply to Commonwealth Agencies. The National Privacy Principles relate to:

• Collection of Personal Information. Collection must be necessary for an organisation's activities. It must be collected lawfully and fairly, and as a general principle, with the individual's consent.

• Use and disclosure of personal information. Information can only be used or disclosed for its original purpose unless the person has consented to its use or disclosure for another purpose. Exemptions may apply to initial contact for direct marketing if consent wasn't practicable originally. Other exceptions include law enforcement needs, public safety, need for medical research, need to manage, fund and monitor a health service and where necessary to prevent or lessen a threat to a person's life.

• Accuracy of personal information. Organisations must take reasonable care to ensure that they keep personal information accurate, complete and up to date.

• Security of Personal Information. Organisations must take reasonable steps to protect the personal information which they hold from misuse, loss, unauthorised access, modifications or disclosure.

• Openness of the Organisation's Practices. Organisations that collect personal information must be able to document their practices and make the information available upon request.

• Access and Correction Rights. Organisations must give individuals access to their personal information and allow them to correct it or explain something with which they disagree, unless doing so would invade someone else's privacy. Another exception is where this would compromise a fraud investigation.

• Use of Government Identifiers. Organisations cannot use a Government agency's identifier as their own identifier. This includes driver's licence numbers, Medicare numbers, tax file numbers or any other future identity number assigned by a Government agency.

• Anonymity. Organisations must give people the option of entering into transactions anonymously where it is lawful and practicable. An example of where it would be unlawful would be the opening of a bank account.

• Restrictions on Trans-border Data Flows. Organisations can only transfer the personal information about an individual to a foreign country if they believe that the information will be protected by a law or a contract that upholds privacy principles similar to the NPP's.

• Special Provisions for Sensitive Information. A higher level of privacy protection applies to sensitive personal information. This includes health information, political beliefs, religious affiliation, sexual preferences, membership in political parties, etc.

7.4 Role of Privacy Commissioner

The Privacy Commissioner will have a central role in the overall promotion and oversight of the scheme in relation to the private sector. This will include approving private codes, providing assistance and advice, handling complaints and promoting awareness and understanding of the scheme. A breach of a Privacy Code or of the National Privacy Principles will constitute interference with a person's privacy and enable the injured person to make a complaint. Complaints must in the first instance go to the organisation. If a satisfactory conclusion cannot be reached, the complainant may request an independent investigation. Where there is no relevant organisational or industry code, the independent investigator will be the Privacy Commissioner. People will have an automatic right of appeal to the Privacy Commissioner if they are unhappy with the decisions made by the private-sector complaints adjudicators. The Commissioner, upon finding that an interference with privacy has occurred, may order the organisation to redress any loss, for example by paying compensation, removing the person's name from a direct mailing list, etc. The order may be enforced in the Federal Court or the Federal Magistrates Service.

Code Authorities, such as the Telecommunications Industry Ombudsman, like the Privacy Commissioner, will have to submit an annual report of their complaint handling activity.

Finally, the Act gives the Commissioner the power to conduct random audits to ensure compliance with the code.

7.5 Co-Regulatory Approach

The Government has adopted a co-regulatory approach. As noted above, it has drafted a set of National Privacy Principles to apply to business and these will come into effect by default where an industry or specific industry sector does not draft its own privacy code, approved by the Privacy Commissioner. This Code must be consistent with the National Privacy Principles, though the writer is a little unclear about what this actually means in practice.

Under the proposed framework there will be two avenues of handling complaints. The first applies in those situations where there is no approved private code with its own complaint handling process. It involves the Privacy Commissioner’s hearing of the complaint under powers given by Part V of the Privacy Act 1988 (Cth). The Privacy Commissioner has wide powers to conciliate or make determinations, for example that the organisation complained against ‘should perform any reasonable act or course of conduct to redress any loss or damage suffered by the complainant.’[27] or that the complainant is entitled to compensation for a particular amount by reason of the practice complained about.[28] If the organisation or person complained about refuses to comply with the Privacy Commissioner’s determination, then there must be a full re-hearing on the merits in Federal Court.[29] The second avenue is to hear the complaint pursuant to an approved code, with the body designated to hear the complaint having the same determinative powers as the Privacy Commissioner would have under method one above. And, as above, if the defendant does not comply, recourse will be had to the Federal Court where the matter will be held de novo.[30]

7.6 Who Can Develop Privacy Codes

• Members of an industry body, or

• A specific industry sector; or

• Interested organisations or individuals wanting a code to cover a type of activity or information.

The privacy code can also be part of a wider industry code though the privacy legislation will only impact on the privacy provisions. The Code should make it clear who is bound by the Code. It should set out the period for which it will operate or the circumstances under which it will expire. It must include privacy principles consistent as a whole with the NPP’s. It may provide additional protection and/or elaborate as to how one or more of the Code Privacy Principles are to be applied or complied with.

7.7 Staged Implementation

The legislation will be phased in.

Stage 1 (after Proclamation) will involve the Privacy Commissioner in providing education, guidance and promotion of the scheme and approval of codes. In approving the Code or granting a variation to a Code, the Privacy Commissioner can consult any person or body that they consider it appropriate to consult. The Commissioner must be satisfied that the public is given adequate opportunity to comment on any code or variation. The Commissioner will be required to keep a public register of approved codes. During stage 1 the privacy standards will not have legislative effect.

Stage 2 (12 months after commencement). This applies to most organisations, including all health services holding health information. This allows time for implementation issues to be addressed and for the Privacy Commissioner to conduct education programs for industry.

Stage 3 (2 years after commencement). Small businesses (except health services) will have an additional 12 months (ie till Jan 2003) to comply with the new provisions.

7.8 Costs

Industry schemes will be funded in a variety of ways. The legislation will allow for the development by the Privacy Commissioner of a charging system for handling complaints that takes into account both the desirability of complaints being resolved by conciliation rather than determination, and the appropriate balance between Government, organisations and individuals in bearing costs.

7.9 Investigation by Privacy Commissioner

Note that the Privacy Commissioner has various investigative powers under the Act. It is expected that privacy codes will require participants to cooperate with and provide information requested to code complaint bodies.

7.10 Review of Decisions

Decisions of the Privacy Commissioner are reviewable under the federal Administrative Decisions (Judicial Review) Act 1977 (Cth). Under the legislation, decisions of code complaint bodies are deemed to be decisions under an enactment for the purposes of the ADJR Act.

7.11 Outsourcing and Privacy

Another feature of the proposed legislation is that initial plans to draft outsourcing legislation to cover privacy concerns of government services contracted out to private parties not covered by the Privacy Act 1988 (Cth) will not now proceed. Instead, such provisions will be rolled into the proposed new legislation. The Privacy Amendment (Private Sector) Act explicitly prohibits a service provider contracted by the Government from using or disclosing personal information collected under a Commonwealth contract. The Act also requires an agency entering into a public sector service contract to ensure that the contract contains terms prohibiting the service provider from doing anything that, if done by the agency, would be a breach of a privacy principle.

8. Related Laws Relevant to Privacy Protection

8.1 Other Possible Civil Remedies

While the Privacy Act 1988 (Cth), State legislation and industry codes provide the broad framework for the protection of data on individuals, there also exist a number of common law doctrines and statutory provisions which may have the indirect effect that they can be used in some contexts to protect one’s privacy. In brief, these include:

Contract law. If privacy is important, there is no reason that one cannot contract for its protection and provide appropriate remedies should the contractual provisions be breached. See the discussion of contracting out of government services for an example of the type of detailed clauses which could be made part of any contract.

Negligence. Depending on the context, several possibilities exist for enforcing a duty of care. For example, a party who undertakes the duty of storing data and controlling its use can be held liable if they are negligent in the performance of these duties. The standard required will be one of reasonableness in the circumstances.

Corporations Law. Civil and criminal remedies exist for those who are involved with unauthorised dealings in company books and records stored on a computer (Corporations Law, s1307).

Trade Practices Act, s52. "A corporation shall not in trade or commerce engage in conduct that is misleading or deceptive or likely to mislead or deceive." The broad language of this general provision against misleading and deceptive conduct could no doubt be relied on in some contexts involving the disclosure of personal information.

For example, a web site that sells information on customers to others, notwithstanding the fact that it has a privacy policy that warrants any information collected will not be passed on to others, could be liable for misleading and deceptive conduct.

Interference with Contract. Originating in the context of employment contracts, this doctrine has now been extended to cover any contractual obligation. An example of its application to a privacy context would be a cause of action against a third party who deliberately interfered with a person/entity who had a contractual obligation to safeguard the data.

Confidentiality. This equitable doctrine is designed to protect confidential information and those who wrongfully violate that confidence.

Conversion. Given that software can in some circumstances be classified as ‘goods’, the taking or interference with software which contains personal information could trigger a cause of action for conversion, the intentional and unlawful interference with goods belonging to another.

Trespass. This very old tort has been extended to cover a broad range of applications. Originally, it involved the wrongful entry onto land belonging to the plaintiff. Today, it could cover unauthorised access to information stored on a computer.

Defamation or damage to one’s reputation is also protected by law. A person is liable for defamation if, without a legal defence, the person reveals defamatory information about another person thereby lowering their reputation in the community.

Intellectual Property (IP) Rights. As mentioned above various IP remedies may come into play where the disclosure violates trade mark, copyright or other IP rights.

Procedural avenues. In some cases, the breach of privacy may be prevented to begin with, for example, by requesting an injunction, claiming legal privilege, and so on.

The Ombudsman. Privacy complaints can also be made to the Ombudsman, though where there is a privacy legislative scheme, the activity would probably be referred to the privacy commissioner. See Ombudsman Act 1976 (Cth), Ombudsman Act 1974 (NSW); Ombudsman Act 1973 (Vic), Ombudsman Act 1972 (SA), Ombudsman Act 1978 (Tas), Ombudsman Act 1989 (ACT), Ombudsman (Northern Territory) Act 1977 (NT), Parliamentary Commissioner Act 1974 (Qld), Parliamentary Commissioner Act 1971 (WA).

8.2 Criminal Remedies: Interception of Telecommunication

The telecommunications legislative regime contains a number of provisions that relate to the protection of information.

8.2.1 Definitions

The various participants in telecommunication are classified according to whether they are carriers or service providers, with most provisions of the Act dealing with carriers. Carriers include those who own the telecommunication infrastructure, the network units, which include the transmission facilities and line links to establish connections between various points across the country.

Service providers are of two types: carriage service providers and content service providers. Carriage service providers supply a ‘listed carriage service’ to the public utilising a network unit provided by one or more of the carriers. A ‘listed carriage service’ is one with at least one of its points located in Australia. While many provisions of the Telecommunications Legislation apply to carriage service providers, most of these deal with carriage service providers who operate a ‘standard telephone service.’

Content service providers use the listed carriage service to provide a ‘content service’ to the public. A content service can involve educational, entertainment, information or other material.

Internet access providers (ISP’s) are carriage service providers while anyone operating a website is arguably a content service provider.

‘Eligible’ carriage service providers must subscribe to the Telecommunications Ombudsman scheme. The Broadcasting Services Amendment (Online Services) Act 1999 (Cth) uses the same definitions, likewise regarding ISP’s as carriage service providers.

The Telecommunications Legislation Amendment Act 1997, in Part 13, deals with ‘Protection of Communications’. Part 13 imposes duties of confidence so that ISP’s are obligated to protect the personal particulars of the information they transmit. This duty to safeguard the confidentiality of the information transmitted is subject to a number of exceptions, eg information released pursuant to a warrant from a law enforcement agency, as required by law, where necessary to enforce a criminal law or pecuniary penalty, for the protection of national security, or to preserve the public revenue.

8.2.2 Duty to Intercept and Special Assistance

The Telecommunications Legislation Amendment Act 1997 (Cth) obligates carriers and carriage service providers to assist the authorities in enforcing the criminal law as well as laws related to raising revenue, safeguarding national security and imposing pecuniary penalties. Carriers and carriage service providers must have interception capabilities and ensure they are installed and maintained.[31]

8.2.3 Liability of ISP’s for Interception

‘Communications passing over a telecommunications system’ are regulated by the Telecommunications (Interception) Act 1979 (Cth). One of the key definitions under the Act is ‘passing over a telecommunications system’. This requires a determination of the boundaries of the system in question. It is clear that this would include the equipment, a line, or other facility connected to a telecommunications network and located within Australia.[32] A telecommunications network is a means of carrying communications by guided or unguided electromagnetic energy or both.[33] Gunning suggests that this means a communication, under the legislation, must still be in electromagnetic form, and that information stored in a computer is not caught by the legislation because it is not ‘passing over a telecommunications system’ at that time.[34] In other words, the Telecommunications (Interception) Act only applies to real time exchanges.

Thus, an ISP that is monitoring e-mail is not likely to be in breach of the Act. However, such conduct in some circumstances could be considered unauthorised access to a computer or computer trespass.[35] It has been suggested that the unauthorised use of a ‘cookie’ may in fact breach some broadly worded criminal laws regarding unauthorised access to computers. Cookies are packets of information sent by the web server to the consumer’s machine so that the source can get a history of past requests and return to the user’s machine on subsequent occasions. Cookies have legitimate uses in facilitating customisation of a website and better customer service. However, many consumers do not know about them, and it is possible to ‘abuse’ the information by developing individual consumer profiles without the consumer being aware of it. Because the cookie involves the sending to, and storage of information on, someone else’s computer without their consent, it could be a breach of computer trespass legislation.

The critical question is that of consent. In cases where the consumer is contacted and permission given to use cookies, there would be no problem. But does someone who configures their computer to accept all cookies thereby give consent to a particular cookie? Does a consumer consent by merely accessing a website, a component of which is the cookie mechanism inherent in the HTTP communication process?[36]
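The two paragraphs above describe the cookie mechanism in words: the server sends a small packet of information to the consumer's machine, the browser stores it, and it is returned on subsequent visits, which is what lets the server build a history of requests. The following program, an added illustration that is not part of the original article and not the code of any product it names, shows that exchange end to end with Go's standard library. A constructed test server (`VisitTracker`, a hypothetical name) issues a `visitor_id` cookie and counts requests per identifier; the client is run twice, once with a cookie jar (the consumer has accepted cookies) and once without (the consumer has withheld consent). The difference in what the server can correlate is exactly the consent question the text poses.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/cookiejar"
	"net/http/httptest"
	"sync"
)

// VisitTracker is a constructed stand-in for a web server that issues each
// new visitor an identifier in a cookie and counts the requests it has seen
// under that identifier: the "history of past requests" that makes profile
// building possible.
type VisitTracker struct {
	mu     sync.Mutex
	next   int
	visits map[string]int
}

func NewVisitTracker() *VisitTracker {
	return &VisitTracker{visits: map[string]int{}}
}

// ServeHTTP reads the visitor_id cookie if the browser sent one back; if not,
// it mints a new identifier and asks the browser to store it (Set-Cookie).
// The response body reports which identifier the request was filed under
// and how many requests have now been attributed to it.
func (t *VisitTracker) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	t.mu.Lock()
	defer t.mu.Unlock()
	var id string
	if c, err := r.Cookie("visitor_id"); err == nil {
		id = c.Value
	} else {
		t.next++
		id = fmt.Sprintf("v%d", t.next)
		http.SetCookie(w, &http.Cookie{Name: "visitor_id", Value: id, Path: "/"})
	}
	t.visits[id]++
	fmt.Fprintf(w, "%s:%d", id, t.visits[id])
}

// Browse issues n sequential requests. With acceptCookies true the client
// keeps a cookie jar, so the identifier set on the first response is sent
// back in the Cookie header of every later request; with it false there is
// no jar and each request arrives without any cookie.
func Browse(url string, n int, acceptCookies bool) ([]string, error) {
	client := &http.Client{}
	if acceptCookies {
		jar, err := cookiejar.New(nil)
		if err != nil {
			return nil, err
		}
		client.Jar = jar
	}
	var seen []string
	for i := 0; i < n; i++ {
		resp, err := client.Get(url)
		if err != nil {
			return nil, err
		}
		body, err := io.ReadAll(resp.Body)
		resp.Body.Close()
		if err != nil {
			return nil, err
		}
		seen = append(seen, string(body))
	}
	return seen, nil
}

// RunScenario starts a fresh tracker on a local test server, browses it n
// times, and returns what the server reported for each request.
func RunScenario(n int, acceptCookies bool) ([]string, error) {
	srv := httptest.NewServer(NewVisitTracker())
	defer srv.Close()
	return Browse(srv.URL, n, acceptCookies)
}

func main() {
	for _, consent := range []bool{true, false} {
		seen, err := RunScenario(3, consent)
		if err != nil {
			panic(err)
		}
		fmt.Printf("cookies accepted=%v -> %v\n", consent, seen)
	}
}
```

With cookies accepted the server reports `v1:1`, `v1:2`, `v1:3`: one identifier, a growing history. Without them it reports `v1:1`, `v2:1`, `v3:1`: three strangers, no history. Nothing in the exchange asks the consumer anything; the only place consent is expressed is the browser's decision to keep and return the cookie, which is why the text's question of what counts as consent is the decisive one.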

8.3 Unauthorised Access to E-mail

A common element of much of electronic commerce is the use of e-mail. E-mail is particularly vulnerable because it is carried by the Simple Mail Transfer Protocol (SMTP) as plain ASCII text, which can be read by any computer that handles it along the way.

Unauthorised access to someone else’s e-mail can give rise to a host of legal issues, depending on the context. If the information is confidential, a breach of confidence action could be brought. If the information is protected by contract, then contract remedies would ensue. If one intercepted the e-mail then, the Telecommunications (Interception) Act 1979 (Cth) may come into play.

If the conduct involved unauthorised access to a computer, then various criminal provisions could also come into play. These include the Crimes Legislation Amendment Act 1989 (Cth), which amended the Crimes Act 1914 (Cth) to outlaw wrongfully gaining access to computers,[37] altering data[38] or impeding access to computers.[39] The Crimes Act 1914 (Cth) also prohibits the use of communications for improper purposes, the intentional or reckless causing of communications in the course of carriage to be received by a person or service other than the one to whom they were directed, and the wrongful sending of signals to a satellite without lawful authority or excuse.[40]

9. Non legal remedies

9.1 Technical Solutions

It may happen that the major protector of an individual’s privacy will come not from the law, but from technology itself. The World Wide Web Consortium (W3C) has trialed its new Platform for Privacy Preferences (P3P). With this new technology, organisations can express their privacy policy in XML. The user can enter into a P3P compliant browser the information they are willing to share and how it can be used. This saves consumers the chore of hunting for privacy documents and wondering whether they provide the same protection as other privacy policies. Using this technology, the software compares the user’s preferences with the privacy policy to see whether consumer expectations match what the policy proclaims to deliver. However, one problem with the new technology is that there is no body which enforces the privacy protection which firms say they provide.

The greater use and availability of encryption software should also help to ensure a greater level of privacy protection. One of the most widely used programs is PGP (Pretty Good Privacy). It is based on what is known as asymmetric encryption. The sender encrypts a message with the recipient's public key, which anyone, including the sender, may hold; the recipient, who must also have PGP, is the only one who can decrypt the message, using their private key. In addition, the sender can digitally sign their message so the recipient can see whether the email is from the person it purports to be from.[41]
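The paragraph above, together with the observation in section 8.3 that e-mail travels as plain text, is the case for asymmetric encryption with signatures. The program below is an added example, written for this page with Go's standard library; it is not PGP's code and does not implement the OpenPGP message format. It shows the two operations the text describes as separate functions, then runs the whole exchange between two constructed parties (the names `alice` and `bob` and the sample message are assumptions): the sender signs with their own private key and encrypts with the recipient's public key; the recipient decrypts with their private key and checks the signature with the sender's public key. It also shows the two failure modes a practitioner should expect to see: a ciphertext made for one key does not open under another, and a signature does not verify once the message changes.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// GenerateKeyPair creates a fresh RSA key pair. The public half is what a
// PGP user publishes; the private half never leaves their machine.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Encrypt seals msg under the recipient's public key (RSA-OAEP, SHA-256).
// Anyone holding the public key can do this; only the private key opens it.
func Encrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Decrypt recovers the plaintext. It returns an error, not garbage, when the
// ciphertext was made for a different key or was altered in transit.
func Decrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// Sign produces a signature over msg with the sender's private key (RSA-PSS).
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify reports whether sig is a valid signature over msg under pub, that
// is, whether the message came from the holder of the matching private key
// and has not been changed since it was signed.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// SecureExchange runs the flow the text describes between two parties who
// each hold their own key pair. It returns the plaintext the recipient
// recovered and whether the sender's signature verified.
func SecureExchange(sender, recipient *rsa.PrivateKey, msg []byte) ([]byte, bool, error) {
	sig, err := Sign(sender, msg) // sender's private key
	if err != nil {
		return nil, false, err
	}
	ct, err := Encrypt(&recipient.PublicKey, msg) // recipient's public key
	if err != nil {
		return nil, false, err
	}
	// Only ct and sig travel over the network. An eavesdropper on the mail
	// path sees neither the plaintext nor anything that lets them forge sig.
	pt, err := Decrypt(recipient, ct) // recipient's private key
	if err != nil {
		return nil, false, err
	}
	return pt, Verify(&sender.PublicKey, pt, sig), nil // sender's public key
}

func main() {
	alice, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	bob, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed sample message") // constructed input
	pt, ok, err := SecureExchange(alice, bob, msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("bob read %q, signature from alice valid: %v\n", pt, ok)

	// Wrong recipient: a ciphertext for bob does not open with alice's key.
	ct, _ := Encrypt(&bob.PublicKey, msg)
	_, err = Decrypt(alice, ct)
	fmt.Println("decrypt with wrong key fails:", err != nil)

	// Tampering: changing one word after signing breaks the signature.
	sig, _ := Sign(alice, msg)
	fmt.Println("tampered message verifies:", Verify(&alice.PublicKey, []byte("tampered sample message"), sig))
}
```

Two design points worth knowing. RSA-OAEP with a 2048-bit key and SHA-256 can only seal a message of at most 190 bytes, which is why real PGP encrypts the body with a fresh symmetric session key and uses the recipient's public key only to seal that session key; the example encrypts the short message directly to keep the flow visible. And signing before encrypting, as here, means the recipient can verify who wrote the message only after decrypting it, which is the order PGP uses as well.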

The use of encryption also raises privacy issues. On the one hand, the use of encryption can help to ensure privacy. On the other hand, powerful encryption technology is a potential threat to society if it is used, for example, by criminal elements to perpetrate fraud, money laundering, national security breaches and so on. Law enforcement authorities would like to have encryption codes placed in escrow with a government authority so that they can minimise the misuse of such technology. However, a recent study[42] reports that many countries have given up their attempts to require that a third party escrow agent be given a spare key to an encryption code as a condition for loosening government controls. Other countries are studying proposals that give governments new controls to conduct surveillance, break into buildings, or hack into computers to get encryption keys and obtain information. These developments raise real concerns about privacy.[43]

9.2 Education

Education, especially of vulnerable groups such as children, will also play an important role in privacy protection. Recent US legislation restricts the personal information that net providers can collect from children under 13 without the permission of their parents. However, enforcing the law may be difficult because of the attitude of children in relation to giving such information. A survey by the Annenberg Public Policy Centre[44] concludes that adults and children alike are providing unprecedented information about their personal and family lives, for example by providing profiles of their interests, likes and dislikes. Also disturbing was the fact that many parents and children do not realise that firms are gathering information about consumer preferences without their knowledge, through the use of such devices as cookies. Also problematic is that children have a different attitude to their parents regarding the release of such information. The study found that 41% of those surveyed had already had family disputes about the release by children of personal information over the web. Clearly, if privacy concerns are to be addressed, law reform is not enough. Children need to be educated about the use of the Net and the means used by web providers to gather information and build profiles.

10. Implications for E-businesses

Businesses seeking to emulate best practice in the area of privacy protection should:

• Make privacy protection an integral part of overall business compliance and management

• Develop a privacy policy that is written in plain English

• Highlight the privacy policy and link to it on every page

• Allow consumers to access their personal information

• Allow consumers to correct inaccurate information

• Give consumers a choice about whether they could be contacted again for marketing purposes

• Provide consumers control over whom the information could be disclosed to.

• Provide a complaint and dispute resolution procedure to redress consumer complaints about their privacy protection

• Be active in promoting privacy protection by the industry. It is good business to do so. For example, some governments are seeking agreement of all pharmaceutical dealers to develop compatible technology, information processes, standards and online policies.

• Consider using a Third-Party Verification Service that will provide you with a seal and independent audit of your site

• Monitor legislative developments

• When in doubt seek legal advice

11. Comparative and International Developments

The issue of privacy regulation exemplifies the contrasting approaches of Australia/North America and Europe. Europeans, for example, regard private regulation as tantamount to no regulation, or certainly insufficient regulation. In North America and Australia, in contrast, self-regulation is seen as an excellent way to achieve the balance between consumer concerns and business needs. In the employment context, an email/web usage policy seeks to balance the interests of employees against those of the employer. In reality, there is evidence that both systems work. Also, the differences between the two approaches are not as great as they seem. This is because the European directives are written in broad language that allows for, and requires, individual firms to flesh out the detail. In the case of private regulation, such regulation takes place ‘within the shadow of the law’. For example, in Australia, private codes must be consistent with the broad privacy protection principles. They also operate within the context of broad legislation such as the Trade Practices Act.

The US is presently debating the Online Privacy Protection Act of 1999 (Senate Bill 809), the Consumer Privacy Protection Act of 2000 (S 2606) and the Consumer Internet Privacy Enhancement Act of 2000 (S 2928).[45] Senate Bill 2928, for example, would make it unlawful for a Web site to collect personal identifying information online from a user unless the site operator provides notice to the user and offers the user an opportunity to limit the use of the information for marketing purposes. The Bill directs the FTC to contract with the National Research Council of the National Academy of Sciences for a study of privacy that would examine the causes of concern about privacy in the information age and the strategies for responding to those concerns. The bill would require operators of web sites to provide notice on the site in a 'clear and conspicuous manner' of the identity of the operator, what personal information is collected, how the operator uses the information, and what information may be shared with other companies. The bill adopts an 'opt-in' model that requires companies to seek direct permission to use consumers' information in any fashion. An 'opt-out' model would require Net operators to stop using the information in certain ways, but does not require direct permission to use that information.

12. Conclusion

From the above discussion of privacy developments occurring in Australia and elsewhere, it is possible to draw a number of conclusions. First, as shown by the planned introduction of a regime to cover the private sector, it is clear that fundamental structural changes are occurring in relation to privacy. Not only is there a need to balance business efficacy and consumer expectations, but there is also the question of whether the online environment is sufficiently unique to require special privacy protection. The more conservative view is that online and traditional commerce should be subject to the same legal regime; that in the end, privacy is privacy is privacy. Given the broad language encompassed in the privacy principles as well as the flexibility inherent in s 52 of the Trade Practices Act, this makes some sense. Secondly, this structural change perhaps also suggests a different mindset. No longer will the regime be focused primarily on government collection of information. Privacy is of concern generally and both public and private sector organisations should comply with public and consumer expectations. This, in turn, means that more attention should be given to finding out what consumers want and expect in relation to safeguarding their privacy. Third, regulators and industry seem now intent on working together to lift the privacy bar. Fourth, this bar will be enforced by sanctions, whether from the Privacy Commissioner, industry code or other source. Fifth, we are seeing that countries and firms that have an adequate level of privacy protection will have a marketing edge and competitive advantage in the emerging global economy.

Finally, it must be acknowledged that getting consistency of privacy protection, especially across all jurisdictions is very difficult to achieve.

Yet, the only constructive way forward is to keep pushing for a global convergence of privacy regulation. As concluded by a recent Federal Trade Commission Report,[46] it is not desirable for each country to impose a separate privacy regime. Any other course of action would: "Encourage a race to the bottom, reducing protection on a global scale." It would also frustrate law enforcement efforts, impede informed decision making by consumers and deprive consumers of meaningful access to judicial recourse. Eventually we will need a global agreement if global online business is to become a reality.

References and Further Reading

Anthes, G (1993) ‘Study Cites Software Industry Growth, Piracy Problems’, Computer World, March 29, p. 119.

Akindemowo, O (1999). Information Technology Law in Australia, Sydney, LBC Information Services.

Attorney General’s Department, The Government’s proposed legislation for the protection of privacy in the private sector Information paper, September 1999, http://law.gov.au/infopaper/infopaper.pdf.

Branscomb, A (1994) Who Owns Information? From Privacy to Public Access, NY, Basic Books.

Campbell, D and Connor, S (1986), On the Record: Surveillance, Computers and Privacy, London, Michael Joseph.

Clarke, R (1998), ‘Serious flaws in the National Privacy Principles’ 4 PLPR 176.

Connors, J & Smith, F (1984), The Legal Protection of High Technology, Melbourne, BLEC.

Data Protection Bill (Victoria) Discussion Paper. http://www.mmv.vic.gov.au

Davey, K (1997), ‘Privacy protection for Internet e-mail in Australia—part 1’, Computers & Law, No 33, June, p. 8; part 2, No 34, December 1997, at 2; part 3, No 35, April 1998, at 21.

Douglas, R and Jones, M (1993), Administrative Law, Sydney, Federation Press.

Greenleaf, G (1989) ‘The Privacy Act 1988: Half a Loaf and Other Matters’ 63 ALJ 116.

Greenleaf, G & Waters, N (1988) ‘Private Parts: Self-Regulation on One Wing’ 5 Privacy Law and Policy Reporter, 20.

Greenleaf, G (1996) ‘“Interception” on the Internet—the risks for ISPs’, 3 Privacy Law and Policy Reporter 93.

Greenstein, M & Feinmann, TM (2000) Electronic Commerce: Security, Risk Management and Control, Boston: Irwin McGraw Hill, pp. 45-46, 55.

Gunning, P (2000), ‘Legal aspects of privacy and the Internet’, in A Fitzgerald et al., Going Digital 2000, Sydney, Prospect Publishing.

Hughes, G (1991), Data Protection in Australia, Sydney, LBC Information Services.

Hughes, G & Sharpe, D, Computer Contracts: Principles and Precedents, Sydney, LBC Information Services, looseleaf.

Hughes, G (1990) (ed), Essays on Computer Law, Melbourne, Longman Professional.

Hughes, G (1990) ‘The Development of Personal Data Protection Laws in Australia’, in G Hughes (ed) Essays on Computer Law, Melbourne, Longman Professional, 182-196.

ICC (1991), Protection of Personal Data: An International Business View, Doc No 373/128, 4 October, p. 7.

Kirby, Justice Michael (1990), ‘Legal Aspects of Informatics and Transborder Data Flow’, in G Hughes (ed) Essays on Computer Law, Melbourne, Longman Professional, 197-214.

National Telecommunication Infrastructure Administration, Department of Commerce, Privacy and Self-Regulation in the Information Age, http://www.ntia.doc.gov/reports/privacy/privacy rpt.htm

New South Wales Privacy Committee (1995), Big Brother’s Little Helpers, No 66, 1.

New Technologies: A Challenge to Privacy Protection? Strasbourg, Council of Europe, 1989.

Organisation for Economic Co-operation and Development (1980) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, Paris, OECD.

Paterson, M (1998) ‘Privacy protection in Australia: the need for an effective private sector regime,’ Federal Law Review, vol 26, pp 580-604.

Federal Trade Commission (2000), Privacy Online: A Report to Congress, http://www.ftc.gov/reports/privacy3/index.htm

Robins, MD (1998), ‘Electronic Trespass: an Old Theory in a New Context’, The Computer Lawyer, no 7, July, p. 1.

Roy Morgan Research Centre Pty Ltd (1999) ‘Big Brother bothers most Australians’ in Bulletin 30 August, at http://www.roymorgan.com/polls/1988/3221/

Scollary, M (1997), ‘Information Privacy in Australia; A national scheme for fair information practices in the private sector’ 4 PLPR 42.

Taylor, G (1998), ‘Legitimate interception or total overkill?’ 1 Internet Law Bulletin 11.

Tealby, J (1999), ‘E-mail & Privacy at Work’ Journal of Law and Information Science vol 10(2), 207.

Waters, N (1998), ‘Privacy and Outsourcing - The Privacy Amendment Bill 1998’, Privacy Law and Policy Reporter 181.


[1] Eugene Clark is Professor of Law and Pro Vice-Chancellor, University of Canberra. George Cho is an Assoc Prof, Geographic Information Systems and the Law. Both Eugene and George are members of the E-Business Group, National Centre for Corporate Law and Policy Research, University of Canberra. For further details see: www.infosys-law.canberra.edu.au. Parts of this article are derived from the authors' book, Clark, E, Cho, G, Hoyle, A et al (2000), E-Business: Law & Management, Infosys Law, Canberra.

[2] Olsen, S (2000) ‘Tiny new bugs threaten privacy’ Canberra Times, Monday 17 July, pp. 12, 17. See also: www.news.com

[3] Macklin, B (1999), ‘Australian Privacy and Security Website Survey 1999’ Privacy Law and Policy Reporter, October, pp. 45-47.

[4] ‘Internet Privacy Survey Shows Australian Websites Lacking’, Privacy Law and Policy Reporter, Jan 2000, vol 6, no 7, p. 102.

[5] See Hughes, G, ‘Federal Regulation of Databanks’ (1991) March Australian Accountant 87.

[6] Data Matching Program (Assistance & Taxation) Act 1991 (Cth).

[7] Data-Matching Program (Assistance and Tax) Act 1990 (Cth).

[8] See Hughes, G (1994), ‘Government Data Matching to Continue’ 68 Law Institute Journal 488.

[9] Passed on 6 November 1990.

[10] On a related topic see the Data-Matching (Assistance and Tax) Act 1990 (Cth) which is designed to ensure the tax file number system will not be used as a national identification system.

[11] Second Reading Speech, House of Representatives. In Australian Consumer Sales & Credit Law Reporter, Sydney, CCH, 1991, 54,659.

[12] Senator Michael Tate, Minister for Justice and Consumer Affairs, Media Release, Tuesday, 6 November 1990.

[13] Privacy Amendment Act 1990 (Cth) ss 18K, 18L, 18M.

[14] Ibid, ss 18R, 18S, 18T.

[15] Ibid.

[16] Senator Michael Tate, Minister for Justice and Consumer Affairs, Media Release, 10 September, 1990.

[17] See http://www.privacy.gov.au/publications.

[18] TRUSTe is a non-profit organisation issuing a seal. The objective of TRUSTe is to promote online privacy awareness and increase consumer confidence about the collection and use of private, personal information. See Greenstein & Feinman 2000: 45.

[19] For example, to lure customers to a site on the basis of a privacy policy that is not in fact complied with, may be misleading and deceptive conduct in breach of s 52 of the TPA.

[20] The Commonwealth Government has issued a Consultation Paper found at http://law.gov.au

[21] For example, the European Directive on the Protection of Personal Data and on the Free Movement of Such Data, Art 25(1) provides: local law must restrict flow of data to another country unless there is adequate protection within that country. The US is taking a more self-regulatory approach with overall supervision to be provided by the Federal Trade Commission.

[22] Draft legislation is to be introduced into the House in April-May 2000.

[23] A copy of the proposed amendments can be obtained through the Parliament House website: www.aph.gov.au/legis.htm under Current Bills - Privacy Amendment (Private Sector) Bill 2000.

[24] See eg, Gilchrist, M and Kerin, J (2000), ‘Net Privacy Laws Full of “Loopholes”’, The Australian, Tuesday, August 22, p. 3; Lester, L (2000) ‘Privacy Exemption Queried’, Australian Financial Review, 25 August, p. 66. ‘Media’ is defined as acts or practices done in the course of journalism. Journalism is defined as including the collection, preparation and dissemination of news, current affairs, documentaries and other information for the purpose of making the material available to the public.

[25] Privacy Act as amended, s. 6c.

[26] ‘Related bodies corporate’ is defined under s 50 of the Corporations Law: ‘where a body corporate is: a) a holding company of another body corporate; b) a subsidiary of another body corporate; c) a subsidiary of a holding company of another body corporate, [the bodies] are related to each other.’ A subsidiary is defined in s 46. A body corporate is a subsidiary if and only if: a) the other body controls the composition of the first body’s board; b) controls more than one-half of the maximum number of possible votes at a general meeting of the first body; or c) holds more than one-half of the issued share capital of the first body.

[27] Privacy Act 1988 (Cth), (s52(1)(B)(b)(ii)).

[28] Privacy Act 1988 (Cth), (s52(1)(B)(b)(ii)).

[29] Privacy Act 1988 (Cth), ss54, 55.

[30] Attorney General's Department, The Government's proposed legislation for the protection of privacy in the private sector information paper, September 1999, http://law.gov.au/infopaper/infopaper.pdf.

[31] Telecommunications Legislation Amendment Act 1997 (Cth), s324.

[32] Telecommunications (Interception) Act 1979 (Cth) s 5(1), 'telecommunications system'.

[33] Telecommunications (Interception) Act 1979 (Cth) s 5(1), 'telecommunications system'.

[34] Gunning, P (2000), 'Legal aspects of privacy and the Internet', in A Fitzgerald et al, Going Digital 2000, Sydney, Prospect Publishing at 225-226.

[35] In Victoria, for example, it is an offence for a person to gain access to or enter a computer system or part of a computer system without lawful authority to do so: Summary Offences Act 1966 (Vic), s 9A.

[36] See Director of Public Prosecutions v Murdoch [1993] VicRp 30; [1993] VR 406.

[37] Crimes Act ss 76B and 76D.

[38] Ibid, s 76C.

[39] Ibid, ss 76C and 76D.

[40] Ibid, ss 85ZD-85ZH.

[41] A free version can be downloaded from www.pgpi.com

[42] Found at: www2.epic.org/reports/crypto.2000.

[43] Australian Financial Review, 4 April 2000, p. 48.

[44] Turow, J (2000), The Internet and the Family 2000: The View from Parents, the View from Kids, http://appcpenn.org/

[45] See also Federal Trade Commission, FTC Report: ‘Online Profiling: A Report to Congress’, http://www.ftc.gov/os/2000/07onlineprofiling.htm

[46] Federal Trade Commission Report, Consumer Protection in the Global Electronic Marketplace: Looking Ahead (http://www.ftc.gov).


URL: http://www.austlii.edu.au/au/journals/JlLawInfoSci/2000/2.html