Privacy Law and Policy Reporter
The Australian Privacy Charter Council aims to make the Privacy Charter, launched recently, one of the major privacy protection initiatives of the 1990s. The Privacy Charter sets out 18 general privacy and data protection standards whose content reflects the range of issues associated with the right to privacy in the 1990s. These principles are intended for uniform application across all sectors of the economy. The Council aims to take privacy protection beyond the regulatory environment and into the private sector as an issue of best practice.
The development of the Privacy Charter was initiated in August 1992 by Justice Michael Kirby, President of the NSW Court of Appeal; Graham Greenleaf, Associate Professor of Law at the University of NSW; and Simon Davies, Director-General of Privacy International. Justice Kirby chaired the Council through the process of developing the Charter.
The Privacy Charter Council brought together a wide range of experts from law, academia, information technology, finance, telecommunications, media, entertainment, health, civil liberties and privacy advocacy. These individuals were selected for the expertise they were able to contribute to the development of the Charter. The Council's purpose was to establish a clear statement of the meaning of the right to privacy for Australians, and to spell out principles to guide organisations and individuals in observing this right.
A draft copy of the Privacy Charter was circulated in late 1994 (see (1994) 1 PLPR 136) for comment and response both locally and internationally. After final amendments, the Privacy Charter was launched by Justice Kirby, Graham Greenleaf and Janine Haines at a meeting in the NSW State Parliament House on 6 December 1994.
The Privacy Charter is designed as a set of privacy standards able to address the technologies of the 1990s and beyond, without the limitations of being technology-specific. Currently, privacy regulation is largely based on the 1981 OECD Guidelines governing the protection of privacy and transborder flows of personal data. While these guidelines have set international standards in establishing fair information practices, they are now more than 15 years old. The OECD guidelines do not address a range of issues which have emerged due to technological developments since the late 1970s.
The measures required to protect personal privacy have changed in the last 15 years. Information privacy issues now focus on the development of networks and the rapid exchange of information around the nation and around the globe. The privacy debate now goes beyond information privacy issues into a range of surveillance, communications and other technology issues. Information privacy remains the prominent issue in privacy protection, with developments such as the Internet, computer-matching and profiling in recent years. But a range of other developments including smart cards, biometric identification, genetic testing, and surveillance technologies have widened the scope of debate over the right to privacy.
The second purpose of the Privacy Charter is to address the existing inadequacies of data protection laws by establishing a benchmark for privacy legislation. Despite the sophistication of expertise which has been developed in privacy protection, coverage of privacy laws remains patchy and inconsistent. The extent to which Australians can assert a right to privacy is heavily constrained. Many activities involving the collection and use of personal information remain unregulated, and there are few protections against the intrusions of modern surveillance technologies. In the sectors where legislation does apply, its effectiveness is being eroded by other technological and administrative developments. As Australia's Federal Minister for Justice, Duncan Kerr, argues in an address in this issue of the Reporter, the changing technological environment demands a reassessment of the adequacy of privacy protections.
The third purpose of the Privacy Charter is to establish best practice guidelines for privacy protection in the private sector. Privacy and data protection measures have often been seen in a regulatory context as a matter of minimum compliance with legislative provisions. In countries such as Australia and the US, where the private sector has remained largely unregulated by privacy and data protection legislation, this has meant that private sector practices have fallen short of public expectations.
Businesses are becoming more aware of privacy as an issue of importance quite apart from any regulatory requirements. Increasingly, consumers expect that companies operate fair information handling practices, such as allowing access to records of personal information. Some industries have developed self-regulated codes of practice relating to the handling of personal information, perhaps anticipating the potential of privacy legislation extending to the private sector. The Charter assists in assessing the adequacy of such codes.
The Council's belief is that the private sector should not wait for the passage of legislation to take measures to protect the privacy of customers and employees. Besides being an internationally recognised human right, privacy is an issue of customer service and corporate ethics. The implementation of privacy principles reinforces a relationship of mutual trust between an organisation and individuals. The Charter sets out the reasonable expectations which customers may have of organisations in relation to practices impacting on the right to privacy. The involvement on the Council of a range of individuals from industry and information technology assisted experts in the process of developing a set of standards which were realistic to the business context.
The fourth purpose of the Charter is to assist Australians in articulating their privacy rights. Debate over the individual's right to privacy is often dominated by complex legal and technological issues. The privacy principles give individuals a clear guide to the dimensions of their right to privacy. The Charter is therefore able to guide individuals in holding organisations accountable for their privacy safeguards.
The Privacy Charter enhances many of the principles laid down in the Information Privacy Principles on which the Commonwealth Privacy Act 1988 is based. Seven major points of distinction stand out:
1. The Privacy Charter establishes consistent, universal standards which do not discriminate between public and private holdings of personal information. The rationale of the public-private information distinction no longer exists in an era of large private sector aggregations of personal information, data exchange between the public and private sectors, and outsourcing of many public sector data processing functions to the private sector. The European Union's Directive on the processing of personal data, passed by the Council of Ministers on 20 February 1995, also applies uniform standards to public and private data.
2. Just as the privacy principles apply to information in the private sector, under principle 17 they also apply to personal information on public registers. This principle addresses the fact that a substantial amount of personal information is collected on public registers such as electoral rolls, land titles information, company share registries, and electronic white pages telephone directories. It has long been held that this information should be accessible to the public. However, as manual records have been computerised, it has become possible to use this information for purposes other than those of its original collection. In fact, privacy protections may be even more strongly justified for public registers than for many other data collections, given that individuals often do not consent to providing this personal information, but are required to provide it under legislation. An exception from the principles permits public access to the extent required to achieve a specific purpose.
3. The Charter requires organisations to be accountable for their practices relating to the observance of the privacy principles. The third principle states that an identifiable person within an organisation should be responsible for ensuring compliance with the principles. This addresses the common problem that organisations fail to establish clear lines of responsibility for the implementation of measures to protect privacy. The person who takes responsibility for the implementation of the principles should preferably have an understanding of the organisation's information practices, while also occupying a sufficiently senior role to ensure that the necessary measures to ensure the observance of each principle are enacted (in accordance with the fourth Charter principle on observance).
4. The Privacy Charter establishes that the scope of the right to privacy expands well beyond data protection. Principles 6 to 9 of the Charter include a right to freedom from surveillance, privacy of communications, private space, and freedom from interferences with physical privacy. These provisions address a range of new technological applications which have the potential to affect the individual's right to privacy.
5. A right to make anonymous transactions is established in principle 10 of the Privacy Charter. As with other principles in the Charter, this is subject to exceptions, providing there is a high degree of justification. Transactions which require an ongoing relationship between an individual and an organisation and which involve a significant level of risk, such as the provision of credit, or air travel, would be an exception. But identification should not be required in circumstances where a high degree of justification does not exist, such as when an individual travels on a bus, makes a telephone call, or makes purchases.
6. Principle 18 establishes that people should not be disadvantaged by asserting their right to privacy. There is a danger organisations will establish information collection practices which are described as 'voluntary' but which heavily penalise individuals who do not identify themselves or provide a range of personal information. The Charter states that the provision of reasonable facilities for the exercise of privacy should be a normal operating cost for business.
One current application of this principle relates to the introduction of calling line identification technology on telecommunications networks. Customers should not have to pay for the exercise of line-blocking or call-blocking facilities to prevent the display of the caller's telephone number. Similarly, this principle has application to customer loyalty schemes which allow organisations to develop extensive databases on a consumer's spending patterns by only allowing discounts if consumers identify themselves in transactions.
7. The Charter also makes a range of less conspicuous changes to existing privacy principles. Principle 2 establishes that when organisations gain consent from individuals for the collection of their personal information, individuals should be given a genuine choice, should be fully informed as to the implications of giving consent, and should have a right to withdraw this consent at a later time.
The Charter also requires a clear justification for technologies, systems or services likely to impact on personal privacy (principles 1 and 5). These provisions may best be implemented through the process of a Privacy Impact Statement, a concept which has been used in the US and is embraced by the Telecommunications Industry Ombudsman, Mr Warwick Smith, in an excerpt from an address in this issue.
The aim of the Privacy Charter is to set a benchmark for the future of privacy protection. In this regard it is noteworthy that several of its new provisions relating to information privacy are echoed in the ten principles of the Canadian Standards Association Model Code for the Protection of Personal Information, a draft copy of which has recently been released. These principles relate to:
(b) identifying purposes;
(d) limiting collection;
(e) limiting use, disclosure and retention;
(i) individual access; and
(j) challenging compliance.
The Charter Council is now promoting the Privacy Charter throughout Australia. It aims to develop explanatory memoranda on the implementation of the Charter in various sectors through separate expert groups. Some of the areas which expert groups are likely to cover include legislation, health care, accounting, telecommunications, information technology, and education.
Further information on the Privacy Charter may be obtained by calling (02) 231-4949, by fax (02) 313 7209, or by writing to the Australian Privacy Charter Council, Faculty of Law, University of NSW, 2052.
Tim Dixon, Secretary, Australian Privacy Charter Council.