Privacy Law and Policy Reporter
The following is an edited text of a speech given by the Federal Minister for Justice, Duncan Kerr, at the Institute for Mercantile Agents National Convention in Tasmania in March. In his speech the Minister reflects on the implications of the information superhighway, suggesting that existing laws may not meet the public's growing expectations of privacy protection. This article is reprinted with permission of the Institute of Mercantile Agents, from 'The Agent', April 1995.
I want to speak about some of the critical issues thrown up by the latest development in the information revolution, the information superhighway.
The Commonwealth is fully committed to ensuring that personal information about individuals is protected from misuse. This principle underpins the Commonwealth's Privacy Act 1988.
The information superhighway offers unprecedented opportunities for individuals and organisations to systematically collect, process and manipulate enormous amounts of information. This raises serious privacy concerns. As a matter of priority, we need to examine whether the standards embodied in the Privacy Act meet the demands of these new technologies.
Legislation must keep up with developments in the cyber revolution. Across government, this is taking place. For example, my portfolio responsibilities include copyright law and I have initiated a wide-ranging review and reform of the Act to take it out of the 1960s from whence it came and into the next century.
Privacy, of course, is by no means the only issue raised by the information superhighway. I'll comment on some of the major factors that need addressing if we are to protect the information highway. These include:
In releasing the Broadband Services Expert Group report, the Prime Minister said being linked to the national information infrastructure is a fundamental right for all Australians.
Privacy is also a fundamental right. People expect to be free from unwarranted intrusion in their private life and activities. People also expect personal data will be protected from any use other than that for which it has been collected.
The government is committed to meeting those expectations.
Issues of human rights and privacy are achieving increasing prominence nationally and internationally. Globally, resources are steadily moving from national security issues to protecting personal data and privacy, and to combating industrial espionage and computer crime.
As I have already mentioned, privacy protections are already embodied in the Commonwealth Privacy Act. Broadly stated, the privacy issues for the information superhighway are similar to those for existing manual and electronic information systems but on a vastly increased scale.
However, two main concerns arise here. The first is that people want assurance that information on how they use the network is protected. Usage patterns are of particular interest and value to various groups such as direct marketers.
The second concern is that people need to feel confident that the content of their information is protected.
There is also the related problem of privacy-intrusive information flowing across the network. For example, both electronic junk mail and anonymous defamatory material are already emerging as problems.
While the data protection standards embodied in the Privacy Act provide a general privacy protection framework, they do not specifically address the dimensions added by the new technologies. Given the enormous data collection and manipulation potential of the information superhighway, these standards need re-examination.
The Privacy Commissioner has already identified a number of underlying assumptions in the Information Privacy Principles as being potentially open to challenge.
First is the assumption that one can identify a single record keeper agency who is responsible for controlling the data in accordance with the principles.
Second, that one can identify separate self-contained systems in which individual organisations control comprehensive blocks of data.
Third, that an organisation holds itself, most, if not all, of the data concerning the performance of its key functions.
Finally, there is the assumption that an organisation has the capacity to amend and rectify the data on which it relies in dealing with individuals.
The result is uncertainty in applying several of the Information Privacy Principles. Of course, uncertainties arising from the information superhighway also extend to those standards as embodied in other parts of the Privacy Act, particularly those relating to credit reporting.
Broadly stated, the Act requires the use of information to be limited to those purposes for which the information is collected, on the basis of informed consent. New technologies create the potential for large-scale capture and interchange of information that could circumvent this principle.
The second standard is that personal information should be protected against the risk of loss or unauthorised access. Historically, the Internet has been an insecure environment. Security controls must be built into the new networks.
The third potentially-affected standard is that individuals are entitled to access and correct information that is held on them. The sheer volume of information on the network will create difficulties in locating personal information, establishing who is responsible for correcting it and ensuring that all copies stored on the network are correct.
Finally, there is the standard on the integrity of information - that it should be up-to-date, accurate and complete. Again, the sheer volume of data causes problems.
In the modern, networked environment, privacy protection will need to focus on the flow of information, as well as the more traditional philosophies of the Privacy Act.
Apart from the Commonwealth Privacy Act, there is little formal regulation of privacy in Australia. Genuine discomfort is emerging in the private sector about the expanding reach of information systems. Some people have a sense of loss of control over their personal information. This is apparent in public attitudes towards reverse telephone directories, automatic dialling equipment and calling line identification. The Government responded by appointing a Telecommunications Ombudsman in 1993. In addition, AUSTEL has established a committee on privacy issues.
The Government is seeking the best way to formulate appropriate regulation to ensure that objectives are met in the most efficient and effective manner. The aim is for the minimum degree of intervention while still achieving policy objectives. Options to safeguard privacy include formal legislation, industry codes, licence conditions or some combination of these.
The new information technologies also demonstrate the need to focus on technology-based controls. These include such things as audit trails, encryption, tokens such as smart cards and passwords which would be the conditions of participation in the information superhighway. At the same time, such a focus must not lose sight of fundamental privacy protection principles.
The information superhighway operates across all regional and national boundaries, challenging all communities, in particular, legislators worldwide, to develop a global perspective on privacy protection. Coherent solutions at an international level are necessary if regulation is to work.
Beyond the domestic scene, Australia is active in international arenas such as the OECD in addressing the types of issues I have just raised. Data protection requires us to look beyond a community's immediate expectations. We also need to look at the expectations of other communities with which we interact. This also applies to legislative requirements which can differ from State to State, not just from country to country.
There is also an emerging community expectation of anonymity of transactions in the new information infrastructures. In much the same way as people sometimes prefer to use cash so there is no record of the transaction, so people are looking for an untraceable means of carrying out some transactions in the superhighway.
Finally, organisations expect data protection and security of information systems, although they often underestimate the importance to them of corporate information. While they might have mechanisms in place to reduce the risk of fraudulent activity or of events such as virus attacks, they overlook the fact that information such as business plans and client lists are valuable to a competitor. In other words, security is an integral part of business, not just an add-on which may be imposed by legislation.
The good news is that the technology needed to solve these problems is being developed nationally and internationally. The framework within which it will operate is also being examined. They illustrate the enormous effort going into planning life with the superhighway. The challenge is to get this right, and to get it right in time.