Privacy Law and Policy Reporter
Compiled by Graham Greenleaf and Tim Dixon
The Hong Kong legislature has unanimously enacted the Personal Data (Privacy) Bill. The passage of the Bill on 27 July makes Hong Kong only the third jurisdiction outside Europe with a comprehensive law covering both public and private sectors, joining NZ and Quebec. The law is also the first outside Europe to impose restrictions on the exports of personal data to places which do not have adequate privacy laws.
Michael Suen, Secretary for Home Affairs, said that Hong Kong needed the law because the European Community was requiring trading partners to have such laws to enable data exchange. The Government accepted one amendment to require the Commissioner to apply to the High Court before he can ask journalists to reveal sources of information. However, it rejected amendments proposed by the Democrats which sought to limit the exemptions in the Bill, require more extensive reporting of uses of personal information, place greater controls on data matching, and have the legislature approve the appointment of the Privacy Commissioner.
The Bill is based substantially on the recommendations of the Hong Kong Law Reform Commission (see 1 for details), and includes six 'data protection principles' which must be complied with by both the public and private sectors. It establishes a Privacy Commissioner to enforce them. The Reporter's Hong Kong correspondent, Mark Berthold, will provide a comprehensive account of the new law in a future issue.
The NZ Privacy Commissioner, Bruce Slane, has now made extensive information from his office (including details of decided complaints) available via the internet's world-wide-web. The home page (http://www.dete.co.nz/privacy/welcome.html) was announced at the Privacy Issues Forum on 29 June. There is no access charge.
The Australian Government announced in July that it had no plans to add smart card capabilities to the Medicare card. The first indication of such a proposal appeared in an article in the Australian newspaper in March, reporting that 'the Minister for Health and Human Services, Dr Lawrence, is examining a proposal to insert a smart card on the Medicare card to save more than $1.5 billion in the next five years.' It went on to describe proposed changes to the Medicare card and the government's Pharmaceutical Benefits Scheme. The proposal was referred to openly as the 'Medicare smart card proposal' over the next four months.
The 'plan' gained new credibility from an Australian Broadcasting Commission interview with Senator Peter Cook (Minister for Industry, Science and Technology), in which he discussed a proposal for a smart card which could record a 12-month prescription history, and which would produce cost savings in the administration of the Pharmaceutical Benefits Scheme. He added that, in the future, the card might record full medical details, and details relating to education, training, employment and social security.
After the media made strong comparisons between this proposal and the Australia Card proposal (sparked by an article in the June edition of Communications Update), Senator Cook and Dr Lawrence issued a joint press release saying that there were no government plans to introduce a Medicare smart card. The press release stated that 'the only proposal before the government is one from the Pharmacy Guild and the Warren Centre at Sydney University. This proposal is for possible federal funding for a trial which could involve pharmacists and doctors in the Orange area and would offer patients a smart card that could store their prescriptions and medication details such as dosage. This proposal has no Federal Government endorsement and will not be in any way linked to pharmaceutical benefits or other Medicare benefits that a patient receives.'
In light of Senator Cook's earlier comments, privacy and consumer organisations will continue to take an active interest in this proposal because of the potential for any health smart card to act as a platform for further government applications down the track.
The Canadian Province of British Columbia is going ahead with what Information and Privacy Commissioner David Flaherty has described as the only system in the world which will automate prescription information in a public system. In a 1994 report, Flaherty described the system as covering every person's prescription information for the previous 14 months, and making it available in all 700 pharmacies in the country. At that time he was 'not persuaded that the risks outweigh the benefits'. He considered that there was a high risk that police would want to use the system to locate suspects, and that there would be enormous pressure on pharmacy staff to provide corrupt access. While opposing the system he also proposed that it must not go ahead without a legislative code of fair information practices and higher security standards.
A year later, Flaherty states that the outcome of the Pharmanet debate illustrates what he thinks is his appropriate role as a Privacy Commissioner (speech at University of Victoria School of Law, 7 February 1995). 'We have achieved a privacy code for pharmacists that will have the force of law and be the first of its kind in North America; we have achieved strong security measures', and his office will have audit powers. However, Flaherty says 'at the end of the day I remain opposed to Pharmanet's prescription profile in its present form', because it is mandatory and there is nothing to stop employers or others from demanding a printout from the system. However, in light of a Cabinet decision to proceed, he decided not to 'go to the wall to oppose it' but states that 'residents of his province may balance competing interests differently'. As usual, he is very blunt about his role in the political process, and its limits.
Half a million Australians may be subjected to criminal record checks if SOCOG (the Sydney Organising Committee for the Olympic Games) has its way. An estimated 500,000 applicants for 40,000 jobs at the games are all to be checked by the Federal Attorney-General's Department on behalf of SOCOG, but the Attorney-General's Department will only advise SOCOG that an applicant is not acceptable (but will not disclose the record to SOCOG), according to press reports. NSW Privacy Committee Chairman Chris Puplick has attacked the proposed screening of applicants as 'excessive', as it will include 'volunteers who work for a day' on low-security tasks. It appears that SOCOG's approach bears little resemblance to accepted privacy principles, but they can get away with it in the privacy vacuum in NSW caused by the lack of effective legislation.
(Source: Nathan Vass, Sydney Morning Herald, 29 July 1995)
The ever-handy Tax File Number has attracted the attention of the Senate Select Committee on Superannuation, which in a February 1995 report has recommended that the relevant legislation be amended to allow the TFN to be used for superannuation purposes. The proposed uses are not only tax-related but include transfer of benefits and internal fund administration. The uses are to be 'subject to members' consent'. All tax-related use of the TFN here is, of course, voluntary in theory. Organisations such as the Australian Federation of Consumer Organisations (AFCO) and the Privacy Commissioner (in relation to an early draft) had supported some further use of TFNs already collected. The arguments against 'function creep' have once again lost the day.
The Australian Privacy Commissioner held a meeting on 27 July 1995 of organisations interested in the privacy implications of data profiling, prompted by the release of his office's information paper on the subject (see review this issue). Of the 50 or so attendees, a substantial number were from banks and the financial industry, where credit scoring methods are widespread. Insurers attended but said nothing. Some Commonwealth agencies such as Social Security and Veterans' Affairs attended and were fairly frank about their activities. However, the big profiling user, the Tax Office, was unrepresented despite being invited. The main achievement of the meeting seemed to be to 'clear the air' to establish that many users of profiling recognise privacy issues and the potential need for some type of regulation, and that consumer and privacy representatives did not have any blanket opposition to profiling practices. The Commissioner's office insisted it did not have any 'regulatory agenda' and it is uncertain as yet what further steps will be taken.