Privacy Law and Policy Reporter
In this report, only one aspect of privacy -- protection of personal data -- is considered. The importance of data privacy increases as we cross the threshold into the digitised way of life and become users of the so-called electronic information highway. Many business and government organisations now electronically record details of relationships and transactions and are able to store, collate and analyse vast amounts of data in a time-frame never previously envisaged.
In Australia, the current legal framework provides for patchy protection of personal data. Essentially, the Privacy Act 1988 (Cth) provides regulation of the federal public sector and the consumer credit reference industry. The Privacy Commissioner also has an important public education role in relation to privacy. The private sector and state and territory governments remain largely unregulated. The common law also provides limited protection through a range of special relationships based upon contract or tort law. For example, there is an implied contractual duty in the bank-customer relationship which requires the officers of banks to respect customer confidences. In some other relationships, including doctor-patient, lawyer-client and priest-parishioner, an implied duty is placed upon the professional to respect confidences.
In addition to this, some industries and companies have adopted a voluntary approach to protection of personal data by establishing codes of conduct or some form of self-regulatory framework. For example, Telstra (formerly Telecom) has set up its own privacy committee to monitor this area internally. Data protection is also addressed in the banking industry's Code of Banking Practice.
Pressure is clearly mounting to move from the patchwork of regulations outlined above to a comprehensive set of regulations throughout Australia. There have been a series of reports which have advocated this.1
At international level, the Ministerial Council of the European Union, representing 15 countries, has formally adopted a legally-enforceable Directive or law which provides a minimum set of data protection standards across these countries.2 Moreover, across the Tasman, NZ has enacted comprehensive data protection legislation contained in the Privacy Act 1993. All of this indicates that many major industrialised countries are taking data privacy seriously and enacting sets of fair information principles across the board. At their ministerial meeting in Brussels,3 the G7 major industrialised countries flagged privacy as an issue requiring creative solutions in order to realise the full economic and social benefits of the global information superhighway. The Seoul meeting of APEC ministers responsible for telecommunications and information industry4 declared privacy to be among ten core principles for the Asia Pacific information infrastructure.
Impact of information privacy concerns
With many businesses planning to access the information highway as a medium for sales and marketing, it makes good sense to ensure that potential customers can use it secure in the knowledge that at least some of their basic rights or interests are protected. Without this, potential users may be `chilled out' and not use, or under-utilise, the information highway. Should this occur, the expected social and economic gains will not be realised.
Private sector perceptions
The survey results revealed a high awareness by these business sectors of information privacy as a concern to employees and customers. However, there appeared to be significant inconsistencies in attitudes and practices towards the treatment of personal information collected, even within a given sector.
The majority of organisations sought consent for the collection of data, but there was a notable proportion (approximately 18 per cent) of organisations that did not seek consent from the clients or employees. Of the organisations that sought consent, approximately half sought it prior to collection and half at the time of collection. A majority of those organisations (58.6 per cent) used clauses on application forms to acquire this consent. Only 7.2 per cent claimed the consent was implied into the contract. A small proportion of respondents (10.2 per cent) indicated that their organisation never set out the purposes for which the personal information was collected. Approximately two thirds (67.5 per cent) of the organisations stated that these purposes were always communicated to the employee/client, while one quarter (25.4 per cent) said the purposes were communicated sometimes. In most cases the communication of purposes occurred before or at the time of collection. A very small proportion (1.7 per cent) communicated the purposes after the collection of the data. This practice may be regarded as unusual as it affords little opportunity for the individual to decide whether to divulge the information.
It appears that personal data about clients was more likely to be collected externally than data about employees. `External collection' means that data are obtained from sources outside the organisation concerned. Of the organisations surveyed, 52.7 per cent collected personal data about clients externally, while 27.7 per cent externally collected data about employees.
The questionnaire's third section focused on data management including access to and use of the personal data, disclosure to third parties, security and storage time of the data.
Approximately half of the organisations (49.6 per cent) stated they regard the personal data collected as their own, to use as their organisation wished. This squarely raises the issue of the legal status of the personal data once it has been collected. In the absence of any legal duty, statutory or otherwise, the collectors and users of personal data are at liberty to treat it as they wish. Technically, consumers or employees may have no legal ownership rights to the data.
Less than one quarter (22.1 per cent) restrict the personal data to the relevant division within the company and do not make it generally available.
More than one third of the organisations do not inform the individuals about disclosure of their personal information to third parties. One explanation for this lack of disclosure may be that the lack of privacy regulation results in no importance being attached to disclosure of the data. Other explanations may be that `prior consent' to disclosure was obtained or the disclosure occurred under compulsion of laws like the Income Tax Assessment Act or the Social Security Act.
Over one-fifth (22.2 per cent) of the organisations do not have a formal data security policy. This is significant given that the industries chosen for this survey are data merchants in the sense that they rely upon accurate, timely information flows in their business. Of the organisations that do have a formal policy, the steps taken to ensure data security vary. Most of these organisations (92.3 per cent) prevent unauthorised access, while a majority also control input (75.8 per cent), have staff confidentiality agreements (65.9 per cent), use organisational control (72.4 per cent) and audit data security (57.1 per cent). A minority of the organisations encrypt personal data (27.5 per cent) or control any external processing of the data (31.9 per cent). Of course, the level of security required will vary in accordance with the sensitivity of the data itself and the likely harm caused by unauthorised access to them.
Access and amendment
The fourth section of the questionnaire sought to discover the individuals' awareness of, and access to, the personal data and also the existence of procedures for amendment or deletion.
Almost one quarter (24.3 per cent) of the organisations believed the individuals concerned were not aware of all the information held about them. Further investigation revealed that this proportion increased significantly with increasing size of the organisation, as shown in Table 1 (see p 105).
Credit information was most often listed as a category of personal information of which the individuals were unaware. Other categories of information included medical records, psychological reports, referee and police reports and insurance claim histories. One quarter of the organisations completing this question also identified that the individuals were either unaware or had forgotten the level of detail of the information held about them.
The responses to this question were also analysed according to the type of organisation concerned. The following graph shows the proportion of each segment who believed the individuals concerned were not aware of all the information held about them (see Table 2 on p 105).
In relation to access by individuals to personal information held about them by the organisation, approximately one-fifth of the organisations (22.2 per cent) had no procedure for access by clients and one tenth (11.3 per cent) had no procedure for access by employees. The difference between access procedures for clients and staff was statistically tested5 and found to be significant.6 Interestingly, the size of the organisation appeared to have different impacts on the existence of access procedures. The very large organisations (more than 10,000 employees) appear more likely to provide access procedures to clients, whereas the small organisations (less than ten employees) appear more likely to provide access procedures to employees.
A high proportion of the organisations (81.2 per cent) have procedures allowing requests for amendment of data, while a lesser proportion (60 per cent) have procedures allowing requests for deletion of data.
The fifth section of the questionnaire concerned the ways in which the organisation was currently accountable for personal data privacy protection and staff training in collection, use and disclosure of personal data.
Most of the organisations were accountable for protection of personal data under legislation (89.3 per cent). This could be due to the fact that the sample was focused on the finance sector which is regulated by the Privacy Act 1988 (Cth). Half the organisations were also accountable through industry supervision, leading to concern about industry codes of practice and supervision for the remaining 50 per cent of the organisations. Less than one fifth (18.8 per cent) believed they were accountable for personal data privacy protection by court decisions. Approximately six per cent claimed they were accountable in `other' ways, including internal codes of practice and business ethics.
The graph (Table 3) illustrates the ways in which the various segments of the population considered themselves accountable for the protection of personal data. Interestingly, more than ten per cent of the banks responding to the survey chose not to answer this question (see Table 3 on p 105).
More than one quarter of the organisations (27 per cent) do not train staff concerning the collection, use and disclosure of personal data. The results were analysed by industry segments, and the following graph shows the proportion of each type of organisation which does not provide staff with this type of training (see Table 4 on p 105).
The final section of the questionnaire related to policy considerations, including the importance of information privacy to clients and employees as perceived by the organisation, any competitive advantage in having a formal policy for protection of personal data and the current costs associated with their protection of personal data.
Most organisations (more than 82 per cent) believed that protection of personal data was `extremely' important to their clients and employees, while more than one tenth (11.7 per cent) believed this to be `highly' important. This perception is in line with a recent paper by the Privacy Commissioner,7 which found that Australians viewed the confidentiality of personal information held by government and business organisations as one of the most important social issues. Almost three quarters of the organisations also believed that this issue would increase in importance for both clients and employees in the next five years. There was no statistically significant difference in the perceived importance of this issue for clients compared to employees.
Given that the organisations perceived protection of personal data to be so important to clients and employees, it is interesting to see the mixed results concerning competitive advantage in having a data protection policy. Slightly less than half the organisations thought that there would be competitive advantage within their industry to have a formal policy for protection of personal data. The results appeared to reveal a trend in relation to the size of the organisation -- the larger the organisation, the less likely it would perceive a competitive advantage in this area. When analysed according to the organisation type, the results also revealed that a much higher proportion of the building societies and banks believed there would be a competitive advantage involved here. The following graph illustrates the proportion of each type of organisation believing the possession of a formal protection policy would give a competitive advantage to an organisation in their industry (see Table 5 on p 105).
The Federal Government has stated a commitment to developing information privacy regulation to include the private sector. On a state level, there are also moves afoot to enact legislation and relevant codes of practice to bind not only the relevant state authorities, but also private sector business within that state.
Finally, the authors acknowledge the limited scope of the survey, covering only a small proportion of the private sector. A further extensive study would allow more general findings and would provide useful information for any detailed consideration of a national privacy regime covering the private sector in Australia.
Jennifer Boykett, Hugh O'Reilly & Professor Greg Tucker are from the Faculty of Business and Economics, Monash University. For a copy of the full Report, tel +61 3 9904 4634 or e-mail Jennifer.Boykett@buseco.monash.edu.au
This paper was presented at IIR Conferences' `Information Privacy Conference' Sydney 12 & 13 August 1996.
1. Australian Law Reform Commission, Freedom of Information, Discussion Paper 59, May 1995; Parliament of the Commonwealth of Australia, House of Representative Standing Committee on Legal and Constitutional Affairs, In Confidence: A Report of the Inquiry into the Protection of Confidential Personal and Commercial Information held by the Commonwealth, AGPS, June 1995; National Information Services Council, Agenda Papers from the First Meeting of the Council, 10 August 1995, Office of Chief Scientist, Office of the Prime Minister and Cabinet, Canberra, August 1995.
2. Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 12330/94, ECO291, CODEC 92, Brussels, 20 December 1994.
3. 25-26 February 1995.
4. 29-30 May 1995.
5. Both the t-test for paired samples and the Wilcoxon Matched-Pairs Signed-Ranks test were used.
7. Community Attitudes to Privacy, Human Rights and Equal Opportunity Commission, Sydney, 1995.