Privacy Law and Policy Reporter
The focus of the following remarks is on strengthening the privacy principles which will form the foundation of the new privacy legislation. ... The proposals are largely based on the principles contained in the Australian Privacy Charter.
The main weakness in the Government's proposal is the attempt to apply the IPPs almost unchanged to the private sector. The IPPs, based on the 1981 OECD Guidelines, reflect thinking on the major privacy issues from 20 years ago. Legislation implemented in the late 1990s should take account of more recent developments.
The Privacy Charter proposes that any new system, technology or practice which may affect personal privacy should face initially be justified as being in the public interest before proceeding. This could be implemented systematically through conducting privacy impact assessments (PIA), which have been defined as `a process whereby a conscious and systematic effort is made to assess...any actual or potential effects that [an] activity or proposal may have on individual privacy and the ways in which any adverse effects may be mitigated.'3 Based around the concept of the environmental impact assessment, an effective PIA would involve public consultation, the appropriate use of expertise, and independence. It should be integrated into the decision making process of both the public and private sectors. PIAs have been described by a NZ privacy expert as the `third generation of privacy protection'.4 The introduction of a PIA process was also supported by the former Telecommunications Industry Ombudsman.5 It has also been advocated by the Information and Privacy Commissioner of British Columbia:
The preparation of privacy impact statements by a government agency or a private sector concern should be an essential prerequisite to the promotion and application of a new technology. This should be done as far down in the agency/organisation as possible in order to reflect the realities of information practice and to raise sensibilities among managers of operational units about the identification and preservation of privacy interests.6The advantages of implementing the justification principle through a process of privacy impact assessment are that it:
* allows for consideration of privacy issues in advance of privacy erosion rather than retrospectively;
* may deal comprehensively with privacy issues including those which are not covered by the existing IPPs;
* can operate as a means to raise public awareness of potential threats to privacy;
* could enhance consistency in assessment and regulation of practices and technologies which may affect privacy;
* without unduly adding to a firm or industry's costs, it would actively involve developers in thinking through the privacy implications of proposed activities;
* ultimately may allow the community to exercise a more informed choice and `to opt for a more privacy friendly, but equally effective alternative'.7
A similar means would be a requirement that the privacy principles be taken into account in the design, development and modification of information systems. This would allow compliance issues to be addressed earlier in the development of systems, encouraging systems developers to choose more privacy-friendly options.
The proposed functions of the Privacy Commissioner are broad enough to encompass investigating new technologies and systems which may affect personal privacy.8 However, in the absence of any systematic process by which to do this, these issues will only be examined on an ad hoc basis, generally because either a regulatory agency or community organisation gives the issue a high enough profile.9 Technologies are often implemented with little or no public consideration of their impact on privacy. Examples include the development of personal data profiling practices, the use of video surveillance in workplaces and public places, and biometric identification.
<3 PLPLR 172>
physical privacy -- The Charter is based on a belief that privacy principles should go beyond information privacy. The inclusion of principles recognising the rights of individuals to freedom from surveillance and privacy of communications would bring within the ambit of the Privacy Commissioner issues such as the use of listening devices on telephone lines and video surveillance (including surveillance of future videophone services), and interception of email. Under current proposals these can be investigated by the Commissioner but because they generally fall outside of the range of the Information Privacy Principles, the Commissioner would not be able to take action to compensate an individual or prevent repeat incidents.
While existing Codes provide general recognition of the importance of privacy protection, they are too brief to provide significant guidance to journalists in striking an ethical balance between privacy interests and the journalist's task of disclosure. While there are persuasive arguments for why the media should not be included in the scope of general privacy protection, there is nevertheless a need for improving the self-regulatory framework of privacy protection in the media. The interaction of privacy principles with media responsibilities needs to be reviewed, and detailed consideration should be given to the most appropriate framework which may strike a balance between privacy and other interests.
Tim Dixon, research consultant to the Communications Law Centre, prepared this summary. The CLC is based at the University of NSW. Its submission also covered telecommunications privacy issues.
1. This argument has been made by Professor David Flaherty, in Protecting Privacy in Surveillance Societies, University of North Carolina Press, 1989, p 385.
2. Simon Davies, Monitor: Extinguishing Privacy on the Information Superhighway, Pan Macmillan, Sydney 1996 138ff.
3. Blair Stewart, `Privacy impact assessments' < 3 PLPR 61>.
3. Blair Stewart, `Privacy impact assessments' < 3 PLPR 61>.
4. Elizabeth Longworth, Principal, Longworth Associates, Auckland, commentary at IIR Information Privacy conference, Sydney, 12 August 1996.
5. Warwick Smith, Telecommunications Industry Ombudsman, `Privacy in the Telecommunications Industry -- A TIO Perspective', IIR Information Privacy in the Public Sector Conference, 24 March 1995.
6. David H Flaherty, `Suggested Rules for Evaluating the Privacy Impacts of Emerging Technologies', Office of the Information and Privacy Commissioner, Victoria, BC, 30 November 1994.
7. Stewart, p 61.
8. Attorney-General's Department Discussion Paper, pp 22-23.
9. Two examples of this occurring during recent years in Australia are the initiative of Austel in raising issues associated with the introduction of calling line identification technology in its 1992 report, and the introduction of smart card technologies, mainly as a result of the NSW Privacy Committee's 1995 report and work associated with the Smart Card Advisory Network.