AustLII Home | Databases | WorldLII | Search | Feedback

Privacy Law and Policy Reporter

Privacy Law and Policy Reporter (PLPR)
You are here:  AustLII >> Databases >> Privacy Law and Policy Reporter >> 1997 >> [1997] PrivLawPRpr 4

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

Dixon, Tim --- "Communications Law Centre wants IPPs revised in line with Australian Privacy Charter" [1997] PrivLawPRpr 4; (1997) 3(9) Privacy Law & Policy Reporter 171

Communications Law Centre wants IPPs revised in line with Australian Privacy Charter

Extracts from the CLC submission on the Discussion Paper

The focus of the following remarks is on strengthening the privacy principles which will form the foundation of the new privacy legislation. ... The proposals are largely based on the principles contained in the Australian Privacy Charter.

The main weakness in the Government's proposal is the attempt to apply the IPPs almost unchanged to the private sector. The IPPs, based on the 1981 OECD Guidelines, reflect thinking on the major privacy issues from 20 years ago. Legislation implemented in the late 1990s should take account of more recent developments.

Principle 1 -- Justification

One of the greatest weakness of most privacy and data protection legislation is that it generally only addresses privacy issues raised by new technologies and systems in their final stages of implementation. Privacy legislation does not address the threshold question of whether there is adequate justification in the first instance for the use of a new technology which may compromise personal privacy.1 Some advocates have argued that because privacy legislation often only regulates information practices, its effect may be to legitimise systematic privacy invasion by failing to stop new technologies and systems which represent an unacceptable invasion of personal privacy.2

The Privacy Charter proposes that any new system, technology or practice which may affect personal privacy should face initially be justified as being in the public interest before proceeding. This could be implemented systematically through conducting privacy impact assessments (PIA), which have been defined as `a process whereby a conscious and systematic effort is made to assess...any actual or potential effects that [an] activity or proposal may have on individual privacy and the ways in which any adverse effects may be mitigated.'3 Based around the concept of the environmental impact assessment, an effective PIA would involve public consultation, the appropriate use of expertise, and independence. It should be integrated into the decision making process of both the public and private sectors. PIAs have been described by a NZ privacy expert as the `third generation of privacy protection'.4 The introduction of a PIA process was also supported by the former Telecommunications Industry Ombudsman.5 It has also been advocated by the Information and Privacy Commissioner of British Columbia:

The preparation of privacy impact statements by a government agency or a private sector concern should be an essential prerequisite to the promotion and application of a new technology. This should be done as far down in the agency/organisation as possible in order to reflect the realities of information practice and to raise sensibilities among managers of operational units about the identification and preservation of privacy interests.6
The advantages of implementing the justification principle through a process of privacy impact assessment are that it:

* allows for consideration of privacy issues in advance of privacy erosion rather than retrospectively;

* may deal comprehensively with privacy issues including those which are not covered by the existing IPPs;

* can operate as a means to raise public awareness of potential threats to privacy;

* could enhance consistency in assessment and regulation of practices and technologies which may affect privacy;

* without unduly adding to a firm or industry's costs, it would actively involve developers in thinking through the privacy implications of proposed activities;

* ultimately may allow the community to exercise a more informed choice and `to opt for a more privacy friendly, but equally effective alternative'.7

A similar means would be a requirement that the privacy principles be taken into account in the design, development and modification of information systems. This would allow compliance issues to be addressed earlier in the development of systems, encouraging systems developers to choose more privacy-friendly options.

The proposed functions of the Privacy Commissioner are broad enough to encompass investigating new technologies and systems which may affect personal privacy.8 However, in the absence of any systematic process by which to do this, these issues will only be examined on an ad hoc basis, generally because either a regulatory agency or community organisation gives the issue a high enough profile.9 Technologies are often implemented with little or no public consideration of their impact on privacy. Examples include the development of personal data profiling practices, the use of video surveillance in workplaces and public places, and biometric identification.

Principles 6-9 -- beyond information privacy

Freedom from surveillance, privacy of communications, private space and

<3 PLPLR 172>

physical privacy -- The Charter is based on a belief that privacy principles should go beyond information privacy. The inclusion of principles recognising the rights of individuals to freedom from surveillance and privacy of communications would bring within the ambit of the Privacy Commissioner issues such as the use of listening devices on telephone lines and video surveillance (including surveillance of future videophone services), and interception of email. Under current proposals these can be investigated by the Commissioner but because they generally fall outside of the range of the Information Privacy Principles, the Commissioner would not be able to take action to compensate an individual or prevent repeat incidents.

Principle 10 -- Anonymous Transactions

The right to anonymity has emerged as a crucial issue during the debate over the introduction of smart card technologies. The principle states that people should only be required to identify themselves in transactions when there is a substantial public interest reasons why an individual should be identified. This principle establishes an individual's right to anonymity in communications such as making a telephone call, or sending an e-mail message. The advantage of including the right to anonymity within the IPPs is that it gives a principled basis to arguments in favour of an individual's right to per line and per call blocking of CND, and to the use on the Internet of anonymous remailer services which can make the source of correspondence anonymous. The right to anonymity strengthens the protection of free speech, although it may of course also widen the scope for defamatory comments and hate speech. Exceptions to this principle would include transactions which require an ongoing relationship between an individual and an organisation and which involve a significant level of risk, such as the provision of credit, or air travel.

Principle 17 -- Public Registers

Public registers such as electoral rolls, births and deaths records, and land and titles records, contain a limited range of personal information. Traditionally, public registers have been excluded from privacy legislation. More recently there has been a move away from excluding public registers from privacy regimes, such as with the NZ privacy legislation. The Privacy Charter Council concluded that given technological developments, there is a strong justification for controls over access to public registers, given that individuals often do not consent to the collection of personal information for public registers, but are legally required to provide it.

Principle 18 -- No Disadvantage

This principle establishes that people should not be disadvantaged by asserting their right to privacy. Experience in the US has shown that organisations sometimes establish information collection practices which are described as `voluntary' but which financially disadvantage individuals who do not identify themselves or provide personal information. Privacy would thus come at a premium price, undermining its status as a fundamental right. The Charter states that the provision of reasonable facilities for the exercise of privacy should be a normal operating cost for business.

Media privacy

While the Discussion Paper notes that there are special issues associated with privacy protection and the media, it does not outline options for implementing privacy protection in the media. A number of self-regulatory Codes in the media industry provide guidelines for protecting the privacy of individuals... Complaints are also received and investigated by bodies including the Press Council, the NSW Privacy Committee, and the Broadcasting Standards Association.

While existing Codes provide general recognition of the importance of privacy protection, they are too brief to provide significant guidance to journalists in striking an ethical balance between privacy interests and the journalist's task of disclosure. While there are persuasive arguments for why the media should not be included in the scope of general privacy protection, there is nevertheless a need for improving the self-regulatory framework of privacy protection in the media. The interaction of privacy principles with media responsibilities needs to be reviewed, and detailed consideration should be given to the most appropriate framework which may strike a balance between privacy and other interests.

Tim Dixon, research consultant to the Communications Law Centre, prepared this summary. The CLC is based at the University of NSW. Its submission also covered telecommunications privacy issues.

1. This argument has been made by Professor David Flaherty, in Protecting Privacy in Surveillance Societies, University of North Carolina Press, 1989, p 385.

2. Simon Davies, Monitor: Extinguishing Privacy on the Information Superhighway, Pan Macmillan, Sydney 1996 138ff.

3. Blair Stewart, `Privacy impact assessments' < 3 PLPR 61>.

3. Blair Stewart, `Privacy impact assessments' < 3 PLPR 61>.

4. Elizabeth Longworth, Principal, Longworth Associates, Auckland, commentary at IIR Information Privacy conference, Sydney, 12 August 1996.

5. Warwick Smith, Telecommunications Industry Ombudsman, `Privacy in the Telecommunications Industry -- A TIO Perspective', IIR Information Privacy in the Public Sector Conference, 24 March 1995.

6. David H Flaherty, `Suggested Rules for Evaluating the Privacy Impacts of Emerging Technologies', Office of the Information and Privacy Commissioner, Victoria, BC, 30 November 1994.

7. Stewart, p 61.

8. Attorney-General's Department Discussion Paper, pp 22-23.

9. Two examples of this occurring during recent years in Australia are the initiative of Austel in raising issues associated with the introduction of calling line identification technology in its 1992 report, and the introduction of smart card technologies, mainly as a result of the NSW Privacy Committee's 1995 report and work associated with the Smart Card Advisory Network.

AustLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback