Privacy Law and Policy Reporter
compiled by Nigel Waters
Centrelink is considering the introduction of both electronic service delivery (ESD) and smart cards for its clients. It is intended that these technologies may supplement, and possibly replace, over-the-counter services and enable all transactions, including (eventually) the payment of benefits, to take place on the Internet or at special ATMs that can read the smart cards.
If the plan proceeds, smart cards will be phased in over a long period, starting next year with a special smart card for the administration of child-care benefits. The plan has in-principle government support following the release last year of a Parliamentary report on concession cards: Concession Cards: Who Benefits?
Consultation with the community about the use and introduction of smart cards is at a very early stage. While smart cards and the Internet may prove useful for Centrelink clients, it is important to remember that not everyone will have access to, or will be comfortable using, the technology. There are also real concerns about privacy, consumer protection and a range of practical implementation issues.
The privacy issues fall into two categories:
1. Issues relating to the types of information collected on the cards and control over use and disclosure of this information.
2. Issues relating to ‘function creep’ (the term used to describe the process by which a technology or product is introduced for one purpose, but its functionality is gradually expanded to include more and more privacy intrusive applications).
The privacy protections that must be put in place as such a system develops will need to be able to address both the public and private sector. This is particularly so as it seems likely that the cards will not be issued as stand-alone Centrelink cards, but will share card space with commercial organisations such as banks and health insurers.
To date Centrelink has committed itself to developing an information kit for community information and advocacy organisations, and to conducting workshops with invited privacy and consumer organisations. However, it is to be hoped that efforts such as these will be accompanied by wider public consultation and education.
Chris Connolly. For further information contact Chris Connolly at the Electronic Money Information Centre, tel (02) 9262 4237, email email@example.com
On 27 March in the District Court in Sydney, Skeeve Stevens was sentenced to three years imprisonment for offences under the Commonwealth Crimes Act computer misuse provisions. Stevens had earlier pleaded guilty to charges of inserting data into a computer and unlawful access to computer data.
According to reports, Skeeve, operating under the pseudonym Optik Surfer, had hacked into AUSNet’s computer network in March 1995, two months after he was refused a job with the company. Using the user account and password details of AUSNet’s technical director, Stevens altered the company’s home page by displaying a message that subscriber credit card details had been captured and distributed on the Internet, and subsequently published some credit card details of identified individuals.
The incident is said to have cost the company more than $2 million in lost clients and contracts, and the widespread publicity about the case has undoubtedly contributed to a general lack of consumer and business confidence in the security of the Internet.
Nigel Waters (Sources: Sydney Morning Herald and Link E-mail list postings)
The EU Data Protection Directive (95/46/EC) must be implemented in the UK by 24 October 1998. The Directive is to be implemented in the form of a new Data Protection Act. The Data Protection Bill received its third reading in the House of Lords on 24 March 1998 and will now proceed to the House of Commons. The Bill is not expected to receive Royal Assent before the summer.
The Data Protection Registrar’s general comments on the Bill have been published in the form of a press release and are available on the Internet, together with a series of short briefing papers on specific issues raised by the Bill: http://www.open.gov.uk/dpr/dprhome.htm. A revised version of our paper ‘Preparing for the New Law’ will also be available on the website shortly.
(Source: UK Data Protection Registrar’s Homepage)
In view of the current interest in the effect of the European Union Directive, which takes effect in October, the following World Wide Web sites should be useful resources for PLPR readers.
The Commission of the European Union’s Directorate-General XV, which is responsible for the Data Protection Directive and related matters, has a range of information available at http://europa.eu.int/comm/dg15/en/index.htm
Included on the site are the texts of the Directive itself, papers issued by the Art 29 Working Party, news and background information, and links to other international instruments.
In a press release dated 27 January (see http://europa.eu.int/comm/dg15/en/index.htm), the EU Commission (DGXV) said that the Commission is seeking to negotiate within the Council of Europe the drafting of ‘guidelines for the protection of individuals with regard to the collection and processing of personal data on the information highways’. These recommendations, though not binding, would call upon member countries to secure their adoption by businesses, users and authorities. The Commissioner responsible, Mr Monti, stressed the seriousness of the social and economic implications of the proposal and gave his assurance that the Commission will see to it that it is compatible with EU directives and actively promotes the protection of privacy.
The Commission intends to see to it that the work embarked on by the Council of Europe in this area ensures a comparable level of protection and does not interfere with the Directives’ implementation. The procedure for amending guidelines is the same as for amending Council of Europe recommendations and the legal effects of both types of instrument are similar. The guidelines are thus not binding, but by adopting them the member countries of the Council of Europe commit themselves politically to supporting the measures proposed and to recommending their implementation by businesses, users and authorities.
The release goes on to say that:
During the work of the competent Council of Europe bodies the Commission will pay particular attention to:
The Council of Europe (which has a broader membership than the European Union) has had an active involvement in data protection policy since the 1970s, including passage of the influential Convention 108 of the Council of Europe for the Protection of Individuals with regard to Automatic Processing of Personal Data in 1981. The Council has a lot of useful material on its web site at http://www.coe.fr/DataProtection/, including links to the text of the Convention itself and of the various Recommendations issued by the Council over the years. There is a useful overview and history of the Council’s data protection work at http://www.coe.fr/DataProtection/emission.htm. There does not yet appear to be any reference to the current guidelines work referred to in the EU press release featured above.
Nigel Waters, Associate Editor.