Privacy Law and Policy Reporter
Privacy and consumer advocates and organisations involved in the discussions leading to the National Principles for the Fair Handling of Personal Information of February 1998 (see (1998) 4 PLPR 165 for text) have withheld any endorsement of the Principles, and may yet reject them.
The privacy and consumer groups prepared a Position Statement setting out revisions which they believe need to be made to the ‘National Principles’, in order to ensure that they ‘provide a minimum level of information privacy protection, sufficient to at least provide Australians with an acceptable set of rules, and to satisfy any reasonable test of international adequacy’. The full text of the proposed changes follows.
The Position Statement was discussed at a meeting between the Privacy Commissioner, business representatives, and privacy and consumer advocates on 31 August 1998. The meeting was called by the Commissioner to discuss informal comments on the ‘National Principles’ by Directorate General XV of the European Commission (some of which were critical), to discuss the changes necessary to the Principles because of the acknowledged deficiencies in the law enforcement clauses (see (1998) 4 PLPR 162), and as part of the review after six months that the Commissioner had indicated would take place.
The Commissioner has not yet indicated whether she is willing to make any of the changes proposed in the Position Statement, but did indicate reluctance to make major changes. The privacy and consumer groups have stated that, when the Commissioner’s response is received, they will decide whether they will endorse the Principles, reject them outright, or adopt some qualified approach. Until then they are simply reserving their positions.
The current status of the National Principles for the Fair Handling of Personal Information is somewhat uncertain. Consumer and privacy groups have not endorsed them. Only a very limited range of business organisations have endorsed them or shown interest in implementation, among them the banking, insurance, direct marketing and retailer organisations. The Ministerial Online Council only gave a qualified endorsement in May 1998, urging governments to ‘endeavour to standardise on the National Principles — once further developed to set a benchmark’ (emphasis added).
Victoria’s proposed legislation (see (1998) 5 PLPR 21) is intended to include a modified version of the Commissioner’s ‘National Principles’ with the aim of achieving national uniformity, but consumer and privacy groups argue that there is as yet no national consensus that this is an appropriate model, and that in the absence of such consensus governments may have to make policy decisions as to what is an adequate level of privacy protection.
Privacy and Consumer Advocates' Position Statement in relation to the Privacy Commissioner's National Principles for the Fair Handling of Personal Information; 28 August 1998
This Position Statement is issued by the Australian Privacy Foundation, the Australian Consumers Association, Electronic Frontiers Australia, the Campaign for Fair Privacy Laws and the Australian Privacy Charter Council.
This Position Statement was discussed at a meeting between the Privacy Commissioner, business representatives, and privacy and consumer advocates on 31 August 1998. The numbering in the Position Statement follows that in the Commissioner’s National Principles for the Fair Handling of Personal Information, which can be found at (1998) 4 PLPR 165 — General Editor.
This paper documents the revisions which the privacy and consumer advocates believe need to be made to the Privacy Commissioner’s ‘National Principles’ of February 1998, in order to ensure that the Principles provide a minimum level of information privacy protection, sufficient to at least provide Australians with an acceptable set of rules, and to satisfy any reasonable test of international adequacy.
Most of the changes are minor adjustments to wording, in order to ensure that the Principles reflect the intention of the drafters, and to avoid ambiguities. A couple of them are more substantive.
This paper consolidates points made in papers by Graham Greenleaf & Nigel Waters in (1998) 4 PLPR 161 and by Roger Clarke in (1998) 4 PLPR 176, in Ulf Brühann’s letter of June 1998, and during the Privacy Commissioner’s meeting of privacy advocates and industry representatives on 18 August.
Notes: These contain a very brief explanation of our position. They are not necessarily intended to be incorporated into the guidance notes. Where we specifically suggest changes or additions to guidance notes, this is made clear.
Global Matter — Workplace Privacy
In the Introduction, delete the words ‘whether the principles are applied to personal information about employees’.
Note: It must be made clear that the standards are relevant to information about employees. The process by which the National Principles are applied then becomes a matter for the implementation phase.
Replace ‘reasonably expect’ with ‘reasonably expect and accept’.
Note: The protection afforded by the existing phrasing is insufficient. The key words ‘reasonably expect’ are capable of being interpreted too broadly.
It seems impossible to negotiate an acceptable position on this issue in the time available. We therefore suggest that 2.1(c) is simply deleted, and that the Principles say nothing specific about direct marketing. This will leave a need for guidance as to how 2.1(a) applies to direct marketing, but this can be dealt with during development of the proposed ADMA Code of Practice and in any legislative implementation of the Principles.
Note: Since the consultations leading to the February Principles, the wider privacy and consumer advocacy movement has made it clear that they regard unsolicited direct marketing in general, and especially outbound telemarketing and unsolicited e-mail (spam), as an area of major public concern.
The way in which the drafters intended exception 2.1(c) to operate, in relation to 2.1(a), is not clear enough and has caused misunderstanding. Many privacy advocates interpret it as an unacceptable concession.
A set of Privacy Principles is not the appropriate place to codify the information collection powers of law enforcement and national security agencies. This should only be done after a major public debate and by Parliaments.
But it is not acceptable to entrench in the Principles an indefinite continuation of the current loose arrangements, which conflict fundamentally with individuals’ reasonable expectation of confidentiality in their dealings with most private sector organisations.
Many of the examples of disclosures given by law enforcement agencies would be permissible under one of the other exceptions: 2.1(f) ‘required or specifically authorised by law’, 2.1(e) the ‘organisation has reason to suspect unlawful activity’; 2.1(d) — emergencies, (which may need to be reworded following further discussions in the sub-group).
Exceptions 2.1(g) and (h) are inappropriate and should be unnecessary. However, in order to provide for other public interests which may currently rely from time to time on exceptional disclosures of personal information, a revised exception (g) should provide for additional exceptions (however they are finally worded) to be detailed in separate Guidelines to be issued by the Privacy Commissioner.
We suggest the following wording:
‘2.1(g) TEMPORARY PROVISION — If before 1 January [July] 2000, the use or disclosure complies with the Temporary Guidelines for Disclosure to Public Authorities issued by the Privacy Commissioner.’ [The first such Temporary Guidelines to be included with the ‘Guidance Notes’ to these principles.]
Logging should be standard practice for ‘secondary purpose’ use and disclosure, and should be required for all instances which fall under 2.1(d) onwards.
Note: The purposes of logging exceptional use and disclosure are to ensure that:
— individuals gaining access to their records are aware of such uses and disclosures (subject to exceptions provided in Principle 6 where that knowledge would prejudice the purpose);
— suspected instances of abuse can be investigated; and
— high standards of accountability are promoted and potential abusers are dissuaded from misusing the provisions, because they are aware that the accesses are logged, that suspected instances of abuse are investigated, and that miscreants are pursued.
Organisations will normally want to make a record of exceptional uses or disclosures to safeguard themselves against allegations of improper conduct.
Insert ‘for any purpose provided for under these principles’.
6.1(c) Insert ‘administratively’ before ‘onerous’.
Note: The current wording permits access to a person’s record to be denied where this would be ‘unduly onerous’ to the organisation. As discussed on 18 August, this wording accidentally includes onerousness in the sense of the consequences of disclosure to the person, whereas it was intended to refer only to onerousness in terms of the provision of access.
After 6.1 It should be made clear in a guidance note that where an exception applies to some of the information on a record, the rest of it (ie the maximum amount possible) should still be released.
6.4 Intermediary Access
Replace the words commencing with ‘consider whether ...’ with ‘enable access through an appropriate intermediary’.
Note: The present wording merely requires the organisation, where direct access is impracticable or inappropriate, to ‘consider’ the use of intermediaries. The onus must be on the organisation to make use of intermediary access in such cases. On the other hand ‘mutually agreed’ is unnecessarily tough — there only needs to be an independent intermediary — such as an ombudsman or compliance committee, although we would clearly hope that if an individual suggested another suitable intermediary this would be accepted.
Amend the guidance note to make it clear that it is not intended that organisations would be able to achieve full cost recovery — only a nominal contribution to marginal costs, if anything (and we would hope that many businesses would see the customer relations value of not charging). The cost of setting up a machinery for access (large organisations only) should be seen as a business overhead.
7.1 Private Sector Identifiers
In 7.1, replace the words commencing with ‘government agency’ with ‘another organisation’.
Note: There is a great deal of concern arising in relation to the multiple use of identifiers, because it is an enabler of widespread data surveillance and the emergence of a ‘dossier society’. The present wording, however, applies only to identifiers assigned by government agencies. The proposed wording would not stop businesses from recording other business numbers, eg CRAA or DUNS reference numbers, only from using them as their own primary identifiers.
Append to the Guidance Note the following: ‘In addition to full anonymity, organisations should consider implementing schemes whereby pseudonymity can be achieved, and the link between the data and a specific person protected by technical, organisational and/or legal means’.
9. Data Transfer
(1) In the main text, delete the words ‘outside Australia’; (2) In the short-form, change the words ‘outside Australia’ to ‘to another organisation’; and (3) Change the heading to ‘Data Transfers’.
Note: As discussed on 18 August, data transfers within Australia should be subject to the same limitations as those outside Australia.
10.2(a) Necessary for Medicine
Replace ‘required’ with either ‘essential’ or ‘necessary’.
Note: The word ‘required’ is ambiguous, because it could be read as allowing any person who requires (i.e. considers that they need) information to take advantage of the exception.
10.2(b)(ii) Competent Bodies
Before ‘obligations of professional confidentiality’, insert ‘health and medical’ to avoid unintended breadth.
Define as any person (see New Zealand Act) and then exempt ‘personal, family, recreational’ uses (see UK Act)
Avoid using short form National Privacy Principles (NPPs) which implies that the Principles are comprehensive (eg relative to Privacy Charter), when they are not. Suggested alternative is FIHPs (Fair Information Handling Principles) — the full title of the February document was carefully crafted, and is highly descriptive.
Add to the end of the Introduction a further section, as follows:
‘These principles expressly address only information privacy protections that have become generally accepted. They do not encompass such additional matters as justification for the handling of personal information, freedom from data surveillance, and the prevention of disadvantage for people who exercise privacy rights. They also expressly do not address dimensions of privacy other than information privacy, such as privacy of the person, privacy of behaviour, and privacy of communications’.
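The suggested addition to the anonymity guidance note above asks organisations to consider pseudonymity schemes in which the link between the data and a specific person is protected by technical, organisational and/or legal means. The following Python is an added illustration of what that looks like in practice; it is not part of the Position Statement or of the Commissioner’s Principles. It assumes a keyed pseudonym (HMAC-SHA256 over the identifier, keyed with a secret held by a separate custodian) and contrasts it with the common weak substitute, an unkeyed hash, which anyone can re-derive by enumerating a small identifier space. The records, the identifier space and the `Custodian` class are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (not real data). customer_id is the direct
# identifier; the remaining fields are what a downstream team would receive.
RECORDS = [
    {"customer_id": "C-000123", "postcode": "2000", "product": "home loan"},
    {"customer_id": "C-000456", "postcode": "3000", "product": "credit card"},
    {"customer_id": "C-000123", "postcode": "2000", "product": "insurance"},
]
# A small identifier space, as for account numbers, phone numbers or dates
# of birth (constructed; 1000 candidates is enough to make the point).
CANDIDATE_IDS = ["C-%06d" % n for n in range(1000)]


def keyed_pseudonym(key, identifier, context):
    """HMAC-SHA256 pseudonym. Stable for one identifier within a context, so
    records about the same person stay linkable inside one dataset; a
    different context gives an unrelated pseudonym, which limits linkage
    across datasets. It cannot be recomputed without the key."""
    msg = context.encode() + b"\x00" + identifier.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def unkeyed_pseudonym(identifier):
    """The weak form: a plain hash. Anyone can recompute it, so a small
    identifier space can simply be enumerated to recover the person."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def pseudonymise(key, records, context):
    """Replace customer_id with a keyed pseudonym; other fields pass through."""
    out = []
    for rec in records:
        rec = dict(rec)
        rec["pid"] = keyed_pseudonym(key, rec.pop("customer_id"), context)
        out.append(rec)
    return out


def enumerate_identifier(target, candidates, derive):
    """Dictionary attack: derive a pseudonym for every candidate identifier
    and compare it with the target. Returns the match, or None."""
    for cand in candidates:
        if hmac.compare_digest(derive(cand), target):
            return cand
    return None


class Custodian:
    """Hypothetical key holder, separate from the team that gets the data
    (the organisational control). Re-identification happens only here,
    requires a stated reason, and leaves a log entry."""

    def __init__(self, key):
        self._key = key
        self.log = []

    def reidentify(self, pid, context, candidates, reason):
        self.log.append({"pid": pid, "context": context, "reason": reason})
        return enumerate_identifier(
            pid, candidates, lambda c: keyed_pseudonym(self._key, c, context))


def demo():
    key = secrets.token_bytes(32)
    custodian = Custodian(key)
    released = pseudonymise(key, RECORDS, "analytics-2024")
    # Same person, same pseudonym: still linkable within the released dataset.
    linkable = released[0]["pid"] == released[2]["pid"]
    # The plain hash is reversed by enumerating the identifier space.
    weak_hit = enumerate_identifier(
        unkeyed_pseudonym("C-000123"), CANDIDATE_IDS, unkeyed_pseudonym)
    # The same attack on the keyed pseudonym fails: an outsider can only
    # guess at the key, so none of the derived values match.
    wrong_key = secrets.token_bytes(32)
    keyed_miss = enumerate_identifier(
        released[0]["pid"], CANDIDATE_IDS,
        lambda c: keyed_pseudonym(wrong_key, c, "analytics-2024"))
    # Only the custodian can re-link, and the request is logged.
    relinked = custodian.reidentify(
        released[0]["pid"], "analytics-2024", CANDIDATE_IDS, "complaint investigation")
    return {"linkable": linkable, "weak_hit": weak_hit, "keyed_miss": keyed_miss,
            "relinked": relinked, "log_entries": len(custodian.log)}


if __name__ == "__main__":
    print(demo())
```

The point for a practitioner is that hashing alone is not pseudonymisation when the identifier space is small: the `weak_hit` path recovers the customer number in well under a second. The keyed scheme keeps the data useful (the two records about the same customer remain linkable) while the only route back to the person runs through whoever holds the key, which is where the organisational and legal controls in the guidance note attach.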