Privacy Law and Policy Reporter
compiled by Graham Greenleaf and Nigel Waters
On 31 March, the Attorney General announced the appointment of Mr Malcolm Crompton as the third Australian Privacy Commissioner, to succeed Moira Scollay who left the post in January after only two years of a five year term. Mr Crompton has also been appointed for a five year term, commencing on 20 April. For the last three years he has been the Manager of Government Affairs with AMP. AMP is a major financial services group, originally a mutual organisation with insurance as its main activity, but recently floated on the stock market and converted to a licensed bank with interests in most areas of financial services. Before 1996, Malcolm Crompton held a succession of positions in the Commonwealth Department of Finance, with involvement in many of the public administration reforms of the last two decades. A fuller biography can be found on the Commissioner’s web site at www.privacy.gov.au.
In announcing the appointment, the Attorney emphasised the Commissioner’s role in relation to the proposed private sector legislation:
My department is consulting widely on the development of the draft legislation, and the Privacy Commissioner will be an important and valuable source of advice in this process.
The Privacy Commissioner will also have an important ongoing role in educating and assisting business to implement the scheme, and in advising me on its operation. I will be particularly looking to the Privacy Commissioner to provide assistance to small business in implementing the scheme.
This emphasis probably explains why the new Commissioner is someone with private sector experience. But like his predecessors, Moira Scollay and Kevin O’Connor, Malcolm Crompton has been a public servant for most of his career, and this should probably be regarded as a strength rather than a weakness. The focus on the private sector over the last few years has arguably led the Commissioner’s office to neglect, relatively, important developments in public administration — such as the growing integration of tax and benefits administration, major new initiatives in health care, and increased powers for law enforcement agencies.
Even the extension of the law to the private sector will require an understanding of legislative and bureaucratic processes as much as knowledge of the business. The privacy issues that arise in the private sector are so diverse in any case that no particular qualifications or experience can be regarded as essential. Of more importance are generic qualities such as a keen intellect, good negotiation skills, political ‘nous’ and hopefully an underlying commitment to the importance of privacy protection in modern society. The new Commissioner’s career path suggests he has the first three. It remains to be seen if he has the fourth and how he will apply his undoubted ability to this important task.
In an unusually open process, the Commonwealth Attorney General’s Department has been consulting widely in developing drafting instructions for the Bill to extend privacy protection to the private sector. The Information and Security Law Division of the Department convened a ‘core consultative group’ (CCG) for two meetings in March and April. The CCG includes most of the interests represented in the Privacy Commissioner’s consultations in 1997 and ’98 on the development of the National Principles, but has been broadened to include previously unrepresented sectors such as real estate (tenants and realtors).
Unfortunately most representatives of consumer and privacy bodies were unable to attend the first meeting in Canberra, which was addressed by the Attorney General, as no funds were provided, even for travel. They were able to attend the second meeting in Sydney. The meetings worked through a comprehensive agenda of issues relating to the necessary components of a law — excluding the principles which are already taken by the Government to be settled, in the form of the Privacy Commissioner’s National Principles. The timing of implementation was also discussed, along with related issues such as transition periods and application of the law to existing data.
While differences remain among the various interests represented, there was also a good measure of agreement on many issues (see the ‘Essential elements’ article on p 168 for a privacy advocate position). The CCG is not intended to be a negotiating body — rather, it is to provide advice and ideas to the Attorney General’s Department, which will now produce drafting instructions for Parliamentary Counsel to work from.
Kathy Leigh, who chaired the meetings of the CCG, indicated that the timetable was for a Bill to be drafted for introduction in the Spring session of Federal Parliament.
The Queensland Freedom of Information Act 1992 (FOI Act) is being reviewed by the State Parliament’s Legal, Constitutional and Administrative Review Committee. This is the same Committee which issued a major report on privacy in Queensland last year (see (1998) 5 PLPR 49 and 72). The Committee received a reference from the Parliament in March and issued a call for submissions, with a closing date which was extended to the end of May. The terms of reference for the review are very broad — primarily ‘whether the basic purposes and principles of the FOI Act have been satisfied, and whether they now require modification’.
The review comes after several years of controversy over successive limitations and restrictions on the right of access under the Act by both Labor and Coalition governments, and critical reports by the Information Commissioner, appointed under the Act. Although the terms of reference do not expressly mention privacy, the interface between FOI and privacy, in relation to access by individuals to personal information, will inevitably have to be considered. Interested parties can contact the Committee’s Research Director, Kerryn Newton, on (07) 3406 7909.
One of the key issues the Committee should address, in light of its own privacy recommendations, is the definition of personal information. The Queensland FOI Act already provides for individuals to have access to personal information about themselves, and sets up an elaborate process for balancing privacy rights against a general public interest in open government.
But there is a very significant difference between the FOI Act’s concept of ‘personal affairs’ and the wider definition of ‘personal information’ used in privacy principles. Unless the FOI Act definition is changed, FOI processes would not completely satisfy the access and correction privacy principle in the forthcoming Queensland privacy regime. Separate processes would need to be set up to handle requests for access to information that was covered by the privacy principles but not within the concept of ‘personal affairs’. Such a parallel process would clearly be unwelcome and it is desirable that the difference should be sorted out by legislative amendment. The Commonwealth dealt with the same issue by changing the definition in the Federal Act from personal affairs to personal information to bring it into line with the Privacy Act.
There are strong arguments on both sides of the definition issue, and adopting the privacy definition is not without its dangers. Too wide a definition allows privacy to be claimed inappropriately as an exemption for government information which only incidentally contains information about individuals. Too narrow a definition deprives individuals of access to a wide range of significant information held by government and used in decision-making about them. It also limits the protection that the law gives to individuals against incidental disclosure of their information in response to third party FOI requests.
If the wider definition is adopted, then there should be clear limitations on the ‘privacy’ exemption so that only a very narrow category of sensitive personal affairs information about public servants is exempt, and so that even where personal information about a member of the public is involved, there is a discretionary public interest override.
There is also the wider issue of the ‘location’ of access and correction rights; the ALRC/ARC concluded that they should stay in the FOI Act. On balance they rejected the strong arguments that access to personal information (however defined) should be transferred to a privacy regime, leaving the FOI Act and Commissioner to concentrate undistracted on the vital public interest in open and accountable government. To the limited extent that the two interests conflicted in particular cases, these could be sorted out through sensible consultation arrangements, such as appear to operate well in New Zealand.
The Queensland Committee will presumably consider the same range of factors as the ALRC and ARC did in their review of the Commonwealth Act in 1995 (their report Open Government, previously analysed in (1995) 2 PLPR 121 — see www.parliament.qld.gov.au/committees/legalreve.htm).
Regrettably, the Federal Government has failed to respond comprehensively to the ALRC/ARC report to date and shows no sign of doing so. A recent letter to the Editor of FOI Review, Rick Snell (see <http://www.comlaw.utas.edu.au/law/foi>) from the Attorney General’s Department suggests that, with the exception of a few minor changes already made, and the proposed extension of the FOI Act to cover outsourcing, the Government sees no need for any of the more significant recommended changes.
The bizarre story of the Government’s attempts to censor the Walsh Report on Encryption (see (1999) 5 PLPR 145 and 163) has reached its (anti)climax with the notice to Electronic Frontiers Australia in late March that AusInfo has withdrawn its copyright claim. Presumably the Attorney General’s Department has finally realised that the futile attempt to put the stopper back in the bottle was only leading to more publicity for the passages they initially decided to exempt from publication, and making them look very silly in the process. Author Gerard Walsh’s judgment, in his foreword to the report, that ‘[t]here is an immediate need for broad public discussion of cryptography’ and that ‘[this] report is intended to contribute to that process’ is finally vindicated.
On 7 June, the Federal Government and the Australian Mobile Telecommunications Association (AMTA) announced the issue of a Request for Proposal for a mobile handset registration system. The initiative aims to ‘address the lost and stolen mobile phone issue for the benefit of mobile phone customers, carriers, industry associations, user groups and Law Enforcement Agencies (LEAs)’, according to the government media release.
AMTA (see <http://www.amta.org.au/index.htm>) says:
The system, when established, will provide a central repository of information which can be used by industry, LEAs, authorised businesses and other designated sections of the industry to facilitate the return of handsets, minimise use of stolen handsets and further assist LEAs to prosecute criminals.
When the possibility of a register was being debated in the press last year, concerns were raised about the privacy implications, particularly if there was an intention to register all phones rather than just those which are reported lost and stolen, and those recovered by police and others. A comprehensive register could all too easily become another building block in the edifice of surveillance, if linked, as it would be, to interception capability (see article on p 177) and development of more fine grained mobile origin locator information (MOLI).
It is not clear from the announcement of this initiative whether these concerns have been addressed. The RFP will hopefully allay fears, and should be examined carefully.
At its meeting on 21 May, the Online Council ‘strongly supported the Commonwealth Government’s intention to introduce light-touch privacy and data protection legislation for the private sector in the Spring sittings of the Commonwealth Parliament’ according to the joint media release. The State, Territory and Federal Ministers:
re-affirmed their commitment to building nationally consistent legal and regulatory frameworks for the information economy in Australia. Ministers agreed legal and regulatory frameworks need to secure the confidence of all Australians that online information and transactions are authentic, private, secure, legally sound and that there are redress mechanisms available. [They also] endorsed the principle that consumers engaged in electronic commerce should be provided the same level of protection as is provided for off-line forms of commerce.
Parts of the UK’s Electronic Commerce Bill have been labeled a potential ‘damaging and embarrassing failure’ by a parliamentary inquiry, according to a recent report.
The House of Commons Trade & Industry Select Committee report, released in May, found that the controversial Department of Trade and Industry Bill made proposals to license encryption and digital signature providers that were ‘not fit to be written into law’.
The committee said it saw no benefit in the most contentious part of the Bill — key escrow and key recovery. These would have provided law enforcement access to users’ encryption keys and therefore their confidential data.
The Committee also questioned the European Union plan to get ISPs and telecom carriers to set up an infrastructure for law enforcement agencies to intercept internet traffic. The Committee chair said that the Enfopol resolution proposed unrealistic requirements on service providers and raised overwhelming civil liberties concerns.
Source: http://www.techweb.com/wire/story/TWB19990519S0001 and http://www.techweb.com/wire/story/TWB19990520S0022, articles by Madeleine Acey, TechWeb, forwarded by Greg Taylor, EFA.
In late May, the Federal Government released a series of fact sheets for consumers on internet shopping, ‘Shopping on the internet: facts for consumers’. One of the sheets (No 5), developed with input from the Privacy Commissioner’s office, gives advice about privacy, and explains how some merchants collect personal information over the internet. It is available from the DoCITA web site at www.docita.gov.au.
The Federal Privacy Commissioner, Malcolm Crompton, has released an issues paper on health privacy. On 3 May he was asked by the Attorney General for advice on the applicability of the National Principles, developed by his predecessor Moira Scollay, to the health sector. The issues paper, released on 25 May, is accompanied by a background paper — both can be obtained from the Commissioner’s website at www.privacy.gov.au.
Crompton’s provisional position is that the National Principles need relatively few changes to be workable in relation to health information. This follows the experience of New Zealand where the Health Code of Practice issued by the NZ Privacy Commissioner in 1984 varied only a little from the statutory Information Privacy Principles. Crompton is inviting comments in two stages — initially by Friday 18 June, with a further round of consultation to follow.
The urgency of this work relates to the need to be able to draft the over-arching private sector legislation, due to be introduced in the next session, in a way that does not unduly alarm the health sector, which was largely unrepresented in the consultations held by Moira Scollay on the National Principles. Scollay had been conscious of this omission and had already commenced work on the issues, making possible the immediate response by Crompton to the Attorney’s request.
The National Health and Medical Research Council (NHMRC) has issued draft guidance on ethical aspects of human genetic testing, including specific advice on privacy and confidentiality — see www.nhmrc.health.gov.au/ethics/contents.htm. The Council has invited submissions by 16 July.
This is a timely initiative given the push towards greater use of genetic testing, particularly in law enforcement. The recent announcements concerning the DNA database which will form part of the federally sponsored CRIMTRAC system leave a lot of questions unanswered. The NHMRC guidance may help to bring pressure on Federal and State Governments to address privacy and civil liberties concerns. The guidance will also, and more directly, assist in consideration of medical uses of genetic testing.
Further to the recent article on privacy impact assessment ((1999) 5 PLPR 147), readers’ attention is drawn to two more resources on the subject readily accessible on the internet: a model privacy impact assessment and a privacy impact assessment form prepared by the Office of the Information and Privacy Commissioner of British Columbia (at http://www.oipcbc.org/publications/pia/ in Adobe .pdf format); and Roger Clarke’s resource page at http://www.anu.edu.au/people/Roger.Clarke/DV/PIA.html
The Commonwealth Auditor General has issued an audit report calling for the quotation of tax file numbers to be made compulsory, and for increased data-matching between the Health Insurance Commission and the Tax Office (Audit Report No 37, Management of Tax File Numbers — see http://www.anao.gov.au/Whatsnew.html).
In the latest of what has become a depressing series of audit reports, the Commonwealth Auditor General has again failed to give adequate weight to either the letter or the spirit of the Privacy Act, focusing almost entirely on efficiency arguments.
While the Audit Office has been a useful ally for the Privacy Commissioner on security issues, it has consistently played down the significance of legislated privacy protections such as one of the founding principles of the enhanced tax file number system, that of voluntary quotation. While the choice may be more symbolic than real, particularly for benefit recipients who are effectively forced to quote their number, any change deserves a much more wide-ranging debate about the direction of the TFN system. The Auditor General has become, knowingly or not, an accomplice in the Federal bureaucracy’s not so latent desire to re-introduce the Australia Card by stealth.
It is to be hoped that the Privacy Commissioner will provide a robust response to the Audit Office report.
In the May issue of the Press Council News, Council member Chris McLeod has an article which appears under the dramatic title ‘Excessive privacy laws undermine democracy’. This follows a piece by the Council’s Chairman Professor Dennis Pearce in the November 1998 edition entitled ‘Is privacy dying?’ in which he argues for a lowering of expectations about how much privacy the public can realistically retain. Whether these articles represent the start of an organised campaign by the media to resist the imposition of privacy laws remains to be seen.
While predictable, the reaction is disappointing. Both in Australia and overseas, the media do not seem to have been able to separate a legitimate debate about media privacy intrusion from the case for general privacy laws. Their concern about potential restrictions on their own ability to report public affairs is understandable, as is their cynicism about politicians’ interest in passing laws to protect themselves — given the sad experience of defamation laws. But to allow these concerns to spill over into outright hostility to privacy protection in general, as it has done so virulently in New Zealand, is irresponsible.
PLPR is seeking permission to re-print these two provocative articles in future issues.
A consortium of a number of State and Territory governments and Centrelink is looking at identifying a smartcard operating system that will enable multiple applications to exist on one or more smartcards. Identifying a system will not bind any of the consortium members when making decisions about developing smart card applications in their own jurisdictions, but is a step towards taking a coordinated approach to applications involving two or more governments. The consortium has been consulting with privacy and consumer advocacy groups in establishing the criteria for an interoperable platform. A Draft Request for Information is expected to be released in early July and will be available at www.act.gov.au/government/reports/smartcard
The Steering Committee for the project will be seeking comments from interested organisations and individuals on the proposed Draft.
Source: Ian Donald, March Consulting Pty Ltd, tel: (02) 6205 0486, email: email@example.com