Privacy Law and Policy Reporter
compiled by Graham Greenleaf and Nigel Waters
On 16 August, the Australian Competition and Consumer Commission (ACCC) made a determination in respect of the application from the Australian Direct Marketing Association (ADMA) for authorisation of their Direct Marketing Code of Practice. A copy of the determination and accompanying report has been placed on the Commission’s internet homepage at <http://www.accc.gov.au> under ‘adjudication’.
The ACCC has summarised and dealt in detail with the submissions made in response to their draft determination issued last October. The determination itself authorises the Code for a four-year period to August 2003, subject to a range of amendments and conditions.
Wins for privacy and consumer groups include:
In other respects, privacy and consumer submissions have not been fully taken on board, and significant weaknesses remain. Perhaps the most disappointing ‘loss’ is that the ACCC has accepted the application of a ‘notice and opt-out’ standard to telemarketing and unsolicited email as well as to direct mail. Advocates had argued that an opt-in standard should apply to these inherently more intrusive channels of direct marketing.
Note: ADMA launched its Code, with some amendments to take account of the ACCC’s proposed conditions and other criticisms, in November 1998, and has been promoting adoption of the Code by members during the first part of 1999, holding briefing sessions around the country.
Source: ACCC Determination — see <http://www.accc.gov.au/>.
[We hope to carry a more detailed analysis of the ADMA Code of Practice in a future issue — Editor.]
The Internet Industry Association issued a fifth draft of its Code of Conduct in late August. While most of the media coverage has focused on the ‘Internet Censorship’ provisions designed to be given statutory effect under the Broadcasting Services (Online Services) Amendment Act 1999, the Code also contains the revised provisions relating to unsolicited email or ‘spam’. The ‘spam’ provisions of version four of the Code were withdrawn earlier this year after an outcry about the perceived weakness of the ‘opt-out’ approach. The revised Code introduces what it calls a ‘qualified opt-in’ approach which is far better than the equivalent section of the ADMA Code (see separate report in Private Parts).
The IIA Code also ensures that the general privacy provisions are consistent with the Privacy Commissioner’s revised National Principles, with a view to seeking authorisation for that part of the Code under the proposed new private sector privacy legislation — see separate feature in this issue.
Source: IIA web site at <http://www.iia.net.au/>.
[We hope to carry a more detailed analysis of the IIA Code of Conduct in a future issue — Editor.]
A recent report from the Australian National Audit Office (ANAO) (Commonwealth Auditor General Report No 8 1999-2000, Managing Data Privacy in Centrelink, August 1999) has concluded that while Centrelink generally had suitable policies, procedures and systems relevant to privacy issues in place,
[the agency’s] framework for the management of data privacy was incomplete in that an assessment of risks to data privacy and planning aimed at minimising these risks had not been undertaken at an organisation wide level. As well, Centrelink’s performance information on the actual number of privacy breaches or significant influencing factors was not adequate for performance management or accountability purposes. Consequently, Centrelink’s management was unable to be assured of the effectiveness, in practice, of the elements of the framework which had been implemented.
In addition, ‘Centrelink could not effectively monitor and assess its success in achieving privacy outcomes’.
The ANAO recommends that:
Particular actions Centrelink would be well advised to take, in relation to information technology controls necessary to promote data privacy, are as follows:
- development and implementation of procedures relating to the access to and distribution of personal information from secondary data stores; and
- identification and removal of discrepancies between staff access rights and the requirements for positions.
Other areas that need remedial action relate to:
- implementing standards to govern the transfer of data into and out of Centrelink;
- ensuring accountability by programmers for data extraction programs; and
- the overall management and monitoring of data store creation and usage.
Source: ANAO web site at <http://www.anao.gov.au>.
Comment: The ANAO claims to have consulted the Privacy Commissioner throughout the audit on audit criteria and key issues, including on the final draft report. The question that must be asked is why, given what the ANAO describes as the ‘Privacy Commissioner’s key role in respect of the audit topic’, it has taken a report from the Auditor-General to reveal these weaknesses. The Department of Social Security (Centrelink’s predecessor) was always held up to be a model for privacy awareness and training and compliance systems, notwithstanding a few highly publicised privacy breaches. To be fair, the ANAO Report comments favourably on many of the agency’s systems and general approach to privacy compliance. But it seems that the Privacy Commissioner has for some reason (resource constraints?) neglected to ensure that Centrelink has maintained the high standards necessary, given the sensitivity and volume of the personal information held by the agency.
The report demonstrates yet again the importance of ‘competing’ sources of advice and monitoring of privacy compliance. Had the job been left exclusively to the Privacy Commissioner, would we now be aware of the measures that still need to be taken in this key agency? — Editor.
The Cyberspace Electronic Security Act is ‘an unprecedented attempt by the Clinton Administration to impose “big brother” monitoring powers over American citizens’, according to the lobby group Americans for Computer Privacy. The group supports instead the Security and Freedom Through Information (SAFE) Act, introduced by civil libertarian Senators and Congressmen, which it claims ‘would secure [our] rights to use encryption to protect personal information and communications in the Information Age’. ACP says that:
SAFE Act supporters understand that encryption prevents online crime, and that the right to privacy is not negotiable. The fact is that current laws provide law enforcement broad powers to obtain information. [The Administration] proposal — offered as an alternative to a failed attempt to impose a third party encryption key scheme on the American public — is an affront to all law-abiding citizens.
Source: August 20 media release from Americans for Computer Privacy — see <www.computerprivacy.org>.
In a decision overturning federal privacy protection, the 10th US Circuit Court of Appeals has ruled that phone company records belong to the phone companies. That means they can use the information about customers for marketing purposes without obtaining their consent.
Consumer advocates are not happy with the decision, and neither is the Federal Communications Commission. The FCC, which regulates telephone companies, plans to appeal the ruling by the three-judge panel.
FCC Chairman Bill Kennard said the court’s decision to reject commission rules adopted last year removes important protections to consumer privacy. ‘We think that consumers should have the right to determine where this information goes and who uses it,’ he told CNN. ‘Only after the consumer gives express consent should this information be sold to a telemarketer or used for other purposes.’ Kennard said information such as calls made to a doctor or to a help group — and the frequency of such calls — could become fodder for marketers to target their goods.
Phone companies, however, say that won’t happen. ‘The important thing customers should understand is that phone companies have no interest in selling numbers to outsiders, so we’re not pressing the privacy panic button,’ Bill McCloskey of Atlanta-based BellSouth told CNN.
When people make calls or pages, the companies providing them service end up with personal information including who was called, when the call was made and how long the call lasted. They can also tell how much their customers paid for service.
The FCC rules had required telecommunications companies to obtain permission — either written, oral or electronic — before using or sharing customers’ records, calling patterns and other personal information to market new services to them. A 1996 telecommunications law had mandated such approval without specifying how it had to be given.
In a two to one ruling published last week, the Appeals Court overturned the FCC restrictions, saying they wrongly interfered with the phone companies’ First Amendment right to free speech. The court said the government failed to show any specific harm to customers from the practice.
‘Although we may feel uncomfortable knowing that our personal information is circulating in the world, we live in an open society where information may pass freely,’ the ruling said.
Kennard expressed concern that the ruling would let companies assume they had permission to use customers’ personal information unless customers told them they did not. Customers might then inadvertently forfeit their right to privacy by missing a notice from the company informing them of the policy, he said. Other FCC officials warned that the decision could open a wide door for releasing information, such as phone companies selling information about a customer’s toll-free catalogue shopping habits to a rival retailer.
Source: CNN, 27 August 1999 (Reporter Deborah Feyerick and The Associated Press contributed). See mirror copy of full report at <http://www.anu.edu.au/people/Roger.Clarke/DV/USCallRecs9908.html>.
The OECD invites people to test the Generator and provide them with comments on it. A special email account has been set up to receive all comments, which is accessible through links on the Generator. The address is <firstname.lastname@example.org>.
A reminder that among the treasure trove at Roger Clarke’s web site is a regularly updated paper A History of Privacy in Australia: Current Developments — see <http://www.anu.edu.au/people/Roger.Clarke/DV/OzCurrent.html>.