Privacy Law and Policy Reporter
This is an extract from the transcript of ABC Radio National’s The Law Report programme, broadcast on
9 November 1999.
Susanna Lobez: As we move through our daily lives in this electronic age, we leave behind us a trail of data, about our purchases, our finances, our health, even personal details. Paper documents can be shredded to protect our secrets, but not electronic records.
Roger Magnusson: Control over our privacy in the information age is increasingly a pipe dream, because our information goes everywhere. We kind of shed it like skin wherever we move. I think it was Bill Gates that said that the previously scattered nature of information has meant that we have a de facto level of privacy, but not any more, not in the computer age.
Susanna Lobez: Dr Roger Magnusson, a lecturer in Privacy, Surveillance and Fair Information Practices in the Law Faculty of the University of Sydney. And since the recent anti-monopoly decision, Bill Gates no doubt wishes he had a bit of privacy.
Perhaps we’ve been seduced into sacrificing privacy for convenience, as we give out our credit card details by phone or internet, as we fill in various kinds of forms and hand them or send them on to others. Privacy protection has been a patchwork: a bit of defamation law here, some new laws restricting surveillance there, journalism codes of conduct, other bits and pieces.
The Federal Privacy Act restricts those in the public sector from dealing in information about us, but private organisations have been free to collect, cross-reference and pass on our information exhaust, left like a snakeskin behind us.
New Federal legislation to amend the Privacy Act will incorporate national privacy principles, which apply to public and private sectors alike. The amendments are due to be debated next month. Broadly, they say if information about us is being collected or held, we have the right to be told. Privacy consultant Nigel Waters told Daniel Hirst this will curtail practices like the secret blacklisting of tenants.
Nigel Waters: At the moment, a lot of information about people that rent houses are placed onto central databases without the individual knowing about it, and then used by real estate agents to check up on people when they apply for a new property, and quite often that information can either be malicious or it can just be plain wrong or out of date, and individuals are given no right to challenge it or to rebut that information. We’re not saying that those databases shouldn’t exist, but individuals should know about them and have rights.
Daniel Hirst: So if I turned up and I was trying to rent a house and somehow my name had gotten on one of these blacklists, and the information was completely false — let’s say it came through an avenue where I’d paid my friend’s rent which was overdue and somehow my credit card database had linked up to the tenant database and said that I’d paid for an overdue rent. If I got on to that blacklist this way, I wouldn’t be able to correct that?
Nigel Waters: That’s right, and you wouldn’t even know that that database existed. Most tenants don’t. Under the new law, they would have to tell you when you signed on for a house that they were going to put that information into the database so that you could then, if you wanted to, have a look at the record and challenge it if you thought it was wrong.
Susanna Lobez: Under these new laws, collectors of information have an obligation to keep the records safe and not to pass it on to anyone without our consent. Importantly, they must explain exactly how our private details will be used. Federal Privacy Commissioner Malcolm Crompton gave Daniel Hirst a graphic example of where information was misused.
Malcolm Crompton: Only in the last week or two we had somebody calling us about her baby, who’d died from cot death, and as is proper procedure, the police had organised a contractor to collect the baby and take it to the morgue for an autopsy. The sad thing is that the contractor later on then rang the lady a couple of days later at home and offered his services because that person was also the funeral director. And really, it’s a quite inappropriate use of that person’s personal information to have tried to drum up business in that way, and at the moment there’s nothing that can be done about it.
Daniel Hirst: In this particular instance, was the information actually passed from one person to another, or was the information maintained with the contractor?
Malcolm Crompton: The information, as I understand it, was not passed from one person to another, but part of these privacy principles is that information should be only used for the purpose for which it’s collected. So that even if the same person had the information, they really should have only used it for its original purpose.
Daniel Hirst: This could be seen as an example of direct marketing. Is direct marketing the main target of these new changes?
Malcolm Crompton: Not by any means. Direct marketing will be affected. Some of the more undesirable ways in which direct marketing can be undertaken would change. It would also give the individual Australian more control over the amount of direct marketing that they were exposed to. But direct marketing is most certainly not the only target. I have in front of me an article that’s in the Sydney Morning Herald of 3 November, and it relates to a fairly prominent database that’s being run in America off a website called Real Networks. In fact it has about 13 and a half million customers. It’s turned out that this website makes a promise in its privacy statement about the use of people’s personal information, and it’s been discovered that in fact that promise is not being honoured. In Australia, at the present time, nothing can be done about people using the internet in a way which allows their personal information to be collected without them knowing it, and they can seek no redress. This would change; with the new legislation we would see individuals being able to be assured as to why the information is being collected or even if it is being collected at all, and be able to stop that if that’s what they wanted to do.
Daniel Hirst: In situations like this, where someone is actually visiting a website overseas, does it come under your jurisdiction as an Australian Privacy Commissioner?
Malcolm Crompton: You do actually have a debate running at the moment as to what is the appropriate jurisdiction when these things happen. One of the things that has to happen though is that some element of the transaction between here and America has to have been done through an Australian-based entity. And it’s not clear whether it’s simply being done through an Australian internet service provider would be enough, or whether there has to be something more than that — that is Australian — before I can take action. But almost certainly, in most instances, there will be some point of leverage at which I can take action if necessary.
Daniel Hirst: How will these new laws work?
Malcolm Crompton: The main form of enforcement would be by complaint. People who felt that something wrong had been done with their personal information as against the rules set out in these national privacy principles would be able to lodge a complaint for investigation with some appropriate correction.
Daniel Hirst: What sorts of penalties would there be for the breach of privacy laws?
Malcom Crompton: I believe we apply the Mikado principle here: the punishment fits the crime. If in fact somebody was not able to gain access to personal information, when clearly they should have, what I arrange for is that access. This is not a gold-digging operation here; this is not the big end of town when it comes to financial penalties or anything like that, it is a simple respect for human dignity, it is obtained by allowing the individual person to be in control of their own personal information, and where it goes wrong, for the wrong to be properly righted. This law that the Government is proposing will be relatively simple, relatively basic and quite wide in its coverage. But it can’t possibly be the answer to every circumstance by itself. The law in an area as complicated and fast growing as this can’t be the solution by itself. All of us will have to take an increasing responsibility for the handling of our own personal information; it’s just a matter of balance.
Susanna Lobez: But is this legislation toothless? Is privacy protection, as he suggests, so hard to police and enforce, it relies on consumers complaining and organisations watching their image?
Privacy consultant Nigel Waters says bad PR may be indeed the biggest disincentive to privacy breaches.
Daniel Hirst: Are there holes in this new legislation which you’d like to see filled, in order to protect privacy properly?
Nigel Waters: Well, I’ll give you two good examples that have come to light just in the last week. Unfortunately where the new law wouldn’t help, because they’re both in an area of employee records. We’ve had reports within the last week of both Telstra and the NSW State Rail Authority monitoring in one case, employees’ calls, and in the other case employees’ attendance patterns, without their knowledge, and unfortunately, although that’s the sort of area where we desperately need privacy laws, any records that an employer kept about its employees, whether it’s monitoring their phone calls or doing drug tests or police record checks or psychological or health examinations, would be exempt from this new law, and we can’t understand why that is the case, because that’s very often some of the most sensitive information, and the information that individuals most need to have held according to proper rules and to have access to.
Daniel Hirst: And this could be held without the knowledge of the employee?
Nigel Waters: That’s right.
Daniel Hirst: Would they also be able to pass on information say to your next employer telling them exactly what phone calls you made and so on?
Nigel Waters: Yes, they would. That’s another major concern, that they would be exempt from the disclosure principle, and therefore be able to basically do what they like with that sort of information.