Privacy Law and Policy Reporter
compiled by Graham Greenleaf and Nigel Waters
The first week in December saw an unprecedented wave of media attention to privacy. A joint venture between the Packer family’s Publishing and Broadcasting Ltd (PBL) and US database company Acxiom is building a major database on Australian consumers, drawing on both public records and privately compiled data.
While it is the Packer connection that has attracted the media, the venture brings together in one project most of the privacy ‘hot buttons’. Direct marketing, data matching and profiling, use of public register information for unexpected purposes, and the overarching issues of informed consent and access to records are all there.
Roger Clarke has brought together most of the publicly available material on the project, which by some accounts is already fully developed — see <http://www.anu.edu.au/people/Roger.Clarke/DV/InfoBase99.html#Dec>.
The Federal Privacy Commissioner, Malcolm Crompton, has issued his first Annual Report — the 11th since the 1988 Act took effect. The Report is available for download at <www.privacy.gov.au/news/index.html>.
Among the reported activities is an example of the rare use by the Commissioner of his power to vary the operation of the Act in special circumstances.
The Privacy Commissioner issued a Public Interest Determination (PID) in favour of the Department of Foreign Affairs and Trade (DFAT). PID 7A came into force on 1 June 1999 and amends PID 7 (issued in October 1997) to overcome doubts raised by the Senate Standing Committee on Regulations and Ordinances. The Committee had questioned whether the conditions to which the determination is subject would be effective. Both versions allow DFAT to disclose personal information about Australians overseas to their next of kin in circumstances that would not otherwise be permitted by the Act.
Source: 11th Annual Report of the Privacy Commissioner.
Parliament has passed laws that allow the Australian Security Intelligence Organisation (ASIO) to tap into and alter data on private computer systems.
The ASIO Amendment Bill 1999 passed the Senate on 25 November, giving federal authorities the power to tap into private computer systems for surveillance purposes. This is the first time in 13 years a major change has been made to the ASIO Act 1979 (Cth).
While the legislation gained bipartisan support, some members expressed concern that the Bill was rushed through Parliament.
The Australian Democrats claim that the new law is a serious breach of Australians’ privacy. Deputy leader Senator Natasha Stott Despoja said that the laws could be intentionally misused to plant evidence. ‘The government has found quite a convenient excuse for significant new excursions into personal surveillance,’ she said.
Privacy groups are angry that the Bill gives ASIO the power to tap into private computer systems. Consumer group Financial Services Consumer Policy Centre has previously called on the Senate to reject the Bill, claiming it contains ‘serious flaws’.
Source: William Maher, APC Newswire 26 November.
The Canadian House of Commons has passed the Personal Information Protection and Electronic Documents Act (Bill C-6), an omnibus data protection proposal previously known as Bill C-54. The legislation — affirmed by a comfortable 200-49 margin — would put in place strict privacy rules for the private sector. Like its predecessor, Bill C-6 contains limits on the collection, use, disclosure and retention of personal information. Companies will be expected to conform to high standards of accuracy and security while providing individuals with access to information about themselves. The Privacy Commissioner will be granted power to receive complaints concerning violations of the law, conduct investigations and resolve complaints through mediation or legal procedure.
The Bill must now pass the Senate, where many members have strong connections to the business community. The insurance and health care industries oppose the Bill in its current form, and several Senators are expected to propose amendments that would weaken some of the more stringent provisions.
Acting according to a mandate provided by the Health Insurance Portability and Accountability Act of 1996, the Clinton Administration has proposed a rule designed to protect the privacy of electronic medical records. The proposed rule requires providers and health plans to give patients written explanations of how they intend to use, keep and disclose personal information. Healthcare entities covered by the regulations would not be allowed to condition treatment, payment and coverage on agreement to disclose personal information for other purposes. The rule also provides patients with the right to see and make corrections to their medical records.
Health privacy experts reacted positively to the proposal, but warned that certain loopholes would require further action. The regulations do not, for example, protect paper based medical records and there is no authority for a private right of action to enforce individual privacy rights. Personal health information could still be shared between companies under the vague purpose of ‘disease management’ and law enforcement officials would be able to obtain medical records with a simple subpoena.
A summary of the proposed rule is currently located at <www.aspe.hhs.gov/admnsimp/pvcsumm.htm>.
Malaysia’s Deputy Energy, Telecommunications and Multimedia Minister, Datuk Chan Kong Choy, has stated that the Personal Data Protection Act is in its final stage and is likely to be tabled in Parliament in 2000. He said that unless laws were drawn up to deter the abuse of information, the public would have doubts about using the internet. This, in turn, would curb the growth of information technology, which Malaysia is trying to spearhead through the Multimedia Super Corridor (MSC) masterplan.
He noted that Malaysia was following the discussions between the US and the European Union.
Source: Loong Meng Yee ‘Law to guard personal data soon’, Star Publications (Malaysia) September 9, 1999.
All the papers from the 21st International Conference of Privacy and Data Protection Commissioners, held in Hong Kong in September, are now available on the HK Commissioner’s website at <http://www.pco.org.hk/conproceed.html>.
New Zealand Privacy Commissioner Bruce Slane has released his latest Annual Report, with press releases highlighting a number of issues, including the weakness of computer crime laws and the absence of spent convictions provisions to encourage rehabilitation of offenders. Slane also calls for the presentation of privacy impact statements for major new government policies, and criticises inadequate reporting on data matching and the failure of the internal affairs department to comply with the law in relation to disclosures of passport information. The report is available at <http://www.privacy.org.nz>.
After revelations that its software was secretly transmitting users’ personal information back to the company, streaming media software maker RealNetworks has promised to amend its privacy policies. In doing so, the company got away with little more than a slap on the wrist from the online privacy group whose seal of approval it bears on its website.
According to EPIC News, TRUSTe refused to launch an investigation since RealNetworks did not technically violate any part of its licence agreement. The TRUSTe licence agreement only covers information collected from individuals over a website. TRUSTe claimed that since the information collection and transmission occurred through software downloaded at a site, there was in fact no violation of the licence agreement. However, TRUSTe did announce plans to change its licence agreement to include software downloaded through a website.
See also <http://www.currents.net/newstoday/99/11/09/news11.html>.
Source: Industry Standard via Quicklinks, <http://www.qlinks.net/items/qlitem5432.htm> and EPIC News 6.19.