Privacy Law and Policy Reporter
compiled by Graham Greenleaf and Nigel Waters
The Senate Legal and Constitutional References Committee was due to submit its report on Privacy and the Private sector on 15 February but has obtained a further extension of time to 9 March. See http://www.aph.gov.au/senate/committee/legcon_ctte/index.htm
The Committee hearings in 1998 were a vital focal point for information flows which led to the government adapting its policy and agreeing to proceed to a ‘light-touch’ legislative regime for the private sector.
The report will be a useful historical document, but doesn’t seem likely to contain any thing we don’t already know.
Source: Roger Clarke & Dave Banisar.
BEP is an Internet based, free, one-stop service to business, designed to reduce red tape and make it easier for users to interact with all levels of Australian governments (see http://www.about.business.gov.au for more information).
Source: Department of Employment, Workplace Relations and Small Business.
The NZ Police have long had to report the number of interception warrants granted for tapping telephones and placing electronic bugs (23 sought last year, none refused). However, the 1997/98 Annual Report of the NZ Police, just to hand, is the first to provide information on the recently established ‘call data warrants’. These authorise the attachment of ‘telephone analysers’ to telephone lines to obtain real-time information about the calls into, or out of, a suspect’s telephone. Only call data, such as numbers called or calling, times and duration of connections is revealed — not the content of communications. In 1997/98 it appears that there were 87 warrants granted, although it is unclear from the report whether this includes renewals. The average duration of the warrants was 58 days.
The report was also notable for reporting the quadrupling of the DNA databank maintained under the Criminal Investigations (Blood Samples) Act 1995. Over the year the databank of stored DNA profiles grew from 909 to 3,980. Of those 3,069 were obtained by consent (usually provided for elimination purposes by innocent people) with the remaining 991 the subject of a compulsion order (following conviction for certain serious offences). During the year the Police used force on two occasions to assist a medical practitioner to take a blood sample pursuant to a compulsion order. The courts have been rigorous in their scrutiny of applications for suspect compulsion orders (in the course of investigations) and databank compulsion orders (following conviction). Neither has been a rubber stamping exercise with a suspect application refused in each of the last two years and 10 databank orders refused in the first year and four in the second.
Source: Blair Stewart.
Note: the 1997-98 Annual Report on the Australian Telecommunications Interception Act 1979 was tabled in February. A summary of the report will appear in a future issue.
The Federal Government’s GST mail-out to pensioners last year — a major part of its taxpayer-funded pre-election propaganda blitz — has been found to have breached the Privacy Act.
According to press reports, Privacy Commissioner Moira Scollay determined that the mail-out was unlawful because it used the Centrelink database for a purpose which was not authorised by the Social Security Act.
The reports appear to have been based on draft findings sent by the Commissioner to complainants. There has been no public statement of findings to date, although questions were asked in Senate Estimates hearings on 8 February. Details are expected to become available through the Joint Committee on Public Accounts and Audit, which is reviewing the Auditor-General’s report into the mail-out.
Source: Frank Cassidy, Canberra Times, 16 January 1999.
In September 1998, Justice Einfeld of the Federal Court dismissed as misconceived an application from a complainant for review of a decision of the Privacy Commissioner, Moira Scollay. Ms Scollay had dismissed the complainant’s case against Avco Finance Ltd (AVCO), Optus Communications Pty Ltd (OPTUS) and the Credit Reference Association of Australia (CRAA). The complainant had alleged that AVCO and OPTUS listed him with the CRAA, without giving him the required notice under the Privacy Act 1988. Ms Scollay had found no evidence of a breach of the provisions of Pt IIIA of the Privacy Act.
While Justice Einfeld emphasised that judicial review did not involve a review of the merits of the Commissioner’s decision (only of the process), he did as an aside comment that ‘... despite the fact that on reading the Commissioner’s decisions it seems that the applicant’s complaints are completely unfounded’.
Although unimportant in itself, this case is a landmark in that, nearly 10 years after the Privacy Act came into force, it is the first time a decision of the Privacy Commissioner has been judicially reviewed.
See: Mario Riediger v. Privacy Commissioner, No. NG 774 of 1998
FED No. 1742/98. http://scaleplus.law.gov.au/html/feddec/0/98/2/FD013970.htm
Source: Patrick Gunning.
The Internet Industry Association’s Code of Practice, which has been in gestation for over a year, was finally issued for adoption in January (see http://www.iia.net.au). But it immediately provoked major criticisms, not least from Electronic Frontiers Australia (EFA); see http://www.efa.org.au/. There is particular concern about the provisions in the Code relating to content censorship and to ‘spamming’. The IIA sum up the spamming issue as follows:
Currently the Code provides for a qualified opt-out regime, however there is some feeling that we should consider revising this to a qualified opt-in approach. That is, that the default (subject to a few exceptions perhaps) is that Code subscribers should not send unsolicited commercial emails.
The relevant provisions were temporarily suspended in early February and members invited to comment.
Detailed personal information about hundreds of Air Miles cardholders has been available on the Web free for the taking throughout the month of January and possibly for as long as a year. The incident has renewed calls for tough laws holding corporations responsible for customer data they collect. A Toronto software developer discovered last year that files containing the names, card numbers, home phone numbers, and addresses of hundreds of Air Miles cardholders was left unprotected at the Air Miles Web site (http://www.airmiles.ca).
Source: David Akin, Technology Reporter, the National Post 22 January 1999.
[Officials in some American States] have begun selling the images wholesale. ... In the past several months, South Carolina has released 3.5 million digital photographs, Florida has started the process of transferring 14 million images in its files and other states have expressed interest in doing the same.
The buyer is Image Data LLC, a small New Hampshire company that wants to build a national database of photos and personal information to help retailers prevent identity theft—a fast-growing crime in which fraud artists use victims’ personal information to run up bills in their names or empty their bank accounts.
Image Data’s computers can flash the photo of person named on a credit card or a check to a small screen near a cash register when a transaction begins. Company officials say the service could head off billions of dollars in fraud by giving clerks an instant, tamper-proof way to verify the identity of customers.
The company’s desire for the personal data contained in motor vehicle files is far from novel. Such records are routinely sold by many states and have become a computerised staple for direct marketers, information services and others in recent years.
But by adding photographs into the mix, Image Data has crossed into new territory, raising on the one hand the possibility of improved security for consumers and retailers and, on the other, new questions about personal privacy.
Extracts from article by Robert O’Harrow Jr. Washington Post Staff Writer Friday, January 22, 1999; Page A01 Full story at:
Update: The Washington Post reported on February 18 that the U.S. Secret Service provided money and technical assistance to the New Hampshire company that purchased 22 million digital driver’s license photographs from three states before public protests stopped the transfers.