Privacy Law and Policy Reporter
compiled by Nigel Waters
Federal legislation progress report — EU process explained
Speaking in Perth in October, Attorney-General Daryl Williams said that the Privacy (Private Sector) Amendment Bill 2000 would progress with debate in the House on the Bill and the Government’s amendments (in response to the House of Representatives Committee Report, see 7(1) PLPR 1) during the current Parliamentary sittings. The Government is considering the recommendations of the Senate Standing Committees which have looked at the Bill, and the Attorney also mentioned the Senate Select Committee which has looked at e-privacy but has not yet reported.
Predictably, speaking to a business audience, the Attorney chose to emphasise the ‘light touch’ nature of the legislation. ‘One of the first things you will notice about the Bill is that it is not prescriptive and it does not impose a heavy handed regime on the business community,’ he said.
He also emphasised the delayed commencement and numerous exemptions. The Government has found a new excuse for the employee record exemption: ‘To attempt to deal with employee records comprehensively in this legislation would not be practicable. It would create an unacceptable level of interference with State and Territory laws and it would create a confusing mosaic of obligations.’
Usefully, the Attorney spelt out, more clearly than anyone has done to date, the process under the EU Directive.
The EU’s assessment of the adequacy of privacy protection of data in Australia will start formally [see note below] after the Bill receives Royal Assent. The Commission will then make a proposal to the Member States to consider the adequacy of Australia’s privacy legislation.
Once the European Commission has made its proposal, it will submit a first draft opinion to the Article 29 Committee — which is made up of data protection commissioners from the Member States. The first opinion will compare the Australian approach with the EU approach and form the basis for the Article 29 Committee’s examination of the legislation.
What follows next is a consultation process — representatives from the Commission and the Article 29 Committee will examine the legislation and consult with Australia. When this process is finished, ... the Article 31 Committee will prepare a draft recommendation for the EC to consider, and then the EC will itself make a recommendation on adequacy.
The EC’s recommendation will be taken to the College of Commissioners and the European Parliament. The role of the European Parliament is to scrutinise the process, rather than the recommendation itself. The College of Commissioners will make the final decision about adequacy. This process could take between six and twelve months.
Optimistically, the Attorney is ‘confident that many businesses will go on to adopt their own, more stringent, privacy standards because the simple reality is that good privacy protection is good for business’.
Source: Speech released by the Attorney General’s Office.
Note: While the EU Commission’s assessment of the adequacy of Australia’s privacy protection may not have formally commenced, it appears to be well under way — a Commission officer met with privacy advocates (and others?) in September to gather opinions about the existing legislation and the Government’s Bill.
Federal Privacy Commissioner Malcolm Crompton has confirmed that the absence of appropriate security measures in the Treasury Department’s GST-Assist website prior to 29 June 2000 was a breach of the Federal Privacy Act.
Crompton said that the unauthorised accessing of the website in June by an internet user, revealing GST suppliers’ bank account details, illustrates the need for government departments and organisations to develop rigorous privacy protection measures as they move operations and services online. ‘Although the person who accessed this personal information only circulated it to those named in the record, the potential for misuse of this information was considerable.’
The Privacy Commissioner found that security testing of the GST-Assist website was limited and primarily concerned with business access requirements without adequately addressing the need to protect personal information in the database from unauthorised access.
‘A greater degree of effort must be put into protecting personal information in the online environment including the specific requirement that privacy be addressed in contracts with software and systems suppliers,’ said Crompton.
Source: Privacy Commissioner Media Release 16 October 2000, at <www.privacy.gov.au>.
The Commonwealth Government has moved to implement the Model Bill for Forensic Procedures (February 2000) by introducing the Crimes Amendment (Forensic Procedures) Bill 2000 into the Senate. The Bill is currently under consideration by the Legal and Constitutional Affairs Committee which called for submissions by 1 November.
In October, the Hong Kong Government announced a HK$3 billion project to issue nearly 7 million replacement identity cards to permanent residents of the Special Administrative Region.
As well as the existing functions, the new ‘smart’ cards will support automated clearance at borders. Equipped with the smart card, cross-border travellers could simply swipe their cards at checkpoints. People stopped for ID card checks would slide their cards into a small machine and provide a thumb imprint. Names and details will be instantly shown on a reader. The $3.06 billion project follows years of debate on the new breed of identity cards.
Secretary for Security Regina Ip Lau Suk-yee guaranteed only ‘minimal, basic’ personal data would be stored on the cards. ‘The Government will take every necessary measure to ensure the right of individuals to preserve the privacy of their personal data is protected,’ she said.
Basic data to be contained in a microchip on the card includes personal particulars such as name, date of birth, a photograph and a fingerprint.
Optional functions may include a driver’s licence number, government library cards and certificates in digital form. Cardholders will have the choice of deciding whether these functions should be included. Six designs will be put forward for public consultation, which will end on November 30.
Mrs Ip said a regular privacy impact assessment would be carried out. She added that the only plans at the moment were for applications allowing the use of government services.
Cross-sharing of data among government departments would be strictly prohibited, as only the relevant department would have an access code to a particular pool of data, Mrs Ip said.
Privacy Commissioner Stephen Lau Ka-men said, ‘The card with its capabilities to support the various applications can be regarded as quite a comprehensive personal dossier.
‘While portability of the card can be an advantage to the holder, it can also make the embedded personal data accessible to many, thus diminishing protection of the individuals’ data privacy.’ He said his office would monitor the development of the program.
Source: South China Morning Post and media release.
Note: Hong Kong Privacy Commissioner Stephen Lau has publicly noted that the first privacy impact assessment for the replacement ID card has been carried out by a consortium of privacy experts led by Nigel Waters (Associate Editor of PLPR). The client, the HK Dept of Immigration, has not yet acknowledged this and it is not known if the PIA will be made public.