Privacy Law and Policy Reporter
Compiled by Graham Greenleaf and Nigel Waters
Over the past weeks, Australia’s two northernmost jurisdictions have announced very different paths to privacy protection, both somewhat at odds with what the rest of Australia is doing.
The new Northern Territory Labor Government has tabled a draft Freedom of Information Bill which also includes some elements of privacy protection, going beyond the correction of personal records which is found in all Australian FOI laws. The draft Bill was introduced by Attorney-General Peter Toyne on 24 October 2001. Comment on the draft will be accepted until 28 February 2002.
Announcing the draft Bill, Dr Toyne said:
The information scheme we propose also seeks to protect the community against improper use of personal and commercial information held by government. It will place constraints on the use of such information for commercial purposes and provide an opportunity for an independent review where someone believes that improper use has occurred.
Provisions limiting the use of personal information contained in public registers are included in both the NSW and Victorian public sector privacy laws.
‘The draft bill is unique in that it has been specifically written to cater for the new information based economy and is therefore more relevant than similar legislation in other jurisdictions,’ Dr Toyne claims. An Information Commissioner, as is found in Queensland and WA, will deal with FOI/privacy complaints under the legislation. The Department of Corporate and Information Services will be actively involved in implementing the information and privacy scheme.
In contrast to this legislative route, the Queensland Government implemented, in September, a new purely administrative privacy regime. Attorney-General and Minister for Justice, Rod Welford, said the Government’s new policy created strict rules about how personal information was collected, stored, used and disclosed by the public sector. He said that an Information Standard, approved by State Cabinet, is based on Information Privacy Principles (IPPs) that apply to the Commonwealth public sector under the Commonwealth Privacy Act 1988. Each Queensland agency is required to develop a Privacy Plan within the next six months, and to appoint a Privacy Officer. Local government is not part of the privacy regime, unlike in NSW and Victoria, States which have privacy laws. Unlike NSW and Victoria, it would seem that Queenslanders will have no enforceable remedies or compensation in the event of privacy breaches by government.
Further information (Qld): <www.justice.qld.gov.au/dept/privacy.htm>. Further information (NT): <www.nt.gov.au/ntg/information/index.shtml>.
In August, federal Commissioner Malcolm Crompton wrote to the Australian Chamber of Commerce and Industry (ACCI), which had been critical of the Commissioner’s perceived approach to enforcement of the new private sector Principles. The following extract is an important statement of the Commissioner’s position.
I refer to the reports that you say you are receiving about the approach this Office will take to promoting compliance with the new law after 21 December this year. As I understand it, you are concerned that I have stated in a number of public forums that we will be deliberately seeking early breaches of the law then making public examples of the organisations involved, as a warning to others.
Let me assure you that this is not an accurate account of what I have been saying. In every public speaking engagement where the question of our approach to compliance has been raised, I have clearly stated that publicising breaches of the Act would be a last resort where it has proved impossible to arrive at a conciliated outcome.
Let me outline to you the approach that I have repeatedly espoused. This approach is based on using the lowest cost, lowest profile approach that the complainant and respondent organisation will allow.
These arrangements are:
In making these points, I should point out that this includes our jurisdiction over credit reporting activities in the private sector. Against this background, in all of my public speaking, I have noted that while publicity is an obvious option, we will only use it as a last resort and I have pointed out that we would much rather celebrate success than condemn failure; and that we are here to help organisations find privacy solutions. This approach is explicitly stated in the Strategic Plan launched in March 2000 and has been reiterated ever since.
In the course of making these remarks, I have also pointed out that if an organisation does not do the right thing after a complaint has been resolved, for example continues to flout the law or is clearly and consciously a ‘repeat offender’, then and only then will we seek to put the matter in the public arena.
I hasten to add that this approach has had, and will have, an impact on the public standing of this Office in the eyes of some. For example, when I outlined this philosophy in a talk to the Melbourne Press Club last March, I was roundly criticised during debate for being soft. In another instance when we issued a media statement (on request only) that flatly described the terms of a settlement with Harts Financial Services, its clients were described as ‘outraged that the Federal Privacy Commission (sic) has chosen not to fine the finance company’.
Hong Kong’s widely respected Privacy Commissioner for Personal Data, Stephen Lau, has decided not to seek re-appointment at the expiry of his term as Commissioner and has rejoined the private sector as President, Asia Pacific North, of Electronic Data Systems Corporation (EDS). Mr Lau was with EDS before taking up the post of Commissioner. Among other things, Mr Lau will be remembered for hosting in 1999 the most open and stimulating International Data Protection and Privacy Commissioner’s Conference in its 25 year history. He also holds a special place in the internationalisation of privacy principles, as the first Privacy Commissioner in an Asian jurisdiction.
The new Commissioner, Mr Raymond Tang, took up his post on 1 November 2001. Mr Tang is a lawyer of 35 years’ experience and until appointment was a barrister in private practice. From 1996 to 1999 he was with Hong Kong’s Securities and Futures Commission, first as its Chief Counsel and then as Special Counsel to the Chairman.
The Law and Justice Legislation Amendment (Application of Criminal Code) Act 2001 (Cth) makes generic changes to the Criminal Code which apply to Federal privacy law. Schedule 40 amends the Privacy Act 1988 (Cth), to replace ‘knowingly or recklessly’, with ‘intentionally’ in the offence provisions (all of which are in the credit reporting provisions, Pt IIIA).
‘The results of the websites audit are overall disappointing,’ said Federal Privacy Commissioner, Malcolm Crompton, in a letter to agency heads about the results of a recent privacy audit of Commonwealth Government websites. In May 1999, the Commissioner’s Office issued Guidelines for Federal and ACT Government websites. The Government adopted these guidelines as part of the Government’s Online Strategy for the delivery of Commonwealth Government services, and set 1 June 2000 as the deadline for implementing the guidelines.
The 2001 survey found that nearly one third of Commonwealth websites still fail to meet the baseline requirement of displaying a privacy statement. Less than one quarter (21.6 per cent) of all websites that collect personal information had an adequate Information Privacy Principle 2 (IPP 2) statement or a direct link to a privacy statement. Less than half (42 per cent) of all websites audited warn users of the risks of transmitting data across the internet. Only 2.8 per cent of sites audited used encryption methods to ensure secure transmission of personal information.