Privacy Law and Policy Reporter
This article comments on some of the National Privacy Principles (NPPs) and other aspects of the new private sector regime, and on its application to online activities. Readers are assumed to be familiar with the wording of the actual principles, which can be found at <www.privacy.gov.au>. This is an edited version of an address presented to the Records Management Association in Melbourne on 7 June 2001, incorporating issues arising from the Privacy Commissioner’s Guidelines issued in September 2001 — Editor.
An organisation collects personal information if it gathers, acquires or obtains personal information from any source and by any means. Collection includes when an organisation keeps personal information it has come across by accident or has not asked for.
The collection stage is critical because it may be the only stage of the process in which the data subject is directly involved and can therefore assert his or her rights. The principle requires that the individual be equipped to determine whether he should furnish the information or decline to do so.
The Commissioner’s Guidelines adopt the narrow interpretation of ‘fair’ as meaning without intimidation or deception.
Principle 1 also imposes the test of relevance on the collection of personal information. Collecting information just because it may be useful in the future is generally not acceptable. Even if information is relevant, it does not follow that it need be ‘personal information’ — as the Commissioner’s Guidelines point out, de-identified information may suffice. It may also not be necessary to require individuals to identify themselves when they interact with the organisation.
The purpose of this requirement is to ensure fairness and transparency and to prevent the type of ‘bait and switch’ that can easily result if a consumer is led to believe that a disclosure of personal data is necessary for a transaction when it will in fact be used for another purpose. That different purpose requires the individual’s ‘consent’. In his Guidelines the Privacy Commissioner defines ‘consent’ as meaning:
voluntary agreement to some act, practice or purpose. It has two elements: knowledge of the matter agreed to, and voluntary agreement. Consent can be express or implied. Express consent is given explicitly, either orally or in writing. Implied consent arises where consent may reasonably be inferred in the circumstances from the conduct of the individual and the organisation. Consent is invalid if there is extreme pressure or coercion.
In determining whether a use falls within the ‘primary purpose’ and accordingly does not require consent, the Privacy Commissioner’s Guidelines focus on whether that use accords with what the data subject would reasonably expect regarding his or her data.
Inaccuracy is a major problem for records generally, and the constant need for updating presents particular problems for personal records. A comprehensive US study of State criminal records highlighted the extent of the problem, finding that those that were complete, accurate and unambiguous ranged from 49.5 per cent for Minnesota to a mere 12.2 per cent for North Carolina.
The Privacy Commissioner’s Guidelines interpret this requirement as only requiring organisations to take reasonable steps to confirm the accuracy, completeness and currency of the personal information they hold at the time they collect, use or disclose it. Relevant factors are the likelihood that the personal data is accurate and reliable; whether the data is prone to becoming outdated; how recently it was collected; its source; and its proposed use and potential impact on the data subject.
Absolute security is unattainable. The appropriate degree of security is determined by the sensitivity of the personal data: what is reasonable for customer records will be inadequate for health data.
Principle 4.2 is essentially an elaboration on Principle 1 regarding the collection of relevant personal information. Its application will be affected by the various laws stipulating minimum retention periods.
Compliance with this principle requires the organisation to review its handling of personal information. The most obvious place to provide the resultant policy is on the organisation’s website.
Access and correction rights enable a data subject to participate in the management of his or her personal information. It enables the data subject to monitor whether the data user is complying with the other data protection principles. It also provides a crucial mechanism in enhancing data quality, as often the data subject will be in the best position to update and otherwise correct his or her personal data.
This statutory principle is not capable of operating concurrently with the common law duty of confidence and thus overrides the latter. Accordingly, access must be provided to personal data whether or not it was originally collected by the record keeper from a third party on a confidential basis.
This principle will have a particular impact online. Interactions in cyberspace reveal no self-authenticating facts about identity, whereas in real space one reveals one’s gender, age and language spoken. Most of the activities conducted online, such as reading news, shopping for products and searching for information, can be done without the collection of information from consumers. However, the trend has been for websites to increasingly require registration and to use new tracking techniques such as cookies and web bugs to profile internet users. Consumers are responding by utilising online anonymisation technologies such as Anonymizer or Zero-Knowledge Systems (enabling an individual to disaggregate his or her identity into five digital pseudonyms, which precludes even the company tracing back his or her actual identity). This anonymity will cease upon a purchase being made with a credit card, which is fair enough because identification becomes justifiable upon entering into legal relations.
The differentiation of ‘sensitive’ from other personal information derives from the EU Directive. It greatly complicates the application of a privacy law and focuses on data looked at in isolation, whereas the context rather than the categorisation of personal data is often important in determining its significance. Nonetheless, there is no doubting that the categories of sensitive information identified are those which are particularly prone to provide the basis of decisions which are considered discriminatory.
The phased application of the principles presents an organisation with a dilemma — in particular, whether it should quarantine its ‘personal information’ collected before 21 December 2001 in order to block access and correction requests. The difficulty is that such information immediately becomes subject to those requests upon its subsequent use or disclosure. Also, if the original record is amended, does it thereby become new ‘personal information’ in any event? Both legal and IT input is required in charting a course through these difficult provisions. These difficulties are exacerbated by the usage in the Privacy Act 1988 (Cth) (the Act) of ‘personal information’ rather than ‘personal data’, with the latter’s clearly understood concept of data fields.
The Act also provides for exemptions from coverage for:
(a) a current or former employment relationship between the employer and the individual; and
(b) an employee record held by the organisation and relating to the individual.
Unlike privacy laws elsewhere, none of the privacy principles are applied to exempted records. No sensible data user should, however, cease concerning itself with such parameters as security and data quality! This is particularly so in view of the sensitive nature of much employment data. A further problem — one which unfortunately characterises the Act — is that the scope of the exemption for employment records is unclear. In particular, it is not apparent whether personal emails sent by employees are covered by the Act or not. In view of these considerations, together with the undoubted application of the common law to such records and international (EU) requirements mentioned above, organisations need to seriously consider whether they should endeavour to apply the principles to employment records instead of resorting to this exemption.
The most comprehensive survey of the extent to which companies were addressing these concerns was published earlier this year by Consumers International and found that:
most sites collect personal information but fail to tell consumers how that data will be used, how security is maintained, and what rights consumers have over their own information.
In the Australian context, these failures will constitute a breach of the NPPs and hence the Act.
Privacy seal programs are becoming popular. These vary in stringency from those where an organisation is essentially licensed to sport the trademarked seal upon completing an online questionnaire to those requiring the successful completion of a comprehensive audit. As with most internet developments, the US is the main scene of activity although the extent to which Australian websites are subscribing to US seal programs does not appear to be presently documented. Most US seal programs are inadequate under Australian law as the suite of privacy principles adopted in that country by its Federal Trade Commission are restricted to awareness, choice, access and security. The key standards of purpose limitation, data minimisation and duration of storage covered by the Australian principles are omitted. There are also local seals based on the NPPs.
Studies indicate that a privacy seal of approval encourages consumers to make a purchase. Organisations considering adopting a privacy seal need to consider a variety of factors, including the adequacy of the standards the seal attests to and the extent to which the organisation’s compliance with those standards is both initially established and subsequently monitored by the seal provider. While affecting the price charged by the seal provider, the ‘brand recognition’ of the seal is not necessarily the best guide of its adequacy in protecting standards and ensuring customer satisfaction.
Privacy seals may encompass both off-line and online privacy practices or focus solely on the latter. Off-line procedures for the handling of personal information are generally much more complex, with various mechanisms for the collection of personal information and differing standards of security depending on the stage of the information cycle involved.
It follows from the above that for most organisations the prime incentive to comply with this legislation will be to gain the ‘privacy advantage’ over their competitors. The primary sanction will be customer resistance. Organisations also need to be aware, however, that the Act does provide for legal sanctions against errant organisations. Alleged or apparent contraventions will be investigated by the Privacy Commissioner, either as a result of a complaint or on his or her own initiative. Initially, as the Commissioner’s Guidelines point out, an attempt is made to conciliate:
If an individual thinks an organisation has interfered with their privacy they can complain to the Commissioner. When the Commissioner receives a complaint the individual must in most cases be referred back to the organisation to give the organisation a chance to resolve the complaint directly (see s 40(1A)).
If the individual and the organisation cannot resolve the complaint between themselves, the Office conciliates the complaint using letters and phone calls, or in some cases, face to face meetings. In the majority of cases, the complaint is resolved this way.
Failure to conciliate has legal consequences. Section 52 of the Act provides that after investigating a complaint, the Commissioner may find the complaint substantiated and make a determination that includes a declaration requiring the organisation to desist and to redress any loss or damage suffered by the complainant. The Commissioner may make a further declaration that the complainant is entitled to a specified amount by way of compensation for any loss or damage suffered by reason of the act or practice which is the subject of the complaint. ‘Loss or damage’ includes injury to the complainant’s feelings or humiliation suffered by the complainant. The Commissioner may include a declaration that the complainant is entitled to a specified reimbursement for expenses reasonably incurred in connection with the making of the complaint and the investigation of the complaint.
A determination is enforced by the Federal Court or the Federal Magistrates Court.
It hardly needs mentioning that the costs of legal compensation will pale in comparison with the loss of goodwill inevitably inflicted on a company which is subject to proceedings under the Act.
The regulatory focus of the Act is on the organisation controlling the personal data involved. A company can only act through its employees and, accordingly, determining whether there has been a contravention of the Act will involve examining the actions of specific individuals. However, such individuals will not be the formal focus of the investigation or claim. Instead, the Act recognises that specific individuals will, as part of a larger organisation, reflect the procedures and norms provided by that organisation. The Act treats the acts and practices of employees (and those ‘in the service of’ an organisation) in performing their duties of employment as those of the organisation (s 8(1)(a)). This works both ways: whereas the organisation will be in the firing line for its staff’s infractions, where it has taken reasonable steps to prevent the contravention from occurring this will provide mitigation should there be an investigation.
In this context adequate staff training is vital. Management may have a sound appreciation of the legal requirements but if this awareness has not percolated down to the rank and file employees, the organisation remains vulnerable to contraventions.
Complying with the Act will require fundamental changes in current attitudes and practices of businesses and other organisations. Companies adopting a systematic approach will incur costs. To those who may be disposed to doubt the utility of complying with the new law, or indeed the utility of the law itself, reference to a US study may be salutary. Based on extensive interviews with executives in the banking, credit card and insurance industries, it found that without legal regulation, executives were afraid to confront privacy issues. The result was policy drift. This wandering and reactive policy making process was attributed to various factors. Managerial attention tended to focus on items benefiting the company in the short term, whereas the privacy principles are more likely to reap organisational and customer benefits in the longer term. Frequent absence of leadership from the top left middle managers to develop their own localised and often divergent policies, reducing their legitimacy and influence. However, the most serious obstacle to the development of coherent privacy policies was found to be the lack of clear cut boundaries of appropriate and inappropriate practices concerning personal information. The result was that companies were left to plot their own course through a thicket of conflicting views. The Privacy Act goes a long way towards dispelling this ambiguity. As with any piece of legislation it has its borderline applications — this is inherent in any law. But it does provide a set of standards where before there were none.
Mark Berthold, firstname.lastname@example.org. Legal advisor to the Hong Kong Privacy Commissioner. Currently coauthoring a new title on Hong Kong Privacy.
Burnham D, The Rise of the Computer State, Vintage Books, New York, 1983, p 73.
Lessig L, Code and Other Laws of Cyberspace, Basic Books, New York, 1999.
See for example <www.epic.org> regarding US trends.
Consumers International, Privacy@net (2001), cites these and other studies.
Killingsworth S, ‘Minding your own business: privacy policies in principle and in practice’ (1999) 7 Journal of Intellectual Property Law 57.
Smith HJ, Managing Privacy, University of North Carolina Press, Chapel Hill, 1994.
Bennett C, Regulating Privacy: Data Protection and Public Policy in Europe and the United States, Cornell University Press, Ithaca, 1992, p 37.
European Union, Article 29 Data Protection Working Party, Opinion on the level of protection of the Australian Privacy Amendment (Private Sector) Act 2000, adopted 26 January 2001.