Privacy Law and Policy Reporter
Compiled by Graham Greenleaf
The Australian Federal Privacy Commissioner has decided that it is only in ‘rare circumstances’ that he will consider identifying a company that is the subject of a privacy complaint. Information Sheet 13 ‘The Privacy Commissioner’s Approach to Promoting Compliance with the Privacy Act’ <www.privacy.gov.au/publications/is13_01.html> states that the normal anonymised approach will be as follows:
The Office includes in its annual report some case studies on complaints it has handled and investigations it has carried out. These are reported in summary form and do not generally identify the complainant or respondent. With the new private sector provisions, the Office plans to add to this approach by publishing more frequent, de-identified case notes on complaints it has handled. The aim of these will be to help organisations and the community understand the way the Office applies the provisions of the Act and, where relevant, the provisions of approved codes.
The circumstances where respondents (companies and other entities) will be named are as follows:
On occasion there may be some merit in making public the circumstances of a particular complaint or investigation. This may be, for example, where there is already publicity around a particular matter before it reaches the Office or where, despite all the other approaches the Office has taken, an organisation continues to engage in behaviour that constitutes an interference with privacy. This would clearly be a serious step which could have commercial consequences for the organisation concerned. It would only be appropriate in rare circumstances. In the ordinary course of events, the Commissioner would not consider such a step unless:
This conjunction of requirements means that no matter how repeatedly or seriously a company has breached the Privacy Act 1988 (Cth), if it demonstrates an intention to mend its ways it will not be named at the Privacy Commissioner’s initiative. ‘Name and shame’ is not part of this Commissioner’s armoury.
The only likely way that the identities of privacy-invading companies will be known is where complainants have the courage to go public and the media to report them, or the complainant pushes for a formal determination under s 52 of the Privacy Act. The two s 52 determinations made by previous Commissioners in the past 13 years have been published, and have identified the respondent departments, but Information Sheet 13 is silent on that.
Even more restrictively, the reporting of identified complaints is completely eliminated if a complaint is dealt with under an industry Privacy Code (Pt IIIA Privacy Act). The Privacy (Private Sector) Regulations 2001 (Cth) (the Regulations) set out in Sch 1 ‘Prescribed standards for procedures relating to complaints’, which gives the Commissioner his instructions from the government as to what industry codes he can and cannot approve. Part 5 ‘Accountability’ states under ‘Principle’ that ‘Reports of determinations and information about complaints must be published...’, but in fact only mentions determinations. In relation to determinations it includes the initially positive requirement that ‘written reports of determinations by an independent adjudicator must be made available to any other interested person or body’ (Sch 1 cl 5.2(1)(b)) but unfortunately then provides that ‘a report must not name any complainant or respondent organisation’ (Sch 1 cl 5.2(4)(b)). The ‘determinations’ made by Code adjudicators are supposed to be the same as those made under s 52 (s 18BB(3)(d)), so there appears to be an inconsistency between previous practice and the Regulations. Part 5 says nothing about publication of details of other complaints which are resolved by mediation, not by a determination, so there is no reason to assume that the Commissioner’s approach to providing de-identified summaries will be followed.
The new Hong Kong Privacy Commissioner for Personal Data, Raymond Tang Yee-Bong, has revised the Consumer Credit Data Code of Practice made under the Personal Data (Privacy) Ordinance, but the revisions (February 2002) do not yet allow the ‘positive’ reporting that has been called for by the Hong Kong banking and finance industry. ‘Positive’ reporting allows banks and others to provide to credit bureaux details of the payment performance of all customers, even those who have had no credit defaults. In contrast, the currently permitted ‘negative’ reporting system used in Hong Kong (and Australia) only allows reporting of credit defaults, plus details of credit applications and ‘file activity’ (enquiries by credit grantors).
The amendments allow credit bureaux to keep credit application and file activity (for instance, enquiry) data for two years (instead of 90 days or 12 months), giving credit providers a lengthier picture of a person’s credit activities. Commissioner Tang said it would be necessary to see how well this more liberal system worked before positive reporting was considered, and industry and public consultation would also be required.
The revised Code now also allows credit bureaux (not only credit grantors) to use information on file for ‘consumer credit scoring’, and to use credit application and file activity data for this period for five years. The revised Code is at <www.pco.org.hk/english/ordinance/code_credit.html>.
Comcast Corp, the third largest US cable company, has been forced to abandon its recently discovered practice of logging all web browsing of its one million subscribers after Congressional and public complaints. On February 13 2002 Comcast, which said it was storing the information ‘temporarily’ to increase user efficiency, and not for profiling or marketing purposes, stated it would no longer do so. Critics argued that the information, once stored, could be obtained by third parties under subpoena and other process. Other US cable ISPs stated that they did not record user browsing habits.
Sources: EPIC Alert 9.03 and the International Herald Tribune February 14 2002.