Privacy Law and Policy Reporter
This is an abridged version of a paper presented at the Australian Centre for Independent Journalism Conference: ‘The Public Right to Know’, in a session on the media and privacy. The article does not consider the media specifically, but instead looks at information that is in the public domain because it is generally known or published, and discusses how that information is dealt with by laws that endeavour to protect personal privacy.
Some protection offered by the law is only granted to information that is kept private in the sense that it is not generally known. There is an expectation that the individual (the information subject) will take some responsibility for ensuring that the information is not disclosed. However, data protection laws (commonly referred to as privacy laws) offer broader protection to personal information, some of which may already be in the public domain.
In this article I will argue that while some personal information has no place in the public domain, there may be legitimate reasons for us to know at least some details about the people we deal with. There may also be legitimate public policy grounds for providing an independent source for that information in the form of public registers so that we need not always rely exclusively upon the information that others present to us. This article considers the potential conflict between demands for personal privacy in the digital age and the need for public information of this kind.
Some personal information is known to others simply because we live in a community. General observation tells me that the man next door has a female partner and that the couple across the road have two children. Shortly after moving into our home, a neighbour filled us in on the occupations of a number of the residents in the street, and I felt obliged to answer truthfully her question about our own careers in return. So we can assume that at least some of our neighbours know something about us! You might say that this was a voluntary, if somewhat reluctant, publication of personal information. We volunteer information about ourselves in many other contexts, fully aware that it will become generally known and that further distribution of this information is beyond our control. Interaction with others depends upon a certain level of information exchange. In small communities, information of this kind is available from direct observation and personal relationships. In larger communities, official sources of information, such as public registers, place this information in the public sphere and facilitate informed, ideally honest, dealings.
There is a long tradition of information on the public record that might be consulted without reference to the subject of that information. In the age of print, certain kinds of personal information were available from official and non-official sources to anyone with the time and the inclination to look:
In some circumstances, public access to this information is required by law to serve specific public purposes — for example, to verify professional qualifications or the accuracy of other information that has been provided to us, or to ensure accountability by public scrutiny. There is a good deal of discussion about the need for privacy protection in the digital age; however, in a world of e-commerce and anonymous e-mail, it is also essential that independent sources of information are available that assist with verification. This does not attract much attention in the privacy debate. Laws that grant rights of control over personal information, to determine access and accuracy, have an impact upon the availability of this information in the public domain.
Before the development of computer databases, we had certain expectations about privacy and accepted a certain level of public disclosure of personal information. With the development of new computer and communications technologies, our expectations of privacy have been heightened. Our conceptions of privacy are not fixed; they are socially constructed and subject to change over time. A US commentator has suggested that:
our very conception of privacy is dependent on society's technology. There is a possibility that the internet is not changing the ways in which privacy may be invaded as much as it is changing society's conception of privacy itself.
Concerns about privacy and arguments for greater legal protection for personal information have emerged in the last four decades from discussions about developments in computer and telecommunications technology.
This is not the first time that new technology has acted as the stimulus for privacy demands - before the development of computers came the intrusion of the camera. The origins of the right to privacy that has been developed by the courts in the US can be traced back to an influential article written by Samuel Warren and Louis Brandeis in 1890. It is interesting to consider their arguments for the development of a law of privacy based on the threat of new technology from a 21st century perspective:
The [law as it existed at that time] may have satisfied the demands of society at a time when the abuse to be guarded against could rarely have arisen without violating a contract or a special confidence; but now that modern devices afford abundant opportunities for the perpetration of such wrongs without any participation by the injured party, the protection granted by the law must be placed upon a broader foundation. While, for instance, the state of the photographic art was such that one's picture could seldom be taken without consciously 'sitting' for the purpose, the law of contract or of trust might afford the prudent man sufficient safeguards against the improper circulation of his portrait; but since the latest advances in photographic art have rendered it possible to take pictures surreptitiously, the doctrines of contract and of trust are inadequate to support the required protection.
Warren and Brandeis were also troubled by the conduct of the press that was:
overstepping in every direction the obvious bounds of propriety and of decency. Gossip is no longer the resource of the idle and of the vicious, but has become a trade, which is pursued with industry as well as effrontery.
The contemporary equivalents that have led to the introduction of data protection laws are computer databases, the internet and direct marketers. It would seem that while we may accept quite a degree of exposure to the public sphere, be it gossip or our names and addresses on the electoral roll, it becomes intolerable once that exposure is more sophisticated because of advances in technology, and when it is commercialised.
The response to such concerns is, invariably, the introduction of new rights of control to be exercised by the information subject. Data protection laws, which will be discussed in this article, grant individuals rights of control over collection, use and accuracy of their personal information. Protection of this kind may be justified in many contexts; however, it is neither practicable nor desirable that the law grants us absolute control. When living in a community, it is inevitable that some of our personal information is public. This is not an argument against a right to privacy. Nor is it an argument for a ‘right to know’ the personal information of others. However, it is important to assess the impact of this increased control on the flow of information and ask the following questions.
The protection granted to information concerning our personal lives varies across different regimes of legal protection. In some instances the information must be secret, while in others it is information from which individuals may be identified. There is a significant difference between protection that is confined to information that is private (not generally known), and the protection of personal information that potentially includes information known to the public.
The law of breach of confidence protects personal information along with trade, government, artistic and literary secrets. To be protected, the information must have the necessary quality of confidence — it must be secret, or relatively secret. Once disclosed, personal information can become part of the public domain and so no longer be protected by obligations of confidence.
A range of statutory provisions also place restrictions on the use of personal information, particularly in relation to information held by government. The Commonwealth and various State Freedom of Information (FOI) legislation include exemptions to disclosure of personal information in government records. This is not an absolute protection of personal privacy. Disclosure is refused if unreasonable, but is allowed if in the public interest. There is a balancing here between the public interest in disclosure and the public interest in the protection of personal privacy.
The exemption from disclosure of such information is not to protect private rights, rather it is in furtherance of the public interest that information of this kind is excepted from the general right of public access.
There are also provisions in the FOI legislation that require consultation with persons affected before personal information is released. The fact that information is publicly known may be a relevant consideration when determining whether release is reasonable under the personal privacy exemption. Under Commonwealth legislation, when determining whether an affected person might reasonably wish to contend that a document is exempt because it contains personal information, the following are relevant matters:
(a) the extent to which the personal information is well known;
(b) whether the person to whom the personal information relates is known to be associated with the matters dealt with in the document;
(c) the availability of the personal information from publicly accessible sources; ...
When personal information is contained in a public register, disclosure under FOI legislation that gives effect to the purpose of the register may not be unreasonable. In a case involving unclaimed money databases held by the Australian Securities and Investment Commission (ASIC), there was a public interest in ensuring that unclaimed moneys were paid to the rightful payee, and this was held to outweigh any privacy issues. The applicant in that case had established a business based upon searching the records and notifying persons entitled to claim. He was, therefore, facilitating the purpose of the register, which the Administrative Appeals Tribunal (AAT) thought to be reasonable, even though it was done for his own commercial interest. While generally under FOI law the person’s reasons for seeking access have no bearing on the matter, the AAT appeared to consider the applicant’s proposed use of the information and its consistency with the purposes of the register when deciding whether granting access to personal information was reasonable.
Data protection legislation also protects personal information. Commonwealth government agencies have been subject to Information Privacy Principles (IPPs) for over a decade. NSW and Victoria have also introduced provisions covering State government records and the Commonwealth legislation has recently been amended to cover personal information held by the private sector. This is not privacy in the sense of being concealed from public view. Under data protection law, personal information need not be secret; information is personal if an individual can be identified from it. This grants individuals a degree of control over information that is in the public domain, such as names and addresses. Information subjects must be made aware that their personal information is being collected and the reason for collection. For information collectors in the private sector, where practicable, the information must be collected directly from the information subject rather than from another source. Consent is required for use or disclosure of information for purposes other than those related to the original collection. Information subjects can also seek access to, and correction of, personal information that is not correct, complete and up to date. Wherever practicable, individuals must also be given the opportunity to transact with a private sector organisation anonymously.
What matters to me is not whether information about me exists, but whether other people can find it. Even if all of the information I wish to keep private — say, my marital history or criminal record — exists in publicly accessible archives, it remains, for all practical purposes, private so long as the people I am interacting with do not know that it exists nor where to look for it. Modern information processing has at least the potential to drastically reduce this sort of privacy.
The concern expressed by this commentator explains the recent focus upon privacy in a digital environment. Paper based files placed practical constraints upon the invasion of individual privacy even when the information was in a public register. It seems that while access was limited to professionals and the very determined, these public sources were not perceived as being a threat to privacy. With the ‘democratisation’ of access offered by the internet, the place of this information in the public domain is now being questioned. So long as use was generally limited to lawyers, persons engaged in business, maybe even journalists, there seemed little reason for concern. But if your neighbour can spend an idle evening looking you up on the internet, then you may believe your privacy has been infringed. Why? For the purposes of this discussion, I will not consider those special cases where persons are being stalked, harassed by ex-partners or are on witness protection programmes. No new issues arise with computerisation of public registers for such cases. A determined pursuer could have used public registers in traditional media, and there are provisions that allow opting out of the registers in such cases. I will also put to one side the problem of intrusive direct marketing practices. If the floods of letters, email, and telephone calls were the only problem to be solved, specific legislation and industry codes could regulate this. Direct marketing alone cannot justify the complete removal of information from the public domain if there are good public policy reasons for that information to be available.
In this article, I have chosen two recent controversies over computerisation of public records to illustrate these concerns. In the first case, the records were temporarily removed but reinstated. In the second case, information that was to be made available to the public was withdrawn.
In May 1996 the Australasian Legal Information Institute (AustLII), which provides free access to Australian legal databases on the internet, attracted media attention because decisions in family law cases were available to be searched. While there are restrictions on the general publication of accounts of Family Court proceedings that identify parties or associated persons, an exception allows the publication of law reports intended primarily for use by professionals. For many years, reports of decisions in family law cases that include the parties’ names and a range of personal information have been available in law libraries. When the same information was published on the internet, it attracted objections on the grounds of privacy.
The arguments made for their removal are of interest to this analysis. The power of computer technology was thought to be so intrusive that it warranted removal of information from the public domain. While the Secretary of the Attorney General’s Department expressed the view that:
[i]f it is appropriate for it to be available on paper, I see no reason why it is not appropriate to be available on the internet,
the Chairperson of the Privacy Committee distinguished computer access:
It is different [from the hard copy] because it becomes available for people who are essentially motivated by reasons that are not in the public interest.
The concern seemed to be that the motivation may be voyeuristic, malicious or mischievous when information of this kind is accessed on the internet.
Ultimately the database returned to the internet. Public confidence in the Family Court is, it was argued, increased when the proceedings are open to scrutiny. In a report to the Attorney General, a former Chief Judge of the Family Court of WA, Ian McCall, set out the policy reasons for publicity of Family Court cases in the following terms:
In order for the public to have this confidence it must know what the courts are doing and how they are administering the law...
[Without publicity the] community it is left with its hearsay sources to ascertain what is the law and how it is administered.
This is unsatisfactory.
Publicity of proceedings fulfils two roles, disciplinary and informative or educative. The disciplinary has two sides to it. It ensures the accountability of the judiciary and provides a safeguard against arbitrariness and idiosyncrasy. In addition, it imposes a discipline upon the parties and their witnesses. To know that there may be publicity imposes a restraint upon reckless or inaccurate testimony...
In a court which has such wide discretionary powers, the informative or educative role of the media has particular importance. It is the way in which this discretion is exercised by the application of the broad principles of the Act to specific factual situations that provides information of utility to the community.
Ian McCall then went on to argue that failure to publicise Family Court cases has led to a distorted view of the way in which the Court makes decisions. While he would have ensured full privacy protection for children in Family Court proceedings, Ian McCall made no distinction between family law cases involving property settlements and commercial, bankruptcy and de facto relationship cases heard in the common law courts, all of which may publicly disclose personal financial information. The report proposed increased, although not unregulated, publicity through the media. These recommendations have not been implemented.
There was a similar (probably greater) uproar in 2000 when it was admitted that the Australian Tax Office (ATO) proposed to make available, upon payment of a fee, information collected from applications for the new Australian Business Number (ABN) and included in the Australian Business Register (ABR). Along with the company records were entries for sole traders and family partnerships (as all were required to apply for an ABN). Granting access to business and trading information in public registers is not new. Nor is it uncommon to charge a search fee, although when electronic databases are searchable by end users, the allegation that the agency is ‘selling’ the information, rather than charging a fee for a searching service, will inevitably be made. The problems for the ATO were compounded by its failure to inform people that the information would be made public at the time it was collected. Unauthorised secondary use of the information emerged as a matter of particular concern.
In this case, limitations were placed on the categories of information made publicly available. The A New Tax System (Australian Business Number) Act 1999 (Cth) was amended to exclude personal information. The information now available on ABR Online is basic information about a business such as the ABN, trading names, entity type (in other words, individual, partnership, public company) and location indicated by State. Street and email addresses are not included and the only information remaining that is ‘personal’ is the names of sole traders. By removing what is, in effect, all contact details (email and street addresses) not just for individuals but for companies, the usefulness of this as a source of public information about business has been significantly reduced.
In cases such as these, the arguments for increased privacy sometimes succeed; in others, the information remains in the public domain. We have seen an example of each here. What these cases illustrate are the kinds of pressure that are being placed on the public domain of information in the name of privacy in the digital age. This heightened sensitivity to privacy has led to discussions about personal information in public registers generally.
Australian data protection laws do not grant individuals absolute control over information which identifies them. There is still some scope for access to information in the public domain. A significant exception is personal information contained in generally available publications. This is defined in the Privacy Act 1988 (Cth) as:
a magazine, book, newspaper or other publication that is or will be generally available to members of the public.
Public registers that fall within this definition of generally available publications include records of the Australian Securities and Investment Commission, the electoral roll and court records.
The privacy implications of access to personal information in public registers are a topic that has attracted a good deal of attention in recent years. The Federal Privacy Commissioner has reported this as a matter of public concern:
Recent public debate indicates that the community is apprehensive about the use of public registers, including the electoral roll, for purposes other than the purpose of collection. This is particularly so where there is some compulsion to provide information to the Government for these registers.[24]
The matter has been raised in government and parliamentary reviews in Australia[25] and overseas.[26] In 1995 the House of Representatives Standing Committee on Legal and Constitutional Affairs recommended that the reasons for allowing access to public registers be reviewed.[27]
In the recently passed NSW and Victorian information privacy legislation, certain restrictions have been placed on the disclosure of personal information from public registers, thereby limiting use of the information to purposes commensurate with the public purpose for establishing the register. While one of the main purposes behind these provisions was to deal with use of public register information for commercial purposes, specifically direct marketing, the result is a partial withdrawal of information from the public domain.
In NSW, personal information must not be disclosed from a public register unless the government agency is satisfied that it is to be used for a purpose relating to the purpose of the register or the relevant Act. So that this can be established, the person applying for the information may be required to sign a statutory declaration giving particulars of the intended use.[28] Information is now being collected about the information seekers! The implications of these provisions for local government in NSW have been discussed by the NSW Privacy Commissioner. After distinguishing confidential information from the concept of privacy (in other words, data protection) the following point was made:
Privacy only covers information which is personal. It emphasises concepts of fair and legal collection, up front notification and fair use, regulated by the purpose of collection. The fact that information is in the public domain will not necessarily exclude it from protection when it is collected and used for other purposes.[29]
Specific public register provisions are also included in the Victorian legislation. Public sector agencies must, as far as is reasonably practicable, comply with the IPPs in relation to personal information in public registers. The implications of this are currently being reviewed by the Victorian Privacy Commissioner in relation to building permit data in local council registers.[30]
Attempts to remove personal information from the public domain with these public register provisions, or at least limit its use, seem to have been only partially successful. Significantly, public registers held by the NSW Land Titles Office have been excluded from the provisions in the NSW legislation,[31] and the provisions have been modified in relation to local government allowing inspection and copying of single entries without the need to determine the reason for the request.[32] This could be presented as the result of delicate balancing between rights of privacy and access to information. To me, it suggests a fundamental flaw in data protection law when attempts are made to control the use of published information.
Computerised databases and internet access are often the triggers for demands for increased privacy protection. There is apprehension about the availability of personal information in public registers, particularly once they are computerised. The literature, government reports and recent legislation indicate that the reasons for allowing access to public registers will be subject to review, and perhaps challenge, in the future. In some circumstances, public access to personal information has a legitimate public policy basis — for example, to verify the accuracy of information that has been provided by the information subject, or to ensure accountability by public scrutiny. There is a good deal of discussion about the need for privacy protection in the digital age. It is important that this matter attract the same level of attention in the privacy debate.
Judith Bannister, Lecturer, School of Law, Flinders University.
[1] (26-28 October 2001) Sydney.
[2] Schauer F ‘Internet privacy and the public-private distinction’ (1998) 38 Jurimetrics 555, 560.
[3] Warren S and Brandeis L ‘The right to privacy’ (1890) 4 Harvard Law Review 193.
[4] Above note 3 at 211.
[5] Above note 3 at 196.
[6] There is some indication from the English courts that this may extend to a broader right to privacy: see Douglas v Hello! Ltd  2 All ER 289. See also the recent Australian High Court case Australian Broadcasting Corp v Lenah Game Meats Pty Ltd  HCA 63.
[7] Or the more limited concept of ‘information relating to personal affairs’.
[8] Colakovski v Australian Telecommunications Corp  FCA 152; (1991) 13 AAR 261 at 270 per Jenkinson J.
[9] Freedom of Information Act 1982 (Cth) s 27(1A).
[10] Re: Evans and Australian Securities and Investment Commission (1999) 54 ALD 171.
[11] Privacy Act 1988 (Cth).
[12] Privacy and Personal Information Protection Act 1998 (NSW); Information Privacy Act 2000 (Vic).
[13] Privacy Amendment (Private Sector) Act 2000 (Cth).
[14] Freidman D ‘Privacy and technology’ in Frankel, Miller, and Jeffrey (eds) The Right to Privacy Cambridge University Press 2000 p186.
[15] This is available at <www.austlii.edu.au>.
[16] Cited in Raethel S ‘Family Court data removed for internet’ 13 May 1996, 5.
[17] Above note 15.
[18] McCall IWP Publicity in Family Law Cases; Report to the Attorney General for the Commonwealth on Proposals for Amendments to the Family Law Act s 121 April 1997 p 53 (tabled in the House of Representatives on 24 June 1997 but not printed). (Copy on file with author).
[19] Above note 18, 54-5.
[20] Above note 18, 60.
[21] This is available at <www.abr.business.gov.au>.
[22] Privacy Act 1988 (Cth) s 6.
[23] See discussion in the following conference papers: Clarke R ‘Privacy and “public registers”’, — Invited Address to the IIR Conference on Data Protection and Privacy, Sydney (12-13 May 1997) (available at <www.anu.edu.au/people/Roger.Clarke/DV/PublicRegisters.html>); Gellman R ‘Public registers and privacy: conflicts with other values and interests’ and Stewart B ‘Five strategies for addressing public register privacy problems’ — papers presented at the Hong Kong Privacy Commissioner for Personal Data 21st International Conference on Privacy and Personal Data Protection (September 1999) which are available at <www.pco.org.hk/english/infocentre/conference.html>.
[24] Office of the Federal Privacy Commissioner The Operation of the Privacy Act Annual Report (1 July 1999 – 30 June 2000) p 5, available at <www.privacy.gov.au>. See also The Federal Privacy Commissioner Submission to the Senate Legal and Constitutional References Committee — Inquiry into Privacy and the Private Sector (July 1998) para 16, available at <www.privacy.gov.au>
[25] Australian House of Representatives Standing Committee on Legal and Constitutional Affairs In Confidence: A Report on the Inquiry into the Protection of Confidential Personal and Commercial Information held by the Commonwealth (June 1995) para 9.6; The Parliament of the Commonwealth of Australia Joint Standing Committee on Electoral Matters User Friendly, Not Abuser Friendly: Report of the Inquiry into the Integrity of the Electoral Roll (May 2001) paras 2.134-2.144 available at <www.aph.gov.au/house/committee/em/ElecRoll/Report.htm>.
[26] See, for example, Information and Privacy Commissioner of British Columbia Investigation P98-011 Report: An Investigation Concerning the Disclosure of Personal Information Through Public Property Registries (March 1998) at <www.oipcbc.org/investigations/reports/invrpt11.html>; NZ Privacy Commissioner Report of the First Periodic Review of the Operation of the Privacy Act 1993 (December 1998) at <www.privacy.org.nz/spubregf.html>; Davies JE and Oppenheim C Study of the Availability and Use of Personal Information in Public Registers: Final Report to the Office of the Data Protection Registrar (September 1999).
[27] Australian House of Representatives Standing Committee on Legal and Constitutional Affairs In Confidence: A Report on the Inquiry into the Protection of Confidential Personal and Commercial Information held by the Commonwealth (June 1995) rec 34.
[28] Privacy and Personal Information Protection Act 1998 (NSW) s 57. See also discussion in Privacy NSW A Guide to Public Registers (1999).
[29] Privacy NSW Local Government and the Privacy and Personal Information Protection Act Issues Paper (January 2000) at <www.lawlink.nsw.gov.au/pc.nsf/pages/localgovernment>.
[30] Office of the Victorian Privacy Commissioner Public Registers and Privacy: Building Permit Data Issues Paper (January 2002) at <www.privacy.vic.gov.au/publications.html>.
[31] Privacy and Personal Information Protection Regulation 2000 (NSW).
[32] However, requests for the whole or a substantial part of a public register may require scrutiny: Privacy Code of Practice for Local Government (June 2000) at <www.agd.nsw.gov.au/pc.nsf/pages/locgovtcode>.