Privacy Law and Policy Reporter
The Northern Territory Assembly passed the Government’s Information Bill on 8 October after a lengthy ,debate. Following a period of public consultation earlier this year, the Government had introduced a revised Bill into the Assembly in August.
The Bill still covers the three ,related areas of privacy of personal information, freedom of information and archives/records management. ,The privacy part of the Bill includes principles for the NT public sector based on the Commonwealth NPPs, ,a right of complaint about breaches for individuals, and complaint handling, audit and code making powers for the proposed Information Commissioner.
Source: National Territory Government media release 8 October 2001.
The federal Privacy Commissioner has made two public interest determinations allowing the collection of family medical histories without consent in the course of normal health consultations. They have been tabled in Parliament and will take effect after ,15 sitting days unless disallowed.
One determination (No 9) is in favour of the applicant, ACHA Health, while the other (No 9a) generalises the same ‘waiver’ from compliance with NPP10.1. Any health service provider may now collect health information from a health consumer about a third party without the consent of the third party when both of the following circumstances are met:
The other NPPs continue to apply. The determinations, issued on 15 October, replace substantially similar temporary determinations already in force, and will have effect for five years.
[Associate Editor: Interestingly, the Commissioner found that it was not necessary to grant a waiver from NP 1.5, which arguably requires steps ,to ensure that the third parties are notified about the collection. The Commissioner relies on the fact that NPP 1.5 only requires ‘reasonable steps’, and concludes that in the case of family medical history collection, ,it will not normally be reasonable ,to require notification. This is ,an important decision by the Commissioner as it sets a precedent for a generous ‘pro-business’ interpretation of the ‘reasonable steps’ wording that appears in several of the principles. The Commissioner has accepted inconvenience, cost and disruption to established practices ,as reasons for not requiring strict observance of measures that would ,in some cases be practicable, in circumstances where individuals ,might generally expect their information to be collected.]
The federal Privacy Commissioner has issued Information Sheet 16-2002, ‘Application of key NPPs to due diligence and completion when buying and selling a business’. ,The advice is set out in terms of obligations on both vendors and purchasers, both prospective and actual.
The advice, in summary, is that some disclosure of personal information may be unavoidable in the course of due diligence processes, but that every effort should be made to limit the amount of such information to which access is given, and in what form, with strict conditions on its use only for the immediate purpose.
The advice reminds organisations that they can only disclose in accordance with NPP 2. However, the Commissioner suggests that ‘[i]n most cases, the vendor organisation’s disclosure would be directly related ,to the primary purpose of collecting the information and within the individual’s reasonable expectations’. To get round the requirement for consent to collect sensitive information, the Commissioner suggests that either the prospective purchaser reviews any such information without recording it, ,or that it is de-identified first.
The advice also discusses the transfer of personal information ,upon a completed sale of a business. It accepts that if the sale is of a ,going concern, such transfer will normally be a related purpose within reasonable expectations. By contrast, where a business is not sold as a going concern, or the purchaser organisation contemplates significant changes to the character or operations of the business, the vendor organis-ation will need to give very close consideration to the question of whether a proposed disclosure is permitted under NPP 2.1.
The Ministerial Council on Consumer Affairs is reviewing its Direct Marketing Model Code of Practice. A period of public consultation on a discussion paper closed on 11 October. Privacy Victoria has made a public submission calling for an opt-in regime for spam. l
Source: <www.privacy.vic.gov.au/whats_new.html>. See also <www.consumer.gov.au/html/direct_marketing/,index.html>.
The Joint Parliamentary Committee of Public Accounts and Audit is holding an inquiry into the security and accuracy of electronic information used by federal government agencies — including taxpayer records, electoral roll information and social security details. No details of timing or hearings have yet been announced but the terms of reference are available.
Source: The Australian, 29 October 2002. See also <www.aph.gov.au/house/committee/jpaa/>.
The World Anti-Doping Agency (WADA) is in the midst of a major international consultation on a proposed World Anti-Doping Code. It will mandate and regulate testing and disciplinary practices affecting elite level athletes and, to a degree, all people participating in competitive sports. Australia and New Zealand will likely have to amend their respective sports drug testing laws to comply. Drug testing is an intrusive process and there are a host of privacy issues involved in the reliability of testing results and the disclosure of results, particularly before available challenges are complete. Some aspects of the code have been controversial in earlier versions, including the roles of governments and the limitation of appeals to a Lausanne Tribunal subject to Swiss law. The current e-version 2.0 is available at <www.wada-ama.org> and is open for submission until 10 December 2002. One matter of interest is the proposed new requirement for athletes identified for out-of-competition testing to keep national organisations continually apprised of their whereabouts and for this information to be shared internationally. Another is the intriguing reference to controlling ‘genetic transfer technology’.
Source: Blair Stewart, New Zealand.
The EU’s Article 29 Working Party issued an opinion in October 2002 on the adequacy of Argentina’s data protection law. The Working Party took into account not only the Personal Data Protection Act of 2000 (Act 25.326) and its implementing Regulation (Decree No 1558/2001), but also the ‘habeas data’ provision in the Constitution (art 43.3, which guarantees a right of access and correction of personal data). The Working Party concludes that within the areas covered, Argentinean law provides an adequate level of privacy protection in the context of art 25 of the General Data Protection Directive 95/46.
While the EU processes require further opinions from the Article 31 Committee of government representatives, and from the Parliament, the qualified approval of the Article 29 Committee should ensure a formal Commission decision soon to add Argentina to the adequacy list — currently comprising the Hungarian, Swiss and Canadian laws and the ,US Safe Harbor scheme. l
The Article 29 Working Party has ,also issued a working document on ‘blacklists’ in which it analyses the common characteristics of a range of official and unofficial databases which are designed to have an adverse or prejudicial effect on individuals whose details are entered on them, based on various criteria. The paper notes that blacklists in relation to indebtedness, fraud and criminal records are common to most member states and are typically officially sanctioned (or operated) and regulated. Other types of blacklist contain details of such things as administrative offences, professional misconduct and employment history and are typically less strictly regulated.
The Working Party notes that blacklists are generally subject to the requirements of data protection laws pursuant to Directive 95/46, and recommends the use of harmonized ,and objective criteria for blacklists, for greater transparency, and for a range of procedural safeguards and rights.
The Article 29 Working Party has raised an alarm in relation to the requirements imposed on international airlines by US authorities to report extensive personal information about airlines passengers, pursuant to US legislation passed in response to terrorist actions and threats (Advanced Passenger Information System). These reporting requirements can in some cases include information about passengers who are not even travelling to or through the US.
In Opinion 6/2002, the Working ,Party finds some of the requirements incompatible with obligations on European airlines under legislation implementing the general Data Protection Directive 95/46. Amongst other issues, the Working Party sees the US requirements as leading to disproportionate routine transfers of personal information, with inadequate guarantees as to subsequent uses of that information. It recommends negotiations between the Commission ,and the US Government to try to resolve these issues.
Fines defaulters could find themselves being stopped from leaving the country under a NZ government initiative to enforce fines at international airports.
Courts Minister Margaret Wilson said the Courts Department and Customs Service would be able to compare their database to intercept ‘hard core’ fines defaulters under proposed legislation.
This initiative will allow courts to apply a proactive focus to preventing serious fines defaulters leaving the country, according to the Minister. It is believed the initiative could lead to an extra $1.5 million of fines a year being paid.
The Privacy Act, Customs and Excise Act, Immigration Act and the Summary Proceedings Act would have to be amended to enforce the initiative, with the necessary amendments included in the Courts and Criminal Matters Bill.
Source: NZPA 1 November 2002 <www.nzpa.co.nz>.
The Victorian Law Reform Commission (VLRC) has invited public submissions in response to its Issues Paper Workplace Privacy and the accompanying Occasional Paper Defining Privacy, both issued in November 2002. The Issues Paper has information about the current law and the options for regulation. Both papers are available from the Commission — see <www.privacy.vic.gov.au>.
The VLRC has asked for submissions by 23 January 2003.