Privacy Law and Policy Reporter
As from 21 December 2002, small business organisations with a turnover of less than $3 million are subject to the Privacy Act 1988 (Cth) if they ‘trade’ in personal information; handle personal health information as a health service provider; contract to the Common-wealth Government, or are ‘related’ ,to a non-exempt larger business.
The Federal Privacy Commissioner has started publishing on his website case notes of finalised complaints that he considers would be of interest to ,the general public. Cases chosen for inclusion in case notes involve new interpretation of the Act or associated legislation, illustrate systemic issues, or illustrate the application of the law to a particular industry. The notes do not identify the parties to the complaint. Identities are kept confidential to maintain the privacy of the parties involved.
The first two case notes concern the adequacy of a privacy statement in relation to the collection of personal information by an insurer, illustrating NPP 1.3 (A v Insurer  ,PrivCmrA 1); and disclosure of personal information in a sample notice provided to employers, illustrating NP 2.1 (B v Private Health Insurer  PrivCmrA 2).
Many private sector health service providers are understandably confused about the privacy rules that apply to them, given overlapping jurisdiction between the federal Privacy Act and the health specific privacy laws in the ACT, Victoria, and NSW (the latter yet to be commenced). Partly in recognition of this confusion, the Australian Health Ministers Advisory Council (AHMAC) has been working on a set of common standards. AHMAC has now published a discussion paper which includes a draft National Health Privacy Code. Disappointingly, the paper does not address the more serious issue of jurisdictional overlap, and this will remain a problem even if agreement can be reached on common principles.
The AHMAC discussion paper is available at <www.health.gov.au/pubs/nhpcode.htm> and submissions have been invited by 18 April 2003.
The Office of the Federal Privacy Commissioner has made significant changes to its draft information paper on collection of publicly available personal information. After two rounds of consultation and a meeting of interested parties in December, the OFPC will release a final version ,of the paper early in 2003.
A related draft paper has been issued on what ‘reasonable steps’ need to ,be taken (under NPP 1.3) to make individuals aware that personal information about them is being collected. Comments on this paper ,were invited by 24 January.
Information about both papers can ,be found at <www.privacy.org.au>.
The Federal Privacy Commissioner conducted an ‘own motion’ investigation into the Department ,of Family and Community Services (DFCS) The Source website.
During April 2002 the Department ran 34 online ‘Win Free Stuff’ competitions which attracted thousands of entries. ,In June 2002 the website editor of The Source was approached and agreed to send marketing emails to the ‘Win Free Stuff’ entrants on behalf of RMIT students who were running a project ,to send spiders into space with NASA.
The OFPC sent two audit staff to conduct a physical audit of The Source website premises and its practices including interviewing the staff and managers involved. The auditors checked the Department’s practices against the Information Privacy Principles (IPP) in the Privacy Act ,and also against the Commissioner’s Guidelines for Federal and ACT Government websites.
The Commissioner found that the Department had breached the Privacy Act (IPP 10.1), but concluded that the breaches have been adequately addressed by the Department and that measures are now in place to prevent similar breaches occurring again. These include:
Source: OFPC Media Release ,2 December 2002 <www.privacy.gov.au>.
Bruce Slane, New Zealand’s first Privacy Commissioner, has been given ,a top award in the New Year Royal Honour’s List. Mr Slane has been made a Distinguished Companion of the New Zealand Order of Merit (DCNZM). Bruce Slane was appointed Privacy Commissioner in 1992 and his term expires in April 2003. The honour also recognises Mr Slane’s other services to personal and human rights and the ,law, particularly as a Human Rights Commissioner 1992-2001 and as a member of the International Bar Association’s Management Committee, one of three persons elected by 180 Bar Associations.
The general trend in the US towards greater governmental surveillance has had at least one positive spin-off for privacy protection. A new statute, the E-Government Act of 2002, passed by Congress in November but still to be signed into law, includes an innovative and potentially far-reaching provision requiring federal government agencies to conduct privacy impact assessments before developing or procuring information technology or initiating any (presumably major) new collections of personally identifiable information.
The E-Government Act also requires agencies to post privacy notices on their websites, detailing agency practices and individual rights. Most agencies already post written privacy notices after the Clinton Administration, required them in an administrative order. The new ,law will take the agencies one step further by requiring ‘machine readable’ notices, such as those specified in the Platform for Privacy Preferences (P3P) standards.
Source: CDT Policy Post Volume 8, Number 25 <www.cdt.org/>.
The US Federal Trade Commission (FTC) has amended the Telemarketing Sales Rule to establish a national ,Do Not Call (DNC) list that will accommodate both internet and toll ,free phone number enrollment. The FTC received more than 64,000 ,public comments on its January 2002 proposal. For the list to operate, Congress will have to approve the levying of charges to the telemarketing industry in order to fund the program. The amended rule also requires telemarketers to transmit caller ID information (so that consumers can identify the caller).
This initiative is part of the FTC’s new privacy agenda announced in October 2001, which calls for a 50 per cent increase in privacy resources, improved privacy complaint handling, more protection for consumers from spam, telemarketing, pretexting and ID theft, and increased enforcement of privacy policies and existing laws ,such as the Fair Credit Reporting Act (FCRA) and the Children’s Online Privacy Protection Act (COPPA). The FTC Chairman concluded, however, that it was ‘too soon’ to recommend broad based online privacy legislation.
The Federal Communications Commission has also been consulting on proposed rulemaking under the Telephone Consumer Protection Act (TCPA), a federal law that regulates telemarketing and fax advertising. The notice requests comments on creating a national DNC list (now superseded by the FTC initiative?), and on regulations for autodialers and prerecorded voice telemarketing.
Source: EPIC — see <www.epic.org/privacy/telemarketing/>.