Privacy Law and Policy Reporter
Further amendment to Privacy Act
The Federal Government has introduced an additional item into its Privacy Amendment Bill 2003 currently before the Parliament. A new s 27(1)(ha) is proposed to give the Privacy Commissioner the power to carry out audits relating to handling of personal information that falls outside any of the specific jurisdictions in the Privacy Act 1988 (Cth) if they are expressly specified by Regulation. The change is required to authorise the auditing of non-retention of passenger name record (PNR) data agreed by the Government in order to secure an adequacy assessment for the collection of PNR data by Australian Customs from airlines. This is because the IPPs applying to Commonwealth government agencies do not contain a retention/disposal principle equivalent to NPP 4.2.
Source: parliamentary website.
Privacy Act reviews
The Attorney-General’s Department and the Department of Employment and Workplace Relations have issued a joint issues paper on Employee Records Privacy. This is the first public progress with the review of employee privacy protection promised by the Government in late 2000. The paper analyses the current legal protection for employee records and puts forward a range of options including amendments to the Privacy Act and/or Workplace Relations Act 1996 (Cth). Submissions have been invited by 16 April. The paper is at <www.ag.gov.au> under ‘publications’.
The long-promised issues paper on children’s privacy has yet to appear. The last reference to this initiative on the Attorney-General’s Department’s website is a December 2000 fact sheet promising a paper ‘early next year’.
The Attorney-General’s Department revealed to the Senate Estimates Committee in November that the Attorney-General had sent draft terms of reference (ToR) to the Privacy Commissioner and that the Commissioner had raised ‘concerns and issues’ about them, which the Attorney-General was then considering. The Department declined to detail the Commissioner’s concerns, which had been raised orally. It seems likely that the new Attorney-General will consult the new Privacy Commissioner, once appointed, before finalising the ToR, which will mean the review will not commence until later in the year. The Estimates Committee hearing in February was told that interviews were being scheduled in the hope of having a new Commissioner in place when Malcolm Crompton’s term ends on 20 April, but this seems optimistic, and another interim arrangement is more likely.
Privacy Act audits and complaints
Senate Estimates Committee hearings in November 2003 revealed that the Office of the Federal Privacy Commissioner has effectively wound up his audit program due to lack of resources — only three audits will be undertaken in the 2003-04 year, being ones separately funded by the ACT Government (two audits) and by Customs (one). Other Commonwealth agencies, credit providers and credit reference bureaux, and tax file number recipients can therefore safely assume that they will not be subjected to any external scrutiny of their compliance with the Privacy Act other than in the context of specific allegations. While the Commissioner has discretion under the Act to launch an ‘own motion’ investigation, his statements about moving resources to handle the more than 1000 complaints a year suggest that he is unlikely to exercise this option.
Estimates Committee hearings in February 2004 revealed that the Commissioner has received 136 credit related complaints since July 2003, compared to 209 in the whole of 2002-03, and 186 in 2001-02. The OFPC is currently closing 31 per cent of all complaints within 10 days, 58 per cent in 30 days or less, and 73 per cent within 90 days. These figures include cases which are found to be outside jurisdiction, so of substantive complaints a significant proportion are still taking more than three months to resolve.
Widespread flaws in website security
The Federal Privacy Commissioner has highlighted an industry-wide problem, in commenting on a breach of privacy by Melbourne ticketing agency Ticketmaster7. He alleges that many businesses have continued to run websites that allow anybody to view other customers’ personal information by changing numbers in the URL (website address) of their online services.
The Commissioner has publicly cautioned all companies to ensure they are meeting their obligations under the Privacy Act, especially when it comes to their online activities. Two years after they became subject to the new private sector law, he finds there is no longer any excuse for not having privacy built into information technology system redesign and/or upgrades.
The Commissioner found that Ticketmaster7 did breach the federal Privacy Act. However, he commended them on their quick response to the privacy breach. He said he was satisfied with the measures that Ticketmaster7 have put in place since the problem was discovered.
See: <www.privacy.gov.au/news/media/04_01.html>.
Lax email practices endanger privacy
The Federal Commissioner has also found against a large retailer which unintentionally broadcast the email addresses of hundreds of its customers in the ‘copy to’ field of a marketing message. The retailer was found to be in breach of NPP 2 (disclosure), and agreed to either use ‘blind copy’ in future mailings or adopt an alternative method of mailing to a group.
See: <www.privacy.gov.au/act/casenotes/ccn13_03.html>.
Tenancy databases — joint government action
The Federal Privacy Commissioner has welcomed the publication of an issues paper on the operation of residential tenancy databases in Australia. A working party, chaired by the Federal Treasury, includes Commonwealth, State and Territory officials. It will report to the Ministerial Council on Consumer Affairs (MCCA) and the Standing Committee of Attorneys-General (SCAG) on this matter during 2004. Submissions to the Treasury were invited by 24 December 2003. The issues paper is at <www.consumer.gov.au/html/latest_news.htm>. A submission by Privacy NSW is available at <www.lawlink.nsw.gov.au/pc.nsf/pages/p_sub>.
Privacy in Bill of Rights proposal
Greens Federal MP Michael Organ is seeking input to a proposed private member’s Bill to establish a Bill of Rights and Responsibilities in Australian Federal law. Included as art 12(1) is the first part of the text of art 17 of the 1966 International Covenant on Civil and Political Rights (ICCPR), to which Australia is a party. This reads:
No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour or reputation.
Article 12 of the Bill then goes on to set out expressly the parameters of unreasonable search and seizure.
See: <http://www.michaelorgan.org.au/300_issues_sub.php?deptItemID=16>.
NT Information Commissioner launches website
The Northern Territory Information Commissioner, Peter Shoyer, has launched a website, in anticipation of the Information Act taking full effect in July 2004.
US ‘do not call’ registry does not violate the First Amendment
On 17 February 2004, the US Court of Appeals for the Tenth Circuit issued a decision upholding the constitutionality of the national ‘do not call’ registry. The decision overturned two lower court decisions that had found that the law infringed the First Amendment right to free speech.
The do not call registry was established in 2003. It is a list containing the personal telephone numbers of telephone subscribers who have voluntarily indicated that they do not wish to receive unsolicited calls from commercial telemarketers. So far, 50 million phone numbers have been registered. Because consumers have to register for this list, it is often referred to as an ‘opt in’ telemarketing regulation. Commercial telemarketers are prohibited from calling numbers on the list and they have to pay an annual fee to access the registry. The rules apply to sellers of goods and services and not to charitable or political fundraising calls. The Court specifically indicated that it was leaving open the question of whether a rule applying to political and charitable calls would be permitted.
See: Laws of .com Volume II, Issue 5: 4 March 2004.
Privacy legislation in the Philippines
The Philippines Information Technology and Electronic Commerce Council (ITECC) is drafting a Bill on data protection and privacy. The Bill will build on various international instruments, including the Organisation for Economic Co-operation and Development (OECD) Guidelines; the EU Data Protection Directive; the Asia-Pacific Economic Co-operation (APEC) Data Privacy Framework and ASEM Guidelines.
See: IT Matters, Manila, 13 October 2003, <http://itmatters.com.ph/news/news_10132003a.html>.