Privacy Law and Policy Reporter
Compiled by Nigel Waters, Associate Editor
Tasmanian Privacy Law commenced
The Personal Information Protection Act 2004 (Tasmania) came into effect on 5 September 2005. It applies to State government agencies, statutory boards and statutory office holders, government business enterprises (GBEs), Ministers, the University of Tasmania, and all municipal councils, although there are some exemptions such as for courts, tribunals and law enforcement activities. The Minister (for Justice and Industrial Relations) can authorise further exemptions on application. The law requires compliance with a set of principles modelled on the federal National Privacy Principles. Access and amendment principles defer to the existing provisions of the Freedom of Information Act 1991. Complaints about breaches of any of the principles will be handled by the Tasmanian Ombudsman http://www.ombudsman.tas.gov.au/ .
Workplace Surveillance law commences in NSW but Interception law still applies
The NSW Workplace Surveillance Act 2005 commenced on October 7 2005. The Act was proclaimed in the Government Gazette on 17 September. The Workplace Surveillance Regulation 2005 was also gazetted on the same day. The regulation prescribes the form of applications for covert surveillance authorities and the form of the authorities, and provides for reports to the Minister on all such applications and authorities.
The new Act replaces the existing Workplace Video Surveillance Act of 1998, which is now repealed, but also now extends to other forms of surveillance, including of telephone calls and email.
The Commonwealth Attorney-General has brought to the attention of the NSW Attorney General that under the Telecommunications (Interception) Act 1979 (‘the Interception Act’), there is a general prohibition against the recording of a communication passing over a telecommunications system. This includes the interception and recording of emails. If an employer is intercepting incoming or outgoing emails without the knowledge of both the sender and receiver, the employer is likely to be committing an offence under the Interception Act, even if the terms of the Workplace Surveillance Act are being met and even if a covert surveillance authority has been granted by a Magistrate. The Workplace Surveillance Act applies in relation to emails that have ceased to pass over the telecommunications system and are stored, for example, on an employer’s computer server.
Some guidance on the new law is available through http://www.lawlink.nsw.gov.au/lawlink/privacynsw/ll_pnsw.nsf/pages/PNSW_index
Victorian draft workplace privacy law put forward as potential uniform model
The Victorian Attorney-General has taken to the Standing Committee of Attorneys-General (SCAG) the draft Workplace Privacy Bill included in the final report of the Victorian Law Reform Commission, launched in October 2005. SCAG has commissioned further work on the idea of uniform legislation, to be led by the NSW Department. However, the Victorian Attorney, when launching the VLRC Report, indicated that the Victorian Government intended to legislate along the lines of the draft Bill and would not allow inter-jurisdictional discussions to unreasonably delay this.
The VLRC Report concluded that there was a major gap in statutory privacy protection left partly by the exemption of private sector employee records from the Commonwealth Privacy Act and partly by the limitation of privacy laws to information privacy. The VLRC recommends a comprehensive approach to the protection of privacy of all employees, covering not only information privacy but all forms of surveillance, tracking and testing. Comprehensive protection requires rules in relation to the authorisation of surveillance in the first place, whether or not it results in the creation of a record of personal information.
The draft Bill attached to the Report would create a tiered framework of regulation – ranging from merely advisory codes through mandatory codes for certain surveillance activities to complete prohibition of others – such as CCTV monitoring of toilets and change rooms. All permitted surveillance would be subject to general principles, and an independent regulator would monitor and enforce the law. However, unlike the NSW law, covert surveillance would not require a magistrate’s approval, only compliance with a mandatory code to be developed by the regulator.
The VLRC Report and Draft Bill are at www.lawreform.vic.gov.au
Privacy Guidelines for Broadcasters
In August 2005, the Australian Communications and Media Authority (ACMA) published Privacy Guidelines for Broadcasters. The guidelines say that they were developed by ACMA’s predecessor, the Australian Broadcasting Authority (the ABA) in consultation with the broadcasting industry. And that in developing the guidelines, the ABA had regard to past ABA investigations, case law, and consideration by other authorities and media regulators of key issues arising from complaints about media intrusion into privacy. However, there appears to have been no consultation either with the public generally or with consumer representatives, or even with the Privacy Commissioners?
Privacy Commissioners call for universal worldwide privacy protection
Privacy Commissioners from around the world, meeting at the International Conference of Data Protection and Privacy Commissioners in Montreux, Switzerland, have adopted a declaration calling not only for the spread of privacy principles around the world, but also for cooperation with NGOs around the world, for efforts at increasing the sharing of information on international policies, and for intergovernmental organizations (IGOs) to comply with such principles and to appoint privacy officers.
The Montreux Declaration calls for heads of government meeting in Tunis in November for the World Summit on the Information Society to include in their final declaration a commitment to develop or re-inforce a legal framework that ensures the rights to privacy and data protection to all citizens. It also calls on the UN to prepare a legal binding legal instrument which clearly sets out in detail the rights to privacy and data protection as enforceable human rights.
Source: Privacy International Policy Laundering website http://www.policylaundering.org/CommsionerRes.html
Regulations provide for Centrelink Confirmation eService
The Privacy (Private Sector) Amendment Regulations 2005 (No.1) (Select Legislative Instrument 2005 No. 301), made on 15 December 2005 insert a new exception to National Privacy Principle 7.2 (restriction of private sector use of Commonwealth Identifiers) in the Privacy (Private Sector) Regulations 2001. The new exception authorises the use and disclosure by 24 organisations of the Customer Reference Number assigned by Centrelink for the purpose of accessing the Centrelink Confirmation eService in order to determine whether an individual is entitled to receive a concession.
The 24 organisations listed are mostly private sector water, gas or electricity utilities, but also include the St George Bank.
The use and disclosure of the Centrelink Customer Reference Number by each private sector organisation is in each case only for the benefit of the individual concerned. It enables service providers to access Centrelink’s Confirmation eService, with the customer’s consent, and determine a customer’s eligibility to concessional entitlements. This removes the need for customers to go into a Centrelink office to get proof of their eligibility for these concessions. The verification occurs on-line in real time, providing up to date eligibility information.
Source: Explanatory Memorandum at http://www.privacy.gov.au/publications/2005No301es.pdf
Victoria creates new Police data ombudsman in wake of LEAP database breaches
In response to several serious breaches of security of the Law Enforcement Assistance Programme (LEAP) database, maintained by Victoria Police, the State government has enacted special legislation establishing a new ‘watchdog’. The Commissioner for Law Enforcement Data Security Act 2005 creates the position of Commissioner for LEDS, who will be responsible for setting standards, monitoring police compliance, and referring any findings to other relevant bodies, including the Director of Police Integrity and the Privacy Commissioner. While the new LEDS Commissioner appears to have wide powers, the Commissioner of Police can withhold information on a wide range of grounds. The government originally announced its intention to cerate a new body to be responsible for the operation of the LEAP database, but appears to have retreated significantly from this strong initial response to the security breaches. It remains to be seen how well resourced and effective this new watchdog will be.
Meanwhile, the Victorian Privacy Commissioner is conducting a Part 6 investigation into a specific breach of LEAP database security earlier in 2005. The Commissioner announced in December that he expects his report to be ready for tabling in State Parliament in February 2006. (see www.privacy.vic.gov.au )
Major expansion of Financial Transaction Reporting proposed
The federal government has issued for consultation a draft exposure Bill concerning Anti-Money Laundering and Counter-Terrorism Financing. The government argues that a major overhaul of the existing Financial Transaction Reports Act 1988 is required to meet obligations under international standards issued by the Financial Action Task Force on Money Laundering (FATF).
The draft legislation follows a lengthy consultation initiated in early 2004, but mostly only with industry representatives, and represents a ‘first tranche’ of reforms, covering the financial sector. The consultation paper foreshadows a second tranche of reforms to impose obligations on other industry sectors, including real estate agents, jewelers and professionals such as accountants and lawyers performing non-financial services.
Obligations under the new legislation, as under the existing FTRA, include customer identification and reporting, but go significantly further in both respects. Much of the detail of implementation would be contained in AMF/CTF Rules, to be issued by the Australian Transaction Reports and Analysis Centre (AUSTRAC), and draft rules are included in the consultation package.
Submissions are invited by 13 April 2006, and a range of consultation forums will be held in the meantime.
ALRC to conduct major review of Privacy law
On 31 January 2006, the federal government announced a reference to the Australian Law Reform Commission (ALRC) to review existing Commonwealth, State and Territory laws and practices and consider the needs of individuals for privacy protection in light of evolving technology. The ALRC will also examine current and emerging international law in the privacy area and consider community perceptions of privacy and the extent to which it should be protected by legislation.
The ALRC will consult widely, with at least two interim papers, before reporting by 31 March 2008.