Submission

22 December 2004

Review of the Private Sector Provisions of the C'th Privacy Act 1988

This is a submission in response to the Issues Paper issued by the Office of the Federal Privacy Commissioner (OFPC) in October 2004.

Contents:

  1. Executive Summary
  2. Introduction
  3. Community Confidence and the Online Environment
  4. Inconsistencies between Legislation
    1. Telecommunications Act 1997 - Part 13
    2. Spam Act 2003
  5. Small Business Exemption
  6. Related Bodies Corporate Exemption
  7. Contractors
  8. Inadequate Definition of "Personal Information"
  9. Primary and Secondary Purposes of Collection
  10. Bundled "Consent" and NPP 1.3 Notices
  11. Data Quality claimed as justification for Bundled "Consent"
  12. Use & Disclosure by Secondary Collectors
  13. Collection of Unlawfully Disclosed Personal Information
  14. Definition of Direct / Indirect Collection
  15. Anonymity
  16. Transborder Data Flows
  17. Direct Marketing Exemption
    1. Primary Purpose of Direct Marketing
    2. Secondary Purpose of Direct Marketing
  18. Enforcement Issues
  19. Conclusion
    References
    About EFA

1. Executive Summary

  1. The Privacy Act 1988 as amended fails to adequately protect and enforce individual privacy, creates a confusing regulatory environment and needs to be replaced.

  2. Low community confidence in internet companies is justified and stems not from a lack of awareness of privacy rights, but rather from a lack of rights and lack of enforcement.  This requires strengthening and clarification of privacy laws rather than misleading attempts to encourage community confidence in the current weak framework.

  3. Information about internet users and their online behaviours is currently being used and disclosed in ways that consumers are unlikely to have consented to or even be aware of.

  4. There is an inconsistency between s289 of the Telecommunications Act 1997 and NPP 2.1 of the Privacy Act 1988, resulting in less privacy protection in respect of businesses in the telecommunications sector.

  5. As interpreted by the Australian Communications Authority, the s291 exemption in the Telecommunications Act 1997 is vastly less privacy protective than the Privacy Act 1988. The legislation should be amended to provide at least equivalent protection to that of NPP 2.

  6. The s290 exception in the Telecommunications Act 1997 results in inadequate protection for personal information about third parties referred to in a communication. The exception should be amended to ensure that telecommunications businesses cannot disclose personal information about third parties based on an assumption that other persons (the sender and recipient) would have consented.

  7. The Privacy Act 1988 needs to be amended to make clear that NPP 2.1 does not authorise use or disclosure that would otherwise be in breach of the Telecommunications Act 1997. Alternatively, s280 of the Telecommunications Act 1997 needs to be amended to state that s280(1)(b) does not authorise uses or disclosures that are authorised by NPP 2.1 of the Privacy Act 1988.

  8. The small business exemption should be deleted from the Privacy Act 1988.

  9. The related bodies corporate exemption should be deleted from the Privacy Act 1988.

  10. The privacy principles applicable to government agencies and private sector organisations should be harmonised to provide the highest level of privacy protection from each of the two existing regimes.

  11. The Privacy Act 1988 should be amended to place obligations on organisations that engage contractors to ensure the contractor only uses and/or discloses the personal information given to them for the purposes for which it is given and keep it secure, etc.

  12. A broader definition of "personal information" must be embraced in order to adequately protect individuals' privacy in the electronic information age. The current focus on identification as the basis for privacy protection is inadequate. Identifiers such as an Internet user's machine ID, IP address, user ID, email address, passwords, etc. must be clearly incorporated within "personal information" protected by the Privacy Act and the Principles.

  13. NPP 2.1 should be amended to regulate use and disclosure of information collected for the primary purpose of collection as there is no legitimate reason for NPP 2 to apply only to use and disclosure for secondary purposes. Organisations should not be able to use personal information for either primary or secondary purposes unless the individual concerned would reasonably expect the organisation to use or disclose the information for the purpose or has consented to the use or disclosure for that purpose.

  14. The common organisational practices of requiring bundled "consent" and providing NPP 1.3 information in privacy policies that are changeable without notice are undermining the objectives of the Privacy Act 1988. Amendments should be made to ensure that when information contained in NPP 1.3 and 1.5 notices concerning use and disclosure is not sufficiently specific to enable the individual to give free and informed consent, NPP 2.1(a) cannot be relied on to use or disclose the individual's personal information.

  15. Amendments should be made to ensure that privacy policies containing NPP 1.3 and 1.5 information must include the date of issue and information on changes made since the prior version. Further, any changes to NPP 1.3 and 1.5 information involving new uses or disclosure should not apply to previously collected personal information unless the organisation has directly notified the individual concerned of the changes and provided an easy to take up opportunity to opt-out of such new uses and disclosures or to terminate their relationship with the organisation without detriment.

  16. NPP 3 relating to data quality should be clarified so that it cannot be used as an excuse for using bundled consents.

  17. NPP 2 should be amended to explicitly place restrictions on use and disclosure by secondary collectors, that is, organisations that have collected personal information from another organisation.

  18. The NPPs must be amended to ensure that knowingly collecting unlawfully disclosed information is prohibited.

  19. The NPPs must be amended so that awareness by the collecting organisation that the personal information may have been unlawfully disclosed is a relevant consideration in deciding whether collection has been by fair means.

  20. The NPPs must be amended to require organisations to destroy information that has been unlawfully disclosed to them once that organisation becomes aware of the unlawful disclosure.

  21. NPP 1 should be amended to specifically require that collection be for a lawful purpose, as NPP 1.2 currently only requires that the means of collection be lawful.

  22. NPP 1.4 should be amended to clarify that the phrase "only from that individual" refers to the relationship and not the communications chain. It must refer to collection not only directly from an individual but also indirectly from an individual, that is, from a third party when an individual has expressly consented to that third party passing on information from that individual - otherwise all sorts of legitimate contemporary transactions would be prohibited.

  23. NPP 8 needs to be amended to clarify that the anonymity obligation is to wherever possible (lawful and practicable) facilitate anonymous transactions, including with other organisations.

  24. NPP 9 may not effectively protect individuals' personal information.  The NPPs should be amended to ensure that individuals' privacy is adequately protected where information is to be sent to a foreign country or customers will have to deal with a customer support centre located overseas.

  25. The NPP 2.1(c) exception permitting secondary use of personal information for direct marketing without consent is unacceptable and must be replaced with an "opt-in" provision that permits the use of personal information for direct marketing purposes only by specific prior consent. NPP 2.1(c)(i) is currently inconsistent with the Spam Act 2003 in that it permits sending of such messages without consent, contrary to the Spam Act.

  26. The Privacy Act 1988 should contain enforcement mechanisms that persuade compliance from both big business and small business.  The Commissioner should be given additional powers, particularly in respect of obtaining enforceable undertakings, issuing binding codes, enforcing compliance where a breach has been found as a result of his or her 'own motion' investigation and proactively auditing private sector compliance (and adequate funding to exercise the additional powers).

  27. Complainants and organisations should have the right to appeal against the Commissioner's determination to the Administrative Appeals Tribunal to have the matter heard afresh.

  28. Additional funding should be provided to the OFPC to enable dealing with complaints promptly, and without needing to remove staff from other important areas such as policy and auditing of government agencies as has reportedly occurred.



2. Introduction

1. In 2000 EFA informed two Parliamentary inquiries that EFA did not support the Privacy Amendment (Private Sector) Bill 2000, in the form proposed, because the Bill contained too many exemptions and exceptions and failed to come to grips with consumer privacy needs in the 21st century. The Bill was at best a token attempt to introduce privacy legislation.

2. Among many other things, we remarked that the definition of "personal information" is inadequate in context of the electronic environment; that the exemption for small business would introduce a confusing and complex regulatory environment that fails to protect consumers from privacy invasive practices; and that enforcement provisions are inadequate.

3. Our experience since the private sector provisions commenced has shown that our concerns were well founded.

4. Instead of empowering individuals to exercise their right to privacy of personal data, the private sector provisions have conferred on business interests the right to invade individual privacy.

5. We had hoped that NPP Guidelines to be issued by the Privacy Commissioner would assist towards clarifying the complex, unwieldy and ambiguous nature of the NPPs and we were generally supportive of the draft guidelines issued for public consultation. However, subsequently the draft guidelines were gutted after heavy lobbying by big business.

6. In the absence of comprehensive guidelines, there is no impediment whatsoever to some businesses and regulators interpreting the NPPs in the least privacy protective way possible. In our view some interpretations being used are contrary to the intent and objectives of the legislation and contrary to what many individuals would expect from reading the NPPs.

7. In 2000 we considered the private sector provisions needed to be re-drafted, preferably as a replacement for, rather than an amendment to, the Privacy Act 1988 [1].

8. We remain of the view that the Privacy Act 1988 as amended needs to be replaced with a new Act that makes a genuine attempt to protect individuals' privacy.

9. In the remainder of this submission, we comment on a number of aspects of particular concern. However, we stress that we do not believe that patching the existing legislation will result in adequate privacy protection.

10. Furthermore, a lack of comment on any particular issue in this submission should not necessarily be taken to mean that EFA has no concerns in that regard. There are too many problems with the provisions of the legislation to document them all herein. Also, it is apparent from the Issues Paper that OFPC is already aware of many of the problems and we would be happy to advise our view concerning any particular issue not mentioned herein on request from OFPC.



3. Community Confidence and the Online Environment

11. We note the findings of the OFPC's recent research showing that:

"Individuals' trust is lowest of all in internet companies (9%). These were intended to particularly benefit from the introduction of the private sector provisions. Trust in internet companies appears to remain unchanged since 2001. Six in ten respondents to the Office's 2004 survey have more concerns about the security of their personal details than usual when using the internet and this level of concern has risen since the 2001 study." (OFPC Issues Paper, p26 [2])

12. We find the results of the OFPC research concerning lack of trust in the online environment not only completely unsurprising but also justified.

13. The Issues Paper (p27) goes on to suggest that the lack of confidence may be due to "a lack of awareness about privacy rights [that] has prevented people from developing a clear and concrete sense of confidence that their privacy rights are protected" and seeks suggestions concerning ways that the OFPC, or others, can encourage community confidence that privacy rights are protected online.

14. EFA considers that any attempt by the OFPC or others to encourage the community to believe that their privacy "rights" are protected online would be highly misleading at best. The fact is that, under existing Australian law, individuals have almost no privacy "rights" in the online environment and even the few rights they allegedly have are not protected adequately and are difficult, sometimes impossible, to have enforced. The lack of rights arises from a combination of factors, including but not limited to, uncertainty regarding the definition of "personal information"; no requirement to obtain consent before collecting personal information; use of bundled "consents" including to disclose information to unspecified "partners"; the small business exemption; and/or technological developments.

15. Before the private sector provisions commenced, it was no secret that Internet companies have access to huge amounts of personal information. For example, as pointed out in May 2000 by the then General Manager of OzEmail ISP in a paper presented to an IIR Privacy Law Conference:

"...And here's the somewhat scary bit. We [OzEmail] have the username and password for every one of our users; we have their credit card details, we have a lot of information about their liquidity, we can know about every purchase they make online, with whom, when and for how much. We can know every site they visit on the web - every page, every newsgroup, every picture they look at. We could read all of their mail and know all about their romances and the jobs they're applying for.

The commercial opportunities arising from this are endless, of course. We could watch what each of our customers does, and then just pop them a quick email that says, 'Oh - we see that you just bought a nice new pair of brown boots. One of our other merchants just happens to have a special on black socks - just follow this link.' Or 'We see that you've been looking at dirty pictures tonight - in fact the sixth and 10th pictures you looked at were over the top and you're busted.' In short there's not much we couldn't find out about the online life of our customers - and remember, in a few years our customer base will represent a sizeable chunk of the Australian population. A chunk about the size of NSW for example. This is becoming irresistible to both marketers and governments, who often share the view that they have a God given right to access private information about the general public.

Then, of course, we could go in for a bit of datamatching, where we instruct our databases to match names, products and addresses with other databases. String three or four conditions together in a query which trawls two or three databases and you get amazing pinpoint clarity. The accuracy of this kind of targeting truly provides the so called 'market of one'. And the nature of the net means that the marginal cost of marketing to the next market of one is effectively zero.

And right now in Australia there is almost nothing to stop us from doing this."
(OzEmail - an ISP's approach to privacy, Privacy Law and Policy Reporter 26, 2000 [3])

16. It has since become apparent that some ISPs are covertly disclosing information about their users' online activities to, for example, market analysts/researchers.

17. Media reports about the activities of market analysts/researchers give rise to serious questions concerning how, and the extent to which, online users' activities are being monitored and tracked. For example:

  • Online research a wise hit, by Louise Hattam, Herald Sun Melbourne (Business, p25), 19 Jul 2004 [4]:
    "Each day, Hitwise monitors more than 25 million home, work and educational internet users worldwide. ...
    The company was the first in Australia to obtain its information from internet service providers, rather than the conventional survey methods of market research companies. ...
    'Hitwise gathers information from partner ISP networks and other data sources,' Mr Walsh [Hitwise CEO] said. ...
    The reports [also] show where users have been immediately before and after visiting a site. ..."

  • Bright future for online banking, by Adrian Giles [founder and director of Hitwise], WebHead Magazine, ZDNet Australia, 26 Sep 2001 [5]:
    "...Who visits Internet banking sites?
    According to Hitwise demographic data, 57 percent of visitors are men, slightly up on the overall average of 55 percent for all sites. While 18-24 year-olds account for 23 percent of all Internet traffic measured by Hitwise, they supply just 13 percent of traffic to Internet banking sites, showing that younger Australians use the Internet more for education and entertainment purposes than they do for paying bills and accessing their banking details. Online banking is particularly popular with the 25-34 age group, who supply 33 percent of visits to Internet banking sites. ...
    Adrian Giles is a founder and director of Hitwise."

  • Heavyweights back Sinewave, by Jane Schulze, The Age (Business, p5), 13 Jul 2000 [6]:
    "...Mr Barlow said Hitwise differed from competitors by measuring traffic passing through about 45 local Internet service providers ... 'Our product is plug-in-and-play, highly transportable and very scaleable,' he said. ..."

18. Individuals with a basic understanding of how the Internet works would know that market analysts/researchers cannot know how many individual visits are made to any particular web page, nor where they were visiting before or after, without access to the IP address of the computer used by the Internet user.

19. Many users would also know that the IP address can be used to identify some individuals.

20. Concerned individuals, on visiting the Hitwise website, would have found it readily apparent that Hitwise uses IP addresses recorded in ISP proxy server logs which are made available to Hitwise by some ISPs, which Hitwise refers to as "partners". For example:

  • "The Hitwise service provides clients with an indication of the relative popularity of websites, based on the measurement of visits, visit duration or page downloads from a range of geographically diverse ISP networks. The [ISP] proxy server records requests for web pages made by the ISP's users. Hitwise then analyses these proxy server records daily, to produce website rankings across more than 150 subject categories."
    ("About Hitwise Australia" page, as at 16 Dec 2004 [7])

  • "Most IP addresses analysed by Hitwise are unique to an individual and are not serving more than one visitor.
    ...
    Hitwise has developed proprietary software that can analyse a range of usage logs from ISPs or via the opt-in mega panel. These usage logs can be created in three unique ways.
    1. Via proprietary client based tracking systems, or
    2. Via proxy servers, or
    3. Via Hitwise's proprietary 'packet sniffing' hardware technology that extracts the usage data directly from an ISPs network creating a real-time log of all user activity. ..."
    (Hitwise Methodology FAQ, as at 2 Dec 2004 [8])

21. Visitors to the Hitwise website would also be given the understanding that the Privacy Act 1988 does not protect them from having their online activities monitored and/or tracked by Hitwise, nor prevent Hitwise from disclosing information about them to other organisations:

Hitwise Privacy Statement, as at 16 Dec 2004 [9]:
"...Legal nature of this Privacy Statement
...Hitwise will act to ensure it complies with the privacy principles contained in this statement, but is not legally bound to enforce these principles under Australian law."

22. Some individuals may conclude from the above that Hitwise is a small business exempt from compliance with the PA, while others who have read media reports stating that Hitwise had a turnover of $20 million in 2004 (Herald Sun, 19 July 2004 [4]) may wonder whether or not Hitwise is required to comply with the PA.

23. We consider it highly unlikely that community trust in Internet companies, and confidence that privacy "rights" are being protected, will increase while disclosure and collection practices such as the above continue without the prior express consent of the subject individuals.

24. If the collection and disclosure activities referred to above are not currently prohibited by Australian law, then in our view the law needs to be changed. If ISPs are currently prohibited from using and/or disclosing the information without consent, or Hitwise is prohibited from collecting and/or using the information without consent, the most effective and appropriate means of increasing community confidence would be for regulators to enforce the law.



4. Inconsistencies between Legislation

4.1 Telecommunications Act 1997 - Part 13

25. As noted in the Issues Paper, another regulatory mechanism which includes personal data protection obligations on organisations is Part 13 of the Telecommunications Act 1997. In this section we respond to the invitation in the Issues Paper to provide information regarding "areas where the private sector provisions overlap with another law..., and whether this overlap creates issues requiring resolution" and "any areas where the interactions between...other statutory law and the private sector provisions are unclear".

26. The Telecommunications Act 1997 [10] ("the TA") contains a number of exceptions to the Part 13 privacy protections that are inconsistent with the Privacy Act 1988 ("the PA") without justifiable reason. Furthermore, exceptions to the privacy provisions of the TA are now being used in ways that are most unlikely to have been intended by the Parliament when originally enacting them in the very early 1990s to facilitate the introduction of competition in the telephone call services market. Subsequently, new telecommunications-based services and technologies together with a much larger range of service providers have resulted in uses and disclosures of personal information that are unlikely to have been envisaged by the Parliament over a decade ago.

27. In addition, several events associated with the commencement of the private sector provisions of the PA have resulted in circumstances where individuals have fewer privacy rights (including fewer than previously) in relation to collection, use and disclosure of personal information by members of the telecommunications industry. Those events include:

  • insertion of then new Section 303B into the TA which states that exceptions to the Part 13 privacy protections of the TA are taken to be "authorised by law" for the purposes of the PA;

  • de-registration by the Australian Communications Authority ("ACommA") on 21 December 2001 of the previously enforceable [11] ACIF Industry Code-Protection of Personal Information of Customers of Telecommunications Providers [12]. The Code expanded on the privacy protections of Part 13 of the TA and had been enforceable since 1 May 2000. As stated in the Code:
    "Part 6 of the [Telecommunications] Act sets out the intention of the Commonwealth Parliament that bodies and associations that represent sections of the telecommunications industry should develop codes of practice relating to the telecommunications activities of those bodies and lists key privacy issues as examples of areas where codes may be developed. One area expressly mentioned is the protection of personal information. [113(3)(f) "privacy and, in particular: (i) the protection of personal information;"] ... This Code complements the privacy protection in the Act, and also addresses matters which are not dealt with in Part 13, such as how information should be collected, stored and handled, and how consent and reasonable awareness are to be determined."
  • apparent failure to pay due regard, prior to de-registering that Code, to the fact that small businesses, including those in the telecommunications industry, are not required to comply with the PA.

28. It should be remembered that the exceptions to the privacy protections of the TA apply not only to large telecommunications service providers such as telephone call companies, but also to small businesses including Internet Service Providers; resellers of carrier and/or ISP services; carriage service "intermediaries"; and telecommunications contractors (s271).

29. We discuss below provisions of the TA that now in effect authorise breach of the NPPs, although prior to the 2001 Privacy Act amendments the breadth of these exceptions in the TA was limited by a registered and enforceable industry code which was substantially the same as the NPPs.

Consent, knowledge, awareness, reasonable expectations

30. This section discusses the following provisions of the TA and PA:

TA: 289 Knowledge or consent of person concerned
Division 2 does not prohibit a disclosure or use by a person of information or a document if:
(a) the information or document relates to the affairs or personal particulars (including any unlisted telephone number or any address) of another person; and
(b) the other person:
(i) is reasonably likely to have been aware or made aware that information or a document of that kind is usually disclosed, or used, as the case requires, in the circumstances concerned; or
(ii) has consented to the disclosure, or use, as the case requires, in the circumstances concerned.

PA NPP: 2.1 An organisation must not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless:

(a) both of the following apply:
(i) the secondary purpose is related to the primary purpose of collection and, if the personal information is sensitive information, directly related to the primary purpose of collection;
(ii) the individual would reasonably expect the organisation to use or disclose the information for the secondary purpose; or
(b) the individual has consented to the use or disclosure; or

31. During a November 2004 meeting convened by the OFPC at the Melbourne office of the Australian Communications Authority ("ACommA"), a representative of a large telecommunications service provider expressed the view that there is little difference between s289 of the TA and NPP 2.1 of the PA, that is, that they are not inconsistent. We disagree with that view as discussed below.

32. In the case of use or disclosure for the primary purpose of collection, the TA (s289) is more protective than the PA (NPP 2). The TA restricts use or disclosure for the primary purpose to circumstances of which the individual is "reasonably likely to have been aware" or has consented. In contrast, NPP 2 does not restrict use or disclosure for the primary purpose at all.

33. However, in the case of use or disclosure for a secondary purpose of collection, the TA is significantly less protective than the PA.

34. NPP 2.1 prohibits use or disclosure unless both "the secondary purpose is related to the primary purpose of collection" (and directly related if sensitive information) and "the individual would reasonably expect the organisation to use or disclose the information for the secondary purpose" (or has consented).

35. In contrast, the TA (s289) authorises use and disclosure when the individual is merely "reasonably likely to have been aware" that the information is usually disclosed or used for the secondary purpose/s (or has consented). Hence, it appears that businesses in the telecommunications sector can merely notify individuals they use and disclose personal information (including sensitive information) for numerous stated secondary purposes (including purposes unrelated to the primary purpose and that the individual would not reasonably expect), thereby making it "reasonably likely" that the individual has been "made aware". Further, there is no requirement that the individual actually be "made aware", nor that they were "reasonably likely to have been aware" before their personal information was collected.

36. As has previously been pointed out by the OFPC:

"Expectation is more than awareness. Telling an individual in NPP 1.3 information or by some other method about the proposed secondary use or disclosure is not necessarily enough to create a reasonable expectation although it may help."
and
"In applying NPP 2.1(a) the Commissioner suggests that it may help an organisation if it considers whether a reasonable individual in the circumstances, if asked, would have agreed to the proposed use or disclosure."
(Consultation paper on the draft National Privacy Principle Guidelines [13] issued by the Office of the Federal Privacy Commissioner, 7 May 2001)

37. Moreover, that NPP 2.1(a) requires more than an individual being "reasonably likely to have been aware" (s289 of TA) is made plain in the PA Explanatory Memorandum (2000) which states:

"The 'reasonable expectations' test would be applied from the point of view of the person in the street, that is, an organisation should be able to use or disclose personal information in ways in which a person with no special knowledge of the industry or activity involved, would expect. For example, if a person has several different types of contact with one bank, he or she could expect the information about themselves to be shared within that bank. If the banking group also ran a health insurance business, the individual would not expect their health claims record to be matched with banking information."

38. EFA submits that either the PA or TA must be amended to require businesses in the telecommunications sector to comply with NPP 2.1(a) in relation to use and disclosure for secondary purposes, that is, so that TA s289 ceases to authorise breach of NPP 2.1(a). In so doing, the long existing protection of the TA in relation to use and disclosure for the primary purpose must not be removed or made any weaker.

Unnecessary collection, use and/or disclosure without consent

39. This section discusses the following provisions of the TA:

TA: 291 Business needs of other carriers or service providers
(1) Section 276 does not prohibit a disclosure or use by a person of information or a document if:
(a) the disclosure or use is made by or on behalf of:
(i) a carrier (the first carrier); or
(ii) a carriage service provider (the first provider); and
(b) the disclosure or use is made for a purpose of, or is connected with, any other carrier or service provider carrying on its business as such a carrier or provider; and
(c) the information or document relates to a person (the third person) who is a customer or former customer of:
(i) the first carrier or the first provider; or
(ii) the other carrier or the other provider; and
(d) the disclosure or use is made for a purpose of, or is connected with:
(i) the supply, or proposed supply, by the other carrier or other provider to the third person of a carriage service or a content service; or
(ii) the supply, or proposed supply, by the other carrier or other provider to the third person of goods or services for use in connection with the supply of a carriage service or a content service; or
(iii) the installation, maintenance, operation or provision of access to a telecommunications network or a facility, where the network or facility is used, or for use, by the other carrier or the other provider to supply a carriage service or a content service to the third person.

291(2) and (3) [contain similar exceptions to 291(1) above concerning intermediaries, resellers, contractors etc]


40. The s291 exemption in the TA is vastly less privacy protective than the PA, if the interpretation of the law being used by some telecommunications service providers and the Australian Communications Authority ("ACommA") is correct. Whether or not their interpretation is correct (and we believe it is not), the law should be clarified to provide at least equivalent protection to that of NPP 2.

41. According to the opinion of the ACommA included in a complaint decision issued in August 2004, s291 authorises businesses in the telecommunications sector to:

  • use and disclose personal information without the subject individual even being "made aware" including:
    • use and disclose personal information about individuals who are former customers of the disclosing business, including when that business has collected the personal information from a third party many years after the individual ceased to be a customer of that business
    • disclose personal information about individuals who are not customers of the business to which it is disclosed and who have no wish to become a customer of that business (e.g. disclosure to another business for the recipient business's direct marketing purposes)
    • disclose personal information that is not necessary for one of the recipient business's functions or activities. According to the ACommA's decision, the s291 exception does not involve a needs test, notwithstanding that the intent of the exception is plain in the section title "Business needs of other carriers or service providers".

42. We believe the ACommA's opinion is wrong because among other things their analysis failed to take into account the fourth element of s291 which must be satisfied for the s291 exemption to apply. More detailed information on this matter has been provided to the OFPC in a representative complaint [14] (OFPC Reference C6951).

43. Irrespective of the correct interpretation, it is a fact that some telecommunications service providers are relying on s291 to use and disclose personal information in circumstances that would otherwise be in breach of NPP 2 and that are very unlikely to have been intended by the Parliament in enacting s291 of the TA. Such use and disclosure is also contrary to previous interpretations of s291 made publicly available by the ACommA and TIO, for example:

  • Previously ACommA registered ACIF Industry Code-Protection of Personal Information of Customers of Telecommunications Providers (p18)
       "...section 291 of the Act...allows uses for the business needs of other carriers or service providers (which would generally be accompanied by a disclosure...) that are associated with providing a service to the person who is the subject of the information or document. This provision is designed to allow uses/disclosures which are 'triggered' by some action or request by a customer such as dialling an access Code to make use of another carrier." (emphasis added)

    (Notably, in relation to the complaint referred to earlier herein, Telstra commenced disclosing personal information in circumstances other than the above three months after the Code was de-registered. The relevant Telstra service had operated without such disclosures since November 2000, at which time the Code was registered.)

  • ACommA Telecommunications and Law Enforcement Manual [15]
       "to permit a carriage service intermediary to pass on the details of a customer to a network operator so as to permit connection. Disclosures would also be permitted where a customer changes his or her CSP."

  • TIO Position Statement, 2003 [16]
       to allow a "provider who has the customer's details to disclose the customer's information to another provider [e.g. a 190 calls provider] so that it can bill for the calls made"

44. In our view, either the PA or TA must be amended so that all businesses in the telecommunications services industry are required to comply with NPP 1 in relation to necessary collection and NPP 2 in relation to use and disclosure, so that TA s291 (and the related s302 secondary use/disclosure exceptions) cannot be interpreted or applied in a way that authorises breach of NPP 2 of the PA.

Personal Information about third parties in communications

45. This section discusses the following provisions of the TA:

TA: 290 Implicit consent of sender and recipient of communication
Section 276 does not prohibit a disclosure or use by a person if:
(a) the information or document relates to the contents or substance of a communication made by another person; and
(b) having regard to all the relevant circumstances, it might reasonably be expected that the sender and the recipient of the communication would have consented to the disclosure or use, if they had been aware of the disclosure or use.

46. This exception, on its face, appears to result in inadequate protection for personal information about third parties referred to in a communication. The exception should be amended to ensure that telecommunications businesses cannot disclose personal information about third parties based on an assumption that other persons (the sender and recipient) would have consented.

47. We note that the de-registered ACIF Code states that s290 "is intended to allow disclosure of public communications, for example, where a carrier discusses the content of an on-line bulletin board, or the content of a pay-television program carried on a cable network". However, that interpretation is not obvious from s290 itself. In the absence of a registered industry Code, and with increasing numbers of new entrants including small businesses in the telecommunications industry, it is doubtful that s290 would always be interpreted as said to have been intended in a de-registered code.

Authorisation by or under law

48. This section discusses the following provisions of the TA and PA:

TA: 280 Authorisation by or under law
(1) Division 2 does not prohibit a disclosure or use of information or a document if:
(a) in a case where the disclosure or use is in connection with the operation of an enforcement agency-the disclosure or use is required or authorised under a warrant; or
(b) in any other case-the disclosure or use is required or authorised by or under law.
(2) In this section:
enforcement agency has the same meaning as in section 282.

PA: NPP 2.1
(f) the organisation has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities; or
(g) the use or disclosure is required or authorised by or under law; or
(h) the organisation reasonably believes that the use or disclosure is reasonably necessary for one or more of the following by or on behalf of an enforcement body:

(i) the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law;
(ii) the enforcement of laws relating to the confiscation of the proceeds of crime;
(iii) the protection of the public revenue;
(iv) the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct;
(v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.
...
Note 2: Subclause 2.1 does not override any existing legal obligations not to disclose personal information. Nothing in subclause 2.1 requires an organisation to disclose personal information; an organisation is always entitled not to disclose personal information in the absence of a legal obligation to disclose it.

49. The private sector amendments to the PA inserted the then new s303B into the TA, which states that exceptions to the Part 13 privacy protections of the TA are taken to be "authorised by law" for the purposes of the PA (NPP 2.1(g) contains an exception for use or disclosure that "is required or authorised by or under law"). It is thus clear that the specific exceptions in Part 13 of the TA over-ride the privacy protections of the PA.

50. However, Part 13 of the TA also contains an exception for "disclosure or use [that] is required or authorised by or under law" and in our opinion it is not sufficiently clear that the list of exceptions in NPP 2 of the PA does not over-ride the specific privacy protections of Part 13 of the TA.

51. We believe the PA needs to be amended to make clear that NPP 2.1 does not authorise use or disclosure that would otherwise be in breach of the TA. Alternatively, s280 of the TA needs to be amended to state that s280(1)(b) does not authorise uses or disclosures that are authorised by NPP 2.1 of the PA.

Recommended Solution to Part 13 Inadequacies

52. While EFA considers that the TA requires amendments to address the above mentioned inadequacies, we would not support removal of Part 13 of the TA (for example, to replace it with reference to the NPPs and PA).

53. The telecommunications industry, and especially carriage service providers, of necessity have access to vastly more information about individuals than do most private sector organisations. The information held by them, and accessible to them as it passes through their networks, includes information about not only their own customers but also about members of the public in general, including the content of their communications. As such, the telecommunications industry is a special type of industry that the Parliament has long recognised should be subject to special obligations to protect privacy and that recognition resulted in the enactment of the Part 13 obligations and responsibilities many years ago.

54. Further, Part 13 deals with many aspects of the telecommunications industry that are specific to that industry and that are not addressed at all, let alone adequately, by the high level NPPs. These include not only obligations to protect privacy but also detailed rules concerning use and disclosure of information for specifically authorised purposes such as to law enforcement agencies and emergency services, etc. In our view, it would not be practical or desirable to replace or substantially change Part 13.

55. In summary, we are of the view that the telecommunications industry must remain subject to Part 13 of the TA which contains significantly more specific and detailed obligations and responsibilities in relation to use and disclosure of information than is provided by the high level NPPs. However, Part 13 should be amended to address the inadequacies in privacy protection discussed above.

4.2 Spam Act 2003

56. In relation to commercial electronic messages, the NPP 2.1(c)(i) direct marketing exemption is inconsistent with the Spam Act 2003. This matter is discussed under the heading Direct Marketing Exemption later herein.

5. Small Business Exemption

57. EFA remains of the view, originally expressed in 2000, that the small business exemption should be deleted from the PA.

58. Small businesses comprise some 94% of Australian businesses, according to information provided by the Department of Employment, Workplace Relations and Small Business to the Standing Committee on Legal and Constitutional Affairs' inquiry into the provisions of the 2000 Bill.

59. Privacy rights do not disappear just because a consumer happens to be dealing with a small company. The responsibility upon commercial organisations to recognise the privacy rights of consumers does not magically become apparent when an organisation's revenue base exceeds some arbitrary figure. Individuals are rarely able to know whether or not an organisation is a small business for the purposes of the PA since annual turnover figures are rarely publicly disclosed.

60. We understand that there have been suggestions that the small business exemption be changed to apply to organisations with an arbitrary number of employees instead of an arbitrary annual turnover figure. We are opposed to an exemption based on number of employees because this would still result in exemption for organisations that collect and disclose substantial amounts and types of personal information. Even a sole trader may collect, use and/or disclose large quantities of personal information, especially via, for example, an e-commerce web site.

61. At the very least, all small businesses involved in the telecommunications and Internet services sector must be required to comply with the NPPs. The limited privacy protection provisions of the Telecommunications Act do not cover collection of personal information at all. Further, as discussed above in relation to the TA, individuals currently have less control and rights in relation to collection, use and disclosure of their personal information by small businesses in the telecommunications sector than they did before December 2001 when the ACIF industry code was de-registered by the ACommA. That Code contained substantially the same provisions as the NPPs, together with related guidelines, and was enforceable by the ACA. It did not contain an exemption for small businesses.

62. Further, in conjunction with the related body corporate/small business operator provisions, this exemption could conceivably be used by large organisations with complex corporate structures to evade their responsibilities by transferring data collection activities to a smaller entity. (For further detail see the discussion about SBOs in the section titled Direct Marketing Exemption.)

63. EFA recommends that the exemptions for small businesses and small business operators be dropped.

6. Related Bodies Corporate Exemption

64. EFA sees no justification for allowing organisations to escape compliance with some of the NPPs simply because they are part of a larger organisation. The exemption also enables large businesses to intentionally structure their affairs to enable avoidance of some of the NPPs.

65. Individuals often do not know that an organisation is related to another organisation and should not have to ask or attempt to investigate corporate structures in order to find out how far and wide their personal information could be spread.

66. The related bodies corporate exemption should be deleted. The same provisions should apply to related bodies corporate as to any other third party organisation.

7. Contractors

67. The section of the Issues Paper titled Commonwealth Contractors demonstrates the impracticability of having different sets of Privacy Principles applicable to government agencies and private sector organisations. Clearly the two different regimes need to be harmonised. We would support harmonisation provided that the outcome results in the highest level of privacy protection from each of the two existing regimes. We would not support an exemption for Commonwealth contractors who are small businesses or small business operators.

68. With regard to private sector contractors (as discussed in the Issues Paper under Business efficiency and private sector contracting), we consider this situation is another reason why the exemption for small businesses and small business operators should be deleted from the PA. In addition, we consider the PA should be amended to place obligations on organisations that engage contractors to ensure the contractor only uses and/or discloses the personal information given to them for the purposes for which it is given and keep it secure, etc.

8. Inadequate Definition of "Personal Information"

69. Currently:

"personal information means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion."

70. A broader definition of "personal information" must be embraced in order to adequately protect individuals' privacy in the electronic information age. The current focus on identification as the basis for privacy protection is not adequate, nor was it adequate when the private sector provisions commenced in 2001.

71. The Issues Paper asks (p.21) "whether ability to contact or some additional approach should be taken to protect individual privacy". We consider that additional approach should be incorporated; however, that alone will not adequately protect individuals' privacy.

72. The definition must be extended to cover identifiers irrespective of whether it is obvious to the collector or discloser that an individual's identity can reasonably be ascertained from that identifier and whether or not an individual can be contacted by use of that identifier.

73. In the Internet environment there is a wider range of identifiers available than off-line, such as an Internet user's machine ID, IP address, user ID, email address, passwords, etc. Identifiers such as these must be clearly incorporated within "personal information" protected by the Privacy Act and the Principles.

74. Aggregation of data can occur with minimal identifiers if one identifier is sufficiently unique to be cross-referenced with another.

75. Internet technologies enable the collection of information about individual Internet users' behaviour across thousands of web sites. Personal profiles about them, including their habits and interests, are being compiled surreptitiously and in many cases without users being aware that this is even possible, let alone their having provided their name to such web sites.

76. While many people appear to believe these profiles are only used for purposes such as targeting banner advertisements at particular Internet users and consider this to be of no concern, a far more disturbing aspect is that detailed profiles about consumers can make them more susceptible to discriminatory business practices such as redlining - the practice of placing particular customers at the end of a priority queue, or, of even greater concern, simply not dealing with them at all. As reported in "Weblining" [17] in BusinessWeek Online, 3 April 2000:

"Old-style redlining is unacceptable because it is based on geographic stereotypes, not concrete evidence that specific individuals are poor credit risks. Webliners may claim to have more evidence against the people they snub. But their classifications could also be based on irrelevant profiling data that marketing companies and others collect on the Web. How important to your mortgage status, say, is your taste in paperbacks, political discussion groups, or clothing? Yet all these far-flung threads are getting sewn into online profiles, where they are increasingly intertwined with data on your health, your education loans, and your credit history."

77. On the Internet, it is not necessary for businesses or any other online service to be able to reasonably ascertain the actual identity of an individual, in order to build a profile about them. All that is necessary is a sufficiently unique identifier. Such identifiers (and profiles) may be disclosed to other entities who are able to connect a "cyberspace" identifier with a name or other "real-world" identifier.

78. For further information regarding online identifiers and associated privacy issues, see Privacy Principles - irrelevant to cyberspace? [18], Graham Greenleaf, Privacy Law & Policy Reporter (Prospect Publishing), 3 PLPR 114, September 1996.

79. EFA recommends that the definition of "personal information" in the PA be extended to include wording such as

"any information which enables interactions with an individual on a personalised basis, or enables tracking or monitoring of an individual's activities and/or communication patterns, or enables an individual to be contacted"

80. In addition, the definition should be amended to include an explanatory note such as:

"For the avoidance of doubt, in determining whether information is personal information, it is irrelevant that the identity of the individual may not be known or ascertainable by the collecting or disclosing organisation at the time of collection or disclosure."

9. Primary and Secondary Purposes of Collection

81. As stated in the Issues Paper (p32) "[t]he NPPs do not specifically require organisations to get an individual's consent to collect personal information". In addition, the NPPs do not regulate the subsequent use or disclosure of information collected for the primary purpose of collection.

82. As a result, individuals have no choice or control whatsoever concerning collection, use and disclosure of their personal information for the primary purpose of collection. This situation is of greatest concern when organisations collect personal information from a third party, that is, without the knowledge, let alone consent, of the individual concerned.

83. EFA considers that NPP 2.1 should be amended to regulate use and disclosure of information collected for the primary purpose of collection. We see no legitimate reason for NPP 2 to apply only to use and disclosure for secondary purposes. Organisations should not be able to use personal information for either primary or secondary purposes unless the individual concerned would reasonably expect the organisation to use or disclose the information for the purpose or has consented to the use or disclosure for that purpose.

84. If NPP 2 is not amended as above, then at the least, it should be amended to prohibit use and disclosure for the primary purpose of collection in circumstances where the information was collected indirectly without consent, i.e. from a source other than the individual concerned without the consent of the individual, unless the use or disclosure is essential (requiring an objective test) for the provision of a service requested by the individual.

10. Bundled "Consent" and NPP 1.3 Notices

85. EFA considers the common organisational practices of requiring bundled "consent" and providing NPP 1.3 information in privacy policies that are changeable without any notice, let alone prior notice, are massively undermining the objectives of the PA.

86. Although the OFPC has widely promoted the PA with the slogan "My Privacy, My Choice", it has become apparent that a more truthful slogan may be "My Privacy, NO Choice".

87. In relation to the commentary concerning "bundled consent" in the Issues Paper (p32-33), we are of the view that such means of allegedly obtaining "consent" do not constitute consent to use and/or disclosure for secondary purposes. Individuals cannot give free and informed consent when they are presented only with broad and/or vague statements concerning possible uses and disclosures, and/or told that services will not be provided if they do not "consent" to the bundle. However, as we see no purpose in using bundles unless the organisation is assuming these result in valid consent, it would appear individuals' personal information is being used and disclosed for purposes for which they did not consent and would not reasonably expect (i.e. in breach of NPP 2.1(a)).

88. Of additional concern is the common organisational practice of including NPP 1.3 information (about use and disclosure) in Privacy Policies that are changeable without any notice, let alone prior notice, to the individual. There appears to be no reason for this practice unless the organisation is mistakenly regarding same as sufficient for reliance on NPP 2.1(a)(ii), i.e. that "the individual would reasonably expect the organisation to use or disclose the information for the secondary purpose". Moreover, as mentioned earlier herein, expectation is more than awareness.

89. Until the above practices are stopped, individuals cannot have confidence that their privacy is respected, let alone protected.

90. Examples of privacy policies changeable without notice:

  • Mobile Phone Service Provider, 14 Dec 2004:
    "[company] reserves the right to change this Privacy Policy at any time and notify you by posting an updated version of the Policy on its web site. The amended Privacy Policy will apply between us whether or not we have given you specific notice of any change. We encourage you to review this Privacy Policy periodically because it may change from time to time." [19]

    Note: The above policy was included in pre-paid mobile phone packs sold in shops in late 2004. Hence it appears that persons purchasing a mobile phone service need to have Internet access to find out whether the printed policy included with the product purchased has been changed.

  • Telephone Service Provider, 14 Dec 2004
    "From time to time, it may be necessary for us to review our Privacy Awareness Policy. We reserve the right to amend our Privacy Awareness Policy at any time and to notify you by posting an updated version on the [company] website [company].com.au" [19]

  • Marketer of leading brand name consumer products, 14 Dec 2004
    "...from time to time, our policies will be reviewed and may be revised. [company] reserves the right to change its Privacy Policy at any time and notify you by posting an updated version of the policy on its website.
    The amended Privacy Policy will apply between us whether or not we have given you specific notice of any change." [19]

  • Australian Domestic Airline, 14 Dec 2004
    "We may amend this Privacy Statement as our business requirements or the law changes. Any changes to this Privacy Statement will be updated on [company].com and [company].com, so please visit [company].com or [company].com periodically to ensure that you have our most current privacy statement." [19]

  • Bank, 14 Dec 2004
    "...In general, we will not use or disclose personal information collected about you otherwise than for a purpose set out in this Privacy Policy, for a purpose you would reasonably expect, a purpose required or permitted by law, or a purpose otherwise disclosed to, or authorised by, you. [emphasis added]
    ...
    This statement sets out our current Privacy Policy. It replaces any of our other Privacy Policies or website Privacy Policy to date.
    Please note that this Privacy Policy may change from time to time. ... We encourage you to periodically review our Privacy Policy for any changes." [19]

91. A further problem is that quite often policies of the above type have no date on them, nor do they highlight changes made since the previous version. Individuals who wish to know the details of the organisation's current policy therefore need to constantly re-read the entire policy.

92. In addition, there appear to be attempts to skate around the law (NPPs) via Privacy Policies. For example, a major telecommunications service provider's Privacy Policy [19] states:

"[company] may Disclose Personal Information to unrelated third parties to enable outsourcing of functions (such as billing), where that is Disclosure or Use for a related Secondary Purpose and has been notified to individuals or where such Disclosure is within the individual's Reasonable Expectations...." [emphasis added]

and at the end of the above policy, in its glossary:

"Reasonable Expectation means a reasonable individual's expectation that their personal information might be Used or Disclosed for the particular purpose." [emphasis added] [19]

93. However, NPP 2.1(a) does not refer to a phantom "reasonable individual's expectation", it refers to what the relevant individual would reasonably expect. In our view, changes need to be made to the NPPs to ensure that:

  • when information contained in NPP 1.3 and 1.5 notices concerning use and disclosure is insufficiently specific to enable the individual to give free and informed consent, or make an informed choice about whether to provide personal information, that the organisation cannot rely on NPP 2.1(a) to use or disclose the individual's personal information;

  • privacy policies containing NPP 1.3 and 1.5 information must include the date of issue and changes made since the prior version must be highlighted or noted therein (e.g. a list of changed clause numbers and date of change at the end of the policy);

  • any changes to NPP 1.3 and 1.5 information involving new uses or disclosure cannot apply to previously collected personal information unless the organisation has directly notified the individual concerned of the changes and provided an easy to take up opportunity to opt-out of such new uses and disclosures or to terminate their relationship with the organisation without detriment.

11. Data Quality claimed as justification for Bundled "Consent"

94. NPP 3 - Data Quality - states:

An organisation must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up to date.

95. We understand that the accuracy requirement of NPP 3 is being used by some organisations as an alleged justification for their use of bundled "consents". For example, at a recent meeting convened by the OFPC, a representative of a mobile telephone call service provider said the organisation used bundled consents to minimise the amount of data needing to be entered into its information systems and had recently re-designed those systems to reduce the amount of data entry required. This was said to be necessary to increase the probability of accuracy of data, that is, to reduce opportunity for inadvertent errors during data entry.

96. Such an interpretation of the NPP 3 accuracy requirement is plainly contrary to the intent and objectives of the PA.

97. NPP 3 must be amended to make clear that it cannot be used as an excuse for giving individuals less choice in relation to the use and disclosure of their personal information.

12. Use & Disclosure by Secondary Collectors

98. NPP 2 should be amended to explicitly place restrictions on use and disclosure by secondary collectors, that is, organisations that have collected personal information from another organisation. Secondary collectors should be prohibited from using or disclosing information for purposes other than those for which the disclosing organisation is permitted to use or disclose the information.

13. Collection of Unlawfully Disclosed Personal Information

99. We were surprised to hear recently, in relation to a currently unresolved complaint, that collection of personal information that has been unlawfully disclosed by another party might not constitute a collection by unfair or unlawful means under NPP 1.2 and that subsequent use, and disclosure to one or more other organisations, might not constitute breach of NPP 2.

100. Such an interpretation of NPP 1.2 and NPP 2 undermines the objectives of the PA to the extent that individuals are afforded no control whatsoever in relation to collection, use and disclosure of their personal information where that information was unlawfully disclosed in the first place.

101. The unsatisfactory implications of such an interpretation are especially apparent when considering a case where the primary purpose of the secondary collection is direct marketing. For instance, Organisation A unlawfully discloses personal information to Organisation B, and Organisation B's primary purpose of collecting that unlawfully disclosed information is direct marketing. Organisation B would then be free to disclose the information to one or more further organisations for direct marketing purposes, so a third organisation would be free to disclose it to a fourth and so on, notwithstanding that the information was only able to be collected, used and disclosed by the second and subsequent organisations as a result of the breach of NPP 2 by the initial collector.

102. If, as has been suggested, NPP 1.2 and NPP 2 can be interpreted as permitting the above scenario, it demonstrates such a massive "hole" in the protection offered by the PA that it cannot have been intended.

103. It is not as if there is some sort of property "title" in individuals' personal information that can be restored to them after discovery (if ever) of the initial unlawful disclosure. That is, personal information cannot be restored to the "owner" in a similar way to stolen goods. Once information about them has escaped "into the wild", an individual has no control whatsoever.

104. The privacy interest supported by the Act is that of the subject person concerned who should have some assurance that the limited promise of protection under that law is actually applied, not avoided by sleight of hand or regulatory acceptance of routine "laundering" of unfairly or improperly collected data through intermediaries or "outsourcing".

105. Furthermore, if it is necessary (NPP 1) for an organisation to collect unlawfully disclosed personal information, then as a matter of general principle such organisations should not be in business or should be required to find a new business model. NPP 1.1 and 1.2 should be interpreted in a manner that discourages such privacy invasive business models. It is not an undue burden on legitimate businesses to require them to only collect and use lawfully disclosed personal information.

106. The NPPs must be amended to eliminate any potential for an interpretation that means, in effect, "an unlawful step in the initial collection process does not mean it was collected unlawfully by the subsequent collector/s, nor that it was used or disclosed unlawfully by those collector/s". In particular, the NPPs must be amended to:

  • prohibit knowing collection of unlawfully disclosed information; and
  • make awareness by the collecting organisation that the personal information may have been unlawfully disclosed a relevant consideration in deciding whether collection has been by fair means; and
  • require organisations to destroy information that has been unlawfully disclosed to them once that organisation becomes aware of the unlawful disclosure.

107. In addition, NPP 1 should be amended to specifically require that collection be for a lawful purpose. Presently NPP 1.2 only requires that the means of collection be lawful.



14. Definition of Direct / Indirect Collection

108. NPP 1.4 states:

If it is reasonable and practicable to do so, an organisation must collect personal information about an individual only from that individual.

109. We understand that during investigation of a complaint by the OFPC it has been suggested that NPP 1.4 refers to collection of personal information directly from the individual and that an individual's consent or express denial of consent to collection is irrelevant to the question of whether NPP 1.4 has been breached in collecting information from a third party.

110. Such an interpretation has been used in an attempt to show no breach of NPP 1.4 when an individual's personal information has been collected from a third party, despite the individual concerned having previously expressly denied consent to the third party to disclose the information and the collecting organisation having the contact details of the individual (their customer) enabling them to seek the individual's consent to receive the information from the third party.

111. As NPP 1.4 does not include the word "directly" and the above interpretation is so contrary to the overall intent of the PA, in our view, the interpretation cannot be correct. Nevertheless, it is apparent that NPP 1.4 needs to be amended to prevent such an interpretation.

112. In addition, an interpretation implying "directly" has undesirable consequences that make it unnecessarily difficult for individuals to provide, and organisations to legitimately collect, personal information without breaching NPP 1.4. In this regard, we consider it is necessary in interpreting NPP 1.4 to distinguish the means of collection (the communications chain, which may involve one or more third parties) from the relationship. The wording "only from that individual" must refer to the relationship and not the communications chain - otherwise all sorts of contemporary transactions would be prohibited. For example:

  • If consent is regarded as totally irrelevant to NPP 1.4, then even where an individual wishes to voluntarily give consent to Organisation A to disclose their personal information to Organisation B, Organisation B must not collect that information if it is reasonable and practicable to collect the information from the individual. We consider it highly unlikely that is the intent of NPP 1.4.

  • An interpretation implying "directly", as in the instance referred to above (which concerns telecommunications businesses), would equally apply to collection of personal information from, for example, an email message. That is, that the recipient of the email message is not collecting the information directly from the individual, but from the third party carriage service provider (carrier/ISP) who provides the recipient's incoming mail box from which the recipient retrieves the information. In other words, the above interpretation of NPP 1.4 appears to result in the situation that where it is reasonable and practicable to collect the information directly from the individual, e.g. in person or by a real-time voice call, then email must not be used. We consider it highly unlikely that is the intent of NPP 1.4.



15. Anonymity

113. NPP 8 - Anonymity - states:

Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.

114. We understand, in relation to a currently unresolved complaint, that it has been argued that a disclosing organisation has no responsibility to facilitate anonymous transactions, that is, that the entire responsibility lies with the collecting organisation.

115. We submit that such an interpretation of NPP 8 is incorrect and that NPP 8 needs to be amended to clarify that the obligation is to wherever possible (lawful and practicable) facilitate anonymous transactions, including with other organisations.

116. We note the advice in the OFPC Consultation Paper on the draft NPP Guidelines that:

"NPP 8 along with NPP 1.1 seeks to reverse through law the trend in new and existing information systems to collect more personal information than is necessary for a transaction" and in relation to what is impracticable that "additional cost, inconvenience ... will not be sufficient grounds".

117. With the increasing use of technology and automated information systems, in the absence of a shared responsibility by the disclosing organisation, there is a high risk that NPP 8 will be totally ineffective. Collectors are likely to claim that because the discloser sends them information and the technology in use by the recipient/collector automatically collects the information, it would be "impracticable" for the collector to comply with NPP 8.

118. An interpretation of NPP 8 that places no responsibility on the discloser, and also enables the collector to claim "impracticability" where the disclosure and subsequent collection is carried out by automated technological methods, would have widespread ramifications for the protection of individuals' privacy in the many circumstances where electronic information systems and communications systems are used. Not only would non-compliance with NPP 8 become more widespread, but information and communications systems will continue to be intentionally designed, and/or intentionally configured, to prevent individuals from being able to choose to be anonymous, contrary to one of the objectives of NPP 8 stated in the OFPC Consultation Paper.

119. Further, whether or not it is "impracticable" for the collector to comply in any particular instance, it is certainly impractical, and quite often impossible, for the individual concerned to have sufficient knowledge about a particular technology or information system to support a complaint concerning breach of NPP 8 on the grounds that it is practicable for the organisation to comply.

120. We submit that NPP 8 needs amendment to clarify that the responsibility to facilitate anonymous transactions is shared by the disclosing and collecting organisations. In addition, NPP 8 should be amended to place a specific obligation on organisations to design and build their information and communication systems to facilitate anonymous transactions.



16. Transborder Data Flows

121. EFA is concerned that NPP 9 may not effectively protect individuals' personal information. Further, even if it does, individuals rarely have any way of knowing in advance whether their information will be disclosed to overseas organisations (so they have no choice), nor whether appropriate protections exist in the foreign country's law or have been put in place by the Australian organisation.

122. The increasing use of overseas call centres, for example by Australian credit card providers, is of significant concern. Staff in such call centres obviously have access to credit card details and transaction histories, etc.

123. In our view, the NPPs should be amended to require organisations to:

  • provide prior notice (i.e. before collection) to individuals that their information will be sent to a foreign country, and/or that the individual will be required to deal with customer enquiry/support centres located in a foreign country; and
  • provide notification of the means by which the Australian organisation has ensured their personal information will be effectively and adequately protected;
  • unless:
    • the overseas organisation is subject to a law which is substantially similar to the private sector provisions of the PA; or
    • the individual concerned has consented to the transfer.



17. Direct Marketing Exemption

124. In relation to commercial electronic messages, the NPP 2.1(c)(i) direct marketing exemption is inconsistent with the Spam Act 2003 in that it permits sending of such messages without consent, contrary to the Spam Act. At a minimum, NPP 2.1(c)(i) should be amended to be equivalent to the Spam Act in relation to consent.

125. In addition, the Spam Act is inconsistent with NPP 2.1(c) which appropriately requires all organisations sending direct marketing communications to inform the individual that they have the right to opt-out and provide details of how to do so. In contrast, the Spam Act inappropriately established a special class of senders who are authorised to send spam "relating to goods and services" and also a special class of exempt messages ("designated" commercial messages) and exempts those senders from the requirement to provide a means of opting out, i.e. functional unsubscribe facility. The Spam Act should be amended to require all senders to provide a functional unsubscribe facility and thereby remove the inconsistency with NPP 2.1(c)(iv) and (v).

126. We believe however that the direct marketing exception in the PA needs a complete overhaul as discussed below.

17.1 Primary Purpose of Direct Marketing

127. As discussed above under Primary and Secondary Purposes of Collection, the NPPs do not regulate use and disclosure for the primary purpose of collection at all and organisations are free to collect personal information for any "primary purpose" they wish without consent.

128. Unless NPP 2 is amended to regulate use and disclosure for the primary purpose of collection (as recommended earlier herein), then the NPPs must be amended to prohibit collection without consent for the primary purpose of direct marketing.

17.2 Secondary Purpose of Direct Marketing

129. The NPP 2.1(c) exception permitting secondary use of personal information for direct marketing without consent is totally unacceptable. It must be amended.

130. Personal information should only be used for marketing purposes with explicit consent, not by default with the blessing of the government. Unsolicited direct marketing, whether in the form of junk mail, telemarketing phone calls, junk fax, or by E-mail is notoriously unpopular with consumers.

131. The direct marketing exemption requires a consumer to be aware that they are permitting their data (provided for the primary purpose of, e.g. purchasing a specific product) to also be used for the secondary purpose of direct marketing unless they remember to specifically request not to receive direct marketing communications at the time of providing the information.

132. EFA considers this to be an unfair information practice which inadequately protects an individual's fundamental right to privacy. Remembering to opt out of direct marketing is unlikely to be foremost in a purchaser's mind when transacting a purchase and what is "impracticable" for an organisation in terms of seeking an individual's consent (NPP 2.1(c)(i)) is, to say the least, not clear and hence a matter of argument.

133. Furthermore, although the NPP permits the sending of direct marketing material once only (if the recipient then asks not to be contacted again), the NPPs only apply to "organisations" and the definition of an "organisation" excludes a "small business operator" (SBO), which is defined to be an entity that carries on one or more small businesses. Once one small business carried on by an SBO has collected an individual's address, each and every one of the other small businesses carried on by that SBO can send direct marketing material to the same individual who would, it appears, have to opt out each time (and the SBO businesses are not required to comply with the NPPs in any case). The SBO does not lose its exemption from the definition of "organisation" in the PA by disclosing the information to its small businesses nor by those businesses using the information for direct marketing. The exemption is only lost if the personal information is disclosed to "anyone else for a benefit, service or advantage". Disclosures to businesses within the SBO are not disclosures to "anyone else". Therefore, the collection of personal information by one small business can result in an individual receiving "once only" direct marketing material from numerous other businesses as a result of the collection of the information by one small business.

134. There appears to be no impediment to an SBO business disclosing personal information collected by them and contained in direct marketing lists to unrelated third parties. While such a business would lose its exemption from "organisation" if it received a "benefit, service or advantage" in return, the damage would already have been done prior to the exemption being lost.

135. We recommend that the direct marketing exception be replaced with an "opt-in" provision that permits the use of personal information for direct marketing purposes only by specific prior consent. In addition, direct marketers should be required to provide "opt-out" instructions, each and every time they send direct marketing materials, not only the first time. Sanctions should be applied to breaches of these principles.



18. Enforcement Issues

136. We remain of the view expressed in 2000 that a major weakness in legislation is the lack of adequate enforcement provisions. We consider the PA should contain enforcement mechanisms that persuade compliance from both big business and small business.

137. We note the discussion concerning enforcement mechanisms in the Issues Paper (p47) and advise that in our view:

  • the Commissioner should be given additional powers, for example, to ask organisations to commit to an undertaking that would be enforceable in the courts, or to issue a standard or binding code;

  • the Commissioner should be given powers to enforce compliance with the PA where a breach has been found as a result of his or her 'own motion' investigation into the practices of private sector organisations;

  • the Commissioner should be given power to proactively audit private sector organisations' compliance with the NPPs;

  • the Commissioner's office should be provided with adequate funding to exercise the above additional powers.

138. It has also long been of major concern to EFA that:

"[T]here is no right of review of the substance of a Commissioner's determination ... Respondents have the possibility of having a case hear [sic] afresh by refusing to comply with a determination and waiting for the Commissioner to seek to have the case enforced in court. However, this strategy is not available to an aggrieved complainant." (Issues Paper p30)

139. This unsatisfactory situation should be removed by amendments giving both complainants and organisations the right to appeal to the Administrative Appeals Tribunal and have the matter heard afresh.

140. In relation to the complaints process, we note the following remarks in the Issues Paper (p30):

"There may be concerns that the complaints process lacks transparency because the confidential nature of conciliation settlements means that the nature of breaches, and the Office's view about the application of the NPPs, is hidden from public scrutiny.

141. It may be argued that individuals' ability to exercise their rights is impeded by the Office's focus on conciliation in handling complaints. Individuals may not be in a position to negotiate their interests effectively in this process. In the absence of understanding the basis on which cases have been decided or resolved in the past, they may be negotiating in a vacuum."

142. We have the above concerns arising from the situation in relation to complaints known to us. We consider the complaints process needs greater transparency and considerably more information about the OFPC's views about application of the NPPs needs to be made publicly available.

143. We are also concerned by the delays in dealing with complaints apparently due to inadequate funding of the OFPC. We consider the OFPC should be sufficiently well-funded to deal with complaints promptly, and without needing to remove staff from other important areas such as policy and auditing of government agencies as has reportedly occurred.

144. Without adequate complaints handling procedures, backed up ultimately by strong legal sanctions, the PA will continue to be a generally ineffective and token piece of legislation.



19. Conclusion

145. The operation of the private sector provisions over the past four years has predictably shown that the limited privacy protections allegedly offered are a totally inadequate response to consumer privacy needs in the 21st century.

146. The definition of "personal information" in the PA is inadequate in the context of the electronic environment.

147. The legislation contains too many exemptions and exceptions. In addition, numerous provisions of the PA and the NPPs are lacking in clarity and ambiguities are being exploited in ways contrary to the stated intent of the legislation. There is increasing evidence that even the regulator is interpreting the NPPs in the least privacy protective manner possible. Furthermore, enforcement provisions in the legislation are inadequate.

148. Instead of empowering individuals to exercise their right to privacy of personal data, and choice about how that data may be collected, used and disclosed, the legislation confers on certain business interests the right to invade individual privacy.

149. Finally, we consider the OFPC's use and promotion of the slogan "My Privacy, My Choice" to be highly misleading at best. In our view, use of the slogan should cease until such time as a major overhaul of the legislation has been undertaken and implemented that results in the slogan expressing fact instead of wishful thinking.



References

1. Privacy Act 1988
<http://scaleplus.law.gov.au/html/pasteact/0/157/top.htm>

2. OFPC Issues Paper: Review of the Private Sector Provisions of the C'th Privacy Act 1988, October 2004
<http://www.privacy.gov.au/act/review/index.html>

3. OzEmail - an ISP's approach to privacy, Justin Milne-OzEmail, Privacy Law and Policy Reporter 26, 2000
<http://www.austlii.edu.au/au/journals/PLPR/2000/26.html>

4. Online research a wise hit, Louise Hattam, Herald Sun Melbourne (Business, p25), 19 Jul 2004

5. Bright future for online banking, Adrian Giles [founder and director of Hitwise], WebHead Magazine, ZDNet Australia, 26 Sep 2001
<http://www.zdnet.com.au/news/business/0,39023166,20260621,00.htm>

6. Heavyweights back Sinewave, by Jane Schulze, The Age (Business, p5), 13 Jul 2000

7. "About Hitwise Australia" page, as at 16 Dec 2004
<http://www.hitwise.com.au/about/>

8. Hitwise Methodology FAQ, as at 2 Dec 2004
<http://www.hitwise.com.au/faq/?currentfaq=Methodology>
(Note: The content of the above page no longer refers to IP addresses. The page has been changed since 2 Dec 2004, perhaps not coincidentally shortly after some members of the public and journalists started asking questions about Hitwise's collection and use of information from ISPs).
See also: Hitwise Pty Ltd Patent Application: Method and System for Characterization of Online Behaviour
<http://v3.espacenet.com/textdes?DB=EPODOC&IDX=CA2460668& F=0&QPN=CA2460668>

9. Hitwise Privacy Statement, as at 16 Dec 2004
<http://www.hitwise.com.au/info/privacy.html>

10. Telecommunications Act 1997
<http://scaleplus.law.gov.au/html/pasteact/2/3021/top.htm>

11. Australian Communications Authority: Replaced and removed industry codes
<http://internet.aca.gov.au/ACAINTER.2293792:STANDARD:1686360264:pp=DIR3_14,pc=PC_2132>

12. ACIF Industry Code-Protection of Personal Information of Customers of Telecommunications Providers
<http://internet.aca.gov.au/acainterwr/telcomm/industry_codes/codes/c523b.pdf>

13. OFPC Consultation paper on the draft National Privacy Principle Guidelines, May 2001
<http://www.privacy.gov.au/publications/dnppg.html>

14. Representative complaint concerning disclosure of silent and other blocked calling number information to ISPs
<http://www.efa.org.au/Issues/Privacy/cni-complaints/index.html>

15. Australian Communications Authority: Telecommunications and Law Enforcement Manual (875 Kb)
<http://www.aca.gov.au/aca_home/licensing/radcomm/about_radcomms_licensing/leac.pdf>

16. TIO Position Statement, 2003
<http://www.tio.com.au/POLICIES/Privacy/Customer's%20personal%20information%20passed%20to%20another%20provider.htm>

17. "Weblining", BusinessWeek Online, 3 April 2000
<http://www.businessweek.com/2000/00_14/b3675027.htm>

18. Privacy Principles - irrelevant to cyberspace?, Graham Greenleaf, Privacy Law & Policy Reporter (Prospect Publishing), 3 PLPR 114, September 1996
<http://www2.austlii.edu.au/itlaw/articles/IPPs.html>

19. See Attachment 1



About EFA

Electronic Frontiers Australia Inc. ("EFA") is a non-profit national organisation representing Internet users concerned with on-line rights and freedoms. EFA was established in January 1994 and incorporated under the Associations Incorporation Act (S.A.) in May 1994.

EFA is independent of government and commerce, and is funded by membership subscriptions and donations from individuals and organisations with an altruistic interest in promoting online civil liberties. EFA members and supporters come from all parts of Australia and from diverse backgrounds.

Our major objectives are to protect and promote the civil liberties of users of computer based communications systems (such as the Internet) and of those affected by their use and to educate the community at large about the social, political and civil liberties issues involved in the use of computer based communications systems.

EFA policy formulation, decision making and oversight of organisational activities are the responsibility of the EFA Board of Management. The ten elected Board Members act in a voluntary capacity; they are not remunerated for time spent on EFA activities. The role of Executive Director was established in 1999 and reports to the Board.
