|
|
| |
PO Box 382 North Adelaide SA 5006
Email: [email protected]
Phone: 08 8357 8844 Fax: 08 8373 3829
http://www.efa.org.au/
8 July 1998
The Secretary
Senate Legal and Constitutional References Committee
S1.108
Parliament House
CANBERRA ACT 2600
Facsimile: (02) 6277 5794 / 3830
Internet: [email protected]
Dear Sir or Madam
CONTENTS
Privacy Legislation for the Private Sector
Effectiveness of a Privacy Scheme
National Principles for the Fair Handling of Personal Information
Provisions of the Privacy Amendment Bill 1998
"Australians value privacy. They expect that their rights to privacy be recognised and protected." (The Meaning of Privacy, Australian Privacy Charter Council, December 1994)
Whilst the Privacy Amendment Bill does offer some enhancements to the current Privacy Act 1998, it doesn't go far enough in protecting the rights of individuals in relation to private organisations and companies. Privacy is an important right which needs protection at the highest level being federal legislation.
EFA supports the call from privacy advocates for greater privacy protection within the private sector, and believe that federal legislation is the only way of providing this.
Electronic Frontiers Australia Inc. (EFA) is a non-profit national organisation formed in 1994 to protect and promote the civil liberties of users of computer based communications systems and of those affected by their use. Our major goals are to advocate the amendment of laws and regulations in Australia and elsewhere which restrict free speech and unfettered access to information and to educate the community at large about the social, political, and civil liberties issues involved in the use of computer based communications systems.
While EFA's interests lie mainly in the area of on-line civil liberties and telecommunications, we also provide an advocate role for our members rights to privacy both on-line and off-line.
We hope that our comments may alert you to some omissions to the Privacy Amendment Bill and we would be happy to participate in any further discussions on the important issue of data and communication privacy.
PRIVACY LEGISLATION FOR THE PRIVATE SECTOR
Presently the private sector in Australia is subject to very limited privacy regulation. The Commonwealth Privacy Act provides little, or no, protection in the private sector.
Currently there are no international standards, however the United States of America, Canada and the European Union are making advances toward some privacy protection.
In a statement made earlier this month, United States President Clinton requested the Federal Trade Commission to identify measures for implementing more suitable privacy protection to individuals. Unlike the legislation being proposed by the Australian Government, this is not to be limited to government agencies or agencies who take on outsourced work from government.
The European Union released its Directive concerning the processing of personal data and the protection of privacy in the telecommunications sector on 15 December 1997. Article 25 of this directive prohibits European Union member countries from sending personal information to countries that do not maintain adequate standards of privacy.
While much of the publicity about this Directive has been directed at the United States, Australian businesses and individuals would also be affected by this decision if adequate privacy protection is not provided to individuals. The Privacy Amendment Bill will not provide the necessary protection, as it excludes a huge part of the Australian community (ie. the Private sector).
The directive can be found at:
http://www2.echo.lu/legal/en/dataprot/protection.html.
The United States Council for International Business < http://www.uscib.org/ > provides tools for companies to ensure they comply with various international privacy requirements. The USCIB Privacy Diagnostic is a tool for companies to use in evaluating information collection practices and developing privacy guidelines.
The Privacy Diagnostic tool outlines a mechanism to assist businesses in determining if they require privacy guidelines. Areas which it highlights are: How is Personally Identifiable Information collected? Who controls it? How is the information used?
The Privacy Amendment Bill provides for no such mechanisms for private sector agencies which do not provide outsourced services to, or on behalf of, the Federal Government. This is considered a major flaw of the Bill.
Current Legislative
Frameworks
Role, Responsibilities and Practices of Governments
As the committee is aware the current legislative framework covers only government agencies (excluding some) under the Privacy Act 1988. It is lacking in the area of privacy protection within the private sector. The legislation as it is currently proposed goes some way in enhancing privacy protection within Australia, however does not go far enough.
The Victorian Government recently announced the introduction of privacy legislation to crack down on the trade of personal information and protect consumers using the Internet. In the words of the Victorian Minister for Multimedia, Mr Alan Stockdale "The threat to privacy is greater than ever before. The potential for collating, matching, profiling and dataveillance is increased by new technologies exponentially in fact" (The Melbourne Age, 16 June 1998).
On 24 June 1998, the Joint Committee on Public Accounts and Audit tabled their report on "Internet Commerce To buy or not to buy". A recommendation contained in that report was for "the Australian Government to introduce privacy legislation to govern the use of personal information in the private sector" (Recommendation 17, paragraph 7.75).
At many levels the Federal Government is being encouraged to enhance the current protection of personal information as well as extending this to the private sector. EFA also encourages the Federal Government to do this.
Needs and Responsibilities of the Private Sector
The needs of the private sector should be considered secondary to the needs of an individual's right to privacy. Some in the private sector will suggest that there is little need for a legislated privacy scheme as it would add to their running costs, and their attitude may include that "they don't breach privacy rules anyway".
The responsibilities of the private sector need to be specified in federal statute to ensure compliance. Self-regulation of this type of information is not appropriate and would do nothing to promote confidence by Australians in this scheme.
EFA believes that an individual's rights to privacy are the most important principle which should govern any legislation or regulation.
EFFECTIVENESS OF A PRIVACY SCHEME
The only true measure of the effectiveness of a privacy protection scheme is the confidence that consumers show in it. Australian citizens do believe they have a right to privacy. The campaign against the Australia Card is a good example of this.
The only true way of implementing an effective privacy scheme is through legislation at a federal level. Strict requirements for all businesses, governments, etc under federal legislation will reduce the incidence of private information being incorrectly used, and provide the confidence to the people it is attempting to protect.
The other major factor about not having a federal scheme, and possibly having many state schemes, is the cost of compliance. Under a federal scheme it would be one set of rules to follow. Under state schemes, one organisation operating nationally would be required to comply with seven different laws.
NATIONAL PRINCIPLES FOR THE FAIR HANDLING OF PERSONAL INFORMATION
The Privacy Commissioner released the National Principles for the Fair Handling
of Personal Information in February 1998. Roger Clarke, a privacy advocate,
has identified serious flaws in these principles (see paper by Roger Clarke
located at:
http://www.anu.edu.au/people/Roger.Clarke/DV/NPPFlaws.html
).
EFA supports the claims made in this paper, and supports the amendment of the National Principles, and other relevant legislation / regulation to bring these into line with the suggestions of the Australian Privacy Charter Council.
PROVISIONS OF THE PRIVACY AMENDMENT BILL 1998
In his paper "Flaws in the Glass; Gashes in the Fabric", Roger
Clarke outlines a number of flaws in the current Privacy Act 1988. A copy
of this paper can be found at:
http://www.anu.edu.au/people/Roger.Clarke/DV/Flaws.html
The main thrust of the Privacy Amendment Bill 1998 is to expand the coverage of the legislation to agencies which undertake work which have been outsourced to them from government agencies. It does not address any concerns which are considered flaws in the current legislation.
EFA supports the need to enhance the current federal privacy legislation, however the proposed Privacy Amendment Bill just does not go far enough. Private sector agencies that hold personal information need to be more accountable to the people they hold the information on, and the most workable way of doing this is through federal legislation.
Australian Privacy Charter Council
European directive on privacy can be found at:
http://www2.echo.lu/legal/en/dataprot/protection.html
Roger Clarke's paper on identified flaws in the National Privacy Principles
issued by the Privacy Commissioner in February 1998 located at:
http://www.anu.edu.au/people/Roger.Clarke/DV/NPPFlaws.html
"Flaws in the Glass; Gashes in the Fabric", Roger Clarke located at:
http://www.anu.edu.au/people/Roger.Clarke/DV/Flaws.html
This paper can be found online at:
http://www.efa.org.au/Privacy/efasub02.html
Yours truly
James Nunn
Board Member
Electronic Frontiers Australia Inc.