Jan Whitaker, on Behalf of Electronic Frontiers Australia
10 February 1999
I write in general support of the Data Protection Bill, also entitled ‘Data Protection Proposals’. I believe it is an important action on the part of the State of Victoria to pursue this legislation in light of recent and emerging technological developments, and the potential for harm that might result without such protections as provided in the proposed legislation.
My comments herein are to identify areas in which I think there is still room for improvement before final passage and areas that need clarification, either in the accompanying explanatory material, should that become a basis of interpretation of the legislation later, or in the language of the bill itself.
Summary of Major Points:
The following pages are details relating to the points listed above, plus a few additional suggestions. In some cases I was able to provide suggestions for improving the situation. In others, I point out the problem and challenge to correct it, but would suggest that wiser minds than mine are needed to develop a solution.
These comments are meant as constructive criticisms of a legislative direction that is long overdue. The human need for control over their private lives is an important aspect of who we are. Invasion of one’s physical body or home or possessions without consent is reprehensible to most of us. In the age of technology, much of our identity is described and exposable by information collected about us. This proposed legislation is an important component for a set of social regulations to address protection from invasion.
It is an important beginning, but I encourage the government to consider the broader value of personal privacy beyond the issues of personal information. As we do not have an American or French style ‘bill of rights’ in Australia, our only method currently is to have legislated ‘rules’. Protection of residents from abuse by anyone, be they government agencies, private companies, or even neighbours, is one of the responsibilities of government. And personal privacy and the ability to make personal choices about how one lives one’s life without impinging on others in the process is an important value that must be examined in light of social and technical change. This includes the areas that have been defaulted by your department to the Department of Justice in the use of public video cameras, employee observations, psychological and physical testing for employment, DNA sampling by law enforcement, release of medical information among the health community without patient consent, discrimination for receipt of services based on pre-existing conditions or potential for such conditions etc. The issues are much larger than data protection as addressed in this bill. Minister, I challenge you and your government to tackle these issues as well, and to do what governments are charged with doing: looking out for the citizens and residents, not the interests of the ‘big end of town’. You have a long road ahead to get it right. Keep working.
EFA Board Member
Technology Management Consultant
1) BROAD COVERAGE: I support the continuation of the pursuit of this legislation despite the recent announcements from Canberra that the current government will be developing similar legislation. The reason this is important for us is the Victorian Data Protection bill is for both public and private; that is, everyone falls under it. The Commonwealth bill will most likely only be for private since the current law is in place for the public sector at the Commonwealth level. I disagree with the latter approach, as I believe there will be confusion as a result. My opinion is that there should be non-distinctive approaches except in specific aspects, which I'll point to later in this response with regard to the Victorian bill. The main point is that the Victorian bill doesn’t distinguish the coverage in most cases.
2) ALIGNMENT WITH COMMONWEALTH LEGISLATION: I have been told that if the Commonwealth government passes a private sector coverage law, Victoria will adjust those aspects of the state law that are in conflict, but we'll still have our own public sector coverage. I urge the Minister to exercise caution in making these adjustments without further public consultation. Much of what is in this bill is responsive to community concerns after long and considered discussion. Any modifications in response to Federal proposals should not be taken without further specific consideration for the wishes and values of Victorians.
3) EU COMPLIANCE: There is an opinion expressed in the Victorian Data Protection bill discussion that EU compliance might be attained by companies following the Victorian legislation; that is, developing a code or agreeing to the default provisions wholly if this company operates nationally. They can point to Victorian compliance as their adequacy. My suggestion is that this be worded very carefully as to not mislead those who may rely on this legislation for just this reason prior to any confirmation from the EU itself.
4) DEFERMENT TO EXISTING LEGISLATION: In the current presentation, existing legislation will prevail over any cases if there is conflict with the Data Protection legislation. I have a problem with this because we don't know what those conflicts may be and I think they need case by case attention as they arise, not default prevalence codified in the Data Protection law. I think that puts too many limits on situations that are currently unknown and may change as a result of changes in technology or policy in other circumstances. If the intent is to address the changes in the technological environment, this deferment to existing legislation should not be included in the bill or its intent. Instead, the bill should be tempered to say that any conflicts with existing legislation will be dealt with on a case by case basis. I realise that this is perhaps too nebulous, but I also feel that defaulting to existing legislation is very short sighted.
5) DEFINITION OF MEDIA AND EXEMPTIONS: 'Media' is dealt with too generally in the definitions, although the clause in the body of the bill limits to journalistic publication as an exemption in the public interest. I think there needs to be explicit differentiation between journalism and the business of media/communications. Otherwise we'll get editorial stances and CEO stances that they are exempt from this legislation by virtue of being a member of the class: media. It would be better as ‘professional journalists’ rather than the broader term ‘media’ in the explanatory material, and explicit non-exemption for the media business enterprises themselves.
6) DISCRIMINATION FOR WITHHOLDING INFORMATION: I think a major lack in the bill is the silence on consequences of denial of service for people who refuse to provide information requested by groups in insurance, employment, benefits. The principles say that information must not be collected that cannot be justified as needed for the task at hand. But who makes that justification argument? There is no provision for if one chooses not to provide certain information that the collector has decided is necessary. I, as an individual, may disagree with that justification or may have personal circumstances that are not understood by the collector. I should not be penalised or discriminated against because I choose to withhold that information. There should be a process by which I can challenge collection by anyone, including a government agency.
7) PUBLISHED INFORMATION EXEMPTIONS: There is confusion in the bill about what can or cannot be done with information readily available in the public arena such as telephone directories, public registers, etc. and interaction of uses with exempted cover. For example, if someone's details appear in a news story because of journalistic exemption, what can be done with that info by someone else? Secondary use provisions may cover these as breaches, but the current language is unclear in that regard.
8) LOSS OF CONTROL AND WITHDRAWAL OF PERMISSION: Secondary uses and loss of control of legally acquired information are not clear. For example, rental agencies that collect information may legally do other things with it if permission is received from the person from whom the information was received. There is nothing in the principles or this bill that states what happens with the relationship after that, other than an attempt to let the individual know how the secondary user got the info in the first place. I'm concerned about loss of control and the inability to correct details or retract permission, for example, if a spouse becomes abusive after the permission was given to a vendor to have an address and release it to others. I believe there should be provision for later action and retraction of permission based on changes in circumstances and that choice should be in the hands of the individual.
9) LAW ENFORCEMENT ABUSE: Law enforcement provisions are still too broad. They essentially have far reaching exemptions for too many things. Given the information collection scandal and spying on activists that was revealed recently in Victoria and the disregard for court orders to destroy the information, this is a major issue. I don't trust law enforcement agencies to always do the right thing. They have broken trust too recently to be afforded this level of exemption status.
10) CONFLICTING MULTIPLE CODES: This bill and its provision for codes does not address the problem of overlapping groups, for example the ADMA/ATA issue currently encountered by the ACCC. What if a person or company belongs to both organisations? Which code is valid for that group or person if those codes conflict as they most likely will in this example? Must each person in direct marketing in the example declare in advance which code they adhere to? How is that to be registered? We must all declare our Code Allegiances? What about workers in an organisation, such as casual staff in a doctor’s office. Are they expected to adhere to the AMA code? The Office Worker’s code? Do they even know there IS any code at all? At least with a legal requirement that is across the board, the issue of competing codes would be eliminated. This is still a problem in the Victorian approach.
11) DUE PROCESS AND TORT ACTION: The chain of complaint is very administrative with stops at particular points along the way with little recourse. My question is 'can I sue if the complaint is strong enough and the system breaks before a resolution?' Can I have my day in court or will this be handled like the Work Cover where those options are denied by the law? If the latter is the interpretation, I strongly disagree with this position, particularly in light of the dual coverage of private and public sector for this legislation. The right to be heard in a court of law should not be overtaken by administrative procedures, despite the recent decision on the part of the current Victorian government with regard to Work Cover problems. Decisions by impartial jurists or juries are something that must be made available, particularly in the case of a self-interested relationship of the parties making decisions, such as public sector commissioners who stand in their positions at the will of governments.
12) PUBLIC REGISTER ABUSE: Public register on-selling is to be denied in this bill. But there is still some confusion over the handling of this and the matter is being devolved to departmental control. Access and monitoring needs a system so that those who have been using public registers are using them within the confines of this new bill. In relation to this, the use of public registers must be strictly monitored and staff training is imperative. A recent example is of a friend who was harassed as a result of a council staffer releasing address and phone number from the cat register because the caller thought the cat wasn’t being fed. This resulted in a series of abusive phone calls and threats by the party, who appeared to have a drinking problem indicating a lack of personal control. And all this was because of a cat! What if the issue was because of child custody? The stakes are much higher and the emotions much deeper in the latter, and yet the cat register could be a way to find and attack a person whose whereabouts need to be protected from general knowledge.
13) EMPLOYEE INFORMATION: Employee information appears to be covered by the Victorian bill and is listed as exempt in the Commonwealth discussions to date. This needs to continue to be covered in Victoria and should not be taken out when/if a Commonwealth bill is passed. The latest example of the release of names of nurses in a Freedom of Information filing by a convicted criminal is one that illustrates the danger of not including employee data in the regime.
14) FREEDOM OF INFORMATION INTERACTIONS: Interaction with FOI needs to be better addressed. It's in the bill, s.5.2, but if FOI changes as there is talk about in Victoria, there needs to be some definition/clarification in this bill in processes used. For example, if an FOI is filed, then details considered under personal information must be cleared for release by the persons involved unless the issue is one of criminality or suspicion of harm to the person filing. It must be thoughtful, not just defaulted 'OK'. This is an area where the public/private sector issue gets confused.
15) CONFLICTS WITH DEPARTMENT OF JUSTICE: According to bill drafters, employer invasion and observation of employees is being handled by the Department Of Justice. The presenters of the Data Protection bill have agreed to that and are trying to advise Department Of Justice. I believe that the Data Protection bill should incorporate language dealing with protection of personal communication as part of personal information. If opinion, evaluation, and factual information is my own words that have not been provided for publication as stated in the definition of ‘personal information’ in the bill, then employers have no standing to observe or restrict that communication or to use it for any purpose without my express permission. The conflict between the stance of the Department Of Justice and the Data Protection bill may be large.
16) UNANTICIPATED USES: New types of personal information should be raised or accounted for in the bill and the implications of that collection - DNA and personal images are examples. Recent press stories have shown the power of DNA information [witness the troubles of the President of the United States], and new products are being promoted to use drivers license images as an identification system in retail outlets. Since the purpose for collecting that information is undoubtedly not to do paternity tests or to approve cheques in a store, these uses should be disallowed and expressly so in this legislation. However, since law enforcement are insisting on collecting the DNA information when someone has not been proven to be guilty of a crime and the drivers license image has been with us for quite some time, we must be sure that this legislation is written to disallow this abuse of personal information. I’m not convinced that these forms and new uses have been taken into account.
17) PENALTIES DIFFERENTIATION IN PRIVATE AND PUBLIC SECTOR BREACHES: Penalties for public agency breaches need to be different from the private penalties. Private penalties for extreme breaches or for multiple breaches can be determined by the privacy commissioner and can be up to $300,000. This is a silly penalty regime for public agency/government breaches. They just 'rob Peter to pay Paul'. An alternative is criminal penalties, but that does seem a bit harsh. Since this is a public sector issue, removal from office in the case of an elected official or dismissal from employment in the case of a public servant given the severity of the breach or the multiple nature is more in line with the sanctions that should result.
18) MISSING TECHNOLOGY PROTECTION SUPPORT: Data encryption isn't addressed; back door access breaches via law enforcement requirements to access into computer systems or via telecommunications hubs aren't addressed. 'Protection' is defined very narrowly if these aren't addressed in a bill that is to deal with the changing technologies and support online commercial activity.
19) REVENUE VALUED OVER HUMAN RIGHTS: I don't like and never have liked the 'public purse' over 'personal liberty' structure in the principles. 'Revenue' is seen as so sacrosanct over the citizen/resident that it's morally reprehensible. Minister, sometimes you must put the human value above the money. People’s lives are more important than money. The exemptions for threat to revenue circumstances put far too much privilege in the hands of government in relation to the damage that could be caused by this exemption for the individual involved. Does it make sense to use exemptive powers to locate a single mother on a pension for missing tax payments, who is in hiding because her alcoholic ex-husband is determined to destroy her and her children? I say it is a wrong set of values that the state should never ever employ. And yet this legislative stance would allow just that.
20) MIXING DATA SETS: The bill is silent on interaction of media or cross-over uses of information. One relevant example that comes to mind is the internet white pages combined with a street map to not only show you my phone details but physically how to get to me. In a recent community consultation meeting, when this was raised in terms of address publishing generally, the bill’s representatives had a wrong idea that one could put a PO Box as a small business sole trader. However, I recently had to renew my certificate and the Office of Fair Trading requires a physical address or the registration isn't approved. This is an example of the result of the stance of deferment to current legislation and government practices, and how the extended technical capabilities are mismatched in result for the individual.
21) NATIONAL PRIVACY PRINCIPLE RELIANCE: The reliance on the IPP as developed through the National Privacy Commissioner over the past couple of years and still being revised leaves this bill open for interpretation problems and changes. I don’t have a solution for this as one of the difficulties with codification into law is this issue of changes in public opinion and need. Perhaps this could be addressed in the legislation with a bi-annual review clause that requires minor adjustments until the issue of privacy protection has had a chance to settle into the community norms. Most people assume today that their privacy is protected, even though we know that not to be the case in Australia. Including a review procedure would require a continuing periodic look at the functioning of this legislation over its initial implementation period.