Submission
25 August 2002
Privacy and Collection of Publicly Available Personal Information
Submission to the Office of the Federal Privacy Commissioner [OFPC] in response to the OFPC Consultation Paper for Information Sheet: Privacy and Collection of Publicly Available Personal Information.
In EFA's view, the key issue to address in the information sheet is the neutrality and consistency of all measures under the Privacy Act as amended. Particularly, this refers to:
- Neutrality around technology, treating electronic and "hard copy" sources the same;
- Neutrality around form, treating "fixed" documents and "variable" documents the same;
- Consistency around type of public source, treating "public registers" and "generally available publications" the same.
Specific comments on the Consultation Paper follow:
In Point 9 under "Meaning of Publicly Available Personal Information," it states that "The term 'publicly available personal information' might include information in some, but not necessarily all, public registers depending on how publicly available they are and whether they are published or not."
It is unclear in this instance what the intended meaning of "published" is.
In Point 10, while the neutrality inherent in the phrase "however published" is important, we feel it is worthwhile specifically including reference to electronic publication, and the Internet, to ensure clarity for the many people who will read the Information Sheet in the context of the practices surrounding unsolicited e-mail.
We recommend the following sentence be added at the end of point 10: "This includes information published both through traditional methods, as well as by electronic means including on the Internet." as suggested in our response to the November 2001 draft.
Point 16 and many sections throughout the consultation paper (such as 27 and 37) appear to be putting in place the framework for businesses to easily argue that the cost of applying the NPPs to publicly available information is too high, and as a result there are "other social interests," being the protection of jobs and business livelihood.
While the policy discussion in points 1 to 16 is valuable, it is not apparent whether this discussion will add any clarity to the application of the NPPs to publicly available information. Given the intention of the Information Sheet is to be "advisory," it seems likely that this policy discussion will serve only to complicate and confuse the content of the document, and establish a situation of conflict between consumer and business where policy beliefs differ.
We remain of the view, as stated in our open letter of 31 October 2001, and our reply to the initial draft Information Sheet on this topic, that in acquiescing to the demands of various business lobby groups, the Commissioner's office is likely to fail, not only citizens, but also many businesses who seek clear guidance on compliance with the law so as to avoid the potential for complaints and/or genuinely wish to undertake best practice in protecting their customers' privacy.
NPP 1.2 Fair and Lawful Collection
EFA considers it important to include a provision for situations where individuals have made it clear in providing information to a public source that they do not wish personal information about them to be used for particular purposes (or for any purpose other than the purpose of the public source). It is unfair collection if an organisation nonetheless collects it and uses it for those purposes.
Similarly, collection should be considered unfair if the publisher or distributor of the information has made it clear that the information is only to be used for particular purposes and an organisation collects the information to use it for other purposes.
EFA agrees with the Commissioner's view as stated in point 23, that "the law should, unless there is a very strong public interest reason, restrict the collection from, and use of, personal information on a public register to the public purposes for which the register is set up and for which the information is made public."
Collection of personal information from a public register such as the Electoral Roll for marketing purposes, or any other purpose not relevant to the purpose of the Electoral Roll, is an unfair means of collecting personal information because individuals did not have the option to decline to provide their information (other than to fail to comply with the law). Since individuals clearly did not voluntarily consent to provide their information in the first place, indirect collection from these sources is clearly unfair.
Point 26 states:
"The case that collection in these circumstances would be unfair might be most strong where the information involved is personal information that people might be more worried about (for example, date of birth or financial information) or the use made of the information would have a major impact on an individual's life."
EFA strongly objects to the interpretation of the Act contained in the phrase "personal information that people might be more worried about". This suggests, contrary to the definition of "personal information" in the Act, that there are two classes of personal information: that which "people" might be "worried about" and that which "people" might not be. The phrase also fails to recognise that the Act and NPPs refer to "individuals" not "people". The Act does not limit the rights afforded to individuals to control collection and use of personal information about them to information that someone else thinks "people" might be worried about.
Whether a collection practice is fair should not be determined by the type of personal information nor someone else's perceptions as to what "people" might be "worried about". The pitfalls of such an approach are demonstrated in the draft information sheet itself. Point 26 purports that "people" might be more worried about "date of birth or financial information". This perception is not in accord with the results of research undertaken for the OFPC in 2001. The research found that the number of people concerned about health/medical information, phone number and home address was at least double the number concerned about date of birth. The level of concern about genetic information and email address was also higher than that about date of birth. The research also showed that the average level of concern people have about various types of personal information varies between groups of people in different age, gender, education level and/or income brackets.
Furthermore, the type of personal information specifically recorded in publicly available sources is not of itself relevant to whether collection of that information is fair. Most public registers and certainly those identified in the Consultation Paper (being the Electoral Roll, share registers, land title registers, and others created under the Corporations Act) will always contain information additional to names, addresses, and phone numbers. However, the mere presence of an individual's name on certain registers (such as share registers) provides implied information concerning the individual's financial circumstances. EFA can see few, if any, situations where the use of information on these registers, for any purpose other than the purpose of initial collection, would not be blatantly unfair and against the spirit of the NPPs.
EFA recommends Point 26 be deleted. If it is included in the final information paper, EFA considers the OFPC's slogan launched in relation to the extension of the Act to the private sector "My Privacy, My Choice" should be changed to "My Privacy, Businesses' Choice".
Point 27 states:
"On the other hand, restricting the collection of this kind of information on the grounds that it is unfair might be considered to unduly restrict business activity and might have a major impact on business costs. For example, The Office understands that a significant percentage of direct marketing in Australia is customer acquisition activity based on the use of public data sources. Based on CEASA figures the Office has been advised that if access to these data sources was restricted, media spending would decline by at least $2.43 Billion, and that employment would decline by 114,000 jobs.1. ..."
EFA strongly objects to the inclusion of "statistical" figures provided by an industry body with an obvious self-interest in their inclusion, particularly given that details of the research methodology and context of the statistics are not readily available for public scrutiny.
EFA recommends that these "statistics" be deleted from the information sheet. However, if these are to be included in the final release of the information sheet, EFA recommends that Point 27 be amended to include the following:
(a) statistics on Australian people's concerns about collection and use of their personal information without their consent for direct marketing, such as the results of the OFPC research conducted in 2001 which found that: 91% thought that businesses should have to ask permission before using people's personal information for marketing purposes; 70% were against the use of the electoral roll for marketing purposes; and 55% were concerned about how organisations (whom they had never dealt with before) obtained their name and address to send them unsolicited marketing information.
(b) the full name of "CEASA" (i.e. not an acronym). There are at least two organisations that use the acronym "CEASA". These are the "Council of Education Associations of South Australia Incorporated (CEASA)" (http://www.ceasa.asn.au/) and the "Commercial Economic Advisory Service of Australia (CEASA)" (http://www.hotkey.net.au/~ceasa/). We assume the latter is the organisation referred to in the draft information sheet.
(c) the name of the document that contains the "CEASA figures". We assume this is a CEASA report titled "Direct Marketing in Australia", an annual survey report which can be purchased from CEASA at a cost of $440. (http://www.hotkey.net.au/~ceasa/d-marketing.html)
(d) the source of the "CEASA figures" referred to in Point 27. If the report is that referred to in (c) above, it appears the figures are probably not "CEASA figures" but figures provided by the Australian Direct Marketing Association (ADMA), and/or its members, to CEASA. The CEASA web site states the report "was prepared in co-operation with the Australian Direct Marketing Association". ADMA's involvement should be stated in the relevant paragraph. (http://www.hotkey.net.au/~ceasa/d-marketing.html)
(e) what is meant by the term "media spending" as used in "if access to these data sources was restricted, media spending would decline by at least $2.43 Billion". Based on information on the CEASA web site and on newspaper reports concerning the CEASA report, it appears a more accurate statement is likely to be "if access to these data sources was restricted, expenditure on advertising by direct marketing would decline by at least $2.43 Billion". If this is so, the claim in Point 27 that "restricting the collection of this kind of information on the grounds that it is unfair...might have a major impact on business costs" should be deleted or amended. The statistics provided in an apparent attempt to suggest business costs would increase indicate business costs would decrease if businesses did not direct market to individuals who have not consented to collection and use of their personal information from public sources for direct marketing purposes.
(f) the context of the alleged "decline by at least $2.43 Billion" relative to pre-existing expenditure levels. It appears the $2.43 Billion would represent a 15% decrease from the $16 Billion spent on advertising by direct marketing in 2001, which had risen from $5 Billion in 1995 and reportedly CEASA expected growth to continue at a rate of 15% per annum. (http://www.auspaytv.com/news/feb02a/2304.htm, and http://www.corp.china.com/news/000216.htm)
(g) details concerning how the figure of $2.43 Billion was calculated.
Point 27 also states:
"It might also inhibit business planning, the ability of charities to fundraise, the ability of businesses to verify the identity and address of individuals applying for finance or other services and the ability of organisations to keep their mailing lists accurate and up to date in line with people's expectations."
The reference to "people's expectations" that an organisation will use publicly available information to update their mailing lists is ludicrous. There is not a consumer in the country that expects that changing their address on the electoral roll (for example) will flow through to an address change on their direct-mail pyjama catalogue.
The claim that businesses might be inhibited in their ability "to verify the identity and address of individuals applying for finance and other services" is nonsense. When an individual has applied for finance or other services, the business can ask the individual for consent to collect personal information about them from whatever source the business considers relevant. When an individual voluntarily consents to a business collecting personal information about them from a publicly available source, such collection is not unfair.
EFA is of the opinion that if businesses are relying on publicly available personal information for business purposes such as this, they are simply being lazy in their relationships with their customers.
With regard to the reference in Point 27 to "business planning", it is not clear why personal information as opposed to summary, de-identified, or statistical information would be necessary.
The suggestion in Point 28 of restricting 'fair use' of public registers to "the purpose for which the register is established and for which the information is made public," is a very valid one, and one with which EFA agrees. However in the implementation of this, the consultation paper states that "this would only apply where the purposes were formally outlined." Such a position would surely require a corresponding requirement for public registers to make formal statements of purpose, or for a default standing of any collection being unfair unless the formal purpose states otherwise.
In our view, there is no logical justification for special treatment for 'public registers'. Such collections should be subject to the same principles as any other collection of personal data. The particularities of their operations and accessibility should, of course, be reflected in the ways in which the National Privacy Principles are interpreted and applied, just as occurs with every other collection of personal data. The public interest is in their use being constrained according to the purposes of collection.
NPP 1.4 Collecting Directly from the Individual
Points 36-38 appear to be setting the stage for easy avoidance of any privacy obligations surrounding publicly available information. The statements are that:
- Some people might argue that where information is publicly available, it will never, or rarely, be reasonable or practicable to collect that information directly from the individual.
- However, what is reasonable or practicable is a matter of balancing a number of considerations. The suggested possible factors outlined in the Guidelines are:
  - ...
  - the cost to an organisation of collecting directly or indirectly;
  - what is accepted practice (by the consumer and the industry).
  - ...
- With the advent of new technology, including electronic databases published on the internet, or information sold on CDs, the reasonableness or practicability of direct collection may become increasingly less as the cost of indirect collection reduces and the convenience to business of indirect collection using these publicly available sources rises.
In this context, anything other than a solid statement from the OFPC of the protection provided by the privacy legislation to publicly available information, will be undermined by the inherent "reasonableness" businesses will see in their actions, however fair or otherwise.
It would be naïve to argue that there is no "business efficiency" interest in having indirect collection. It is obviously considerably "easier" to purchase a CD of 1,000,000 records than to doorknock or seek an "opt-in." This issue must be approached from the perspective of a consumer's right to privacy and the protection of their personal information being the main priority.
EFA believes that publicly available information sources should make available information on the extent of pillaging of that information by direct marketers and other businesses, to enable consumers to make an informed choice about the provision of their personal information. As previously identified, in the instance where the provision of personal information is mandated by law or regulation, there must be protection of that information to both ensure individual privacy, and maintain the integrity of the registers.
As identified by Roger Clarke (see http://www.anu.edu.au/people/Roger.Clarke/DV/PublicRegisters.html), appropriate controls for public registers are as follows:
- the purposes of each public register should be stated, either in legislation or in a formal document prepared by the administering organisation. This should be publicly available, and subject to consultation with relevant agencies, corporations and their industry associations, privacy regulatory agencies, privacy advocacy and consumer advocacy groups, and other interested parties;
- "statutes establishing registers [should] expressly state, and make publicly available, the purposes for which the register can be searched" (Stewart 1995b, p.197);
- "statutes establishing registers [should] expressly ... limit the use of the register for other unrelated or incompatible uses" (Stewart 1995b, p.197);
- the organisation administering the register should implement:
  - such security measures as are reasonable in the circumstances, to permit access only where the person's purposes are consistent with purpose of the data collection (or, alternatively, the consent, legal authority or emergency provisions apply); and
  - logging of accesses, in order that cases of possibly wrongful access can be investigated;
- a person that misrepresents their purpose in order to gain access to data should be clearly acting wrongfully, and should be subject to sanctions;
- provision should be made for individuals to enforce suppression of data about themselves, where they can show reasonable grounds for having fears for the safety or wellbeing of themselves or others.
NPP 1.5 Notice when collecting publicly available personal information
It is crucial that the OFPC make a specific statement rather than a "discussion" around the issue of "someone" versus "something." The suggestion that a narrow interpretation may exist, causing the Act to apply only to publicly available information collected from "someone else" would render the entire publicly available information debate meaningless.
Such a narrow interpretation implies that NPP 1.5 does not apply to any information collected in print form rather than verbally. If Organisation A provides a printed document containing a list of names and addresses to Organisation B, has Organisation B collected the information from "someone" (Organisation A) or from "something" (the printed list)? The Explanatory Memorandum (EM) to the Bill states at Para 143 that "The Act applies to personal information being collected by an organisation if the organisation collects it for inclusion in a 'record' or 'generally available publication'." (emphasis in EM). There is no indication to suggest that NPP 1.5 was only intended to apply to collection of information by verbal means. This must be stated clearly and forcefully to avoid any "convenient" interpretation of the Act by those with an inclination to find loopholes.
An example provided by the OFPC for where it is "reasonable" for an organisation to take no steps when collecting publicly available personal information from a public register, if the organisation is collecting the information for a purpose that is consistent with the original purpose of collection, is where an organisation "uses the ATO's ABN register to collect personal information for purposes related to the business purposes of the register."
We understand that it is necessary to reference the register maintained by the ATO. It is not clear, however, why an organisation would have a requirement to "collect personal information" in such a situation. EFA understands and appreciates the business need to obtain information from public registers in the course of business operations, but we have not seen demonstrated reasons as to why this would necessitate businesses compiling their own records of such personal information. Where such collection of personal information occurs, individuals would have a reasonable expectation that they would be contacted to validate and verify the details on the register. The very purpose of these registers existing is to maintain up-to-date information, and by organisations taking information from these registers to build their own databases, they can only cause the information to degrade.
Regarding Point 49, on the provision of NPP 1.3 information in the privacy statement available under NPP 5.1, it is also important in this situation to make available NPP 6 details regarding access and correction. Where an organisation collects and maintains a database of records containing personal information, an individual's right to access and correct that information should be maintained as for all other information.