Annual Report 1999 - 2000
Privacy
Statement of the Privacy Commissioner
I have pleasure in presenting the twelfth Annual Report on the operations of the Privacy Act 1988 for the year 1999-2000. The year past has been a challenging and productive year for the Office.
In our modern democratic society our individual privacy is an issue that is taken for granted. However, the year that has just past has seen a re-emergence of privacy as a key issue for the community. Much has happened that has re-kindled the privacy debate including issues such as the establishment of large databases of personal information in the private sector, whether criminal record information should be published on the Internet, the use of public register information by government, the way in which forensic DNA information should be collected, matched and stored and the publication of a "first draft" of the human genome.
Privacy is clearly perceived by Australians as a fundamental human right, and a right we are eager to preserve in a rapidly changing global environment. As always, the challenge in the debate is to balance this important human right with our rights and responsibilities as members of a civil society; that is, the right to privacy must be balanced against factors such as the need to maintain a free flow of information through the media and elsewhere and the importance of ensuring government and business are able to achieve their objectives in an efficient way.
A significant development in Australia has been the introduction to Parliament of the Privacy Amendment (Private Sector) Bill 2000 (the Bill). Over the last year the Office contributed to the development of the Bill in a number of ways, including providing several key submissions on its development. The last of these submissions during the year was to the House of Representatives Legal and Constitutional Committee, which reviewed the Bill at the request of the Attorney-General.
In that submission I welcomed the Government's move to extend privacy legislation to the private sector by introducing the Bill. This is an important development for the community, as it would introduce privacy law for the private sector and establish a framework to protect personal information held by private sector organisations. This is particularly relevant today with the rapid growth in Australian and Global organisations' utilisation of information handling technologies. There is ample evidence to show that all consumers expect to have control over their personal information and to be able to protect their privacy with minimum inconvenience. Without this control, consumers are unlikely to be willing to participate fully in the developing information economy.
As stated in my submission to the Committee, I believe that the fundamental approach presented in the Bill is sound. However, the Bill also contained a number of exemptions that I believe need careful consideration by Parliament so that the appropriate balance is achieved for the community.
Of these, the exemption for political organisations is of particular concern. If we are to have a community that fully respects the principles of privacy and the political institutions that support them, then these institutions themselves must adopt the principles and practices they seek to require of others. The challenges faced by politicians in appropriately respecting individual privacy are no different than those faced every day by many other professions, including the health professions. I firmly believe that political organisations should follow the same practices and principles that are required in the wider community.
In the submission, I also drew attention to the issues raised by other exemptions. The Committee sought to address these concerns in many of its recommendations. Clearly, the challenge now put to the Parliament is to reach a balance that reflects community expectations. I will look forward to contributing to that debate in the year ahead. Chapter 2 deals with the Bill at greater length.
While the Office has been focusing on these new developments, it has also continued to work on improving compliance with the current legislation. These current responsibilities have also raised new challenges. Many of these are questions arising from new uses of information enabled by new technologies, including the Internet and data mining. The involvement of the Office in assessing the privacy implications of the new taxation system resulted in decisions to change the new tax legislation so that information provided by people for the purpose of obtaining an Australian Business Number would be better protected. Similarly, the Office investigated the provision of an electronic copy of the electoral roll, by the Australian Electoral Commission, to the Australian Taxation Office for mail-out purposes. Recent public debate indicates that the community is apprehensive about the use of public registers, including the electorate roll, for purposes other than the purpose of collection. This is particularly so when there is some compulsion to provide information to the government for these registers.
Similar community concerns were expressed following the launch of commercial on-line databases that made personal information, such as convictions and debt, publicly available. While the Office's jurisdictional involvement with such databases was from a credit reporting perspective, I have expressed my general concern about the use they are making of sensitive information collected from court reports and other publicly available information. This again raises the question of how the community expects publicly available information to be used. The Office intends to undertake some research into this area in the year ahead.
Debate about privacy on-line for Australians using the Internet has escalated in the past year. Questions have arisen with respect to appropriate behaviour for businesses operating online, consumers seeking to transact and preserve the privacy of their personal information online, and employers and employees trying to work out rights and responsibilities in relation to e-mail protocols. The Office has worked consistently on these issues, building on the Guidelines on Web Browsing and Privacy released in 1998-1999, by developing Guidelines on Workplace E-mail, Web browsing and Privacy in 1999-2000. The guidelines were launched by the Attorney-General in March 2000. These guidelines advocate building an environment of trust between employers and employees and were the most frequently downloaded item from the Office website in 1999-2000.
Personal health information can be intensely intimate information about the fundamentals of an individual's life. Its misuse can also cause great harm. For these reasons alone, it is very important to protect this information appropriately and to ensure that people have a reasonable level of control over their health information. With public debate increasingly focusing on Health Providers' management of information, the government has been concerned to review mechanisms that can be used to protect such information while at the same time ensuring that health consumers have access to services made possible through powerful new technologies. At the Attorney-General's request, I provided advice on the appropriateness of the National Privacy Principles [1] as a tool to protect personal health information. This advice was based on broad consultation with key health organisations and has been addressed in the development of the current amendments to the Privacy Act 1988.
Given the range of work that the Office is undertaking both in our current jurisdiction and with the development of the private sector legislation we need to ensure that our efforts are well focused. To that end, over the last year the Office undertook a significant strategic planning process designed to prepare us for our extended role.
The Attorney-General launched the Office's strategic plan in March 2000. The Plan commits the Office to achieve results in the key areas of:
- establishment of the Privacy Connections network that will support organisations and individuals in the development and implementation of privacy solutions;
- development of a comprehensive understanding of current community perceptions of privacy to ensure the solutions we develop are meeting the needs of our clients;
- ensuring that strategic themes are reflected in the job roles of everybody in the Office; and
- ensuring that the Office is ready and prepared to implement the new legislation.
Even though the plan was only launched in April 2000, the key result area relating to the roles and skills of the Office is now completed. With this fundamental strategy complete, work on the remaining strategies has already commenced. This preparatory work meets a commitment made in last year's annual report.
With all that is happening within Australia it is important that we do not lose sight of what is happening internationally. Clearly, the increasing awareness and concern within the Australian community of privacy issues reflects similar developments elsewhere.
In 1995, the European Union (EU) passed a directive[2] that restricts the transfer of personal information from member countries to other countries unless adequate privacy safeguards are in place. In part, the government's private sector privacy legislation aims to provide those safeguards for Australian companies, ensuring Australian access to international markets.
It has been very interesting to watch the United States of America move from a self-regulatory environment to one potentially covered by a great deal of privacy law. Consumer reaction to privacy intrusions by a number of key online organisations, for example, Double-Click, and the sale of personal information held by failed Internet companies has placed the issue firmly on the agenda. The US Federal Trade Commission has called on the American Congress to enact new laws regarding online privacy. This represents a significant change of emphasis, and privacy has become an election issue in the USA.
Seeking an answer to the EU Directive in a currently unregulated environment, the US Government entered into "Safe Harbor" discussions with the EU. Once negotiations are complete, US companies that meet "Safe Harbor" requirements for protecting information would be granted the right to transfer and use data on European citizens.
The 21st International Data Protection Commissioners' Meeting held in Hong Kong in September 1999, saw online privacy assurance programs as a key issue, and established a working group (of which I am a member) to consider the effectiveness of such programs in promoting good privacy practice. We will deliver a report on the project to the 22nd meeting in Venice in September 2000.
Looking Ahead 2000-2001
I believe that the next twelve months will see the community focus even more on the privacy issue. The Office will focus on the development of privacy schemes for the private sector, and also continue our work in supporting privacy rights and responsibilities in relation to Federal Agencies, Credit Reporting Agencies, and users of Tax File Numbers. The Office is also likely to contribute significantly to the appropriate protection of health information stored electronically.
The Strategic Plan will guide the Office throughout the year. It will continue to evolve and as we implement the strategies the Office will focus on the subsequent key results to be achieved for the years ahead. With the passing of the Privacy Amendment (Private Sector) Bill 2000, I anticipate that a key strategy will develop in relation to a communication program to inform Australians of their privacy rights and responsibilities, and the role the Office can play in developing privacy solutions.
For next year, however, the Office will focus on developing the Privacy Connections network into a vibrant resource, and improving our appreciation of community perceptions of privacy, and best practice privacy solutions.
I would like to note that 1 July 2000 marks the formal commencement of our Office as the new Office of the Federal Privacy Commissioner. The formal separation of the Office from the Human Rights and Equal Opportunity Commission is based on sound administrative principles and will ensure that the Office can give best effect to the proposed private sector legislation. We acknowledge the significance of our relationship with the Commission and the importance this has played in recognition of privacy as a fundamental human right.
[1] The National Privacy Principles are as set out in the Privacy Amendment (Private Sector) Bill 2000, and are developed from the National Principles for the Fair Handling of Personal Information as issued by the Office in 1999.
[2] 1995 European Union Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, issued 24 October 1995.
Last updated 1 December 2001.
