The Australian Consumers’ Association (ACA) is a not-for-profit,
non-party-political organisation established in 1959 to provide consumers
with information and advice on goods, services, health and personal
finances, and to help maintain and enhance the quality of life for
consumers. Independent from government and industry, the ACA lobbies and
campaigns on behalf of consumers to advance their interests.
The ACA has long advocated and anticipated legislative privacy
protection for Australian consumers – we regard such legislation as a
necessity. We consider that the Privacy Amendment (Private Sector) Bill
2000 makes a good start in defining the principles that should govern the
regulation of the collection and use of personal information in Australia.
However, we feel that the framework for the operation of privacy
protection that is established has flaws that will undermine the good
intentions of the Bill. The self-regulatory regime is not defined as a
co-regulatory model capped by an Authority with real power, serviced by a
complaints office of last resort, but rather as a weak default system and
fractured self-regulation.
We also have a number of concerns with the details of the Bill as it
relates to Internet use and make specific recommendations for its
improvement from the consumers’ perspective, which are summarised below.
We feel that from an initial goal of simple legislation meshed with a
self-regulatory regime, the shape of the Bill embodies considerable
complexity based in legislative exception and definition, which will
ultimately make the operation of privacy protection opaque and uncertain.
In its current form it will fail to adequately protect the privacy of
individuals.
The Framework
The ACA does not object, in principle, to the self-regulatory approach
to the protection of privacy in Australia. However, we recommend three
changes to the framework of the Bill:
1. That the Bill be amended to provide penalties which apply to serious
breaches. There is no enforcement authority to monitor the operation of
the self-regulatory system. In the event of self-regulatory failure, such
an authority should be able to take action, both to redress offences
against individuals and to issue credible penalties against industry
players.
2. That the Bill be amended to provide a mechanism by which decisions
of industry Code Authorities can be appealed to the Privacy Commissioner,
and that his findings become precedents for other Code Authorities. At the
least a system of review under which the Privacy Commissioner can issue
binding interpretation should be provided. In the absence of such an
appeal process, it is our concern that interpretations of what is
reasonable, impracticable, practicable, serious and imminent, frivolous,
excessive, related, etc. will come to be treated in different ways by
different Code Authorities. This will in all likelihood produce what might
be termed "privacy silos", where the experience of privacy protection
for a consumer will vary from sector to sector, and even within sectors as
different industry associations create Privacy Codes.
3. The Commissioner should be empowered, and indeed required, to
undertake self-directed research, and their own motion investigations and
audits, extending across the full range of code administration schemes,
not just the default scheme. The Commissioner’s powers to approve, audit
and discipline recalcitrant players are uncertain in the Bill.
4. ACA has serious concerns relating to health provisions in the Bill.
As currently stated in the provisions, the consumer’s right of access to
their health records is substantially undermined by the range of
"exceptions" that can be used to deny access to health records. The
right of access in this Bill is substantially weaker than that under
legislation that gives consumers a right of access to public sector health
records.
It is important that all health records have consistent rules with
regard to access and the right to correct incorrect details. Our
recommendation is that either the health provisions be removed from this
Bill and dealt with under a separate code or health be dealt with as an
enforceable code directly supervised by the Privacy Commissioner.
Definitions
A number of terms used in the Bill are critical to the successful
operation of privacy protection but are undefined. The Bill needs to deal
with them explicitly.
Use
We recommend that Use of personal information be defined as any
operation or set of operations performed on personal data including
collection, recording, organisation, storage, adaptation or alteration,
retrieval, consultation, use, disclosure by transmission, dissemination or
otherwise making available, alignment or combination, blocking, erasure or
destruction, including but not limited to the participation of that
information in a decision to do or to omit to do an act, and the
utilisation of that information in any act. This is particularly relevant
where conditions on ‘use’ are the primary safeguard for the sharing of
data across organisational boundaries. Is it a use of information simply
to store it, in other words to possess it? Does reading or browsing a
record imply use of it, or is it only when action results that use
eventuates? What crystallises use?
Purpose
We recommend that Purpose be defined to ensure that information
applicable to an individual that has been derived from personal
information collected from the individual is protected to the same degree
in terms of purpose and the operation of the other Non-Primary Purposes.
Does the purpose of information change if it is computer-processed in some
way? For example, if purchasing records are correlated to infer
information about the health status of an individual, what is the purpose
of the information derived?
Collection
We recommend that Collection be defined to include update and
correction of data items as well as original de novo collection, and that
the insertion of one item in a dataset (defined as the set of data records
related to a particular individual in an organisation) should be deemed to
have been a collection. Is data collected if it is derived by means of a
correlation or inference from other data held by an organisation? Has data
that has been updated or corrected been collected? If so, are only the
data items so processed collected, or does the whole record (undefined)
inherit this property? Indeed, do related records (the record set)
pertaining to the individual also inherit the collection at this point?
Does the process of updating a data item move it into the privacy regime
or not, that is, is it then collected after the operation of the section?
For the same reasons, the terms Disclose, Consent, and Store should be
given a defined meaning in the Bill.
DNA information
DNA information should not be assumed to be privacy-sensitive and
potentially commercially useful only in the context of health. As an
additional item of definition, we feel it should be included as sensitive
information in its own right.
Related bodies corporate
We recommend that an explicit test of
consumers’ expectation or a test of related or similar business
activities be used to limit the reach of organisations within which
information can be freely disclosed. The effective extension of
organisations to include entities related as defined under Corporations
Law makes effective protection of consumers’ rights to opt out of
information sharing impossible. It is also presumable that the broad
definition cuts two ways, and "a request to the organisation not to
receive direct marketing communications" will be required to be
honoured throughout large corporate webs.
Small Business Exemption
We recommend that the exemptions for small business should be removed
from the Bill. The proposed definition of small business as a business
with an annual turnover of $3,000,000 or less in a nominated test month
will make it hard for a consumer to judge whether a business should be
meeting privacy standards or not. The ACA considers that a positive
obligation on all business to observe proper privacy practice is more
effective.
Political Parties
We recommend that the exemption for political parties should be refined
to reflect actual concerns related to possible infringements on democratic
processes. The ACA is sensitive to the needs for democratic processes to
be protected. However, it would set a double standard for political
parties to be granted a global and sweeping exemption. Political parties
should set a best-practice example in the management of personal
information gathered from constituents.
Application of National Privacy Principles
We recommend that National Privacy Principles 2 (Use and Disclosure)
and 6 (Access and Correction) be applied to existing data, although
perhaps only after a phasing-in period. As discussed above, the question
of the definition of collection is very material to this issue, and the
fact that these principles are not applied is a serious deficiency in the
Bill as proposed.
Privacy Codes
We recommend that Privacy Codes should be a disallowable instrument for
the purposes of the Acts Interpretation Act 1901. The ACA considers that
given the potential weakness of the proposed self-regulatory regime, the
Privacy Codes approved by the Privacy Commissioner should also be subject
to parliamentary review. We are also concerned that the Privacy
Commissioner can charge fees for access to the Register of privacy codes
and Register of determinations. We recommend that the Commissioner not
charge fees for making the registers available to the public, though the
Commissioner may charge fees for providing copies of, or extracts from, the
registers.
Comment on Schedule 3 - National Privacy Principles
Use and disclosure
We recommend that organisations should not be allowed to send
unsolicited mail, except to either people with whom they have a
pre-existing relationship or people who have consented to receive it. The
issue of the ‘practicality’ of seeking consent is entirely within the
gift of the marketer. Once again, the ‘privacy silo’ problem of the
self-regulatory model arises, making it almost certain that various Code
Authorities will determine this question differently. Is the test of
practicality money? How much money is impractical, in other words, how
much is a consumer’s privacy worth? It is also our recommendation that
the direct marketer should be required to offer an opt-out opportunity at
each approach.
Data security
Given that the primary purpose is the reason the consumer gave
permission for the collection of data, we recommend that an organisation
must destroy or permanently de-identify personal information if it is no
longer needed for the primary purpose for which it was collected. We
further recommend that an organisation must destroy or permanently
de-identify personal information on the request of the individual to whom
that personal information relates.
Openness
We recommend that Openness require an organisation to make certain
documents available to the general public.
Access and correction
We feel the same access test should apply to health information as
general personal information, particularly since the test for general
personal information is stronger. In addition, we feel it is important
that individuals have guaranteed access to their own data. We further
recommend consumers should not be charged for access to their own
information.
Where providing access would reveal the intentions of an organisation
in relation to negotiations with the individual in such a way as to
prejudice those negotiations, some providers may hide information from
consumers who, providers believe, wish to complain. In the present draft
Bill the organisation is made the judge of what will prejudice
negotiations as opposed to information that the consumer may need simply
to negotiate on an equitable basis. This situation illustrates the need
for an appeal mechanism to a neutral authority that can make binding
rulings. We would prefer this to be the Privacy Commissioner, backed up by
courts or ADJR review, but in the absence of such an approach, we
recommend that organisations must agree to the use of a mutually agreed
arbitrator to review the reasonableness of decisions and actions by the
organisation.
Sensitive Information
The operations of some non-profit organisations reach deeply into the
lives of some consumers and we recommend that only such information as
relates to their non-commercial activities should be exempted from
scrutiny.
We do not feel the consumers’ interests should be overridden by
professional bodies, however constituted or conducted. We are very
concerned by the question of who judges in the specific instance
"purpose cannot be served by the collection of information that does
not identify the individual or from which the individual’s identity
cannot reasonably be ascertained". It is in the very act of
interpreting purportedly authoritative codes and guidelines that
significant uncertainty for consumers arises. Therefore we recommend that
de-identified data be allowed only for research relevant to public health
or public safety purposes.