The Australian Consumers’ Association (ACA) is a not-for-profit,
non-party-political organisation established in 1959 to provide consumers
with information and advice on goods, services, health and personal
finances, and to help maintain and enhance the quality of life for
consumers. Independent from government and industry, the ACA lobbies and
campaigns on behalf of consumers to advance their interests.
The ACA has long advocated and anticipated legislative privacy
protection for Australian consumers – we regard such legislation as a
necessity. We consider that the Privacy Amendment (Private Sector) Bill
2000 makes a good start in defining the principles that should govern the
regulation of the collection and use of personal information in Australia.
However, we feel that the framework the Bill establishes for the operation of
privacy protection has flaws that will undermine its good intentions. The
self-regulatory regime is not defined as a co-regulatory model capped by an
Authority with real power and serviced by a complaints office of last
resort, but rather as a weak default system combined with fractured
self-regulation.
We also have a number of concerns with the details of the Bill as it
relates to Internet use, and we make specific recommendations for its
improvement from the consumers’ perspective, which are summarised below.
We feel that, from an initial goal of simple legislation meshed with a
self-regulatory regime, the Bill has taken on considerable complexity
grounded in legislative exceptions and definitions, which will ultimately
make the operation of privacy protection opaque and uncertain. In its
current form it will fail to adequately protect the privacy of
individuals.
The Framework
The ACA does not object, in principle, to the self-regulatory approach
to the protection of privacy in Australia. However, we recommend the
following changes to the framework of the Bill:
1. That the Bill be amended to provide penalties that apply to serious
breaches. As drafted, there is no enforcement authority to monitor the
operation of the self-regulatory system. In the event of self-regulatory
failure, such an authority should be able to take action, both to redress
offences against individuals and to impose credible penalties on industry
players.
2. That the Bill be amended to provide a mechanism by which decisions
of industry Code Authorities can be appealed to the Privacy Commissioner,
and that the Commissioner’s findings become precedents for other Code
Authorities. At the least, a system of review under which the Privacy
Commissioner can issue binding interpretations should be provided. In the
absence of such an appeal process, our concern is that interpretations of
what is reasonable, impracticable, practicable, serious and imminent,
frivolous, excessive, related, etc. will come to be treated differently by
different Code Authorities. This will in all likelihood give rise to what
might be termed "privacy silos", where the experience of privacy
protection for a consumer will vary from sector to sector, and even within
sectors as different industry associations create their own Privacy Codes.
3. That the Commissioner be empowered, and indeed required, to
undertake self-directed research and own-motion investigations and
audits, extending across the full range of code administration schemes,
not just the default scheme. The Commissioner’s powers to approve, audit
and discipline recalcitrant players are uncertain in the Bill.
4. The ACA has serious concerns relating to the health provisions in the
Bill. As currently drafted, the consumer’s right of access to their health
records is substantially undermined by the range of "exceptions" that can
be used to deny access to those records. The right of access in this Bill
is substantially weaker than that under the legislation which gives
consumers a right of access to public sector health records.
It is important that all health records be subject to consistent rules
with regard to access and the right to correct inaccurate details. Our
recommendation is that either the health provisions be removed from this
Bill and dealt with under a separate code, or that health be dealt with as
an enforceable code directly supervised by the Privacy Commissioner.
Definitions
A number of terms used in the Bill are critical to the successful
operation of privacy protection but are undefined. The Bill needs to deal
with them explicitly.
Use
We recommend that Use of personal information be defined as any
operation or set of operations performed on personal data, including
collection, recording, organisation, storage, adaptation or alteration,
retrieval, consultation, use, disclosure by transmission, dissemination or
otherwise making available, alignment or combination, blocking, erasure or
destruction. The definition should include, but not be limited to, the
participation of that information in a decision to do or to omit to do an
act, and the utilisation of that information in any act. This is
particularly relevant where conditions on ‘use’ are the primary safeguard
for the sharing of data across organisational boundaries. Is it a use of
information simply to store it, in other words to possess it? Does reading
or browsing a record amount to use of it, or does use only eventuate when
action results? What crystallises use?
Purpose
We recommend that Purpose be defined so as to ensure that information
about an individual which has been derived from personal information
collected from that individual is protected to the same degree, both in
terms of the primary purpose and in the operation of the other
Non-Primary Purposes. Does the purpose of information change if it is
computer-processed in some way? For example, if purchasing records are
correlated to infer information about the health status of an individual,
what is the purpose of the information so derived?