On Line Opinion - Australia's e-journal of social and political debate

The Privacy Bill needs an independent arbiter and more

By Charles Britton - posted Thursday, 15 June 2000


Collection

We recommend that Collection be defined to include update and correction of data items as well as original de novo collection, and that the insertion of one item in a dataset (defined as the set of data records related to a particular individual in an organisation) should be deemed to have been a collection. Is data collected if it is derived by means of a correlation or inference from other data held by an organisation? Has data that has been updated or corrected been collected? If so, are only the data items so processed collected, or does the whole record (undefined) inherit this property? Indeed, do related records (the record set) pertaining to the individual also inherit the collection at this point? Does the process of updating a data item move it into the privacy regime or not, that is, is it then collected after the operation of the section? For the same reasons, the terms Disclose, Consent, and Store should be given a defined meaning in the Bill.

DNA information

DNA information should not be assumed to be privacy-sensitive and potentially commercially useful only in the context of health. As an additional item of definition, we feel it should be included as sensitive information in its own right.

Related bodies corporate

We recommend that an explicit test of consumers’ expectation or a test of related or similar business activities be used to limit the reach of organisations within which information can be freely disclosed. The effective extension of organisations to include entities related as defined under Corporations Law makes effective protection of consumers’ rights to opt out of information sharing impossible. It is also presumable that the broad definition cuts two ways, and "a request to the organisation not to receive direct marketing communications" will be required to be honoured throughout large corporate webs.

Small Business Exemption

We recommend that the exemptions for small business should be removed from the Bill. The proposed definition of small business as a business with an annual turnover of $3,000,000 or less in a nominated test month will make it hard for a consumer to judge whether a business should be meeting privacy standards or not. The ACA considers that a positive obligation on all business to observe proper privacy practice is more effective.

Political Parties

We recommend that the exemption for political parties should be refined to reflect actual concerns related to possible infringements on democratic processes. The ACA is sensitive to the needs for democratic processes to be protected. However, it would set a double standard for political parties to be granted a global and sweeping exemption. Political parties should set a best-practice example in the management of personal information gathered from constituents.

Application of National Privacy Principles

We recommend that National Privacy Principles 2 (Use and Disclosure) and 6 (Access and Correction) be applied to existing data, although perhaps only after a phasing-in period. As discussed above, the definition of collection is very material to this issue, and the fact that these principles are not applied is a serious deficiency in the Bill as proposed.

Privacy Codes

We recommend that Privacy Codes should be a disallowable instrument for the purposes of the Acts Interpretation Act 1901. The ACA considers that, given the potential weakness of the proposed self-regulatory regime, the Privacy Codes approved by the Privacy Commissioner should also be subject to parliamentary review. We are also concerned that the Privacy Commissioner can charge fees for access to the Register of privacy codes and Register of determinations. We recommend that the Commissioner not charge fees for making the registers available to the public, though the Commissioner may charge fees for providing copies of, or extracts from, the registers.

Comment on Schedule 3 - National Privacy Principles

Use and disclosure

We recommend that organisations should not be allowed to send unsolicited mail, except to either people with whom they have a pre-existing relationship or people who have consented to receive it. The issue of the ‘practicality’ of seeking consent is entirely within the gift of the marketer. Once again, the ‘privacy silo’ problem of the self-regulatory model arises, making it almost certain that various Code Authorities will determine this question differently. Is the test of practicality money? How much money is impractical, in other words, how much is a consumer’s privacy worth? It is also our recommendation that the direct marketer should be required to offer an opt-out opportunity at each approach.

Data security

Given that the primary purpose is the reason the consumer gave permission for the collection of data, we recommend that an organisation must destroy or permanently de-identify personal information if it is no longer needed for the primary purpose for which it was collected. We further recommend that an organisation must destroy or permanently de-identify personal information on the request of the individual to whom that personal information relates.

Openness

We recommend that Openness require an organisation to make certain documents available to the general public.

Access and correction

We feel the same access test should apply to health information as general personal information, particularly since the test for general personal information is stronger. In addition, we feel it is important that individuals have guaranteed access to their own data. We further recommend consumers should not be charged for access to their own information.

Where providing access would reveal the intentions of an organisation in relation to negotiations with the individual in such a way as to prejudice those negotiations, some providers may hide information from consumers who, providers believe, wish to complain. In the present draft Bill the organisation is made the judge of what will prejudice negotiations as opposed to information that the consumer may need simply to negotiate on an equitable basis. This situation illustrates the need for an appeal mechanism to a neutral authority that can make binding rulings. We would prefer this to be the Privacy Commissioner, backed up by courts or ADJR review, but in the absence of such an approach, we recommend that organisations must agree to the use of a mutually agreed arbitrator to review the reasonableness of decisions and actions by the organisation.

Sensitive Information

The operations of some non-profit organisations reach deeply into the lives of some consumers and we recommend that only such information as relates to their non-commercial activities should be exempted from scrutiny.

We do not feel the consumers’ interests should be overridden by professional bodies, however constituted or conducted. We are very concerned by the question of who judges in the specific instance "purpose cannot be served by the collection of information that does not identify the individual or from which the individual’s identity cannot reasonably be ascertained". It is in the very act of interpreting purportedly authoritative codes and guidelines that significant uncertainty for consumers arises. Therefore we recommend that de-identified data be allowed only for research relevant to public health or public safety purposes.

About the Author

Charles Britton is Senior Policy Officer, IT and Communications at the Australian Consumers Association.
