Private sector privacy: not a ‘light touch’ but a ‘feather touch’

The Privacy Amendment (Private Sector) Bill 2000 reflects the federal government’s approach to data protection that is based upon the premise of a ‘light touch’ legislative regime.

The Bill gives limited effect to the National Principles for the Fair Handling of Personal Information, which provide a basis for business to develop practices to ensure the protection of individual privacy. The National Principles set out standards about how businesses and other private sector organisations should collect personal information, how that information can be used and disclosed, and how it should be maintained accurately and securely.

Under the Bill, private sector organisations will be bound by the National Principles unless they have their own privacy code that has been approved by the Privacy Commissioner. A code will only be approved by the Commissioner if it provides at least as much privacy protection as the National Principles.

However, as presently drafted, the Bill is inadequate to protect the privacy of Australians’ personal information. Among the many criticisms of the Bill - it will have no effective application to existing databases; the enforcement mechanisms are too weak; and it does little to protect families in this electronic age. It’s not a ‘light touch’, but a ‘feather touch’.

The first area of deficiency relates to the treatment of information in existing databases. The Bill specifically provides that Privacy Principle 2 – which relates to the use and disclosure of personal information – will not apply to existing databases. This means that the information privacy horse has bolted, it is riding away with the personal information of Australians, and the federal government is not prepared to take any action to halt its progress.

For example, the legislation will not affect the use of information held in a massive database by Axciom containing the personal information of some 15 million Australians. It has been reported that the information was collected from merging personal information obtained from numerous internet sites. It will remain possible to sell that information even though Australian citizens unquestionably did not consent to their personal information being used for that purpose.

The Bill also provides that Privacy Principle 6 – which relates to access and correction of personal information – will not apply to existing databases. Accordingly, any Australian citizens who suffer damage as a result of inaccurate information currently held on them will be unable to do anything about it.

For example, inaccurate information held on a database regarding somebody’s financial affairs could significantly impede that person’s ability to rent a property or even to obtain finance for a business venture. It will also mean that information held in the controversial private criminal history database CrimeNet will not be subject to correction on request. The damage that could be caused to an individual’s reputation by such a database speaks for itself.

The second area of deficiency is in respect to enforcement. While the privacy Commissioner has power to recommend compensation for privacy breaches, there is no provision in the legislation for civil penalties to be available to punish corporations who engage in particularly serious breaches. If experience under the Privacy Act 1988 – which currently only applies to the activity of Commonwealth departments and agencies – is any guide, Australians can anticipate that any recommendations for compensation made by the Privacy Commissioner will be extremely conservative.

At an individual level, damage sustained because of a breach of privacy can sometimes be relatively minor. For instance, disclosing that somebody has booked a particular movie or play through an online booking agency may have little effect on the reputation of that person. However, such a practice may reflect a far more intrusive and systematic breach of privacy with a considerably greater public impact. In April this year, it was reported that hackers in the United States had extracted subscribers’ phone numbers and log in names directly off an ISP's terminal server. Severe penalties should be available to deter organised abuses of privacy of this kind.

A third area in which the legislation is deficient lies in the fact that there is no special treatment of information collected from children. This compares, for instance, to the United States Children's Online Privacy Protection Act 1998 – which requires that operators of commercial web sites and online services directed to children:

• provide parents with notice of their information collection practices;

• obtain parental consent before collecting, using or disclosing personal information about a child, with certain limited exceptions;

• obtain new consent from parents when information practices change in a material way;

• allow parents to review personal information collected from their children;

• allow parents to revoke their consent, and delete information collected from their children at the parents request;

• not require a child to provide more information than is reasonably necessary to participate in an activity; and

• maintain the confidentiality, security and integrity of information collected from children.