This
mid-2001 paper appears courtesy of Mark Berthold.
Introduction
In 1988 the federal government enacted the Privacy
Act (Cth). That legislation applies to federal government
agencies, the tax file number, and credit information.
Last December the Privacy Amendment (Private Sector) Act ("the Act") received the royal assent, and it comes into force on 21 December 2001. It will extend
the application of the Act to significant segments of
the private sector. The Act also provides for the development
of codes of practice but this paper focuses on the legal
parameters imposed on organisations not subject to a code
of practice.
New South Wales and Victoria have also enacted privacy legislation to regulate their public sectors.
This paper addresses compliance issues facing companies, and the provisions of the state enactments will not be further considered. The paper addresses the following issues:
- What is privacy?
- A law regulating personal records to protect the individual
- The international context
- Other sources of privacy law in Australia
- Scope of application - some small businesses excluded
- Exemptions
- E-commerce and privacy
- Legal sanctions
- The need for training
- Conclusion
What is privacy?
The short title of the Privacy Act proclaims that it is:
"An Act to make provision to protect the privacy of individuals, and for related purposes".
What then is "privacy"? The definitions are many, but in its 1983 report the Australian Law Reform Commission (ALRC) usefully identified four distinct privacy interests of an individual:
- the interest in controlling entry to that individual's personal space, or "territorial privacy". Legal protections include the torts of trespass and nuisance.
- the interest in freedom from interference with that individual's person, or "personal privacy". Laws touching on this include those regulating body searches.
- the interest in freedom from surveillance and from interception of that individual's communications, or "communications and surveillance privacy". In Australia relevant legislation includes, at the Federal level, the Telecommunications Act and the Telecommunications (Interception) Act and, at the state level, laws controlling the use of listening devices.
- the interest in controlling information about that individual, or controlling personal information.
Notwithstanding its very general short title, the Privacy Act is concerned primarily with personal information, although as regards on-line information, communications and surveillance privacy interests also arise.
A law regulating personal records to protect the individual
The definition of "personal information" demarcates
the scope of the Privacy Act: if the information does
not come within its terms it is not regulated by the Privacy
Act.
Personal information means information or an opinion (including
information or an opinion forming part of a database),
whether true or not, and whether recorded in a material
form or not, about an individual whose identity is apparent,
or can reasonably be ascertained, from the information
or opinion.
Under this definition all information "about" an individual that fulfils the other requirements is "personal information". It need not be "personal" in the sense of sensitive: it encompasses apparently mundane information such as contact details as well as sensitive information.
While the definition of "personal information" is not limited to recorded information, in practical terms the Privacy Act's application is restricted to personal records. This will become more apparent when the scope of the national privacy principles is examined below. These principles regulate the collection of information (i.e. its incorporation into or retention in a record) and the subsequent use, disclosure and security of that recorded information. Furthermore, the access and correction rights necessarily apply to personal records.
It is misleading, however, to think that the ultimate purpose of the law is to protect "personal information".
The essential purpose of the law is to protect the individual
to whom the records relate. The safeguarding of those
records is a necessary means to this end. For what is
a principal use of personal records? Surely records are
kept to form a basis of decisions about the individual.
Increasingly, with modern society's propensity and capacity
to store and disseminate personal data, organisations
will lack personal knowledge of the data subject, resulting
in a total reliance on the record (indeed, the process
may be completely automated). As a Canadian expert has
commented, "if you protect the data on which decisions
are made, you also protect the integrity, fairness and
effectiveness of the decision-making process". (Colin
Bennett 1992)
The following aspects of the definition of "personal information" require comment:
Format irrelevant
Both manual and computerised records are regulated.
Identification
The information or opinion must be about an identifiable
natural person. Anonymous or de-identified data is not
covered unless it has the potential to be [re]identified.
Given the sophistication of current computer applications
this is a significant proviso.
Attribution
Furthermore, the information must be about that identifiable
individual. If A records an opinion about B, it is "about"
B. To an extent it also relates to A insofar as it indicates
his viewpoint. The legislation would be unworkable, however,
if not only the evaluated but the evaluator were treated
as data subjects. Organisations are often uncomfortable
about providing data subjects access and correction rights
to evaluative data and this is addressed below when the
national privacy principles are examined.
The international context
Much of Australia's legislation has been developed without reference to international sources. However, whilst addressing local concerns, the Privacy Act is based on international sources. In particular its core, the national privacy principles, is based on Guidelines adopted by the OECD in 1968 and, together with the Council of Europe convention of the same year, these form the basis of privacy laws in over 30 countries including, in our region, Japan, New Zealand, Hong Kong and Taiwan.
The impetus for the extension of the 1988 Privacy Act to the Australian private sector also came from abroad, in the form of the 1995 European Union Directive on data protection. The relevance of the EU Directive to Australian organisations lies in its prohibition on member states transferring the personal data of EU citizens - its consumers, tourists and employees - to countries which lack an "adequate level of protection". In his speech introducing the Amendment Act, the Australian Attorney General identified this as a key factor in legislating. Europe has still to formally determine the adequacy of the Australian Act, but it has already provided a clear indication that it is not adequate (EU2001). Should it so rule, Australia will either have to strengthen its legislation or adopt supplementary codes of conduct, failing which it will be up to each and every company seeking compliance to adopt its own mechanisms, such as contractual arrangements, to secure the privacy of personal data transfers to European Union member states.
It follows that Australian organisations trading with Europe have to give consideration at this stage to whether their compliance standards should adhere to those of the EU Directive. The alternative is to adopt interim measures which suffice to fulfil the present requirements of the Australian legislation and to supplement them later.
Other sources of privacy law in Australia
Section 3 of the Privacy Act provides:
Saving of certain State and Territory laws
It is the intention of the Parliament that this Act
is not to affect the operation of a law of a State or
of a Territory that makes provision with respect to
the collection, holding, use, correction, disclosure
or transfer of personal information (including such
a law relating to credit reporting or the use of information
held in connection with credit reporting) and is capable
of operating concurrently with this Act.
"Law" comprises not only legislation but the common law created
by judges under the precedent system. Many areas of law
have not been "codified" by legislation and
remain the province of judge-made case law. Unlike the
US, in English and Australian common law there is no right
to privacy as such. However, several common law doctrines
also operate to protect the privacy of personal records.
The most significant of these are those of confidentiality
and of contract.
Duty of confidence
This legal duty arises when the confider discloses information
(including but not limited to personal information) not
generally known to the confidant for a limited purpose
and on condition it not be used for extraneous purposes.
The duty most clearly arises where information is provided
in the course of a recognised legal relationship. The
duty may attach to third parties receiving the information.
Contract
The law of contract governs all agreements where there
is an intention to create legal relations supported by
mutual promises between the parties to give something
of value. Unlike the duty of confidence, only the parties have a right of action against each other. On the other
hand, the contractual duty of secrecy may extend to information
(including personal information) which is already in the
public domain.
The protections afforded by the duty of confidence and
contract will often overlap, particularly in the context
of established legal relationships. It follows that records
generated in the course of those relationships will be
subject to secrecy requirements which are enforceable
at the suit of the parties. Examples include:
- medical records
- banking records
- legal records
- employment records
This is crucial because it will be noted below that the Privacy
Act exempts employment records. However, because of these
common law protections, an employer who uses or discloses
employment data for extraneous purposes unrelated to the
employment relationship will be acting illegally notwithstanding
the statutory exemption.
Scope of application - some small businesses excluded
Unlike privacy laws in other jurisdictions, the Act does not apply to a "small business" whose annual turnover for the previous financial year is $3,000,000 or less unless it:
- is related to another business (for example its holding company or a subsidiary) that has an annual turnover of more than $3 million;
- provides a health service to another individual and holds any health information except in an employee record; or
- discloses personal information about another individual to anyone else for a benefit, service or advantage; or
- provides a benefit, service or advantage to collect personal information about another individual from anyone else; or
- is a contracted service provider for a Commonwealth contract (whether or not a party to the contract).
If any of these circumstances apply to a business with an
annual turnover of $3 million or less, it is covered by
the new privacy legislation from 21 December 2002, unless
it provides a health service in which case it must comply
from 21 December 2001.
However, in what appears to be a unique provision under Australian
legislation, an organisation fulfilling the definition
of small business operator may opt-in to the application
of the law. This attests to the increasing customer-relations
impetus for being seen to comply with fair information
standards.
The problem with this opt-in provision, however, is that it presupposes that the statutory test is sufficiently precise that the organisation can be confident that it is indeed a "small business operator". This is not the case: in particular, the scope of the provisions catching organisations collecting or disclosing personal information for a "benefit, service, or advantage" is very broad (extending beyond pecuniary benefits) and widens the net far more than is presently generally appreciated.
The national privacy principles
The national privacy principles forming the core of the Privacy Act are primarily based on the OECD Guidelines but also incorporate significant features of the EU Directive. Collectively, the principles effect the following:
- they confer a degree of control over data about the data subject (principle 1 requiring notice and consent; principle 2 circumscribing use and disclosure; principle 6 conferring data subject access and correction rights).
- the organisation becomes accountable for the accuracy (principle 3) and security (principle 4) of those records.
- the organisation's policies and practices regarding personal data acquire transparency (principle 5 regarding openness).
- specific privacy concerns regarding identifiers (principle 7), anonymity (principle 8), transborder data flows (principle 9) and sensitive information (principle 10) are also addressed.
These principles are often referred to as "fair information principles". Indeed, although their application may sometimes require close analysis, their spirit is one of simply giving the data subject a "fair go".
The national privacy principles
These are only summarised below. For a detailed exposition,
see the Australian Privacy Commissioner's Guidelines for
interpreting these principles at www.privacy.gov.au
The Commissioner interprets 'necessary' in a practical sense.
If an organisation cannot in practice effectively pursue
a legitimate function or activity without collecting personal
information, then the Commissioner would ordinarily consider
it necessary for that function or activity. It would not
ordinarily be acceptable for an organisation to collect
personal information on the off chance that it may become
necessary for one of its functions or activities in the
future.
1 Collection
An organisation must not collect personal information
unless the information is necessary for one or more of
its functions or activities. The collection must be by
lawful and fair means and not in an unreasonably intrusive
way.
At or before the time (or, if that is not practicable,
as soon as practicable after) an organisation collects
personal information about an individual from the individual,
the organisation must take reasonable steps to ensure
that the individual is aware of the identity of the organisation
and how to contact it; and his or her right to access
the information; the purposes for which the information
is collected; the organisations (or the types of organisations)
to which the organisation usually discloses information
of that kind; any law that requires the particular information
to be collected; and the main consequences (if any) for
the individual if all or part of the information is not
provided.
If it is reasonable and practicable to do so, an organisation
must collect personal information about an individual
only from that individual.
comment
An organisation collects personal information if it
gathers, acquires or obtains personal information from
any source and by any means. Collection includes when
an organisation keeps personal information it has come
across by accident or has not asked for.
The collection stage is critical because it may be the
only stage of the process in which the data subject
is directly involved and can therefore assert his or
her rights. The principle requires that the individual
be equipped to determine whether he should furnish the
information or decline to do so.
The Commissioner's Guidelines adopt the narrow interpretation of 'fair' as meaning without intimidation or deception.
Principle 1 also imposes the test of relevance on the collection of personal information. Collecting information just because it may be useful in the future is generally not acceptable. Even if information is relevant, it does not follow that it need be "personal information". As the Commissioner's Guidelines point out, de-identified information may suffice, and it may not be necessary to require individuals to identify themselves when they interact with the organisation.
2 Use of Data
An organisation must not use or disclose personal information
about an individual without his/her consent for a purpose
(the secondary purpose) other than the primary purpose
of collection unless the secondary purpose is related
to the primary purpose of collection (or directly related,
if involving sensitive data) and the individual would
reasonably expect the organisation to use or disclose
the information for the secondary purpose.
comment
The purpose of this requirement is to ensure fairness
and transparency and to prevent the type of "bait
and switch" that can easily result if a consumer
is led to believe that a disclosure of personal data
is necessary for a transaction when it will in fact
be used for another purpose. That different purpose
requires the individual's "consent". In his
Guidelines the Privacy Commissioner defines "consent"
as meaning:
voluntary agreement to some act, practice or purpose. It has
two elements: knowledge of the matter agreed to, and
voluntary agreement. Consent can be express or implied.
Express consent is given explicitly, either orally
or in writing. Implied consent arises where consent
may reasonably be inferred in the circumstances from
the conduct of the individual and the organisation.
Consent is invalid if there is extreme pressure or
coercion.
In determining whether a use falls within the "primary purpose", and accordingly does not require consent, the Privacy Commissioner's Guidelines focus on whether that use accords with what the data subject would reasonably expect regarding her data.
3 Data quality
An organisation must take reasonable steps to make sure
that the personal information it collects, uses or discloses
is accurate, complete and up-to-date.
comment
Inaccuracy is a major problem for records generally, and the constant need for updating presents particular problems for personal records. (A comprehensive US study of state criminal records highlighted the extent of the problem, finding that the proportion of records that were complete, accurate and unambiguous ranged from 49.5% for Minnesota to a mere 12.2% for North Carolina (David Burnham 1983).)
The Privacy Commissioner's Guidelines interpret this requirement
as only requiring organisations to take reasonable steps
to confirm the accuracy, completeness and currency of
the personal information they hold at the time they
collect, use or disclose it. Relevant factors are the
likelihood that the personal data is accurate and reliable;
whether the data is prone to becoming outdated; recency
of collection; its source; and its proposed use and
potential impact on the data subject.
4 Data security
4.1 An organisation must take reasonable steps to protect
the personal information it holds from misuse and loss
and from unauthorised access, modification or disclosure.
4.2 An organisation must take reasonable steps to destroy
or permanently de-identify personal information if it
is no longer needed for any purpose for which the information
may be used or disclosed under National Privacy Principle
2.
comment
Absolute security is unattainable. The appropriate degree
of security is determined by the sensitivity of the
personal data: what is reasonable for customer records
will be inadequate for health data.
4.2 is essentially an elaboration on principle 1 regarding
the collection of relevant personal information. Its application
will be affected by the various laws stipulating minimum
retention periods.
5 Openness
An organisation must make available a document clearly expressing its policies on its management of personal information and its practices regarding such information.
comment
Compliance with this principle requires the organisation
to review its handling of personal information. The
most obvious place to provide the resultant policy is
on the organisation's website.
6 Access and correction
If an organisation holds personal information about an
individual, it must provide the individual with access
to the information on request by the individual. If an
organisation holds personal information about an individual
and the individual is able to establish that the information
is not accurate, complete and up-to-date, the organisation
must take reasonable steps to correct the information.
If the individual and the organisation disagree about
whether the information is accurate, complete and up-to-date,
and the individual asks the organisation to associate
with the information a statement claiming that the information
is not accurate, complete or up-to-date, the organisation
must take reasonable steps to do so.
comment
Access and correction rights enable a data subject to
participate in the management of his or her personal
information. It enables the data subject to monitor
whether the data user is complying with the other data
protection principles. It also provides a crucial mechanism
in enhancing data quality as often the data subject
will be in the best position to update and otherwise
correct his personal data.
This statutory principle is not capable of operating concurrently
with the common law duty of confidence and accordingly
overrides the latter. Accordingly, access must be provided
to personal data whether or not it was originally collected
by the record keeper from a third party on a confidential
basis.
7 Identifiers
An organisation must not adopt as its own identifier of
an individual an identifier of the individual that has
been assigned by another agency.
8 Anonymity
Wherever it is lawful and practicable, individuals must
have the option of not identifying themselves when entering
transactions with an organisation.
comment
This principle will have a particular impact on-line. Unlike real space, cyberspace reveals no self-authenticating facts about identity; in real space one reveals one's gender, age and language spoken (Lessig 1999). And most of the activities conducted on-line, such as reading news, shopping for products and searching for information, can be done without the collection of information from consumers. However, the trend has been for websites increasingly to require registration and to use new tracking techniques such as cookies and web bugs to profile internet users (see e.g. www.epic.org regarding US trends). Consumers are responding by utilising on-line anonymisation technologies such as Anonymizer or Zero-Knowledge Systems (the latter enabling an individual to disaggregate his or her identity into five digital pseudonyms that preclude even the company tracing back his actual identity). This anonymity will cease upon a purchase being made with a credit card, but that is fair enough because identification becomes justifiable upon entering into legal relations.
9 Transborder data flows
An organisation in Australia may transfer personal information about an individual without consent to another organisation or individual outside Australia only if the organisation reasonably believes that the recipient of the information is subject to a legal obligation imposing standards substantially similar to the National Privacy Principles; or the transfer relates to the performance of a contract; or the transfer is for the benefit of the individual, whose consent is impracticable to obtain but would otherwise be likely to be forthcoming, and the organisation has taken reasonable steps to comply with the National Privacy Principles regarding the data.
10 Sensitive information
10.1 An organisation must not collect sensitive information about an individual unless the individual consents, the collection is authorised by law, or the collection falls within several other narrow exceptions.
'Sensitive data' is defined as meaning information or
an opinion about an individual's (i) racial or ethnic
origin; (ii) political opinions; (iii) membership of a
political association; (iv) religious beliefs or affiliations;
or (v) philosophical beliefs; or (vi) membership of a
professional or trade association; or (vii) membership
of a trade union; or (viii) sexual preferences or practices;
(ix) criminal record or (x) health information about an
individual.
The differentiation of 'sensitive' from other personal information
derives from the EU Directive. It greatly complicates
the application of a privacy law and focuses on data looked
at in isolation whereas the context rather than the categorisation
of personal data is often important in determining its
significance. Nonetheless, there is no doubting that the
categories of sensitive information identified are those
which are particularly prone to provide the basis of decisions
which are considered discriminatory.
A phased application of the principles (section 16C)
National Privacy Principles 1, 3 (so far as it relates
to collection of personal information) and 10 apply only
in relation to the collection of personal information
after 21 December 2001.
National Privacy Principle 2 applies only in relation to personal
information collected after 21 December 2001. National
Privacy Principles 3 (so far as it relates to personal
information used or disclosed), 4, 5, 7 and 9 apply in
relation to personal information held by an organisation
regardless of whether the organisation holds the personal
information as a result of collection occurring before
or after 21 December 2001.
National Privacy Principle 6 applies in relation to personal information
collected after 21 December 2001. That Principle also
applies to personal information collected by an organisation
before that commencement and used or disclosed by the
organisation after that commencement, except to the extent
that providing access/correction would:
(a) place an unreasonable administrative burden on the organisation; or
(b) cause the organisation unreasonable expense.
National Privacy Principle 8 applies only to transactions entered into after 21 December 2001.
comment
The phased application of the principles presents an organisation with a dilemma: in particular, should it quarantine its "personal information" collected before 21 December 2001 in order to block access and correction requests? The difficulty is that such information immediately becomes subject to those requests upon its subsequent use or disclosure. Also, if the original record is amended, does it thereby become new "personal information" in any event? Both legal and IT input are required in charting a course through these difficult provisions. These difficulties are exacerbated by the Privacy Act's usage of "personal information" rather than "personal data", with the latter's clearly understood concept of data fields.
Exemptions
The Privacy Act also provides for exemptions from coverage
in the following circumstances:
- the journalism activities of media organisations; and
- an act done or practice engaged in, by an organisation that is or was an employer of an individual, if the act or practice is directly related to:
(a) a current or former employment relationship between the employer and the individual; and
(b) an employee record held by the organisation and relating to the individual.
Unlike privacy laws elsewhere, none of the privacy principles are applied to exempted records. No sensible data user should, however, cease concerning itself with such parameters as security and data quality! This is particularly so in view of the sensitive nature of much employment data. A further problem - one which unfortunately characterises the Privacy Act - is that the scope of the exemption for employment records is unclear. In particular, it is not apparent whether personal emails sent by employees are covered by the Act or not.
In view of these considerations, together with the undoubted
application of the common law to such records and international
(EU) requirements mentioned above, organisations need
to seriously consider whether they should endeavour to
apply the principles to employment records instead of
resorting to this "exemption".
E-commerce and privacy
There is a growing professional consensus that for e-commerce
websites, having a privacy policy is no longer optional.
In the US a privacy policy is considered a business necessity.
There the impetus for on-line privacy is market driven
whereas in Australia it is both law driven and market
driven. We have focused on legal factors above, but market
factors also deserve attention.
These are well documented by a number of recent studies.
For example, an American Express survey of 11,000 consumers
in 10 countries found that 79% cited privacy and security
as a major concern in relation to on-line shopping. The
US National Consumer League found that 57% of respondents
said that they had not bought anything on-line in the
previous months because they were worried that either
their credit card number or other personal information
would be abused (Consumers International Privacy 2001
cites these and other studies).
The most comprehensive survey of the extent to which companies were addressing these concerns was published earlier this year by Consumers International and found that:
most sites collect personal information but fail to tell consumers how that data will be used, how security is maintained, and what rights consumers have over their own information.
In the Australian context, these failures will constitute a breach of the national privacy principles and hence the Privacy Act.
A website privacy policy should address consumer concerns in terms that comply with the principles and which the organisation is prepared to comply with. Compliance is
essential because misleading privacy statements will not
only offend the privacy legislation but may also contravene
section 52(1) of the Trade Practices Act which prohibits
conduct which is "misleading or deceptive, or is
likely to mislead or deceive."
To ensure that all relevant issues are systematically
addressed in preparing the statement a four-step process
is necessary (Killingsworth 1999):
- audit of current online practices
- goal-setting
- policy development, drafting and site plan
- implementation and maintenance
(For more details, refer to my other paper Website Privacy Policy Statements: An E-commerce Necessity.)
Privacy seal programs
Privacy seal programs are becoming popular. These vary in stringency from those
where an organisation is essentially licensed to sport
the trademarked seal upon completing an on-line questionnaire
to those requiring successfully completing a comprehensive
audit. As with most internet developments, the US is the
main scene of activity although the extent to which Australian
websites are subscribing to US seal programs does not
appear to be presently documented. Most US seal programs
are inadequate under Australian law as the suite of privacy
principles adopted in that country by its Federal Trade
Commission are restricted to awareness, choice, access
and security. The key standards of purpose limitation,
data minimisation and duration of storage covered by the
Australian principles are omitted. There are also local
seals based on the national privacy principles.
Studies indicate that a privacy seal of approval encourages consumers
to make a purchase. Organisations considering adopting
a privacy seal need to consider a variety of factors,
including the adequacy of the standards the seal attests
to and the extent to which the organisation's compliance
with those standards is both initially established and
subsequently monitored by the seal provider. Whilst affecting
the price charged by the seal provider, the "brand
recognition" of the seal is not necessarily the best
guide of its adequacy in protecting standards and ensuring
customer satisfaction.
Privacy seals may encompass both off-line and online privacy practices
or focus solely on the latter. Off-line procedures for
the handling of personal information are generally much
more complex, with various mechanisms for the collection
of personal information and differing standards of security
depending on the stage of the information cycle involved.
Legal Sanctions
It follows from the above that for most organisations
the prime incentive to comply with this legislation will
be to gain the "privacy advantage" over their
competitors. The primary sanction will be customer resistance.
Organisations also need to be aware, however, that the
Act does provide for legal sanctions against errant organisations.
Alleged or apparent contraventions will be investigated
by the Privacy Commissioner, either as a result of a complaint
or on his own initiative. Initially, as the Commissioner's
Guidelines point out, an attempt is made to conciliate:
If an individual thinks an organisation has interfered with
their privacy they can complain to the Commissioner. When
the Commissioner receives a complaint the individual must
in most cases be referred back to the organisation to
give the organisation a chance to resolve the complaint
directly (see section 40(1A)).
If the individual and the organisation cannot resolve the
complaint between themselves, the Office conciliates the
complaint using letters and phone calls, or in some cases,
face-to-face meetings. In the majority of cases, the complaint
is resolved this way.
Determinations of the Privacy Commissioner
Failure to conciliate has legal consequences. Section
52 of the Act provides that after investigating a complaint,
the Commissioner may find the complaint substantiated
and make a determination that includes a declaration requiring
the organisation to desist from a proven contravention
and to redress any loss or damage suffered by the complainant.
He may further make a declaration that the complainant
is entitled to a specified amount by way of compensation
for any loss or damage suffered by reason of the act or
practice the subject of the complaint. "Loss or damage"
includes injury to the complainant's feelings or humiliation
suffered by the complainant. The Commissioner may also include
a declaration that the complainant is entitled to a specified
amount to reimburse the complainant for expenses reasonably
incurred in connection with the making of the complaint
and the investigation of the complaint.
A determination is not self-executing: it is enforced by
proceedings in the Federal Court or the Federal Magistrates Court.
It hardly needs mentioning that the costs of legal compensation
will pale in comparison with the loss of goodwill inevitably
inflicted on a company which is subject to proceedings
under the Privacy Act.
Breaches-the need for training
The regulatory focus of the Act is on the organisation
controlling the personal data involved. A company can
only act through its employees, and accordingly determining
whether there has been a contravention of the Act will
involve examining the actions of specific individuals.
However, such individuals will not be the formal focus
of the investigation or claim. Instead, the Act recognises
that specific individuals will, as part of a larger organisation,
reflect the procedures and norms provided by that organisation.
The Privacy Act treats the acts and practices of employees
(and those "in the service of" an organisation) in performing
their duties of employment as those of the organisation
(section 8(1)(a)). This works both ways: the organisation
will be in the firing line for its staff's infractions,
but where it has taken reasonable steps to prevent the contravention
from occurring this will provide mitigation should there
be an investigation.
In this context adequate staff training is vital. Management
may have a sound appreciation of the legal requirements,
but if this awareness has not percolated down to the rank
and file employees who actually collect, store and disclose
personal information, the organisation remains vulnerable
to contraventions.
Conclusion
Complying with the Privacy Act will require fundamental
changes in the current attitudes and practices of businesses
and other organisations. Companies adopting a systematic
approach will incur costs. To those who may be disposed
to doubt the utility of complying with the new law, or
indeed the utility of the law itself, reference to a US
study may be salutary (H.J. Smith 1994). Based on extensive
interviews with executives in the banking, credit card
and insurance industries, it found that without legal
regulation, executives were afraid to confront privacy
issues. The result was policy drift. This wandering and
reactive policy-making process was attributed to several
factors. Managerial attention tended to focus on items
benefiting the company in the short term, whereas the
privacy principles are more likely to reap organisational
and customer benefits in the longer term. Frequent absence
of leadership from the top left middle managers to develop
their own localised and often divergent policies, reducing
their legitimacy and influence. However, the most serious
obstacle to the development of coherent privacy policies
was found to be the lack of clear-cut boundaries between appropriate
and inappropriate practices concerning personal information.
The result was that companies were left to plot their
own course through a thicket of conflicting views.
The Privacy Act goes a long way towards dispelling this
ambiguity. As with any piece of legislation it has its
borderline applications; this is inherent in any law.
But it does provide a set of standards where hitherto
there were none.
Selected References
Colin Bennett, Regulating Privacy: Data Protection and Public
Policy in Europe and the US (Ithaca: Cornell University Press
1992) 37
EU 2001: European Union Article 29 Data Protection Working
Party, Opinion on the level of protection of the Australian
Privacy Amendment (Private Sector) Act 2000, adopted on
26 January 2001
David Burnham, The Rise of the Computer State (New
York: Vintage Books 1983) 73
Consumers International 2001, Privacy@net
Lawrence Lessig, Code and Other Laws of Cyberspace (New York:
Basic Books 1999)
Scott Killingsworth, 'Minding Your Own Business: Privacy Policies
in Principle and in Practice' 7 Journal of Intellectual
Property Law 1999, 57
H.J. Smith, Managing Privacy (Chapel Hill: University of North
Carolina Press 1994)
Australian Law Reform Commission 1983 report on Privacy
This is an edited version of an address presented to
the Records Management Association at Casselden Place,
Melbourne 7 June 2001, incorporating issues arising
from the Privacy Commissioner's Guidelines issued in
September.
Copyright M F Berthold 2001, all rights reserved.