Allens Arthur Robinson
Archive - 2002

Focus: Privacy

17 December 2002

Important Commonwealth private sector privacy laws, which will impose new obligations on small businesses, commence on 21 December 2002. Lawyer Damien van der Toorn examines which small businesses will be covered, how they are likely to be affected, and what they should be doing to comply.
View publication (PDF, 56KB)

Small business compliance time

17 December 2002

The Federal Privacy Commissioner has issued a timely reminder that from 21 December 2002 some small businesses (businesses having an annual turnover of $3 million or less) will be expected to comply with the private sector provisions of the Privacy Act 1988 (Cth). While the Privacy Act contains a general exemption for small business operators (which will continue to apply beyond 21 December 2002), small businesses which:

  • are health service providers; or
  • trade in personal information; or
  • are related to a business with an annual turnover of greater than $3 million; or
  • are contractors to Commonwealth agencies,

will need to comply with the Act from 21 December 2002 onwards.

The Office of the Federal Privacy Commissioner has published a number of documents detailing the impact of the Privacy Act on small business. These can be accessed from the Privacy Commissioner's website.

Consultation on Credit Reporting Determination 2002 No 1

13 December 2002

The Office of the Federal Privacy Commissioner has placed on its website a list of the recent written submissions to the Review of Credit Reporting Determination 2002 No 1 (Classes of Credit Providers) made by organisations during the consultation process. Safeguards relating to consumer credit reporting are provided by Part IIIA of the Privacy Act, which governs the management of credit reports and creditworthiness information. Credit reporting determinations were additionally issued by the Commissioner, one of which deals with the classes of credit providers for the purposes of the Act. The Commissioner declared that this determination should be subject to further review following 'responses from interested consumer and credit industry bodies as to its operation.'

Of significant concern is whether the access to the credit reporting system (and the access to information of individuals contained within it) should be changed to ensure compliance with the credit reporting rules. The Consumer Protection Unit of Legal Aid Queensland stated that 'access to credit reporting should be tightened to ensure compliance with the original intention of Parliament as the current definition...is too broad.' The ACCC suggested that confining the definition of 'credit provider' is an appropriate response if certain listed conditions could not be met to guarantee compliance. Alternatively, the Australian Finance Conference submitted that there is no evidence to indicate that a 'narrowing of the classes of non-traditional credit providers' is required. This position is supported by the Australian Collectors Association which stated that changes should only be made to allow increased access. The Australian Privacy Foundation recommended that a 'survey of credit providers who have been operating under the Determination' should be urgently carried out to put interested parties in a better position to decide if and how the determination should be amended.

Department of Family and Community Services breaches the Privacy Act

9 December 2002

The Federal Privacy Commissioner has found that the Department of Family and Community Services (the Department) has breached the Privacy Act. The Department manages a website named 'The Source' and ran an online competition on it earlier this year. The website editor sent marketing emails to competition entrants on behalf of RMIT students who were undertaking a project to send spiders into space with NASA. No formal complaints were made regarding the misuse of entrants' details, but the Commissioner used its own investigative powers under Part V of the Privacy Act to examine the practices of the website operators, finding a breach of Information Privacy Principle 10.1 (ie that personal information can only be used for the particular purpose for which it was obtained; the equivalent restriction on private sector organisations is NPP 2.1).

The Department has apologised to the persons involved and to ensure that the breach is not repeated, it has undertaken to: complete a privacy audit of its websites, clarify the website privacy statements, destroy the database with the website visitor details, simplify links so that individuals understand which site their information is being supplied to, train staff in privacy awareness and appoint a privacy contact officer. This gives a helpful indication of the type of remedial steps the Commissioner might require of an organisation if it breaches the Act.

EFA submissions to ACA on ENUM protocol

2 December 2002

Electronic Frontiers Australia Inc (EFA), an organisation concerned with online rights and freedoms, has recently made submissions to the Australian Communications Authority about EFA's concerns with the ENUM protocol. The ENUM system converts telephone numbers into a Uniform Resource Identifier, and the current design requires individuals' personal information to be made publicly accessible on the Internet. EFA doubts whether sufficient privacy protection can be afforded to telephone and Internet users and is concerned that the implementation of the system has serious implications for national infrastructure security. In its submissions, EFA suggests that greater attention needs to be focused on building privacy-protective mechanisms into ENUM's technical design. Furthermore, EFA has submitted that the relevant privacy legislation needs to be analysed and potentially amended to ensure that personal information in an ENUM database is protected.
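To make concrete what 'converts telephone numbers into a URI' means, and why EFA treats the resulting database as a privacy exposure, the following is an added example and not code from the original article or from EFA. It implements the ENUM mapping as standardised in RFC 3761: the digits of an E.164 number are reversed, one digit per DNS label, under the public e164.arpa tree, and the NAPTR records published at that name carry the subscriber's URIs. The telephone number and the NAPTR record used are constructed for illustration; the NAPTR 'regexp' handling is simplified (Python's re stands in for POSIX ERE and flags are ignored).

```python
"""ENUM mapping as described in RFC 3761: E.164 number -> e164.arpa domain,
and NAPTR 'regexp' field -> URI. Added example, not code from the original
article or from EFA; the number and NAPTR record below are constructed."""
import re

ENUM_SUFFIX = "e164.arpa"


def e164_to_enum_domain(number: str) -> str:
    """Map an E.164 number to its ENUM domain name.

    Everything that is not a digit is dropped (the leading '+', spaces,
    dashes), the digits are reversed, each becomes one DNS label, and the
    e164.arpa suffix is appended.
    """
    digits = re.sub(r"\D", "", number)
    if not digits or len(digits) > 15:  # E.164 numbers have at most 15 digits
        raise ValueError(f"not an E.164 number: {number!r}")
    return ".".join(reversed(digits)) + "." + ENUM_SUFFIX


def enum_domain_to_e164(domain: str) -> str:
    """Reverse the mapping.

    The DNS name itself encodes the telephone number, so anyone who can
    observe or walk names under e164.arpa recovers the number directly;
    the URIs in the NAPTR records then tie it to a person. This is the
    exposure the article describes.
    """
    name = domain.rstrip(".").lower()
    suffix = "." + ENUM_SUFFIX
    if not name.endswith(suffix):
        raise ValueError(f"not an ENUM domain: {domain!r}")
    labels = name[: -len(suffix)].split(".")
    if not labels or not all(len(lab) == 1 and lab.isdigit() for lab in labels):
        raise ValueError(f"malformed ENUM domain: {domain!r}")
    return "+" + "".join(reversed(labels))


def naptr_regexp_to_uri(regexp_field: str, e164_number: str) -> str:
    """Apply the 'regexp' field of an ENUM NAPTR record to the number.

    The field has the shape "<delim>ERE<delim>replacement<delim>"; the
    delimiter is its first character. Simplified: Python's re is used in
    place of POSIX ERE and any trailing flags are ignored.
    """
    if not regexp_field:
        raise ValueError("empty regexp field")
    delim = regexp_field[0]
    parts = regexp_field.split(delim)
    if len(parts) < 4:
        raise ValueError(f"malformed regexp field: {regexp_field!r}")
    ere, replacement = parts[1], parts[2]
    return re.sub(ere, replacement, e164_number)


def resolve_constructed_record(number: str) -> dict:
    """Chain the steps against a constructed NAPTR record, standing in for
    what a DNS lookup of the ENUM domain would return."""
    domain = e164_to_enum_domain(number)
    e164 = enum_domain_to_e164(domain)  # canonical +digits form
    # Constructed record: the kind of data a zone might publish for a number.
    constructed_naptr = {
        "order": 100,
        "preference": 10,
        "flags": "u",
        "service": "E2U+email:mailto",
        "regexp": "!^.*$!mailto:alice@example.com!",
    }
    uri = naptr_regexp_to_uri(constructed_naptr["regexp"], e164)
    return {"domain": domain, "service": constructed_naptr["service"], "uri": uri}


if __name__ == "__main__":
    # Constructed sample number; the output shows how much is world-readable.
    print(resolve_constructed_record("+61 2 9230 4000"))
```

Running the block shows the chain in one line: the number becomes a name that any resolver on the Internet can query, and the record at that name hands back a mailto: address. Nothing in the protocol itself restricts who may ask, which is why EFA's submission argues for privacy controls in the design rather than relying on legislation alone.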

Privacy Commissioner comments on privacy and electronic media 

14 November 2002

The Federal Privacy Commissioner has reiterated the need for organisations to exercise particular care when marketing to individuals using electronic media, such as email and SMS. In a recent address to the Australian Direct Marketing Association, the Commissioner identified organisational disclosure, customer consent and information security as the danger areas in electronic marketing. The Commissioner recommended that, in all marketing communications to an individual, an organisation should:

  • identify the source of the personal information;
  • provide an effective means for the individual to opt out from future communications (and record who has opted out); and
  • clearly identify material as marketing material (for example, by inserting the term 'marketing' into the subject line of emails).

The Commissioner also reminded organisations that the Privacy Act has equal application in the electronic environment and to consider all aspects of privacy when using new media. 

EU Consults on Protection of Workers' Personal Data

13 November 2002

At the end of October the European Commission (EC) commenced consultations with employer and employee representatives with a view to establishing a European framework for the protection of workers' personal data. The EC cites the lack of employment specific regulation at the European level, the effect of technology on collection of personal data and the need to provide consistent regulations across the European Community as the key drivers of this proposal. The proposed data protection framework addresses issues including:

  • whether an employer should be able to rely on a worker's consent to collection, given the nature of the employment relationship; 
  • the need to inform and consult workers' representatives before commencing or altering data collection practices; 
  • clarifying permissible collection and use purposes in the employment context; 
  • the special requirements associated with sensitive data including health, genetic and drug testing data; and 
  • the monitoring and surveillance of workers, particularly by electronic means, and when and to what extent such activities are permissible.

The consultation paper is available from http://europa.eu.int/comm/employment_social/news/2002/oct/data_prot_en.pdf

Information Sheet on Sale of Business 

28 October 2002

The Federal Privacy Commissioner has issued a new Information Sheet to provide guidance to organisations involved in the sale or purchase of a business in relation to their obligations under the Privacy Act 1988 (Cth). The Information Sheet considers the application of relevant NPPs in the context of personal information transferring from a vendor to a prospective purchaser during the process of due diligence and then from a vendor to the actual purchaser on completion. 

The Commissioner states in the Information Sheet that vendors and prospective purchasers must take reasonable steps to protect personal information from unlawful access, modification, use or disclosure during the due diligence process. To this end, the Commissioner provides "tips" for due diligence protocols. 

The Commissioner also holds that no obligations will arise on completion if a business is sold by way of share acquisition. If, on the other hand, a company's assets are sold off, the vendor and the actual purchaser must then comply with the relevant NPPs. The Commissioner provides examples of, and tips in relation to, the application of the NPPs in this context. For example, the Commissioner notes that, where a transfer of customer information will result in changes to the way that that information is used or disclosed, a vendor organisation will need to obtain the consent of the customers for the disclosure of that information on completion and should not assume that such disclosure is within the customers' reasonable expectations. 

Model's privacy claim denied

22 October 2002

The United Kingdom Court of Appeal upheld the Daily Mirror's appeal against an earlier High Court ruling in favour of Naomi Campbell over a February 2001 report about Campbell's attendance at Narcotics Anonymous meetings. Campbell claimed that the newspaper's story and photographs amounted to a breach of confidence and a violation of the Human Rights Act (UK) and the Data Protection Act (UK). A crucial element of the appeal was the fact that Campbell had publicly denied using drugs. Lord Phillips acknowledged that while celebrities' personal lives should not be 'laid bare by the media', it was in the public interest for the media to indicate that a public figure had been deceiving the public where that public figure had made false representations about their private life. Publishing stories in the public interest is a journalism exemption under the Data Protection Act (UK).

NSW Health Records and Information Privacy Act assented to

8 October 2002

The Health Records and Information Privacy Act 2002 (NSW) was assented to on 25 September 2002. The Act aims to promote fair and responsible handling of individuals' health information by health service providers in both the public and the private sectors in New South Wales. It provides 15 Health Privacy Principles and also for the making of health privacy codes of practice. Complaints will be handled by the NSW Privacy Commissioner and ultimately the Administrative Appeals Tribunal. Like the Federal Privacy Act, there is a small business exemption (with an A$3m threshold) and an employee record exemption. The commencement of the Act is to be by proclamation in approximately 12 months, according to the NSW Privacy Commissioner. This time period is required to initiate training programs and regulations necessary to establish, for example, standard documentation and access to databases, said the Commissioner.

US companies want privacy laws relaxed

8 October 2002

The Global Privacy Alliance (GPA), a group of US companies including IBM, Oracle, VeriSign and General Motors, has submitted a position paper to the European Commission regarding the implementation of the 1998 EU Data Protection Directive. The paper outlines 4 areas where it is perceived that the free flow of information is inhibited by the privacy rules, and the GPA suggests a review be undertaken of the law in relation to these areas. They are: cross-border transfers, the scope of applicable laws, information-sharing between related companies and business contact information. In particular, it is suggested that cross-border data flows be simplified, that 'clear and workable criteria for determining the legal regime applicable to data processing activities' be established, that the transfer of data among affiliates in certain circumstances be permitted, and that only truly 'personal' data be regulated rather than business contact data. It was expected that the GPA's observations would be raised at the European Commission's data protection conference, which took place last week.

Amazon plans to revamp its privacy policy

27 September 2002

Amazon has agreed to revise its privacy policy following meetings and discussions with US state regulators from 13 states. The revision was also prompted by customer concerns about the privacy of their personal information. Amazon will clarify the situations in which customer information is shared or sold; provide a more detailed list of the companies with which Amazon offers jointly branded or co-branded products; and provide more information on the variety of customer information that is collected from other sources. These changes are aimed at making Amazon's privacy policy more transparent to customers, although the agreement is non-binding. Critics claim that Amazon has still failed to address the issue that initiated the talks about policy change, that is, whether Amazon can sell customer lists as an asset sale. Additionally, customers still cannot view all their personal data and cannot delete the records.

Privacy Commissioner releases paper on publicly available information

17 September 2002

There has been a strong public reaction to the Office of the Federal Privacy Commissioner's recent Consultation Paper discussing the application of the Privacy Act to publicly available information. The Consultation Paper was released in response to public concern regarding the use of information available from public sources such as telephone directories, electoral rolls and other public registers, and seeks to limit the extent to which personal information collected from publicly available sources can be circulated without the individual's knowledge or consent. 

The Fundraising Institute Australia has claimed that the proposals set out in the Consultation Paper would prohibit charities and commercial organisations from collecting information from publicly available sources. The Deputy Commissioner has explained that the Privacy Act is not intended to prevent organisations from using publicly available sources of information, but rather is intended to make the collection more transparent to the community at large. A particular focus of the Consultation Paper is whether the collection of publicly available personal information in circumstances where an individual either has no choice about whether their information is publicly available, or may not know that information about them is publicly available, constitutes 'fair' collection.

It is anticipated that the Consultation Paper will result in a non-binding information sheet to assist organisations to apply the Privacy Act and NPPs to the collection of personal information from publicly available sources.

Final rule for US medical privacy regulation

17 September 2002

The Bush administration has released the final modifications to the new federal medical privacy regulation (the 'Privacy Rule'). Entities covered by the Privacy Rule, including health care providers, pharmacies and health plans must, among other things: notify patients of their privacy rights, obtain an individual's prior written authorisation before using health information for marketing purposes, grant individuals access to their own medical records and limit disclosure of medical information to third parties (including employers or marketing groups). 

Despite these changes, the Privacy Rule arguably still makes it possible for health care providers to be remunerated for direct marketing to patients. The definition of direct marketing excludes advice from doctors and other covered entities regarding treatments and products. Under the Rule, health care providers are entitled to offer patients value-added items and services, discounts, and additional health plans without coming within the ambit of marketing.

There are a number of exemptions in the Rule. Entities covered by the Rule are entitled to make disclosures of protected health information to the Food and Drug Administration without authorisation from the individual; employment records are excluded from the definition of protected health information; and the Rule also exempts all covered entities from the minimum necessary standards for uses and disclosures for which an entity has received an authorisation.

The Privacy Rule will take effect for most covered entities on 14 April 2003.

DoubleClick reaches agreement with US Attorneys General regarding its privacy compliance

2 September 2002

DoubleClick has agreed to adhere to specific requirements regarding disclosure, data storage and data usage in an agreement it has reached with the Attorneys General of New York, Arizona, California, Connecticut, Massachusetts, Michigan, New Jersey, New Mexico, Vermont and Washington in the United States. The agreement ends the investigation by those Attorneys General into the company's information gathering practices.

Under the agreement, DoubleClick will adopt privacy-related restrictions which include:

  • collecting and using user data only in a manner consistent with the representations it made at the time of collection;
  • not sharing user data collected on behalf of one of its clients with any person other than that client or as directed by that client;
  • giving consumers access to their online profiles; and
  • retaining an independent third-party firm to conduct reviews to verify that it has complied with the terms of the agreement.

In addition to these restrictions, DoubleClick agreed to pay US$450,000 for the states' investigative costs and consumer education.

Privacy Commissioner Concerned about Bundled Consents

30 August 2002

The Privacy Commissioner has expressed strong concerns over information-gathering practices referred to as 'bundled consents', which include seeking a single consent for multiple uses and disclosures of personal information, vaguely-worded privacy statements and withholding of services unless a bundled consent is given. The Commissioner is of the view that such practices are 'contrary to the spirit of the Privacy Act' and that bundled consents diminish individuals' freedom of choice in that, among other things, they should not be forced to hand over personal information to receive a service. The Commissioner's office prepared a discussion paper in July for meetings with representative bodies from sectors including the financial, insurance and superannuation areas and the Commissioner has further indicated that if the issue is not resolved by discussion, it may be considered during the 2-year review of the Act. The main points of that paper are summarised below.

Multiple uses and disclosures are bundled together

Seeking consent to uses and disclosures that are not for primary or related purposes and not giving individuals a choice about each of those additional uses goes against the spirit of the Act.

Organisations should consider using disclosure where the uses or disclosures are within the range of primary or related purposes and seek consent to uses and disclosures that fall outside that range.

Vague statements on information uses and disclosures

Relying on consent to vague disclosures to comply with NPP 2 may not be satisfactory as the consent could be uninformed.

Organisations should include more information about the proposed uses and disclosures to make the statement meaningful.

Including consent to uses and disclosures in terms and conditions to provide service

A statement may be misleading, and the consent would then be not properly informed, if the service could in fact be provided without consent to all the uses disclosed.

It should be made clear which uses and disclosures are in fact essential to the provision of the service and offer a real choice about uses and disclosures that require consent.

Referring to related organisations

When referring to related organisations, a list of those organisations should be included or the reader should be referred to an accessible place where they can find that information (eg a web site).

Requiring consent to any overseas transfer of personal information without offering choice

Organisations should consider satisfying NPP 9 through other means than consent if a real choice is not offered. Alternatives include contractual provisions that give equivalent protection to the NPPs for personal information transferred overseas.

Including as a term and condition of receiving a service/product, that a person who provides personal information about another person agrees that they will tell the other person about the matters covered in the privacy statement

Organisations should consider reminding the person at the time of collecting the information that if they are providing information about another person, that person should be informed of NPP 1.3 matters, or the other person could be notified directly by the organisation collecting the information.

Using consent to broaden the listed disclosures to include all information the organisation and its related companies hold or will hold about the individual, regardless of when and how it is obtained

This practice may be improved by narrowing the consent to align it with reasonable expectations of how personal information is used or giving notice rather than requiring consent where disclosure is for the primary purpose or related purpose.

Providing opportunity to opt out of some marketing uses of personal information but not others

Such practice may be remedied by giving people a clear and easy option to take up or opt out of uses and disclosures that are not related to the purpose of collection or otherwise required.

Including as a term or condition of providing a service, consent to the collection of sensitive information, when there is no apparent reason for collecting such information

Organisations should only collect personal information that is necessary for one or more of its functions or activities. Statements should be drafted to match actual information handling needs, rather than trying to cover all bases.

The Federal Privacy Commissioner approves the Queensland Club Industry Privacy Code

12 August 2002 

The Federal Privacy Commissioner has approved the Queensland Club Industry Privacy Code. This is the second private sector privacy code to be approved following the amendments to the law which took effect on 21 December 2001. Clubs Queensland, the industry association and union of employers of all registered and licensed clubs in Queensland, drafted the code in consultation with the Office of the Federal Privacy Commissioner. The code outlines the obligations of member clubs in relation to the personal information of their members and patrons. These obligations impose at least a minimum standard consistent with the National Privacy Principles. The Federal Privacy Commissioner remains the complaint handler for the code while Clubs Queensland will be the code administrator. The code replaces the National Privacy Principles with respect to the organisations that choose to be bound by it.

Microsoft settles privacy complaint with the US Federal Trade Commission

12 August 2002

Microsoft has agreed to increase security around information it collects and improve its privacy practices, in accordance with an agreement it has reached with the US Federal Trade Commission (FTC) following an FTC investigation. The FTC focused on 4 information security problems with Microsoft's Passport service, an online authentication service which allows customers to use a single sign-in to access multiple web sites and undertake transactions. The FTC claimed that Microsoft had made misrepresentations concerning the overall security of the Passport system and the personal information stored on it; the security of online purchases; the kind of personal information Microsoft collects from Passport users; and the extent of control parents have over the information collected by web sites participating in the Kids Passport program. The FTC did not find, however, that any actual security breaches had taken place or that Microsoft had improperly shared information with other companies.

Microsoft has agreed that it will not make any further misrepresentations and will 'establish... a comprehensive information security program...that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected...'. For 5 years, Microsoft must provide the FTC with documents pertaining to the collection of personal information. Microsoft is bound by the agreement for 20 years. 

Privacy Commissioner proposes change to health information privacy law

8 August 2002 

Should you have the right to know if a relative is diagnosed with a genetic disease which you might also have the propensity to develop? Currently under the Privacy Act, a doctor or other organisation dealing with health information may not use or disclose that health information to a person other than the subject of the diagnosis unless the doctor or organisation has their consent or believes the release of the information will lessen or prevent a serious and imminent threat to an individual's health, life or safety. Where an individual may be at risk of contracting a genetic disease (for example, by having a relative diagnosed as a sufferer), however, the position is less clear. The Federal Privacy Commissioner has recently addressed this issue, saying yesterday, 'Balancing the privacy rights and wishes of the individual with the interests of their relatives (who may want to know if they are genetically predisposed to a disease) is not an easy task'.

The Commissioner went on to say that the role of the Privacy Act is to ensure the responsible handling of individuals' health information and was not designed to put people's lives at risk by restricting the flow of information, as has been recently alleged in the media. As such, the Commissioner has recommended, in a submission to the Joint Inquiry into the Protection of Human Genetic Information conducted by the Australian Law Reform Commission and the Australian Health Ethics Committee, that the Privacy Act be amended so such health information may be made available to persons who may be affected by it, but in limited circumstances, in accordance with appropriate guidelines and with the involvement of professionals such as genetic counsellors.

The Joint Inquiry is slated to release a discussion paper containing draft recommendations by this month, to hold public consultations on the paper in September and November and to deliver the final report to the Attorney General and the Minister for Health and Ageing by 31 March 2003.

Privacy web tools: P3P

1 August 2002

Bodies including the Information and Privacy Commissioner of Ontario, Canada are beginning to embrace web tools to promote individuals' privacy rights. Developed by the World Wide Web Consortium (W3C), P3P (the Platform for Privacy Preferences) is being promoted as a new world wide web protocol to automate user privacy protection on the web. It is essentially an electronic filter which enables users to specify minimum privacy compliance requirements in their internet dealings. P3P's goal is to increase user trust in the web by helping users to be informed about web site practices, simplifying the process of reading privacy policies. To achieve this, P3P provides a standard way for web sites to communicate their practices around the collection, use and distribution of personal information. P3P enables key information about what data is collected by a web site to be automatically conveyed to a user and can flag discrepancies between a site's practices and the user's preferences. It also includes a mandatory access element which discloses how (if at all) users can access personal data held by a web site. Additionally, it can be used by web sites with opt-in or opt-out policies. It is not, however, a comprehensive privacy compliance tool; it essentially discloses web site privacy practices in simple terms.

European Commission invites views on privacy legislation

1 August 2002 

The European Commission has launched an on-line questionnaire as part of the Interactive Policy Making Initiative (IP/01/519) in which views are invited on the implementation by Member States of the 1995 Data Protection Directive. The aim is to assess the operation of the Directive and any necessary changes by considering the views of diverse groups, including business, public authorities and private citizens. 

Two different questionnaires, one for data controllers (anybody who processes personal data) and one for data subjects (anybody whose personal data is processed), seek opinions on national data protection laws and their efficacy. 

Data subjects are asked for their opinions on the adequacy of data protection in their particular country, as well as any concerns raised by the use of their personal data. In contrast, the questionnaire for data controllers asks questions concerning that particular controller's compliance with data protection laws and their implementation of business processes in respect of those laws. 

Results of the questionnaire will be addressed by data protection experts at the Data Protection Conference later this year in Brussels, and compiled in the Commission's first report on the implementation of the Directive. 

Victorian Government acts on online photos

11 July 2002 

The Victorian Government intends to introduce reforms to make it a criminal offence to publish people's photos on the Internet without their consent. Earlier this month the Office of the Victorian Privacy Commissioner noted community concern in relation to unauthorised photos of young Victorians playing sport being published and linked to pornographic web sites.

It is not an offence to take photos or to possess photos of people in a public place. Under the Victorian Crimes Act, however, non-sexual photos of minors may fall within the definition of child pornography if the photos depict the children "in an indecent sexual manner or context". It is an offence to use an online service to transmit such "objectionable material" under Victorian law.

Currently the avenues of redress are limited to a 'take down' notice issued by the Australian Broadcasting Authority, and notifying the internet service providers or internet content hosts who are facilitating the availability of the unauthorised photos in a sexual context. 

A new Code of Practice for Hong Kong telcos

10 July 2002 

In brief: a new Code of Practice sets out voluntary standards for the Hong Kong telecommunications industry aimed at avoiding unauthorised disclosure of customer information.

Federal Privacy Commissioner's public education campaign

5 July 2002 

As foreshadowed by the Office of the Federal Privacy Commissioner earlier this year, the Commissioner is undertaking an "advertorial" campaign to "promote an Australian culture that respects privacy". The Commissioner wants to inform Australians about what privacy is, what a person's new privacy rights are under the amended Federal Privacy Act, and how that privacy can be protected by working with business, community groups and government. This public education program has already been launched in News Limited papers in several states, including NSW. The next advertorial will run in Victoria on Sunday, 4 August and will include contact information for consumers with privacy concerns and, importantly, a reminder to those small businesses that must comply with the Act of their forthcoming responsibilities after 21 December this year.

Victorian Health Records Act now in force

1 July 2002

The Victorian Health Records Act is in force as of 1 July 2002. The new law regulates the privacy of health information in the Victorian public sector for the first time. It will also affect private sector organisations in Victoria, but that effect will vary greatly, depending partly on whether an organisation already complies with the federal Privacy Act.

This is because, unlike the federal Privacy Act, the new Victorian Act does not exempt employee records or small businesses. So small businesses that hold health information, or any business that holds health information about its employees, may need to put new measures in place to comply with the new law.

But even Victorian businesses that already comply with the federal Privacy Act need to be aware that, although many of the new Act's Health Privacy Principles mirror the National Privacy Principles under the federal Privacy Act, there are also some significant differences. For example:

  • more of the Health Privacy Principles have a retrospective effect (that is, after 1 July they will affect health information collected even before the Act came into effect);
  • some of the provisions governing access to health information are different; and
  • there are provisions that will restrict the transfer of health information outside Victoria.

The Act will be administered by the Victorian Health Services Commissioner, who will have a wide range of powers, including the power to audit records of private sector organisations. The new Act also creates some new offences, and there are penalties of up to $300,000 for serious breaches of the law. 

EU Privacy legislation

25 June 2002

On 25 June 2002 the European Union's Environment Council adopted the Directive concerning the processing of personal data and the protection of privacy in the electronic communications sector, as amended by the European Parliament in May.

The Directive now awaits the signature of the President of the European Parliament, the President of the Council and the Secretary-General of each of the two bodies.

Member States are required to implement the provisions of the Directive in their domestic laws by October 2003.

The most controversial provisions of the new Directive are the following:

  • Member States may lift protection of data privacy in order to conduct criminal investigations or to safeguard public security in circumstances where it is a necessary and appropriate measure "within a democratic society";
  • consumers will have to opt-in prior to receiving any unsolicited commercial communications, whether via email, text messages, faxes or telephone calls;
  • use of location data collected from mobile telephone networks will be subject to express consent from the individual and temporary blocks should be available;
  • cookies may only be stored on an individual's computer and data collected by those cookies may only be retrieved and processed if the individual is provided with "clear and comprehensive" information about the purpose of the cookies; and
  • an individual may refuse to have a cookie stored on their computer or may object to the processing of the information so collected. 
Europe passes snoop measure

31 May 2002

The European Parliament has passed the Communications Data Protection Directive, which supporters say is necessary to combat future terrorism. The Directive must be approved by the 15 European Union member countries before it will come into effect. 

Commissioner releases more FAQs

30 May 2002

The Federal Privacy Commissioner has released more FAQs clarifying the application of the National Privacy Principles (NPPs) and the Privacy Act. The latest FAQs highlight the fact that the new private sector provisions of the Privacy Act do not apply to local councils or state or territory governments. (The existing FAQs relate to business, government, community and health issues.)

Under Section 6C of the Privacy Act, state or territory authorities or their prescribed instrumentalities (which include local councils) are not classified as organisations under the Act and, as a result, are exempt from the NPPs. 

However, some states do have their own privacy laws that cover state and local government bodies and there is scope under the Privacy Act for certain entities to be prescribed as organisations and therefore fall within the Privacy Act. 

Compromise on Directive for the protection of personal data and privacy in electronic communications

30 May 2002

The EU has agreed the terms of the new Directive for privacy protection in electronic communications, approving lenient regulation of data retention, cookies and spam. The scheme comes into effect by 2003.

Data retention

The Directive will allow data protection to be lifted to conduct criminal investigations or safeguard national or public security. It obliges EU member states to require ISPs and telcos to keep track of phone calls, Internet surfing, e-mails, faxes and even pager messages, for an unlimited time, in case the data is needed for investigations into illegal activity. This will allow open-ended surveillance of all users.

Despite the broad terms of the Directive, interception of electronic communications must still comply with the European Convention of Human Rights and Fundamental Freedoms and with the rulings of the European Court of Human Rights. 

Spam

Consumers must opt-in and consent to email communication before it is sent to them. Opt-in will be mandatory for commercial e-mail, faxes or telephone calls, but not for text messages. Each member state can decide whether to impose opt-in arrangements for text messaging.

The amendments also allow data already collected to be used for direct marketing purposes, provided the individual has been given the chance to opt-out of such an arrangement.

Location data

Mobile phone location data may not be used unless express user consent has been given. Users can bar the use of data about their location.

Cookies

Storing information on a user's computer and accessing this information is allowed "...on condition that the subscriber or user is provided with clear and comprehensive information in accordance with [the Data Protection Directive about] the purposes of the processing and is offered the right to refuse such processing". That is, users will have to be informed why cookies are being sent to a web site and given the opportunity to opt out.

Information Sheet 15 - Identifiers in the health sector   

30 May 2002

The Privacy Commissioner has released new information clarifying the adoption, use and disclosure of Commonwealth identifiers. 

The handling of Commonwealth government assigned identifiers, such as Medicare and Health Care numbers, is dealt with under National Privacy Principle 7. The purpose of NPP 7 is to prevent the use of Commonwealth government assigned identifiers as common identity numbers for individuals.

Individual identifiers are commonly used throughout the health sector and enhance the efficiency of data management. However, they also create certain privacy risks, as they can facilitate the bringing together of information about an individual from different sources.

For more about how organisations can use health information see our health site.

State instrumentalities prescribed under the Privacy Act

29 May 2002

Four NSW authorities have been prescribed as organisations by the Privacy (Private Sector) Amendment Regulations 2002 (No 1). They are:

  • Australian Inland Energy and Water Infrastructure;
  • Country Energy;
  • Energy Australia; and
  • Integral Energy Australia.

Section 6F of the Privacy Act allows state instrumentalities to be classified and treated as organisations and become subject to the private sector amendments to the Privacy Act. 

AMWU releases model email/internet policy

28 May 2002

The Australian Manufacturing Workers' Union has released an Internet and email policy to be included in future enterprise agreements.

The policy - which is aimed at employers who attempt to regulate the use of Internet resources in the workplace - sets out a framework to clarify workers' rights.

The AMWU has also prepared a draft electronic facilities agreement to clarify delegates' rights in relation to the use of their employer's email for union or non-business purposes. This provides for delegates and employees to be able to use Internet facilities to send and receive emails or visit websites as long as this "does not detract from their job responsibilities". 

If an employer accepts the policy, they will be required to advise the union that they intend to monitor a worker's emails or internet use. Under the policy, an employer may only do this if they have a reasonable belief that an employee has committed a serious offence.

For more see the Commissioner's Guidelines on workplace email, web browsing and privacy. 

EU investigates Microsoft

27 May 2002

The European Commission is investigating Microsoft's .NET Passport system to assess whether it is compatible with EU data protection law. The system stores personal information about users on its servers so that users do not have to re-enter their personal details when they move to new websites.

Obligations placed on companies operating in the EU in regard to personal data include:

  • ensuring that data is collected for a specific, legitimate purpose; and
  • informing users of the identity of:
    - the controller of the data;
    - the purpose of collection; and 
    - the rights of the individual in relation to the data. 

Microsoft is a signatory to the Safe Harbour agreement, but this may not provide adequate protection. The Commission is investigating whether European Union rules apply to databases outside the Union, and expects to report before the end of the year.

Transurban off the hook

24 May 2002

The Privacy Commissioner has given the operator of Melbourne's CityLink freeway, Transurban, a thumbs up following a recent own motion investigation of Transurban's privacy compliance by the Commissioner's office. Late last year the Commissioner announced an investigation into Transurban after up to 12,000 customers' credit card details were stolen from the company in 2000. The breach raised questions about Transurban's computer security measures and privacy practices generally. 

The Commissioner's office found that Transurban's policies and procedures were reasonable and it was the actions of an ex-employee which resulted in the disclosure. However, a risk assessment by the Commissioner's office has identified some steps which Transurban can take to reduce the risk of a further incident.

Bundled consents

23 May 2002 

The Federal Privacy Commissioner has expressed concern regarding the practice by organisations of requiring bundled consents from consumers. 

Organisations are using bundled consents to require an individual to consent to other uses of their information, which are not relevant to the transaction in question, as a condition of providing the service. 

The Commissioner said that consent for the collection, use and disclosure of one's personal information should always be given freely and voluntarily: it should not be conditional upon the individual giving consent for any other form of information handling practice. The Commissioner also flagged that this issue would be pursued through dialogue with industry organisations and would be one of the issues considered in the two year review if it remained problematic.

DoubleClick settles

21 May 2002 

The US District Court for the Southern District of New York has confirmed a preliminary settlement in a class action brought against DoubleClick for infringing the privacy rights of its users. The law suit asserted that DoubleClick was tracking users' personal information, without permission, and combining this with information about their net habits to send targeted advertising to those individuals.

The settlement requires that DoubleClick obtain opt-in consent from users before cross-checking the personal information of users against their habits. DoubleClick is also required to delete information it collects which may personally identify individual users. 

Employee records exemption

21 May 2002

The Federal Privacy Commissioner has warned both employers and recruiting employers to take care in the way that they handle access requests to a former or potential employee's record. The Commissioner indicated that neither of them will be able to avoid their privacy obligations to individuals by using confidentiality agreements when exchanging references.

While the Privacy Act exempts employers in the way that they handle a former or current employee's information where that handling is directly related to the employment relationship, this exemption is not without limits:

  • it does not extend to new recruits; and
  • to be exempt, the employer's act in handling the information must be directly related to the current or former employment relationship.

Recruiting employers who deny potential employees access to their records may risk violating privacy obligations.

Inaccurate references can adversely affect an individual's chances of employment and the Privacy Commissioner has indicated that it is important that employees are able to access their records to ensure that information - such as referee reports - is accurate.

Privacy Commissioner's public awareness campaign

3 May 2002 

The Office of the Federal Privacy Commissioner has started its campaign to educate the public about individuals' rights under the new privacy laws by issuing "Your Privacy Rights". Your Privacy Rights summarises an individual's rights under the Privacy Act 1988, including:

  • the rights an individual has when those rights are breached;
  • how to complain;
  • the process the Commissioner will follow to resolve complaints;
  • complaint procedures and privacy laws relating to private sector organisations, Commonwealth and ACT government bodies, and credit providers and credit reporting agencies;
  • information on the collection and use of tax file numbers;
  • the use of data matching by government bodies; and
  • discrimination on the basis of spent convictions.

The Commissioner has also issued a release entitled "My Privacy My Choice - Your New Privacy Rights", which summarises the National Privacy Principles and overviews the public bodies involved in the protection of privacy.

First private sector privacy code approved

17 April 2002

The Federal Privacy Commissioner has approved Australia's first private sector privacy code. The code, which was submitted by the Insurance Council of Australia (ICA), covers the general insurance industry. A code can only be approved by the Commissioner if, overall, its standards are at least the same as the National Privacy Principles. 

The ICA has sought to ensure that the code can operate as a compliance mechanism for:

  • organisations in the general insurance industry; 
  • organisations involved in business related to the general insurance industry; and 
  • general insurers in the conduct of other business carried on as part of their wider services. 

Organisations that choose to commit to the code do so by a formal Deed of Adoption. One aspect of the code that may encourage organisations to sign up is that complaints will in the first instance be handled by the Privacy Compliance Committee (a committee set up under the code) rather than the Privacy Commissioner. Even so, the Commissioner retains the power to review the determinations of an adjudicator appointed under an approved privacy code.

Spam under examination by the National Office for the Information Economy

9 April 2002

The National Office for the Information Economy (NOIE) will be examining ways to counter the problem of unsolicited bulk messages (spam). As part of its examination of the effectiveness of actual and possible counter-measures, NOIE is:

  • conducting an on-line questionnaire (deadline 19 April 2002);
  • consulting with the community and key stakeholder groups;
  • publishing a discussion paper; and
  • conducting round-table discussions with interested parties.

Some of the counter-measures under review include:

  • awareness raising for consumers and internet providers;
  • commercial and self-regulatory practices for Internet Service Providers;
  • enforcement of existing laws; and
  • possible new laws. 

It is expected that NOIE will make the findings of its review public by mid-year.

Minnesota Privacy Bill of Rights

9 April 2002

A Privacy Bill currently in the Minnesota Legislature would prevent Internet Service Providers from selling mailing lists or disclosing personal information about customers in Minnesota. The Bill, in its current form, automatically prohibits ISPs from disclosing personal information unless they first obtain the customer's permission.

Focus: Privacy

08 April 2002

Senior Associate Jackie Lyne looks at the increased power and range of regulators of the new privacy regime in the light of a recent collaboration between two Federal bodies.

Colorado Supreme Court refuses to force bookstore owner to divulge buyers to police

8 April 2002 

The Colorado Supreme Court has ruled unanimously that a local Denver bookstore does not have to turn over customer sales records to police to help them determine who bought two books on how to make illegal drugs. The Court found that the First Amendment and the Colorado Constitution "protect an individual's fundamental right to purchase books anonymously, free from governmental interference". The decision overturns a ruling by a Denver state appellate court judge, which ordered the bookstore to give records of the sale to the Denver drug task force.

The Supreme Court held that a pre-seizure hearing had to be held before a search warrant could be issued on a bookstore. It was further held that the Colorado Constitution requires that the search warrant will only be issued if law enforcement officials show a sufficiently compelling need for the specific customer purchase record sought.

The police investigators in this case argued that the buyer's identity was critical to their investigation of a methamphetamine lab. The Court found that the police investigators' need for the book purchase record was not sufficiently compelling to outweigh the likely harm which would result from issuing the search warrant.

Anti-terrorism legislation a danger to email privacy protection?

2 April 2002

The Senate Legal and Constitutional Legislation Committee is currently reviewing a number of anti-terrorism Bills and is expected to release its report on Friday 3 May 2002. It is holding a public inquiry on 8 April 2002.

Among the Bills to be considered is the Telecommunications Interception Legislation Amendment Bill 2002, which some privacy experts say endangers fundamental privacy rights. If passed, the Bill will increase police powers to intercept telecommunications, in particular emails. The aim of the Bill is to trace telecommunications involving terrorism, child pornography and serious arson offences.

Civil liberties organisation Electronic Frontiers Australia (EFA) is opposing the Bill on a number of grounds. EFA's main concern is that the wording of the Bill is confusing. It will be seeking changes to the Bill to ensure that email is afforded the same legal status as telephone calls in regard to interception warrants.

Federal Privacy Commissioner's plans

April 2002

The Office of the Federal Privacy Commissioner is currently planning its key activities for the next two years.

In doing so, the Office plans to concentrate on the following issues over the next two years:

  • the Privacy Commissioner's functions under the Privacy Act;
  • the number and nature of complaints received;
  • identifying significant privacy issues for Australia and overseas;
  • implementation of the new privacy legislation by businesses, consumers and privacy service providers; and
  • the Office's community attitudes research. 

For more information see the Office's Strategic Plan.

DoubleClick publishes settlement agreement

29 March 2002

Online advertising giant DoubleClick has published a settlement agreement which, if successful, will resolve class actions pending against the company in various US states over its handling of personally identifiable consumer data.

Under the terms of the agreement DoubleClick agreed to take steps to educate consumers about its use of electronic "cookies" and its practices regarding personally identifiable data. The company has also vowed to routinely purge old data collected online. Privacy advocates are challenging the adequacy of the agreement because it does not offer customers access to the data DoubleClick collects about them.

The matter will be heard before a Federal Judge in May of this year.

Biometrics & the federal privacy regime

20 March 2002 

The Federal Privacy Commissioner presented a speech entitled Biometrics and Privacy - The End of The World as We Know It or The White Knight of Privacy at a biometrics conference in Sydney. The speech outlined the implications of the Privacy Act for collecting and processing biometric information. Biometric information includes fingerprinting, DNA and voice, hand, face and keystroke recognition. As biometric information may be classified as personal information, the Act will apply where this information is handled.

During his speech, the Privacy Commissioner discussed how the increasing use of biometric technology for authentication purposes has the potential to operate as 'privacy enhancing' or 'privacy intrusive' technology. 

The Privacy Commissioner outlined several benefits of biometric technology, including protection against identity theft and a reduction in the number of access passwords people need to remember. However, biometric information carries privacy risks, such as the potential for covert collection or for data being used for unauthorised purposes. In the Commissioner's supporting paper he expressed the view that Australian organisations need to consider privacy enhancement when acquiring biometric technology. Meanwhile, technology developers need to be mindful of privacy protection mechanisms to ensure that personal information is adequately protected.

The Commissioner said the Act may need to be reviewed in the future to keep abreast of biometric technological change.

New UK Code of Practice for protection of employment information

20 March 2002 

The UK Office of the Information Privacy Commissioner has released the first part of a new four part Code of Practice called the Employment Practices Data Protection Code of Practice. Part 1, Recruitment and Selection, explains how organisations can ensure compliance with the Data Protection Act 1998 (UK) in the context of recruitment and selection.

Part 1 of the code concerns personal information that employers collect and retain on potential, current or prior employees, agency workers, casual workers and contract workers. It gives guidance on issues such as obtaining and storing information about workers and accessing and disclosing records. It also gives benchmarks for advertising jobs, dealing with job applications, verifying details supplied by applicants, and short listing and interviewing applicants.

The three additional parts of the code, dealing with employment records, monitoring at work and medical information respectively, will be published at monthly intervals. The code will not be formally published until all four parts of the code have been completed, but the substantive content of the Code is not expected to change.

ACCC and Privacy Commissioner join forces

12 March 2002 

The Australian Competition and Consumer Commission (ACCC) and the Office of the Federal Privacy Commissioner (FPC) signed a memorandum of understanding (MOU) on 12 March 2002.

The MOU is aimed at facilitating cooperation and coordination between the ACCC and the FPC's office. The MOU:

  • provides a framework for cooperation when the responsibilities of the ACCC and the FPC overlap; and
  • enables the two Agencies to conduct joint training, education, promotion and enforcement activities. 

Each Agency may also agree to participate in the conduct of investigations or litigation through a joint task force if the Agencies agree that this is likely to be more effective than separate examinations.

The MOU will remain in force for a period of two years until 11 March 2004 and may be extended with the agreement of the two Agencies. For more, see Allens' Focus: Privacy, April 2002.

Pathology labs must meet privacy standards

12 March 2002

The Minister for Health and Ageing, Senator Kay Patterson, has announced that pathology laboratories that fail to meet stringent standards relating to the use of personal information and the handling of test results face being named publicly.

The comments follow the bungle by two pathology labs, one in New South Wales and the other in Victoria, that released incorrect results to a number of patients. Senator Patterson has directed her Department to work with the National Association of Testing Authorities (NATA) and the College of Pathologists to ensure that laboratories which do not meet the standards be identified and pursued, and patients and doctors be notified promptly.

 

Commissioner releases more FAQs

27 February 2002 

The Privacy Commissioner has released two more sets of FAQs:

  • Business FAQs, which provide information to business about alternative dispute resolution schemes, including requirements over:
    - collecting sensitive information about third parties;
    - notification, use and disclosure of a third party's information; and
    - access to personal information.
  • Community FAQs, which cover the application of the NPPs and the Privacy Act to counselling services offered by charitable and welfare organisations, sporting clubs, private schools and colleges.

Any questions for the Office of the Privacy Commissioner should be sent to privacy@privacy.gov.au. The Commissioner's office plans to update the FAQs on a regular basis.
