Archive 2002
- Focus: Privacy 17 December 2002
- Small business compliance time 17 December 2002
- Consultation on Credit Reporting Determination 2002 No 1 13 December 2002
- Department of Family and Community Services breaches the Privacy Act 9 December 2002
- EFA submissions to ACA on ENUM protocol 2 December 2002
- Privacy Commissioner comments on privacy and electronic media 14 November 2002
- EU Consults on Protection of Workers' Personal Data 13 November 2002
- Information Sheet on Sale of Business 28 October 2002
- Model's privacy claim denied 22 October 2002
- NSW Health Records and Information Privacy Act assented to 8 October 2002
- US companies want privacy laws relaxed 8 October 2002
- Amazon plans to revamp its privacy policy 27 September 2002
- Privacy Commissioner releases paper on publicly available information 17 September 2002
- Final rule for US medical privacy regulation 17 September 2002
- DoubleClick reaches agreement with US Attorneys General regarding its privacy compliance 2 September 2002
- Privacy Commissioner concerned about Bundled Consents 30 August 2002
- The Federal Privacy Commissioner approves the Queensland Club Industry Privacy Code 12 August 2002
- Microsoft settles privacy complaint with the US Federal Trade Commission 12 August 2002
- Privacy Commissioner proposes change to health information privacy law 8 August 2002
- Privacy web tools: P3P 1 August 2002
- European Commission invites views on privacy legislation 1 August 2002
- Victorian Government acts on online photos 11 July 2002
- A new Code of Practice for Hong Kong telcos 10 July 2002
- Federal Privacy Commissioner's public education campaign 5 July 2002
- Victorian Health Records Act now in force 1 July 2002
- EU Privacy legislation 25 June 2002
- Europe passes snoop measure 31 May 2002
- Commissioner releases more FAQs 30 May 2002
- Compromise on Directive for the protection of personal data and privacy in electronic communications 30 May 2002
- Information Sheet 15 - Identifiers in the health sector 30 May 2002
- State instrumentalities prescribed under the Privacy Act 29 May 2002
- AMWU releases model email/internet policy 28 May 2002
- EU investigates Microsoft 27 May 2002
- Transurban off the hook 24 May 2002
- Bundled consents 23 May 2002
- DoubleClick settles 21 May 2002
- Employee records exemption 21 May 2002
- Privacy Commissioner's public awareness campaign 3 May 2002
- First private sector privacy code approved 17 April 2002
- Spam under examination by the National Office for the Information Economy 9 April 2002
- Minnesota Privacy Bill of Rights 9 April 2002
- Focus: Privacy 8 April 2002
- Colorado Supreme Court refuses to force bookstore owner to divulge buyers to police 8 April 2002
- Anti-terrorism legislation a danger to email privacy protection? 2 April 2002
- Federal Privacy Commissioner's plans April 2002
- DoubleClick publishes settlement agreement 29 March 2002
- Biometrics & the federal privacy regime 20 March 2002
- New UK Code of Practice for protection of employment information 20 March 2002
- ACCC and Privacy Commission join forces 12 March 2002
- Pathology labs must meet privacy standards 12 March 2002
- Commissioner releases more FAQs 27 February 2002
- Canada breaches Privacy Act 25 February 2002
- Minnesota considers Internet privacy legislation 25 February 2002
- Commissioner releases FAQs 22 February 2002
- Canadian Privacy Commissioner issues statement on Blood Samples Bill 21 February 2002
- Privacy no obstacle to parents receiving school reports 20 February 2002
- Commissioner considers privacy solutions for doctors 14 February 2002
- Privacy Commissioner considers public interest determinations 14 February 2002
- EC releases FAQs on transborder data flows 13 February 2002
- EC reports on Safe Harbour agreement 13 February 2002
- Vermont's new privacy 'opt-in' laws (USA) 11 February 2002
- Canada - video surveillance and privacy rights 7 February 2002
- Attorney-General commits to privacy laws 5 February 2002
- Singapore launches voluntary Internet privacy codes 5 February 2002
- Ontario's draft privacy legislation released 5 February 2002
- Safe business shopping site ensures consumer privacy protection 4 February 2002
- Report on privacy standardisation in Europe February 2002
- Privacy group to unveil new email privacy seal program 31 January 2002
- Privacy software pre-installed on Hewlett-Packard computers 31 January 2002
- The latest on ACIF working committees 25 January 2002
- US controversy over personal data collection post Sept 11 24 January 2002
- EU issues transborder data transfer clauses 23 January 2002
- Anti-spam proposal 22 January 2002
- FTC targets telemarketers 22 January 2002
- Privacy lessons from Eli Lilly Case 18 January 2002
- Canada makes EU "approval list" 14 January 2002
Focus: Privacy
17 December 2002
Important Commonwealth private sector privacy laws, which will impose new obligations on small businesses, commence on 21 December 2002. Lawyer Damien van der Toorn examines which small businesses will be covered, how they are likely to be affected, and what they should be doing to comply. View publication; download pdf version (56KB)
Small business compliance time
17 December 2002
The Federal Privacy Commissioner has issued a timely reminder that from 21 December 2002 some small businesses (businesses having an annual turnover of $3 million or less) will be expected to comply with the private sector provisions of the Privacy Act 1988 (Cth). While the Privacy Act contains a general exemption for small business operators (which will continue to apply beyond 21 December 2002), small businesses which:
- are health service providers; or
- trade in personal information; or
- are related to a business with an annual turnover of greater than $3 million; or
- are contractors to Commonwealth agencies,
will need to comply with the Act from 21 December 2002 onwards.
The Office of the Federal Privacy Commissioner has published a number of documents detailing the impact of the Privacy Act on small business.
Consultation on Credit Reporting Determination 2002 No 1
13 December 2002
The Office of the Federal Privacy Commissioner has placed on its website a list of the recent written submissions to the Review of Credit Reporting Determination 2002 No 1 (Classes of Credit Providers) made by organisations during the consultation process. Safeguards relating to consumer credit reporting are provided by Part IIIA of the Privacy Act which governs the management of credit reports and credit worthiness information. Credit reporting determinations were additionally issued by the Commissioner with one of the determinations dealing with the classes of credit providers for the purposes of the Act. The Commissioner declared that this determination should be subject to further review following 'responses from interested consumer and credit industry bodies as to its operation.'
Of significant concern is whether the access to the credit reporting system (and the access to information of individuals contained within it) should be changed to ensure compliance with the credit reporting rules. The Consumer Protection Unit of Legal Aid Queensland stated that 'access to credit reporting should be tightened to ensure compliance with the original intention of Parliament as the current definition...is too broad.' The ACCC suggested that confining the definition of 'credit provider' is an appropriate response if certain listed conditions could not be met to guarantee compliance. Alternatively, the Australian Finance Conference submitted that there is no evidence to indicate that a 'narrowing of the classes of non-traditional credit providers' is required. This position is supported by the Australian Collectors Association which stated that changes should only be made to allow increased access. The Australian Privacy Foundation recommended that a 'survey of credit providers who have been operating under the Determination' should be urgently carried out to put interested parties in a better position to decide if and how the determination should be amended.
Department of Family and Community Services breaches the Privacy Act
9 December 2002
The Federal Privacy Commissioner has found that the Department of Family and Community Services (the Department) has breached the Privacy Act. The Department manages a website named 'The Source' and ran an online competition on it earlier this year. The website editor sent marketing emails to competition entrants on behalf of RMIT students who were undertaking a project to send spiders into space with NASA. There were no formal complaints made regarding the misuse of entrants' details but the Commissioner used its own investigative powers under Part V of the Privacy Act to examine the practices of the website operators, finding a breach of Information Privacy Principle 10.1 (ie that personal information can only be used for the particular purpose it was obtained; the equivalent restriction on private sector organisations is NPP2.1).
The Department has apologised to the persons involved and to ensure that the breach is not repeated, it has undertaken to: complete a privacy audit of its websites, clarify the website privacy statements, destroy the database with the website visitor details, simplify links so that individuals understand which site their information is being supplied to, train staff in privacy awareness and appoint a privacy contact officer. This gives a helpful indication of the type of remedial steps the Commissioner might require of an organisation if it breaches the Act.
EFA submissions to ACA on ENUM protocol
2 December 2002
Electronic Frontiers Australia Inc (EFA), an organisation concerned with online rights and freedoms, has recently made submissions to the Australian Communications Authority about EFA's concerns with the ENUM protocol. The ENUM system converts telephone numbers into a Uniform Resource Identifier, with the current system requiring individuals' personal information to be made publicly accessible on the Internet. EFA doubts whether sufficient privacy protection can be afforded to telephone and Internet users and is concerned that the implementation of the system has serious implications for national infrastructure security. In its submissions, EFA suggests that greater attention needs to be focussed on building privacy-protective mechanisms into ENUM's technical design. Furthermore, EFA has submitted that the relevant privacy legislation needs to be analysed and potentially amended to ensure that personal information in an ENUM database is protected.
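To make the privacy concern concrete, here is an added example (not part of the EFA submissions or this newsletter) of the ENUM mapping itself: an E.164 number is reversed into a name under the public e164.arpa DNS zone, and the NAPTR records found there rewrite it into the subscriber's contact URIs. The zone contents, number and URIs are constructed for illustration; the regexp handling assumes the NAPTR field syntax (delimiter, pattern, replacement, flags).

```python
"""ENUM lookup walk-through: phone number -> public DNS name -> contact URIs."""
import re

ENUM_ZONE = "e164.arpa"


def e164_to_enum_domain(number, zone=ENUM_ZONE):
    """Turn '+61 2 9999 0000' into '0.0.0.0.9.9.9.9.2.1.6.e164.arpa'.

    The digits are reversed, dot-separated and suffixed with the zone; the
    result is an ordinary DNS name that anyone on the Internet can query.
    """
    if not number.strip().startswith("+"):
        raise ValueError("ENUM requires a full international E.164 number")
    digits = re.sub(r"\D", "", number)
    if not digits:
        raise ValueError("no digits in number")
    return ".".join(reversed(digits)) + "." + zone


def apply_naptr_regexp(naptr_regexp, target):
    """Apply a NAPTR 'regexp' field of the form !pattern!replacement!flags."""
    delim = naptr_regexp[0]
    parts = naptr_regexp[1:].split(delim)
    if len(parts) < 3:
        raise ValueError("malformed NAPTR regexp field")
    pattern, replacement, flags = parts[0], parts[1], parts[2]
    compiled = re.compile(pattern, re.IGNORECASE if "i" in flags else 0)
    match = compiled.search(target)
    if match is None:
        return None
    # Back-references (\1 etc.) in the replacement are expanded from the match
    return match.expand(replacement)


# Constructed sample zone: what a subscriber's ENUM entry would publish.
# Each record is (order, preference, flags, service, regexp).
SAMPLE_ZONE = {
    "0.0.0.0.9.9.9.9.2.1.6.e164.arpa": [
        (100, 20, "u", "E2U+email", "!^.*$!mailto:alice@example.com!"),
        (100, 10, "u", "E2U+sip", "!^.*$!sip:alice@example.com!"),
        (200, 10, "u", "E2U+h323", "!^.*$!h323:alice@example.com!"),
    ],
}


def resolve_enum(number, zone_data=SAMPLE_ZONE):
    """Return the contact URIs ENUM publishes for a number, in NAPTR order.

    An empty list means the number has no ENUM entry in the sample zone.
    """
    name = e164_to_enum_domain(number)
    records = sorted(zone_data.get(name, []), key=lambda r: (r[0], r[1]))
    uris = []
    for _order, _pref, _flags, _service, regexp in records:
        uri = apply_naptr_regexp(regexp, "+" + re.sub(r"\D", "", number))
        if uri is not None:
            uris.append(uri)
    return uris


if __name__ == "__main__":
    for uri in resolve_enum("+61 2 9999 0000"):
        print(uri)
```

The lookup needs nothing but the phone number, which is the point the submissions make: whatever a subscriber places in the zone is visible to anyone who can do a DNS query.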
Privacy Commissioner comments on privacy and electronic media
14 November 2002
The Federal Privacy Commissioner has reiterated the need for organisations to exercise particular care when marketing to individuals using electronic media, such as email and SMS. In a recent address to the Australian Direct Marketing Association, the Commissioner identified organisational disclosure, customer consent and information security as the danger areas in electronic marketing. The Commissioner recommended that, in all marketing communications to an individual, an organisation should:
- identify the source of the personal information;
- provide an effective means for the individual to opt-out from future communications (and record who has opted out); and
- clearly identify material as marketing material (for example, by inserting the term 'marketing' into the subject line of emails).
The Commissioner also reminded organisations that the Privacy Act has equal application in the electronic environment and to consider all aspects of privacy when using new media.
EU Consults on Protection of Workers' Personal Data
13 November 2002
At the end of October the European Commission (EC) commenced consultations with employer and employee representatives with a view to establishing a European framework for the protection of workers' personal data. The EC cites the lack of employment specific regulation at the European level, the effect of technology on collection of personal data and the need to provide consistent regulations across the European Community as the key drivers of this proposal. The proposed data protection framework addresses issues including:
- whether an employer should be able to rely on a worker's consent to collection, given the nature of the employment relationship;
- the need to inform and consult workers' representatives before commencing or altering data collection practices;
- clarifying permissible collection and use purposes in the employment context;
- the special requirements associated with sensitive data including health, genetic and drug testing data; and
- the monitoring and surveillance of workers, particularly by electronic means, and when and to what extent such activities are permissible.
The consultation paper is available from http://europa.eu.int/
Information Sheet on Sale of Business
28 October 2002
The Federal Privacy Commissioner has issued a new Information Sheet to
provide guidance to organisations involved in the sale or purchase of a business
in relation to their obligations under the Privacy Act 1988 (Cth). The Information
Sheet considers the application of relevant NPPs in the context of personal
information transferring from a vendor to a prospective purchaser during the
process of due diligence and then from a vendor to the actual purchaser on completion.
The Commissioner states in the Information Sheet that vendors and prospective
purchasers must take reasonable steps to protect personal information from unlawful
access, modification, use or disclosure during the due diligence process. To this end,
the Commissioner provides "tips" for due diligence protocols.
The Commissioner also holds that no obligations will arise on completion if
a business is sold by way of share acquisition. If, on the other hand, a company's
assets are sold off, the vendor and the actual purchaser must then comply with the
relevant NPPs. The Commissioner provides examples of, and tips in relation to,
the application of the NPPs in this context. For example, the Commissioner notes that,
where a transfer of customer information will result in changes to the way that
that information is used or disclosed, a vendor organisation will need to obtain
the consent of the customers for the disclosure of that information on completion
and should not assume that such disclosure is within the customers' reasonable
expectations.
Model's privacy claim denied
22 October 2002
The United Kingdom Court of Appeal upheld the Daily Mirror's appeal
against an earlier High Court ruling in favour of Naomi Campbell over a
February 2001 report about Campbell's attendance at Narcotics Anonymous meetings.
Campbell claimed that the newspaper's story and photographs amounted to a breach
of confidence and a violation of the
Human Rights Act (UK) and the Data Protection Act (UK).
A crucial element to the appeal was the fact that Campbell publicly denied using drugs.
Lord Phillips acknowledged that while celebrities' personal lives should not be
'laid bare by the media', it was in the public interest for the media to indicate
that a public figure had been deceiving the public in instances where public figures
had made false representations about their private lives. Publishing stories in the
public interest is a journalism exemption under the Data Protection Act (UK).
NSW Health Records and Information Privacy Act assented to
8 October 2002
The Health Records and Information Privacy Act 2002 (NSW) was assented to on 25 September 2002. The Act proposes to promote fair and responsible handling of individuals' health information by health service providers in both the public and the private sectors in New South Wales. It provides 15 Health Privacy Principles and also for the making of health privacy codes of practice. Complaints will be handled by the NSW Privacy Commissioner and ultimately the Administrative Appeals Tribunal. Like the Federal Privacy Act, there is a small business exemption (with a A$3m threshold) and an employee record exemption. The commencement of the Act is to be by proclamation in approximately 12 months, according to the NSW Privacy Commissioner. This time period is required to initiate training programs and regulations necessary to establish, for example, standard documentation and access to databases, said the Commissioner.
US companies want privacy laws relaxed
8 October 2002
The Global Privacy Alliance (GPA), a group of US companies including IBM,
Oracle, VeriSign and General Motors, has submitted a position paper to the
European Commission regarding the implementation of the 1998 EU Data Protection
Directive. The paper outlines 4 areas where it is perceived that the free flow
of information is inhibited by the privacy rules and the GPA suggests a review be
undertaken of the law in relation to these areas. They are: cross-border transfers,
the scope of applicable laws, information-sharing between related companies and
business contact information. In particular, it is suggested that cross-border
data flows be simplified, that a 'clear and workable criteria for determining the
legal regime applicable to data processing activities' be established, that the
transfer of data among affiliates in certain circumstances be permitted, and only
truly 'personal' data be regulated rather than business contact data. It was
expected that the GPA's observations would be raised at the European Commission's
data protection conference which took place last week.
Amazon plans to revamp its privacy policy
27 September 2002
Amazon has agreed to revise its privacy policy following meetings and discussions
with US state regulators from 13 states. The revision was also prompted by customer
concerns about the privacy of their personal information. Amazon will clarify the
situations in which customer information is shared or sold; provide a more detailed
list of the companies with which Amazon offers jointly branded or co-branded products;
and provide more information on the variety of customer information that is collected
from other sources. These changes are aimed at making Amazon's privacy policy more
transparent to customers, although the agreement is non-binding. Critics claim
that Amazon has still failed to address the issue that initiated the talks about
policy change, that is, whether Amazon can sell customer lists as an asset sale.
Additionally, customers still cannot view all their personal data and cannot
delete the records.
Privacy Commissioner releases paper on publicly available information
17 September 2002
There has been a strong public reaction to the Office of the Federal Privacy Commissioner's recent Consultation Paper discussing the application of the Privacy Act to publicly available information. The Consultation Paper was released in response to public concern regarding the use of information available from public sources such as telephone directories, electoral rolls and other public registers, and seeks to limit the extent to which personal information collected from publicly available sources can be circulated without the individual's knowledge or consent.
The Fundraising Institute Australia has claimed that the proposals set out in the Consultation Paper would prohibit charities and commercial organisations collecting information from publicly available sources. The Deputy Commissioner has explained that the Privacy Act is not intended to prevent organisations from using publicly available sources of information, but rather is intended to make the collection more transparent to the community at large. A particular focus of the Consultation Paper is whether the collection of publicly available personal information in circumstances where an individual either has no choice about whether their information is publicly available, or may not know information about them is publicly available information, constitutes 'fair' collection.
It is anticipated that the Consultation Paper will result in a non-binding information sheet to assist organisations apply the Privacy Act and NPPs to the collection of personal information from publicly available sources.
Final rule for US medical privacy regulation
17 September 2002
The Bush administration has released the final modifications to the new federal medical privacy regulation (the 'Privacy Rule'). Entities covered by the Privacy Rule, including health care providers, pharmacies and health plans must, among other things: notify patients of their privacy rights, obtain an individual's prior written authorisation before using health information for marketing purposes, grant individuals access to their own medical records and limit disclosure of medical information to third parties (including employers or marketing groups).
Despite these changes, the Privacy Rule arguably still makes it possible for health care providers to be remunerated for direct marketing to patients. The definition of direct marketing excludes advice from doctors and other covered entities regarding treatments and products. Under the Rule, health care providers are entitled to offer patients value-added items and services, discounts, and additional health plans, without coming within the ambit of marketing.
There are a number of exemptions in the Rule. Entities covered by the Rule are entitled to make disclosures of protected health information to the Food and Drug Administration without authorisation from the individual, employment records are excluded from the definition of protected health information, and the Rule also exempts all covered entities from the minimum necessary standards for uses and disclosures for which they have received an authorisation.
The Privacy Rule will take effect for most covered entities on 14 April 2003.
DoubleClick reaches agreement with US Attorneys General regarding its privacy compliance
2 September 2002
DoubleClick has agreed to adhere to specific requirements regarding disclosure,
data storage and data usage in an agreement it has reached with the Attorneys General
of New York, Arizona, California, Connecticut, Massachusetts, Michigan, New Jersey,
New Mexico, Vermont and Washington in the United States. The agreement ends the
investigation by those Attorneys General into the company's information gathering practices.
Under the agreement, DoubleClick will adopt privacy-related restrictions which include:
- collecting and using user data only in a manner consistent with the representations it made at the time of collection;
- not sharing user data collected on behalf of one of its clients with any person other than that client or as directed by that client;
- giving consumers access to their online profiles; and
- retaining an independent third-party firm to conduct reviews to verify that it has complied with the terms of the agreement.
In addition to these restrictions, DoubleClick agreed to pay US$450,000 for the
states' investigative costs and consumer education.
Privacy Commissioner Concerned about Bundled Consents
30 August 2002
The Privacy Commissioner has expressed strong concerns over information-gathering practices referred to as 'bundled consents', which include seeking a single consent for multiple uses and disclosures of personal information, vaguely-worded privacy statements and withholding of services unless a bundled consent is given. The Commissioner is of the view that such practices are 'contrary to the spirit of the Privacy Act' and that bundled consents diminish individuals' freedom of choice in that, among other things, they should not be forced to hand over personal information to receive a service. The Commissioner's office prepared a discussion paper in July for meetings with representative bodies from sectors including the financial, insurance and superannuation areas and the Commissioner has further indicated that if the issue is not resolved by discussion, it may be considered during the 2-year review of the Act. The main points of that paper are summarised below.
Multiple uses and disclosures are bundled together
Seeking consent to uses and disclosures that are not for primary or related purposes and not giving individuals a choice about each of those additional uses goes against the spirit of the Act.
Organisations should consider using disclosure where the uses or disclosures are within the range of primary or related purposes and seek consent to uses and disclosures that fall outside that range.
Vague statements on information uses and disclosures
Relying on consent to vague disclosures to comply with NPP 2 may not be satisfactory as the consent could be uninformed.
Organisations should include more information about the proposed uses and disclosures to make the statement meaningful.
Including consent to uses and disclosures in terms and conditions to provide service
A statement may be misleading, and the consent would then be not properly informed, if the service could in fact be provided without consent to all the uses disclosed.
It should be made clear which uses and disclosures are in fact essential to the provision of the service and offer a real choice about uses and disclosures that require consent.
Referring to related organisations
When referring to related organisations, a list of those organisations should be included or the reader should be referred to an accessible place where they can find that information (eg a web site).
Requiring consent to any overseas transfer of personal information without offering choice
Organisations should consider satisfying NPP 9 through other means than consent if a real choice is not offered. Alternatives include contractual provisions that give equivalent protection to the NPPs for personal information transferred overseas.
Including as a term and condition of receiving a service/product, that a person who provides personal information about another person agrees that they will tell the other person about the matters covered in the privacy statement
Organisations should consider reminding the person at the time of collecting the information that if they are providing information about another person, that person should be informed of NPP 1.3 matters, or the other person could be notified directly by the organisation collecting the information.
Using consent to broaden the listed disclosures to include all information the organisation and its related companies hold or will hold about the individual, regardless of when and how it is obtained
This practice may be improved by narrowing the consent to align it with reasonable expectations of how personal information is used or giving notice rather than requiring consent where disclosure is for the primary purpose or related purpose.
Providing opportunity to opt out of some marketing uses of personal information but not others
Such practice may be remedied by giving people a clear and easy option to take up or opt out of uses and disclosures that are not related to the purpose of collection or otherwise required.
Including as a term or condition of providing a service, consent to the collection of sensitive information, when there is no apparent reason for collecting such information
Organisations should only collect personal information that is necessary for one or more of their functions or activities. Statements should be drafted to match actual information handling needs, rather than trying to cover all bases.
The Federal Privacy Commissioner approves the Queensland Club Industry Privacy Code
12 August 2002
The Federal Privacy Commissioner has approved the Queensland Club Industry Privacy Code. This is the second private sector privacy code to be approved following the amendments to the law which took effect on 21 December 2001. Clubs Queensland, the industry association and union of employers of all registered and licensed clubs in Queensland, drafted the code in consultation with the Office of the Federal Privacy Commissioner. The code outlines the obligations of member clubs in relation to the personal information of their members and patrons. These obligations impose at least a minimum standard consistent with the National Privacy Principles. The Federal Privacy Commissioner remains the complaint handler for the code while Clubs Queensland will be the code administrator. The code replaces the National Privacy Principles with respect to the organisations that choose to be bound by it.
Microsoft settles privacy complaint with the US Federal Trade Commission
12 August 2002
Microsoft has agreed to increase security around information it collects
and improve its privacy practices, in accordance with an agreement it has
reached with the US Federal Trade Commission (FTC), following an FTC investigation.
The FTC focussed on 4 information security problems with Microsoft's Passport service,
an online authentication service which allows customers to use a single sign-in to
access multiple web sites and undertake transactions. The FTC claimed that Microsoft
had made misrepresentations concerning the overall security of the Passport system and
the personal information stored on it; the security of the online purchases; the kind
of personal information Microsoft collects of Passport users and the extent of control
parents have over the information collected by web sites participating in the Kids
Passport program. The FTC found, however, that no actual security breaches had taken
place and that Microsoft had not improperly shared information with other companies.
Microsoft has agreed that it will not make any further misrepresentations and will
'establish... a comprehensive information security program...that is reasonably designed
to protect the security, confidentiality, and integrity of personal information
collected...'. For 5 years, Microsoft must provide the FTC with documents pertaining
to the collection of personal information. Microsoft is bound by the agreement
for 20 years.
Privacy Commissioner proposes change to health information privacy law
8 August 2002
Should you have the right to know if a relative is diagnosed with a genetic
disease which you might also have the propensity to develop? Currently under
the Privacy Act, a doctor or other organisation dealing with health information
may not use or disclose that health information to a person other than the subject
of the diagnosis unless the doctor or organisation has their consent or believes
the release of the information will lessen or prevent a serious and imminent
threat to an individual's health, life or safety. Where an individual may be
at risk of contracting a genetic disease (for example, by having a relative
diagnosed as a sufferer), however, the position is less clear. The Federal
Privacy Commissioner has recently addressed this issue, saying yesterday,
'Balancing the privacy rights and wishes of the individual with the interests
of their relatives (who may want to know if they are genetically predisposed
to a disease) is not an easy task'.
The Commissioner went on to say that the role of the Privacy Act is to ensure
the responsible handling of individuals' health information and was not designed
to put people's lives at risk by restricting the flow of information, as has been
recently alleged in the media. As such, the Commissioner has recommended, in
a submission to the Joint Inquiry into the Protection of Human Genetic Information
conducted by the Australian Law Reform Commission and the Australian Health Ethics
Committee, that the Privacy Act be amended so such health information may be made
available to persons who may be affected by it, but in limited circumstances,
in accordance with appropriate guidelines and with the involvement of
professionals such as genetic counsellors.
The Joint Inquiry is slated to release a discussion paper containing draft
recommendations by this month, to hold public consultations on the paper
in September and November and to deliver the final report to the Attorney
General and the Minister for Health and Ageing by 31 March 2003.
Privacy web tools: P3P
1 August 2002
Bodies including the Information and Privacy Commissioner of Ontario, Canada are beginning to embrace web tools to promote individuals' privacy rights. Developed by the World Wide Web Consortium (W3C), P3P (the Platform for Privacy Preferences) is being promoted as a new World Wide Web protocol to automate user privacy protection on the web. It is essentially an electronic filter which enables users to specify minimum privacy compliance requirements for their internet dealings. P3P's goal is to increase user trust in the web by simplifying the reading of privacy policies, so that users are better informed about web site practices. To achieve this, P3P provides a standard way for web sites to communicate their practices around the collection, use and distribution of personal information. P3P enables key information about what data is collected by a web site to be conveyed automatically to the user and can flag discrepancies between a site's practices and the user's preferences. It also includes a mandatory access element which discloses how (if at all) users can access personal data held by a web site. Additionally, it can be used by web sites with opt-in or opt-out policies. It is not, however, a comprehensive privacy compliance tool; essentially, it discloses web site privacy practices in simple terms.
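The "electronic filter" described above, as an added example that is not code from the original page or from the W3C: a small Python evaluator that parses a constructed P3P 1.0 policy, checks for the mandatory ACCESS element and flags statements that conflict with a user's preferences. The element and value names follow the P3P 1.0 vocabulary; the site, URIs, data references and preference thresholds are assumptions.

```python
"""Evaluate a P3P 1.0 policy against a user's privacy preferences (added example)."""
import xml.etree.ElementTree as ET

P3P_NS = "http://www.w3.org/2002/01/P3Pv1"

# Constructed sample policy (not a real site): one statement uses name and
# postal address to fulfil orders; a second shares the phone number with
# unrelated parties for telemarketing on an opt-out basis, retained indefinitely.
SAMPLE_POLICY = """<?xml version="1.0"?>
<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY name="example" discuri="http://example.invalid/privacy.html">
    <ENTITY><DATA-GROUP><DATA ref="#business.name">Example Shop</DATA></DATA-GROUP></ENTITY>
    <ACCESS><contact-and-other/></ACCESS>
    <STATEMENT>
      <PURPOSE><current/><admin/></PURPOSE>
      <RECIPIENT><ours/><delivery/></RECIPIENT>
      <RETENTION><stated-purpose/></RETENTION>
      <DATA-GROUP>
        <DATA ref="#user.name"/>
        <DATA ref="#user.home-info.postal"/>
      </DATA-GROUP>
    </STATEMENT>
    <STATEMENT>
      <PURPOSE><telemarketing required="opt-out"/></PURPOSE>
      <RECIPIENT><unrelated/></RECIPIENT>
      <RETENTION><indefinitely/></RETENTION>
      <DATA-GROUP><DATA ref="#user.home-info.telecom.telephone"/></DATA-GROUP>
    </STATEMENT>
  </POLICY>
</POLICIES>
"""

# Assumed user preferences: the thresholds are illustrative, not prescribed by P3P.
USER_PREFS = {
    # purposes accepted only if the site makes them opt-in
    "reject_purposes_unless_opt_in": {"telemarketing", "individual-analysis", "individual-decision"},
    # recipients never accepted
    "reject_recipients": {"unrelated", "public"},
    # retention periods never accepted
    "reject_retention": {"indefinitely"},
    # ACCESS values the user considers adequate
    "acceptable_access": {"all", "contact-and-other", "ident-contact"},
}


def _tag(elem):
    """Strip the P3P namespace from an element tag, e.g. '{ns}ours' -> 'ours'."""
    return elem.tag.split("}", 1)[1] if "}" in elem.tag else elem.tag


def _children(parent, name):
    """Return the child elements of the named P3P element, or [] if it is absent."""
    elem = parent.find(f"{{{P3P_NS}}}{name}")
    return list(elem) if elem is not None else []


def parse_policy(xml_text):
    """Reduce a P3P POLICIES document to the access level and per-statement practices."""
    root = ET.fromstring(xml_text)
    policy = root.find(f"{{{P3P_NS}}}POLICY")
    if policy is None:
        raise ValueError("document contains no POLICY element")
    access_values = _children(policy, "ACCESS")
    access = _tag(access_values[0]) if access_values else None  # None: mandatory element missing
    statements = []
    for st in policy.findall(f"{{{P3P_NS}}}STATEMENT"):
        statements.append({
            # P3P treats a PURPOSE without a 'required' attribute as required="always"
            "purposes": {_tag(p): p.get("required", "always") for p in _children(st, "PURPOSE")},
            "recipients": {_tag(r) for r in _children(st, "RECIPIENT")},
            "retention": {_tag(r) for r in _children(st, "RETENTION")},
            "data": [d.get("ref") for d in _children(st, "DATA-GROUP")],
        })
    return {"access": access, "statements": statements}


def evaluate(policy, prefs):
    """Return a list of discrepancies between the parsed policy and the user's preferences."""
    issues = []
    if policy["access"] is None:
        issues.append("mandatory ACCESS element missing: the site does not say how you can see your data")
    elif policy["access"] not in prefs["acceptable_access"]:
        issues.append(f"access level '{policy['access']}' is below what you require")
    for n, st in enumerate(policy["statements"], 1):
        for purpose, required in st["purposes"].items():
            if purpose in prefs["reject_purposes_unless_opt_in"] and required != "opt-in":
                issues.append(f"statement {n}: purpose '{purpose}' is '{required}', not opt-in, for {st['data']}")
        for recipient in sorted(st["recipients"] & prefs["reject_recipients"]):
            issues.append(f"statement {n}: data {st['data']} shared with '{recipient}' recipients")
        for retention in sorted(st["retention"] & prefs["reject_retention"]):
            issues.append(f"statement {n}: data {st['data']} retained '{retention}'")
    return issues


def check_site(xml_text, prefs=USER_PREFS):
    """Parse and evaluate in one step; an empty list means the policy meets the preferences."""
    return evaluate(parse_policy(xml_text), prefs)


if __name__ == "__main__":
    for issue in check_site(SAMPLE_POLICY):
        print("DISCREPANCY:", issue)
```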
European Commission invites views on privacy legislation
1 August 2002
The European Commission has launched an on-line questionnaire as part of
the Interactive Policy Making Initiative (IP/01/519) in which views are invited
on the implementation by Member States of the 1995 Data Protection Directive.
The aim is to assess the operation of the Directive and any necessary changes
by considering the views of diverse groups, including business, public authorities
and private citizens.
Two different questionnaires, one for data controllers (anybody who processes
personal data) and one for data subjects (anybody whose personal data is processed),
seek opinions on national data protection laws and their efficacy.
Data subjects are asked for their opinions on the adequacy of data protection
in their particular country, as well as any concerns raised by the use of their
personal data. In contrast, the questionnaire for data controllers asks questions
concerning that particular controller's compliance with data protection laws and
their implementation of business processes in respect of those laws.
Results of the questionnaire will be addressed by data protection experts
at the Data Protection Conference later this year in Brussels, and compiled
in the Commission's first report on the implementation of the Directive.
Victorian Government acts on online photos
11 July 2002
The Victorian Government intends to introduce reforms to make it a criminal
offence to publish people's photos on the Internet without their consent.
Earlier this month the Office of the Victorian Privacy Commissioner noted
community concern in relation to unauthorised photos of young Victorians
playing sport being published and linked to pornographic web sites.
It is not an offence to take photos or to possess photos of people
in a public place. Under the Victorian Crimes Act, however, non-sexual
photos of minors may fall within the definition of child pornography if
the photos depict the children "in an indecent sexual manner or
context". It is an offence to use an online service to transmit
such "objectionable material" under Victorian law.
Currently the avenues of redress are limited to a 'take down' notice
issued by the Australian Broadcasting Authority, and notifying the internet
service providers or internet content hosts who are facilitating the
availability of the unauthorised photos in a sexual context.
A new Code of Practice for Hong Kong telcos
10 July 2002
In brief: a new Code of Practice sets out voluntary standards for the Hong Kong telecommunications industry aimed at avoiding unauthorised disclosure of customer information.
Federal Privacy Commissioner's public education campaign
5 July 2002
As foreshadowed by the Office of the Federal Privacy Commissioner earlier this year, the Commissioner is undertaking an "advertorial" campaign to "promote an Australian culture that respects privacy". The Commissioner wants to inform Australians about what privacy is, what a person's new privacy rights under the amended Federal Privacy Act are, and how that privacy can be protected by working with business, community groups and government. This public education program has already been launched in News Limited papers in several states including NSW. The next advertorial will run in Victoria on Sunday, 4 August and will include contact information for consumers with privacy concerns and, importantly, a reminder to those small businesses that must comply with the Act of their forthcoming responsibilities after 21 December this year.
Victorian Health Records Act now in force
1 July 2002
The Victorian Health Records Act is in force as of 1 July 2002.
The new laws will affect the regulation of the privacy of health information
in the Victorian public sector for the first time. It will also affect private
sector organisations in Victoria but that effect will vary greatly, partly
depending on whether an organisation already complies with the federal Privacy Act.
This is because, unlike the federal Privacy Act, the new Victorian Act
does not exempt employee records or small businesses.
So small businesses that hold health information, or any business
that holds health information about its employees, may need to put
into place new measures to comply with the new law.
But even Victorian businesses that already comply with the federal Privacy Act
need to be aware that, although many of the new Act's Health Privacy Principles
mirror the National Privacy Principles under the federal Privacy Act, there are
also some significant differences. For example:
- more of the Health Privacy Principles have a retrospective effect (that is, after 1 July, they will affect health information collected even before the Act comes into effect);
- some of the provisions governing access to health information are different; and
- there are provisions that will restrict the transfer of health information outside Victoria.
The Act will be administered by the Victorian Health Services Commissioner, who will have a wide range of powers, including the power to audit records of private sector organisations. The new Act also creates some new offences, and there are penalties of up to $300,000 for serious breaches of the law.
EU Privacy legislation
25 June 2002
The European Union's Environment Council has adopted the Directive concerning the processing
of personal data and the protection of privacy in the electronic communications sector on 25 June 2002,
as amended by the European Parliament in May.
The Directive now awaits the signature of the President of the European Parliament, the President of
the Council and the Secretary-General of each of the two bodies.
Member States are required to implement the provisions of the Directive in their domestic laws
by October 2003.
The most controversial provisions of the new Directive are the following:
- Member States may lift protection of data privacy in order to conduct criminal investigations or to safeguard public security in circumstances where it is a necessary and appropriate measure "within a democratic society";
- consumers will have to opt-in prior to receiving any unsolicited commercial communications, whether via email, text messages, faxes or telephone calls;
- use of location data collected from mobile telephone networks will be subject to express consent from the individual and temporary blocks should be available;
- cookies may only be stored on an individual's computer and data collected by those cookies may only be retrieved and processed if the individual is provided with "clear and comprehensive" information about the purpose of the cookies; and
- an individual may refuse to have a cookie stored on their computer or may object to the processing of the information so collected.
Europe passes snoop measure
31 May 2002
The European Parliament has passed the Communications Data Protection Directive, which supporters say is necessary to combat future terrorism. The Directive must be approved by the 15 European Union member countries before it will come into effect.
Commissioner releases more FAQs
30 May 2002
The Federal Privacy Commissioner has released more FAQs clarifying the application of the National
Privacy Principles (NPPs) and the Privacy Act. The latest FAQs highlight the fact that the new private
sector provisions of the Privacy Act do not apply to local councils or state or territory governments.
(The existing FAQs relate to business, government, community and health issues.)
Under Section 6C of the Privacy Act, state or territory authorities or their prescribed instrumentalities
(which include local councils) are not classified as organisations under the Act and, as a result,
are exempt from the NPPs.
However, some states do have their own privacy laws that cover state and local government bodies and
there is scope under the Privacy Act for certain entities to be prescribed as organisations and therefore
fall within the Privacy Act.
Compromise on Directive for the protection of personal data and privacy in electronic communications
30 May 2002
The EU has agreed the terms of the new Directive for privacy protection in electronic communications
by approving lenient regulation of data retention, cookies and spam. The scheme comes into effect by 2003.
Data retention
The Directive will allow data protection to be lifted to conduct criminal investigations or safeguard
national or public security. It obliges EU member states to require ISPs and telcos to keep track of
phone calls, Internet surfing, e-mails, faxes and even pager messages, for an unlimited time, in case
the data is needed for investigations into illegal activity. This will allow open-ended surveillance
of all users.
Despite the broad terms of the Directive, interception of electronic communications must still comply
with the European Convention on Human Rights and Fundamental Freedoms and with the rulings of the
European Court of Human Rights.
Spam
Consumers must opt-in and consent to email communication before it is sent to them. Opt-in will be
mandatory for commercial e-mail, faxes or telephone calls, but not for text messages. Each member
state can decide whether to impose opt-in arrangements for text messaging.
The amendments also allow data already collected to be used for direct marketing purposes, provided
the individual has been given the chance to opt-out of such an arrangement.
Location data
Mobile phone location data may not be used unless express user consent has been given. Users can bar
the use of data about their location.
Cookies
Storing information on a user's computer and accessing this information is allowed "...on condition
that the subscriber or user is provided with clear and comprehensive information in accordance with
[the Data Protection Directive about] the purposes of the processing and is offered the right to refuse
such processing". That is, users will have to be informed why cookies are being sent to a web site
and given the opportunity to opt out.
Information Sheet 15 - Identifiers in the health sector
30 May 2002
The Privacy Commissioner has released new information clarifying the adoption, use and disclosure
of Commonwealth identifiers.
The handling of Commonwealth government assigned identifiers, such as Medicare and Health Care numbers,
is dealt with under National Privacy Principle 7. The purpose of NPP 7 is to prevent the use of Commonwealth
government assigned identifiers as common identity numbers for individuals.
Individual identifiers are commonly used throughout the health sector, and enhance the efficiency of
data management. However, they also create certain privacy risks, as they can facilitate bringing
together information about an individual from different sources.
For more about how organisations can use health information see our health site.
State instrumentalities prescribed under the Privacy Act
29 May 2002
Four NSW authorities have been prescribed as organisations by the Privacy (Private Sector) Amendment Regulations 2002 (No 1). They are:
- Australian Inland Energy and Water Infrastructure;
- Country Energy;
- Energy Australia; and
- Integral Energy Australia.
Section 6F of the Privacy Act allows state instrumentalities to be classified and treated as organisations and become subject to the private sector amendments to the Privacy Act.
AMWU releases model email/internet policy
28 May 2002
The Australian Manufacturing Workers' Union has released an Internet and email policy to
be included in future enterprise agreements.
The policy - which is aimed at employers who attempt to regulate the use of Internet resources
in the workplace - sets out a framework to clarify workers' rights.
The AMWU has also prepared a draft electronic facilities agreement to clarify delegates' rights in relation
to the use of their employer's email for union or non-business purposes. This provides for delegates
and employees to be able to use Internet facilities to send and receive emails or visit websites as long as
this "does not detract from their job responsibilities".
If an employer accepts the policy, they will be required to advise the union they intend to monitor
a worker's emails or internet use. Under the policy, an employer may only do this if they have a reasonable
belief that an employee has committed a serious offence.
For more see the Commissioner's Guidelines on workplace email, web browsing and privacy.
EU investigates Microsoft
27 May 2002
The European Commission is investigating Microsoft's .NET Passport system to assess whether
it is compatible with EU data protection law. The system stores personal information about users
on its servers so that users do not have to re-enter their personal details when they move between websites.
Obligations placed on companies operating in the EU
in regard to personal data include:
- ensuring that data is collected for a specific, legitimate purpose; and
- informing users of:
- the identity of the controller of the data;
- the purpose of collection; and
- the rights of the individual in relation to the data.
Microsoft is a signatory to the Safe Harbour agreement, but this may not provide adequate protection. The Commission is investigating whether European Union rules apply to databases outside the Union. It expects to report before the end of the year.
Transurban off the hook
24 May 2002
The Privacy Commissioner has given the operator of Melbourne's CityLink freeway, Transurban, a thumbs up
following a recent own motion investigation of Transurban's privacy compliance by the Commissioner's office.
Late last year the Commissioner announced an investigation into Transurban after up to 12,000 customers' credit
card details were stolen from the company in 2000. The breach raised questions about Transurban's computer
security measures and privacy practices generally.
The Commissioner's office found that Transurban's policies and procedures were reasonable and it was the actions
of an ex-employee which resulted in the disclosure. However, a risk assessment by the Commissioner's office
has identified some steps which Transurban can take to reduce the risk of a further incident.
Bundled consents
23 May 2002
The Federal Privacy Commissioner has expressed concern regarding the practice by organisations of requiring
bundled consents from consumers.
Organisations are using bundled consents to require an individual to consent to other uses of their information,
which are not relevant to the transaction in question, as a condition of providing the service.
The Commissioner said that consent for the collection, use and disclosure of one's personal information
should always be given freely and voluntarily: it should not be conditional upon the individual giving
consent for any other form of information handling practice. The Commissioner also flagged that this issue
would be pursued through dialogue with industry organisations and would be one of the issues considered
in the two year review if it remained problematic.
DoubleClick settles
21 May 2002
The US District Court for the Southern District of New York has confirmed a preliminary settlement
in a class action brought against DoubleClick for infringing the privacy rights of its users. The law
suit asserted that DoubleClick was tracking users' personal information, without permission, and combining
this with information about their net habits to send targeted advertising to those individuals.
The settlement requires that DoubleClick obtain opt-in consent from users before cross-checking the
personal information of users against their habits. DoubleClick is also required to delete information
it collects which may personally identify individual users.
Employee records exemption
21 May 2002
The Federal Privacy Commissioner has warned both employers and recruiting employers to take care
in the way that they handle access requests to a former or potential employee's record. The Commissioner
indicated that neither of them will be able to avoid their privacy obligations to individuals by using
confidentiality agreements when exchanging references.
While the Privacy Act provides an exemption for employers in the way that they handle a former or current
employee's information in a way which is directly related to the employment relationship this exemption
is not without limits.
- It does not extend to new recruits
- To be exempt, the employer's act in handling the information must be directly related to the current or former employment relationship.
Recruiting employers who deny potential employees access to their records may risk violating privacy
obligations.
Inaccurate references can adversely affect an individual's chances of employment and the Privacy Commissioner
has indicated that it is important that employees are able to access their records to ensure that information -
such as referee reports - is accurate.
Privacy Commissioner's public awareness campaign
3 May 2002
The Office of the Federal Privacy Commissioner has started its campaign to educate the public about individuals' rights under the new privacy laws by issuing "Your Privacy Rights". Your Privacy Rights summarises an individual's rights under the Privacy Act 1988 including:
- the rights an individual has when their rights are breached;
- how to complain;
- the process the Commissioner will follow to resolve complaints;
- complaint procedures and privacy laws relating to private sector organisations, Commonwealth and ACT government bodies, and credit providers and credit reporting agencies;
- information on the collection and use of tax file numbers;
- the use of data matching by government bodies; and
- discrimination on the basis of spent convictions.
The Commissioner has also issued a release entitled "My Privacy My Choice - Your New Privacy Rights", which summarises the National Privacy Principles and overviews the public bodies involved in the protection of privacy.
First private sector privacy code approved
17 April 2002
The Federal Privacy Commissioner has approved Australia's first private sector privacy code. The code,
which was submitted by the Insurance Council of Australia (ICA), covers the general insurance industry.
A code can only be approved by the Commissioner if, overall, its standards are at least the same as
the National Privacy Principles.
The ICA has sought to ensure that the code can operate as a compliance mechanism for:
- organisations in the general insurance industry;
- organisations involved in business related to the general insurance industry; and
- general insurers in the conduct of other business carried on as part of their wider services.
Organisations that choose to commit to the code do so by a formal Deed of Adoption. One aspect of the code that may encourage organisations to sign up is that complaints will in the first instance be handled by the Privacy Compliance Committee (a committee set up under the code) rather than the Privacy Commissioner. Even so, the Commissioner retains the power to review the determinations of an adjudicator appointed under an approved privacy code.
Spam under examination by the National Office for the Information Economy
9 April 2002
The National Office for the Information Economy (NOIE) will be examining ways to counter the problem of unsolicited bulk messages (spam). As part of its examination of the effectiveness of actual and possible counter-measures, NOIE is:
- conducting an on-line questionnaire (deadline 19 April 2002);
- consulting with the community and key stakeholder groups;
- publishing a discussion paper; and
- conducting round-table discussions with interested parties.
Some of the counter-measures under review include:
- awareness raising for consumers and internet providers;
- commercial and self-regulatory practices for Internet Service Providers;
- enforcement of existing laws; and
- possible new laws.
It is expected that NOIE will make the findings of its review public by mid-year.
Minnesota Privacy Bill of Rights
9 April 2002
A Privacy Bill currently in the Minnesota Legislature would prevent Internet Service Providers from selling mailing lists or disclosing personal information about customers in Minnesota. The Bill, in its current form, automatically prohibits ISPs from disclosing personal information unless they first obtain the customer's permission.
Focus: Privacy
08 April 2002
Senior Associate Jackie Lyne looks at the increased power and range of regulators of the new privacy regime in the light of a recent collaboration between two Federal bodies.
Colorado Supreme Court refuses to force bookstore owner to divulge buyers to police
8 April 2002
The Colorado Supreme Court has ruled unanimously that a local Denver bookstore
does not have to turn over customer sales records to police to help them determine who
bought two books on how to make illegal drugs. The Court found that the First Amendment
and the Colorado Constitution "protect an individual's fundamental right to purchase
books anonymously, free from governmental interference". The decision overturns a ruling
by a Denver state appellate court judge, which ordered the bookstore to give records of
the sale to the Denver drug task force.
The Supreme Court held that a pre-seizure hearing had to be held before a search warrant
could be issued on a bookstore. It was further held that the Colorado Constitution requires
that the search warrant will only be issued if law enforcement officials show a sufficiently
compelling need for the specific customer purchase record sought.
The police investigators in this case argued that the buyer's identity was critical to their
investigation of a methamphetamine lab. The Court found that the police investigators' need for
the book purchase record was not sufficiently compelling to outweigh the likely harm which would
result from issuing the search warrant.
Anti-terrorism legislation a danger to email privacy protection?
2 April 2002
The Senate Legal and Constitutional Legislation Committee is currently reviewing a number
of anti-terrorism Bills and is expected to release its report on Friday 3 May 2002.
It is holding a public inquiry on 8 April 2002.
Among the Bills to be considered is the Telecommunications Interception Legislation Amendment
Bill 2002, which some privacy experts say endangers fundamental privacy rights. If passed,
the Bill will increase police powers to intercept telecommunications, in particular emails.
The aim of the Bill is to trace telecommunications involving terrorism, child pornography
and serious arson offences.
Civil liberties organisation Electronic Frontiers Australia (EFA) is opposing the Bill on
a number of grounds. EFA's main concern is that the wording of the Bill is confusing. It will
be seeking changes to the Bill to ensure that email is afforded the same legal status as
telephone calls in regard to interception warrants.
Federal Privacy Commissioner's plans
April 2002
The Office of the Federal Privacy Commissioner is currently planning its key activities
for the next two years. The Office also plans to concentrate on the following issues in the next two years:
- the Privacy Commissioner's functions under the Privacy Act;
- the number and nature of complaints received;
- identifying significant privacy issues for Australia and overseas;
- implementation of the new privacy legislation by businesses, consumers and privacy service providers; and
- the Office's community attitudes research.
For more information see the Office's Strategic Plan.
DoubleClick publishes settlement agreement
29 March 2002
Online advertising giant DoubleClick has published a settlement agreement which,
if successful, will resolve class actions pending against the company in various US
states over its handling of personally identifiable consumer data.
Under the terms of the agreement DoubleClick agreed to take steps to educate consumers
about its use of electronic "cookies" and its practices regarding personally
identifiable data. The company has also vowed to routinely purge old data collected online.
Privacy advocates are opposing the adequacy of the agreement because it does not offer to
provide customers access to the data DoubleClick collects about them.
The matter will be heard before a Federal Judge in May of this year.
Biometrics & the federal privacy regime
20 March 2002
The Federal Privacy Commissioner presented a speech entitled "Biometrics and Privacy:
The End of The World as We Know It or The White Knight of Privacy" at a biometrics
conference in Sydney. The speech outlined the implications of the Privacy Act for
collecting and processing biometric information. Biometric information includes fingerprinting,
DNA and voice, hand, face and keystroke recognition. As biometric information may be classified
as personal information, the Act will apply where this information is handled.
During his speech, the Privacy Commissioner discussed how the increasing use of biometric
technology for authentication purposes has the potential to operate as 'privacy enhancing'
or 'privacy intrusive' technology.
The Privacy Commissioner outlined several benefits of biometric technology, including protection
against identity theft and reducing the number of access passwords people need to remember.
However, biometric information carries privacy risks such as the potential for underhanded
collection or data being used for unauthorised purposes. In the Commissioner's supporting
paper he expressed the view that Australian organisations need to consider privacy enhancement
when acquiring biometric technology. Meanwhile, technology developers need to be mindful of
privacy protection mechanisms to ensure that personal information is adequately protected.
The Commissioner said the Act may need to be reviewed in the future to keep abreast with
biometric technological change.
New UK Code of Practice for protection of employment information
20 March 2002
The UK Office of the Information Privacy Commissioner has released the first part of
a new four part Code of Practice called the Employment Practices Data Protection Code of
Practice. Part 1 Recruitment and Selection explains how organisations can ensure compliance
with the Data Protection Act 1998 (UK) in the context of recruitment and selection.
Part 1 of the code concerns personal information that employers collect and retain on potential,
current or prior employees, agency workers, casual workers and contract workers. It gives guidance
on issues such as obtaining and storing information about workers and accessing and disclosing
records. It also gives benchmarks for advertising jobs, dealing with job applications, verifying
details supplied by applicants, and short listing and interviewing applicants.
The three additional parts of the code, dealing with employment records, monitoring at work and
medical information respectively, will be published at monthly intervals. The code will not be
formally published until all four parts of the code have been completed, but the substantive
content of the Code is not expected to change.
ACCC and Privacy Commission join forces
12 March 2002
The Australian Competition and Consumer Commission (ACCC) and the Office of the
Federal Privacy Commission (FPC) signed a memorandum of understanding (MOU) on 12
March 2002.
The MOU is aimed at facilitating cooperation and coordination between
the ACCC and the FPC's office. The MOU:
- provides a framework for cooperation when the responsibilities of the ACCC and the FPC overlap; and
- enables the two Agencies to conduct joint training, education, promotion and enforcement activities.
Each Agency may also agree to participate in the conduct of investigations or litigation
through a joint task force if the Agencies agree that this is likely to be more effective
than separate examinations.
The MOU will remain in force for a period of two years until 11 March 2004 and may be
extended with the agreement of the two Agencies. For more, see Allens' Focus: Privacy April 2002.
Pathology labs must meet privacy standards
12 March 2002
The Minister for Health and Ageing, Senator Kay Patterson, has announced that
pathology laboratories that fail to meet stringent standards relating to the use
of personal information and the handling of test results face being named publicly.
The comments follow the bungle by two pathology labs, one in New South Wales and the
other in Victoria, that released incorrect results to a number of patients. Senator
Patterson has directed her Department to work with the National Association of
Testing Authorities (NATA) and the College of Pathologists to ensure that laboratories
which do not meet the standards be identified and pursued, and patients and doctors
be notified promptly.
Commissioner releases more FAQs
27 February 2002
The Privacy Commissioner has released two more sets of FAQs:
- Business FAQs which provide information to business about alternative dispute resolution schemes, including requirements over:
- collecting sensitive information about third parties;
- notification, use and disclosure of third party's information; and
- access to personal information.
- Community FAQs which cover the application of the NPPs and the Privacy Act to counselling services offered by charitable and welfare organisations, sporting clubs, private schools and colleges.
Any questions for the Office of the Privacy Commissioner should be sent to privacy@privacy.gov.au. The Commissioner's office plans to update the FAQs on a regular basis.
Canada Post breaches Privacy Act
25 February 2002
Canada's Privacy Commissioner, George Radwanski, has released a finding that Canada
Post has breached the Canadian Privacy Act in relation to its National Change of Address
service (NCOA).
Canada Post asks subscribers to the NCOA service who want to have their mail redirected
to sign an authority allowing Canada Post to supply their new address to businesses who
ask for it. While subscribers can opt out of this authorisation, the process to opt out
was outlined in fine print on the back of the NCOA form.
The Commissioner found that subscribers' personal information was provided to organisations
such as list brokers, mass mailers and direct marketers for a fee. The Commissioner was
concerned about the lack of transparency and the use of implied consent.
Minnesota considers Internet privacy legislation
25 February 2002
The Minnesota State Legislature is currently considering the Internet Privacy and Commercial Electronic Mail Solicitation Bill. The Bill aims to:
- require organisations to disclose to consumers the content of commercial emails in the subject line of the email;
- require persons sending spam emails to consumers to allow consumers to refuse them; and
- limit disclosure by Internet service providers of customer information.
The bill forbids email senders from misrepresenting their identities or failing
to provide accurate information in the email subject line. Furthermore, commercial and
sexually explicit email would have to be marked so it can be deleted automatically upon receipt.
The bill only affects spam originating in Minnesota.
Commissioner releases FAQs
22 February 2002
The Federal Privacy Commissioner's website now features two sets of frequently asked questions.
- Your Privacy Rights FAQs: these provide information relating to the right to access credit information, privacy in the workplace, and privacy and telecommunications.
- Health FAQs: these address issues such as the obligations of medical researchers, health service providers and individuals in dealing with private health information.
The Office of the Federal Privacy Commissioner plans to update the section on a regular basis.
Canadian Privacy Commissioner issues statement on Blood Samples Bill
21 February 2002
George Radwanski, Privacy Commissioner of Canada, has criticised the Blood Samples Bill in an opening statement to the House of Commons Standing Committee on Justice and Human Rights. The Bill proposes to introduce compulsory blood testing and compulsory disclosure of blood test results. Mr Radwanski said he thought the bill, if passed, would violate privacy in a profound way. He said any proposed measure to limit or infringe privacy must meet four tests:
- it must be demonstrably necessary to meet a specific need;
- it must be likely to be effective in meeting that need;
- it must be proportional to the magnitude and importance of the problem; and
- there must be no less privacy-invasive alternative.
Mr Radwanski recommended that, in the absence of evidence that the bill meets the four tests above, any proposal for compulsory blood testing be rejected. In Mr Radwanski's opinion, such a proposal would take away a fundamental right and would amount to a draconian violation of privacy.
Privacy no obstacle to parents receiving school reports
20 February 2002
The Privacy Commissioner has denied media reports stating that privacy laws would give students the power to stop schools from releasing their school reports to their parents.
The Commissioner said that, in most cases, it is reasonable for schools to release student reports
to parents. A school using that information to keep parents updated is a related secondary purpose
and is likely to be within the student's reasonable expectations. This type of disclosure is
permitted under National Privacy Principle 2.1(a).
The Commissioner also commented that only exceptional cases would warrant a school refusing to hand over a school report to parents; such cases would be handled by the Privacy Commissioner's Office.
Commissioner considers privacy solutions for doctors
14 February 2002
The Federal Privacy Commissioner, Mr Michael Crompton, has announced that he
will work with private sector health providers and consumer groups to ensure that the taking
of family medical histories is properly authorised under the Privacy Act.
The announcement comes after ACHA Health applied for a Public Interest Determination (PID) to
allow health service providers to take medical histories from patients in December of last year.
The Commissioner is taking steps to ensure that other parts of the Privacy Act can be used to support the practice of taking medical histories and has issued a temporary PID to allow doctors to continue taking medical histories until further investigations have been made.
Privacy Commissioner considers public interest determinations
14 February 2002
The Federal Privacy Commissioner is considering the following public interest
determinations:
- the Australian Government Employees Superannuation Trust has asked for guidance on the practice of using and disclosing a Commonwealth identifier in managing, processing and allocating superannuation contributions remitted by Commonwealth and ACT agencies and departments to their employees' superannuation funds. The Federal Privacy Commissioner has issued a Temporary Public Interest Determination 2001-2;
- the Commonwealth Director of Public Prosecutions has asked for guidance on whether the disclosure of certain case files to the Australian Institute of Criminology for research into serious fraud related offences is in breach of the Privacy Act. Initial public submissions are sought on this matter by the Privacy Commissioner by 27 February.
EC releases FAQs on transborder data flows
13 February 2002
The European Commission has released a set of Frequently Asked Questions (FAQs) on standard contractual clauses for the transfer of personal data to third countries under Directive 95/46/EC.
The Directive requires Member States to permit transfers of personal data only to
third countries where there is adequate protection for such data. Article 26(4) of
the Directive allows the Commission to issue standard contractual clauses for the
purpose of fulfilling the requirements set down by the Directive.
The FAQs summarise the main issues of the draft Commission decision and inform individuals
and companies on how to use the standard contractual clauses.
While the FAQs should assist countries in complying with the EU transborder data protection
requirements, they are not part of the Commission Decision and do not have a legal status
of their own at this stage.
EC reports on Safe Harbour agreement
13 February 2002
The European Commission has issued its 2001 report on the privacy Safe Harbour
agreement with the USA, which concludes that all elements are in place. However,
a substantial number of U.S. organisations with self-certified adherence to the
agreement do not have the expected degree of transparency with regard to their
commitment or contents of their privacy policies.
The report also expresses concern about the privacy practices of some of the Safe
Harbour dispute resolution providers.
Vermont's new privacy 'opt-in' laws (USA)
11 February 2002
Amendments to a bill originating from Vermont are being considered by the US Senate. If passed, the bill will require financial institutions which have Vermont-based consumers to seek consent to most uses of their personal information.
The "opt-in" standard is more stringent than the requirements under the Gramm-Leach-Bliley legislation (GLB). GLB adopts an "opt-out" standard, which allows financial institutions to use consumer information unless the consumer requests otherwise.
GLB does not prevent any US state from prescribing stricter privacy standards than it prescribes.
Other US states, including Arkansas, California, Florida, Hawaii, Illinois, Massachusetts, Minnesota and New York, are also considering the "opt-in" standard.
Insurance trade groups have challenged Vermont's ability to make the changes at the State level in contradiction of the GLB by filing suit. The American Council of Life Insurers, one of the groups involved in the lawsuit, has in the past been involved in challenging aspects of regulation imposed by the GLB on insurance groups.
Canada - video surveillance and privacy rights
7 February 2002
The Canadian Privacy Commissioner, George Radwanski, has expressed concern over a proposal by Vancouver's police department to install video surveillance cameras in public places throughout the city.
At a public meeting hosted by the Canadian Bar Association, Radwanski was prepared to admit that, after the events of September 11, privacy is no longer an absolute right. However, he suggested that such security measures should only be taken if:
- it is absolutely necessary to address a specific problem;
- it is likely to be effective in addressing the problem;
- it is proportional to the security benefit to be derived; and
- it is demonstrable that no less privacy-invasive measure would suffice to achieve the same result.
Radwanski concluded the surveillance proposal does not meet the above criteria. He said that:
- the incidence of crime in Vancouver is not high enough to render video surveillance absolutely necessary;
- there is no evidence that video surveillance is effective in reducing crime;
- the security benefit to be derived is not proportional to the infringement of privacy that would result; and
- the focus should be on more traditional crime prevention measures like extra policing and an examination of the deeper social and economic causes of crime.
Attorney-General commits to privacy laws
5 February 2002
The Attorney-General, Mr Darryl Williams, listed privacy laws as one of his priorities
for the third term of the Howard Government in an address to senior officers of his Department.
Mr Williams plans to work on the issues of genetic privacy, employee records and children's
privacy. He also raised the issue of compliance with EU requirements and proposed that the
Australian legislation be amended to fulfil those requirements.
Singapore launches voluntary Internet privacy codes
5 February 2002
Singapore's National Internet Advisory Committee (NIAC) has released two voluntary codes to encourage companies to self-regulate online information and to increase confidence in Internet use.
- The Model Data Protection Code outlines NIAC's views on what amounts to "fair information principles" and establishes minimum standards for electronic data protection to facilitate the growth of electronic commerce.
- The Industry Content Code was drawn up in consultation with industry members and sets down industry best practices to complement the regulations and codes of practice which currently govern Internet content in Singapore.
Ontario's draft privacy legislation released
5 February 2002
The first draft of Ontario's proposed privacy legislation, the Privacy of Personal
Information Act 2002, has been released. If the Bill is passed, significant changes
will be made to how private, not-for-profit and health care sectors collect, use and
disclose personal information.
Ontario will be required to comply with Federal privacy legislation in 2004 in
the absence of its own "substantially similar" privacy legislation.
Ontario's draft legislation goes beyond the Federal legislation as it:
- applies to most activities and organisations, not just commercial activities;
- includes specific health information privacy provisions, rather than protecting health privacy through general provisions of the Act; and
- incorporates the privacy principles set out in the Canadian Standards Association Model Code for the Protection of Personal Information.
The Bill aims to establish clear privacy rules across Ontario. Comments on the
draft legislation are due by 8 March 2002.
Safe business shopping site ensures consumer privacy protection
4 February 2002
BBBOnline, a subsidiary of the Council of Better Business Bureaus (CBBB), has launched a 'Safe Shopping Site'. CBBB is a US organisation which aims to promote fair and honest relationships between businesses and consumers, including on privacy issues. The site gives consumers the opportunity to browse online business sites which have received the BBBOnline 'privacy seal' or 'reliability seal'.
The 'privacy seal' indicates that the business has met website user protection
criteria, such as using an online privacy notice for consumers. The 'reliability seal'
means that the business has met criteria such as having a satisfactory complaint handling
record and operating as a business for at least one year.
Companies such as Procter & Gamble, Hewlett-Packard, Visa and Intel have the seals
on their websites.
Report on privacy standardisation in Europe
February 2002
An EU report has called for data privacy practices across Europe to be standardised to increase privacy protection.
The Initiative for Privacy Standardisation in Europe (IPSE) issued the report after reviewing
the possible role of standardisation to help bodies comply with European privacy and data
protection initiatives following a period of public review.
The objective of IPSE is to analyse the activities of governments and organisations which
involve privacy protection and to determine if standardisation of these activities could provide
benefits to interested parties. IPSE also makes recommendations to European standards organisations.
The report contains an analysis of current activities and developments in European countries
with respect to the protection of personal data and provides assessment of the potential role
of standards in helping to achieve compliance with the European Data Protection Directive
95/46/EC and other privacy directives.
The report concludes that there are sufficient grounds to introduce specific standardisation initiatives by the various European Standards Organisations, especially in respect of:
- management practices;
- data protection auditing practices;
- the development of data protection technologies;
- Privacy Enhancing Technologies (PETS); and
- consumer education.
The report is not a directive, however, and seeks only to stimulate comment and debate for subsequent action.
Privacy group to unveil new email privacy seal program
31 January 2002
Non-profit privacy group TRUSTe,
together with technology company ePrivacy Group, is set to introduce a new "Trusted
Sender" privacy seal program for commercial email. Email from companies who volunteer
to comply with TRUSTe's criteria under the new program will contain a seal of compliance.
TRUSTe has set the following criteria for certified senders:
- adhering to TRUSTe's fair information practice principles and email best practices;
- ensuring accuracy in the subject line of the e-mail;
- including an option in the message text for consumers to opt out of further communications; and
- accepting accountability to TRUSTe's dispute resolution program, which allows consumers to complain about a company's email practices.
Trusted Sender will be unveiled at the Second Annual Privacy and Security Summit in Washington, DC.
Privacy software pre-installed on Hewlett-Packard computers
31 January 2002
Privacy and security software is being pre-installed onto Hewlett-Packard Pavilion personal computers sold in North America. Users can choose which features they would like to activate. The features include controlling and blocking cookies that track internet surfing habits, protecting user logins and passwords, blocking online ads and scanning outgoing Internet traffic for private information.
The latest on ACIF working committees
25 January 2002
The Australian Communications Industry Forum (ACIF) has set up working committees in the areas of:
The working committees will consider and where appropriate, revise existing codes to comply with the changes which flow from the amendments to the Privacy Act.
US controversy over personal data collection post Sept 11
24 January 2002
US law-enforcement agencies are collecting more and more personal data, some bought from
data agencies, as part of the increase in vigilance against terrorism. This has sparked concerns
as personal information is being passed on without individuals' consent. Also, the information
itself may be incorrect as there is no legal requirement that data agencies check the validity
of the information they collect.
Electronic Privacy Information Center (EPIC) is one organisation concerned by these events.
On January 15, EPIC filed suit seeking disclosure of records of the sale of personal information
to law-enforcement agencies. EPIC alleges that the records consisted of transactions, communications
and contracts between law-enforcement agencies and private companies that sell personal information.
The suit followed attempts by EPIC to obtain the information through a series of Freedom of Information requests.
EU issues transborder data transfer clauses
23 January 2002
The European Commission has adopted standard contractual clauses for the transfer of personal
information to businesses located in countries which do not offer equivalent privacy protection.
Using the voluntary clauses should make it simpler for EU businesses to transfer personal
data to such countries.
Anti-spam proposal
22 January 2002
In an attempt to crack down on spamming activity in Australia, the Internet Industry Association's
cybercrime taskforce is proposing to collect internet users' phone numbers to identify spammers
and launch legal action.
While the proposal may cut down on spamming, collecting callers' IDs to filter access and
trace users may be in breach of Australia's privacy laws if caller consent is not obtained.
FTC targets telemarketers
22 January 2002
The US Federal Trade Commission (FTC) has proposed a national
"do not call" registry that would allow consumers to remove their details from telemarketers'
phone lists by phoning a central registry. Under the proposed rules, telemarketers who ignore
the national registry could face fines of up to US$11,000 per violation.
The proposed registry is one element of the Commission's proposal to modify the Telemarketing
Sales Rule (TSR), which protects consumers from unwanted and late-night telemarketing calls
and prohibits deceptive sales calls.
Privacy lessons from Eli Lilly Case
18 January 2002
Eli Lilly has agreed to settle Federal Trade Commission charges regarding unauthorised disclosure of sensitive personal information collected from consumers through its Prozac.com Web site.
Under the proposed settlement Eli Lilly is required to fulfil a number of privacy obligations.
In particular Eli Lilly has to:
- designate appropriate personnel to coordinate and oversee the organisation's privacy protection program;
- identify internal and external risks to the security of personal information and address these risks using measures such as management and training of personnel, information systems for the processing, storage, transmission, or disposal of personal information, and strategies to combat attacks on information systems; and
- continually monitor and review the program and have qualified persons evaluate and suggest changes to the program where necessary.
Canada makes EU "approval list"
14 January 2002
The European Commission has added Canada to the EU privacy "approval list" after finding
that the Personal Information Protection and Electronic Documents Act 2000 offered adequate privacy
protection. Other countries recently approved include Switzerland and Hungary.
The European Commission is considering data protection laws in a number of non-EU countries
to establish whether they offer adequate protection for personal data transferred from the EU.
EU data controllers can transfer personal data to countries on the list without taking any other
steps to ensure how well it will be protected.