1. The material in this appendix supplements the discussion of principles in Part 3 of the paper. For ease of reference, the same headings have been used (though not all of them appear).
General principles and specific standards
2. The body of this paper suggests that general principles could be supplemented by more specific standards, where necessary, for particular sectors or activities. This will sometimes be necessary but it would also be desirable to minimise the number of specific standards. Making standards for particular industries immediately creates difficulties for organisations operating across traditional industry boundaries. Standards for particular activities may also overlap with industry specific standards, making it unclear which standard applies in a particular case.
How the principles are expressed
3. The body of this paper suggests that principles for the private sector should be as simply expressed as possible. In its response to the September 1996 discussion paper from the Attorney-General's Department Telstra commented:
A principal function of any privacy regime has to be the education of both the people who give up their personal information and the people who collect that information and subsequently use and/or disclose it. This can most readily be achieved by expressing the Information Privacy Principles in plain English. It is perhaps indicative that shortly after the introduction of the current Act a number of plain English translations of the IPPs were circulated and one of the greatest difficulties that Telstra faced in introducing its initial compliance program was to explain what the IPPs meant in practice.
4. There is certainly a need for plain language but the shorter and simpler the principles are, the less specific the guidance they will give. One way of addressing this would be to supplement the principles with a commentary that makes more specific recommendations for action.
5. As a result of the Government's decision in April to apply the Privacy Act to contractors, many businesses providing services to the Commonwealth will soon be bound by the IPPs in relation to those services. So, although keeping the wording consistent with the existing IPPs is a secondary consideration, it is at least desirable to keep the content of the principles consistent.
Limits to the collection and use of personal information
Limiting the use of personal information
Uses related to law enforcement
6. The body of this paper notes that, while no private sector organisation has to provide information to any law enforcement agency unless a formal legal obligation exists, it is sometimes appropriate for organisations to assist investigations by providing personal information, even if there is no legal obligation and the subject of the information has not consented. EU directive 95/46 approaches the question in these words:
Member States shall provide that personal data may be processed [`processed' includes disclosed] only if: ... (e) processing is necessary for the performance of a task carried out ... in the exercise of official authority vested ... in a third party to whom the data are disclosed, ...
7. Adoption of such a principle would relieve organisations of the need to make judgements about what is `reasonably necessary' for the enforcement of the criminal law, although they would still have to satisfy themselves that the disclosure was necessary for a task carried out in the exercise of official authority.
8. The body of this paper suggests that an organisation should be able to use personal information where, among other things, `the organisation has reasonable grounds for believing that the person or body is making the request in connection with a legitimate investigation of criminal offences'. In developing the scheme it will be necessary to define in more detail what constitutes `reasonable grounds for believing'. Organisations will need to know what they will actually have to do to satisfy themselves that `the person or body is making the request in connection with a legitimate investigation of criminal offences'.
9. Another issue is whether requests for personal information from other government agencies should be agreed to in the absence of a formal legal requirement. The discussion in the body of the paper restricts itself to requests made as part of the investigation of criminal offences, but perhaps there should be provision for organisations to cooperate with other official requests for information - for example, from revenue or social welfare agencies. Any such provisions will need to be well defined - organisations should not be able to assume that they can properly comply with any request for personal information from a government agency.
What should organisations tell the people they are collecting information about?
10. The OECD guidelines also stress the importance of openness in the handling of personal information. The Openness Principle in those guidelines says:
12. There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
11. One issue that will need to be resolved is how specific the scheme should be about what organisations should tell people. The suggested principle in the body of this paper is expressed in fairly general language. It may be necessary to expand, in commentary on the principles, on what needs to be covered in different circumstances.
Exceptions to the principle
12. The body of this paper suggests that a possible form of words for the openness principle would be:
When collecting personal information from the subject of the information, an organisation should take reasonable steps to let the person know how it will use the information and the consequences for the person of providing and of not providing the information.
13. It also suggests that when the person has recently had an opportunity to find out about how their personal information will be used, it may be reasonable to excuse the organisation from going through the same process again and again. The NZ Privacy Act deals directly with this situation, in the following words:
An agency is not required to take the steps referred to in subclause (1) of this principle in relation to the collection of information from an individual if that agency has taken those steps in relation to the collection, from that individual, of the same information or information of the same kind, on a recent previous occasion.
Safeguarding personal information
14. The body of this paper suggests a possible form of words for the security principle:
An organisation should take reasonable steps to protect the personal information it holds from unauthorised access.
15. At least two other issues will need further consideration.
16. First, `unauthorised access' may not be the only thing from which an organisation should protect the personal information it holds. The IPPs in the Australian Privacy Act refer to protecting personal information `against loss, against unauthorised access, use, modification or disclosure, and against other misuse'. It would be better to avoid a long list like this but it may be necessary to expand on the suggested wording above.
17. Second, organisations should obviously take reasonable precautions to protect personal information in the course of transmission between organisations. The suggested wording above is restricted to information that an organisation holds. It will be necessary to resolve whether this wording is sufficient to cover information in transmission or whether some change is needed to cover transmission.
Ensuring the quality of personal information
18. An information privacy scheme for the private sector would need to give more detailed guidance on what quality control measures are reasonable in different circumstances. In particular, any scheme must recognise that checking information is often a costly exercise and that the costs of checking must be weighed against the risk of the information being of low quality and the likely consequences if it is. This suggests a need for a `fitness for purpose' test; that is, the quality standard required will depend on the intended uses of the information. In many cases, it would be appropriate only to assess the quality of information at the time it is collected and again when it is retrieved for a particular purpose, and there would be no need to set up any special arrangements for routinely monitoring or updating. The inclusion of the `reasonable steps' obligation in the suggested words that follow may adequately accommodate these concerns.
Letting people know what personal information an organisation holds
Keeping a written record of information held by an organisation
19. The body of this paper suggests that two provisions of the existing Australian IPP 5 should not be adopted in relation to the private sector: the requirement to maintain a document describing the different types of personal information an organisation holds; and the requirement to provide this document to the Privacy Commissioner on an annual basis.
20. This is consistent with the responses to the September 1996 discussion paper from the Attorney-General's Department. In his response, the then Privacy Commissioner argued for these requirements to be dropped for the private sector, and many consumer and privacy groups also acknowledged the arguments for restricting, if not abandoning, these requirements. Business groups also strongly opposed them; for example, the Australian Chamber of Commerce and Industry commented:
ACCI is especially concerned at extending principle 5.4(b). A requirement to remit a return each year to the Privacy Commissioner would place a considerable cost burden on employers. ACCI notes that the discussion paper does not canvass excluding employers below a certain size from any such requirement, which we believe would be essential.
21. By deleting these requirements the burdensome registration or licensing requirements of some European privacy laws would be avoided, while the important element of openness would be retained.
Allowing individuals to gain access to their personal information
Exceptions to a scheme of access to personal information
22. There are clearly a number of situations in which it is not reasonable to expect an organisation to provide an individual access to personal information that it holds about them, or where partial or conditional access may be appropriate. The body of this paper lists a number of areas that the discussion paper from the Attorney-General's Department identified as places where exceptions to a right of access might be appropriate. It also discusses a possible exception for opinion and evaluative material. The following sections discuss some of the other more important possibilities.
23. Access rights for individuals should not be able to compel organisations to release genuine trade secrets or the details of confidential deals. Some of the responses to the September 1996 discussion paper from the Attorney-General's Department argued that this exception should apply to any material that could prejudice the commercial position of the firm. This is a very wide formulation - almost any information that implies the organisation has made a poor decision could be regarded as prejudicing its commercial position. Further debate about the scope of this exception is needed.
Unreasonable costs to the organisation
24. Individuals also carry some responsibility for facilitating the response to their access request. It would be unreasonable for an individual to approach a large and complex organisation and simply give a name and address and say `I want to see everything you hold about me'. An organisation should be able to expect some assistance from the individual to help refine the request and locate any relevant information - for instance the nature of the person's relationship with the organisation (e.g. employee or customer) and a rough time frame.
25. While any scheme needs to have some provisions to stop people making unreasonable or repeated requests for inaccessible, old and voluminous information, safeguards are also needed to prevent an organisation from using such provisions as a loophole to avoid its responsibilities and to frustrate access unreasonably.
26. There are arguments for allowing organisations to deny access to personal information where to give access would frustrate an investigation, based on well founded suspicion, of possible illegal activity. For example, in its response to the September 1996 discussion paper from the Attorney-General's Department, the Insurance Council of Australia said:
Stage-managed `burglaries and thefts', and their accompanying claims, are the subject of too frequent insurance investigations. In all of these circumstances the information held in insurance companies and brokers files can often be critical in exposing fraudulent and criminal activities. ... In these circumstances insurers and brokers need a defence against, or exceptions from, requests for access to their files.
27. The terms of any such exception are a matter for further consultation.
28. The discussion in this paper has been based on the Information Privacy Principles in the federal Privacy Act but a number of other privacy principles have been proposed, partly in response to technological changes. They are discussed briefly below.
29. Information technology has hugely increased the capacity for using information from public registers in ways far removed from the public purpose for which the registers are maintained. This has led to arguments for stricter controls on the use of public register information. The general public appears concerned about such use: in particular Australians are suspicious of the use of public records by private investigators, direct mail companies, private individuals and the media.
30. In its response to the September 1996 discussion paper from the Attorney-General's Department, the Australian Privacy Charter Council argues for some restrictions on the use of public register information:
Public registers should not be exempted entirely from the principles. It is important that the basic collection, use and disclosure principles should be applied to public registers containing personal information, particularly when they are compiled using compulsory powers. There should be limits on secondary uses which go beyond the purpose of the register and the reasonable expectations of the individuals concerned.
31. On the other hand, organisations that carry out investigations argue that public register information should be freely available for their use. For example, in its response to the September 1996 discussion paper from the Attorney-General's Department the Institute of Mercantile Agents says:
Our main concerns rest in ... the need for clear definition as to the entitlement of [members of the Institute] to make enquiries, in particular to gain legitimate access to public database information ...
32. This issue may be better addressed by the governments whose legislation requires the registers to be kept than by self-regulatory restrictions applying to the organisations that use the information.
33. Related to limitations on the collection of personal information is the idea that where possible people should be able to go about their business anonymously. The privacy principles in the Australian Privacy Charter use these words:
People should have the option of not identifying themselves when entering transactions.
34. This principle is primarily applicable to the design of information systems; once a system is in place its informational requirements are often inflexible. The popularity of anonymising features on the Internet suggests both that many people see maintaining anonymity as an important part of defending their information privacy and that in the electronic environment it is often feasible to restrict the collection of identified information while still providing people and organisations the confidence they need to transact their business.
35. While the option of anonymity clearly does give people an opportunity to protect their privacy, a qualification like `where possible' or `where practicable' seems necessary to accommodate situations where the effectiveness of a system requires the collection of personal information.
36. The central idea here is that a person should not have to pay to exercise their privacy rights. In his response to the September 1996 discussion paper from the Attorney-General's Department, Kevin Ratcliffe used these words:
People should not have to pay to exercise their rights of privacy nor be denied goods or services nor offered them on a less preferential basis. The provision of reasonable facilities for the exercise of privacy rights should be a normal operating cost.
37. One obvious application of this principle is in the ability of organisations to charge for giving people access to their personal information (discussed under Allowing individuals to gain access to their personal information above). In advocating the no-disadvantage principle the Australian Privacy Charter Council suggests that:
There may need to be a qualified right to cost recovery in exceptional circumstances where an organisation is put to significant cost to provide access to personal data.
38. Loyalty schemes are a more difficult case. Membership of a scheme can entitle a member to discounts on the cost of goods, but membership is conditional on providing personal information about oneself and agreeing to receive marketing material from participating firms. The consequences of a `no disadvantage' principle need to be carefully assessed in this context. This is a matter for further discussion.
Collection with consent
39. In their responses to the September 1996 discussion paper from the Attorney-General's Department, some business groups argued that any collection of personal information should be regarded as legitimate provided the subject of the information has given their free and informed consent. In its response the Life, Insurance and Superannuation Association said:
There will clearly be other instances where a collecting organisation may wish to collect information that is not directly relevant to its functions or those of its related entities. ... We accept that it is a fundamental principle of privacy that, generally speaking, an individual has the right to control dealings with his or her personal information. We therefore recommend that the Act reflect the individual's entitlement to so choose by providing that an individual may agree to provide any personal information to a collecting organisation, regardless of whether that information is relevant to a function of that collecting organisation.
40. There would appear to be little problem with any collection to which the person involved has given free and informed consent, but consumer organisations and others are concerned about the imbalances in market power and social circumstances which may affect individuals' ability to give such consent. It would not seem unreasonable to require at least some link to be demonstrated between the information being collected and one of the purposes of the collector. A collection principle along the lines proposed in Part 3 of this paper - permitting collection that makes a direct contribution to a legitimate purpose of the organisation - would give an organisation a good deal of scope to collect information even if it were not going directly to use the information itself, or where the precise nature of the use has yet to be determined.
41. Data-matching usually involves the computerised examination of personal information files held by different organisations, to identify individuals whose information displays interesting inconsistencies or compatibilities. It involves the creation of composite files about individuals without consent and is, therefore, a potentially privacy-intrusive practice. There are a number of principles that could serve to minimise the risk to personal privacy posed by data-matching activities, including:
no permanent dossiers should be generated from matched information;
information provided to an organisation for the purpose of data-matching should be used only for that purpose;
a decision to take action in relation to positive matches should be taken as soon as practicable after the matching procedure is run; and
no action adverse to the subject of the information should be taken without affording them a chance to respond to the matching organisation.
42. The desirability of such principles and how they might apply in the private sector context is a matter for further discussion.
43. A unique identifier is a string of characters, usually a number, used to identify particular individuals. If the same identifier is used by different organisations, it can be a very effective tool for bringing together information about a single individual from a number of different sources. This raises privacy concerns, as the Australia Card debate of the late 1980s demonstrated. Of course, organisations must be able to use unique identifiers to manage their affairs and identify their clients; this is often an essential tool for ensuring high data quality and providing a high standard of service. But it is less easy to see why unrelated organisations should be able to use a consistent person-numbering system.
44. The Australian Privacy Commissioner has pioneered the development of guidelines for the conduct of data-matching, which are currently in use in Commonwealth government administration. The New Zealand Privacy Act includes a privacy principle for unique identifiers which applies to both the public and the private sector.
(1) An agency shall not assign a unique identifier to an individual unless the assignment of that identifier is necessary to enable the agency to carry out any one or more of its functions effectively.
(2) An agency shall not assign to an individual a unique identifier that, to the agency's knowledge, has been assigned to that individual by another agency, unless those 2 agencies are associated persons within the meaning of section 8 of the Income Tax Act 1976.
(3) An agency that assigns unique identifiers to individuals shall take all reasonable steps to ensure that unique identifiers are assigned only to individuals whose identity is clearly established.
(4) An agency shall not require an individual to disclose any unique identifier assigned to that individual unless the disclosure is for one of the purposes in connection with which the unique identifier was assigned or for a purpose that is directly related to one of those purposes.
45. These principles may serve as a basis for discussion in the Australian context.
Article 7 of Directive 95/46 of the European Parliament on `the protection of individuals with regard to the processing of personal data and on the free movement of such data', adopted in October 1995.
Principle 3(3) in section 6 of the NZ Privacy Act.
For example, the Australia Bankers Association.
Privacy Commissioner (Australia), Community Attitudes to Privacy (Information Paper Number 3), Sydney, 1995, pages 14 and 15.
Australian Privacy Charter Council, Australian Privacy Charter, Principle 10.
This submission was made in response to a proposal for extending the reach of the Privacy Act to the Australian private sector.
Information Privacy Principle 12
This includes private sector organisations.