1. This Appendix contains some further material in support of the case made in Part 1 of this paper for the need for information privacy protection and attention to fair information practices in the private sector. For ease of reference, the same headings are used in those cases where there is additional evidence or discussion.
Do we need a privacy scheme for the private sector?
2. This is clearly a threshold issue. The following sections discuss the main arguments for and against.
What does business think?
3. For example, Optus recognised:
... that there are a basic set of underlying privacy principles which should apply irrespective of whether the party which collects and uses the information is a Government or private body. The safeguards or controls attach to the information because of its personal or sensitive nature, and not because of the identity or character of the party in whose hands the information is held.
What does the public think?
4. Professional survey research for the Privacy Commissioner in 1994 indicated that nearly nine in ten people believe that they should have advance notice when personal information is being collected and that they should be asked permission before their personal data can be passed from one organisation to another. More than nine in ten think that when personal information has been collected they should be told exactly what it will be used for.
5. So far as regulation is concerned, people generally do not believe that they should bear all the responsibility for protecting their own personal privacy; the vast majority believe that government has a role to play in this area. Surveys suggest that there is wide popular support for information privacy protections supported by governments.
Do privacy concerns undermine public confidence in new technology?
6. New information technologies clearly have huge commercial potential. Generally, Australia has high take-up rates for new technology, but there is still evidence that people are wary about entrusting personal details to complex systems that they do not understand. Professional survey research commissioned by the Privacy Commissioner indicates that: nearly 80 per cent of people think computers have made it easier for confidential personal details to fall into the wrong hands; only a small minority believe there are adequate safeguards for personal information kept on computer; and only one in five is confident they understand how new technologies could affect their personal privacy. This result is consistent with the results of a recent US survey, which indicates that privacy is one of the most pressing issues for Internet users. Twenty-six per cent nominated intrusions on privacy as their greatest concern in using the Internet, second only to censorship (34 per cent).
7. Whether or not these concerns are justified, they obviously affect the willingness of consumers to embrace new technologies that involve the collection and processing of personal information. It is difficult to quantify the impact that a self-regulatory information privacy scheme would have on these perceptions; the impact would obviously depend on the nature of the scheme. But if a scheme were well publicised and were robust enough to assure consumers that they could exercise some control over the use of their information in sophisticated IT systems, it seems certain that public resistance to such applications would be reduced.
Is there a real problem?
8. Apart from the complaints and enquiries received by the Privacy Commissioner, the Privacy Committees of New South Wales and South Australia and other bodies, there is a regular flow of media reports of cases of the harm or distress that poor information privacy practices can inflict on individuals. For example, there were more than 500 separate 'privacy' items in national newspapers in the first six months of 1997, and the Privacy Commissioner recorded more than 50 media enquiries in the same period.
Are people complaining?
9. The Privacy Commissioner's complaint figures do not include the many complaints that are successfully dealt with between the complainant and the agency involved. Also, some complaints containing a privacy element are handled by the Commonwealth Ombudsman or the various administrative review tribunals.
10. Of the approximately 15,000 enquiries received by the Privacy Commissioner each year from the public, significant numbers relate to private sector activity outside the jurisdiction of the Act. In 1996/97 they included the following:
Direct Marketing 426
Listening Devices 245
Optical Surveillance 228
Health Records 233
Debt collecting 62
Other Private Sector 523
11. While not all of the matters enquired about would be covered by an information privacy regime, most would be.
12. Complaint and enquiry volumes do not reflect the level of concern shown by survey results. There are a number of likely reasons for this. Firstly, the level of awareness of where and how to complain is relatively low. Secondly, many privacy intrusions, while irritating, do not cause sufficient actual harm for people to consider it worthwhile to pursue time-consuming complaint processes; this does not mean they think that the intrusions are trivial or that nothing should be done, as the survey findings clearly show. Thirdly, and significantly, people are not always in a position to tell that their personal information has been mishandled. For example, if a person is denied a service on the basis of inaccurate information collected from a third party, they may never find out why they were rejected. Poor information privacy practice may have resulted in unjustified disadvantage, but the individual does not know enough to be able to complain even if a complaint would be justified.
What can go wrong in the real world
13. Some further examples of people being disadvantaged or inconvenienced by poor information privacy practices follow.
Mr A visits a chiropractor for a treatment but decides not to return for more treatments. The office's receptionist reads his medical file and contacts him on her own. It turns out she is an independent salesperson for a health product company. She noticed that he had the same ailment as she had, and having been helped by this product, she contacted him to interest him in purchasing the product.
An elderly woman, who lives in a seniors complex, receives several calls from a particularly aggressive research organization. They call her unlisted number every evening demanding that she comply, even though she has told them she does not want to participate in the survey, which is on the subject of health.
Ms C spends some time at an alcoholism rehabilitation centre. Some years later the records of her stay are on file with her doctor, marked 'Confidential: Do Not Reproduce'. She is involved in litigation with an insurance company, in a matter unrelated to her residence at the rehabilitation centre. The insurance company subpoenas some of her medical records. Despite the label on the rehabilitation-related records, her doctor's office sends them to the insurance company and to other doctors involved in the suit.
A real estate agency places an advertisement in a daily newspaper to publicise its success in achieving property sales. A couple who have purchased a property together have their names published without authorisation. They found the publication of their names distressing and said the advertisement had caused considerable embarrassment because family, friends and work colleagues learned that they had bought a property jointly, after they had chosen not to tell anyone of the purchase.
Mr A is retired after 25 years in the rail industry. He agrees to appear in court as an expert witness on railroad switches, which is his area of specialty. Counsel for the defendant asks him nothing about switches, but questions him about his mental health. Years earlier, he had been hospitalized in a psychiatric ward and had later told his employer. It turns out the employer had released this information to the defendant's lawyer, who used it to intimidate and discredit him. Afterwards, Mr A calls his former employer and asks to see his employment file; he is told it cannot be found.
A person is approached in the street and asked to participate in a 'confidential market research survey'. They answer the questions, mostly about investment, and give their name and telephone number, which they are assured is required only for quality control. Next day, they are contacted by a salesperson from a finance company.
Will the costs of a scheme outweigh its benefits?
14. If a fair information practices scheme is to be effective, with remedies and compliance monitoring as well as best practice standards, then there are likely to be some costs. There are, however, offsetting savings.
15. In 1993, New Zealand enacted an information privacy law that applies to all organisations in NZ. At the time, many businesses were concerned about compliance costs but this concern has turned out to be largely unwarranted, with private sector peak organisations representing banks, insurance companies and human resource specialists all reporting minimal costs. The NZ Privacy Commissioner has commented:
Those who have taken the trouble to apply their minds to the [NZ Information Privacy Principles] have found that they are sensible and practical. While there is room for opinion on how they might be improved, silly outcomes have not occurred when the principles have been applied intelligently to particular situations.
16. In relation to the principle of giving individuals access to information about them, the operation of Freedom of Information legislation in the public sector has shown that public access can enhance efficiency by improving information management practices.
17. The footnote in the section on Commercial Benefits from Compliance refers to Canadian experience. In 1993 Quebec passed the Act Respecting the Protection of Personal Information in the Private Sector. Experience there suggests that businesses can often gain from sound data protection, either through cost reduction or increased productivity.
One manufacturing company expected the new legislation to cost $500,000. Instead, it cost nothing. For example, it was found that Human Resources conducted security checks on every new employee although only a very small minority needed security clearances. Most of the information collected was unnecessary.
A public utility found that customer relations staff took a few thousand hours per year to read outdated information in customers' files, not to mention the 30 seconds to three minutes of employee time taken to write each of 40,000 notations monthly. Only a tiny proportion were relevant to customer service.
18. As part of the safeguards for the information privacy of their citizens, a growing number of countries are now placing legal restrictions on the transfer of personal information to jurisdictions where the law does not guarantee adequate standards of information privacy protection.
19. In 1995 the European Parliament adopted Directive 95/46 on 'the protection of individuals with regard to the processing of personal data and on the free movement of such data', which embodies many of the OECD principles. National laws implementing the directive are meant to be in place by October 1998. Article 25 says that data should not be transferred to a non-EU country unless that country ensures an adequate level of protection. Article 26 allows for transfers to countries that do not have an adequate overall level of protection, provided other specified conditions are met. While it remains unclear how these provisions will be applied, the first indications from the European Commission are that the Europeans will require quite a high standard of protection, including both standards and enforcement mechanisms and remedies, before allowing personal information to be transferred to third countries.
20. Apart from the formal legal obstacles to trade that lack of privacy protections may pose for Australian businesses, there is a risk that neglect of the issue may give Australia a reputation as an unreliable destination for personal information, making foreign organisations wary about including Australia in information networks where personal information is involved. Other information intensive businesses could be deterred from investing or locating in Australia.
Is information privacy in the private sector sufficiently protected by existing schemes?
21. In relation to the common law, there have been a number of cases where actions for defamation have been successfully brought to protect a person's reputation damaged through the publication of a photograph of, or information about, an individual. The common law also recognises an equitable principle of breach of confidence, but this requires, firstly, that the information must be confidential; secondly, that the information must have been passed to another person in circumstances where it was recognised that there was an obligation of confidence; and thirdly, that there was an unauthorised use of the information. The courts have generally taken a narrow view of the sorts of information and circumstances to which a duty of confidence applies, and it therefore offers only a very limited and partial alternative to privacy principles.
22. Sectoral codes already in existence in Australia which have an information privacy element include:
The Code of Banking Practice includes some information privacy provisions; it restricts the collection of sensitive personal information such as political, social or religious beliefs, and reinforces the common law duty of confidence by requiring consent for external disclosures. The non-disclosure provision is, however, weakened by the very broad exemption "where the interests of the Bank require disclosure". The Code also provides some access and correction rights, but these are limited to basic customer identification details (address, occupation, marital status, age and sex) together with account details including balances and statements.
The General Insurance Code of Practice provides that where an insurer rejects an insurance claim, that insurer shall promptly advise the claimant of that decision and the reasons for it; however, the insurer is not required to disclose any confidential information supplied by third parties, or the identity of those third parties. Thus, while the code protects the privacy of third parties, it contains no express provisions that protect the privacy of the person making the insurance claim.
The Australian Direct Marketing Association's Standards of Best Practice provide that mailing list owners should identify, on request, the source of a prospective customer's name and address and that adequate security standards should be maintained. They do not set standards in relation to, for example, data quality or notification of intended uses.
The new Telecommunications Act requires the development of codes of practice covering a number of issues including privacy. It remains to be seen if the full range of privacy principles is covered in these codes, and if privacy issues are taken into account in the development of other industry codes under the Act.
Notes
Privacy Commissioner, Community Attitudes to Privacy, August 1995, pages 2 and 3.
Privacy Commissioner, Community Attitudes to Privacy, August 1995, page 3.
Privacy Commissioner, Community Attitudes to Privacy, August 1995, page 2.
Georgia Tech Graphics, Visualisation and Usability Centre, Seventh World Wide Web User Survey, reported in J Hilvert, 'Censorship, privacy are prime concerns', The Australian (newspaper), 17 June 1997, page 4, and available on the Web at http://www.gvu.gatech.edu/user-surveys/.
As identified by Media Monitors; these included coverage of public sector privacy issues and of the debate about regulation.
Interviews by staff of the Australian Privacy Commissioner with New Zealand peak bodies, June 1997.
Privacy Commissioner (NZ), Report of the Privacy Commissioner for the year ending 30 June 1996, Wellington, 1996, page 4.
Australian Law Reform Commission and the Administrative Review Council, Open Government: a review of the Freedom of Information Act 1982, Canberra, 1995, pages 15-16.
Peladeau, P, 'Data Protection Saves Money', Privacy Journal, June 1995, pages 3 and 4.
European Parliament, Directive 95/46 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Brussels, 1995.
First Orientations on Transfers of Personal Data to Third Countries - Possible Ways Forward in Assessing Adequacy, discussion document adopted by the Working Party on the Protection of Individuals with Regard to the Processing of Personal Data, 26 June 1997.
Australian Bankers Association, Code of Banking Practice, 1993.
The Australian Direct Marketing Association is also participating in a working group, convened by the Australian Consumer and Competition Commission, that is developing a 'Distance Selling Code of Practice' for consideration by Federal, State and Territory Ministers with responsibility for consumer affairs.