What is `information privacy'?
1 Information privacy concerns the handling of `personal information', that is, information about a particular person or information that can be used to identify a particular person. The collection and use of personal information is essential to businesses, non-profit organisations, consumers and government: it is a very valuable resource. But it differs from other resources in two ways. It can be shared and used by more than one person at the same time, and it can be used for an unlimited number of different purposes. These characteristics give rise to the fundamental ideas behind information privacy: that organisations handling personal information have a responsibility to do so fairly, and that the subjects of personal information retain some rights in relation to the way it may be used (or collected or stored or disclosed) by others.
Privacy in the information age
2 The growth of computer technology in the last thirty years has allowed a massive expansion in the volume of information held and has made it easier to access, process and match it. Many people are concerned about the increased potential for privacy intrusion that accompanies technological change. Survey research for the Privacy Commissioner indicates that nearly 80 per cent of people think computers have made it easier for confidential personal details to fall into the wrong hands and that very few believe there are adequate safeguards for personal information kept on computer.[1] Yet it is equally clear that Australia's prosperity and our capacity to produce high quality goods and services depends to a large extent on the smarter use of information. We must deal adequately with people's concerns about privacy if we are to gain the maximum benefits from the information society. If an information privacy scheme were robust enough to assure consumers that they could exercise some control over the use of their information in sophisticated IT systems, it seems likely that public resistance to such applications would be reduced.
Information privacy protection in Australia and overseas
3 Most attempts to draft information privacy principles are based on the OECD's Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (see Appendix C). Most European countries have passed laws, applying to public and private sectors, that embody the OECD principles. In the Asia-Pacific region, New Zealand, Hong Kong and Taiwan have laws that apply to the public and private sectors. Japan, Canada and the US at a federal level have laws that apply to the public sector, with some sectoral or regional laws affecting the private sector.
4 In 1988 the Commonwealth Privacy Act was enacted; it includes 11 principles (see Appendix D), based on the OECD guidelines, which apply to Commonwealth and ACT government agencies. There is no similar legislation in any State or the Northern Territory, although the South Australian, West Australian and Tasmanian governments have drafted Information Privacy Principles to apply to their own handling of personal information. New South Wales and South Australia have Privacy Committees with limited functions. In other States, complaints about breaches of privacy by State government agencies are usually handled by the State Ombudsman. All States and the ACT have Freedom of Information legislation which provides rights of access to personal information held by government bodies.
5 It is clear that information privacy concerns will continue to feature prominently in discussions about government policy for the new information economy, both in domestic and overseas jurisdictions. It is desirable that policy responses avoid both an insular, domestic focus and fragmented approaches across jurisdictions.
Do we need a privacy scheme for the private sector?[2]
What does business think?
6 The responses to the discussion paper from the Attorney-General's Department suggest that many Australian businesses recognise the importance of information privacy. Business respondents differed about the best way of protecting information privacy. Some thought that a legislated scheme would give the most certainty and consistency. Others thought that a self-regulatory scheme would be simpler, cheaper and more flexible. However, business unanimously supported the concept of a simple scheme that minimises compliance costs, overlap with other regulation and differences between jurisdictions.
What does the public think?
7 Studies conducted on behalf of the Privacy Commissioner since 1990 have suggested strong public support for some central information privacy principles. For example, nearly nine in ten people believe that they should be told before personal information is being collected and that they should be asked permission before their personal data can be passed from one organisation to another.[3] Similar results emerged from a survey carried out for Mastercard in 1996.[4] However, people understand the role that information plays in the economy: more than half do not object to companies using personal details as long as they know about it, and can stop it.[5]
Is there a real problem?
8 There is significant evidence that unfair information privacy practices create real problems for real people in Australia.
People are complaining
9 In 1996-97 the Privacy Commissioner received 499 formal written enquiries relating to possible breaches of the Act. In addition, the Commissioner receives around 15,000 enquiries from the public each year, many of them complaints about information privacy intrusions in the private sector, which are outside the scope of the Act.
10 In 1995-96, the Telecommunications Industry Ombudsman received 1,350 complaints about privacy. The New South Wales Privacy Committee receives between 2,000 and 3,000 enquiries per year, accepting around 10 per cent as formal complaints. The South Australian Privacy Committee covers only the SA public sector; it receives around 900 enquiries each year, excluding Freedom of Information enquiries.
11 These figures probably understate the level of public concern because people are not always in a position to tell that their information has been mishandled or may not be aware of where to complain.
What can go wrong in the real world?
12 Here are some examples of people being disadvantaged or inconvenienced by poor information privacy practices.[6] Others are included in Appendix A.
A woman gives birth in hospital, but the baby dies within a few days. For weeks afterwards the woman receives at her home `congratulations' from a range of baby product companies which have bought details of new mothers from the hospital.
Ms B contacts a real estate agency expressing an interest in buying a property in a certain area. She tells the agent how much she is prepared to pay. Without her authorisation, the agent distributes a circular to houses in the area in which he gives details of her name, the fact that she wants to buy a house and her ceiling price. Ms B is embarrassed by the disclosure because some people in the area know her. She also believes that the disclosure of the amount she was prepared to pay adversely affected her bargaining power.
A man has difficulty in obtaining insurance over a number of years. He eventually finds that he has been mistakenly confused with someone else with the same name who has a record of insurance fraud and has been placed on a `blacklist' which is accessed by all insurance companies. It takes him another two years to have his details removed.
A company decides to check the credentials of a job applicant with authorities in his country of origin, without first discussing it with him. It transpires that he has been admitted to Australia as a refugee on the basis of persecution by a non-democratic government. The enquiry alerts the authorities to his whereabouts and status and leads to action against his relatives and confiscation of property owned by him in his homeland.
How can market forces protect privacy?
13 Some argue that, in the private sector, people can choose an organisation that provides a level of privacy protection they find acceptable; so competition between businesses will provide the right level of protection without regulation. Good privacy protection for customer and employee information often makes good business sense. It is useful in building trust and loyalty between customer and firm and in minimising complaints. These commercial incentives have already convinced some firms to pay close attention to information privacy.
14 However, in order to choose an organisation that will protect their information privacy, consumers need good information about what will be done with the personal information they provide. If they do not have it, they cannot make informed decisions about this aspect of the transaction. There are other factors which suggest that the right conditions need to be established for market forces to be able to deliver satisfactory outcomes in relation to information privacy.
15 First, for some businesses, the commercial advantage to be gained from unconstrained collection, use or disclosure of personal information seems to be greater than the customer relations benefits of good privacy protection. For example, a direct selling campaign may be prepared to irritate thousands of people approached by mail or phone, provided just a few sales are made.
16 Second, while many markets in Australia approximate the competitive model, many do not. In some industries, businesses dominate particular geographical areas. In others, information handling practices are common across an industry, offering consumers no real choice.
17 There is an emerging consensus, in relation to the new information economy in general, that government needs to foster a policy management framework, and promote markets for consumer control, confidence and choice. A recent report to the Clinton administration in the United States suggests, as a principle for international discussion and agreement, that:
where governmental involvement is needed, its aim should be to support and enforce a predictable, minimalist, consistent and simple legal environment for commerce.[7]
18 Fair information practices would seem to be an area where business would benefit from government involvement to facilitate the establishment of a consistent and predictable framework, even if there is no need for actual legislative action.
Will the costs of a scheme outweigh its benefits?
19 The level of compliance costs that attach to a scheme of privacy protection will depend on the way the scheme is formulated. Low cost schemes have been designed elsewhere. However, if Australia is to adopt a scheme which delivers best practice in information privacy, there will be some costs.
Types of compliance costs
20 Information privacy principles require organisations to provide people with information about how their personal information will be handled. Some firms may need to redesign forms or change the way they collect personal information over the telephone. Provided there is an adequate phase-in period, the costs should be small.
21 Another principle is that people should have access to their own personal information. Experience in the public sector and overseas indicates that most requests will be simple and easily met. This paper suggests that businesses should be able to charge reasonable fees to cover the location and copying of personal information, and to decline unreasonable requests.
22 The principles in this paper would put some limits on how an organisation can use personal information. If a business currently relies on uses that are inconsistent with privacy principles, compliance could mean a loss of revenue. It is hard to estimate the size of this effect. The use limitations in this paper do not aim to deny business reasonable latitude. Revenue loss should be limited to firms engaged in plainly unacceptable practices.
23 If organisations need to change their practices there may be extra training costs. If there is an adequate phase in period, training in fair information practices should be able to be included in standard training for customer relations and other functions at little additional cost. If a single set of principles is widely agreed to, generic training materials should also reduce costs.
24 Any scheme will involve costs to cover the development of specific industry standards, the monitoring of complaints, education activities etc. If the scheme is well designed and accepted, costs should not be high and no single organisation should have to bear a heavy burden. It would be expected in a self-regulatory scheme that the organisations covered would contribute to these costs. The extent to which governments may contribute is a matter for further discussion.
Impact on different types of organisation
25 For a small business with uncomplicated holdings of personal information, compliance costs would be practically nil. Very rarely someone might ask to see payroll or invoice records that relate to them. Apart from that there would be no impact. Responsible businesses in personal information intensive industries already pay attention to privacy issues and, provided there is an adequate phase-in period, compliance costs should be quite manageable; for example, no business would be obliged to reprint millions of forms. The only businesses likely to feel a significant impact are the small minority that are currently handling large amounts of personal information in an irresponsible way, without regard for individuals' wishes or expectations.
Commercial benefits from compliance
26 In some cases the adoption of information privacy principles will improve business performance. There are numerous examples of organisations making significant cost savings by addressing issues of data quality and security, and reviewing the need for personal information, for the first time as a result of having to comply with fair information practices.[8] Neglect of information privacy can also mean lost revenue - a 1996 survey indicates that 45 per cent of Australians have been asked, in connection with purchase of a good or service, for personal information that they regard as excessive; of these 61 per cent discontinued the transaction.[9]
Facilitating trade
27 It is desirable that public policy in relation to the new information economy is clearly informed by an international perspective, and linked to positions adopted by international forums. A recent US Federal Government paper outlines a range of options for the protection of information privacy in electronic environment.[10]
28 In 1995 the European Parliament adopted a policy that European Union countries should not allow personal data to be transferred to a non-EU country that does not ensure an adequate level of privacy protection.[11] Transfers may be allowed to countries without an adequate overall level of protection, provided other conditions (like detailed clauses in contracts) are met. The recent US government paper acknowledges:
No discussion of [on-line] privacy can be complete without appropriate consideration of the EU Directive and its implications for international trade in the Information Age.[12]
29 The Hong Kong data protection law of 1995 also restricts the transfer of personal information to jurisdictions without a comparable degree of protection.
30 Adoption of a robust information privacy scheme by Australian businesses would make it easier to convince overseas authorities that personal information will be protected in Australia.
Is information privacy in the private sector sufficiently protected by existing schemes?
31 The Australian common law recognises no general right to privacy. Defamation law and actions for breach of a duty of confidence can apply in a limited range of circumstances, but litigation is slow and expensive and not a realistic option for most people affected by privacy intrusions.
32 Some statute law offers limited privacy protection: Part IIIA of the Privacy Act protects personal information used by credit reporting agencies; there are prohibitions on telecommunications interception; listening devices laws limit the use of `bugs'; telecommunications laws provides for binding codes of practice regarding privacy. But the coverage is patchy and many of the laws focus on the security of personal information, which is only one part of the information privacy package.
33 There are already many industry codes of practice in Australia, some containing an information privacy element. None deals with the full range of information privacy issues. This is not to say that the information privacy parts of existing codes are not useful or that they should be abandoned in favour of specialised privacy codes, but it does suggest that more consistent protection could be achieved if benchmark standards were accepted in all sectors. These standards could then be picked up in existing sectoral codes or guidelines. Other sectors where information privacy is clearly an issue operate without agreed guidelines, for example, mercantile agents and private investigators have rules of thumb for acceptable practice but these are nowhere written down. This does not mean that these sectors are privacy black spots, but it suggests that a more proactive approach is needed to satisfy concerns and provide remedies for abuses.
The need for a new initiative
34 There is a general domestic and international consensus that information privacy concerns must be addressed urgently as part of a framework to facilitate the growth of the new information economy and to ensure consumer confidence in electronic commerce and electronic service delivery.
35 There are a variety of views about the most appropriate response, but no-one is arguing that nothing needs to be done, and there are clear demands for consistency and the avoidance of a patchwork of different requirements. The Federal Government has invited the Privacy Commissioner to assist business in the development of voluntary codes of conduct to meet privacy standards. The remainder of this paper sets out a proposal for a National Scheme for Fair Information Practices in the private sector.
[1] Privacy Commissioner, Community Attitudes to Privacy, August 1995, page 2.
[2] Further evidence and examples in support of this Part are provided in Appendix A.
[3] Privacy Commissioner, Community Attitudes to Privacy, August 1995, page 2 and 3.
[4] Mastercard International, Privacy and Payments, 1996, page 15.
[5] Privacy Commissioner, Community Attitudes to Privacy, August 1995, page 3.
[6] These are composite examples based on actual experience.
[7] Information Infrastructure Task Force, A Framework for Global Electronic Commerce, July 1997.
[8] See for example, Peladeau P, Data Protection Saves Money, in Privacy Journal, June 1995, pages 3-4. Also, Interviews by staff of the Australian Privacy Commissioner with New Zealand peak bodies, June 1997.
[9] Mastercard International, Privacy and Payments, 1996, page 15.
[10] National Information Infrastructure Task Force (US), Options for Promoting Privacy on the National Information Infrastructure, April 1997.
[11] European Parliament, Directive 95/46 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Brussels, 1995.
[12] National Information Infrastructure Task Force (US), Options for Promoting Privacy on the National Information Infrastructure, April 1997.