
“Laws too gentle are seldom obeyed; too severe, seldom executed.” Benjamin Franklin

Presentation by Karen Curtis, Privacy Commissioner. Privacy – It’s not rocket science. Australian Institute of Administrative Law Privacy Seminar, 20 May 2005. “Laws too gentle are seldom obeyed; too severe, seldom executed.” Benjamin Franklin. Outline: What is privacy? Areas of responsibility


Presentation Transcript


  1. Presentation by Karen Curtis, Privacy Commissioner
     Privacy – It’s not rocket science
     Australian Institute of Administrative Law Privacy Seminar
     20 May 2005

  2. “Laws too gentle are seldom obeyed; too severe, seldom executed.” Benjamin Franklin

  3. Outline
     • What is privacy?
     • Areas of responsibility
     • Contemporary issues and global trends
     • Review of the Private Sector Provisions

  4. What is privacy?

  5. Privacy – 4 elements
     • Physical
     • Territorial
     • Communications
     • Information

  6. Privacy in Australia
     • Commonwealth Privacy Act 1988
       • IPPs
       • NPPs
       • Part IIIA Credit
     • Other Commonwealth statutes
     • State and Territory legislation
     • Common law

  7. Privacy is about control of personal information
     • Consent
     • Choice
     • Openness
     • Data quality
     • Data security

  8. Major Areas of Responsibility

  9. Areas of Responsibility
     • IPPs
     • NPPs
     • Approval of private sector codes
     • Data matching
     • Spent convictions
     • s. 135AA National Health Act
     • s. 309 Telecommunications Act

  10. Contemporary privacy issues and international trends

  11. Some recent headlines:
     • Snapping over snap (Sun Herald 15/5/05)
     • Airport tightens up amid passenger fears (Australian Financial Review 14/5/05)
     • Qantas push for cameras (Australian 13/5/05)
     • Cupidity agreements (AFR, 13/5/05)
     • Warning new database should protect GP privacy (Medical Observer, 13/5/05)

  12. Some recent headlines (cont’d):
     • Democrats seek to outlaw spyware (AAP Newswire 12/5/05)
     • The great data heist (Fortune Magazine, May 05)
     • National identity program fast-tracked by funding (Australian Financial Review 12/5/05)
     • Face-spotting device (Australian Financial Review 12/5/05)
     • Complaints on phone firms soar (West Australian 9/5/05)
     • RFID: a smart way to shop (B&I Magazine, 6/5/05)

  13. Issues for the year ahead . . .
     • Review of the Private Sector Provisions
     • Identity management
     • HealthConnect and Medicare smartcard
     • Technology development
       • Biometrics
       • RFID

  14. Global Trends
     • Aggregation of data
     • Increasing use of genetic data
     • Use of biometric identifiers
     • Greater use of technologies that allow for surveillance/monitoring
     • Movement of information via the internet
     What are the implications for privacy?

  15. Aggregation of data
     • May enhance business efficiency
     • But can lead to unnecessary storage of PI
     • Can increase the risk of identity fraud
     • Danger that incorrect data is stored
     • Risk that organisations learn more about an individual than the individual intended
     • Adverse decisions for individuals

  16. When databases go wrong…
     • ChoicePoint unwittingly sells personal information on 145,000 people to criminals
     • LexisNexis reveals unauthorised users accessed 310,000 of their identity files
     Brought to you by California’s new security-breach notification laws.

  17. Increasing use of genetic data
     • A special type of PI:
       • it is shared familial or collective information
       • it may be predictive of the future health of a person and their relatives
     • Raises issues about ‘who else has a right to know?’
     National Geographic Genographic Project set to investigate the genetic roots of modern humans.
     Does genetic information require additional or different privacy protection? (ALRC Report)

  18. Use of biometric identifiers
     Biometrics can offer enhanced identity security when used responsibly, but:
     • they also reduce anonymity
     • beware of function creep
     • beware illusions of a 100% success rate
     USA and Australia to issue passports embedded with biometric identifier chips.
     Key to good biometric management: OPENNESS, ACCOUNTABILITY and CHOICE where possible.

  19. Greater use of technologies that allow for surveillance/monitoring
     • Electronic transactions leave digital trails (which can be tracked)
     • More than 70% of virus writers are now writing spyware under contract
     Some solutions?
     • Pseudonymity for e-transactions
     • Encryption technology to enhance confidentiality
     • Anti-spyware software

  20. Movement of information via the internet
     • Blurring of national boundaries and jurisdictions
     • Laws to regulate movement of information around the net (eg. Spam Act 2003)
     Multi-pronged approach for privacy:
     • Laws
     • Co-operation between countries
     • Individuals take action (with privacy enhancing technology such as anti-spyware, spam screening software, public key infrastructure etc)

  21. Contemporary issues: closer to home…
     • E-health systems
     • SmartCards
     • Identity management
     A privacy friendly approach:
     • Gives the individual as much choice as possible
     • Avoids centralised databases
     • Has accountability mechanisms
     • Assesses privacy impacts early

  22. Report on: The Review of the Private Sector Provisions of the Privacy Act

  23. Overview
     • Process
     • Main findings
     • Key recommendations
     • Where to from here

  24. Terms of reference
     Received 14 August 2004. Do the private sector provisions meet their objects?
     • Nationally consistent scheme
     • Meeting international concerns
     • Recognises individual interests
     • Recognises other competing interests, eg free flow of information and business efficiency
     Did not include:
     • Genetic information
     • Employee records
     • Children’s privacy
     • Electoral roll information and political exemption

  25. Consultation
     • Issues paper released 27 October 2004
     • Steering committee
     • Stakeholder reference group
     • National consultations
     • Meetings with telco and health stakeholders
     • 136 written submissions
     • Community attitudes research
     Report submitted to the Attorney-General on time – 31 March 2005.

  26. How are the provisions operating?
     • No fundamental flaw
     • Some objectives generally met
     • Others not: eg national consistency
     • Business generally satisfied – consumer sector less so
     • 85 recommendations don’t indicate dissatisfaction – they are ways to improve elements in light of experience and external factors

  27. Recommendations
     • Things we suggest the Government consider doing
     • Things the Office could or will do
     • Some things State and Territory Governments might consider doing
     • Many have resource implications for the Office

  28. Wider review recommended
     • Principles may be out of date in light of new technology and global developments
     • Do we need two sets of privacy principles?
     • Where should the balance of interests lie in relation to research, including medical research?
     • Should the Privacy Act apply to deceased persons?

  29. National consistency
     • Objective not achieved, particularly in these areas:
       • Health
       • Employee privacy
       • Tenancy database regulation
       • Telecommunications
     • Causes include:
       • Ambiguity in words in the Privacy Act
       • Filling the vacuum created by exemptions
       • Developments in new technologies
       • Two sets of principles – IPPs and NPPs

  30. National consistency – Recommendations
     • Remove constitutional ambiguity
     • Work with COAG
     • Mechanisms to address inconsistencies caused by exemptions
     • Single set of principles in the Privacy Act
     • Power to make binding codes

  31. National consistency
     • Telecommunications
       • Clarify relationship between Telco Act, Privacy Act and Spam Act
       • ISPs and directory producers covered
     • Health
       • Finalise National Health Privacy Code
       • Consider adopting as a schedule to the Privacy Act
     • Tenancy databases
       • Ensure covered by the Privacy Act
       • Possible binding code

  32. International issues
     • Australia not yet found adequate
     • But no broad business push for adequacy – most using contractual provisions
     Recommendations
     • EU work valuable, also APEC
     • Further assistance with NPP 9

  33. Protecting individual privacy
     Control over personal information
     • Provide for short notices in NPP 5.1
     • Make templates for short notices
     • Date privacy notices
     • Further advice on bundled consent
     Direct marketing
     • General right to opt out even if primary purpose
     • Reasonable steps to tell people where information came from
     • Consider a do-not-call register

  34. Awareness of privacy
     • Low levels of awareness impacting on business and individuals
     • Awareness is the ‘lynch pin’ of the scheme
     Recommendations
     • Education programs to raise community awareness of privacy rights and obligations
     • Collect demographic information and remove any barriers to access

  35. Access to records – Recommendations
     • Adopt AHMAC approach to intermediaries, transfer of health records and access when a service ceases to operate
     • Guidance to clarify that ‘serious threat to therapeutic relationship’ could meet the ‘serious threat to life or health’ test
     • Guidance on fees for access
     • Amend NPP 6 to require reasonable steps to notify if a record is found to be inaccurate

  36. Complaints handling and compliance
     • Support for approach to compliance
     • Mixed views about level of compliance
     • Concern about delays in complaint handling
     • Identified need for:
       • greater transparency and fairness in the complaints process
       • better ways to deal with systemic issues

  37. Complaints handling and compliance – Recommendations
     • Consider making determinations earlier and more often in the process
     • Promote use of audits in the private sector
     • Consider merits review of the Privacy Commissioner’s decisions
     • Powers to require organisations to address systemic issues
     • Enforceable remedies for own motion investigations

  38. Business efficiency
     • Business support for current balance (less so for consumers)
     • Support for principles based approach
     • Support for codes, but simpler approval process wanted
     • Concern about lack of consumer awareness of business privacy obligations
     • Mixed views from business about small business exemption

  39. Business efficiency – Recommendations
     • Measures to increase business awareness, including PCO network
     • Retain small business exemption but:
       • Use ABS definition, ie 20 employees or fewer
       • Cover ISPs, directory providers and tenancy databases
       • Remove consent exception to exception to exemption

  40. Research
     • General concern that research, including medical research, is hindered by the Privacy Act
     • Reasons include:
       • Nationally inconsistent provisions
       • NPPs and IPPs different
       • NPPs unclear and too strict about consent
       • When is information de-identified?
       • Complexity of reporting obligations
       • No provision for non-medical research

  41. Research
     Need for wider public debate about the appropriate balance between the individual and public interest in privacy, and the public interest in having research?
     Recommendations
     • Wider review needed
     • Office to clarify application of NPP 2 in relation to management, funding and monitoring of a health service
     • Office and NHMRC to simplify reporting process

  42. Other social interests – Recommendations
     • Decision making incapacity
     • Alternative dispute resolution schemes
     • Large scale emergencies
     • Private investigation

  43. Technologies
     • Major developments since OECD guidelines developed – internet, data mining, biometrics, e-Health
     • Support for technological neutrality
     • But some gaps identified, eg GPS, m-commerce, spyware, e-authentication, surveillance
     • Definition of personal information may no longer be adequate to protect privacy

  44. Technologies cont’d – Recommendations
     • Wider review of NPPs and definition of PI to see if they remain relevant
     • Need to address global privacy in light of reach of new technology
     • Consider specific enabling legislation for electronic health records
     • More guidance about what is PI
     • Possible use of binding codes

  45. Clarifying application of NPPs – Recommendations
     • NPP 1.3(d)
     • NPP 1.3 and 1.5 – no steps may be reasonable steps
     • NPP 1.5 – clarify meaning of ‘someone else’
     • NPP 2 – guidance to clarify issue of primary and secondary purpose in case of health care
     • NPP 3 – guidance to indicate that a proportional approach is to be taken
     • NPP 7 – regulation to address Centrelink issues
     • NPP 10 – amend to take into account family history (PID 9 and 9A)
     • NPP 10.2 – amend to include ‘as authorised by law’ and clarify meaning of binding rules

  46. Other recommendations
     • Private sector contracting
       • Protecting outsourced information
       • Clarify application to contractors
     • Sale and purchase of business
       • Consider amending NPPs to take into account
     • Media exemption
       • Clarify application
       • More guidance and consultation with ABA

  47. Where to from here
     • Report released by Attorney-General on 18 May 2005
     • Government will prepare response
     • Office will begin work on recommendations relating to it
     • Amendments usually involve a consultation process

  48. It’s about balance
     Senator George Georges said when he resigned from the ALP over not supporting the Australia Card . . .
     “I believe strongly in the rights of the individual to exist without unnecessary bureaucratic interference by the state” (10 December 1986)
     And most of us do!

  49. Presentation by Karen Curtis, Privacy Commissioner
     Privacy – It’s not rocket science
     Australian Institute of Administrative Law Privacy Seminar
     20 May 2005