500 likes | 648 Vues
Presentation by Karen Curtis Privacy Commissioner Privacy – It’s not rocket science Australian Institute of Administrative Law Privacy Seminar 20 May 2005. “Laws too gentle are seldom obeyed; too severe, seldom executed.” Benjamin Franklin. Outline What is privacy? Areas of responsibility
E N D
Presentation by Karen CurtisPrivacy CommissionerPrivacy – It’s not rocket scienceAustralian Institute of Administrative LawPrivacy Seminar20 May 2005
“Laws too gentle are seldom obeyed; too severe, seldom executed.” Benjamin Franklin
Outline • What is privacy? • Areas of responsibility • Contemporary issues and global trends • Review Private Sector Provisions
Privacy – 4 elements • Physical • Territorial • Communications • Information
Privacy in Australia • Commonwealth Privacy Act 1988 • IPPs • NPPs • Part IIIA Credit • Other Commonwealth Statutes • State and Territory Legislation • Common Law
Privacy is about control of personal information • Consent • Choice • Openness • Data Quality • Data Security
Areas of Responsibility • IPPs • NPPs • Approval private sector codes • Data matching • Spent convictions • s. 135AA National Health Act • s. 309 Telecommunications Act
Some recent headlines: • Snapping over snap (Sun Herald 15/5/05) • Airport tightens up amid passenger fears (Australian Financial Review 14/5/05) • Qantas push for cameras (Australian 13/5/05) • Cupidity agreements (AFR, 13/5/05) • Warning new database should protect GP privacy (Medical Observer, 13/5/05)
Democrats seek to outlaw spyware (AAP Newswire 12/5/05) • The great data heist (Fortune Magazine, May 05) • National identity program fast-tracked by funding (Australian Financial Review 12/5/05) • Face-spotting device (Australian Financial Review 12/5/05) • Complaints on phone firms soar (West Australian 9/5/05) • RFID: a smart way to shop (B&I Magazine, 6/5/05)
Issues for the year ahead . . . • Review Private Sector Provisions • Identity management • HealthConnect and Medicare smartcard • Technology development • Biometrics • RFID
Global Trends • Aggregation of data • Increasing use of genetic data • Use of biometric identifiers • Greater use of technologies that allow for surveillance/monitoring • Movement of information via the internet What are the implications for privacy?
Aggregation of data • May enhance business efficiency • But can lead to unnecessary storage of PI • Can increase the risk of identity fraud • Danger that incorrect data is stored • Risk that organisations learn more about an individual than the individual intended • Adverse decisions for individuals
When databases go wrong… ChoicePoint unwittingly sells personal information on 145,000 people to criminals LexisNexis reveals unauthorised users accessed 310,000 of their identity files Brought to you by California’s new security-breach notifi-cation laws.
Increasing use of genetic data • A special type of PI: • it is shared familial or collective information • may be predictive of the future health of a person and their relatives • Raises issues about ‘who else has a right to know?’ National Geographic Genographic Project set to investigate the genetic roots of modern humans Does genetic information require additional or different privacy protection? ALRC Report
Use of biometric identifiers Biometrics can offer enhanced identity security when used responsibly • they also reduce anonymity • beware of function creep • illusions of 100% success rate USA and Australia to issue passports embedded with biometric identifier chips Key to good biometric management: OPENNESS, ACCOUNTABILITY and CHOICE where possible
Greater use of technologies that allow for surveillance/monitoring • Electronic transactions leave digital trails (which can be tracked) • More than 70% of virus writers are now writing Spyware under contract Some solutions? Pseudonymity for e-transactions Encryption technology to enhance confidentiality Anti Spyware software
Movement of information via the internet • Blurring of national boundaries and jurisdictions • Laws to regulate movement of information around the net (eg. Spam Act 2003) Multi-pronged approach for privacy: • Laws • Co-operation between countries • Individuals take action (with privacy enhancing technology such as Anti-Spyware, Spam screening software, public key infrastructure etc)
Contemporary issues: closer to home… • E-health systems • SmartCards • Identity management A privacy friendly approach: • Gives the individual as much choice as possible • Avoids centralised databases • Has accountability mechanisms • Assesses privacy impacts early
Report on: The Review of the Private Sector Provisions of the Privacy Act
Overview • Process • Main findings • Key recommendations • Where to from here
Terms of reference Received 14 August 2004 Do the private sector provisions meet their objects? • National consistent scheme • Meeting international concerns • Recognises individual interests • Recognises other competing interest eg free flow of information and business efficiency Did not include: • Genetic information • Employee records • Children’s privacy • Electoral roll information and political exemption
Consultation • Issues paper released 27 October 2004 • Steering committee • Stakeholder reference group • National consultations • Meetings with telco and health stakeholders • 136 written submissions • Community attitudes research Report submitted to Attorney on time – 31 March 2005
How are provisions operating? • No fundamental flaw • Some objectives generally met • Others not: eg national consistency • Business generally satisfied – consumer sector less so • 85 recommendations don’t indicate dissatisfaction – are ways to improve elements in light of experience and external factors
Recommendations • Things we suggest the Government consider doing • Things the Office could or will do • Some things State and Territory Governments might consider doing • Many have resource implicationsfor the Office
Wider review recommended • Principles may be out of date in light of new technology and global developments • Do we need two sets of privacy principles? • Where should the balance of interests lie in relation to research, including medical research? • Should the privacy act apply to deceased persons?
National consistency • Objective not achieved in this area particularly: • Health • Employee privacy • Tenancy data base regulation • Telecommunications • Causes include: • Ambiguity in words in Privacy Act • Filling vacuum created by exemptions • Developments in new technologies • Two sets of principles – IPPs and NPPs
National consistency Recommendations • Remove constitutional ambiguity • Work with COAG • Mechanisms to address inconsistencies caused by exemptions • Single set of principles in the Privacy Act • Power to make binding codes
National consistency • Telecommunications • Clarify relationship between Telco Act and Privacy Act and Spam Act • ISPs and directory producers covered • Health • Finalise National Health Privacy Code • Consider adopting as schedule to Privacy Act • Tenancy databases • Ensure covered by Privacy Act • Possible binding code
International issues • Australia not yet found adequate • But no broad business push for adequacy – most using contractual provisions Recommendations • EU work valuable, also APEC • Further assistance with NPP 9
Protecting individual privacy Control over personal information • Provide for short notices in NPP 5.1 • Make templates on short notices • Date privacy notices • Further advice on bundled consent Direct marketing • General right to opt-out even if primary purpose • Reasonable steps to tell people where information came from • Consider do-not-call register
Awareness of privacy • Low levels of awareness impacting on business and individuals • Awareness ‘lynch pin’ of scheme Recommendations • Education programs to raise community awareness of privacy rights and obligations • Collect demographic information and remove any barriers to access
Access to records Recommendations • Adopt AHMAC approach to intermediaries, transfer of health records and access when service ceases to operate • Guidance to clarify that ‘serious threat to therapeutic relationship’ could meet ‘serious threat to life or health’ test • Guidance on fees for access • Amend NPP 6 to require reasonable steps to notify if record found to be inaccurate
Complaints handling and compliance • Support for approach to compliance • Mixed views about level of compliance • Concern about delays in complaint handling • Identified need for • greater transparency and fairness in complaints process • better ways to deal with systemic issues
Complaints handling and compliance Recommendations • Consider making determinations earlier and more often in process • Promote use of audits in private sector • Consider merits review of PC’s decisions • Powers to require organisations to address systemic issues • Enforceable remedies for own motion investigations
Business efficiency • Business support for current balance (less so for consumers) • Support for principles based approach • Support for codes, but simpler approval process wanted • Concern about lack of consumer awareness of business privacy obligations • Mixed views from business about small exemption
Business efficiency Recommendations • Measures to increase business awareness, including PCO network • Retain small business exemption but: • Use ABS definition ie 20 employees or fewer • Cover ISPs, directory providers and tenancy data bases • Remove consent exception to exception to exemption
Research • General concern that research, including medical research is hindered by Privacy Act • Reasons include: • Nationally inconsistent provisions • NPPs and IPPs different • NPPs unclear and too strict about consent • When is information de-identified? • Complexity of reporting obligations • No provision for non-medical research
Research Need for wider public debate about appropriate balance between individual and public interest in privacy, and public interest in having research? Recommendation • Wider review needed • Office to clarify application of NPP 2 in relation to management, funding and monitoring of a health service • Office and NHMRC to simplify reporting process
Other social interests Recommendations • Decision making incapacity • Alternative dispute resolution schemes • Large scale emergencies • Private investigation
Technologies • Major developments since OECD guidelines developed – internet, data mining, biometrics, e-Health • Support for technological neutrality • But some gaps identified eg GPS, mcommerce, spyware, e-authentication, surveillance • Definition of personal information may no longer be adequate to protect privacy
Technologies cont’d Recommendations • Wider review of NPPs and definition of PI to see if remain relevant • Need to address global privacy in light of reach of new technology • Consider specific enabling legislation for electronic health records • More guidance about what is PI • Possible use of binding codes
Clarifying application of NPPs Recommendations • NPP 1.3(d) • NPP 1.3 and 1.5 – no steps may be reasonable steps • NPP 1.5 clarify meaning of someone else • NPP 2 – guidance to clarify issue of primary and secondary purpose in case of health care. • NPP 3 – guidance to indicate that proportional approach to be taken • NPP 7 – regulation to address Centrelink issues • NPP 10 – amend to take into account family history PID 9 and 9A • NPP 10.2 – amend to include ‘as authorised by law’ and clarify meaning of binding rules
Other recommendations • Private sector contracting • Protecting outsourced information • Clarify application to contractors • Sale and purchase of business • Consider amending NPPs to take into account • Media exemption • Clarify application • More guidance and consultation with ABA
Where to from here • Report released by Attorney-General on 18 May 2005 • Government will prepare response • Office will begin work on recommendations relating to it • Amendments usually involve consultation process
It’s about balance Senator George Georges said when he resigned from the ALP over not supporting the Australia Card . . . “I believe strongly in the rights of the individual to exist without unnecessary bureaucratic interference by the state”(10 December 1986) And most of us do!
Presentation by Karen CurtisPrivacy CommissionerPrivacy – It’s not rocket scienceAustralian Institute of Administrative LawPrivacy Seminar20 May 2005