Information Policy Conference address
Presentation by Timothy Pilgrim, Privacy Commissioner, at OAIC Information Policy Conference (15 November 2011)
The coming together of privacy with the functions of FOI and information policy is crucial in the context of open government, especially when you consider how much of the information held by government is about the personal affairs of members of the community.
Indeed, government agencies are custodians of highly sensitive information about people’s financial and taxation affairs, their family and medical history, and the evaluation of their eligibility for a benefit or suitability for employment.
Responsible information management by government therefore requires that individual privacy is properly protected.
At the same time, individuals must also have the right to access personal information that government holds about them, and to comment upon or correct any item of information which they feel is incorrect, incomplete or out-of-date.
Privacy is recognised as a human right under the United Nations International Covenant on Civil and Political Rights (ICCPR) to which Australia is a party, and privacy rights have been protected in Australia for over two decades by the Privacy Act 1988.
The administration of that Act by the OAIC, alongside the FOI Act, draws attention to the need to strike an appropriate balance between protection of personal information and open government.
This balance is also reflected in ICCPR. While one clause supports the right to have access to one's own personal information and to have it amended if it is incorrect (Article 17), another clause guarantees a right to freedom of expression, which expressly includes freedom to seek information (Article 19(2)). The challenge for the OAIC is to foster a culture of openness that also protects the privacy of individuals.
As the flow of personal information grows exponentially through the use of new technologies that enable it to be moved around the globe in seconds, privacy law must adapt and keep pace with the way that personal information is handled by government agencies and private sector organisations.
It is in this context that a key focus for the OAIC over the past 12 months has been the proposed reforms to the Privacy Act.
Privacy law reform
At the same time as Australia's FOI laws and open government practices have been reformed, a substantial overhaul of privacy laws is also underway.
You may recall that in 2008, following an extensive period of consultation, 295 recommendations for amendments to the Privacy Act were made by the Australian Law Reform Commission in its three-volume Report No. 108.
Given the size of this report, the Government decided to respond in a two-stage process. A first stage response to 197 of the 295 recommendations contained in the ALRC report was released in October 2009 and the Government is still in the process of implementing these changes.
In terms of progress to date, an exposure draft of 13 proposed Australian Privacy Principles (or APPs) was released by the Federal Government earlier this year. The APPs are structured to reflect the information life cycle – from collection, through to use and disclosure, and access and correction.
The APPs are intended to replace the existing two sets of principles in the Privacy Act: the IPPs, which apply to Australian Government agencies, and the NPPs, which apply to private sector organisations. It is anticipated that a single set of principles will simplify privacy obligations in Australia and reduce confusion and duplication.
One aspect of the reformed APPs includes making the Privacy Act the primary vehicle for people to access and correct the personal information held on them by Australian government agencies. As you know, the FOI Act is currently the way in which people exercise those rights.
Another significant change includes a new requirement on government agencies to consider how they collect sensitive information – that is, information relating to ethnic origins, political opinions, religious or philosophical beliefs, sexual preferences, criminal records and health information. This is a category of personal information that does not currently appear in the IPPs which apply to Australian government agencies.
Further, Australian government agencies will also need to apply a new transborder data flow principle which will make entities covered by the Privacy Act accountable for any disclosure of personal information outside Australia, unless one of a number of exceptions applies.
Other changes on the horizon are new laws to strengthen the powers of the Commissioners.
By way of example, under the current Act, we are unable to impose a penalty on an agency or organisation when we have initiated an investigation on our own motion, that is, without a complaint from an individual. Currently, in such circumstances, we work with the agency or organisation to ensure ongoing compliance and better privacy practice.
The Government has indicated that it intends to make amendments so that the Commissioners can:
- make an enforceable determination on an own motion investigation;
- accept undertakings from agencies or organisations and, if necessary, enforce those (through a court); and
- seek (through a court) a civil penalty for serious or repeated offences.
At the end of the day, we would rather not have to use such powers. Our recent experiences in relation to the Google Street View and Vodafone cases show how agreed undertakings can operate successfully. Nevertheless, additional powers for the Commissioners will provide added credibility for enforcement of privacy law, reinforce the significance of privacy compliance, and give everyone an even greater incentive to take privacy more seriously.
Other recommendations still to be considered are the introduction of mandatory data breach notification laws and the review of exemptions from the Privacy Act applicable to small business, employee records, political parties and media organisations.
In terms of proposed refinements to the journalism exemption, vigorous debate continues alongside another significant recommendation proposed by the ALRC – and that is a statutory cause of action for breach of privacy. This would give individuals, in certain circumstances, a right to sue for serious invasion of privacy. You would have seen an issues paper on this subject recently released by the government.
This is an extremely interesting debate. A statutory right to privacy could reinforce the concept that privacy is a human right that warrants specific recognition and protection within the Australian.
It could also complement the existing, legislative-based privacy protections afforded to individuals and address some of the gaps that presently exist in both the common law and legislation.
However, the right to privacy is not absolute: it should always be balanced with other human rights and social interests. One of these is freedom of expression. The public interest in continuing to allow the community to be informed about matters of public concern is an important consideration to balance against the right to privacy.
It is also very important that Australia has an independent and active media, and that Australians continue to enjoy freedom of expression. Any changes to the law will therefore need to strike a balance between privacy and freedom of expression.
As I understand it, the issues paper had already been viewed almost 4,500 times and downloaded by more than 800 individuals. In response, the Minister announced that he would extend the deadline. It will certainly be interesting to see the various views once the consultation period comes to a close at the end of this week.
It is likely that privacy issues will continue to feature prominently in news headlines as the statutory cause of action is discussed. This continues a trend in media interest sparked by continuing incidents of data breaches and events surrounding the News of the World.
In regard to data breaches, the OAIC has investigated a number of significant cases in the past year involving high-profile organisations, such as Google, Vodafone, the Sony PlayStation Network, Telstra and First State Super, to name a few. Issues to emerge from these investigations include organisations allowing the use of shared logins and passwords for staff, making a broad range of detailed customers’ personal information available to any number of individuals, and delays in organisations notifying customers after they have become aware of a data breach incident. Some organisations have fallen victim to hackers, a much more insidious occurrence that can have profound consequences for the individuals whose personal information is affected.
Widespread media reporting of such events has contributed to a growing recognition that privacy protection is a critical concern in the community. A number of these cases also highlighted the globalisation of the flow of personal information.
This was a key issue discussed at the International Conference of Data Protection and Privacy Commissioners held a fortnight ago in Mexico City. At that forum, which was attended by over 750 delegates and at which over 70 privacy authorities were represented, the Commissioners resolved to implement a process to enable better coordination of the investigation of major data breaches that impact across international jurisdictions.
All of this reinforces that there certainly is a lot going on in the privacy sphere.
However, returning to the theme of this conference, the personal information of Australian citizens held by government agencies can be an extremely useful resource to enable good policy development and research that can have considerable benefits to the whole community. However, it must be used sensitively and in a way that respects the privacy of those individuals whose personal information has been entrusted to those government agencies.