Connecting with Confidence: A Public Discussion Paper

Submission to the Department of Prime Minister and Cabinet (November 2011)

Submission by Timothy Pilgrim, Australian Privacy Commissioner


Key messages

The Office of the Australian Information Commissioner (the OAIC) thanks the Department of Prime Minister and Cabinet for the opportunity to comment on the Connecting with Confidence: A Public Discussion Paper[1] (the Discussion Paper).

In this submission, the OAIC makes the following comments in relation to the Discussion Paper:

  • In discussing the possibility of regulating online behaviour, and encouraging responsible and productive online interactions, the Government and regulators should be clear that the behaviour of individuals proposed to be regulated is unlawful behaviour, and not behaviour that is merely ‘uncivil' or ‘offensive'.
  • Online communities have developed a number of methods of self-regulation that promote positive interaction, reduce anti-social, malicious and abusive behaviour, avoid undesirable outcomes (including privacy intrusive conduct), and encourage accountability in ways that can be privacy enhancing.
  • Agencies and organisations can build public trust in their online operations by being transparent about their privacy and data protection mechanisms.
  • The development of public trust and transparency would be improved by strengthening data breach notification requirements under the Privacy Act.
  • Education is the key to empowering individuals (and, by extension, small businesses) to protect themselves from cyber threats, including threats to their privacy online.

The OAIC

The OAIC was established by the Australian Information Commissioner Act 2010 (Cth)[2] (the AIC Act) and commenced operation on 1 November 2010.

The OAIC is an independent statutory agency headed by the Australian Information Commissioner.  The Information Commissioner is supported by two other statutory officers: the Freedom of Information Commissioner and the Privacy Commissioner.

The former Office of the Privacy Commissioner was integrated into the OAIC on 1 November 2010.

The OAIC brings together the functions of information policy and independent oversight of privacy protection and freedom of information (FOI) in one agency, to advance the development of consistent workable information policy across all Australian government agencies.

The Commissioners of the OAIC share two broad functions:

  • the FOI functions, set out in s 8 of the AIC Act - providing access to information held by the Australian Government in accordance with the Freedom of Information Act 1982 (Cth)[3], and
  • the privacy functions, set out in s 9 of the AIC Act - protecting the privacy of individuals in accordance with the Privacy Act 1988 (Cth)[4] (the Privacy Act) and other legislation.

The Information Commissioner also has the information commissioner functions, set out in s 7 of the AIC Act.  Those comprise strategic functions relating to information management by the Australian Government.

Coverage of the Privacy Act

The Privacy Act regulates the handling of ‘personal information', being:

‘information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion'. [5]

Specifically, the Information Privacy Principles (the IPPs), set out in s 14 of the Privacy Act, regulate the way that most Australian, ACT, and Norfolk Island Government agencies (agencies) handle personal information.[6]  The IPPs cover the collection, storage, security, use, disclosure, access and correction obligations of the agencies covered by the Privacy Act. 

The National Privacy Principles (the NPPs) are set out in Schedule 3 to the Privacy Act and regulate the way that private sector organisations (organisations) handle personal information.  The NPPs cover the collection, storage, security, use, disclosure and access and correction obligations of organisations covered by the Privacy Act.  In general, the NPPs apply to all businesses and non-government organisations with an annual turnover of more than $3 million, all health service providers, and a limited range of small businesses.[7]

Individuals (acting in a non-business capacity) are not subject to the Privacy Act.[8]

Comments on the Discussion Paper

The Discussion Paper poses a number of questions which are relevant to the OAIC's functions.  The OAIC's comments on those questions are set out below.

What kind of behaviours should be regulated?

Page 10
Issue: A growing portion of our lives and civic experience is conducted in the online environment. This environment has a unique set of characteristics, including anonymity, and allows people to interact socially unhindered by geographic distance.

  • Question: How can we promote a concept of digital citizenship, reach agreement on acceptable online behaviour and encourage people to assume greater responsibility for that behaviour?

Page 11
Issue: The online environment can create a sense of dislocation from our actions; the ability to act anonymously online can embolden bullies and sometimes abusive, offensive or illegal behaviour can go unchecked.

  • Question: How can governments, the private sector, the NFP sector and the broader Australian community work together to promote responsible and accountable digital citizenship and reduce harassing and malicious online behaviour?

Page 11

Issue: Social networking sites are almost entirely facilitated by the private sector. Although many of the larger sites have some capacity to monitor and limit abusive behaviour, some others do not.

Question: How can the owners of social networking sites be more engaged in meeting community expectations that their platforms will not be used for abusive or illegal activities?


The OAIC notes that the Discussion Paper refers to ‘acceptable' online behaviour.

The internet is a vast, layered and varied space.  It does not have a homogenous ‘culture' or a single frame of reference.  Rather, it may be better characterised as a network of communities which are not necessarily defined by geographic or national characteristics. 

The Privacy Act currently regulates the behaviour of agencies and organisations with respect to the handling of the personal information of the Australian community, but does not apply to the behaviour of individuals.  The OAIC notes that the Government is currently considering the introduction of a statutory cause of action for a serious invasion of privacy that may possibly address areas that are not the subject of the current privacy law reform process, including the acts and practices of individuals.[9]  

The OAIC is of the view that any cause of action should be formulated in a way that recognises that the right to privacy is not absolute and that it must be balanced against competing rights including the right to freedom of expression.

Similarly, the OAIC considers that regulators should be clear that the behaviour proposed to be regulated, as contemplated by the Discussion Paper, is unlawful behaviour, and not behaviour that is merely ‘uncivil' or ‘offensive'.  Such concepts are not universal - they are context specific and will vary from community to community; for example, subjects and language that are appropriate on a forum aimed at adults may not be appropriate on a forum aimed at children.  As such, concepts such as ‘civility' and ‘propriety' may not be practical or appropriate matters for government regulation.

The OAIC considers that attempts to regulate such behaviour, which could be seen to constitute an unreasonable curtailment of civil liberties, could at the same time have the unintended consequence of intruding on personal privacy.  Such actions could reduce the value of the internet as a public forum, and may be contrary to the expectations of the Australian community regarding the internet.

Strategies to enable online communities to be self-regulating are discussed below at ‘How to discourage anti-social behaviours and encourage accountability'.

Freedom of communication and the internet

One of the defining characteristics of the internet is the unprecedented opportunity it offers for communication, interaction with communities on a local, national and international scale, and free and open public debate.

The OAIC recognises that the freedom of expression and the freedom to communicate are essential to any civil society, and are a crucial component of a robust democracy.  In that regard, the OAIC notes Australia's treaty obligations under Article 19 of the International Covenant on Civil and Political Rights (the ICCPR)[10], which Australia ratified on 13 August 1980:[11]

  1. Everyone shall have the right to hold opinions without interference.
  2. Everyone shall have the right to freedom of expression; this right shall include freedom to seek, receive and impart information and ideas of all kinds, regardless of frontiers, either orally, in writing or in print, in the form of art, or through any other media of his choice.
  3. The exercise of the rights provided for in paragraph 2 of this article carries with it special duties and responsibilities. It may therefore be subject to certain restrictions, but these shall only be such as are provided by law and are necessary:
    1. For respect of the rights or reputations of others;
    2. For the protection of national security or of public order (ordre public), or of public health or morals [emphasis added].

Article 19(3) recognises that the freedom of expression is not an absolute freedom, but must be balanced with competing rights and considerations, including privacy.[12]

While the ICCPR has not been enshrined in Australian legislation, the construction of the freedom of expression as non-absolute has been adopted by the courts.  For example, in James v Commonwealth (1936) 55 CLR 1, the Privy Council, hearing an appeal from the High Court of Australia, observed that '[f]ree speech does not mean free speech; it means speech hedged in by all the laws against defamation, blasphemy, sedition and so forth; it means freedom governed by law...' (at [56]) [emphasis added].

The courts have taken a similar approach to the freedom of communication.  Freedom of communication has been long accepted as the subject of an implied Constitutional guarantee; see, for example, Australian Capital Television Pty Ltd and Ors v Commonwealth Of Australia (No 2) - (1992) 108 ALR 577.

The relationship between privacy and freedom of communication

Privacy protections enable and facilitate freedom of communication.

Anonymity is a core component of privacy - privacy risks can be greatly reduced when individuals are allowed to remain anonymous.  Currently, the Privacy Act (NPP 8) requires organisations to provide individuals with the option of not identifying themselves when interacting with an organisation, where this is lawful and practicable.  The Government is currently considering extending this requirement to Government agencies, and providing for the use of pseudonyms by individuals in certain circumstances.[13]

The ability to interact and communicate anonymously facilitates freedom of communication.  In particular, anonymity enables individuals to express controversial or minority opinions without fear of reprisal.  This concept was explored by the US Supreme Court in McIntyre v Ohio Elections Commission 514 U.S. 334 (1995).  In that decision, Justice Stevens, speaking for the majority, noted:

The decision in favor of anonymity may be motivated by fear of economic or official retaliation, by concern about social ostracism, or merely by a desire to preserve as much of one's privacy as possible.  Whatever the motivation may be... the interest in having anonymous works enter the marketplace of ideas unquestionably outweighs any public interest in requiring disclosure as a condition of entry (at [II])... Anonymity is a shield from the tyranny of the majority (at [VI]).

Further, inadequate or absent privacy protections may deter individuals from freely communicating, or using certain communications channels - for example, if there is a risk associated with the disclosure of the information to be communicated, such as embarrassment or identity theft.

The OAIC does not contend that any and all communications should be able to be made anonymously or pseudonymously; notably, NPP 8 only requires that individuals have the option of interacting anonymously where ‘practicable and lawful'.

The OAIC considers that:

  • the risk that anonymous communications will enable anti-social behaviour in online forums can be mitigated by active and responsive moderation[14], and
  • that this risk can be mitigated in a way that allows individuals to participate online in a privacy conscious manner.

This issue is discussed in more detail below.

How to discourage anti-social behaviours and encourage accountability?

The OAIC notes that, over the 20 year history of the internet, online communities have developed a number of methods to promote positive interaction, reduce anti-social, malicious and abusive behaviour, avoid undesirable outcomes (including privacy intrusive conduct), and encourage accountability.

Clear community policies

Online communities often have policies that set out what is and is not acceptable in that particular community.  Ideally, such policies are in plain English and clearly expressed.  Successful communities establish clear, enforceable consequences associated with breaching those policies, such as temporary or permanent bans on further participation.

Moderation

A successful ‘real life' community meeting is characterised by ground rules and regulatory mechanisms.  Those rules and mechanisms are intended to facilitate communication and limit inappropriate behaviour in those meetings.

Online communities can sometimes be distinguished from offline communities by a lack of regulatory mechanisms.  Such communities can be dominated by low quality discussion, and anti-social or abusive behaviour.

However, successful online communities employ filtering mechanisms that replace the real world regulatory mechanisms.  Moderation - the active monitoring of online forums by site operators or users who have the power to delete comments and suspend or ban users who breach the policies of the community - is one such filtering method.  For example, moderators may delete comments that contain defamatory or abusive material, or that are privacy invasive.

Effective moderation can be enabled by technology.  For example, some websites allow users to ‘flag' comments for review by moderators, where those comments are perceived to breach community policies.  This can alleviate the need for moderators to read every comment, allowing even large, heavily trafficked sites to be moderated by a small number of staff.  Further, appropriate moderator software tools can enable moderators to respond quickly and effectively.

Accountable identities

The OAIC notes that the Discussion Paper expresses the concern that anonymous communication channels may be exploited by those seeking to engage in anti-social and illegal behaviour.

As discussed, that risk of abusive or anti-social behaviour can be mitigated by appropriate moderation.  However, moderation is facilitated by the use of accountable identities - an identity that all of an individual's contributions in an online forum can be associated with.

Sufficient accountability can enable moderators to enforce community policies effectively (by, for example, banning a specific user).

In situations where there is no fixed community or no over-arching moderation system, the use of accountable identities may be sufficient to allow individuals to filter out the contributions of poorly behaved users.

Persistent pseudonyms

Accountability does not necessarily require participants in online discussions to disclose their ‘real world' identities (i.e., personal information such as their names).  Rather, individuals can participate under a persistent pseudonym that is attached to all their contributions - a specific, accountable identity to which anti-social behaviour, or behaviour not in accordance with the policies of the community, may be traced.  

The use of persistent pseudonyms can enable individuals to engage in online forums in a privacy conscious manner, while enabling those individuals to be held accountable by their communities.

For example, the micro-blogging service Twitter[15] does not require users to submit personal information, such as real names, to create an account.  Unlike other popular social networking sites such as Facebook[16] or Google+, Twitter users may participate under a pseudonym.  However, Twitter users are able to choose which other users' posts they wish to read, and to block posts and messages from specific users with a single click. This allows sufficiently effective filtering on an individual level such that higher level moderation is unnecessary.  Importantly, the necessary accountability is supplied by persistent pseudonyms, rather than by real world identities.

Reputation

Individuals who have invested time and effort in building credibility and influence may be reluctant to damage that credibility through poor behaviour.  Again, the identity to which the reputation is attached need not be a real world identity.  For example, online auction site eBay[17] permits users to buy and sell goods online under persistent pseudonyms.  Each user is rated on each transaction, and the ratings contribute to an overall feedback rating that is publicly viewable.  eBay users are therefore encouraged to behave well, as a low feedback score may discourage other users from transacting with them, and building credibility for a new account can be time consuming (and expensive).

Case Study: Metafilter (www.metafilter.com)

Founded in 1999, Metafilter is a community ‘weblog' that anyone can contribute a link or a comment to:

A typical weblog is one person posting their thoughts on the unique things they find on the web.  This website exists to break down the barriers between people, to extend a weblog beyond a single person.

Metafilter has approximately 50 thousand user accounts[18], and receives over 11.5 million pageviews from 3.5 million unique users every month.[19]

Metafilter employs a comprehensive moderation system:

  • Metafilter is moderated by 3 full time moderators, with 2-3 part time moderators.
  • The site has clear, succinct posting and commenting guidelines.[20] [21]
  • Metafilter users can flag posts or comments that they consider breach the community's posting and commenting guidelines. Flagged posts are brought to the attention of the moderators for resolution. This ‘crowdsourced' regulation system allows Metafilter to operate effectively with a small number of moderators.
  • The moderators review flagged items and may issue warnings, delete posts or comments that breach the community policies, or suspend or ban user accounts.

Metafilter includes a subsite, Metatalk, where users can discuss, amongst other things, site policies and their operation, and the actions of a specific user or moderator. This allows community members to be active participants in developing the community's standards and regulatory system.

Metafilter is free to read, but in order to comment, users must create an account.  A user's account name is associated with all content posted by that user, providing sufficient accountability to enable effective moderation by moderators and other users.

Accounts may be created under pseudonyms. Users have the choice to include personal information such as name, age, occupation, and interests in their profiles, but it is not a requirement.

Account creation requires payment of a $5 (USD) lifetime membership fee.  This small barrier to participation acts as a filter - users who are not interested in being an engaged member of the community, or are only interested in being abusive or malicious (‘trolls') are generally unwilling to pay the fee.  The cost barrier also discourages users from creating multiple or additional accounts to circumvent bans imposed by the moderators. 

Metafilter has been observed to be characterised by a sense of community, high quality discussion, and robust debate.[22]

These attributes are not often found in unmoderated forums.  For example, YouTube is a website on which users can upload, share, view, and comment on video.  YouTube, as a site, does not appear to have a clear commenting policy or employ comment moderators.[23]  Account creation is free.  Individual users can opt to moderate comments on their own channels.  However, many, if not most, users permit unmoderated commenting.  As a consequence, YouTube comment threads have been observed to contain poor quality discussion, and abusive and anti-social behaviour.[24] [25]

Building public trust through transparency

Page 11

Issue: Governments are progressively implementing online services in response to community expectations. However, many individuals do not trust their private data will be appropriately managed.

  • Question: How can governments improve citizens' and businesses' trust that their private data will be secured and only used for agreed purposes?


In the OAIC's experience, agencies can develop and enhance public trust in Government information handling by being transparent about their information processes (for example, by providing easily accessible, plain-English privacy policies), and having robust and comprehensive complaints handling processes.

Privacy by design: Privacy Impact Assessments

The OAIC considers that it is essential to build privacy protections into new projects and initiatives, including implementing online services, from the outset.

One way in which this can be achieved is through the carrying out of a Privacy Impact Assessment (PIA).

A PIA is a tool that can help agencies identify and respond to the privacy ramifications of new or existing projects and initiatives, and build in privacy protections at an early stage. 

PIAs can be particularly helpful in addressing public concerns relating to privacy, including information security concerns. 

Generally, a PIA should:

  • describe the personal information flows in a project
  • analyse the possible privacy impacts of those flows
  • assess the impact the project as a whole may have on the privacy of individuals and
  • explain how those impacts will be eliminated or minimised.

For large or long term projects, the conduct of a PIA may be an iterative process, with a number of PIAs carried out at various stages of development or as the project design evolves.

PIAs may be carried out internally, or by an external privacy consultant. In some cases, the use of an external consultant may enhance, or be seen to enhance, the objectivity and rigor of the PIA.

A PIA can be released to the public to assist an agency to be more transparent in its processes, to facilitate public consultation, and to help inform the public of the measures being taken to protect their personal information.

The OAIC has prepared a Privacy Impact Assessment Guide to assist agencies and organisations to undertake PIAs.  The guide may be downloaded from the OAIC's website: http://www.privacy.gov.au/publications/pia06/index.html

Open government and engaging the community

The OAIC notes that the Government has committed to the principles of Open Government,[26] including the following:

  • "Informing: strengthening citizen's rights of access to information, establishing a pro-disclosure culture across Australian Government agencies including through online innovation, and making government information more accessible and usable;
  • Engaging: collaborating with citizens on policy and service delivery to enhance the processes of government and improve the outcomes sought; and
  • Participating: making government more consultative and participative."

The OAIC considers that effective engagement with the community, including public consultation regarding proposed personal information handling practices and privacy protections relating to new projects and initiatives, is essential in developing public trust in agencies.  

The need for a mandatory data breach reporting requirement

Page 16

Question: How can we improve and encourage the reporting of data breaches in Australia?

Obligations under the Privacy Act

Security is a basic element of information privacy.[27]  In Australia, this principle is reflected in the Privacy Act in both the IPPs and the NPPs. 

The OAIC notes that the Privacy Act does not currently impose a mandatory requirement for agencies or organisations to notify the OAIC or the public about a data breach.

However, agencies and organisations are required to take reasonable steps to protect the personal information they hold from misuse and loss and from unauthorised access, modification or disclosure.  This requirement is set out in IPP 4 for public sector agencies and NPP 4 for private sector organisations.[28]

Section 18G(b) of the Privacy Act imposes equivalent obligations on credit reporting agencies and all credit providers.  Similarly, guideline 6.1 of the Tax File Number Guidelines 1992[29] requires Tax File Number (TFN) recipients to protect TFN information by such security safeguards as are reasonable in the circumstances.

Depending on the circumstances, the reasonable steps to be taken by agencies and organisations may include the preparation and implementation of a data breach policy and response plan.  Notifying individuals, who are or may be affected by a data breach, and the OAIC, may also be a reasonable step.

Obligations under other legislation

Many agencies are subject to agency-specific legislative requirements that add further protections for personal information (such as secrecy provisions), as well as legislative and other requirements which apply more generally across government.[30]  These other requirements can include the Australian Government's Protective Security Policy Framework[31] and the Information Security Manual.[32]

Organisations may also be subject to additional obligations through sector-specific legislation in respect of particular information they hold.  For example, Part 13 of the Telecommunications Act 1997 (Cth)[33] sets out obligations on the telecommunications industry in relation to the handling of certain telecommunications-related personal information.  Some organisations may also have common law duties relating to the confidentiality of particular information.  

These additional obligations need to be considered by agencies and organisations when taking steps to prevent or respond to data breaches.  To that end, the OAIC has published a guide to handling personal information security breaches.[34]  The OAIC is currently reviewing that guide.

Is a mandatory data breach requirement necessary?

In its 2008 report titled ‘For Your Information: Australian Privacy Law and Practice'[35] (Report 108), the ALRC recommended that the Privacy Act be amended to impose a mandatory obligation to notify the Privacy Commissioner and affected individuals in the event of a data breach that could give rise to a ‘real risk of serious harm' to the affected individuals (recommendation 51-1). 

The OAIC strongly supports that recommendation.  While the OAIC considers that notification of data breaches will generally be a reasonable step required by IPP 4 or NPP 4, the OAIC considers that a mandatory notification requirement would strengthen this position and help clarify the data protection obligations of agencies and organisations.

The Government has advised that it will consider the ALRC's recommendation in its second stage response to Report 108. 

How can individuals protect themselves online?

Page 16

Question: How can consumers be encouraged to take more responsibility to protect their information?

Question: What information would help consumers and small business better protect themselves and enhance their trust and confidence online?

 

Page 20

Question: How can citizens better protect themselves from cyber threats?


The OAIC has commented in detail on this topic in submissions to parliamentary committees, including:

  • Inquiry into Cyber Safety Issues Affecting Children and Young People - Submission to the Joint Select Committee on Cyber Safety[36] (July 2010; paragraphs 18-23), and
  • The adequacy of protections for the privacy of Australians online - Submission to Senate Standing Committee on Environment, Communications and the Arts[37] (August 2010; paragraphs 43-47).

The OAIC reiterates the views expressed in those submissions that education is the key to empowering individuals (and, by extension, small businesses) to protect themselves from cyber threats, including threats to their privacy online.  

In that respect, the OAIC considers that there is a role for Government in providing individuals with easily accessible and understood education resources regarding cyber safety and security.  For example, the OAIC promotes secure and safe online behaviour, and secure information exchange by advising individuals on social networking, online privacy tools, and internet privacy.[38]  Similarly, the Cybersmart website, developed by the Australian Communications and Media Authority, provides resources and practical advice to help children, adolescents and parents safely enjoy the online world.[39]



Footnotes

[1] http://cyberwhitepaper.dpmc.gov.au/white-paper

[2] www.comlaw.gov.au/Details/C2010A00052

[3] www.comlaw.gov.au/Series/C2004A02562

[4] www.comlaw.gov.au/Series/C2004A03712

[5] Privacy Act, s6(1).

[6] See definition of ‘agency', Privacy Act, s6(1).

[7] See definition of ‘organisation', Privacy Act, s6(1).

[8] Privacy Act, s7B(1).

[9] See Issues Paper - A Commonwealth statutory cause of action for serious invasion of privacy: www.dpmc.gov.au/privacy/causeofaction

[10] www2.ohchr.org/english/law/ccpr.htm#art19

[11] http://treaties.un.org/Pages/ViewDetails.aspx?src=TREATY&mtdsg_no=IV-4&chapter=4&lang=en

[12] See Article 17: www2.ohchr.org/english/law/ccpr.htm#art17

[13] Australian Law Reform Commission Report 108: For Your Information: Australian Privacy Law and Practice (2008), Chapter 20: www.alrc.gov.au/publications/report-108; Enhancing National Privacy Protection: Australian Government First Stage Response to the Australian Law Reform Commission Report 108 For Your Information: Australian Privacy Law and Practice (October 2009),  recommendation 20-1: www.dpmc.gov.au/privacy/alrc_docs/stage1_aus_govt_response.pdf; Exposure Draft: Australian Privacy Principles, Draft APP 3: www.aph.gov.au/Senate/committee/fapa_ctte/priv_exp_drafts/guide/exposure_draft.pdf

[14] Moderation refers to the active monitoring of online forums and the removal of inappropriate content (such as privacy invasive information).  Moderation can be performed either by the site operator or by site users.

[15] http://www.twitter.com/

[16] http://www.facebook.com/

[17] http://www.ebay.com/

[18] http://vimeo.com/11916466

[19] www.metafilter.com/about.mefi

[20] www.metafilter.com/guidelines.mefi

[21] http://mssv.net/wiki/index.php/What_Is_A_Good_Comment

[22] See, for example, www.time.com/time/specials/packages/article/0,28804,1918031_1918016_1917970,00.html, or
http://wweek.com/portland/article-17721-the_blogfather.html 

[23] However, YouTube does have a clear policy and moderators for uploaded videos:  www.youtube.com/t/community_guidelines?gl=GB&hl=en-GB

[24] See, for example, www.time.com/time/magazine/article/0,9171,1570810,00.htm: "Web 2.0 harnesses the stupidity of crowds as well as its wisdom. Some of the comments on YouTube make you weep for the future of humanity just for the spelling alone, never mind the obscenity and the naked hatred", and
www.guardian.co.uk/technology/blog/2009/nov/03/youtube-funniest-comments: "YouTube comments are a hotbed of infantile debate and unashamed ignorance".

[25] A live comparison of contemporaneous comments from Metafilter and YouTube is available from: http://comments.thatsaspicymeatball.com/

[26] www.finance.gov.au/e-government/strategy-and-governance/gov2/declaration-of-open-government.html

[27] See the ‘security safeguards principle' in the Organisation for Economic Cooperation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980): www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_1_1_1,00.html.
The Privacy Act was enacted to implement the OECD guidelines in Australia, as recognised in the preamble to the Act.

[28] The OAIC has provided further guidance on compliance with the information security principles elsewhere, including the following:

Guidelines to the Information Privacy Principles (principles 4-7) (for Australian and ACT Government agencies): www.privacy.gov.au/government/guidelines/index.html.

Guidelines to the National Privacy Principles (for private sector organisations):
www.privacy.gov.au/publications/nppgl_01.html.

Information Sheet 6-2001:  Security and personal information
Provides information for organisations on compliance with NPP 4:  www.privacy.gov.au/publications/IS6_01.html.

[29] www.oaic.gov.au/publications/guidelines/Guidelines-TFN.pdf

[30] See the OAIC's Guidelines to the Information Privacy Principles (principles 4-7) for a brief overview of existing guidance on security standards for agencies: www.privacy.gov.au/government/guidelines/index.html.

[31] www.ag.gov.au/www/agd/agd.nsf/page/Protective_Security_Policy_Framework

[32] www.dsd.gov.au/publications/Information_Security_Manual_2010.pdf

[33] www.comlaw.gov.au/Series/C2004A05145

[34] www.privacy.gov.au/materials/types/guidelines/view/6478

[35] www.alrc.gov.au/publications/report-108

[36] www.privacy.gov.au/materials/types/submissions/view/7111

[37] www.privacy.gov.au/materials/types/download/9558/7122

[38] www.privacy.gov.au/topics/technologies

[39] http://www.cybersmart.gov.au/