The Privacy Amendment (Private Sector) Bill 2000 reflects the federal government’s approach to data protection that is based upon the premise of a ‘light touch’ legislative regime.
The Bill gives limited effect to the National Principles for the Fair Handling of Personal Information, which provide a basis for business to develop practices to ensure the protection of individual privacy. The National Principles set out standards about how businesses and other private sector organisations should collect personal information, how that information can be used and disclosed, and how it should be maintained accurately and securely.
Under the Bill, private sector organisations will be bound by the National Principles unless they have their own privacy code that has been approved by the Privacy Commissioner. A code will only be approved by the Commissioner if it provides at least as much privacy protection as the National Principles.
However, as presently drafted, the Bill is inadequate to protect the privacy of Australians’ personal information. Among the many criticisms of the Bill: it will have no effective application to existing databases; the enforcement mechanisms are too weak; and it does little to protect families in this electronic age. It’s not a ‘light touch’, but a ‘feather touch’.
The first area of deficiency relates to the treatment of information in existing databases. The Bill specifically provides that Privacy Principle 2 – which relates to the use and disclosure of personal information – will not apply to existing databases. This means that the information privacy horse has bolted, it is riding away with the personal information of Australians, and the federal government is not prepared to take any action to halt its progress.
For example, the legislation will not affect the use of information held in a massive database by Axciom containing the personal information of some 15 million Australians. It has been reported that the information was collected from merging personal information obtained from numerous internet sites. It will remain possible to sell that information even though Australian citizens unquestionably did not consent to their personal information being used for that purpose.
The Bill also provides that Privacy Principle 6 – which relates to access and correction of personal information – will not apply to existing databases. Accordingly, any Australian citizens who suffer damage as a result of inaccurate information currently held on them will be unable to do anything about it.
For example, inaccurate information held on a database regarding somebody’s financial affairs could significantly impede that person’s ability to rent a property or even to obtain finance for a business venture. It will also mean that information held in the controversial private criminal history database CrimeNet will not be subject to correction on request. The damage that could be caused to an individual’s reputation by such a database speaks for itself.
The second area of deficiency is in respect to enforcement. While the Privacy Commissioner has power to recommend compensation for privacy breaches, there is no provision in the legislation for civil penalties to be available to punish corporations who engage in particularly serious breaches. If experience under the Privacy Act 1988 – which currently only applies to the activity of Commonwealth departments and agencies – is any guide, Australians can anticipate that any recommendations for compensation made by the Privacy Commissioner will be extremely conservative.
At an individual level, damage sustained because of a breach of privacy can sometimes be relatively minor. For instance, disclosing that somebody has booked a particular movie or play through an online booking agency may have little effect on the reputation of that person. However, such a practice may reflect a far more intrusive and systematic breach of privacy with a considerably greater public impact. In April this year, it was reported that hackers in the United States had extracted subscribers’ phone numbers and login names directly off an ISP's terminal server. Severe penalties should be available to deter organised abuses of privacy of this kind.
A third area in which the legislation is deficient lies in the fact that there is no special treatment of information collected from children. This compares, for instance, to the United States Children's Online Privacy Protection Act 1998 – which requires that operators of commercial web sites and online services directed to children:
- provide parents with notice of their information collection practices;
- obtain parental consent before collecting, using or disclosing personal information about a child, with certain limited exceptions;
- obtain new consent from parents when information practices change in a material way;
- allow parents to review personal information collected from their children;
- allow parents to revoke their consent, and delete information collected from their children at the parents’ request;
- not require a child to provide more information than is reasonably necessary to participate in an activity; and
- maintain the confidentiality, security and integrity of information collected from children.