What is privacy?

 
Privacy may be defined as the claim of individuals, groups or institutions to determine when, how and to what extent information about them is communicated to others (Westin AF, Privacy and Freedom New York: Atheneum, 1967, page 7).
 
Privacy is your right to control what happens with personal information about you.
 
In Australia there is no general right to privacy.
 
Some protection is afforded through the operation of certain Federal and State legislation, together with the law of contract, tort and confidential information.
 

Privacy and the Internet

 
The use of the Internet can affect the privacy rights a person has in his or her identity or personal data. Internet use and transactions generate a large amount of personal information which provides insights into your personality and interests.
 
Privacy issues relating to identity include the possible appropriation of a person’s email identity and address.
 
  • Ease of access to and the appropriation of email addresses has led to the practice of sending vast amounts of unsolicited e-mails (spam).
 
  • Identification through email and website transactions and the ability to locate people’s physical addresses easily through national and international directories have raised new privacy concerns.
 
Privacy issues relating to personal data arise from:
  • insecure electronic transmissions,
  • data trails and logs of email messages,
  • online transactions, and
  • the tracking of web pages visited.
 
Privacy invasion issues arise from data matching (the process of wholesale cross checking of data from one source against another source such as tax and social security data) and personal profile extraction processes which use this data alone or in combination with other publicly available data.
 
The first half of Roger Clarke’s article Introducing PITs and PETs: Technologies Affecting Privacy [1] also highlights some of the privacy concerns arising from the Internet and technology generally.

The regulators: Privacy Commissioners

Where?

  • federally (http://www.privacy.gov.au),
  • in NSW (http://www.lawlink.nsw.gov.au/pc.nsf/pages/index) and
  • in Victoria (http://www.privacy.vic.gov.au),
  • but currently not in other states.

Privacy Commissioners have certain responsibilities under relevant Commonwealth and State privacy legislation. Their functions include:
  • handling complaints by individuals who feel their privacy rights may have been breached;
  • assisting governments and private sector bodies (where applicable) to comply with relevant privacy legislation;
  • providing information and advice to the public about their privacy rights; and
  • policy development.
 
More information about the role of the Privacy Commissioners can be obtained from:
  • Federal – http://www.privacy.gov.au/about/index.html
  • New South Wales – http://www.lawlink.nsw.gov.au/pc.nsf/pages/whatwedoindex
  • Victoria – http://www.privacy.vic.gov.au/dir100/priweb.nsf.
 

Public sector Commonwealth legislation

Privacy Act 1988 (Cth)

The Privacy Act 1988 (Cth) [2] embodies eleven Information Privacy Principles (IPPs). Federal and ACT government departments and agencies must comply with these principles.
 
The IPPs prescribe how ‘personal information’ must be handled by an organisation.
 
Personal information under s 6 of the Privacy Act is defined as:
 
 Information or an opinion (including information or an opinion forming part of a database) whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
 
Despite this definition in the Privacy Act, it is not always clear what is ‘personal information’.
 
The general principle is that any information about an individual whose identity is apparent, or can reasonably be ascertained from the information, is ‘personal information’.
 
Where it is possible for information that is not personally identifiable to be easily correlated with information that is personally identifiable, the original information may be viewed as personal information.
 
For example, the Privacy Commissioner may judge an ISP to be in possession of personal information, if that ISP collects information about websites visited by a subscriber. Although the information by itself is not identifiable of an individual, it may be easily correlated with other information initially supplied to the ISP by the subscriber to enable the person’s identity to be established.
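The ISP example above can be checked mechanically. The following is an added illustration, not part of the original notes: it tests whether rows of a web log that names no person resolve to a single subscriber once joined with address-assignment records the ISP already holds. All record layouts, addresses and account ids are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from typing import NamedTuple, Optional


class Lease(NamedTuple):
    """Constructed ISP account record: who held an IP address, and when."""
    ip: str
    start: datetime
    end: datetime
    subscriber: str


class Visit(NamedTuple):
    """Constructed web-log row. It names no person, only an IP and a time."""
    ip: str
    when: datetime
    site: str


def ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


# Constructed sample data (documentation IP ranges, made-up account ids).
LEASES = [
    Lease("203.0.113.7", ts("2003-04-04 08:00"), ts("2003-04-04 12:00"), "acct-1001"),
    Lease("203.0.113.7", ts("2003-04-04 12:00"), ts("2003-04-04 18:00"), "acct-2002"),
]
VISITS = [
    Visit("203.0.113.7", ts("2003-04-04 09:15"), "health-forum.example"),
    Visit("203.0.113.7", ts("2003-04-04 09:40"), "union-news.example"),
    Visit("203.0.113.7", ts("2003-04-04 13:05"), "bank.example"),
    Visit("198.51.100.3", ts("2003-04-04 10:00"), "news.example"),
]


def subscriber_for(visit, leases) -> Optional[str]:
    """Resolve a log row to one account, or None if it cannot be ascertained."""
    holders = {l.subscriber for l in leases
               if l.ip == visit.ip and l.start <= visit.when < l.end}
    # Dynamic addresses are reused, so the IP alone is ambiguous; IP plus
    # timestamp normally resolves to exactly one account.
    return holders.pop() if len(holders) == 1 else None


def profiles(visits, leases):
    """Group sites by the account each row links to; unlinkable rows go under None."""
    out = defaultdict(list)
    for v in visits:
        out[subscriber_for(v, leases)].append(v.site)
    return dict(out)


def linkable_share(visits, leases) -> float:
    """Fraction of log rows that resolve to an identifiable account."""
    hits = sum(subscriber_for(v, leases) is not None for v in visits)
    return hits / len(visits)


if __name__ == "__main__":
    print(profiles(VISITS, LEASES))
    print(f"{linkable_share(VISITS, LEASES):.0%} of log rows are linkable")
```

A holder of both data sets can use the linkable share as a data-classification signal: any row that resolves to an account falls within the correlation scenario described above.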
 
More information about the IPPs can be gained from the Office of the Federal Privacy Commissioner’s Guidelines to the IPPs. [3]

Private sector business must comply with the Act as follows:

 
  • credit providers and credit-reporting agencies must comply with credit reporting rules in the Act and in the legally binding code of conduct dealing with credit rating information of individuals;
  • all organisations that store and use tax file number information must comply with tax file number guidelines issued by the Privacy Commissioner (s 17 Privacy Act).
 
There are other obligations of private sector bodies generally after 2001 (see below).
 

Private sector Commonwealth legislation

Privacy Amendment (Private Sector) Act

The Privacy Amendment (Private Sector) Act 2000 (Cth) [4] (PSA) took effect on 21 December 2001.
 
The PSA establishes 10 National Privacy Principles (NPPs) as the minimum privacy standards for the private sector.
 
The NPPs deal with the same main issues as the IPPs:
    • collection,
    • use,
    • disclosure,
    • storage and
    • security of information and
    • rights to access this information.
 
They do, however, differ slightly from the IPPs to reflect the different issues that operate in a commercial environment, such as provisions relating to direct marketing.
 
The NPPs require organisations to allow individuals to deal with them anonymously provided this is lawful and practicable.
 
For example, this would require electronic road toll systems and payphone providers to provide an anonymous payment option such as cash or prepaid cards.
 
Personal information for the purposes of the NPPs has the same definition as is used in the public sector, contained in s 6 of the Privacy Act. Apart from their application, the major difference between the IPPs and NPPs lies in NPPs seven and eight.

NPP Guidelines

With the advent of this new law directed at the private sector, the Office of the Federal Privacy Commissioner (OFPC) has released the National Privacy Principle Guidelines (the NPP Guidelines). [5]
 
The advisory Guidelines give an indication of the factors the Commissioner may take into account when handling a privacy complaint, while also providing organisations with further information on how to comply with the NPPs.
 
The OFPC has also published numerous information sheets about specific NPPs to further aid organisations in complying with this legislation. [6]

PKI Guidelines

The Office of the Federal Privacy Commissioner has also released Guidelines relating to the use of Public Key Infrastructure in relation to Government handling of personal information. [7]

Health

The Commissioner has other privacy responsibilities arising under the National Health Act 1953.
 
In light of the sensitivity of health information, the Commissioner has also released Guidelines on Privacy in the Private Health Sector to aid health organisations in complying with relevant privacy legislation and standards. [8]  

Electronic medical records

NSW HRIPPA backflip?
 

Application of the NPPs

 
As of 21 December 2001, private sector organizations (defined to include partnerships, trusts and individuals) will be required to comply with the NPPs unless they have in place a code of practice approved by the Privacy Commissioner.
 
The Commissioner will not register codes that provide a lower level of privacy protection than what is provided by the NPPs (see http://www.privacy.gov.au/business/codes for more information about Privacy Codes).

Exemptions:

Small business operators

  • Small business operators with an annual turnover of $3m or less. To qualify, an entity must:
      • have an annual turnover of $3 million or less;
      • not be related to a business with an annual turnover of greater than three million dollars;
      • not provide a health service and hold health records;
      • not disclose personal information about an individual for a benefit, service or advantage;
      • not provide a benefit, service or advantage to collect personal information; or
      • not be a contracted service provider for a Commonwealth contract (even if the entity is not a party to the contract).

Media organizations ‘in the course of journalism’

  • Acts done or practices engaged in by media organizations ‘in the course of journalism’: This phrase is not defined and is intended to apply to all media regardless of its mode and method of delivery. Internet news site providers will be exempt from the legislation.

Employee records

  • Employee records where the organisation is or has been an employer of the individual in question and the act or practice is directly related to:
      • a current or former employment relationship between the employer and the individual, and
      • an employee record held by the organisation and relating to the individual.
 
Employee record is defined and includes:
  • health information,
  • personal and emergency contact details,
  • the employee’s membership of a professional or trade association and
  • the employee’s taxation, banking or superannuation affairs.
 
This appears to be a subset of the items that might exist on an employee’s employment record. Great care should thus still be taken with employee records.

Contract with a State or Territory

  • Acts and practices of organisations performed in relation to a contract with a State or Territory instrumentality where that contract involves handling personal information. Such acts and practices will be covered by State or Territory privacy standards.

Members of Parliament

  • Various further exemptions exist for members of Parliament and others in relation to practices relating to elections or referendums.

Complaints and enforcement

 
Complaints about infringements of privacy rights can be made to the Privacy Commissioner who has discretion to investigate or take other action.
 
The remedies available under the Privacy Act vary significantly from those in the various State jurisdictions.
 

The Privacy Commissioner has the power to:

  • investigate a complaint made to the Privacy Commissioner;
  • investigate a complaint that a code adjudicator has referred to the Privacy Commissioner;
  • hear appeals from a decision of a code adjudicator;
  • investigate all complaints made about a federal Government contractor;
  • investigate an act or practice that may be a breach of privacy (even if no complaint has been made);
  • seek an injunction from the Federal Court to restrain or prohibit a person from engaging in conduct that does or would breach the Privacy Act. No undertaking as to damages is required if application is made by the Commissioner; and
  • make a determination that the complainant is entitled to a specified amount by way of compensation for any loss or damage suffered by reason of the breach of privacy (ss 52(1) and 55A Privacy Act). The loss or damage includes injury to the complainant’s feelings or humiliation suffered by the complainant. Whilst such a determination of the Commissioner is not binding or conclusive between any of the persons involved, the complainant or the Commissioner may subsequently initiate proceedings in the Federal Court to obtain an order enforcing the determination.

Appeal?

 
No appeal to a court or tribunal on the merits is available from decisions of the Privacy Commissioner.

Other Commonwealth laws concerning privacy

Spent Convictions

The Commonwealth Spent Convictions Scheme came into force on 30 June 1990 under the Crimes Act 1914 (Cth) [9]. The scheme entitles a person to not disclose (if requested) certain criminal convictions after ten years (or five years in the case of juvenile offenders) and provides protection against unauthorised use and disclosure of this information. It covers minor convictions for federal, state and foreign offences. The protection varies according to the type of offence. The scheme also covers pardons and quashed convictions.

Data Matching

The Data Matching Program (Assistance and Tax) Act 1990 (Cth) [10] regulates the way tax file numbers are used in matching data held by the Australian Tax Office with data supplied by applicants for social security benefits and other forms of financial assistance.

National Health Act

Under the National Health Act 1953 (Cth) [11], the Commissioner is required to issue guidelines covering the storage, use, disclosure and retention of individuals’ claims information under the Pharmaceutical Benefits Scheme and the Medicare program.

Telecommunications Act

The privacy of telecommunications is regulated by the Telecommunications Act 1997 (Cth) [12] (and the Telecommunications Interception Act 1979 (Cth) [13]).

State and Territory privacy laws: New South Wales

Privacy and Personal Information Act

The Privacy and Personal Information Act 1998 (NSW) [14] sets up the NSW Office of the Privacy Commissioner [15] and confers on the Commissioner powers concerning research, advice and handling complaints about breaches of privacy.
 
The NSW Information Privacy Principles (IPPs) are similar to the Federal IPPs.
 
They apply to the NSW public sector and include an obligation for the development and implementation of Privacy Management Plans. These standards regulate the way public sector agencies deal with personal information.

NSW Privacy Commissioner

The NSW Privacy Commissioner may investigate and conciliate complaints about breaches of privacy by organisations and individuals who are not public sector agencies.
 
In NSW there is a merits review of certain decisions of the Privacy Commissioner to the NSW Administrative Decisions Tribunal.
 
The NSW Privacy Commissioner’s website provides a detailed overview of the Privacy and Personal Information Act 1998 (NSW) and the IPPs. [16]

Health Records and Information Privacy Act

The Health Records and Information Privacy Act [17] provides privacy protections for medical information.

State and Territory privacy laws: Victoria

Information Privacy Act

The Information Privacy Act 2000 (Vic) [18] creates the office of a Privacy Commissioner in Victoria. [19]
 
The Commissioner may undertake research and monitor developments in data processing and computer technology (including data matching and data linkage) to ensure any adverse effects on personal privacy are minimised.
 
The Act sets out its own set of 10 Information Privacy Principles. These are almost identical to the federal NPPs which apply to the private sector but in Victoria apply only to the public sector.
 
An individual or organisation whose interests are affected by a decision of the Privacy Commissioner to serve a compliance notice may apply to the Victorian Civil and Administrative Tribunal for review of the decision.

Surveillance Devices Act

The Surveillance Devices Act 1999 (Vic) [20] regulates data surveillance devices and their use by law enforcement officers.

Health Records Act

The Health Records Act 2001 [21] establishes privacy protections for medical information.

State and Territory privacy laws: Queensland

 
It is expected that Queensland will introduce state privacy legislation within the next five years. Currently, Queensland has an administrative privacy regime based on Queensland Information Standard 42 – Privacy. [22] This standard applies to all Queensland Government agencies and while it does not have the full force of law it seems to have achieved widespread compliance. The core of IS42 is a set of Information Privacy Principles which mirror the Commonwealth IPPs.

Other State privacy legislation

 
There are various other State and Territory provisions which deal with listening devices, health records and credit reporting agents but these are dated and have little application to privacy issues arising on the Internet. There is however legislation regulating data surveillance devices in the Northern Territory (Surveillance Devices Act 2000).

Other relevant laws

 
The laws of nuisance and breach of confidence may sometimes be used to provide a remedy for invasions of privacy of personal information. Actions for defamation and breach of copyright may also be relevant in certain circumstances.

Nuisance

The law of nuisance may provide limited scope for protection against intrusive information collection practices:
  • Nuisance is a remedy against unreasonable intrusion upon the enjoyment of land.
  • Telephone harassment constitutes an action in nuisance and a breach of the tort of intentional infliction of emotional distress (Khorasandjian v Bush [1993] 3 WLR 476).
  • Automatic video surveillance of a Sydney backyard has also been held to be an actionable nuisance (Raciti v Hughes [1995] NSWSC, unreported 19 Oct 1995, Young J).
  • If email is shown to be an integral part of the enjoyment of the home (similar to the telephone) harassment by email may constitute a nuisance. Currently (as at 4 April 2003) in the United States the California Supreme Court is faced with the issue of deciding whether excessive emailing by a third party to a company’s internal email system can constitute a trespass to goods (see Howard Mintz, ‘Ex-Intel worker's case goes to high court’ The Mercury News [23]).

Breach of confidence

An action for breach of confidence can be used to protect personal information if the required elements of the action are present.
  • The information imparted must be confidential and imparted in circumstances imposing an obligation of confidence.

  • Whether a confidential relationship between an individual and an organization can be established will depend on the terms of the relationship (generally in contract).

  • The terms of a website’s privacy policy may indicate the nature of the relationship.
  • Confidence is not breached where the unauthorised disclosure is made in the public interest. The defence requires the court to balance the public interest in maintaining confidentiality against the public interest in disclosure.

Non-legislative measures to protect privacy:

Privacy seals

Many sites now carry a privacy seal of approval issued by an operator of an online seal program. ‘TRUSTe’ seals are the most widely used. [24] The use of the seal on the site indicates that the operator claims to have met a series of privacy requirements that are mandated by the organisation providing the seal. In the case of TRUSTe, it signifies the site operator has agreed to comply with ongoing oversight and consumer resolution procedures based on the US Federal Trade Commission principles.

Privacy seals have no legal effect. They simply indicate to visitors that privacy representations made by a website are backed by a third party.

Privacy statements on websites

 
The Privacy Amendment (Private Sector) Act 2000 (Cth) requires organisations to set out their policy on personal information management in a publicly available document. Every organisation that collects personal information is required to have a privacy policy. Organisations must take ‘reasonable steps’ to advise any person who asks what sort of personal information it holds, for what purposes and how it collects, holds, uses and discloses that information.
 
Privacy policy statements need to be accurate and reflect the actual practices of the organisation. If not, legal action may be taken under trade practices legislation for misleading and deceptive conduct. It is important not to leave out significant facts as silence can also be construed to be misleading or deceptive.

Anonymity tools

 
Different approaches to anonymity exist. There are cloaking technologies such as Pretty Good Privacy or suites of software such as Freedom Security & Privacy Suite [25] that claim they can provide untraceable encrypted email and anonymous browsing and chat. Some of these technologies have created concern for law enforcement agencies but currently would not of themselves be illegal in Australia. Other examples of anonymity tools include ECash and anonymous remailers (see Roger Clarke’s Introducing PITs and PETs: Technologies Affecting Privacy [26]).
 
Another online identity protection option is the use of intermediary-operated services in the data transfer process. Each intermediary is only aware of the identity of the intermediary that it directly receives data from or directly transfers data to, and the system is such that it is unable to track the data originator or receiver.
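The intermediary chain described above can be simulated in a few lines. This is an added illustration, not part of the original notes: the sender wraps the message in one encrypted layer per relay, and each relay can open only its own layer. The relay names, the per-relay shared keys and the toy SHA-256 stream cipher (standing in for real authenticated encryption) are assumptions made for the example.

```python
import hashlib
import json
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); encrypts and decrypts.
    A stand-in for real authenticated encryption, not for production use."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def wrap(route, keys, recipient, message: bytes) -> bytes:
    """Sender side: build one encrypted layer per relay, innermost first."""
    next_hops = route[1:] + [recipient]
    payload = message
    for relay, nxt in reversed(list(zip(route, next_hops))):
        layer = json.dumps({"next": nxt, "payload": payload.hex()}).encode()
        nonce = os.urandom(16)
        payload = nonce + keystream_xor(keys[relay], nonce, layer)
    return payload


def peel(relay_key: bytes, packet: bytes):
    """Relay side: remove own layer, learn only where to forward the rest."""
    nonce, body = packet[:16], packet[16:]
    layer = json.loads(keystream_xor(relay_key, nonce, body))
    return layer["next"], bytes.fromhex(layer["payload"])


def deliver(sender, route, keys, recipient, message: bytes):
    """Run the packet through the chain, recording what each relay observes."""
    packet, previous, seen = wrap(route, keys, recipient, message), sender, {}
    for relay in route:
        nxt, packet = peel(keys[relay], packet)
        seen[relay] = (previous, nxt)   # the relay's entire view of the path
        previous = relay
    return seen, packet


# Constructed names and keys for the demonstration.
ROUTE = ["relay-a", "relay-b", "relay-c"]
KEYS = {name: os.urandom(32) for name in ROUTE}

if __name__ == "__main__":
    seen, delivered = deliver("alice", ROUTE, KEYS, "bob", b"hello")
    for relay, (came_from, goes_to) in seen.items():
        print(f"{relay}: received from {came_from}, forwards to {goes_to}")
    print("delivered:", delivered)
```

No relay's view contains both endpoints, but the last relay handles the message body in the clear unless the sender also encrypts it for the recipient.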
 
In the above article Clarke draws attention to the inherent problems anonymity technologies create for law enforcement agencies. He notes that complete anonymity – while favouring individual freedom – may tip the balance towards creating an environment where e-crime could prosper. In response to this concern, some commentary advocates the use of ‘pseudonymity’ measures: where very substantial privacy protections are provided for individuals' identities, but where those protections may be breached when particular conditions are fulfilled.
 

[1] http://www.anu.edu.au/people/Roger.Clarke/DV/PITsPETs.html
[2] http://scaletext.law.gov.au/html/comact/6/3324/top.htm
[3] http://www.privacy.gov.au/publications/index.html
[4] http://scaletext.law.gov.au/html/comact/10/6269/top.htm
[5] http://www.privacy.gov.au/publications/nppgl_01.html
[6] http://www.privacy.gov.au/publications/index.html
[7] Privacy and Public Key Infrastructure: Guidelines for Agencies using PKI to communicate or transact with individuals, http://www.privacy.gov.au/publications/pki.doc
[8] http://www.privacy.gov.au/publications/hg_01.html
[9] http://scaletext.law.gov.au/html/pasteact/0/28/top.htm
[10] http://scaletext.law.gov.au/html/pasteact/0/445/top.htm
[11] http://scaletext.law.gov.au/html/pasteact/0/173/top.htm
[12] http://scaletext.law.gov.au/html/pasteact/2/3021/top.htm
[13] http://scaletext.law.gov.au/html/pasteact/0/464/top.htm
[14] http://www.austlii.edu.au/au/legis/nsw/consol_act/papipa1998464
[15] http://www.lawlink.nsw.gov.au/pc.nsf
[16] http://www.lawlink.nsw.gov.au/pc.nsf/pages/generalinfo
[17] http://www.austlii.edu.au/au/legis/nsw/consol_act/hraipa2002370
[18] http://www.austlii.edu.au/au/legis/vic/consol_act/ipa2000231
[19] http://www.privacy.vic.gov.au
[20] http://www.austlii.edu.au/au/legis/vic/consol_act/sda1999210
[21] http://www.austlii.edu.au/au/legis/vic/consol_act/hra2001144/
[22] http://www.governmentict.qld.gov.au/02_infostand/standards/is42.pdf
[23] http://www.corpwatch.org/article.php?id=6208
[24] http://www.truste.org
[25] www.freedom.net
[26] http://www.anu.edu.au/people/Roger.Clarke/DV/PITsPETs.html