One World. One Firm. Connected.

1
One World. One Firm. Connected.
2
Privacy

• Tim Dixon
• Baker McKenzie Sydney
• Chair, Australian Privacy Foundation
• National Scholarly Communications Forum Round
  Table on Privacy
• August 9 2002

3
Overview

• What privacy is about
• How privacy is protected under Common Law
• Different models of privacy legislation
• Privacy in Australia
• Privacy legislation in the electronic age

4
Privacy has become a significant human rights
issue

• Privacy is an important issue to consumers
• Increasingly, Australians expect that their
  privacy should be respected by any organisation
  they deal with
• Consumers especially dislike intrusive marketing
  practices and sharing of personal information

5
New insights into the extent of privacy concerns

• Privacy Commissioners Community attitudes
  research project July 2001
• Around 9 in 10 people want control of their
  personal information
• 42 have refused to deal with a business because
  of privacy concerns
• 14 say they have refused to deal with government
  agencies
• Most sensitive information is financial details
  (59), income (42), health (25)

6
(No Transcript)
7
Global framework

• Australia is one of the last industrialised
  countries to implement privacy law
• Privacy is recognised in international human
  rights instruments
• ICCPR, UN Declaration of Human Rights
• 1980 OECD Guidelines
• European Convention on Human Rights, EU Directive

8
Changing legal context of privacy in Australia

• No general right of privacy
• Privacy Act 1988 has covered Commonwealth
  agencies since 1989
• Privacy Amendment (Private Sector) Act 2000 came
  into effect December 2001
• general coverage of private sector and
  non-government organisations
• New state privacy laws in Victoria and NSW
• coverage of universities

9
Privacy Amendment (Private Sector) Act 2000

• Applies to organisations, defined broadly
• Covers the handling of personal information (ie
  identifying or potentially identifying
  information) in a record that is not generally
  available
• Requires compliance with National Privacy
  Principles

10
Important caveats!

• Anything authorised by law almost always
  overrides privacy principles
• Law enforcement activities override privacy
  principles
• Privacy agencies are generally not well funded
• Broad exemptions exist
• Enforcement powers are limited

11
Enforcement

• Allows for development of industry codes
• Complaints go to Privacy Commissioner (or to code
  administrator)
• PC can review a code authority decision
• Variety of measures available, including
  unlimited monetary compensation
• Most complaints likely to be resolved without
  payouts

12
A look at the National Privacy Principles

• Please note
• These are general principles
• There are lots of exceptions
• There are lots of references to what is
  reasonable and practicable
• There is a long history of interpreting privacy
  principle overseas which will avoid absurd
  outcomes

13
NPP 1 Collection

• Organisations must inform individuals of their
  information practices when they collect personal
  information
• Collection must be lawful and fair and not
  unreasonably intrusive
• Collection should be from the individual and not
  a third party

14
NPP 2 Use and disclosure

• Information should only be used for a secondary
  purpose if
• the individual gives consent, or
• the use is related to the primary purpose of
  collection and it is within the reasonable
  expectations of the individual

15
NPP 3, 4 Data quality and security

• Information must be kept accurate, complete and
  up to date
• Organisations must take reasonable steps to keep
  information secure
• Organisations should de-identify information if
  there is no reason to maintain identifiable
  information any longer

16
NPP 5 Openness

• Organisations must have a privacy policy
• Privacy policy must explain how the organisation
  manages personal information
• The policy must be made available on request

17
NPP 6 Access and correction

• Organisations must allow individuals access to
  their personal information and a right to correct
  it
• Exceptions for
• frivolous or vexatious requests
• it relates to a commercially sensitive decision
  making process
• several other situations

18
NPP 9 Transborder data flows

• Information should only be transferred overseas
  if
• the individual consents, or
• the information is protected by contract or law,
  or
• the transfer is necessary to perform a contract,
  or
• other exceptional conditions apply

19
NPP 10 Sensitive information

• Special provisions apply to a class of sensitive
  information
• eg information relating to union membership,
  health, sexual preference, religious belief
• Individual consent, legal requirement or other
  exceptional conditions are required before this
  information is collected

20
The future

• Privacy will be to the information economy of
  the next century what consumer protection and
  environmental concerns have been to the
  industrial society of the 20th century.
• Marc Rotenburg, Director,
• Electronic Privacy Information Centre (US)