
Allens Arthur Robinson

Archive 2003

New anti-spam legislation passed

2 December 2003

On Tuesday, 2 December, the Federal Government passed national anti-spam legislation in the form of the Spam Bill 2003 and the Spam (Consequential Amendments) Bill 2003. The anti-spam legislation is designed to tackle the proliferation of unsolicited emails and other electronic messages, such as SMS. While the legislation is unlikely to have much of an impact on the bulk of spam, which originates from overseas, it will have important implications for businesses operating in Australia that engage in direct email and SMS marketing or otherwise offer goods and services over the Internet. Those businesses will need to review their existing compliance programs to ensure they comply with the new legislation as well as their concurrent obligations under the Privacy Act (in respect of mail addressed to individuals).

The Spam Bill includes the following key features:

  • an opt-in regime (based on consent) for commercial electronic messaging;
  • a requirement that commercial electronic messages contain a functioning unsubscribe facility, as well as information about the person who authorised the sending of the messages;
  • a prohibition on electronic address-harvesting software and address lists generated using such software; and
  • a flexible range of civil sanctions, including warnings, infringement notices and court-ordered penalties.

There will be a 120-day grace period after the Spam Bill receives royal assent for businesses to bring their practices into line with the new requirements. This means that businesses should target late April 2004 for compliant practices, assuming a pre-Christmas royal assent.

ACA to set new rules protecting telecommunications customer information

21 November 2003

The Australian Communications Authority (ACA) has announced its intention to establish new rules to protect customer information held by Australia's telecommunications companies.

The rules will form part of an industry standard which aims to clarify how the telecoms industry can make use of customer information. Significantly, the new standard will have a broader application than the existing industry code, as it will cover all producers of public number directories, and not just those who source their data from the Integrated Public Number Database (IPND), the national database containing information on all telecommunications consumers in Australia.

The issue of collecting and using publicly available information such as telephone directories has previously been addressed by the Privacy Commissioner in Information Sheet 17. However, unlike the Commissioner's guidelines, the ACA standard will be mandatory and enforceable under the Telecommunications Act 1997, with the result that telecom industry participants will be required to meet the stricter obligations imposed by the ACA.

The ACA plans to release a discussion paper in the next few weeks, to be followed by a period of public consultation. The new standard is expected to come into effect next year.

New Issues Paper on Residential Tenancy Databases

20 November 2003

An Issues Paper has been released seeking input on the operation of Residential Tenancy Databases (RTDs) in Australia.

RTDs are privately owned, electronic databases that collect information on tenants to assist property managers and landlords to assess risk and identify potential problem tenants. The Issues Paper recognises that RTDs can be a legitimate tool for minimising risk and reducing costs generally in the rental property market. However, there are also issues about whether they are used fairly, maintained accurately and monitored correctly. Hence the operation of RTDs, and their regulation, will be of interest to the real estate industry, tenants, housing organisations, RTD operators, landlords, State and Territory Governments as well as the Australian Government.

A working party consisting of Commonwealth, State and Territory officials as well as the Office of the Privacy Commissioner is to report on the role and operation of RTDs and develop, if necessary, options for a nationally consistent framework of regulation for RTDs. The Privacy Commissioner has encouraged submissions from key stakeholders and the broader community on matters raised in the Issues Paper.

The Issues Paper can be located at http://www.consumer.gov.au/html/latest_news.htm. Submissions can be made to the Treasury until 24 December 2003 (see the Issues Paper for more detail on how to do this).

European Court of Justice rules on identifying people on an internet site

19 November 2003

The European Court of Justice (ECJ) has recently ruled that a Swedish woman who published personal data on her personal web site to give information to her church parishioners breached the European Data Protection Directive (95/46).

The personal data posted on the webpage included the names and phone numbers, as well as the occupations and hobbies, of the woman's fellow church volunteers. Permission had not been sought from any of the parties whose information had been posted. In one case, there was a note about a parishioner who was working only part-time because of a foot injury.

The Swedish Court of Appeal referred a number of questions concerning the interpretation of the Directive to the ECJ.

The ECJ found that the act of referring to various persons and identifying them by name on an internet page constituted the processing of personal data within the meaning of the Directive. Further, this was not an act which amounted to 'personal or household use' of the information so as to fall within one of the exemptions in the Directive.

The ECJ also found that the details of the parishioner's foot injury constituted 'health' information, which is given special protection in the Directive.

The Swedish Court of Appeal had also asked for guidance as to whether the woman's actions breached the Directive's provisions about the cross-border transfer of personal data. The ECJ decided that, given the state of development of the internet at the time the Directive was drawn up, the Directive could not be construed to mean that the loading of data onto an internet page constituted the 'transfer of data to a third country'.

Changes to South Australian surveillance legislation proposed to deal with mobile phone cameras

12 November 2003

A Bill amending the South Australian Listening and Surveillance Devices Act 1972 (SA) (the Act) has been tabled in the South Australian parliament. The Bill aims to address the privacy issues arising from the development and use of surveillance devices such as mobile phones with visual recording, reception and transmission facilities.

The Act currently regulates, among other things, the use of 'listening devices' by prohibiting a person from intentionally using a listening device to overhear, record, monitor or listen to any 'private conversation', whether or not the person is a party to the conversation, without the consent, express or implied, of the parties to the conversation. There is a maximum penalty of a $10,000 fine or imprisonment for 2 years for breach of this prohibition. The Act also contains a prohibition against the communication or publication of any information or material derived from such an improper use of a listening device.

The proposed amendments to the Act will extend these prohibitions in relation to listening devices to include 'surveillance devices' in the context of 'private activities' which are defined as any activity carried on by a person in circumstances that may reasonably be taken to indicate that any party to the activity desires it to be observed only by the parties to the activity, but does not include an activity carried on in a public place or in any circumstances in which any party to the activity ought reasonably to expect that the activity may be observed.

New EU Privacy Regulations

11 November 2003

The Privacy and Electronic Communications (EC Directive) Regulations 2003 (the Regulations) come into force in the UK on 11 December 2003. The Regulations implement the European Commission Privacy and Electronic Communications Directive which was issued on 12 July 2002. These Regulations provide an additional level of privacy protection to that afforded by the UK Data Protection Act 1998 for UK citizens. The new Regulations apply to any person who sends, or instigates the sending of, direct marketing communications to individuals in the UK, other than communications sent directly to companies and employees of companies. However, partnerships and employees of partnerships are protected by the new Regulations as they are not classified as 'corporate subscribers'.

The Regulations cover the use of unsolicited email and text messaging for direct marketing as well as the use of cookies. There is some question over the meaning of 'unsolicited', for example, whether emails sent to a company's existing database of users are unsolicited. The restrictions on sending communications to individuals suggest that even though a customer may request communications from that company, the Regulations will still apply to each communication.

Email and text messaging

In contrast to the opt-out regime of the Data Protection Act, the Regulations impose an opt-in regime on all direct marketing communications.

Direct marketing communications can only be sent to an individual if one of two cases applies.

The first case is where the recipient has notified the sender that he or she consents to receiving an electronic communication sent or instigated by the sender. This may make it difficult for direct marketing companies to 'rent' email lists from other companies (even where the consumer has consented to receiving other offers), since the consent is not being given to the sender, nor is the new message instigated by the original sender who received the consent.

The second case, described as a 'soft opt-in', is where the recipient has a pre-existing business relationship with the sender. Personal information such as email addresses and phone numbers must have been obtained from the recipient in the course of 'a sale or negotiations for the sale of a product or service' to the recipient. This applies to all personal information held about a recipient by the sender, regardless of when it was collected. The content of each communication must be in respect of the sender's 'other similar products and services.' As yet, there is little guidance on what constitute similar products.

In addition to complying with the opt-in procedures, all electronic direct marketing communications must give the recipient the choice of opting out of any further communications. Also, the identity of the sender must not be disguised or concealed. Similar provisions will become a requirement in Australia for bulk electronic communications if the Spam Bill 2003, currently before the Senate, is passed in its current form.

Cookies

Cookies, and other 'spyware' software which can collect information from a user's computer, will be prohibited unless entities disclose to users of a website 'clear and comprehensive information about the purposes of the storage of, or access to, … personal information'. The webhost must also give the user the option of refusing the cookie (or refusing to allow the entity to have access to the information). An additional paragraph in a company's privacy policy may be sufficient to comply with this requirement. The rules will not apply where the cookie is 'strictly necessary' to provide the user with a service that he or she has requested.

Penalties

The Regulations will be enforced by the Information Commissioner of the UK. Sanctions include 'enforcement orders' (to stop an illegal practice) and fines of up to £5000. The Regulations also provide individuals with a cause of action to sue for any damage suffered by reason of the contravention of the Regulations.

Victorian Bill to impact significantly on telemarketing

21 October 2003

Victoria is set to provide new controls on telemarketing agreements (as specifically defined in the legislation) with the introduction of a bill amending the Fair Trading Act 1999. The bill arises out of a report to the Minister for Consumer Affairs which found that, in some cases, consumers can be put under as much pressure to purchase goods and services through telemarketing as they can be through traditional door-to-door sales.

Where the new regime applies, telemarketers will be required to cease negotiations with a person, and not contact that person again for 30 days, upon request from that person. The hours in which telemarketers may call are also to be restricted, barring calls after 8pm on weekdays and 5pm on weekends; calls would be prohibited on public holidays.

The telemarketer must also provide a purchaser with a written copy of any agreement, as well as a notice informing the purchaser of their right to a compulsory cooling-off period of 10 days, within 5 days of making the agreement. A failure to do so will mean that the purchaser has a right to an extended cooling-off period of 6 months. There is also a requirement to get the customer's 'explicit informed consent'.

The rules would be backed up by penalties of up to $24,000 for bodies corporate and will make some non-conforming agreements unenforceable.

The new laws are likely to have a very significant impact on how telemarketers can operate in Victoria.

Privacy Commissioner issues new FAQ for financial advisors

14 October 2003

The Federal Privacy Commissioner has issued guidelines in the form of a FAQ regarding the privacy obligations of financial advisors to their clients when they transfer between financial dealer groups.

The Commissioner emphasised that 'openness' and 'choice' are the two privacy considerations central to a consideration of how to deal with clients' information upon transfer of an advisor. Clients should be made aware of what will happen with their records and they should also be given a choice about whether their personal information should remain with the original dealer group, or whether it should be transferred with the financial advisor to another group. The FAQ from the Commissioner suggests that in order to comply with the National Privacy Principles:

  • advisors and/or dealer groups should write to affected clients and explain the change in business circumstances clearly, explicitly asking clients what they wanted done with their records;
  • it is necessary to explain to clients what would happen to their records if they did not respond to such an inquiry;
  • at least two attempts should be made to contact clients and this would demonstrate, in most circumstances, that a reasonable effort had been made to seek the clients' views; and
  • in some circumstances it may be necessary to publish a notice in a local newspaper.

The FAQ is not law or a ruling, but provides guidance in relation to complying with the NPPs in these circumstances (see http://www.privacy.gov.au/faqs/bf/q10.html).

Government tackles spam

24 September 2003

Senders of unsolicited electronic junk mail (commonly referred to as 'spam') will face tough penalties of up to $1.1m for each day they send messages, if the Government's anti-spam legislation is passed. The Bill was tabled in the House of Representatives on 18 September 2003. Whilst the Spam Bill 2003 is aimed at Australian-originating spam (or spam which otherwise has an 'Australian link'), the Government hopes it will provide an impetus for other jurisdictions, particularly Europe and the US, to take similar measures. The Government says the legislation will be underpinned by a multi-layered anti-spam strategy, including public awareness campaigns, industry codes, international cooperation and promoting anti-spam filters. Although the main penalty provisions prohibit spam, the Bill also regulates the sending of general commercial electronic messages, whether solicited or unsolicited.

The introduction of the Bill follows two public reports on the issue of spam, as well as industry and public consultation.

Notable features of the Bill include:

  • an 'opt-in' (consent based) regime for commercial electronic messaging;
  • a requirement that commercial electronic messages contain a functioning unsubscribe facility as well as information about the person who authorised the sending of the messages;
  • a prohibition on electronic address-harvesting tools; and
  • a flexible range of civil sanctions, including warnings, infringement notices and court-ordered penalties.

The Bill provides limited exceptions for messages sent by Government bodies, registered political parties, religious organisations and charities.

The Internet Industry Association has welcomed the introduction of the Bill but hopes to be able to influence its implementation.

New international resolution on privacy notices approved

18 September 2003

The 25th International Conference of Data Protection and Privacy Commissioners has approved an Australian resolution calling for the development of a new, standardised format for communicating privacy material to individuals.

The conference recognised that organisations collecting individuals' personal information, especially by way of websites and forms, are often so concerned to comply with their privacy obligations that they swamp individuals with privacy-related material. As a result, it is often difficult for those individuals to recognise their key rights with regard to their personal information. The format to be developed is to provide a means for organisations to condense privacy material down to its essentials, while still complying with their legal obligations. The format will also recommend the use of simple, direct and unambiguous language.

The resolution suggests that the format include the following key principles:

  • the name and contact details of the organisation collecting the information;
  • what information is being collected, how it is being collected, and the purposes of collection;
  • whether the information will be disclosed to others and if so, to whom and for what purposes;
  • a summary of individuals' rights regarding access, correction and deletion;
  • the privacy choices that individuals have over the information collected and how to exercise them; and
  • the independent supervisory body to which individuals may complain if they think their rights have been breached.

Further information on the resolution and some interesting background material is available at http://www.privacy.gov.au/news/rescom.html.

Market & Social Research Privacy Code

2 September 2003

The Federal Privacy Commissioner, Malcolm Crompton, has approved a new privacy code for the market and social research industry. The Market and Social Research Privacy Code took effect from 1 September, and was jointly developed by the Association of Market Research Organisations (AMRO) and the Market Research Society of Australia (MRSA).

Although the Code only applies to businesses that are members of AMRO, it will be of broad importance since, according to the MRSA, AMRO-member businesses generate more than 90% of the turnover in the market research industry.

The new Code applies more onerous privacy standards to research organisations that collect information from survey participants than do the National Privacy Principles in the Privacy Act 1988 (Cth). For example, in addition to their other rights, survey participants will be able to opt to have their information de-identified, destroyed or deleted. This is intended to encourage participation in market and social research, by providing a level of assurance for participants that their privacy will be protected. According to the MRSA, market and social researchers wanted to distance themselves from telemarketing organisations in this respect.

While the Federal Privacy Commissioner will handle privacy complaints that are not resolved to the satisfaction of the complainant within 30 days, AMRO will be responsible for administering the Code, and may expel members who do not adhere to it. Subscription to the Code will be a requirement of AMRO membership.

Victorian Attorney-General calls for national taskforce to deal with mobile phone cameras

11 August 2003

Victorian Attorney-General Rob Hulls is calling for a national taskforce to tackle the use of mobile phone cameras and the publishing of indecent photographs of children on websites.

Mr Hulls said that there is a need for urgent work to be done at the national level to stop these emerging privacy issues. The increasing use of mobile phone cameras provides opportunities for the exploitation of children in ways not contemplated by past lawmakers.

The Victorian Attorney General planned to raise both issues at the Standing Committee of Attorneys-General meeting in Canberra, which started on 7 August 2003.

He said that while the Federal Government is working with the internet industry to develop a code of practice to address this issue, there was also a need for a national approach by lawmakers to ensure that the Australian statutes are adequate.

The Victorian Law Reform Commission is currently working on a privacy reference, which includes the need, if any, for controls over the taking and production of photographs in the context of current and emerging methods of surveillance.

Development of an Australian tort of invasion of privacy

16 July 2003

A recent decision of the District Court of Queensland has established the possibility that a tort of invasion of privacy may be developing in Australia. Damages of $178,000 were awarded to the plaintiff, the Mayor of Maroochy Shire Council, against the defendant, an acquaintance who, it was alleged, had stalked and harassed the plaintiff for eight years.

Judge Skoien held that the elements of a cause of action for invasion of privacy would be established if there was:

  • 'a willed act by a person;
  • which intruded on the privacy or seclusion of another;
  • in a manner that could be considered highly offensive to a reasonable person of ordinary sensibilities; and
  • which causes the person ... mental, psychological or emotional harm or distress, or which prevents or hinders the person from doing any lawful act.'

The defendant has lodged an appeal against the decision in the Queensland Court of Appeal.

US do-not-call website

4 July 2003

The US Federal Trade Commission (FTC) launched its national 'do-not-call' registry on 27 June 2003. The aim of the registry is to assist consumers to restrict telemarketing calls at home. Since then, more than 10 million consumers have registered their telephone numbers.

After 10 October 2003, if a telemarketer calls a number listed on the registry, they may receive penalties of up to US$11,000 per call.

The amended Telemarketing Sales Rule (TSR), which created the registry, requires telemarketers to search the registry every three months and to update their call lists accordingly. If a consumer receives a telemarketing call after they have registered their telephone number and it has been in the registry for three months, the consumer can file a complaint with the FTC.

However, some types of calls are exempt from the TSR. For example, charities, political organisations and telephone surveyors are permitted to call consumers. In addition, organisations that have an established business relationship with a consumer can call for up to 18 months after that consumer's last purchase, payment or delivery, and organisations to which a consumer has made an inquiry or submitted an application can call that consumer for three months, unless, of course, the consumer requests the organisation not to. Consumers who place their number on the registry may also give written permission to particular companies that they want to hear from and, in any event, a consumer who does not have their number on the registry can still prohibit an organisation from calling by asking the organisation to put them on its 'do-not-call' list.

Further information about the registry can be found at: https://www.donotcall.gov/default.aspx

The Australian Direct Marketing Association (ADMA) also has a free 'do-not-contact' service. This service allows consumers to have their name and contact details removed from marketing lists used by ADMA members, which include banks, insurance companies, publishers, catalogue and mail order companies and charities. Consumers can opt out of receiving not only telephone calls but also advertising mail, emails and mobile communications from both member and some non-member companies.

Further information about the ADMA service can be found at: http://www.adma.com.au/asp/index.asp?pgid=1999

New UK regulations hit back at cookie monsters

2 July 2003

Following the European Commission's Directive on Privacy and Electronic Communications adopted in July 2002, the UK is expected to implement changes later this year in the law regarding, among other things, the use of cookies. Cookies are small pieces of information placed on a user's computer by most commercial websites, which record information about that user's internet use to help the website tailor the presentation of web content to the user.

Amid privacy fears over their misuse, the new regulations aim to regulate cookies by requiring those who use them to provide internet users with information about how the cookie will be used. Usually this information would be provided along with the website's other privacy statements, although it need not be provided before the cookie is sent. Additionally, the UK regulations require websites to give users at least one opportunity to reject the website's cookie. Websites may be exempt from these requirements where the cookie is technically necessary to facilitate a transmission or an online service requested by the user.

The new regulations will operate in tandem with already existing laws, such as the Regulation of Investigatory Powers Act 2000, the Data Protection Act 1998, and the Computer Misuse Act 1990, and are designed to be technology neutral - that is, they are designed to apply not only to cookies, but also to future means of accessing information on a user's computer.

WA Government proposing new privacy laws

18 June 2003

The WA Government has released a public discussion paper proposing new laws on privacy. The discussion paper is available at http://www.ministers.wa.gov.au, together with a more detailed Policy Research Paper examining approaches to privacy protection nationally and in other Australian states and territories. Public submissions about the proposed new laws can be made until 30 June 2003.

The proposals relate to the collection, storage and use of personal information by WA state and local government agencies and private contractors doing government work and would also cover health information collected by the private sector. WA Attorney General Jim McGinty says the competing goals of keeping personal information confidential, and releasing or sharing information where it is in the public interest to do so, must be balanced.

The key proposals include:

  • a set of principles governing the storage, collection, security, use, disclosure and correction of personal information;
  • creation of an office of Privacy and Information Commissioner for the purpose of administering the new Privacy Act and the FOI Act;
  • creating an individual complaints mechanism; and
  • creating criminal offences for serious, flagrant or repeated violations of information privacy principles or privacy codes.

The WA government's proposals take into account the Gordon Inquiry's findings (relating to family violence in indigenous communities) about coordination and sharing information between Government agencies in order to protect vulnerable people.

Monitoring in the workplace

11 June 2003

The United Kingdom Information Commissioner has published the third part of the Employment Practices Data Protection Code (the Code), 'Monitoring at Work'. The Code is designed to aid compliance with the Data Protection Act 1998 (UK) (the Act) and provides guidance for employers on monitoring employees' internet and email use.

The Act requires that the benefits of monitoring employees outweigh any 'adverse impact'. The Code recommends that this is best determined by an 'impact assessment' that considers, among other things: the purposes behind the monitoring; alternatives to monitoring, or to the type of monitoring suggested; and whether the monitoring is justified. The Code also recommends that an impact assessment consider any likely adverse impact on the employee(s) or others, such as customers, having regard to: the likely intrusion into employees' private lives; the extent to which the employee will be aware of the monitoring; who will see the information; and whether the monitoring will be perceived as 'oppressive' or 'demeaning'.

The Code makes a number of good practice recommendations to ensure compliance with the Act, including that covert monitoring should only be used for suspected criminal activity, where notification would hinder the detection of the activity.

EU considers international data transfers within multinationals

10 June 2003

The EU Data Protection Working Party has noted in its Working Document on Binding Corporate Rules for International Data Transfers that the procedure for international data transfers within multinational corporate groups could be simplified.

The Working Party considered that the complexity of the current procedures regulating transfers outside the EU could inhibit multinational corporations from functioning efficiently.

At present, international transfers of personal data from an EU Member State are only permitted if a Safe Harbour agreement exists with the recipient country, the transfer falls within one of the allowed exceptions (such as where the individual consents to the transfer), or there is an alternative safeguard, such as a binding contract with the recipient.

The Working Party is now proposing a further alternative safeguard that would allow transfers to take place between separate parts of a corporate group where certain binding and enforceable corporate rules are in place. Those corporate rules would include general data protection principles as well as specific requirements to, among other things, guarantee an adequate level of compliance, carry out audits, have complaints procedures, and give data subjects the same rights and remedies as if their data had not left the EU.

Health Privacy Project releases factsheet about US health information privacy requirements

6 June 2003

The US Health Privacy Project (the HPP) is an independent non-profit organisation that aims to increase public awareness of health information privacy issues in the US. The HPP released a factsheet, Myths and Facts about the HIPAA Privacy Rule (the factsheet) on 6 June 2003 to assist health care organisations to comply with the US Standards for Privacy of Individually Identifiable Health Information (the Privacy Regulation).

The Privacy Regulation is a US Federal regulation, issued by the US Department of Health and Human Services, that sets compulsory national standards for the protection of health information. It applies to health plans, health care clearing houses and to health care providers who conduct certain electronic health care transactions.

The factsheet clarifies the operation of the Privacy Regulation. Some interesting extracts include:

  • it is not necessary to obtain consent to transfer a patient's medical records from one doctor's office to another for treatment purposes;
  • health care providers can disclose medical information to a family member, friend or other person identified by the patient where that information is directly relevant to that person's involvement with the patient's care or payment related to that patient's care;
  • in most cases the Privacy Regulation does not mandate any disclosure of patient information, except to the individual patient or to the Department of Health and Human Services for use in certain investigations;
  • the Privacy Regulation permits but does not mandate disclosure of patient information for certain uses including for treatment, payment, health care operations or uses under other applicable laws;
  • aggrieved patients can complain to the Secretary of Health and Human Services, who may impose civil penalties and criminal sanctions, but patients will not be able to sue health care providers directly for non-compliance;
  • use or disclosure of medical information is still permitted for health related marketing; and
  • a health care provider does not have a right to refuse treatment if a patient does not acknowledge receipt of a notice of privacy practices for health related information.

Health care providers and health plans have been required to comply with the Privacy Regulation since 14 April 2003. The Privacy Regulation is available at http://www.hhs.gov/ocr/hipaa/finalreg.html.

Indian privacy laws to be strengthened to encourage outsourcing

3 June 2003

The government of India is proposing to upgrade its data protection laws to encourage US and European firms to outsource business to it.

US and European firms frequently outsource IT-enabled services to India because of its cheap labour costs. However, the European Union's 1995 Data Protection Directive restricts European firms from transferring data to countries with less stringent data protection laws and there are concerns, which are shared in the US, about the level of data security in developing countries such as India.

It is anticipated that the draft legislation, which is being prepared by the Indian Ministry of Information Technology and the National Association of Software and Service Companies, will come into effect within a year.

Report released on Protection of Human Genetic Information

29 May 2003

Following the Federal Government's tabling of the Report on the Independent Review of Part 1D of the Crimes Act 1914 (Cth) in relation to Forensic procedures, the Australian Law Reform Commission (ALRC) and the Australian Health Ethics Committee (AHEC) released their Joint Inquiry Report: Essentially Yours: The Protection of Human Genetic Information in Australia (the Report) on 29 May 2003.

In their Report, the ALRC and AHEC make a number of ethical and regulatory recommendations in respect of the testing and use of human genetic information. Key privacy-related recommendations include:

  • amending s6 of the Privacy Act to define 'health information' to include genetic information about an individual 'which is or could be predictive of the health of the individual or any of his or her genetic relatives';
  • amending 'sensitive information' in s6 of the Privacy Act to include human genetic test information;
  • amending the Privacy Act to ensure that it extends to protection of genetic information held by small businesses;
  • introducing Commonwealth, State and Territory legislation to cover the collection, storage, use and transfer of genetic samples; and
  • amending the Privacy Act to provide individuals and their families with particular rights of access to their genetic samples.

The Report also makes a number of recommendations on harmonising Commonwealth, State and Territory information and health privacy legislation in relation to human genetic information.

The Report is available at http://www.austlii.edu.au/au/other/alrc/publications/reports/96/

Implementation of the European Data Protection Directive

19 May 2003

In a recent report, the European Commission claims that the 1995 Data Protection Directive has generally achieved its goal of protecting citizens' privacy rights while allowing for the free movement of data around the European Union.

However, in its Report on the Transposition of Directive 95/46/EC on data protection, the European Commission also noted that late implementation of the Directive in some Member States had reduced its benefit. Only four Member States, including the UK, implemented the Directive by the October 1998 deadline set by the Directive. The Commission took five other Member States - France, Germany, Ireland, Luxembourg and the Netherlands - to the European Court of Justice in December 1999. Germany, the Netherlands and Belgium implemented the Directive in 2001, and Luxembourg did so in 2002 after the Court found against it. France has still not implemented the Directive, while Ireland has only recently passed legislation aimed at bringing its data protection laws into line with it.

The Report establishes a work plan aimed at improving implementation in the Member States and ensuring greater consistency between Member State legislation. The full Report can be found at: http://europa.eu.int/.

Focus: Consumer Compliance and eCommerce

15 May 2003

As consumers become more aware of their rights under the Privacy Act, it is imperative that financial institutions ensure they comply with their published privacy policies. In April 2003, the Privacy Commissioner investigated two incidents involving the mishandling of customers' financial information. Senior Associate Lorien Beazley reports.

Report on the use of DNA material for law enforcement purposes

15 May 2003

The Federal Privacy Commissioner has indicated his support for the implementation of recommendations contained in the Report of Independent Review of Part 1D of the Crimes Act 1914 (Cth). Part 1D of the Act deals with the way in which DNA can be collected from criminal suspects and then stored and used by all Australian law enforcement agencies to solve crimes. Under the Act, a national database system is established to which the States and Territories can submit DNA profiles of convicted offenders and DNA profiles of samples collected from unsolved crime scenes. DNA taken from a crime scene can then be compared with the DNA profiles held on CrimTrac to find potential suspects, or matched against profiles from other crime scenes.

The States and Territories need their own legislation to implement the processes for collection and submission of DNA profiles to the national CrimTrac database; however, to date, NSW is the only state that has implemented legislation. The Commonwealth legislation is required to underpin the operation of CrimTrac and to ensure that 'the law enforcement agencies will be using DNA in a transparent and accountable way across Australia'.

The terms of reference of the review included review of any issues relating to privacy or civil liberties. The Report made recommendations regarding accountability and external scrutiny of the CrimTrac system and the necessity of involvement of the Privacy Commissioners from each state. 

The Report considered the uses to which DNA information should be put and the sort of information that should be derived from DNA. As not all possible uses of DNA are currently known, the Report recommended that legislation should circumscribe the purposes for which DNA samples can be used. The Report recommended that the legislation specifically exclude the testing of DNA information for the purpose of detecting phenotypically expressed information, including health or medical conditions. The Report also recommended that the legislation prohibit matching against any database that is not regulated by statute for law enforcement purposes. A summary of the Report is available at http://www.privacy.gov.au/news/media/03_4.html.

Section 95 Guidelines review completed

14 May 2003

Guidelines issued under section 95 of the Commonwealth Privacy Act 1988, which concern the use of personal information in medical research (the Guidelines), have been found in a recent review to be generally successful and effective. The joint review was carried out by the Office of the Federal Privacy Commissioner and the Australian Health Ethics Committee, which is constituted under the National Health and Medical Research Council.

The Guidelines operate to assist medical researchers who propose to use personal information, the use or disclosure of which might otherwise be in breach of an Information Privacy Principle under the Privacy Act. The Guidelines do so by providing parameters for Human Research Ethics Committees (HRECs) to review such research proposals with reference to both privacy and public interest considerations.

The review found, among other things, that the Guidelines were a useful resource for HRECs. It also found, however, that there is a need for refinement of the scope of the term 'medical research' and that it is necessary to ensure that HRECs are properly registered under the Guidelines and comply with the National Statement on Ethical Conduct in Research Involving Humans.

The Australian Health Ethics Committee and the Commissioner noted in conclusion that a further review of the Guidelines during 2005, or earlier if the opportunity arose, would be appropriate.

Use of workplace video surveillance cameras may infringe privacy laws

30 March 2003

The Privacy Commissioner of Canada recommended the removal of a company's digital video cameras after finding their use in breach of the Personal Information Protection and Electronic Documents Act. The Act provides that the collection, use and disclosure of personal information is only permissible where a reasonable person would consider the purposes appropriate in the circumstances. Here the purpose was to reduce vandalism and theft, but the following circumstances prevented the method from being reasonable:

  • there had been relatively few incidents of vandalism or theft;
  • there was no evidence the cameras were effective in achieving the purpose;
  • there may have been other ways to achieve the same end; and 
  • there were concerns that the cameras could be used to collect employees' personal information, including conduct and work performance, which could then be used for disciplinary purposes.

Similar arguments may be mounted in Australia subject to the exemption of Acts or practices directly related to current or former employment relationships or employee records.

In Australia, however, we must also consider the question of the various state surveillance statutes (for example, the Workplace Video Surveillance Act 1998 (NSW) and the Listening Devices Act 1972 (SA)) in conjunction with the Privacy Act.

Strong privacy and security policies are required to prevent the inadvertent release of private information

30 March 2003

The Ontario Information and Privacy Commissioner has emphasised the requirement that companies implement and communicate to employees strong policies for the protection and destruction of personal information records after the inadvertent release of a woman's personal health information on the back of real estate flyers. It is uncertain exactly how copies of the records ended up being used as paper for the flyers, but its very occurrence reinforces the need for personal information to be securely kept and destroyed.

83% of spam contains hidden tracking codes

30 March 2003

Research carried out by network security experts Iomart for OUT-LAW.COM, the IT and e-commerce legal service of international law firm Masons, demonstrates that 83% of spam contains tracking codes that allow the senders to record and log the email addresses of anyone who opens the email (or views it in a preview pane before opening it), confirming that the address is live. The tracking code is typically a reference to a remote image whose address is unique to the recipient, so the mail client's request for that image tells the sender which address rendered the message. More spam is then sent to the confirmed accounts. The best protection against increased spam is to delete all spam immediately without viewing it; a mail client that is configured not to load remote images also prevents the tracking request from being sent.
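The following is an added example, not Iomart's methodology or any code from the original article, showing how a mail gateway or client could flag the tracking images described above and neutralise them before rendering. The heuristics (a remote image that is 1x1 or hidden, or whose URL carries an opaque token or the recipient's address) are assumptions chosen for illustration, the token-length threshold is arbitrary, and the sample message, domains and token are constructed for the example.

```python
"""Detect and neutralise tracking beacons ("web bugs") in an HTML e-mail body.

Added example; not from the original article or from Iomart/OUT-LAW.
Heuristics (assumed, not a standard): a remote <img> is suspicious if it is
tiny or hidden, or if its URL embeds an opaque per-recipient token.
"""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, unquote, urlparse

# A query value or path segment of 16+ URL-safe characters is treated as a
# tracking token. Assumed threshold; tune it for the traffic you see.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_\-]{16,}$")


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":  # html.parser already lowercases tag/attr names
            self.images.append({k: (v or "") for k, v in attrs})


def _is_tiny_or_hidden(attrs):
    """0x0 / 1x1 pixels or display:none are classic beacon signatures."""
    w, h = attrs.get("width", "").strip(), attrs.get("height", "").strip()
    if w in ("0", "1") and h in ("0", "1"):
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def _carries_token(url, recipient):
    """True if the URL embeds an opaque token, or the recipient address
    (plain or as a common hash digest)."""
    decoded = unquote(url).lower()
    if recipient:
        r = recipient.lower()
        digests = {hashlib.md5(r.encode()).hexdigest(),
                   hashlib.sha1(r.encode()).hexdigest(),
                   hashlib.sha256(r.encode()).hexdigest()}
        if r in decoded or any(d in decoded for d in digests):
            return True
    parsed = urlparse(url)
    candidates = [v for _, v in parse_qsl(parsed.query)]
    candidates += [seg for seg in parsed.path.split("/") if seg]
    return any(TOKEN_RE.match(c) for c in candidates)


def find_beacons(html, recipient=None):
    """Return [(src, reasons)] for remote images that look like beacons."""
    parser = _ImgCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.images:
        src = attrs.get("src", "")
        if urlparse(src).scheme not in ("http", "https"):
            continue  # inline (cid:) or data: images cannot phone home
        reasons = []
        if _is_tiny_or_hidden(attrs):
            reasons.append("tiny-or-hidden")
        if _carries_token(src, recipient):
            reasons.append("per-recipient-token")
        if reasons:
            findings.append((src, reasons))
    return findings


def neutralise_remote_images(html):
    """Rewrite every remote <img src> to about:blank so that rendering the
    message (including in a preview pane) performs no network fetch."""
    pattern = r'(<img\b[^>]*?\bsrc\s*=\s*["\'])(https?://[^"\']*)(["\'])'
    return re.sub(pattern, lambda m: m.group(1) + "about:blank" + m.group(3),
                  html, flags=re.IGNORECASE)


# Constructed sample spam body; domains and token are invented.
SAMPLE = """<html><body>
<p>Congratulations, you have been selected!</p>
<img src="https://img.example.net/banner.png" width="468" height="60">
<img src="http://track.example.net/o.gif?id=Xk92bQp7zL3mN0vR1sT8" width="1" height="1">
<img src="cid:logo@local" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for src, why in find_beacons(SAMPLE, recipient="alice@example.org"):
        print(src, why)
    print(neutralise_remote_images(SAMPLE))
```

The banner image is left alone by the detector because it is a normal size and has no token, while the 1x1 image with the opaque `id` is flagged on both counts; the `cid:` image is skipped because it is embedded in the message and cannot report back. Neutralising every remote image, not just the flagged ones, is the safer default for untrusted mail, since a beacon need not be tiny or carry an obvious token.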

Microsoft to change its .NET Passport system to protect personal data

1 February 2003

The European Union's Working Party on data protection has recently been working with Microsoft to develop changes to Microsoft's .NET Passport, an online authentication system. Systems such as these allow users who have provided some form of personal identification information to register with participating websites and navigate through them without having to provide further identification or a separate password for each site. The European Commission praised the cooperation of Microsoft, which has agreed to incorporate data protection measures into .NET Passport; users will primarily see these as more information about, and more choice over, what data they provide and what Microsoft will do with it.

Statistical overview

8 January 2003

The Office of the Federal Privacy Commissioner has released statistics on the enquiries and complaints received since the introduction of the new privacy provisions on 21 December 2001. The most significant issue dealt with by the Commissioner has been improper disclosure under National Privacy Principle (NPP) 2.1. Complaints to the Commissioner also focused on refused access (NPP 6.1 and NPP 6.2), direct marketing (NPP 2.1), data quality (NPP 3), data security (NPP 4), unnecessary collection (NPP 1.1), unlawful collection (NPP 1.2) and improper use (NPP 2.1). The majority of complaints were received during February and March this year. Many more enquiries were made over the telephone than in writing. The Commissioner has clearly been active in answering enquiries and resolving complaints during the first year of the legislation's extension to the private sector.