Roger Clarke's Web-Site
© Xamax Consultancy Pty Ltd, 1995-2016
|Identity Matters||Other Topics||Waltzing Matilda||What's New|
Review Draft of Chapter 5, pp. 119-148, of Wright D. & deHert P. (eds.), `Privacy Impact Assessment', Springer, 2012
Version of 30 September 2010
Roger Clarke **
© Xamax Consultancy Pty Ltd, 2010
Available under an AEShareNet licence or a Creative Commons licence.
This document is at http://www.rogerclarke.com/DV/PIAsAust-11.html
Privacy impact assessment (PIA) has a long history in Australia, and some degree of maturity has been achieved. This chapter provides historical background to privacy laws in Australia and the emergence of PIAs as a tool of government and business. It then evaluates the available guidance documents and indicates likely directions of future development.
Privacy laws in Australia are in the process of being significantly weakened. As a result, merely complying with privacy laws will provide organisations with no assurance that their schemes will be acceptable to citizens and consumers. PIAs are therefore highly likely to assume increasing importance, as government agencies and corporations alike seek understanding of how to avoid negative media coverage and public opposition.
In Australia, assessments of the privacy impact of new projects can be traced back to about 1990. The momentum has been markedly greater since about 2000, and several guidance documents exist.
The purpose of this chapter is to review the development of PIAs in Australia, and the adequacy of the guidance documents published by Australian government agencies. In order to set the scene for that analysis, it is first necessary to clarify the features of PIAs as the term is used in this chapter.
The term privacy impact assessment (PIA) is used to refer to activities of widely varying scope. A number of definitions of the term were catalogued in Clarke (2009).
In a guidance document published in 1998, this author defined a PIA as "a process whereby the potential impacts and implications of proposals that involve potential privacy-invasiveness are surfaced and examined" (Clarke 1998a, 1998b). Those documents made clear that the scope was much more than an audit of compliance with the law, and that the activity needed to address all dimensions of privacy. Consultation was described as being central to the process: "The objectives of a PIA cannot be achieved if the process is undertaken behind closed doors. In a complex project applying powerful technologies, there are many segments of the population that are affected. It is intrinsic to the process that members of the public provide input to the assessment, and that the outcomes reflect their concerns".
The term is used in this chapter in a manner that sustains the key elements identified in 1998, and precludes narrow interpretations of the nature of mere legal compliance checks:
Privacy impact assessment (PIA) is a systematic process that identifies and evaluates, from the perspectives of all stakeholders, the potential effects on privacy of a project, initiative or proposed system or scheme, and includes a search for ways to avoid or mitigate negative privacy impacts
In Clarke (2009), distinctions were drawn between a PIA and several other business process methods. These features are presented in revised form in Exhibit 1.
These features are reflected in the sections below that outline the history of PIAs in Australia and provide critiques of the available guidance documents.
This section focusses on the conduct of privacy impact assessments, with consideration of PIA guidance documents for the most part deferred until later. The development path can be usefully separated into the periods before and after 2000. The third sub-section summarises the position in 2010 in each of the nine jurisdictions of the federation together with the complex situation in non-government sectors.
The earliest activity in Australia that has been identified as being of the nature of a PIA was the 'program protocol' required from 1990 onwards by the Data-Matching Program (Assistance and Tax) Act and expressed in Schedule 1 of the Act. These requirements were specific to the so-called 'Parallel Data-Matching Program' (Clarke 1994).
Generic guidelines for data matching programs, which also had a program protocol at the core, were published subsequently (OAPC 1992). The most recent revision was in February 1998, so they have remained unrevised for over a decade. The generic guidelines were not, and still are not, in any way binding on the agencies that conduct them. The next activity that has been located is an April 1993 strategy devised by this author as part of a consultancy assignment for a smartcard-based loyalty scheme for Card Technologies Australia Ltd (subsequently re-structured as the NASDAQ-listed Catuity Inc.).
The earliest mention of the term 'PIA' found in Australian sources appears to be a 1995 acknowledgement by the Telecommunications Industry Ombudsman that PIAs had a role to play (referred to in Dixon 1997). Articles published by the Deputy New Zealand Privacy Commissioner in the Australian Privacy Law & Policy Reporter provided a stimulus to developments (Stewart 1996a, 1996b). In mid-1996, Stewart organised a discussion session on PIAs in Christchurch (Flaherty 2000). See also NZPC (1997) and Stewart (1999).
Also in 1996, this author conducted assignments for the Australian Commission for the Future in relation to smartcard-based payment schemes generally, and for MasterCard International's smartcard-based electronic cash trial (whose international pilot was run in Canberra). Soon afterwards, a call was made by a research group, the Communications Law Centre, for PIAs to be conducted in relation to "any new system, technology or practice which may affect personal privacy" (Dixon 1997). The call invoked Stewart's publications, Flaherty's work in British Columbia, and the Australian Privacy Charter (APC 1994).
During 1998, this author undertook further assignments relating to patient data linkage by the N.S.W. Health Commission, the then-emergent Australian Business Number and Register, and a proposed multi-purpose smart identification card for Centrelink. On the basis of the experience accumulated to that point in time, descriptions of the PIA process were published at lesser and greater depth, in Clarke (1998a, 1998b).
The tempo picked up from this time onwards. As indicated in Waters (2001), "there [was] nothing particularly new or radical about PIAs -- just a new name for a technique of assessment which privacy regulators and consultants have been performing for years. It is essentially just a systematic appraisal of the privacy implications of a new proposal. Some appraisals are limited to assessing compliance with specific privacy rules or standards, but others range more widely over all privacy issues of concern to affected individuals, whether or not they are currently subject to privacy law". A hard-copy collection of 'Approaches, Issues And Examples' was published as Stewart (2001), and a further paper appeared as Stewart (2002).
In December 2001, the then federal Privacy Commissioner, Malcolm Crompton, issued guidelines relating to a specific category of projects, which included a recommendation that a PIA be performed (OAPC 2001). Although non-binding, those guidelines have been heeded in a number of subsequent projects performed by government agencies. By 2003, the Commissioner had submitted to a Parliamentary Committee that "Commonwealth agencies [should] be required to undertake privacy impact assessments at the beginning of the development of new proposals and initiatives involving the handling of the personal information of the Australian community. These assessments should be published ..." (OAPC 2003, pp. 19-20).
As further discussed below, the Commissioner's Office developed draft PIA Guidelines during 2003-04, and, following a consultation period, published them (OAPC 2006). During their launch in August 2006, the then Attoney-General (Phillip Ruddock) said that "as a matter of good business practice, I strongly encourage government agencies to use the guide to assist them in playing a larger role in promoting privacy compliance" (AG 2006). This was reinforced in April 2007, when the head of the Attorney-General's Department wrote to all agency heads in relation to privacy issues generally, extolling the benefits of using PIAs early in the project life-cycle (interview with OAPC, 2007).
During the period 2004-2010, PIAs became a mainstream activity among a range of Commonwealth government agencies, but use of the technique remains much more muted in other contexts. The following section provides a summary of the situation.
Australia is a resource-rich nation that occupies the world's largest island and/or smallest continent. It has a population of 22 million people, who live primarily in urban areas, and primarily around the eastern seaboard. The country is a federation - the Commonwealth of Australia, formed in 1901 - which comprises one national and eight subsidiary geographical jurisdictions. There are 6 States (whose formation as colonies occurred between 1788 and 1851), and 2 Territories (which were given self-government by Commonwealth statutes in 1978 and 1988). Each of the nine Crowns is empowered to regulate its own public sector. However, the Commonwealth Parliament retains the power to over-ride the Territory Parliaments, and has occasionally done so, relevantly in relation to euthanasia laws.
For the purposes of privacy law, a tenth context needs to be recognised - the non-government sectors. A major component is 'the private sector' comprising for-profit business enterprises - including corporations, unincorporated businesses including sole traders, partnerships and trusts, and many cooperatives. There are also a great many not-for-profit organisations, large and small - including charities, associations, clubs, unions, political parties and some cooperatives. The third non-government segment is the public. The privacy impact of the behaviour of individuals has become much more significant as their ability to electronically publish information emerged in the mid-1990s through web-sites, and exploded from 2000 through blogging, then social networking services and since about 2005 micro-blogging ('tweeting').
Under the Australian Constitution, the non-government sectors are subject to aspects of both Commonwealth law and the laws of the States and Territories. In relation to some sectors and activities, one is clearly relevant and the other clearly not; but in a number of contexts there is considerable uncertainty as to which law would prevail in the likely event of conflict between laws.
The following sub-sections provide brief overviews of each of the ten contexts, including the size and nature of the jurisdictions, the history and status of privacy law, and the situation in 2010 relating to PIAs. The analysis incorporates and updates ICO (2007) and Clarke (2008), and reflects Clarke (2010a).
The Commonwealth public sector is subject to the Privacy Act 1988, which embodies in s. 14 the Information Privacy Principles (the IPPs), and which created the Privacy Commissioner and the Office of the Australian Privacy Commissioner (OAPC). From the viewpoint of privacy advocates, it was a weak instrument, but somewhat better than nothing at all. With the passage of time and of a vast fleet of subsequent laws that over-ride the protections it provided, it has atrophied into a very weak instrument.
Most of the functions of the Privacy Commissioner are specifically limited to information privacy, in particular as defined by the Privacy Principles in the Privacy Act. However, seven of the 24 are expressed openly, and empower and require the Commissioner to consider all dimensions of the privacy of individuals, not merely the privacy of personal information. These functions are the examination of proposed enactments (s.27(1)(b)), research into IT (c), provision of advice (f), examination of proposals for data matching or data linkage (k), educational programs (m), reports and recommendations (r), and anything incidental or conducive to those six functions (s). The first four Commissioners during the two decades from 1989 to 2010 largely avoided the exercise of these functions outside the narrow realm of privacy of personal data as limited by the Privacy Principles.
A further consideration is occasional hints that a tort of privacy might emerge. However no court of any consequence has ever handed down a significant decision. A Law Reform Commission Report recommended a common law right of action (ALRC 2008), but the media wilfully misrepresented the proposal as an attack on freedom of the press, and neither the current nor any future Government appears to have the capacity to withstand media assaults; so the chances of a right of action emerging remain very low.
In APF (2010a), a considerable array of laws is identifed, which provide incidental protections for various aspects of privacy. See also the OAPC's web-site.
The notion of a PIA emerged in 1990, and PIAs and PIA guidance documents were apparent under that name from 1998 onwards. A PIA guidance document published by the Privacy Commissioner (OAPC 2006, 2010a) has had considerable influence, and is discussed in the following section.
A central agency, the Australian Government Information Management Office (AGIMO, cf. GCIO) conducted PIAs on the succession of sub-projects conducted within the then Australian Government Authentication Framework (AGAF) program (since re-named the Government eAuthentication Framework - NeAF), and urged conduct of a PIA at critical points within smartcard projects. Centrelink conducted a multi-phase PIA relating to speaker authentication. In addition, at least some Divisions within a range of Commonwealth Government agencies have undertaken PIAs, including the Attorney-General's Department, the Australian Bureau of Statistics (ABS) and the Departments of Health and of Human Services (DHS). Lists of exemplars are to be found in Appendix E within ICO (2007, pp. 15-17).
The Commonwealth public sector provides a particularly telling example of how the mis-handling of the PIA notion can be extremely costly (APF 2007). In April 2006, the then Coalition Government committed $1 billion to the development of an Access Card scheme. The two most senior project executives promptly resigned, citing privacy, information security and accountability concerns. Many independent commentators, experts, newspaper-editors and letter-writers expressed similar concerns.
A PIA was prepared by consultants (although it appears to have actually been a Privacy Issues Analysis), but it was suppressed. A Consumer and Privacy 'Taskforce' was announced on 24 May 2006, whose effect, and presumably intention, was to shield the Minister and the agency from contact with privacy advocates. The Taskforce released an Issues Paper, held public briefings, and delivered a report in November 2006, some of which appeared to be strongly expressed. But it made extremely weak recommendations. Despite that, the Minister simply rejected the recommendations that did not fit to his agenda.
The privacy advocacy community continued to be held at distance from the agency. In March 2007, however, a Senate Committee Report (SFPAC 2007) was scathing, recommending withdrawal of the Bill, substantial changes, and re-submission of the complete package of legislation. This was highly exceptional in that the Government Senators joined in the attack, along with the Opposition and minor parties. The Bill was allowed to lapse, and after the election in November 2007, the incoming Labor Government closed the still-large office.
Estimates of the public funds wasted were in excess of $50 million, but this appeared to exclude the substantial costs associated with the hundreds of staff who had been assembled. Private sector costs also ran into many tens of millions, because scores of companies had responded to several very large tenders, but only (relatively) small preliminary consultancy contracts were ever let. The many misconceptions inherent in the project would have been detected at an early stage if the agency had conducted a first-phase PIA and engaged with civil society.
Constitutional powers in relation to non-government organisations are somewhat complex. The Commonwealth has enacted in respect of the for-profit and not-for-profit sectors generally - but with exemptions for and associations. The States and Territories appear to have generally accepted that jurisdictional claim. Some States and Territories have, however, passed privacy law in respect of particular activities, particularly the health care sector, which intersects and may conflict with the federal law.
The credit reporting sector nationwide was subjected to specific provisions enacted in 1989. They are contained in ss. 18A-18B and Part IIIA (ss. 18C-18V) of the Privacy Act. Ever since their enactment, these provisions have been the subject of lobbying by the monopoly credit reference company and the financial services sector. The pleas had met with very limited success. The ALRC's 2008 Report, however, gifted the industry an opportunity to at last achieve its desires. If the industry is successful in having the provisions changed, the level of intrusiveness into personal data, and the amount of harm caused by errors in the industry, can both be expected to leap.
In 2000, the for-profit and not-for-profit sectors nationwide were brought under the Privacy Act through changes embodied in the Privacy Amendment (Private Sector) Act 2000. This created in Schedule 3 the National Privacy Principles (the NPPs), which are significantly different from the IPPs that apply to the Commonwealth public sector. The Privacy Commissioner's limited oversight powers apply to this segment of the Act as well. The NPPs are much longer than the public sector IPPs (3300 words cf. 1600 words). This is because government agencies can, and frequently do, override the IPPs through legislation that they ask their Minister to put before Parliament, whereas the private sector has less direct access to the Parliament and hence demanded that a vast array of privacy-invasive practices be authorised as part of the NPPs.
During the decade following 2000, there was considerable unrest among consumers about electronic marketing practices. Consultative processes conducted by the Department of Communications resulted in regulation firstly of unsolicited email by the Spam Act 2003, and secondly of unsolicited tele-marketing calls by the Do Not Call Register Act 2006. The Do Not Call Register attracted more than 200,000 registrations in the first 24 hours it was open, passed 2 million registrations within the first six months, and stood at 5 million in mid-2010, even though the law exempts categories of organisations widely regarded as abusing the medium, including charities, researchers and politicians.
In the telecommunications sector more generally, the Telecommunications Act and the Telecommunications (Interception and Access) Act include provisions relating to security and privacy. The privacy-protective aspects of these laws are utilised much more effectively by the Telecommunications Industry Ombudsman (TIO) and the Australian Communications and Media Authority (ACMA) than by the Privacy Commissioner (ACCAN 2010).
A range of additional provisions apply in particular non-government contexts, and fall outside or at the boundary of the Privacy Commissioner's purview. Victoria, NSW and the ACT all have laws specifically relating to health care data, and it is far from clear to what extent each of the conflicting laws applies to any given activity by any given organisation. The confusion may not be of much consequence, however, because there are very limited sanctions, and little or no enforcement is undertaken.
A further area of conflict of laws is outsourced service providers to State and Territory governments, and public-private partnerships. Toll-road operators have blatantly played the federal and state Commissioners off against one another. Despite formal complaints, the Commissioners have steadfastly avoided resolving the question of which privacy laws and which principles apply.
Relevant laws are identified in APF (2010a), and on the OAPC's web-site.
The OAPC's purview includes both the public and the non-government sectors, and its Guide has been relevant to corporations since it was first published in 2006. Amendments in 2010 were designed to make clearer the Guide's applicability to business enterprises (interview, 2010).
PIAs have been conducted in the for-profit and not-for-profit sectors, but are still not widespread. Few have been widely publicised, and the author is aware of no published reports. Areas in which projects are known to the author to have been conducted include toll-roads, transport ticketing, consumer eCommerce applications and participant authentication in health records systems. Coles-Myer was reported in 2006 as having applied the IPPs to a project to produce a data warehouse relating to retail customers. Given the range of organisations whose operations are seriously privacy-invasive, the PIA notion has a long way to go.
N.S.W. is a State of c. 800,000 sq.km. (20% larger than France). It has a population approaching 7 million, almost 75% of whom live in the Newcastle-Sydney-Wollongong conurbation. Its Parliament suffers the lowest repute of the nine in Australia, and its government agencies are widely regarded as being large bureaucracies of at best modest competence. Reforms are few, and proceed very slowly.
The Privacy Committee Act 1975 (NSW) created a complaints-investigation and research organisation of broad scope. That statute was rescinded in 1998, when the Privacy and Personal Information Protection Act (PPIPA) was prepared by the bureacracy for the bureaucracy and passed by the Parliament. It embodies a set of Information Protection Principles in ss. 8-19. It created a Privacy Commissioner and an Office, Privacy NSW. The law is perhaps the least privacy-protective of such statutes anywhere in the world, and the Commissioner perhaps the weakest.
A N.S.W. Health Records and Information Privacy Act was passed in 2002. It affects both public and private sector organisations active in the N.S.W. health care sector. Despite its highly permissive nature, it was inconvenient to the conduct of a major trial of electronic health records in the Hunter Valley called HealtheLink so the Government simply suspended the inconvenient Principle. Privacy protections in N.S.W. are nominal rather than real.
Relevant laws are identified in APF (2010a), on the Privacy NSW web-site, and on the OAPC web-site.
No guidance document has ever been published for NSW government agencies, despite statements of intention that date from about 2004, and supportive submissions to Parliamentary Committees and the ALRC. Privacy NSW has advised that it is aware that a few agencies have conducted PIAs (interview, 2007). Despite this, and mention in various discussions of PIAs in the health and education spheres, no evidence of any PIA report or process has ever been located.
Victoria is a State of c. 230,000 sq.km. (about the same as the U.K.). It has a population of 5 million, 75% of whom live in the capital city, Melbourne.
In 2006, Victoria became only the second Australian jurisdiction to provide a degree of generic protection of human rights in the form of the Charter of Human Rights and Responsibilities Act. Under s.13, "a person has the right (a) not to have his or her privacy, family, home or correspondence unlawfully or arbitrarily interfered with; and (b) not to have his or her reputation unlawfully attacked". The statutory protection is very weak, however, and it is not clear that it has had, or ever will have, any effect on privacy-invasive behaviour.
The Information Privacy Act was drafted by a Data Protection Advisory Council formed by the Minister for Multimedia in 1996. (The author of this paper was a member of that Council). Despite a change of Government in the meantime, the Bill was passed virtually unchanged in 2000. It is a straightforward implementation of the OECD Guidelines, and the approach is therefore dated but mainstream. It established a set of Information Privacy Principles, and a Privacy Commissioner and Office, referred to as Privacy Victoria or OVPC.
The Victorian Health Records Act was passed in 2001. This includes a set of Health Privacy Principles which is highly permissive of data disclosures. The law is administered by the Health Services Commissioner (HSC). The law encompasses both public and private sector organisations active in the Victorian health care sector.
A further, highly specialised Office was created by the Commissioner For Law Enforcement Data Security Act 2005 to address the public disquiet about rampant leakage of personal data from Victoria Police records. The Commissioner (CLEDS) has powers relating to management practices for law enforcement data.
Relevant laws are identified in APF (2010a), on the OVPC web-site, and on the OAPC web-site.
The Privacy Commissioner has published two editions of a PIA guidance document (OVPC 2004, 2010). This is examined in a later section.
AWAITING CLARIFICATION FROM VicHSC
The application of the PIA Guide in the health care sector is unclear. HSC's site provides no guidance in relation to PIAs in the health care sector, and does not point to the OAPC's Guide.
It is understood that only a small number of PIAs have been performed by Victorian government agencies, that few have been notified to the Commissioner, and that not only have there been almost no PIA Reports published, but most have been conducted in secrecy. Informally, it is understood that a PIA was performed in relation to a pilot health smartcard scheme, but the project as a whole did not proceed to implementation.
The only published documents appear to be those relating to a student database and identifier project conducted by the Department of Education & Training (DET). A preliminary report was published in 2006, citing a Privacy Issues Analysis performed by this author in 2005, followed by another in 2007 and finally VicDET (2010). However, these were not PIAs as the term is properly used, but merely data protection law compliance checks.
Queensland is a State of c. 1.8 million sq.km (equivalent to Spain, France, Germany and Poland combined), ranging from lush coastal lands via rich agricultural country to semi-desert. It has a population of 4 million, of whom about 55% live in the Brisbane-Gold Coast-Ipswich conurbation.
Despite various Parliamentary reports, generic privacy legislation and a statutory privacy protection body took a very long time to emerge. From 2001 to 2010, unenforceable codes existed in the form of Government Standards 42 (QGCIO 2001a), and 42A (QGCOI 2001b) for the Department of Health. The Standards reflected the federal National Privacy Principles (i.e. those applicable to the private sector nationally), and applied to almost all agencies excluding local government. A small Privacy Unit existed within the Department of Justice and Attorney-General. It is unclear whether and if so to what extent the Standards and the Unit influenced agency practices.
An Information Privacy Act was passed in 2009. This created an Information Commissioner, and, subordinate to that role, a Privacy Commissioner. The first Privacy Commissioner was appointed in May 2010.
Relevant laws are identified in APF (2010a), and on the OAPC web-site.
The Privacy Unit declared in 2005-07 that it was developing a PIA guidance document. A newsletter in December 2005, at that time available on the privacy.qld.gov.au web-site, stated that "[a] Privacy Impact Assessment (PIA) Annotated Questionnaire has been piloted in some Queensland Government agencies in relation to proposed programs and initiatives. Work continues on the questionnaire in relation to expanding use of the PIA process to assess proposed legislation or legislative amendments. PIA guidelines will be available in February 2006 as a decision-making and privacy assessment tool complimentary [sic] to the PIA annotated questionnaire". Further issues of the newsletter in March and December 2006 stated that documents were "in the final drafting stage and will be made available online shortly". No copy of them has ever been located. The last available copy of the page in the Internet Archive in July 2008 suggests that the document may never have been released. In any case, it is apparent from the web-page that the process was a mere standards compliance check, not a PIA.
At some time during 2010, the old domain of privacy.qld.gov.au was deleted, and visitors redirected to the Office of the Information Commissioner's site. The existing documents were not transferred, and appear to have been simply withdrawn, without a transition period to the new regime.
Slow emergence of the PIA concept was apparent, however. An obscure document of the Government CIO stated that "The implementation of classification processes will have security and privacy implications and a privacy impact assessment should be conducted when any new business processes are being developed, or during the modification of business process to ensure the privacy principles are followed" (QGCIO 2008, p. 56). However, the concept remained limited to compliance with the then Standard 42/42A, and no evidence has been located to suggest that any agency ever took any notice of the CIO's exhortation.
Some months after the effective formation of the new ICO, there was no information on the web-site concerning PIAs. The Privacy Commissioner was understood, however, to be placing priority on the development and publication of a guidance document (interview, 2010).
It is understood that a PIA was performed for the Department of Transport in relation to the proposed smartcard-based driver's licence, but it appears not to have been published. No evidence has been found of any other Queensland government agency having performed a PIA on any project or initiative.
Western Australia is a State of c. 2.3 million sq.km (and is the second-largest sub-national entity in the world, to the Sakha Republic, i.e. Western Siberia). It is the size of two-thirds of Russia west of the Urals, or close to Spain, France, Germany and the whole of Scandinavia combined. Most of it is desert or semi-desert. It has a population of about 2 million, about 75% of whom live in the capital city, Perth.
The State has no generic privacy laws, and it appears that no agency has ever had any substantive function that approximates to a privacy oversight role. Relevant laws are identified in APF (2010a), and on the OAPC web-site.
The Office of eGovernment has, however, recognised the risks that privacy-invasiveness entails for the adoption of electronic forms of government service delivery. A PIA was conducted in relation to a proposed whole of government employee identifier (WA-DPC 2007), following a Privacy Issues Analysis by this author (WA-DPC 2005, pp. 84-91).
No evidence has been found of any other PIA being performed in Western Australia.
South Australia is a State of c. 1 million sq.km (equivalent to France, Germany, Belgium and The Netherlands combined), most of it arid or semi-arid. It has a population of 1.5 million, over 70% of whom live in the capital city, Adelaide.
The State has no generic privacy laws. Relevant laws are identified in APF (2010a), and on the OAPC web-site.
A Cabinet Administrative Instruction (SADPC 1989) established a set of Information Privacy Principles and requires agencies to comply. Although nominally binding, it is unclear by what means and by whom it could be enforced. A Privacy Committee of S.A. exists, under proclamation of Government. It is run out of the State Records Office, and appears to have no budget. Moreover, its primary function appears to be to approve exemptions to the non-statutory principles. It is unclear whether the Instruction applies to local government.
The documents of the Privacy Committee of S.A. make no substantive reference to privacy impact assessment. The Executive Officer of the Committee advised that the South Australian Government does not have a centralised program for Privacy Impact Assessment (Interview, 2007). However, "the Privacy Committee, supported by State Records, does use a rudimentary questionnaire for programs that require Privacy Committee approval, exemption from the Information Privacy Principles, or require consideration of complex personal information handling issues. It is a working document that is adapted to suit the situation at hand. It may be formalised later, and adopt components from other jurisdictions' structured PIAs".
The Department of Health Code of Fair Information Practice (SADOH 2004) makes reference to a PIA methodology tool. Health and the Department of Families and Communities are understood to have mandated PIAs for use in the early planning stages of projects involving personal information (interview with the Privacy Committee, 2007). The PIA Guidelines are broader than information privacy alone, but the PIA Proforma is limited to the Information Privacy Principles. Searches on the web-sites do not locate the documents, however, and it is unclear whether any use has been made of them.
The only evidence found of any S.A. government agency having performed a PIA on any project or initiative was a 1-line mention in a 157-page report on a S.A. Vaccine Safety Data Linkage Project (SAVeS).
Tasmania is an island State of c. 90,000 sq.km (much the same as Portugal, and twice the size of Switzerland). Much of the island is mountainous and forested. It has a population of close to 0.5 million, about 40% of whom live in the capital city, Hobart.
The Personal Information Protection Act 2004 came into effect on 5 September 2005. It applies to the public and local government sectors and the University of Tasmania. The Act is a weakened form of the OECD model. It did not create a statutory office responsible for privacy matters, nor did it assign such responsibilities to any existing agency.
A complaints-handling function was created, and assigned to the Ombudsman. The practice in the State has been to consolidate all forms of review in the Ombudsman's Office, including freedom of information (FOI), police and health matters. The Ombudsman has no powers to enforce decisions. The privacy powers are not mentioned on the Ombudsman's home-page. The Annual Reports are almost devoid of substantive information about privacy, and mentions of privacy on the web-site are apparent only well down the menu-hierarchy.
Relevant laws are identified in APF (2010a), and on the OAPC web-site.
The sole mention of the expression 'PIA' that has been located was a mis-use of the term in a report on a consultation process relating to a highly privacy-intrusive proposal for checking people working with children and other vulnerable people.
The Australian Capital Territory (ACT) was formed in 1911 by transfer of the area from the State of N.S.W. It was required to govern itself by the Australian Capital Territory (Self-Government) Act 1988. It has a well-educated and high-income urban population of about 320,000.
The A.C.T. is one of only two jurisdictions in Australia that has enacted a Bill of Rights - the Human Rights Act 2004. In s.12, the Act provides people with a right to not have their privacy, family, home or correspondence interfered with unlawfully or arbitrarily. The Act is administered by a Human Rights Commissioner (HRC), who has a small staff. There is nothing on the HRC's site to suggest that privacy is seen as a significant element of its responsibilities. The law and the Office adopt the weakest possible approach to the protection of human rights, and they have to date had no detectable impact on privacy protection in the Territory.
A decade before the Human Rights Act was passed, the Territory chose to adopt the Commonwealth Privacy Act 1988. OAPC is supposed to perform the functions of an ACT Privacy Commissioner, but there is little evidence of anything actually being done.
In 1997, the ACT enacted a Health Records (Privacy And Access) Act, which applies to organisations in both the public and private sectors.
Relevant laws are identified in APF (2010a), and on the OAPC web-site.
There is no evidence that the Privacy Commissioner has ever communicated the existence and relevance of its Guide to A.C.T. agencies. There is no mention of the A.C.T. on the OAPC's web-site, and there is no mention of the Guide on the A.C.T. government's web-site.
No evidence was found of any A.C.T. government agency having performed a PIA on any project or initiative. There are many projects for which a PIA would be appropriate. In addition to the government handling a great deal of personal data relating to its residents generally, the Department of Corrective Services prepared to impose continuous RFID-based tracking on prisoners in its facility, without any form of PIA. (However, it appears that the project fell victim to budgetary constraints).
The Northern Territory (NT) was part of the colony of South Australia until 1901, after which it became a Territory of the Commonwealth of Australia. It was granted self-government by the Northern Territory (Self-Government) Act 1978. NT is c.1.4 million sq.km (about the same as Portugal, Spain, France and Germany combined). It is mostly desert or semi-desert, and has a population of 200,000, about one-third indigenous, a big proportion of whom are widely and very thinly dispersed. About 50% of the population lives in the capital city, Darwin.
In 2002, the Northern Territory implemented the Information Commissioner model by means of the Information Act. This was a pragmatic approach to cost-minimisation in administering a tiny population scattered across a vast area. The architect of the statute had been deeply involved in the preparation of the Victorian Information Privacy Act, and the privacy aspects of the N.T. statute are accordingly a clean and practical application of the (now badly dated) OECD 1980 provisions. The Act created a single statutory post of Information Commissioner, covering both FOI and privacy functions. The same appointee has since had added to their functions the role of Commissioner for Public Interest Disclosures (Whistleblowers).
Relevant laws are identified in APF (2010a) and on the OAPC web-site.
No written guidance has been provided to agencies concerning PIAs. However, the Commissioner encourages agencies to discuss matters with the OIC, and some success has been achieved in this area. A 'Tip of the Day' during Privacy Awareness Week in May 2010 suggested conducting a PIA "if your workplace is planning a major project", and pointed to the Commonwealth and Victorian PIA Guides.
No evidence was found of any NT government agency having performed a PIA on any project or initiative. The OIC was involved in discussions about an initiative referred to as 'Territory Services' (Interview, 2007). This was considering a common shopfront as a way to reduce the number of government offices and consolidate citizen-facing resources. Because this had significant privacy implications, the Commissioner recommended that a PIA be performed, and provided the team developing the initiative with copies of the Australian and Victorian PIA Guidelines.
Under s.160 of the Act, a review is required after 5 years, which might have extended to PIA matters. The first review is more than 2 years overdue, however, and there is no evidence of commencement.
The preceding section has shown that the Commonwealth public sector - which is responsible for a great many of the inherently most privacy-invasive systems in the country - is the sole context in which significant progress has been made. Much more limited progress has been made in the private sector and in Victoria. In the other seven jurisdictions, the conduct of PIAs is at least muted and in many cases non-existent. In those jurisdictions, the performance of parliaments and central government agencies alike has been severely lax, reflecting the sub-professional standard of public services in some States and Territories and/or the low priority accorded by public servants to people's privacy.
The conduct of a PIA is, however, non-obvious and non-trivial. Guidance is necessary, to assist organisations to achieve the benefits and avoid the pitfalls. Guidance documents emerged in various countries from the early 1990s onwards, as traced in Clarke (2009). The first set published in Australia were by this author (Clarke 1998a, 1998b). Guidance documents were subsequently published by two privacy oversight agencies in Australia, in one case (OVPC 2004, 2009) intended specifically for the agencies of a single State, and in the other (OAPC 2006, 2010a) for agencies of the Commonwealth government, for organisations in the non-government sectors, and perhaps for agencies of the ACT government.
The purpose of this section is to consider the two available guidance documents that have been published by privacy oversight agencies. It commences by providing an overview of a set of evaluation criteria, and then applies that set to the guidance documents published by the OVPC and the OAPC.
In Clarke (2010b), a set of criteria for PIA guidance documents is proposed, and applied to a dozen documents published by agencies in ten countries. The criteria are listed in Exhibit 2. The cited paper provides a detailed discussion.
The following sub-sections apply the above criteria, and identify the strong and weak aspects of the two Guides published by Australian oversight agencies.
In 2004, the Victorian Privacy Commissioner published a 'Privacy Impact Assessment Guide' (OVPC 2004). The Australian Privacy Foundation expressed serious reservations about it, stating that "the document may be a guide for Privacy Law Compliance Audit, but not for Privacy Impact Assessment" (APF 2005, p. 2). In 2009, the Commissioner published a significantly amended version (OVPC 2009). An assessment of the 2009 version against the criteria outlined in Exhibit 2 gives rise to the following observations.
There is no formal requirement to conduct a PIA, but the Guide exists, is readily discoverable, and reflects both the human rights and privacy laws that apply to Victorian government agencies. It is comprehensive, extending beyond legal requirements to encompass public concerns and implications for all dimensions of privacy. It stresses the importance of public consultation. It adopts a checklist approach, but the checklists incorporate advice on the process needed to satisfy the requirement.
The Privacy Commissioner has communicated the existence of the PIA Guidelines through its network of privacy officers in government agencies, conducted training sessions, and mentioned the PIA Guidelines in various presentations. It is understood that the Department of Justice used the Guide as a basis for a practical document suitable for practitioners in the Department's organisational sub-units. This appears to have been one of the stimuli for the upgrade of the Guide in 2009.
There are some limitations. At several points, it would be feasible for an agency to interpret a PIA as being a Report, rather than as a process. The Guide contemplates the possibility of a PIA being conducted by an independent organisation such as a consultancy. This would have the effect of shielding the agency from the relevant public, and prevent assimilation of information by the agency's executives and staff. The Guide lacks visibility in the health care sector, which is subject to a separate Commissioner who appears to place no emphasis on PIAs.
Despite these qualifications, (OVPC 2009) represents one of the three most comprehensive and practical guidance documents available in any jurisdiction, anywhere in the world, along with ICO (2007a) and MBS (1999).
The potential impact of this guidance document is very substantial, because it applies to the large federal public sector - which is the source of a large number of proposals that are inherently highly privacy-intrusive - to the non-government sectors throughout Australia, and in principle at least to the A.C.T. public sector. There are accordingly benefits in tracing the considerable history behind the current, 2010 version.
In December 2001, the then Australian Privacy Commissioner, Malcolm Crompton, issued 'Guidelines for Agencies using PKI to communicate or transact with individuals' (OAPC 2001). Public Key Infrastructure (PKI) is the means whereby digital signature schemes are supported. Guideline 3 stated that "Agencies should undertake a Privacy Impact Assessment before implementing a new PKI system or significantly revising or extending an existing PKI system" (p. 29). A PIA was depicted as "a method of identifying privacy risks so that these can be highlighted and addressed when ... systems or ... business applications are being designed, implemented, revised or extended. A PIA may be part of a larger risk assessment and management procedure. Properly done, this assessment will include an understanding of which parties will bear what risks" (p. 35).
Throughout the world, the extent of implementation of PKI schemes has fallen far below the inflated expectations of the mid-to-late 1990s, for reasons explained in Clarke (2001). On the other hand, many of the government projects involving PKI that have been conducted in Australia have taken at least some account of the OAPC's document.
Work on general PIA Guidelines during Crompton's period as Privacy Commissioner culminated in the release by his successor, Karen Curtis, of a draft for public consultation in 2004. The Guide was based on considerable research into the experiences of and guidance provided in other jurisdictions, particularly New Zealand, Canada and Ontario, and on experience within Australia. It was published in final form two years later (OAPC 2006).
Under the current statutory regime, the performance of a PIA is not mandatory. However, the Commissioner's communications with agencies and the private sector in relation to schemes that have privacy implications routinely contain segments of text along the following lines: "The Office suggests that a privacy impact assessment be undertaken as part of the further development of the proposal. The Office has released a Privacy Impact Assessment Guide for Australian Government and ACT Government agencies" (interview with OAPC, 2007).
During 2006-07, the Guide attracted 23,000 hits and downloads (interview, 2007), and it quickly became common for Requests for Tender for consultancy support for PIAs to explicitly require that the Guide be at least reflected, and in many cases complied with. On the other hand, many agencies do not yet perform PIAs as a matter of course, even for projects with significantly privacy-invasive features.
In 2010, a lightly-revised version of the Guide was published (OAPC 2010a). This was intended to be more obviously applicable to the private sector as well as government agencies (interview, 2010). An assessment of the 2010 version against the criteria outlined in Exhibit 2 gave rise to the following observations.
PROVISIONAL PENDING RESPONSE FROM OAPC:
The OAPC's Guide scores reasonably well against many of the criteria outlined earlier in this paper. It is process-oriented and practical, and indicates the need for broad scope.
There are, however, some weaknesses that result in it being a less appropriate basis for conducting PIAs than the Victorian Guide, the UK Handbook and the Ontario Guidelines. Most critically, although it recognises the significance of the views of the affected public, it fails to provide clear advice on how to treat them as stakeholders, lacks practical advice on consultation processes, and fails to mention advocacy groups as a means of gaining an appreciation of the views of the relevant public.
The Guide is strongly problem-oriented (frequently mentioning 'impacts' and 'issues'), but creates only limited momentum towards solutions - the word 'solution' only appears twice, the concept of avoidance only four times, and the concept of mitigation not at all.
It is entirely feasible to interpret the Guide as requiring an assessment of broad scope, and some PIAs conducted using it have extended beyond information privacy, and beyond extant data protection law. Unfortunately, narrow interpretations are also possible, and some agencies have performed what they have called 'PIAs', but which were no more than checks of compliance with the Information Privacy Principles. Examples include a cut-down Privacy Impact Checklist published by the Department of Defence (DoD 2008), a Report by Medicare (2009), and a Report for the Attorney-General's Department (AG 2009).
Further concerns are that there appears to be no web-page that explains PIAs, why a guidance document has been published, and who it is for. In addition, the document is not as easy to find within the Business sub-site as would be desirable. Even within the document, there is only weak encouragement for agencies and corporations to apply the Guide.
It appears quite possible that more PIAs - as the term is used in this paper - have been performed in Australia than in any other country. On the other hand, the vast majority of them have been performed in the federal public sector, and there remain some shortfalls even in that context. The evidence presented in the preceding sections shows inadequate application of the excellent Victorian Guide, significant shortfalls in the non-government sector, and abject failure in the other seven Australian jurisdictions. This section considers the prospects for improvements.
There is substantial in-principle support for the conduct of PIAs among privacy oversight bodies. For example, a submission by Privacy NSW to a Committee reviewing N.S.W. legislation stated that: "We believe that PIAs are the best means by which government agencies can aim for best privacy practice as well as legislative compliance. It is our submission that ideally, a PIA would be a statutory requirement for any new Bill, regulation, or project significant enough to require Cabinet consideration" (NSWPC 2004, p. 31). No progress has been made within NSW, but the Office's submission to the ALRC review was emphatic: "Privacy legislation should make it mandatory for all Commonwealth agencies and private organisations to provide and publish Privacy Impact Assessments (PIAs) for all new programs, policies and draft legislation which impacts on the handling of 'personal information'" (NSWPC 2007, p. 12).
Similarly, the Northern Territory Commissioner's submisson to the ALRC on the matter said that "The preferred approach would be to allow the [OAPC] to consider the need for a privacy impact assessment, discuss the issue with the agency, and direct that an assessment be undertaken if necessary" (NTOIC 2007, p. 25). The Victorian Privacy Commissioner submitted to a Senate Inquiry into DNA that "It is essential to conduct a Privacy Impact Assessment before biometrics are introduced" (OVPC 2005, p. 4).
In Victoria, the scope exists for the application of the Privacy Commissioner's clear and helpful guidance document more assiduously, and far more frequently, than has been the case in the past. Further impetus could arise from a review of inappropriate arrangements for the passing of personal data from Victoria Police to various organisations (CLEDS 2010): "The Commissioner [for Law Enforcement Data Security] highlights the need for Victoria Police to undertake an Information Sharing Risk Assessment - made up of a proportionality assessment, a Privacy Impact Assessment, a security Threat and Risk Assessment and a Human Rights Impact Assessment - for all major information sharing initiatives".
The Victorian document is visible to privacy oversight and central agencies in other jurisdictions. In Queensland, the Privacy Commissioner appointed in mid-2010 is understood to regard publication of a guidance document as a priority (interview, 2010), although whether it will achieve any greater application than the phantom guide of some years earlier is unclear. The other jurisdictions, however, show no signs of overcoming their torpor. There appears to be no commitment in N.S.W. (which is culpable, given that it is the largest State), nor in the A.C.T. In the Northern Territory, resource-constraints hinder the performance of PIAs. In Western Australia, South Australia and Tasmania, there appears not even to be any prospect of meaningful privacy laws.
A further spectre hangs over privacy protection in the States and Territories. As discussed below, the ALRC recommended the creation of a single set of 'Unified Privacy Principles' (UPPs), and their adoption in all jurisdictions. As is explained below, these will be a lowest common denominator, and much weaker than the strongest of the provisions that are currently in place. Compliance checks in 5-10 years' time will likely be against very weak legal requirements.
During the period 2005-10, the tenure of Karen Curtis, the OAPC was markedly close to government and business, and hostile to civil society. Among many other deficiencies, Curtis undermined the Office's independence by entering into Memoranda of Understanding (MoUs) with particular agencies. The Office accepted funding from those agencies in return for the performance of a fundamental function of the Office under s.27(1)(f): "to provide ... advice to [an] agency ... on any matter relevant to the operation of this Act". Advice provided to agencies has been unpublished, and unavailable to civil society. Advocacy organisations were kept at arm's length by both OAPC and the agencies that the Office consulted with.
Moreover, such PIA processes as the Office induced agencies to undertake were generally conducted behind closed doors and excluded public participation, or an intermediary was introduced in order to buffer the agency from the public and public interest advocates. The OAPC's guidance document has many good features, but if they are not even respected by the oversight agency that issued them, they are unlikely to gain any currency among agencies more generally.
The organisation is in transition from an independent Office to a subsidiary segment of the Information Commissioner's Office (ICO). With effect from November 2010, many functions of the Privacy Commissioner are functions of the Information Commissioner. The ICO's perspective is much broader and there is a considerable risk that the low valuation of privacy that was established under Curtis' regime will become entrenched.
It remains to be seen whether the new Commissioner, Timothy Pilgrim, previously Curtis' Deputy, will recover the credibility of the Office. To do so, there is a need to avoid compromise of the Office's intended independence from government and business, to accord civil society recognition at the same level as government and business, to promote effective PIAs far more actively than in the past, to stress the importance of direct consultation with the public, and to strengthen the Office's PIA guidance document by overcoming the shortfalls against the evaluation criteria outlined earlier in this paper.
The Australian Law Reform Commission's Report on its review of the Privacy Act (ALRC 2008) made two Recommendations in relation to PIAs:
The Privacy Act should be amended to empower the Privacy Commissioner to:
The Office of the Privacy Commissioner should develop and publish Privacy Impact Assessment Guidelines tailored to the needs of organisations. A review should be undertaken in five years from the commencement of the amended Privacy Act to assess whether the power in Recommendation 47-4 should be extended to include organisations.
Superficially, this appears to represent progress in the use of PIAs in at least government, and perhaps also business. On closer inspection, however, the picture is not so positive.
Firstly, despite mentioning important aspects of PIAs in the text, the notion of a PIA reflected in the ALRC's Recommendations was seriously deficient, because it was treated as a product rather than a process ("provide ... a [PIA]"). The expression fails to reinforce the need for consultation with affected parties. It also fails to specify the publication of both information in advance of consultation and the PIA Report.
Secondly, the refusal to recommend that the power to require a PIA extend to the private sector ignored both submissions and a Senate Committee recommendation. It stated that "the strongest argument in favour of not directing organisations to undertake a PIA is that the [OAPC] has not yet issued voluntary guidelines for private sector PIAs" (para. 47.82). Yet the Privacy Commissioner needed to make very few changes to deliver a workable version for private sector organisations (OAPC 2010a), and could have easily done so during the 28-month course of the ALRC study.
Added to that, the ALRC's recommendation to wait for a further 5 years was simply irresponsible. The problem has been apparent for 40 years, it has worsened considerably as technology and rationalist management have exploded, and it has very clearly not been solved, and will not be solved, without parliamentary intervention.
Among the ALRC's 294 recommendations (many of them multi-partite), was a proposal to consolidate the two current, very different sets of principles into Unified Privacy Principles (UPPs), and apply them across all of the ten contexts discussed earlier (ALRC 2008, 18.1, 18.2). Clearly, both the public and private sectors would argue that they should not have the more onerous requirements of the other set thrust upon them. The effect would therefore inevitably be that the less onerous of the two alternatives will be selected in every case. In addition, three State Privacy Commissioner would be expected to argue for minimal inconsistency with their existing Principles, and separate Commissioners who administer vast numbers of exceptions created for health services would be expected to argue the same. Further, the enormous complexity of the new scheme provides great scope for additional loopholes to be created and disguised.
The conventional processes of policy formation and preparation of legislation in Australia involve only the recognised stakeholder groups, that is to say government agencies and industry associations. Public interest advocacy groups may be permitted to make submissions, but they are entirely excluded from the detailed discussions that give rise to legislative drafting instructions. The policy agency and its favoured advisers have control over the agenda. They are in a position to devise weakenings of the Privacy Principles, and are able to do so out of public view. If the proposal to create the UPPs is enacted, it is inevitable that the privacy protections in Australia will be greatly weakened.
Hence, even if the ALRC's sole positive proposal in relation to PIAs is implemented, it will represent only the tiniest step forward in privacy protection in Australia, and will be swamped by the reductions in privacy protections achieved by means of the consolidation of privacy principles.
In CSA (2009, pp. 86-87), the Government signalled its agreement with the ALRC's Recommendations in relation to PIAs:
The Government agrees that a Privacy Impact Assessment (PIA) is a best practice tool which can provide a valuable evaluation of how a project or policy may impact on an individual's privacy and possible solutions to address those issues. In line with the principles-based approach of the Privacy Act, PIAs allow agencies and organisations to consider how to best put the Privacy Principles into practice and it is appropriate that PIAs are voluntary in nature.
The Government supports this recommendation. It is important that the Privacy Commissioner have the discretion to direct an agency to undertake a PIA where it is considered that it is crucial to ensuring that a policy or project is appropriately balanced against an individual's right to privacy. This is in line with the Privacy Commissioner's role in enforcing the requirements of the Privacy Act and with the strong need to ensure that Government policy is appropriately balanced against privacy requirements.
This discretionary power is not intended to reduce the voluntary nature of PIAs nor mean that PIAs should only be conducted where there is a direction from the Privacy Commissioner. It will still be necessary for agencies to determine when developing a policy whether it will impact on privacy and whether a PIA is required. This is intrinsically linked with the agency's obligation to comply with the Privacy Principles.
At the time of writing, no draft legislation to give effect to the Government's commitment had yet emerged, 4-1/2 years after the ALRC commenced its review, over 2 years after it published its Report, and 1 year after the Government published its response.
In June 2010, however, an Exposure Draft of what are now referred to as the Australian Privacy Principles (APPs) was released (SFPAC 2010). The draft was produced without civil society involvement. The draft 'Principles' comprise in excess of 6,000 words (compared with the 1,600 of the IPPs and the 3,300 of the NPPs). The majority of the wordage authorises exceptions to the Principles, which undermine privacy and advantage business and government.
The government agency that negotiated the draft buffered itself from privacy advocacy groups during their preparation, but also subsequently. The sole channel for public submissions is a Senate Committee; and the Committee handling the matter (Finance and Public Administration) is attuned to government efficiency, and intrinsically hostile to privacy interests. Given that background, it is of little surprise that civil society identified vast problems with the draft (CLPC 2010, APF 2010b).
For many years, there has been ongoing slow filtration of the PIA notion through agencies, corporations and consultancies. The technique is projected as being a positive approach to risk management, and as being supported by all central agencies and opposed by none. Guidance documents of good quality exist, and a small number of consultancies are experienced in assisting organisations to apply them. Public interest advocacy organisations press for PIAs to be conducted. Some Senate Committees inceasingly expect legislation that comes before them to have been the subject of a PIA, and query the absence of public consultation if none has been performed.
A significant incentive for the conduct of effective PIAs is the visibility of project failures due at least in part to privacy issues. Some agencies have tried to avoid PIAs, or have conducted sham processes by interposing another organisation between themselves and the public. Those agencies have failed to understand the messages, and have suffered negative media coverage and ignominious project failures. On the other hand, agencies that have conducted effective processes have assimilated the public's views, found ways to address the risks, avoided negative publicity, and brought their projects to successful conclusions.
Government agencies and the business sector are endeavouring to grossly weaken privacy protection in Australia through a new set of 'Principles' and accompanying legislation, with the expectation that this will be to the advantage of business and government activities. If they are successful, organisations will indeed find it very easy to achieve compliance with such exception-ridden privacy laws.
In the emergent, very-soft-touch regulatory context, agencies and corporations in Australia will be free to design and implement privacy-abusive schemes. They will include features that extend beyond the threshold of acceptability to the categories of people who they deal with and affect. They will encounter both push-back from the citizens and consumers that they seek power over and negative media coverage. Public relations disasters will occur more often. The incidence of scheme rejection and loss of investment will increase.
To cope with these problems, organisations will appreciate the need for risk management. They will discover a ready-made technique called privacy impact assessment. Hence, in the emergent context of privacy-hostile law, the significance of PIAs in Australia looks set to increase.
ACCAN (2010) 'Communications privacy complaints: In search of the right path' Cyberspace Law & Policy Centre. UNSW, Sydney, September 2010, at http://www.cyberlawcentre.org/privacy/ACCAN_Complaints_Report/report.pdf
AG (2009) 'Privacy Impact Assessment - The AusCheck Amendment Bill 2009 and the national security background check', Attorney-General's Department / Salinger Privacy, Canberra, 3 March 2009, at http://www.ag.gov.au/www/agd/rwpattach.nsf/VAP/(712B446AA84F124A6F0833A09BD304C8)~AusCheck+PIA+-+Final+report.pdf/$file/AusCheck+PIA+-+Final+report.pdf, mirrored here
ALRC (2008) 'For Your Information: Australian Privacy Law and Practice' ALRC Report 108, Australian Law Reform Commission, August 2008, at http://www.alrc.gov.au/publications/report-108
APF (2007) 'The Federal government calls it a 'Human Services Access Card'. We call it for what it is: a National ID Card System' Australian Privacy Foundation, 2007, at http://www.privacy.org.au/Campaigns/ID_cards/HSAC.html
APF (2010a) 'Resources - The Law' Australian Privacy Foundation, current as at August 2010, at http://www.privacy.org.au/Resources
APF (2010b) 'Submission re Exposure Draft of Australian Privacy Amendment Legislation', Australian Privacy Foundation, August 2010, at http://www.privacy.org.au/Papers/Sen-APPs-100818.pdf mirrored here
Clarke R. (1994) 'Matches Played Under Rafferty's Rules: The Parallel Data Matching Program Is Not Only Privacy-Invasive But Economically Unjustifiable As Well' Xamax Consultancy Pty Ltd, November 1993, at http://www.rogerclarke.com/DV/PaperMatchPDMP.html. Versions published in Privacy Law & Policy Reporter 1,1 (February 1994), and in Policy (Autumn 1994)
Clarke R. (1998a) 'Privacy Impact Assessments', Xamax Consultancy Pty Ltd, February 1998, at http://www.rogerclarke.com/DV/PIA.html
Clarke R. (1998b) 'Privacy Impact Assessments' Xamax Consultancy Pty Ltd, February 1998, at http://www.xamax.com.au/DV/PIA.html
Clarke R. (2001) 'The Fundamental Inadequacies of Conventional Public Key Infrastructure' Proc. Conf. ECIS'2001, Bled, Slovenia, 27-29 June 2001, at http://www.rogerclarke.com/II/ECIS2001.html
Clarke R. (2008) 'Privacy Impact Assessment in Australian Contexts' Murdoch eLaw Journal 15, 1 (June 2008), Preprint at http://www.rogerclarke.com/DV/PIAAust.html
Clarke R. (2009) 'Privacy Impact Assessment: Its Origins and Development' Computer Law & Security Review 25, 2 (April 2009) 123-135, PrePrint at http://www.rogerclarke.com/DV/PIAHist-08.html
Clarke R. (2010a) 'Triumph of the Bureaucracies: How Privacy Law in Australia Succumbed to Administrative Convenience' Xamax Consultancy Pty Ltd, August 2010, at http://www.rogerclarke.com/DV/APLVAC.html
Clarke R. (2010b) 'An Evaluation of Privacy Impact Assessment Guidance Documents' Xamax Consultancy Pty Ltd, August 2010, at http://www.rogerclarke.com/DV/PIAG-Eval.html
CLEDS (2010) 'Review of Victoria Police Major Project Development MOUs under s11(1)(e) of the Commissioner for Law Enforcement Data Security Act 2005 Commissioner for Law Enforcement Data Security' Commissioner for Law Enforcement Data Security, August 2010, at http://www.chiefexaminer.vic.gov.au/retrievemedia.asp?Media_ID=60421, mirrored here
CLPC (2010) 'Necessary improvements to the Australian Privacy Principles', Cyberspace Law & Policy Centre at UNSW, August 2010, at https://senate.aph.gov.au/submissions/comittees/viewdocument.aspx?id=9b3bffed-935d-4ea7-8a8a-123433c9eaec mirrored here
CSA (2009) 'First Stage Response to the Australian Law Reform Commission Report 108', Cabinet Secretary to the Australian Government, October 2009, at http://www.pmc.gov.au/privacy/alrc_docs/stage1_aus_govt_response.pdf, mirrored here
DoD (2008) 'Defence Privacy Impact Checklist', Department of Defence, Canberra, February 2008, at http://www.defence.gov.au/fr/Privacy/defence-piachecklist-Feb08.doc, mirrored here
ICO (2007a) 'Privacy Impact Assessment Handbook' Information Commissioner's Office, Wilmslow, I.K., December 2007, at http://www.ico.gov.uk/upload/documents/pia_handbook_html_v2/index.html, mirrored here
ICO (2007b) 'Appendix E: Jurisdictional Report for Australia' to 'Privacy Impact Assessments: International Study of their Application and Effects' Information Commissioner's Office, Wilmslow, I.K., December 2007, at http://www.ico.gov.uk/upload/documents/library/corporate/research_and_reports/lbrouni_piastudy_appe_aus_2910071.pdf, mirrored here
MBS (1999) 'Privacy Impact Assessment Guidelines' 1999, revised 2001, Management Board Secretariat, Government of Ontario, at http://www.accessandprivacy.gov.on.ca/english/pia/index.html, mirrored here
Medicare (2009) 'Privacy Impact Assessment (PIA) - Increased MBS Compliance Audits' Medicare Australia, Canberra, 28 April 2009, at http://www.health.gov.au/internet/main/publishing.nsf/Content/C010759A8FB2E35DCA25759300011241/$File/Privacy%20Impact%20Assessment%20for%20the%20IMCA%20initiative.pdf, mirrored here
OAPC (1992) 'The use of data matching in Commonwealth administration - Guidelines' Office of the Australian Privacy Commissioner, rev. February 1998, at http://www.privacy.gov.au/publications/dmcomadmin.pdf, mirrored here
OAPC (2001) 'Privacy and Public Key Infrastructure: Guidelines for Agencies using PKI to Communicate or Transact with Individuals' Office of the Australian Privacy Commissioner, December 2001, at http://www.privacy.gov.au/materials/types/download/8809/6609, mirrored here
OAPC (2003) 'Submission to the Joint Committee of Public Accounts and Audit (JCPAA) on Management and Integrity of Electronic Information in the Commonwealth' Office of the Australian Privacy Commissioner, January 2003, at http://www.privacy.gov.au/publications/jcpaasubs.doc
OAPC (2006) 'Privacy Impact Assessment Guide' Office of the Australian Privacy Commissioner, August 2006, at http://www.privacy.gov.au/publications/PIA06.pdf, mirrored here
OAPC (2010a) 'Privacy Impact Assessment Guide' Office of the Australian Privacy Commissioner, May 2010, at http://www.privacy.gov.au/materials/types/download/9509/6590, mirrored here
OAPC (2010b) 'Privacy Laws' Office of the Australian Privacy Commissioner, resource current at August 2010, at http://www.privacy.gov.au/law
OVPC (2004) 'Privacy Impact Assessments - A Guide', Office of the Victorian Privacy Commissioner, August 2004, at http://www.privacy.vic.gov.au/dir100/priweb.nsf/download/FFC52F3B3A208C34CA256EF800819403/$FILE/OVPC_PIA_Guide_August_2004.pdf, mirrored here
OVPC (2005) 'Submission to the Commonwealth Senate Legal and Constitutional Committee on its Inquiry into the Privacy Act 1988 (Cth)' Office of the Victorian Privacy Commissioner, March 2005, at http://www.privacy.vic.gov.au/dir100/priweb.nsf/download/ED6E90678C836311CA2570110019833A/$FILE/Sen%20Leg%20Con%20Ctte%20sub.pdf
OVPC (2007) 'Privacy & Related Legislation in Australia' Office of the Victorian Privacy Commissioner, Resource current at December 2007, at http://www.privacy.vic.gov.au/dir100/priweb.nsf/content/2A43C5DD5A412761CA256FA400110051?OpenDocument
OVPC (2009) 'Privacy Impact Assessment Guide', Edition 2, May 2009, with supporting documents 'Privacy Impact Assessment Report template and Accompanying Guide to the template, at http://www.privacy.vic.gov.au/privacy/web.nsf/download/B595F5F2FDFD2135CA2575AC0012BC0E/$FILE/OVPC%20Privacy%20Impact%20Assessment%20Guide%20Edition%202%20May%202009.pdf, mirrored here
QGCIO (2001a) 'Information Standard No 42 - Information Privacy' Queensland Government CIO, 2001, at http://www.qgcio.qld.gov.au/SiteCollectionDocuments/Architecture%20and%20Standards/Information%20Standards/Current/is42.pdf, mirrored here
QGCIO (2001b) 'Information Standard No 42A - Information Privacy for the Queensland Department of Health' Queensland Government CIO, 2001, at http://www.qgcio.qld.gov.au/SiteCollectionDocuments/Architecture%20and%20Standards/Information%20Standards/Current/is42a.pdf, mirrored here
QGCIO (2008) 'Queensland Government Information Security Classification Framework' Queensland Government CIO, Version 1.0.1, April 2008, at http://www.qgcio.qld.gov.au/SiteCollectionDocuments/Architecture%20and%20Standards/QGISCF%20v1.0.1.doc
SADOH (2004) 'Code of Fair Information Practice' South Australian Department of Health, July 2004, at http://www.health.sa.gov.au/Portals/0/Health-Code-July04.pdf, mirrored here
SADPC (1989) 'Cabinet Administrative Instruction No. 1 of 1989: PC012 - Information Privacy Principles Instruction' South Australian Department of Premier and Cabinet, 1989, at http://www.premcab.sa.gov.au/pdf/circulars/Privacy.pdf, mirrored here
SFPAC (2007) 'Human Services (Enhanced Service Delivery) Bill 2007 [Provisions]', Senate Finance and Public Administration Committee, March 2007, at http://www.aph.gov.au/senate/committee/fapa_ctte/access_card/report/index.htm, mirrored here
SFPAC (2010) 'Australian Privacy Principles - Exposure Draft' Senate Finance and Public Administration Committee, June 2010, at http://www.aph.gov.au/Senate/committee/fapa_ctte/priv_exp_drafts/guide/exposure_draft.pdf, mirrored here
VicDET (2010) 'Privacy Impact Assessment Report - The Ultranet' Salinger Privacy, for the Department of Education and Early Childhood, Melbourne, March 2010, at http://www.eduweb.vic.gov.au/edulibrary/public/ultranet/ultranet-pia.pdf, mirrored here
Waters N. (2001) 'Privacy impact assessment - traps for the unwary' Privacy Law & Policy Reporter 7, 9 (February) 176, at http://www.austlii.edu.au/au/journals/PLPR/2001/10.html
WA-DPC (2005) 'Identity & Access Management Framework' W.A. Department of the Premier & Cabinet, Perth, v.2, September 2005, at http://www.publicsector.wa.gov.au/SiteCollectionDocuments/WA_IAM_Framework_rpt_V2.0.pdf, mirrored here
WA-DPC (2007) 'Proposed Western Australian Government Number - Privacy Impact Assessment ' W.A. Department of the Premier & Cabinet, Perth, June 2007, at http://www.publicsector.wa.gov.au/SiteCollectionDocuments/FINALWAGNPIA.pdf, mirrored here
This chapter draws on the earlier papers published as Clarke (2008) and Clarke (2009).
Roger Clarke is a 40-year veteran of the IT industry. For the last 20 years, he has specialised in strategic and policy aspects of eBusiness, information infrastructure, and dataveillance and privacy, as Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the Cyberspace Law & Policy Centre at the University of N.S.W., and a Visiting Professor in the Department of Computer Science at the Australian National University.
He has been a Board member of the Australian Privacy Foundation since its establishment in mid-1987, and has been its Chair during 2006-10. He has been a member of the Advisory Board of Privacy International since 2000. He was a member of the Victorian Data Protection Advisory Council in 1996, and of the federal Attorney-General's 'Core Consultative Group' in 2000, and has performed consultancies for various organisations mentioned in this paper. In 2009, he was the second person to be awarded the Australian Privacy Medal, following Justice Michael Kirby.
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.
From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 50 million in early 2015.
Sponsored by Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916
Created: 7 August 2010 - Last Amended: 30 September 2010 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at www.rogerclarke.com/DV/PIAsAust-11.html