Roger Clarke's Web-Site
© Xamax Consultancy Pty Ltd, 1995-2016
|Identity Matters||Other Topics||Waltzing Matilda||What's New|
Notes for a Presentation to the Queensland Council for Civil Liberties (QCCL), Brisbane, 15 March 2011
Version of 14 March 2011
Roger Clarke **
© Xamax Consultancy Pty Ltd, 2011
Available under an AEShareNet licence or a Creative Commons licence.
This document is at http://www.rogerclarke.com/DV/QCCL-110315.html
QCCL invited the Queensland Privacy Commissioner, Linda Matthews to speak at a QCCL event. They invited me, in my role as APF Chair, as second speaker at the event.
I propose to briefly identify some privacy issues that have attracted media coverage in Queensland during the last year, and then highlight some important points about the process of privacy protection.
The aphorism is that 'privacy doesn't matter until it does'. Most of the time, privacy is out of sight and out of mind, but when it bobs up it can generate a great deal of angst. And the issues that do bob up above the surface are enormously varied.
EFA's public discussion list for privacy issues has been operating since 1997, and runs at between 1500 and 2000 postings each year. Most of the issues that arise are of national interest, but some are geographically specific. The list does not have a public archive, but my private copy shows about eight specifically Queensland issues during the last 12 months. I also checked the APF's policy-index for Queensland.
One of the big items was access by Queensland Police to GoCard records for purposes beyond reasonable grounds for expecting that the data would materially assist in a criminal investigation.
On the one hand, the matter came to public attention, there was actually, at long last, an oversight agency with responsibility in the area, and the Privacy Commissioner investigated it and reported on it only four months later. On the other hand, the Police breached the law, yet the only retribution meted out was the gentlest of wet fish slaps. Yes, it signals to the bureaucrats that there's a privacy law in Queensland, but they're hardly quaking in their boots about the consequences.
Another report was about a ruling by the United Nations Human Rights Committee. It upheld a complaint against the Queensland law that permits continued detention of sex offenders after the expiry of their sentences. This provision of the Dangerous Prisoners (Sexual Offenders) Act is not just obnoxious to human rights, but in breach of Australia's international obligations as well.
Multiple instances of excessive data collection arose. In the private sector, The Wharf Tavern on the Sunshine Coast has been scanning photo IDs. The Commonwealth Privacy Commissioner, whose purview this falls under, has issued an Information Sheet, but has taken no action to stop the malpractice. It's very probably a breach of the Privacy Act, but the Act was designed to be unenforceable and the Commonwealth Privacy Commissioner's hoping to keep it that way.
Similar problems exist in the public sector, and fall under the Queensland Privacy Commissioner's purview. An important example is the ongoing epidemic of widespread publication of criminal record data to employers. In particular, this State leads the nation in breaching the privacy of volunteers through its Screening and Registration scheme. It's been reported that volunteers' details are collected on a central database, but the business processes of the relevant agency are opaque.
Another perennial problem is lack of security resulting in data breaches. Recently, these have included a Mount Isa hospital dropping patients' records on the street, and, last week, Brisbane's CityCycle Bike Hire leaking email-addresses.
There was a(nother) recent attempt to impose 'moral minority' views on other people, by posting photos of men entering a Toowoomba brothel on a social networking website. NSW of course had a more serious instance of unjustified publication of such images, in this case of the State's Transport Minister leaving a gay massage parlour. The oversight agency, ACMA, earned widespread opprobrium, even from the self-interested media, after bending over backwards to find Channel 7 not even deserving of the wet fish slap.
What we used to call 'the media industry' are sorely in need of more precise guidance, and penalties for serious breaches. The APF has argued for significantly more detailed Codes. The media is now all of us, and us prosumers also need guidance and a regulatory framework as we post text in Wikipedia, images on Picasa and Facebook, and videos on YouTube.
The last three issues that I'll highlight demonstrate some serious problems with the processes of privacy protection, here in Queensland, as elsewhere in Australia.
One situation is actually less bad in Queensland than in the other States. The national security extremist push has been grossly impacting on privacy in many areas. One of them is Automated Number Plate Recognition (ANPR). The privacy argument is not that it's an evil technology, but that its use has to be justified not assumed, and that it must apply 'blacklist-in-camera' architecture, and be implemented as a targeted program, not mass surveillance. Only relevant data must be collected and only relevant data must be retained, and Crimtrac's CEO Ben McDevitt must be actively denied the opportunities he seeks to build a UK-style national surveillance database.
The Queensland Parliament's Travelsafe Committee held what is to date the only public assessment of ANPR, and published a reasonable report. We need published information, and public consultation processes, and Parliamentary processes based on facts, not on misinformation and downright lies by government agencies hidden from view in suppressed documents and secret meetings.
In a second, and long-running saga, the Department of Transport has long wanted to find one or more sponsors to pay for the Queensland Driver's Licence. That of course means that they have to offer some inducements in return - that's how so-called 'public-private partnerships' work. The problem is that the personal data of drivers is the main thing that the private sector would like from the Department.
The Department consulted with the APF, and separately with me in my capacity as an eBusiness and smartcard consultant, way back in 2003. Yet, despite an explicit undertaking from the Premier's Parliamentary Secretary, the Department did not consult with the APF when it conducted a PIA. The first we knew of it was after the PIA Report was published, in September last year (7 years after our initial comments).
It's no wonder that the Department worked very hard to avoid any meaningful public involvement, because all that its so-called 'PIA process' comprised was a check of of its proposal's legal compliance. And the report was published only as a scan, not as text, and as a protected document that precludes the extraction of quotations.
When the Queensland Privacy Commissioner publishes her Guidelines for the conduct of PIAs by agencies of the Queensland government, the APF trusts that they will reflect best practice around the world. Some of the key features of best practice are:
A further area of serious concern relates to the scope for public-private partnerships to completely escape privacy oversight. Toll-road operators in three States have been permitted by Parliaments and Privacy Commissioners to deny the freedom of anonymous travel on major thoroughfares, by only implementing payment mechanisms that inherently involve the disclosure of identity. The APF has previously taken this up with operators of Melbourne and Sydney toll-roads. When I hired a car at Eagle Farm last month to drive to around Brisbane and down to the Gold Coast on business, I discovered that I had been trapped into carrying a spy-device in the car.
Yet worse, the operator claims not to be subject to Queensland privacy law (because the company is in the private sector) and the Commonwealth Privacy Commissioner, in its usual pro-business, pro-government, anti-privacy manner, has declared the operator not to be subject to the Commonwealth Privacy Act because it's under contract to a State government. So it's subject to no privacy oversight at all.
We would like to say that we look forward to reports by the four Privacy Commissioners to relevant Ministers and Parliaments, drawing attention to this yawning gap in privacy protections. Subsequently, we would expect public statements by the Privacy Commissioners to the media, showing that the Commissioners are aware of the problem, but have no power to deal with it and have drawn it to the attention of the relevant Ministers and Parlament.
But to date such actions by Privacy Commissioners have been lamentably lacking. Will the Queensland Commissioner take up this particular cudgel on behalf of the people of Queensland?
Privacy extends across many dimensions, affecting:
And the reasons why privacy matters vary from the psychological, through the social and economic, to the philosophical and the political.
Further, as the various examples from Queensland news reports of the last year suggest, this amorphous thing loosely called 'the right to privacy' extends from the fairly trivial level of a right not to be embarrassed, via considerations like a right not to invite identity fraud, up to critical human rights such as freedom of travel and freedom of interference with one's body.
Privacy protection is an exercise in balance among multiple interests. Nomatter which specific issue is tackled, reasonable balance-points will only be achieved through informed and open processes.
What is commonly lacking, throughout Australia, is sufficient power in the hands of the public. Privacy Commissioners must take full advantage of all of the limited scope that Parliaments give them, and of every one of the limited powers that their statutes provide.
It's not a cushy job, and I wish Queensland's Privacy Commissioner much enjoyment, and much courage, in dealing with agencies and Ministerial staff, and in working both for and with Queenslanders generally, QCCL in particular, and the APF.
Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the Cyberspace Law & Policy Centre at the University of N.S.W., and a Visiting Professor in the Department of Computer Science at the Australian National University. He has also been a Board member of the Australian Privacy Foundation since its establishment in 1987, and its Chair 2006-11.
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.
From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 50 million in early 2015.
Sponsored by Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916
Created: 13 March 2011 - Last Amended: 14 March 2011 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at www.rogerclarke.com/DV/QCCL-110315.html