Principal, Xamax Consultancy Pty Ltd, Canberra
Visiting Fellow, Department of Computer Science, Australian National University
Version of 31 July 1998
© Xamax Consultancy Pty Ltd, 1998
This document is at http://www.anu.edu.au/people/Roger.Clarke/DV/VicDPSub.html
This submission relates to the Discussion Paper on 'Information Privacy in Victoria: Data Protection Bill' ( MMV 1998), published in early July.
With two major qualifications, and some additional areas of concern, I express strong support for the regime described in that document. It is urgent that the matter be progressed, both as a means of protecting the information privacy of Victorians, and to ensure that Victorians have the confidence to adopt electronic commerce and electronic service delivery.
In addition, I fully concur with the strong desire expressed in the document for a national, statutory scheme for the private sector, in order to avoid inconsistencies between jurisdictions, and resulting unnecessary expenses for businesses that operate across State and Territory borders. If, however, the Commonwealth does not act immediately to provide such a scheme, then Victoria should lead the nation by implementing this regime.
The remainder of this document focuses exclusively on the proposal's weaknesses.
The Discussion Paper states that "the approval process will involve the Privacy Commissioner certifying that ... the code is substantially achieving the privacy objectives of the legislation" (p.17, my emphasis). This is an extremely weak formulation, and is likely to result in opposition to the Bill by privacy and consumer advocates.
A further serious weakness is embodied in the statement that "It is expected that voluntary codes will also set up complaint-handling processes that provide for appeals" (p.15, my emphasis). It is critical that this be a firm requirement.
There is a remarkable contrast between these weak formulations and the wording used in the Victorian Government's Regulatory Efficiency Legislation, announced on 20 May 1998, whereby business will be able to obtain approval for alternative compliance mechanisms (ACMs). The Government's statement referred to "stringent safeguards", such that "an ACM would have to meet the objectives at least as effectively of any regulation as it replaces", and would not be approved if it compromised the objectives of the regulation it replaced ( LRCV 1997).
That wording is excellent, because it provides business associations with the opportunity to propose alternative approaches to regulation that would cost their members less time and money, but does not do so at the cost of undermining established consumer and public protections.
The code approval criteria in the Data Protection Act need to be amended to use the wording from the Government's Regulatory Efficiency Legislation: it is essential that the Privacy Commissioner be precluded from approving a code unless it provides equivalent protection to the statutory scheme for which it is to be substituted. Among other things, this includes that it provide for ultimate recourse to the Privacy Commissioner and Victorian Civil and Administrative Tribunal (VCAT), in the same way in which the statutory scheme provides access.
The Discussion Paper proposes that the Privacy Commissioner's determinations in respect of complaints not be binding. This is equivalent to the very weak feature that has been in the N.S.W. Privacy Committee Act since its enactment in 1975. It stands in stark contrast to the power of the Commonwealth Privacy Commissioner to enforce determinations through the Federal Court.
It is absolutely essential that this legislation provide an enforceable regime. It is critical that determinations be enforceable through the District Court or the Victorian Civil and Administrative Tribunal (VCAT), by application of the Privacy Commissioner, or of an aggrieved individual, or of an aggrieved organisation, and that the Privacy Commissioner not have the power to prevent an aggrieved party from making such an application.
The initial draft of the Privacy Commissioner's National Privacy Principles (NPPs), although generally an appropriate basic expression of information privacy principles, embody significant deficiencies. Most of these are documented in Clarke (1998a).
Among the NPP's omissions are the failure to address justification for privacy-invasiveness; pseudonymity; freedom from surveillance; and workplace privacy.
NPP features that fall seriously short of community expectations include unjustifiable special treatment for the direct marketing industry, and for law enforcement and national security agencies; logging of disclosures; and protections relating to identifiers. Very strong submissions have been made to the Privacy Commissioner to the effect that Principles 2.1(c), (g) and (h) represents serious and unacceptable compromises to privacy, and must be deleted.
The Discussion Paper addresses this question in part ("it is possible that the Privacy Commissioner will amend the principles ..."). This does not satisfactorily address the problem of what to do in the event that the Privacy Commissioner fails to amend the NPPs so as to overcome these important weaknesses.
I submit that the wording of the Principles needs to depart from the wording of the NPPs in these specific matters, should the Privacy Commissioner's fail to amend the NPPs.
The fifth paragraph on p.11 states that the regime "will not apply to businesses that are required to comply with data protection principles under" various statutes. This is an excessive exemption, because some of these statutes may provide only partial coverage of privacy, and hence the risk exists that organisations could be accidentally exempted from important requirements.
The phrasing needs to be qualified by a clause such as "to the extent that those principles are equivalent to those expressed in the Data Protection Act".
The Discussion Paper proposes that the Privacy Commissioner be provided with some powers in respect of privacy matters other than information privacy. This is a highly desirable feature; but the powers need to be clear, and to be sufficient to enable the public, government agencies, Ministers and the Parliament to be well-informed. It is important that the powers in relation to privacy matters other than information privacy not become lost or diffused during the formal drafting of the Bill.
Moreover, it is vital that the Privacy Commissioner be provided with an investigations power in relation to privacy matters other than information privacy. A determinative power is less important in this case, because the long experience of the N.S.W. Privacy Committee has shown that (at least to date) the vast majority of such matters can be satisfactorily handled through conciliation alone.
The NPPs fail to address the need for organisations to justify:
The appropriate approach to justification is through the conduct of cost-benefit analysis techniques ( Clarke 1995) or privacy impact assessments ( Clarke 1998b). These provide a basis for consultation with the Privacy Commissioner, with stakeholders, and with the public generally.
I urge that the Victorian regime include provisions that require organisations to provide justification for privacy-invasive systems, features and exceptions and exemptions.
The various references in the Discussion Paper are inconsistent on the question of whether the Privacy Commissioner will have the power to conduct random audits. It is important that this power be provided, as indicated on p.18.
It is stated that periodic review and amendments would be a task for the Privacy Commissioner, but that this "will not be required by law". It is essential that the privacy-protections and privacy-protective processes be adaptive, in order to ensure response to the ongoing rapid and substantial developments in technology and in organisational practices. The regime proposed contains no other adaptive mechanisms, and hence it is important that periodic review by the Privacy Commissioner be required by law.
There is provision for a Code to replace the statutory scheme in whole, but not in part. It is highly desirable that provision be made for a Code to replace the statutory scheme in part, e.g. by re-stating one or more particular Principles more specifically, but adopting the remaining principles from the NPPs; or nominating an organisational and/or industry sector complaints procedure, but leaving the principles and the statutory appeals procedures in place.
The Discussion Paper does not appear to mention the provision to the Privacy Commissioner of a power to revoke a Code. It is essential that the Privacy Commissioner has the power to revoke a Code, and of course that there be some form of appeal against such a decision.
The Discussion Paper envisages that the investigative function should require a trigger, namely an 'allegation'.
It is highly desirable that the Privacy Commissioner be empowered to investigate any matter, on his or her own volition, subject only to the organisation concerned being within-scope, and the matter involving a possible breach of an NPP.
The Discussion Paper fails to require that Ministers and agencies consult with the Privacy Commissioner on government initiatives that have implications for the privacy of Victorians. This will result in Bills reaching Parliament which will fail to achieve public confidence. It is urged that consultation be made a responsibility of agencies, as well as a power of the Privacy Commissioner.
The privacy-protective regime described in the Discussion Paper has many excellent features. It has three very serious weaknesses, which would undermine public acceptance if they were not addressed, together with a number of additional weaknesses of consequence.
Clarke R. (1995) 'Computer Matching by Government Agencies: The Failure of Cost/Benefit Analysis as a Control Mechanism', Informatization and the Public Sector (March 1995) ', at http://www.anu.edu.au/people/Roger.Clarke/DV/MatchCBA.html#CBA
Clarke R. (1998a) 'Serious Flaws in the National Privacy Principles', Privacy Law & Policy Reporter 4, 9 (March 1998), at http://www.anu.edu.au/people/Roger.Clarke/DV/NPPFlaws.html
Clarke R. (1998b) 'Privacy Impact Assessments', April 1998, at http://www.anu.edu.au/people/Roger.Clarke/DV/PIA.html
LRCV (1997) 'Regulatory Efficiency Legislation: Report', Law reform Commission of Victoria, October 1997, at http://home.vicnet.net.au/~lawref/relr/title.html
MMV (1998) 'Discussion Paper on 'Information Privacy in Victoria: Data Protection Bill' Multimedia Victoria, July 1998, at http://www.mmv.vic.gov.au/DIR0123/mmv_www.nsf/649fa0154efb3af54a2565a5000786f4/45d3b0ae31c62ce84a25663900001916/$FILE/priv.pdf
Go to Roger's Home Page.
Go to the contents-page for this segment.
Send an email to Roger
Created: 31 July 1998
Last Amended: 31 July 1998
|These community service pages are a joint offering of the Australian National University (which provides the infrastructure), and Roger Clarke (who provides the content).|
| The Australian National University|
Visiting Fellow, Faculty of
Engineering and Information Technology,
Information Sciences Building Room 211
Consultancy Pty Ltd, ACN: 002 360 456|
78 Sidaway St
Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, 6288 6916