Don't let privacy do your head in


This was published 16 years ago


Karen Curtis has the tough job overseeing the Federal Privacy Office and National Privacy Principles. She is among the experts who gave Rob O'Neill this how-to guide to managing privacy in your organisation.

The Golden Rule, to treat others as you would expect to be treated yourself, is accepted by so many religions and philosophies around the world that it can almost be considered universal. It is also the simplest of guides when dealing with issues of privacy.

Beth Wilson, Victoria's Health Services commissioner, has her own version, which she urges people to apply when making everyday decisions about sharing information.

"Ask yourself would you want your mum's, brother's or sister's information to be treated like this," she says.

To suggest that privacy regulation has become a battleground of Australian federalism, with the states competing with the Commonwealth for jurisdiction, would perhaps be going too far. But there is little doubt the states and the Commonwealth approach issues of privacy differently.

The result is a mesh of requirements and jurisdictions that affect different industries in different places in different ways. The activities of most organisations will be governed by at least two sets of laws and two sets of administration. Some will be governed by more than that.

For organisations operating Australia-wide, up to eight different sets of rules may apply.

Confusing? Not necessarily, say the experts.

Federal Privacy Commissioner Karen Curtis says since the Privacy Act was extended to include the private sector, business has mostly complied. This is especially the case in larger organisations and organisations in the financial services industry.

"They were used to doing it and aware of the potential brand damage if they didn't do it right," Ms Curtis says.


John Dickie, acting privacy commissioner of NSW, says Australia's multilayered privacy regime may appear complex but in practice it works well. In general, NSW's privacy principles are the same as the federal principles, he says, and on top of that there are 15 health information principles.

Privacy New South Wales deals mostly with the state public sector, except when it comes to health information, where jurisdiction is across both state and private providers. "That may be where there is some confusion," he says.

Federal legislation also covers health. To alleviate that, Mr Dickie's state office works closely with Ms Curtis's federal office, he says. A memorandum of understanding is in place to demarcate the first point of contact for consumers and providers.

Despite that, achieving greater national consistency is one theme that emerged in a review of the private sector laws Ms Curtis presented to government in March.

One example of the different ways states treat privacy is Victoria's health privacy system. In Victoria there is specific legislation covering the health sector, the Health Records Act 2001. Health Services Commissioner Beth Wilson says the Government did not want to lump health in with other privacy legislation because it was "so different and so private". Ms Wilson says privacy issues in health can be as slight as people with knowledge of someone's medical condition gossiping at a reception desk or in the supermarket. However, IT can magnify the possibility of a breach of privacy.

Technological developments are the main reason for the introduction of privacy legislation, because it has become so easy for someone to press a button and transmit private health information that affects, for instance, how people are treated in their future employment. But IT enhances privacy if it is done well, she says.

An incident that highlights how sensitive health information is occurred in Victoria when, in a complicated case of late-term abortion, private medical records were provided by the coroner to National Party Senator Julian McGauran and then passed into the public domain.

Ms Wilson is vocal in her condemnation of that sharing of private medical information. She says it turned the woman into a scapegoat.

"What has happened here is a stark reminder to us all about why patients' rights to privacy must be protected. No one who has been involved with this case has been unmoved; it has taken quite a toll on a number of people," she said last year.

Ms Wilson says Australia's privacy commissioners do not have jurisdiction over the case and Democrat Senator Natasha Stott Despoja has taken that matter up and asked for changes to the legislation.

Like Ms Curtis, Ms Wilson concludes the law hasn't caused the disruption some predicted. There are still complaints about the dual state and federal regime, but "the differences between them are far fewer than the similarities", she says.

The laws have even served to increase consistency by bringing private and public sector health providers into line.

Apart from improving national consistency, another driver of Ms Curtis' review was that the European Union is yet to announce it is satisfied with Australia's calibre of privacy protection.

The federal Privacy Act, passed in 1988, grew out of the Australia Card debate over a national identity card system. The Australia Card failed but the Hawke government found it still had to meet OECD civil and political rights guidelines.

The Privacy Act was passed, covering at first just Commonwealth agencies. In 1991, amendments extended jurisdiction to credit providers and reporters. Then in 1995 the European Union stepped into the picture, directing that privacy law apply in all EU nations. EU businesses dealing with non-EU businesses had to ensure those businesses were regulated by privacy law in their countries of origin or covered by contract.

That provided the impetus to bring the private sector into the federal system, and also for states to introduce their own legislation. The act was extended to include parts of the private sector from December 21, 2001, by requiring private-sector businesses with more than $3 million in turnover to comply with 10 National Privacy Principles (summarised below).

Some of the 85 recommendations contained in Ms Curtis' review are specific to the operations of her office, some are designed to boost consistency, and some require specific legislative changes.

"It's very important to have national consistency for privacy," she says. "Inconsistency adds to the cost of compliance and is confusing for business and individuals."

She also recommends a broader review, covering more than just the private sector provisions, to determine whether the laws and principles are meeting Australia's needs in the 21st century.

What are the compliance pain-points for business?

Ms Curtis says 65 per cent of complaints her office receives are about the private sector. Since 2001, 26 per cent of those complaints relate to improper disclosure and 11.6 per cent to improper use; 18 per cent of complaints come from the financial services industry, and 12 per cent from health and pharmacy. Telecommunications and internet service providers contributed 8.8 per cent of complaints, she says, but that's an area that is growing.

Burgeoning use of mobile phones and other technologies means there is more personal data being held by more different types of businesses. Privacy, Ms Curtis says, is really about protecting that data.

Credit reporting agencies, debt collectors and tenancy databases produced 8.2 per cent of complaints and the insurance industry delivered 6.6 per cent.

In NSW, common complaints Mr Dickie has to deal with include people who believe their address has been tracked via their car registration number. People sometimes think this information came from the Roads and Traffic Authority, but mostly this is not the case, he says.

Some complaints come out of education where the address of one parent is given to another when the two are estranged and one is seeking to avoid contact.

Another, which seems to fall between the cracks in the current legislation, is home security cameras that are trained on a neighbour's house.

"It causes a fair bit of angst," Mr Dickie says.

Ms Curtis emphasises training as the most effective means to minimise compliance issues. It is something the banks have managed well, she says.

"Others have done it as a one-off. It's good practice to go back and review what you do and see that you are complying and training," she says. "That is one thing I think business will need to continually do."

She also recommends organisations appoint a privacy contact officer. These do not have to be full-time positions, but add clarity about responsibilities and points of contact. She would like to develop a network of these people for the private sector as has already been done for the public service.

One issue she has to deal with is what she describes as "risk aversion". Organisations holding information refuse to release information that can be released.

That's an issue that resonates with Ms Wilson, too. She says one of the main issues she faces is educating people that privacy and secrecy are not the same. Some people play it so safe they refuse to release any information at all.

"That's not what it's meant to be about," she says. "It's meant to facilitate good communications, not prevent communications. It requires a bit of skill from health workers."

As with the federal legislation, NSW privacy law is also under review. The law is being studied by the state attorney-general with a report to Parliament expected either this or next session.

One developing issue is new anti-terrorism legislation. Mr Dickie says he is not aware of any impact on privacy from the impending laws but he would expect to have a chance to comment on anything that affects his role at the state level.

Ms Curtis says she has statutory responsibility under the Privacy Act to look at laws that affect privacy and will be examining any new laws for their impact on personal information.

The best starting place for anyone seeking to understand Australia's privacy regime is the 10 National Privacy Principles introduced by the Privacy Amendment Act 2000. These apply to parts of the private sector and all health providers. A separate set of 11 principles applies to the Commonwealth and ACT public sector. There are also other acts and other sets of principles in state law, summarised below.

The principles, in brief, are:

1. COLLECTION

An organisation must not collect personal information unless the information is necessary for its functions or activities, and the collection must be lawful and not unreasonably intrusive. The individual must be made aware of the organisation collecting the information, the purpose of the collection, and to whom the information will be disclosed.

2. USE AND DISCLOSURE

An organisation must not use or disclose personal information about an individual for a purpose other than the one for which it was collected, unless the purposes are related or the individual has consented to the disclosure. If it is not sensitive information it can be used for direct marketing, subject to some restrictions. Health information can be used for the purpose of compiling statistics. All information can be disclosed if that is required by law.

3. DATA QUALITY

An organisation must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date.

4. DATA SECURITY

An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.

5. OPENNESS

An organisation must set out in a document policies on its management of personal information. The organisation must make the document available to anyone who asks for it. On request, an organisation must let a person know, generally, what sort of personal information it holds, for what purposes, and how it collects, holds, uses and discloses that information.

6. ACCESS AND CORRECTION

If an organisation holds personal information, it must provide an individual with access to that information on request, except where that would be unlawful, pose a threat to the life or health of the individual or would impact on the privacy of another individual. It must also take reasonable steps to correct the information if the person can establish it is not accurate.

7. IDENTIFIERS

An organisation must not adopt as its own identifier of an individual an identifier assigned by a government agency (a name or Australian Business Number excluded).

8. ANONYMITY

Wherever possible, individuals must have the option of not identifying themselves when entering transactions with an organisation.

9. TRANSBORDER DATA FLOWS

An organisation in Australia can transfer information about an individual to someone in a foreign country only if the recipient is subject to a law or scheme similar to the National Privacy Principles, the individual consents, or the transfer is necessary for the performance of a contract involving the individual.

10. SENSITIVE INFORMATION

An organisation must not collect sensitive information about an individual unless the individual has consented or the collection is required by law or the collection is necessary to prevent or lessen a serious threat to the life or health of an individual.

Other federal legislation with privacy provisions includes the Telecommunications Act 1997, the National Health Act 1953, the Data Matching Program Act 1990 and the Crimes Act 1914. The federal Privacy Commissioner has some functions under these acts.

SOURCE: OFFICE OF THE PRIVACY COMMISSIONER
