Privacy Commissioner speech on what’s ahead in 2012

December 16, 2011

The Privacy Commissioner has posted his presentation to the iappANZ summit on 30 November 2011. It is found here.

The speech, as it relates to privacy, provides:

Firstly, I will read you a quote about community perceptions of privacy.  As I am reading it, I would like you to see if you can work out when you think this quote was written.

“Recent inventions and business methods call attention to the next step which must be taken for the protection of the person….photographs and newspaper enterprises have invaded the sacred precincts of private and domestic life, and numerous mechanical devices threaten to make good the prediction that what is whispered in the closet shall be proclaimed from the house tops.”

Given recent media reporting of the impact of new technologies on people’s privacy, and incidents like the News of the World phone hacking scandal, you could be forgiven for thinking that this quote is contemporary.

You may be surprised to learn that it is actually from the late 19th Century.  These words were written by Samuel D Warren and Louis D Brandeis (who later became a US Supreme Court judge), and show the impact of the emergence of new technologies, such as instantaneous photographs, and the rise of the newspaper enterprise on people’s privacy.

They also quoted Justice Cooley, who a few years previously had pioneered the idea of a right to privacy – a right to be “let alone”.

Jumping nearly 80 years later from Warren and Brandeis and across the Pacific to Australia, in 1969 Sir Zelman Cowen, an eminent Australian jurist and scholar, delivered six lectures entitled The Private Man – as part of the ABC’s annual Boyer lecture series in which he observed that:

“… A man without privacy is a man without dignity; the fear that Big Brother is watching and listening threatens the freedom of the individual no less than the prison bars.”

Privacy – a human right

In the late 1970s and 80s,  Australia made a conscious decision to consider the legal standing of privacy as a party to the International Covenant on Civil and Political Rights, of which Article 17 states:

No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.

and

Everyone has the right to the protection of the law against such interference or attacks.

This recognition of privacy as a human right and deserving of the protection of law is one of the reasons why we have the Privacy Act.

Privacy in a changing world

As you can see, for many years, community concerns about privacy have kept pace with emerging technologies.

More recently, however, some have proclaimed that “Privacy is dead!” as people embrace new information-sharing technologies with abandon.

Does the unprecedented take up of social networking sites indicate that privacy is no longer a matter of concern for the community?

From my experience as Australian Privacy Commissioner, I can say definitively that Australians do care about their privacy. This has been shown by the results of the Community Attitudes to Privacy survey, which the Office has run in previous years and will be running again in 2012.

While it is true that many people are sharing a great deal more information about themselves online, it is also true that there is a growing awareness that in a world of mass databases and online data storage, data breaches are possible on a larger scale than ever before.

In fact, I would argue that in a rapidly changing world, community concern about privacy protection is a determined constant.

For example, in Australia:

  • Our media devotes more column inches to privacy related stories now than at any time in recent memory.
  • More people are coming to the OAIC to complain about alleged interferences with their privacy than for many years.
  • And more and more, we are hearing calls for our privacy laws to be strengthened.

At the same time the Australian Government is seeking to respond to the challenges posed by technological change and increasing community concern about privacy.

The Australian Government is canvassing a range of possible privacy law reforms, including the introduction of mandatory data breach notification and a statutory cause of action for serious invasion of privacy.  The Government has also signaled that it intends to strengthen the powers of the Privacy Commissioner.

This is why I am here to speak to you today.

Privacy law reform

In 2006, almost 20 years after the Privacy Act was introduced, the Government asked the Australian Law Reform Commission (ALRC) to conduct an inquiry into how well Australia’s privacy framework was functioning.

In 2008, after significant public consultation, the ALRC concluded its inquiry with the release of its report, For Your Information: Australian Privacy Law and Practice, with 295 recommendations for reforms to the Commonwealth privacy regime.

In its consultations, the ALRC found that Australians care about privacy.  They want a simple, workable system that provides effective solutions and protections.  Australians also want the considerable benefits of the information age, such as shopping and banking online, and communicating instantaneously with friends and family around the world.

While the ALRC report concluded that the Privacy Act had worked well, it called for refinements to bring it up to date.  These included:

    • a new set of harmonised privacy principles to cover both the public and private sector
    • provisions introducing comprehensive credit reporting to improve individual credit assessments and supplement responsible lending practices
    • provisions relating to the protection of health information
    • a review of the exemptions to the Act
    • mandatory data breach notification
    • a statutory cause of action for a serious invasion of privacy.

Given the significant size of the ALRC’s report, the Australian Government decided to respond in a two-stage process.  It released its first stage response to 197 of the 295 recommendations contained in the Report in October last year, and is in the process of implementing these changes.  These include the harmonised set of privacy principles, credit reporting and strengthening and clarifying the Commissioners’ powers and functions.

Many of you have probably heard me speak about these areas on a number of occasions in the past.  Because of this, I would like to discuss two of the recommendations that were to be considered in the second stage of the Government’s response – data breach notification and a statutory cause of action.

Current law and data breach notification

There have been several significant data breaches covered by the media in recent times – among them Google Street View, Telstra, Vodafone, Dell, Epsilon and Sony – many of them notable because of the large numbers of people affected and the sensitivity of the information disclosed.

In the last financial year, organisations and agencies came to us on 56 occasions to let us know that they had been subject to a data breach.  This is called ‘data breach notification’, or DBN.  This was an increase from 44 in the previous year.  We also initiated 59 own motion investigations – and it is highly likely that among these are matters that should well have been DBNs.

These cases provide not only an insight into how companies are using our personal information, but also how data breaches can occur.

While the Privacy Act does not impose an obligation on organisations to notify individuals whose personal information has been compromised, the Act does require that agencies and organisations take reasonable steps to maintain the security of the personal information they hold. Failure to do so constitutes a breach under our current laws.

Despite the current absence of a legal requirement for DBN, it is my view that notification should be considered as a matter of course in any situation where a data breach has the potential to harm individuals whose information has been disclosed.

Support for DBN was not, however, unanimous during the ALRC’s consultation process.

For example, some stakeholders argued that there was simply no need for a data breach notification requirement and that there are sufficient ‘commercial incentives’ for organisations to secure data.

In response to these claims, the ALRC emphasised that the provisions are not aimed at ‘punishing’ bodies when a breach occurs.

Rather, the rationale for DBN laws is that notifying people that their personal information has been breached can help to minimise the damage caused by the breach.

Notification acknowledges the fact that a data breach potentially can expose an individual to a serious risk of harm.

By arming individuals with the necessary information, they have the opportunity, for example, ‘to monitor their accounts, take preventative measures such as new accounts, and be ready to correct any damage done’.

I would argue that in many cases, there is serious potential for harm as a result of data breach, and prompt notification of a breach after it has occurred may prevent further harm from occurring.

Importantly, as we have seen with recent DBNs, notification also plays a role in keeping the community informed of the privacy practices of organisations.

Prompt notification is an important way of reducing the harm that data breach can cause to individuals.

It protects an individual’s personal information from any further exposure or misuse, and encourages organisations to be transparent about their information-handling practices.

Before I discuss a data breach that could have been better handled, I will give you some background about the OAIC’s approach to privacy enforcement and proposals to strengthen our enforcement powers.

Commissioner’s powers

Under the current Privacy Act, we are unable to impose a sanction on an organisation when we have initiated an investigation on our own motion, without a complainant.  Our role is to work with the organisation to ensure ongoing compliance and better privacy practice.

The Government has not yet released exposure draft legislation in this area, but it has stated that it intends to make amendments so that the Commissioner can:

  • make an enforceable determination on an own motion investigation
  • accept undertakings from agencies or organisations and, if necessary, enforce those (through a court).

The Government has also agreed in principle to the Commissioner being able to seek (through a court) a civil penalty for serious or repeated privacy breaches.

Additional powers will provide added credibility for enforcement of privacy law, reinforce the significance of privacy compliance, and give departments and agencies an even greater incentive to take their privacy responsibilities seriously.

Overseas experience has indicated that regulators with the power to pursue large penalties will often do so.  The United States is perhaps the best example of this.  One of the most notorious data breaches in the US has been the disclosure by ChoicePoint, a large identification and credential verification organisation, of sensitive information it had collected on 145,000 individuals.  In this case, a Federal Trade Commission investigation led to the imposition of a $15 million fine.

As it stands, the Privacy Act only gives me the power to make determinations on complaints we receive from individuals.  In these complaints, we usually adopt a conciliation-focused approach.

However, I should let you know that for particularly serious privacy breaches, or where conciliation is not appropriate, we are prepared to use our power to make determinations directing how complaints should be resolved.  Our determinations are enforceable in the Federal Court.

I recently held a hearing and will soon be issuing the first determination under section 52 of the Privacy Act in seven years.  The determination arises from a complaint by an individual against a private sector organisation.  I hope to make the determination and publicly release my findings within the next week.

Recently the OAIC has been changing the way it handles particularly serious or high profile complaints.

We have started to publish investigation reports to increase transparency in our investigation process and to help organisations and agencies to better understand their privacy responsibilities.

There are now three investigation reports available on our website that provide information about investigations into incidents involving Vodafone, Telstra and Sony.

Sony PlayStation Network incident

The most recent report we published was the report about the Sony PlayStation Network investigation, which concluded in September.

We opened this investigation in April after a media report stated that an unauthorised person accessed personal information of approximately 77 million customers of the Sony PlayStation Network, including customers in Australia.

It was alleged that individuals’ names, addresses and other personal data potentially including credit card details had been compromised by the incident.

Our investigation looked at Sony’s data security practices.

We concluded that Sony had not breached the Privacy Act when it fell victim to a cyber-attack because it had taken reasonable steps to protect its customers’ personal information, including encrypting credit card information and ensuring that appropriate physical, network and communication security measures were in place.

However, while I found no breach of the Privacy Act by Sony, I was concerned about the time that elapsed – seven days – between Sony becoming aware of the incident and notifying customers and the OAIC.

Immediate or early notification that financial details have been compromised can limit or prevent financial loss for individuals, by enabling them to re-establish the integrity of their personal information.

Evidence shows it can be very difficult for individuals to re-establish the authenticity of their identity when their personal information has been stolen and used fraudulently.

I raised this concern publicly, both in a media release and in my investigation report, by stating that I would have liked to have seen Sony act more swiftly to let its customers know about this incident.

While there is no requirement in Australian law for organisations to notify individuals or the OAIC of a data breach, I strongly recommended that Sony reviews how it applies the OAIC’s Guide to handling personal information security breaches.

If ever your organisation finds itself in the same position as Sony, I strongly encourage you to review the OAIC guidance material on data breaches, and if appropriate, to notify individuals or the OAIC of the breach.

Statutory cause of action

The final matter that I would like to discuss today is the ALRC’s recommendation that there be a statutory cause of action for serious invasion of privacy.

This recommendation was originally scheduled to be considered in the second stage of the Government’s response to the ALRC report, but the Government decided to bring forward its consideration of this issue.

The ALRC’s proposed statutory cause of action would be applicable in situations where there was a serious invasion of privacy and where there was a reasonable expectation of privacy.

The ALRC also proposed that the court should take into account whether the public interest in maintaining the claimant’s privacy outweighs other matters of public interest or public concern and the public interest in allowing freedom of expression.

A few months ago, the Australian Government released an Issues Paper seeking submissions on a statutory cause of action.

The consultation period closed on 18 November, and the OAIC made a submission that is available on our website if you would like to read it.

In our submission, we acknowledged that a statutory cause of action for invasion of privacy may complement the Privacy Act reforms that are underway by addressing areas that are not the subject of the current privacy law reform process, including the acts and practices of individuals.

However, we believe it is critical that any cause of action is formulated in a way that recognises that the right to privacy is not absolute: it must be balanced against competing rights including the right to freedom of expression.

One of our concerns with the ALRC proposal is that a cause of action through the courts may pose access to justice issues and therefore deliver limited benefits.

We suggest that consideration be given to a proposal whereby an individual alleging a privacy invasion initially complains to the OAIC under a model similar to that currently used for complaints of privacy interference in breach of the Privacy Act.

An option to proceed to court could be available in limited circumstances, such as permitting the OAIC to refer a question of law to the Federal Court for guidance.

This option would also allow a party to commence court proceedings where the OAIC declines to make a determination following an unsuccessful conciliation.

Given the OAIC’s current role in privacy regulation and complaints, consideration should be given to creating intervener and amicus curiae roles for the Australian Information Commissioner in relation to privacy invasion actions in the courts.

This would mean that if the Court gave special leave to do so, the Commissioners could act as “friends to the court” who assist the court on points of law in a particular case.

We look forward to seeing other responses to the Issues Paper, and seeing the Government’s response, in due course.

It is likely that privacy issues will continue to feature prominently in news headlines as the statutory cause of action is discussed.

The media response to the Issues Paper has been mixed.  For example, some recent newspaper articles have raised concerns that a statutory cause of action could impact upon free speech.

I would just like to repeat that privacy rights are not absolute – as I mentioned earlier, they must be balanced against other important rights and ideals, one of which is freedom of expression.

It is very important that Australia has an independent and active media, and that Australians continue to enjoy freedom of expression.  Any changes to the law will need to strike a balance between privacy and freedom of expression.

Through the issues paper and the submissions it receives, I am confident that the Government will ensure that the views of the media and the wider community are heard as these reforms progress.

So what’s ahead for privacy in 2012?

As you can see, there has been a great deal of activity in the privacy sphere during 2011. So how will the privacy landscape look in 2012?

In the year ahead, as the Australian Government’s privacy law reforms progress, we may see further debate over how Australia’s privacy framework should develop.  We may also see further discussion of a statutory cause of action for serious invasion of privacy, following on from the recent Issues Paper.  We will also be conducting the Community Attitudes to Privacy Survey to take stock of Australians’ perceptions of privacy, building on research we have conducted in previous years.

As I mentioned earlier, we have also changed the approach we take to high profile matters, and are now publishing investigation reports on serious or high profile investigations, and we are prepared to use our determination power.

I would encourage you to be prepared for the possibility of stronger powers for the Commissioners, possibly including the ability to accept enforceable undertakings and to impose civil penalties, as well as greater use of the Commissioners’ existing determinations power.

In this environment, I would encourage you all to review your business practices to make sure that they continue to be relevant as the privacy landscape evolves.

As technology rapidly evolves, and vast amounts of data are transported instantaneously across jurisdictions, it is likely that privacy protection will continue to be a matter of community concern in Australia and around the world.

Whether it’s the development of instantaneous photographs, as was the case in the 1890s, or the emergence of social networking sites, cloud computing and new technologies enabling the transfer and storage of masses of personal information, or even new technologies that we haven’t yet contemplated, individuals will continue to care about their privacy and their right to be let alone.

This is why privacy is a human right, protected by the International Covenant on Civil and Political Rights.

Ultimately, privacy is about what we think, what we believe and value, what we want and what we want to do … basically, who we are – it is the detail of what makes us unique.

It is also about having the greatest ability to control who gets to know these things about us.

But it can’t be an absolute in the society in which we live – and in that sense, privacy law reform is about trying to find the balance.

Observations

This speech and recent developments signal a change of approach by the Privacy Commissioner to complaints and breaches.  The Determination in “D”, previously blogged here, the first in almost 8 years, is significant in itself.  The Commissioner’s decision to make his reports more transparent is more than welcome.  It is long overdue.  To describe the previous determinations, reports and general information coming from the Privacy Commissioner as opaque makes the meaning of the word, well, opaque.  No solid reason is given for this change of approach but perhaps the fairly regular criticism by privacy professionals in the past, the heightened interest in the subject and the likely new powers and responsibilities made a new approach necessary, not just desirable.  Giving the Privacy Commissioner powers to enforce privacy breaches means more transparency is required.

The Commissioner’s comments on a statutory right to privacy are in line with the submissions.  The Commissioner prefers to act as a gatekeeper, dealing with all complaints and resolving them if possible.  If the Privacy Commissioner fails to resolve a complaint then a party could commence proceedings.  This is broadly similar to parties having to undergo compulsory mediation before the Small Business Commissioner in retail tenancy disputes. If not resolved, the SBC gives a certificate and the parties can issue in the Victorian Civil and Administrative Tribunal.  It is a system that has its advantages and disadvantages, but generally functions quite well.  The problem with the Commissioner’s approach is that he has a particular approach to privacy issues which is in many ways inconsistent with a person having a right to privacy.  Whereas the SBC merely acts as a mediator, the Commissioner adopts a more regulatory and administrative approach to privacy breaches.  That is inconsistent with mediation prior to litigation.

The Commissioner’s proposal to have a right as intervener in cases in an amicus curiae capacity has little to recommend it.  The Commissioner envisages his role to assist the court on points of law in particular cases.  This presupposes the Commissioner having particular expertise that the courts would find useful in their deliberations.  While the Commissioner is practised in the operations of the Privacy Act and has been exposed to many different fact situations, whether that knowledge would provide an insight into the application of a tort is another thing.  The approach taken by the Privacy Commissioner is likely to be very different to that of the court in testing the evidence and considering the elements of a tort.  Confusion is the likely outcome.  The Commissioner’s focus on privacy not being absolute, hardly an issue of controversy, and on the need to balance privacy and freedom of speech may differ from the court’s consideration of the elements – that there was a reasonable expectation of privacy, that the act was a breach (by whatever configuration, e.g. highly offensive to a person of ordinary sensibilities) – and then of the defences, which may, or may not, involve issues of freedom of expression under whichever formulation the act provides.  There is a subtle but important difference between the approaches.

The Privacy Commissioner should have a right to commence an action under a statutory right of privacy, much as the ACCC can bring actions for misleading and deceptive conduct in the Consumer law field or ASIC can bring actions against directors under the Corporations Act.  Properly deployed, this should be a strong and effective way of deterring privacy breaches and setting down strong policy messages.  The Privacy Commissioner should also have the discretion to bring an action on behalf of a party where costs preclude that party from bringing an action himself or herself.  This may obviate the costs barriers that the Commissioner refers to and which concern him.  There should also be scope for pre-litigation mediation before the Commissioner, but only where the parties both agree.  That should not be a gatekeeping role for the Commissioner but would give him a role in alternate dispute resolution, as a mediator, not a regulator or administrator (that is, keeping his philosophy in his other suit).

There was an interesting exchange between the Australian Privacy Foundation and the Privacy Commissioner arising out of a conference held by the Office of the Information Commissioner in November.  Both items of correspondence are set out in the APF site:

The APF letter, dated 20 November:

Dear John and Timothy
Congratulations on an interesting and well organised conference last week, which I attended on behalf of the Australian Privacy Foundation (APF). The event successfully advanced two of the three OAIC functions – freedom of information/open government and government information policy, which was clearly the declared objective, encapsulated in the title of the conference – Public Sector Information – A National Resource.
I would however like to raise a concern which I would have put to you in the OAIC update session had there been time for questions. It is the same concern as APF and others raised in the meeting between yourselves and NGO representatives last year, and in representations on the OAIC legislation.
As you know, there is a view, which we share, that the ‘new’ government information policy function is not appropriate for an independent rights/watchdog body, and sits particularly uneasily alongside the privacy functions. While there are clearly strong public interests in sharing and re-use of government information, these are essentially part of an Executive Government agenda. They often conflict directly with some of the fundamental information privacy principles expressed not only in the existing IPPs and NPPs, but also in the proposed APPs. These principles include data minimisation, limitation of use to the primary purpose of collection, and strictly limited retention – all of which are clearly in tension with the promotion of data sharing and re-use.
We have suggested that the inherent tension between these two functions can be addressed by a clear affirmation by OAIC that for personal information, the otherwise admirable default presumption of openness should be reversed. OAIC guidance should clearly indicate that where government agencies hold personal information (other than about public officials in the course of their duties), the starting point should be limited use and disclosure, with secondary uses, release and sharing needing to be justified in accordance with one of the many relevant exceptions provided in the Privacy Act for other private and public interests. It is disappointing not only that this message did not clearly emerge from the conference, but also that it is absent from much of the guidance material emanating from OAIC since its inception.
In too many of the OAIC publications, privacy is mentioned only as a secondary constraint or factor, and often only in the limited context of disclosure, rather than reflecting the full ‘information life cycle’ scope of privacy principles. Choice of expression can be significant – the new Issues Paper launched at the conference talks of ‘protecting personal information’ (Limits to openness, page 6). This runs the risk of reinforcing the still common misconception that privacy is only about non-disclosure, security and confidentiality. Protection of privacy, under information privacy laws both in Australia and overseas, is not synonymous with protection of personal information, as many of the principles deal with threshold issues including collection limitation, data minimisation, and proportionality. APF will separately make a submission on Issues Paper No 2, but these comments will give you advance notice of at least one issue we will be raising.
In retrospect, we should have raised these concerns more vigorously in the context of the Principles on open public sector information issued by OAIC earlier this year. This clearly laid the foundation for the unfortunate promotion of an overriding presumption of openness as the default position even for personal information, with ‘protection … against inappropriate or unauthorised use, access or disclosure’ relegated to only one of nine ‘asset management’ requirements.
You will gather from the above that the APF fears that our concerns about the risks to privacy protection in the new regulatory framework are being borne out in practice.
It may be that a strong privacy message has been an unintended casualty of the understandable enthusiasm of the new office for its new functions.
We seek your re-assurance that there is no deliberate playing down of the importance of the full range of privacy principles, including collection limitation, data minimisation, and proportionality, and their necessary limiting role in relation to data sharing and re-use.
A related matter is the public presentation or ‘branding’ of the privacy function. As we have said before, there is a risk that 20+ years of hard won, but still limited, public recognition of the Privacy Commissioner as the official responsible for privacy protection in Australia (re-inforced more recently in NSW, Victoria and Queensland) will be wasted if OAIC (and its State counterparts) move towards promoting the Information Commission(er) as the privacy ‘watchdog’. We recognise that the legislation requires this to be the official position at least in some contexts, but it is entirely within your discretion to maintain the Privacy Commissioner brand in public communications, thereby building on the efforts of previous Commissioners. We urge you to do so.
On a separate point, it was also disappointing that you did not expressly recognise civil society as stakeholders. On two occasions you mentioned agencies, academic and the private sector as stakeholders represented at the conference. While there may have been few NGO representatives attending, it would have been re-assuring to hear that OAIC recognises the importance of engagement with civil society. In recent years in the privacy sphere, the various international fora (OECD, Council of Europe, APEC and the International Commissioners’ Conference) have expressly provided for civil society input – in some cases through formal structures (e.g. the OECD CSISAC, and the annual Public Voice event preceding the Commissioners’ Conference).
Privacy regulators at these events have expressly acknowledged the contribution of civil society to better policy development and improved outcomes. In the context of the open government function and objective, there is arguably an even wider range of civil society organisations with a direct interest than in the privacy sphere. Express public recognition of civil society as stakeholders may seem a small thing but would, I suggest, engender greater confidence that OAIC has a balanced approach to consultation and input. In this respect we also look forward to resumption of regular meetings with privacy and consumer NGOs on privacy matters.

And the response dated 2 December:

Thank you for your letter of 20 November 2011, and for your sentiments about the success of the Information Policy Conference hosted by the Office of the Australian Information Commissioner (OAIC). Though we do not agree with most of the concerns you express about the importance attached to privacy protection since the OAIC was established, we are pleased that you have set out the APF’s concerns so that we can respond to them in writing.
It will be simpler if we respond to the issues in the same order as in your letter.
1.    We disagree that the conference addressed two of the three OAIC functions (information policy and freedom of information) but not the third (privacy). The conference theme, program and speaker faculty were directed to one only of the OAIC’s functions - information policy. Freedom of information was mentioned prominently by the Minister in the opening speech and by the FOI Commissioner in his brief report on the OAIC’s development, but otherwise was mentioned only in passing. Privacy was equally mentioned by many speakers as an important element of information management and policy. It was also addressed through an update on privacy developments delivered by the Privacy Commissioner who specifically noted its place in information policy.
2.    You express the view that ‘the “new” government information policy function is not appropriate for an independent rights/watchdog body’. This was Parliament’s design, but naturally we support it and believe that the wisdom of this step has been demonstrated in the development and work of the OAIC in the first year. We have been struck by the degree of interest in and outside government for the more comprehensive focus that we can bring to information policy issues. The fact that our first information policy conference was ‘sold out’ and attended by close to 300 people is an indication of this interest. We have had similarly strong support for many of the other initiatives that we have commenced over the past year that have addressed all aspects of information management in government. Another exciting element of the new information policy framework is the creation of an independent Information Advisory Committee to provide advice to the OAIC and government on information policy and practice. In short, we feel that Australia is at the forefront in implementing a new approach to information policy rather than going backwards.
3.    We do not understand the view you put that a privacy function sits uneasily with an information policy function. Nor do we agree that there is a direct conflict between an open government/open data program and privacy protection. There are a host of reasons why information should be shared and re-used, and there are equally a host of reasons why certain categories of information should be protected or managed securely. Just as there is a need to protect personal information there is equally a need to protect information relating to national security, law enforcement, business confidentiality, budgetary management and so on. In the Parliament’s view (which we share) the best way of striking an appropriate balance between the competing objectives and tensions is to integrate all aspects of information policy and management in a comprehensive new scheme.
We note with interest a recent comment from the NSW Information Commissioner that ‘We have received an overwhelming response from right to information and privacy practitioners keen to attend our “Overlap between information access and privacy rights” seminar on 15 December 2011. The seminar was fully subscribed within 40 minutes of the invitation being issued.’ That example confirms our broader experience that the integration of open government policy and privacy protection is a welcome step that has accentuated rather than marginalised the importance of privacy issues.
It follows that we disagree with your suggestion that the OAIC should affirm ‘that for personal information, the otherwise admirable default presumption of openness should be reversed’. That would contradict the larger message we have sought to convey that there is a need to identify that information management is a complex and important task in which an appropriate balance has to be struck between a range of different principles and practical considerations. Nor does your suggestion sit easily with the legislative framework for information management that sets out the criteria that the OAIC must apply. We refer, for example, to the objects clause in the Freedom of Information Act 1982 ss 3, 3A; to the personal privacy exemption in the FOI Act (s 47F) which provides that personal information is exempt only if it would be an ‘unreasonable disclosure’ and would be contrary to the public interest; to the requirement in the Privacy Act 1988 s 29 that the OAIC ‘have due regard for … societal interests that compete with privacy, including the general desirability of a free flow of information … and the recognition of the right of government and business to achieve their objectives in an efficient way’; and to the detailed requirements of the Information Privacy Principles and National Privacy Principles as to how personal information should be managed.
We reject your assessment that OAIC publications tend to mention privacy only as a secondary constraint or factor and do not reflect ‘the full “information life cycle” scope of privacy principles’. It is true that some publications make only a brief reference to protecting personal information and do not elaborate on the other points you mention (such as secondary uses, collection limitation, data minimisation and proportionality). In the same vein, most of our publications contain only a brief summary of other relevant and crucial considerations, such as national security, archival retention, IT security and administrative efficiency. The depth of analysis is a style and presentation issue, not a prioritisation issue. We feel that this is clear upon a fair reading of our publications. OAIC publications that are specifically focussed on privacy issues appropriately go into the topic in greater depth.
6.    You believe that ‘a strong privacy message has been an unintended casualty’ of the new information policy scheme; you seek the OAIC’s ‘reassurance that there is no deliberate playing down of the full importance of privacy principles’; and you urge that we ‘maintain the Privacy Commissioner brand in public communications’. We reject this premise. The privacy promotion role of the former Office of the Privacy Commissioner has continued unabated in the OAIC. This is clear from the annual report, public submissions to government, and media and other statements reported on the OAIC website. It should be apparent to anyone following the work of the OAIC that each of the three Commissioners has a distinct public profile. Indeed, the media has reported statements by the Privacy Commissioner far more numerously than statements by the other two Commissioners.
7.    We were surprised at your comment that we have not ‘expressly recognised civil society as stakeholders’. It is true that we have not used the term ‘civil society’. It is a term that has less currency in Australia than in some other countries. But on numerous occasions and frequently in publications we speak about ‘the community’, ‘the public’, ‘non-government organisations’ and specific groups such as academics, the media and business. Again, we think a fair analysis of our work will show that we have emphasised the importance of engagement and consultation between government and external stakeholders, and have ourselves respected that principle. Indeed, in defining open government we have made the point that ‘civic engagement and collaboration’ is a third theme along with ‘public access to government held information upon request’ and ‘open data through proactive publication of public sector information’.
We are happy to follow up on the suggestion at the end of your letter to hold further discussions about your concerns. We have no objection to this reply being posted on the APF website if you wish to follow that practice on this occasion.

 
