Privacy Aware Spring 2009
Vol 8 No 3 Spring 2009

• Response to ALRC Privacy Recommendations
• Portable Storage Devices policy development guide released
• New Zealand Privacy in Schools Guide
• Children, Young People and Privacy Conference 2010
• Privacy, Myspace, Youtube and Facebook: Can the Law Cope?

Outsourcing – Who Looks After Privacy?
Helen Versey, Privacy Commissioner

When the Information Privacy Act was drafted it was recognised that government is outsourcing its functions more and more. Therefore the Act made provisions to ensure that individuals are not disadvantaged by an organisation which outsources to a contracted service provider. This means that, unless an organisation has entered into certain binding contractual arrangements with its contracted service provider, it will be liable for any breach of the Information Privacy Principles (IPPs) by the service provider.

I am aware that many public sector agencies include a clause in their contracts seeking to bind service providers to the IPPs and thus pass on liability to them. However, there can be problems with this approach, especially with organisations that ‘wash their hands’ of the actions of the service providers.

Some outsourcing organisations provide personal information that they have collected to the service providers. While the disclosure is almost certainly for the primary purpose of collection, are the individuals given notice that their information was to be disclosed in this manner?

It is also worth reflecting on IPP4 which requires an organisation to take reasonable steps to protect the personal information it holds from misuse, loss, unauthorised access, modification or disclosure. It may not be enough to simply make the service provider liable if there is a data security breach. A better approach is to be satisfied that the service provider has proper systems in place to protect the information. This may include assisting the service provider to understand the obligations that they are signing up to by providing guidance to them.

Access by individuals to their own information held by a service provider is a recurrent issue. Organisations that have outsourced services often simply pass on a Freedom of Information (FoI) request to a service provider who, if from the private sector, invariably responds by stating they are not subject to FoI and therefore refuse the application. However organisations not subject to FoI, but bound to comply with the IPPs by contract, are subject to IPP 6 which gives similar rights to individuals to access and correct their own information. A better practice is to deal with potential access applications through the contract, and to assist service providers, especially small agencies with limited resources, to respond appropriately to such an application.

Increasingly, outsourcing is to organisations outside Victoria. If this is the case, organisations need to remember that to effectively pass liability for a breach, compliance with the IPPs needs to be capable of being enforced. This applies to complaints by individuals under the Act as well as any compliance notice the Privacy Commissioner may decide to serve. If there is no practical means of doing this, then the outsourcing organisation will remain responsible.

Finally – if I receive a complaint and the outsourcer and provider are unable to agree if there is a binding contract, it is not the responsibility of the complainant or this Office to unravel the contractual obligations. If there is a doubt about the effectiveness of the contract then the principle that the outsourcing organisation remains responsible will apply. That is what the Act intended – individuals should be able to enforce their rights whatever arrangements government chooses to make.

Response to ALRC Privacy Recommendations
Dr Anthony Bendall, Deputy Commissioner

On 14 October 2009, the Cabinet Secretary and Special Minister of State, the Hon. Senator Joe Ludwig, announced the Australian Government’s first stage of reforms in response to 197 of the Australian Law Reform Commission (ALRC)’s 295 recommendations contained in its August 2008 report For Your Information: Australian Privacy Law and Practice. Of these 197 recommendations: the Government has accepted 141, either in full or in principle; 34 are accepted with qualification; 20 are not accepted; and two recommendations are merely noted.

Among the major reforms are improvements to the structure, clarity and consistency of the Privacy Act 1988 (Cth). The redrafted Privacy Act will include an objects clause to guide interpretation, compliance and the exercise of powers and functions. Definitions will also be clarified and brought up-to-date.

continued on Page 2

Portable Storage Devices Policy Development Guide Released
Jon Armstrong, Technology Director

Privacy Victoria has released Use of Portable Storage Devices: a guide to policy development. PSDs such as USB keys are extremely useful devices in the workplace, but present organisations with a major security risk that needs to be addressed.

In the Summer 2008-09 edition of Privacy Aware, the Privacy Commissioner discussed the nature of the privacy and security risks surrounding the use of PSDs (‘From little things big things grow’). This article was a means of announcing the release of Use of Portable Storage Devices - Privacy Survey, a major undertaking to assess the preparedness of Victorian public sector organisations for the inherent risks associated with uncontrolled use of PSDs. The survey report found that organisations were not sufficiently prepared, whether through technical or policy controls.

The Commissioner concluded by promising to produce a checklist to assist organisations to develop tailored policies and procedures to protect their IT environments. In the end, we decided to go further, with the checklist forming part of a broader PSD policy development guide. The guide includes the following elements:

• SCOPE: organisations need to understand their risk management profile, in order to determine the level of controls to introduce. Existing policies and legal obligations, user types, policy audience and the role of service providers all fall under this initial analysis.
• TECHNICAL CONTROLS: where technical controls have been employed to protect against PSD misuse, policies need to incorporate sufficient information about these controls in order that users will understand the limitations automatically imposed on them.
• POLICY FRAMEWORK: the policy itself should incorporate a number of topics such as distinctions between corporate and personal PSD use; remote use; encryption; and enforcement. Where no technical controls are in place the policy will be the only means of protecting against PSD misuse, and must therefore be written in a way that is meaningful to all users.
• GOVERNANCE: policies are only effective if taken seriously by senior management; regularly reviewed; and impose consistent standards on associated organisations such as service providers.

While the guide provides an approach to policy development that is aimed at Portable Storage Devices, the methodology can translate to other areas of technology use within organisations. And perhaps beyond technology, to other privacy risks. Privacy Victoria is contemplating releasing other policy development guides in future, where prevailing issues suggest it would be appropriate. The guide can be downloaded at www.privacy.vic.gov.

ALRC Privacy Recommendations
continued from Page 1

A Single Set of Privacy Principles

The reformed Privacy Act will also include a single set of privacy principles to protect personal information held by both Australian Government agencies and private sector organisations. This streamlined single set of privacy principles will replace the existing Information Privacy Principles (IPPs), which only apply to agencies and the National Privacy Principles (NPPs) which only apply to some private sector organisations.

The single set of privacy principles will be structured in a way which better reflects the information life cycle. The principles will deal with anonymity and pseudonymity, openness (privacy policies and practices), collection, notification, use and disclosure, data quality and security and access to and correction of personal information. The principles will also contain specific requirements for matters such as use and disclosure for direct marketing, handling of government identifiers, cross border data-flows (outside of Australia), health and credit reporting information (including, for the first time, limited positive credit reporting).

Following the introduction of a unified set of privacy principles at the national level, the Australian Government will work with States and Territories, including Victoria, with the ultimate aim being a consistent set of privacy standards for Commonwealth, State and Territory public sectors and the private sector. Additional national consistency issues are among the matters to be considered in the Government’s second stage response.

The Government response also sets out a range of additional powers and functions for the Australian Privacy Commissioner to investigate and resolve complaints and to promote and enforce compliance. This will include new powers to:

• Require agencies (initially, not private sector organisations) to conduct privacy impact assessments where appropriate;
• Undertake ‘privacy performance assessments’ (i.e. audits) of private sector organisations’ activities (this augments an existing audit power over the public sector);
• Handle complaints and gather information more effectively, compel appearances or production of documents and accept enforceable undertakings; and
• Seek civil penalties for serious or repeated breaches of the Privacy Act.

As previously announced, the Australian Privacy Commissioner will be part of the new Office of the Information Commissioner, wherein the Privacy Commissioner and the FOI Commissioner will operate under the leadership of the Information Commissioner, who will be the agency’s CEO.

The Australian Government has indicated that it is preparing exposure draft legislation to implement the announced changes. The exposure draft will be released in early 2010 for further consultation.

The second stage of the Government’s response will consider the remaining 98 recommendations of the ALRC. These include the most contentious issues, including:

• The removal of exemptions for ‘small’ businesses and private sector employee records;
• The introduction of a statutory cause of action for serious invasion of privacy; and
• Mandatory serious data breach notifications.

New Zealand Privacy in Schools Guide

Photo: David Taylor

The New Zealand Privacy Commissioner has released a guide to the New Zealand Privacy Act for principals, teachers and boards of trustees. The book, Privacy in Schools, was written by Kathryn Dalziel, author of a 1995 book called The Privacy Act for Schools.

The 2009 book updates that guide, recognising that “in 2009, mobile technologies and the use of the internet (both by students and in the classroom) have created new challenges for privacy protection. In addition there are new systems for managing student enrolment, health records, and immunisation programmes.”

Education and Privacy: two fundamental aspects of human development and human dignity.

In the Foreword to the book, Ms Dalziel writes “Schools rely on information about people. The moment a school collects information about a student, or a student’s family, there may be issues about the way the information is collected, how it is stored, how it is used and how it is disclosed. Good information handling is a foundation stone of the trust that needs to exist between everyone who participates in the life of the school. Of course most schools are attuned to the needs of their students, their family or caregivers, and their staff, so handling information well usually comes naturally to them. But, as with all personal relationships, situations can arise where finding the ‘right’ answer is not so straightforward.”

The book can be accessed at www.privacy.org.nz.

Children, Young People and Privacy Conference 2010

Privacy Victoria has released a Call for Papers for a national one-day conference on Children, young people and privacy to be held in Melbourne on 21 May 2010.

Before the information technology revolution, privacy protection was in many ways a part of everyday life. Public registers were leather bound books located in municipal offices and kept under the careful gaze of their keepers, telephones were fixed and not mobile and communication between friends, lovers, schools, employers and marketers was via handwritten or typed letters protected by the Post and Telegraph Act. The only mention of ‘Big Brother’ was in George Orwell’s 1984 and the only reality TV was the broadcast of major sporting events. Social networking was a dance, a party or ‘drinks down the pub’.

But today things are vastly different. Privacy laws grant people privacy rights but when are children and young people capable of applying these rights to themselves? In Victoria there is no legal age at which a child has privacy rights, and some children are more mature than others of the same age. Most parents want to know everything about their children, while some parents think their teenagers live in a kind of “twilight zone” keeping everything to themselves, behind closed doors or on password protected computers. How do educators, health professionals and law enforcement officials, to name a few, know when to ‘draw the privacy line’?

Described as the ‘e-generation’ or ‘digital natives’, children and young people are being born into, growing up in, and have only ever known, a totally connected world. They are surveilled on an unprecedented scale. How does this impact on their lives? Children and young people are prone to risk-taking behaviour, and much of this behaviour now occurs online. How can we help young people protect themselves without first understanding the psychology of risk-taking?

Recent Australian research states that “Children and young people have a high level of awareness of cybersafety risks and the key messages for staying safe online” and yet the same research states that “The tendency toward risky behaviour rises with age.” 1

Conference Issues

• What does privacy mean to children and young people today?
• What does the law say about who can know what about children and young people?
• What is the impact of the surveillance society on them?
• What are the potential risks to their personal information, their health, their security and even their lives, from the use of information technologies?
• What can educators, policy and law makers, parents and even young people themselves do to educate and support children and young people about privacy protection, and empower them to do what they need to protect their privacy?
• Who has what role and how are those roles legitimised and disseminated?

The Children, young people and privacy one day conference aims to explore these and other related issues. Held during Education Week 2010, the conference is sponsored by the Victorian Department of Education and Early Childhood Development. The Call for Papers for the conference can be accessed at www.privacy.vic.gov.au.

1 Click and Connect - Young Australians’ Use of Online Social Media, Australian Communications and Media Authority, July 2009

Privacy, Myspace, Youtube and Facebook: Can the Law Cope?

Photo caption: The Hon Michael Kirby AC CMG delivered the inaugural Privacy Victoria Oration in Melbourne on 1 September 2009

On Tuesday 1 September, the Hon Michael Kirby AC CMG, former Justice of the High Court of Australia and renowned international privacy advocate, delivered the inaugural Privacy Victoria Oration at the Australian Centre for the Moving Image, Federation Square, Melbourne. The first of September is the date that the Victorian Information Privacy Act came into force in 2001.

Mr Kirby’s wide ranging address can be listened to at www.privacy.vic.gov.au. A transcript in text form, without introductory remarks, is also available.

These are excerpts from Mr Kirby’s address:

“Media reports constantly bombard us with stories of privacy issues in the new social networking outlets of the internet. For many of the problems that are presented, the law offers no, or no effective, solution...

The media is full of stories of this kind and those experts who have examined them agree that there is a need to enhance user awareness (often in inexperienced, young and immature persons) of the decisions they make that may affect them seriously, down the track. Quite clearly, the new facilities in cyberspace are fulfilling a huge need that old media and earlier networks did not adequately serve. But somehow the new facilities must be promoted under conditions that assure respect for individual control over personal data and an entitlement, where appropriate, to retrieve information that is false, damaging or presented in a wrong light. Captured images have a measure of permanency which is something that fleeting memories lack. Video voyeurism may simply be a generational shift, but it may be necessary to protect immature users against irrevocable decisions that haunt them for the rest of their lives. Until now, the usual answer given to such complaints is an appeal to the ‘binary’ distinction between public and private space. If it gets into the public space, it is said to be beyond control. Once there, it has become public property. If you put it there, you cannot really complain. Even if you did not put it there, but were in public when the information was captured, you are said to have no legitimate complaint.

I do not pretend that it is easy to safeguard privacy in the current age. But surrendering the endeavour as just too difficult to achieve is not an option. The internet is exciting and overwhelmingly beneficial. It leaps the borders of this world. It binds our species together as never before. It provides an outlet for freedom fighters everywhere. We have seen these features recently in Burma, Iran and many other places. We should be positive and optimistic about the value of the new technology. In any case, the new technology is expanding every day. And in its regulation, Australia is a small player.

... I applaud the role that the Victorian Charter of Rights & Responsibilities plays in also safeguarding privacy and ensuring that law-makers and officials build privacy concerns into the laws and policies of this State. In this respect, Victoria is certainly a leader in Australia. Good citizens know that privacy is an attribute of fundamental human rights and freedoms. It is an assertion that, within limits that are set by law, individuals have an entitlement to protect their personal being, their immediate family and relationships, their individual space and their information penumbra...”

Be Aware

Privacy Aware is published four times a year by the Office of the Victorian Privacy Commissioner. The material in Privacy Aware is intended only to inform. It should not be relied on as legal advice. Material is compressed and simplified for newsletter purposes and should not create expectations about how the Privacy Commissioner may deal with any specific matter in particular circumstances under the Information Privacy Act 2000 (Vic). Privacy Victoria accepts no liability for loss or damage that may be suffered by any person or entity that relies on information in this newsletter.

Copyright held by the Office of the Victorian Privacy Commissioner unless otherwise indicated. Permission to reproduce work of others should be separately sought. One of the purposes of this newsletter is to increase public access to information about privacy. Articles in which the Office of the Victorian Privacy Commissioner holds copyright may be copied for non-commercial use. The material should be used fairly and accurately and Privacy Aware should be acknowledged as the source. The authors of material, where known, should be credited, consistent with moral rights provisions of copyright law.

GPO Box 5057 Melbourne Victoria 3001 Australia
DX 210643 Melbourne
Level 11, 10-16 Queen Street Melbourne Victoria 3000 Australia
Local telephone 1300 666 444
Local fax 1300 666 445
www.privacy.vic.gov.au
firstname.lastname@example.org