; Privacy Aware Spring 2009
Learning Center
Plans & pricing Sign in
Sign Out
Your Federal Quarterly Tax Payments are due April 15th Get Help Now >>

Privacy Aware Spring 2009


Privacy Aware Spring 2009

More Info
  • pg 1
									Vol 8 No 3
Spring 2009

n    Response to
     ALRC Privacy
                                      Outsourcing – Who Looks After Privacy?
     Recommendations                  Helen Versey Privacy Commissioner
                                         When the Information Privacy Act was drafted it           Access by individuals to their own information
n    Portable Storage                 was recognised that government is outsourcing             held by a service provider is a recurrent issue.
                                      its functions more and more. Therefore the Act            Organisations that have outsourced services often
     Devices policy                   made provisions to ensure that individuals are            simply pass on a Freedom of Information (FoI)
     development                      not disadvantaged by an organisation which                request to a service provider who, if from the private
     guide released                   outsources to a contracted service provider. This         sector, invariably responds by stating they are not
                                      means that, unless an organisation has entered            subject to FoI and therefore refuse the application.
                                      into certain binding contractual arrangements with        However organisations not subject to FoI, but bound
n    New Zealand                      its contracted service provider, it will be liable for    to comply with the IPPs by contract, are subject
     Privacy in                       any breach of the Information Privacy Principles          to IPP 6 which gives similar rights to individuals to
                                      (IPPs) by the service provider.                           access and correct their own information. A better
     Schools Guide                       I am aware that many public sector agencies            practice is to deal with potential access applications
                                      include a clause in their contracts seeking to bind       through the contract, and to assist service providers,
                                      service providers to the IPPs and thus pass on            especially small agencies with limited resources, to
n    Children,
                                      liability to them. However, there can be problems         respond appropriately to such an application.
     Young People                     with this approach, especially with organisations            Increasingly, outsourcing is to organisations
     and Privacy                      that ‘wash their hands’ of the actions of the service     outside Victoria. If this is the case, organisations
                                      providers.                                                need to remember that to effectively pass liability
     Conference 2010
                                         Some outsourcing organisations provide                 for a breach, compliance with the IPPs needs to
                                      personal information that they have collected to the      be capable of being enforced. This applies to
n    Privacy, Myspace,                service providers. While the disclosure is almost         complaints by individuals under the Act as well as
                                      certainly for the primary purpose of collection, are      any compliance notice the Privacy Commissioner
     Youtube and                      the individuals given notice that their information       may decide to serve. If there is no practical means
     Facebook: Can                    was to be disclosed in this manner?                       of doing this, then the outsourcing organisation will
     the Law Cope?                       It is also worth reflecting on IPP4 which requires     remain responsible.
                                      an organisation to take reasonable steps to protect          Finally – if I receive a complaint and the
                                      the personal information it holds from misuse, loss,      outsourcer and provider are unable to agree if there
                                      unauthorised access, modification or disclosure.          is a binding contract, it is not the responsibility
                                      It may not be enough to simply make the service           of the complainant or this Office to unravel the
                                      provider liable if there is a data security breach. A     contractual obligations. If there is a doubt about the
                                      better approach is to be satisfied that the service       effectiveness of the contract then the principle that
                                      provider has proper systems in place to protect the       the outsourcing organisation remains responsible
                                      information. This may include assisting the service       will apply. That is what the Act intended – individuals
                                      provider to understand the obligations that they are      should be able to enforce their rights whatever
                                      signing up to by providing guidance to them.              arrangements government chooses to make. n              1

Response to ALRC Privacy Recommendations
Dr Anthony Bendall Deputy Commissioner                                                               Among the major reforms are improvements
                                                                                                     to the structure, clarity and consistency of the
On 14 October 2009, the Cabinet Secretary       in its August 2008 report For Your                   Privacy Act 1988 (Cth). The redrafted Privacy
and Special Minister of State, the Hon.         Information: Australian Privacy Law and              Act will include an objects clause to guide
Senator Joe Ludwig, announced the               Practice. Of these 197 recommendations:              interpretation, compliance and the exercise of
Australian Government’s first stage of          the Government has accepted 141 , either             powers and functions. Definitions will also be
reforms in response to 197 of the Australian    in full or in principle; 34 are accepted with        clarified and brought up-to-date.
Law reform Commission (ALRC)’s                  qualification; 20 are not accepted; and
295 recommendations contained                   two recommendations are merely noted.                                            continued on Page 2
                               Portable Storage Devices Policy
                               Development Guide Released
                               Jon Armstrong Technology Director
                               Privacy Victoria       The Commissioner concluded by                         such as distinctions between corporate
                               has released           promising to produce a checklist to                   and personal PSD use; remote use;
                               Use of Portable        assist organisations to develop tailored              encryption; and enforcement. Where no
                               Storage Devices:       policies and procedures to protect their IT           technical controls are in place the policy
                                                                                                            will be the only means of protecting
                               a guide to policy      environments. In the end, we decided to
                                                                                                            against PSD misuse, and must therefore
    development. PSDs such as USB keys are            go further, with the checklist forming part of
                                                                                                            be written in a way that is meaningful to
    extremely useful devices in the workplace,        a broader PSD policy development guide.               all users.
    but present organisations with a major            The guide includes the following elements:
                                                                                                         •	 GOVeRnAnCe: policies are only effective
    security risk that needs to be addressed.         •	 SCOPe: organisations need to understand            if taken seriously by senior management;
                                                         their risk management profile, in order            regularly reviewed; and impose consistent
    In the Summer 2008-09 edition of Privacy
                                                         to determine the level of controls to              standards on associated organisations
    Aware, the Privacy Commissioner                      introduce. existing policies and legal             such as service providers.
    discussed the nature of the privacy and              obligations, user types, policy audience
    security risks surrounding the use of PSDs           and the role of service providers all fall      While the guide provides an approach
    (‘From little things big things grow’). This         under this initial analysis.                    to policy development that is aimed at
    article was a means of announcing the             •	 TeCHnICAL COnTROLS: where technical             Portable Storage Devices, the methodology
    release of Use of Portable Storage Devices           controls have been employed to protect          can translate to other areas of technology
    - Privacy Survey, a major undertaking to             against PSD misuse, policies need to            use within organisations. And perhaps
    assess the preparedness of Victorian public          incorporate sufficient information about        beyond technology, to other privacy risks.
    sector organisations for the inherent risks          these controls in order that users will         Privacy Victoria is contemplating releasing
    associated with uncontrolled use of PSDs.            understand the limitations automatically        other policy development guides in future,
    The survey report found that organisations           imposed on them.                                where prevailing issues suggest it would be
    were not sufficiently prepared, whether           •	 POLICy FRAMeWORk: the policy itself             appropriate. The guide can be downloaded
    through technical or policy controls.                should incorporate a number of topics           at www.privacy.vic.gov. n

    ALRC Privacy Recommendations                                                                                                 continued from Page 1

    A Single Set of Privacy Principles
    The reformed Privacy Act will also include        Following the introduction of a unified set of     •	 Seek civil penalties for serious or repeated
    a single set of privacy principles to             privacy principles at the national level, the         breaches of the Privacy Act.
    protect personal information held by              Australian Government will work with States
    both Australian Government agencies               and Territories, including Victoria, with          As previously announced, the Australian
    and private sector organisations. This            the ultimate aim being a consistent set of         Privacy Commissioner will be part
    streamlined single set of privacy principles      privacy standards for Commonwealth, State          of the new Office of the Information
    will replace the existing Information             and Territory public sectors and the private       Commissioner, wherein the Privacy
    Privacy Principles (IPPs), which only apply       sector. Additional national consistency            Commissioner and the FOI Commissioner
    to agencies and the national Privacy              issues are among the matters to be                 will operate under the leadership of the
    Principles (nPPs) which only apply to some        considered in the Government’s second              Information Commissioner, who will be the
    private sector organisations.                     stage response.                                    agency’s CeO.

    The single set of privacy principles will be      The Government response also sets out a            The Australian Government has indicated
    structured in a way which better reflects         range of additional powers and functions           that it is preparing exposure draft legislation
    the information life cycle. The principles will   for the Australian Privacy Commissioner to         to implement the announced changes. The
    deal with anonymity and pseudonymity,             investigate and resolve complaints and to          exposure draft will be released in early 2010
    openness (privacy policies and practices),        promote and enforce compliance. This will          for further consultation. The second stage
    collection, notification, use and disclosure,     include new powers to:                             of the Government’s response will consider
    data quality and security and access to           •	 Require agencies (initially, not private        the remaining 98 recommendations of the
    and correction of personal information.              sector organisations) to conduct privacy        ALRC. These include the most contentious
    The principles will also contain specific            impact assessments where appropriate;           issues, including:
    requirements for matters such as use and          •	 Undertake ‘privacy performance                  •	 The removal of exemptions for ‘small’
    disclosure for direct marketing, handling of         assessments’ (i.e. audits) of private sector       businesses and private sector employee
    government identifiers, cross border data-           organisations’ activities (this augments an
    flows (outside of Australia), health and credit      existing audit power over the public sector);
    reporting information (including, for the first                                                      •	 The introduction of a statutory cause of
                                                      •	 Handle complaints and gather information
    time, limited positive credit reporting).                                                               action for serious invasion of privacy; and
                                                         more effectively, compel appearances
                                                         or production of documents and accept           •	 Mandatory serious data breach
                                                         enforceable undertakings; and                      notifications. n
Privacy in

                                                                                                                                                     Photo David taylor
The new Zealand Privacy
Commissioner has released a guide

                                         Children, Young People and
to the new Zealand Privacy Act for
principals, teachers and boards
of trustees. The book, Privacy in
Schools, was written by kathryn
Dalziel, author of a 1995 book           Privacy Conference 2010
called The Privacy Act for Schools.      Privacy Victoria has released a Call for            does this impact on their lives? Children
The 2009 book updates that guide,        Papers for a national one-day conference on         and young people are prone to risk-taking
recognising that “in 2009, mobile        Children, young people and privacy to be            behaviour, and much of this behaviour now
technologies and the use of the          held in Melbourne on 21 May 2010.                   occurs online. How can we help young
internet (both by students and in                                                            people protect themselves without first
the classroom) have created new          Before the information technology revolution,       understanding the psychology of risk-taking?
challenges for privacy protection.       privacy protection was in many ways a part
                                         of everyday life. Public registers were leather     Recent Australian research states that
In addition there are new systems
                                         bound books located in municipal offices and        “Children and young people have a high level
for managing student enrolment,
                                         kept under the careful gaze of their keepers,       of awareness of cybersafety risks and the key
health records, and immunisation
                                         telephones were fixed and not mobile and            messages for staying safe online” and yet
                                         communication between friends, lovers,              the same research states that “The tendency
                                         schools, employers and marketers was via            toward risky behaviour rises with age.” 1

     Education and Privacy:              handwritten or typed letters protected by the
                                         Post and Telegraph Act. The only mention of
                                                                                             Conference Issues
   two fundamental aspects               ‘Big Brother’ was in George Orwell’s 1984           •	 What does privacy mean to children and
     of human development                and the only reality TV was the broadcast of           young people today?
         and human dignity.              major sporting events. Social networking was        •	 What does the law say about who can know
                                         a dance, a party or ‘drinks down the pub’.             what about children and young people?
                                                                                             •	 What is the impact of the surveillance society
In the Foreword to the book,             But today things are vastly different. Privacy         on them?
Ms Dalziel writes ”Schools rely          laws grant people privacy rights but when
                                                                                             •	 What are the potential risks to their personal
on information about people.             are children and young people capable
                                                                                                information, their health, their security and
The moment a school collects             of applying these rights to themselves? In
                                                                                                even their lives, from the use of information
information about a student, or a        Victoria there is no legal age at which a child        technologies?
                                         has privacy rights, and some children are
student’s family, there may be issues                                                        •	 What can educators, policy and law makers,
                                         more mature than others of the same age.
about the way the information is                                                                parents and even young people themselves
                                         Most parents want to know everything about             do to educate and support children and
collected, how it is stored, how it is
                                         their children, while some parents think their         young people about privacy protection, and
used and how it is disclosed. Good
                                         teenagers live in a kind of “twilight zone”            empower them to do what they need to
information handling is a foundation
                                         keeping everything to themselves, behind               protect their privacy?
stone of the trust that needs to exist
                                         closed doors or on password protected               •	 Who has what role and how are those roles
between everyone who participates
                                         computers. How do educators, health                    legitimised and disseminated?
in the life of the school. Of course
                                         professionals and law enforcement officials,
most schools are attuned to the                                                              The Children, young people and privacy one
                                         to name a few, know when to ‘draw the
needs of their students, their family                                                        day conference aims to explore these and
                                         privacy line’?
or caregivers, and their staff, so                                                           other related issues. Held during education
handling information well usually        Described as the ‘e-generation’ or ‘digital         Week 2010, the conference is sponsored by
comes naturally to them. But, as with    natives’, children and young people are being       the Victorian Department of education and
all personal relationships, situations   born into, growing up in, and have only ever        early Childhood Development. The Call for
can arise where finding the ‘right’      known, a totally connected world. They are          Papers for the conference can be accessed
answer is not so straightforward.”       surveilled on an unprecedented scale. How           at www.privacy.vic.gov.au. n

The book can be accessed at               Click and Connect - Young Australians’ Use of Online Social Media Australian Communications
www.privacy.org.nz. n                    and Media Authority, July 2009
Privacy, Myspace, Youtube and
Facebook: Can the Law Cope?
On Tuesday 1 September, the Hon Michael          individual control over personal data and
kirby AC CMG, former Justice of the              an entitlement, where appropriate, to
High Court of Australia and renowned             retrieve information that is false, damaging
international privacy advocate, delivered        or presented in a wrong light. Captured
the inaugural Privacy Victoria Oration at the    images have a measure of permanency
Australian Centre for the Moving Image,          which is something that fleeting memories
Federation Square, Melbourne. The first          lack. Video voyeurism may simply be a
of September is the date that the Victorian      generational shift, but it may be necessary
Information Privacy Act came into force in       to protect immature users against
2001.                                            irrevocable decisions that haunt them for
                                                                                                   the hon Michael
                                                 the rest of their lives. Until now, the usual     Kirby AC CMG
Mr kirby’s wide ranging address can be           answer given to such complaints is an             delivered the
listened to at www.privacy.vic.gov.au. A         appeal to the ‘binary’ distinction between        inaugural Privacy
transcript in text form, without introductory    public and private space. If it gets into         Victoria oration in
remarks, is also available.                      the public space, it is said to be beyond         Melbourne on 1
                                                                                                   September 2009
These are excerpts from Mr kirby’s address:      control. Once there, it has become public
                                                 property. If you put it there, you cannot
“Media reports constantly bombard us with        really complain. even if you did not put        technology is expanding every day. And in
stories of privacy issues in the new social      it there, but were in public when the           its regulation, Australia is a small player.
networking outlets of the internet. For many     information was captured, you are said to
of the problems that are presented, the law                                                      ... I applaud the role that the Victorian
                                                 have no legitimate complaint.
offers no, or no effective, solution...                                                          Charter of Rights & Responsibilities plays
                                                 I do not pretend that it is easy to             in also safeguarding privacy and ensuring
The media is full of stories of this kind and    safeguard privacy in the current age. But       that law-makers and officials build privacy
those experts who have examined them             surrendering the endeavour as just too          concerns into the laws and policies of this
agree that there is a need to enhance user       difficult to achieve is not an option. The      State. In this respect, Victoria is certainly
awareness (often in inexperienced, young         internet is exciting and overwhelmingly         a leader in Australia. Good citizens know
and immature persons) of the decisions           beneficial. It leaps the borders of this        that privacy is an attribute of fundamental
they make that may affect them seriously,        world. It binds our species together as         human rights and freedoms. It is an
down the track. Quite clearly, the new           never before. It provides an outlet for         assertion that, within limits that are set
facilities in cyberspace are fulfilling a huge   freedom fighters everywhere. We have            by law, individuals have an entitlement
need that old media and earlier networks         seen these features recently in Burma,          to protect their personal being, their
did not adequately serve. But somehow            Iran and many other places. We should be        immediate family and relationships, their
the new facilities must be promoted              positive and optimistic about the value of      individual space and their information
under conditions that assure respect for         the new technology. In any case, the new        penumbra...” n

Be Aware                                         Copyright held by the Office of the
                                                 Victorian Privacy Commissioner unless
                                                 otherwise indicated. Permission to
                                                                                                      GPO Box 5057
                                                                                                      Melbourne Victoria 3001
Privacy Aware is published four times            reproduce work of others should be                   DX 210643 Melbourne
a year by the Office of the Victorian            separately sought.
Privacy Commissioner. The material                                                                    Level 11, 10-16 Queen Street
in Privacy Aware is intended only to             One of the purposes of this newsletter               Melbourne Victoria 3000
inform. It should not be relied on as            is to increase public access to                      Australia
legal advice. Material is compressed             information about privacy. Articles
and simplified for newsletter purposes           in which the Office of the Victorian                 Local telephone 1300 666 444
and should not create expectations               Privacy Commissioner holds copyright                 Local fax 1300 666 445
about how the Privacy Commissioner               may be copied for non-commercial                     www.privacy.vic.gov.au
may deal with any specific matter in             use. The material should be used                     enquiries@privacy.vic.gov.au
particular circumstances under the               fairly and accurately and Privacy
Information Privacy Act 2000 (Vic).              Aware should be acknowledged as
Privacy Victoria accepts no liability for        the source. The authors of material,
loss or damage that may be suffered              where known, should be credited,
by any person or entity that relies on           consistent with moral rights provisions
information in this newsletter.                  of copyright law.

To top