Mar 18, 2014

Private, keep out: how to safeguard your personal information

New laws are being celebrated as a win for privacy, but are they all they're cracked up to be? Crikey found it a monumental challenge to raid the supposedly open database.

Cathy Alexander — Freelance journalist and PhD candidate in politics at the University of Melbourne

Cathy Alexander

Freelance journalist and PhD candidate in politics at the University of Melbourne

We all have greater rights to privacy under laws that took effect last week, a change greeted with media fanfare as a victory for the individual against telemarketers and intrusive companies. But Crikey has found the new laws may not be all they seem. The change comes via a new set of Australian Privacy Principles (APPs), which give greater rights to privacy in relation to personal information -- who collects it and what they can use it for. Sounds good; you could use the APPs to stop unwanted marketing or find out what Centrelink or Telstra has on file about you. The laws apply to all federal government agencies and all medium and large businesses. The Privacy Commissioner can fine agencies that don't obey. The problem is the laws may prove unwieldy and unenforceable. This Crikey reporter tried to use some of the APPs, with no success. And it was difficult to find someone who could explain what the APPs meant in practice and how to use them. It took 20 phone calls to eight people to find someone who was across them. "It's a lovely facade, but what is it actually going to mean?" asked Bruce Arnold, privacy expert and assistant professor in law at the University of Canberra. He likened the new APPs to the famed Potemkin villages of imperial Russia: they look fantastic, but they might be made of cardboard. So here's a guide to the most important APPs and how you can use them. They've been added to the existing Commonwealth Privacy Act. "Agency" refers to a government agency, or firm with a turnover of $3 million-plus a year. These laws do not apply to state or local governments. Agencies must have an accessible, up-to-date privacy policy. You may have been contacted by a corporation saying it has updated its privacy policy. This is why (APP 1). If the policy is not there on the website, complain. Crikey's is on the home page. An agency can only collect personal information in certain circumstances. The gist here is consent -- a consumer should know what information is being collected and what will happen to that information. Arnold says this is heading down the best-practice European path. "They need to tell you that they're collecting the information," he said. But watch out -- the agency might tell you that in the fine print. There are restrictions on what an agency can do with your information (read APPs 3 and 6). Arnold says the key is the agency must use the information for the purposes for which it was sought. For example, it might provide an optional tick-box saying "can we provide this information to marketing firms?". There are restrictions on direct marketing. An agency must meet certain conditions to use your personal information for direct marketing. Privacy Commissioner Timothy Pilgrim says companies have to provide easy opt-out mechanisms for direct marketing and tell you how your private details were obtained. He told SBS:
"People will now be able to ask when they’re contacted by someone who’s direct marketing to them, ‘how did you get my information and where did you get it from?' ... If they find that it’s been provided by a company that sells lists of people, they can then contact that organisation and say, ‘I want you to take me off that list’."
Sounds good, but Arnold says existing laws -- the Spam Act, the Do Not Call Act -- are more powerful and more likely to be useful. This APP (No. 7) seems to be aimed at direct mail and mail order spam, while people might be more bothered with e-spam and cold calling. There are restrictions on sending your personal information overseas. Let's say an Australian company wants to forward your details to its call centre in the Philippines, or an overseas marketing company. APP 8 says the company is supposed to ensure the overseas body will not do the wrong thing. This is a big issue because banks, telcos, laws firms, marketers and publishers are increasingly using offshore services. But Arnold says there's a question around whether this new law will make a difference.
"There's really a need to rethink privacy, to make it anew."
An agency must be careful with your personal information. They're supposed to take certain steps to avoid your personal information being misused, lost or hacked -- e.g. a Telstra data breach. The issue is there are still no remedies -- you can't sue an agency that does the wrong thing. "There's no teeth" to APP 11, Arnold said. You have the right to access your personal information. This could be very useful. You can ask an entity for the personal information it has about you, and it must respond within a "reasonable period", which seems to be 30 days. There are some exceptions, but the agency has to tell you which exception it's claiming. It can charge you for the information. So you can ask Telstra or Westpac what information it has about your credit rating, or ask Coles about what Flybuys information it holds on you. You can ask Centrelink what it has on your file. Arnold says APP 12 is "good, and it's common sense". Crikey tried this law out and found it's tricky. I called the Commonwealth Bank to ask what was on my record. The call centre asked for my personal details, then for my account number for a closed account, which I don't have. The representative couldn't tell me anything, and told me to take photo ID into a branch and try that. I tried a Telstra representative, who also asked for all my personal details, then for my account number, which I didn't have. Without that they couldn't help. Similarly, I tried to obtain a free copy of my personal credit rating, as I'm entitled to every year under law. But after providing a very elaborate password, answering three security questions and providing all my previous addresses and the dates I lived there, the ratings agency said those details did not work and it could not process my application. Choice has a guide to ratings agencies, but it doesn't seem easy to get a free credit rating. Arnold says these experiences are not uncommon and it's not easy to make the laws work. He says consumers will have to "jump through hoops" to access personal information, and might have to physically visit an office. To summarise these new APPs, Arnold says they will help, but "it's not going to be quite as golden as the current promo campaign". He suggests there is some uncertainty within government about how the system will work and whether people will use it. And Arnold raises questions around whether the Office of the Privacy Commissioner has the staff or the will to enforce these laws. "Would they actually come along with the big stick?" he asked. These APPs are part of the former federal Labor government's response to a mammoth 2008 report by the Australian Law Reform Commission. The gist of the 74 chapters was that privacy protection should generally take precedence over other interests, and should be boosted. Matthew Rimmer, from the ANU's college of law, says the APPs are useful but do not go far enough. They focus solely on "information privacy", Rimmer says, but people are more concerned about phone hacking by media agencies, NSA-style mass surveillance, and genetic privacy (in the face of biotech advances). The APPs don't really help face those threats. "Privacy seems so fragile at the moment ... There's really a need to rethink privacy, to make it anew," Rimmer told Crikey. Rimmer says a problem with the APPs is they don't give individuals a course of action in cases of a serious breach of privacy; people can't seek damages or force an apology. Crikey asked the Privacy Commissioner's office for an interview to explain the new APPs four times, but a spokeswoman said the office was too busy.

Free Trial

You've hit members-only content.

Sign up for a FREE 21-day trial to keep reading and get the best of Crikey straight to your inbox

By starting a free trial, you agree to accept Crikey’s terms and conditions


Leave a comment

7 thoughts on “Private, keep out: how to safeguard your personal information

  1. Dennis Bauer

    In other words there useless to most of the lower class Australian Population another case of laws for some and not for others really.

  2. Salamander

    We have dropped the ball. Our Eternal Vigilance has been switched off. The Barbarians have smashed the gate, and we are in deep doggy doo.

  3. condel

    The more information they collect the more useless they become. Crikey should start a campaign that we all send The AUst government, ASIO, WhiteHouse, CIA and Pentagon a big slab of an email – just Cut and Paste any crap from wikedia. that way you can send their word search system into Mayhem. ‘wateste their time and resources’.

    From kiosks, cafe, nui etc send real important information – thats 5 years old.

    Lean to do it in Chinese – “the Chinese Cyber Hacher Mythology”

  4. AR

    Apart from knowing our tastes & secret vices in minute detail by super chewing data matching, there is only one defence against it, else all modern practice would cease.
    An individual must have instant access 25/8 to see everything compiled on them/
    The truth of the information is bad enough but a greater danger is the weaving in of incorrect information.
    Not that They know more about you than you know yourself – that horse meandered off long ago – but when you are adversely affected by error.
    All government data is classified according to the Admirality rating aystem, A-F/1-6 in which 100% correct is A1 being known directly by the reporting officer to C3 heard 2nd hand, provence unverifiable to F6 which should be the stuff one throws under the wheels when bogged.
    The populace would burn down the Bastille if the knew how much data in C3 or lower and this is what is being used to decide how to deal with you.

  5. Cathy Alexander

    That’s really interesting AR. I didn’t know about the government’s information classification system. Maybe you could tell us more in the comment stream here or email me on [email protected] .

    The new APPs 10 and 13 relate to the accuracy of personal information, but Arnold told me they would make little difference – they are not tough enough. A focus instead on taking ‘reasonable steps’ to ensure accuracy and correct errors, with the definition of reasonable left up to the Gods.

    See those APPs here

    But I think you’ll find they’ll do little or nothing to address the concerns you raise about the amount of C3 and lower information that is kept on us …

  6. Dogs breakfast

    “An agency can only collect personal information in certain circumstances”

    What a farce. Every single website already collects virtually instantaneous information about what websites I visit, what I click on, when I’m on it, etc, and as pointed out by others, there are so few limitations on them joining the dots to work out that is a person who happens to be male of a mature age that lives at my ip address which can be sourced to a particular physical address and guess what, they have me on toast.

    Is there an argument that suggests that what I do on the internet is NOT PRIVATE information?

    And that’s just the internet. Why do I have to provide my phone number and email address for even the most trivial business transaction these days? Want to buy a lollipop? “I’ll need your email address and phone number, Sir.”

    That, is an invasion of my privacy, as is the need for me to provide my personal details to buy a freaking phone.

    As suggested above, we long since became a police and business surveillance state, and I can only see this being used for what ultimately become anti-social means. This is worse than Big Brother, because it is more insidious, and they deny its existence.

  7. Cathy Alexander

    Good point Dogs breakfast. I am really surprised at how often, when making a simple transaction, I’m asked for my phone number, street address and email address (want to make an appointment for a haircut? want to buy something? want to become a member of something as you try to simply buy something?).

    I suspect this is for marketing, although if asked the staff member will often say ‘oh we need that information to confirm the booking / identify you’.

    I have taken to giving a fake email address and street address. PG Wodehouse would have Bertie say ‘the laurels, Welwyn Garden City’ and I find that works well.

Share this article with a friend

Just fill out the fields below and we'll send your friend a link to this article along with a message from you.

Your details

Your friend's details