Menu lock

Federal

Jul 14, 2016

5 comments

The Acting Australian Information Commissioner recently said “Privacy is not secrecy. It is about giving individuals control over how their personal information is handled; creating customer confidence and trust. As such, good privacy practices and great innovation directly support each other.

Unfortunately, Australian citizens will have no “control over how their personal information is handled” in the forthcoming Census of Population and Housing. The Australian Bureau of Statistics (ABS) is collecting the name and address of each Australian, will retain that information and will match the census records with various administrative records held by government. Australians will be given no say in how their information is used as the ABS has said the provision of “name and address” is compulsory.

This, without doubt, is the most significant invasion of privacy ever perpetrated on Australians by the ABS and a direct and deliberate breach of Australia’s Privacy Principles. By doing this, the ABS has put the very success and value of the 2016 census at significant risk. From as early as 1976 to the mid-1990s the ABS has found that the Australian public is very concerned about the collection of names and addresses. More recently, the ABS’ own research shows that 19% of Australians don’t trust the ABS.

The compulsory collection and retention of names and addresses is very likely to result in a significant public backlash against the 2016 census, with people either boycotting the census or providing incorrect information. For a statistical office, this approach is just not tenable. To collect accurate information the willing co-operation of the public is required; this is an old adage, but a very true one.

[Why you should boycott the census]

However, an important legal issue is also at stake: the ABS doesn’t have the legal authority to collect “name” in the 2016 census on a compulsory basis.

The ABS is using the word “compulsory” about name-collection as if its meaning is obvious. Well, it is not, and for starters, that word isn’t mentioned in the Census and Statistics Act either. The reality is that most data collected by the ABS, even in the Population Census, is done on a voluntary basis. The term compulsory is simply used to mean that the ABS has the power to direct, in writing, any respondent to provide statistical information and then to prosecute if the person does not comply.

Before prosecution can be commenced regarding the collection of the census, several legal conditions have to be met. The first of these is the enabling provision, Section 8 (3) which, among other things, provides authority for the statistician to collect statistical information in the census. Section 8 (3) says: “For the purposes of taking the Census, the Statistician shall collect statistical information in relation to the matters prescribed for the purpose of this section.”

By regulation, the ABS has prescribed “name” as a topic on which statistical information may be collected and from which statistics are to be produced. However, as far as I can determine, no statistics are planned to be produced from the census about “name”. Therefore that statistical information, that is “name”, can’t be considered as being collected “for the purposes of taking the Census”.

I say this because the statistician is required to “compile and analyse the statistical information collected under this Act and … publish and disseminate the results of any such compilation and analysis” (See section 12 Publication etc of statistics.) With respect to “name” it is obviously impossible to meet this requirement! Hence the collection of “name”, per se, is not authorised by section 8(3) of the CSA.

“Name” can still be collected on a voluntary basis, but the ABS has no power to commence prosecution action against Australians for not providing “name”.

[Govt to store a trove of highly personal data, putting you at risk]

I should point out that I explained my conclusions on this matter to the Australian Statistician and he said he disagreed with my analysis. However, he gave no indication why he disagreed with me. He did say he had some advice from the the Australian Government Solicitor (AGS) that concluded otherwise. I asked what questions he asked the AGS to address and if he would show me the AGS advice. He declined to do so. This surprised me, as I would have thought that if the ABS had sound advice that is helpful to the ABS view, then there are some obvious advantages in using it.

I was, personally, heavily involved in the process of rewriting the Census and Statistics Act in 1981. At the time, I kept good personal records of all the discussions the ABS had with the government, the parliamentary draftsmen and the Attorney-General’s Department on all important legal matters, including this specific issue.

My notes indicate that in June 1981, Dr Roy Cameron, the then-Australian Statistician, wrote to the First Parliamentary Counsel asking, among other things, if the draft bill could provide for the ABS to “collect information and then to compile and tabulate statistics”. He also suggested that a broader term, like “information”, was necessary for the collection function as it could be argued that names, addresses, industry, etc, are not statistics.

In July 1981, the Second Parliamentary Counsel replied to Cameron that he agreed with the distinction Cameron wished to make between the collection of information and the compilation of statistics. However, he suggested that the word “information” would be too broad and proposed the use of the term “statistical information”. He thought this expression was broad enough to authorise the acquisition of names and addresses, etc, of respondents, so long as it is done for statistical purposes. This proviso is making the same point I have prosecuted above.

The Second Parliamentary Counsel’s recommendations were agreed to and embedded in the enabling statements in the Census and Statistics Act in Sections 8 (3) for the census and 9 (1) for statistics.

I suggest the discussion on this issue ends here. The ABS does not have the authority to collect “name” in the 2016 census on a compulsory basis.

*Bill McLennan was the Director of the UK Central Statistical Office and Head of the UK Government Statistical Service 1992-94. He was the Australian Statistician 1995-2000

*A longer version of this article was originally published here.

Companies

Dec 15, 2015

5 comments

Some Optus customers’ personal data has been accidentally released to more than 50 contractors on the short-term job website Freelancer.com.

Optus uses ARC Mercantile to recover outstanding debt from customers who have failed to pay bills. An employee of ARC Mercantile, against company policy, posted a job to Freelancer.com, a jobs auction website, where potential workers bid to take a variety of short-term jobs or tasks for businesses. The job was to analyse data contained in a spreadsheet containing the personal information of Optus customers who owed money.

A spokesperson for ARC Mercantile would not tell Crikey what punishment the employee who posted the data on Freelancer.com faced, but said “all necessary disciplinary action” had been taken.

Crikey has seen one of the letters sent out to customers regarding the data breach, and according to the letter, the ARC Mercantile employee posted details including name, contact number, date of birth, physical address, email address, and debt collection history information.

After Optus learned of the breach, it commenced legal action in the Supreme Court of New South Wales to force Freelancer.com to disclose how many people on the site accessed the data. Late last month the company was ordered to disclose that 51 people had accessed the customer data.

Optus has notified the Privacy Commissioner and has written to the people who accessed the data asking them to destroy the spreadsheets they might still have. ARC Mercantile has also set up a credit alert service to monitor the credit files of customers affected for potential identity fraud over the next 12 months and has suggested those affected might want to change their phone numbers.

A spokesperson for Optus would not confirm how many customers had been affected by the breach, telling Crikey in a statement:

“Optus has become aware that an employee of a third-party supplier posted a document containing customer data to a public website. This action was unauthorised by Optus and its supplier, ARC. As soon as Optus became aware of ARC’s action we acted swiftly to remove the data and conduct a full investigation into the incident. ARC is co-operating with Optus and is undertaking all due diligence requested by Optus including reporting the matter to relevant authorities.”

Australian Privacy Commissioner Timothy Pilgrim said in a statement that he was informed of the breach by both ARC Mercantile and Optus and praised them for reporting the breach.

“We are pleased to see that Optus has notified affected individuals about this incident. Notification can be an important mitigation strategy that has the potential to benefit both the organisation and the individuals affected by a data breach. The OAIC strongly encourages notification in appropriate circumstances as part of good privacy practice.”

Earlier this month Attorney-General George Brandis released an exposure draft for mandatory data breach notification legislation. Under the legislation, which was originally planned under the former Labor government in 2013, businesses with annual turnover of over $3 million and government agencies would be required to notify customers and the privacy commissioner on “serious data breaches” that created “a real risk of serious harm” to those affected by the breach.

While many companies, including Optus, are becoming more proactive in disclosing data breaches when they occur, some businesses fear the reputation damage such disclosure can have on their brands.

Online shopping giant Catch of the Day waited three years to inform customers when it suffered a data breach compromising credit card details and user login details. To date, the company has never explained why it waited so long to inform customers of the breach.

Federal

Aug 4, 2010

5 comments

Former prime minister Paul Keating is delivering a speech tonight to the Centre for Advance Journalism, University of Melbourne, on the ‘privacy imperative in the information age’.

“Privacy in a broad sense is under attack these days on a range of fronts. Electronic surveillance, terrorism laws, growing police powers, business practices associated with information mining and marketing, and new technologies.”

pic

Click to download the full speech (PDF)

Politics

Oct 3, 2008

5 comments

Special Minister of State John Faulkner has flagged a revised timetable for the Government’s consideration of the recommendations of the Australian Law Reform Commission’s recent privacy report.

Faulkner yesterday addressed the Cyberspace Law and Policy Centre Symposium and indicated that the Government’s overhaul of the Privacy Act, focussing on the Commission’s proposed “Unified Privacy Principles”, credit reporting, health and new technologies, would take until at least the end of 2009, even though Prime Minister and Cabinet had already kicked off the process. Faulkner expects Cabinet to have settled on its approach to the ALRC’s recommendations by early next year.

The more contentious second stage of reforms — involving issues like a statutory right to privacy and the removal of exemptions from the Act for political parties, will be left until after the initial overhaul is completed. This means 2010, when it will become subject to election year turbulence. On that timetable, even if the Government agrees with the ALRC that people should be able to sue for privacy breaches, there’s unlikely to be any legislative change until 2011. Which might be handy for a government anxious not to buy a fight with Big Media in the run-up to its first bid for re-election.

That’s the bad news.

The good news is that, for the second time in less than a month, John Faulkner has engaged on the issue of privacy in a way no previous Government minister has. In a speech in late August to the Privacy Awards and again yesterday, Faulkner has grappled with the problems of defining privacy in an online world and the treatment of privacy as an afterthought in policy development and new applications.

For Faulkner, the definitional challenge of privacy is resolved by empowering people to make their own decisions about what personal information becomes available — a theme that complements the Government’s focus on empowering and informing consumers. And, more nebulously, Faulkner wants a shift from privacy being addressed after everything else in new technologies and applications, to it being at the technological base, hard-wired into systems. To do this, he says, “we will need new and innovative ways of doing so, ways other than legislative fiat or paternalistic scolding.”

Quite what these new ways are, Faulkner doesn’t discuss. That’s the weak part of his speech — he doesn’t offer any solutions or flag the government’s general approach. But at least demonstrates he’s aware of and capable of analysing the problems. It’s refreshing for a senior government minister to demonstrate some of that actual intellectual rigour stuff in considering a significant public policy issue.

The big challenge will be convincing Faulkner’s Cabinet colleagues to pursue serious privacy reform in the face of what is likely to be substantial opposition from businesses, and in particular data miners and “customer information management” companies that make a motza out of collecting, manipulating and selling our personal data.

The biggest of them all, Google, is represented in Canberra by Gavin Anderson, but you can bet that others, like US-owned Acxiom, will also be arguing that existing privacy restrictions are already too much of a hindrance. Direct marketers will complain they’ve already been punished enough by the Do Not Call Register.

What’s the Coalition’s view on the ALRC report or privacy issues generally? No idea. Michael Ronaldson hasn’t troubled the scorers. Too busy counting numbers for Turnbull and fighting his Victorian Liberal Party enemies, perhaps.

News

Aug 13, 2008

5 comments

The emerging debate on privacy, sparked by the release this week of the Australian Law Reform Commission’s report on the subject, could have been avoided if we had in place a bill or charter of rights. It is beyond argument that currently the Australian law — despite what some media lawyers such as The Age’s legal adviser Peter Bartlett says — does not adequately protect the right of all individuals in our society to privacy. This is in stark contrast to two countries that have a charter or bill of rights — Canada and the UK.

One of the major reasons British F1 aficionado Max Mosley was successful in his recent legal action against News of the World, which published lurid details of a private s-x party that Mosley held earlier this year, was because the court was able to rely on the right to privacy enshrined in the European Convention on Fundamental Rights and Freedoms.

The Convention says that “Everyone has the right to respect for his private and family life, his home and his correspondence,” and says that the right to freedom of expression is qualified by the need to protect “the reputation or rights of others, for preventing the disclosure of information received in confidence.”

As Justice David Eady said in his ruling on July 24, Mosley had a reasonable expectation to privacy which was breached by News of the World.

In Canada, that country’s Charter of Rights and Freedoms provides that every person is entitled to a reasonable expectation to privacy, and the courts regularly deal with cases where individuals seek to enforce their Charter right to privacy where the media and other organs infringe that right.

But Mr Mosley and others in his position might not have the same protection in Australia. The High Court in a 2001 case involving a meat company in Tasmania that was targeted by animal rights protestors, dealt with the right to privacy and described the law as emerging but not yet defined. Last year Victorian County Court judge Felicity Hampel recognised the right to privacy in the case of a rape victim whose name was published in the media. But other courts around the nation have knocked back the idea of a right to privacy.

The ALRC’s report and the Rudd government’s commitment to introducing privacy legislation are to be welcomed, but it is another illustration of piecemeal reform in the area of human rights in Australia.

Australians deserve to know that their fundamental rights and freedoms are fully and comprehensively protected in a charter or bill of rights. They should not have to wait years for politicians and courts and law reform bodies to play catch up with other countries that already provie that certainty.

News

Sep 25, 2007

5 comments

“The public interest.” What do those words mean, particularly when used by media organisations in their own defence, or when lobbying Governments for greater freedoms? The question occurs to me as a result of this entirely reasonable Australian Press Council adjudication, which forms part of the continuing controversies link  concerning The West Australian – the wild, wild journal of the wild wild west.

The latest adjudication is a fairly simple case – or so you would think. The West Australian got fundamental facts wrong in a story about the hospital system and refused to correct. As the Press Council says, “The newspaper’s actions compromised its legitimate attempt to air a matter of obvious public concern.”

Inarguable, you would think, but that hasn’t stopped the West Australian lodging an appeal against the decision. Their defence? You guessed it – writing stories about inadequate health services is in the “public interest” and this means that the errors “were immaterial to the issue”.

Oh, really? The West Australian must take the public for fools.

The words “the public interest”, used in this way, become weasel words, full of piss, wind and self interest.

Successive generations of media moguls have argued for freedom of the media, because of the public interests involved. Our own time is no exception. Our leading media organizations earlier this year clubbed together to form Australia’s Right to Know, which has commissioned an independent audit of the state of media freedom in Australia.

Admirable, but as the Australia Privacy Foundation has pointed out in its submission:

The media are also heavily involved in commercial activity unrelated to any ‘public interest’ role, and much of their editorial output is in the area of ‘infotainment’ or pure entertainment, which can make few if any claims to special protection or privileges founded on a ‘fourth estate’ role. We also hope that the audit, and the Right to Know campaign, can avoid overly simplistic characterization of the relationship between governments and the media…the relationship cannot be reduced to a simple story of good and brave journalists fighting repressive government censorship. Press and media interests have often enthusiastically cooperated with Government efforts to mould public opinion and have often received benefits from doing so…an appropriate degree of humility, would be welcome.

I hope the Privacy Foundation isn’t holding its breath waiting for the humility.

Freedom of the media, so far as media corporations are concerned, means freedom for them to do as they wish. They are slower to defend the ability of individual journalists to write as they wish, let alone for the public to have direct access to the ability to publish.

New media changes this. A thousand blogs bloom, and now just about anyone can say anything – but this kind of freedom of speech has not been embraced by mainstream media. Rather, they rubbish it. Witness News Limited’s sensitivity to criticism in the blogosphere.

Every editor would claim to want their publication talked about around the water cooler. But when those conversations happen in public, on the web, they hate it. The notional but safely invisible readers chatting around the water cooler are characterized as “mainstream Australians” – the nice friendly public whose right to know the media casts itself as defending. But Bloggers! They are “cannibals” on the mainstream media, academics, w-nkers and wannabes, and so forth and so on. The abuse is heaped on.

Journalism academic Jay Rosen has pointed out that the famous part of the United States constitution guaranteeing freedom of the press was originally proposed, composed and codified to protect not the freedom of journalists to report, but the freedom of citizens to meet, speak, be informed and publish reports.

When it comes to the citizen’s right to be heard, the media can be both problem and solution. Too often, I think the very media organizations who complain about lack of freedom of speech are the first to bully non-media participants in public life.

The media are just one way of giving expression to freedom of speech – vitally important, yes, but not the whole box and dice, and not an unqualified blessing.

It’s hard to imagine that the West’s appeal against the Press Council decision can succeed. If it did, it would mean that any media organization could raise any issue in the public realm, whether or not it gets its facts right, and get off scot free because of “the public interest”.

But more important than this single case is that those who bang on about freedoms and public interests need to become a bit more careful about how they use the words. The concepts are too important to be used so shallowly.

What do you think? Comment at the Media Free-For-All.