Internet privacy

DEFINITION OF PRIVACY

There has been a lot of discussion about privacy with the Victorian Law Reform Commission’s Enquiry into workplace privacy, enquiries conducted by the Australian Law Reform Commission into Australian Privacy Law, and the recent release of an issues paper by the Commonwealth Attorney General’s Department exploring the introduction of a Commonwealth Statutory Cause of Action for Serious Invasion of Privacy.

The recent enactment of Victoria’s Workplace Bullying Laws and their interaction with privacy(see Victoria’s Workplace Bullying Laws & Privacy) shows how privacy touches our everyday lives in so many ways.  There are proposals to extend Victoria’s workplace bullying laws, which make provision for cyberbullying, to the Federal arena. (see Gillard Supports Federal Bullying Laws).

It becomes apparent that one cannot discuss privacy or internet privacy in a vacuum, without considering the various ways in which privacy can be invaded, such as through online defamation and abuses of privacy which occur on the internet through cyberbullying and disclosures of confidential information.

Invariably in privacy debates, the concept of freedom of expression arises as journalists raise their concerns about the  tension between privacy rights and the right of the media to report on matters of public interest.

When it comes to defining privacy, it emerges that there are many dimensions to privacy, which has proven to be somewhat of an elusive concept.  It is a truism that privacy is a private matter, which is inherently person to an individual, the meaning of which will  depend on a person’s individual values and beliefs.

However a common legal classification of privacy divides privacy into the following distinct yet overlapping categories:-

1. Information privacy – regulates the collection, management and handling of personal data.

2. Bodily privacy – relates to the protection of  a person’s bodily integrity and the protection of their physical person from invasive procedures such as genetic,  drug testing and cavity searches

3. Communications Privacy – revolves around the privacy and security associated with email, telephone, mail and other forms of communications.

4. Territorial privacy – revolves around setting boundaries relating to the encroachment into a person’s domestic and other environments such as the workplace or certain activities in public spaces.

5. Locational privacy –  concerns technologies that connect an individual to a particular geographical location

6. Associational privacy –  relates to the impact on society of political profiling.

Background and Law Reform Enquiries relating to privacy

The Australian Law Reform Commission (ALRC) released their report on privacy law reform in August 2008  titled For Your Information – Australian Privacy Law and Practice.

The Privacy Amendment (Enhancing Privacy Protection) Bill 2012 , has now been passed by the House of Representatives.

These recent privacy law reforms represent one of the most significant developments in privacy reform since the Privacy Act was first enacted in 1988.  The Government chose to act on over half of the Australian Law Reform Commission’s recommendations in the 2008 ‘For your information’ report mentioned above.

The Bill will now be introduced in the Senate where it is currently being considered by the Senate Legal and Constitutional Affairs Legislation Committee.

The Parliamentary Joint Committee on Intelligence and Security is also currently considering ways to further strengthen privacy protections as part of its Inquiry into potential reforms of National Security Legislation.

The Government may implement further amendments in the Senate in response to the Senate Legal and Constitutional Committee’s report due to be released shortly.

The legislation amends the Privacy Act 1988 (Cth) to create a single set of unifying Australian Privacy Principles (APPs), which will apply to both Commonwealth agencies and private sector organisations, replacing the Information Privacy Principles (IPPs) for the public sector and the National Privacy Principles (NPPs) for the private sector. Therefore when the legislation finally comes into operation, the information set out below on the regulatory and legal system in place for privacy in Australia will have changed.

The Bill also introduces more comprehensive credit reporting provisions which includes five kinds of personal information, accompanied by enhanced privacy protections. New provisions on privacy codes and the Credit Reporting Code will be introduced, in addition to powers for the Commissioner to register codes in the public interests which will be binding on specific agencies and organisations.

The reforms are aimed at making it easier for consumers to access and correct their personal credit information, and altering the type of information that banks and financial institutions will be able to see relating to financial consumers, enabling them to assess credit risks far more accurately. Credit providers will now be under obligations to assist consumers to correct their credit information and the legislation will make it easier for consumers to make complaints about incorrect credit reporting information. The legislation also  prohibits the collection of credit reporting information of individuals under 18.

The Bill will clarify the functions and powers vested in the Privacy Commissioner, improving the Commissioner’s ability to resolve complaints and recognise and encourage the use of external dispute resolution services, conduct investigation and generally promote compliance with privacy obligations. The Privacy Commissioner will be able to make determinations to direct an organisation to take steps to cease engaging in certain conduct, or take reasonable action to redress any loss or damage suffered.

The commissioner will have the power to obtain enforceable undertakings from organisations, meaning that a court can then make appropriate orders, including orders for compensation. Civil penalty orders against organisations will also  be at the disposal of the Privacy Commissioner upon action to a Court.

The legislation introduces a new privacy principle for direct marketing and more robust protections for consumers when companies disclose personal information overseas. The new direct marketing privacy principle will more provide stronger regulation over the use of personal information for direct marketing.

In terms of transborder data flows, privacy policies will now have to include information as to whether a company or agency is likely to disclose information to overseas recipients and, if so, which countries the information is likely to go to.

The Australian Privacy Principles will also afford stronger protection to ‘sensitive information’ which includes, amongst other things, health related information, DNA and biometric data.

The government will be allowing government agencies and industries a period of nine months to review and update their privacy policies and practices to prepare for the reforms, and the Bill will therefore not commence operation until nine months after it receives Royal Assent.

The reforms at the Federal level are significant.

In addition to Federal law reform enquiries, there have been law reform enquiries into the issues of privacy at the State level.  The  Victorian Law Reform Commission  published reports relating to   Workplace Privacy and  Surveillance in Public Places

The New South Wales Law Reform Commission has handed down several reports and consultation papers on privacy law, whilst on the international stage the New Zealand Law Commission are continuing to take an active role in reviewing privacy laws,  particularly in light of technological changes and international trends which have challenged the laws’ ability to deal with invasions of privacy.

On the 12th December the New Zealand Law Commission  announced proposals for the creation of new offences to meet challenges posed by new media.  The recommendations include the creation of  new offences for “incitement to suicide”, “maliciously impersonating other” and publishing “in some circumstances”intimate photographs of another person, even when they were taken with the subject’s  consent.

The Privacy Commissioner of Canada released a report based on a consultation process in relation to online tracking, profiling and targeting of internet users by advertisers and cloud computing.

Rapid advancements in technology and the pace of technological change have been a major focal point in the ongoing discussion about the need for new privacy regimes.  It is universally recognised that  technological advancements provide enormous benefits to society, however there are legitimate concerns about the unprecedented opportunities that new technologies provide for the commission of serious and harmful privacy invasive practices.  The taking and use of photos and images online without permission and new technologies of surveillance has also raised concerns about internet privacy, as have concerns about the accessibility of privacy protected Facebook photos.

The accessibility, affordability and capacities of  these new technologies will invariably increase dramatically.  The use of such technologies has enormous potential to affect privacy  and  blurs the distinction between public and private life.

The internet has changed the nature of  what is a  ‘public’ space.  Who controls information in cyberspace is an area of uncertainty for consumers and businesses operating on the internet.  Online privacy will continue to be a contentious area as the law endeavours to regulate the handling of information in this domain.

Pervasive CCTV surveillance, biometric identifiers, thermal imaging, RFID and other technologies are being deployed in combination on a widespread scale, leading to irreversible losses of privacy for individuals and unforeseen consequences.

The use of surveillance devices in Australia was the focus of the VLRC’s recent report, which is regulated to some extent by the Surveillance Devices Act. Surveillance devices includes both video and audio surveillance and tracking devices such as GPS monitoring.  The Act doesn’t appear to extend to biometric and other emerging technologies and the definitions of  “private conversations” and “private activities” are likely to exclude many forms of workplace related surveillance.

In the past doubt was expressed as to whether the Telecommunications Interception Act 1979 (Cth) (TIA) covered monitoring of employee internet, email usage, voicemail and SMS, and whether these technologies would fall within the definition of interceptions of a communication passing over a telecommunication system. The legal position regarding emails was clarified by the passage of the Telecommunications (Interception) Amendment (Stored Communications) Act 2004 which excluded ‘stored communications‘ such as emails from the prohibition against interception in  s7(1) of the Act.

The importance of workplace privacy has been recognised by a number of enquiries and Codes.  (See Victorian Law Reform Commission Workplace Privacy Final  Report 2005, Protection of Workers’ Personal Data: An ILO Code of Practice 1997)  The strong impetus for regulatory oversight of privacy intrusive technologies in workplaces lead to the development of  rules regulating the use of technologies in workplaces in a way which balances Employer and Employee interests. The Electronic Frontiers Foundation has produced a list of resources which are relevant to workplace privacy and surveillance.  Fair Work Australia has produced a Workplace Privacy Best Practice Guide regarding the collection and use of employee information and privacy issues relating to email and the internet.

In August 2010 the Surveillance in Public Places: Final Report was tabled before Parliament, making numerous recommendations for the revamping of the laws relating to the use of modern surveillance devices in public places to guard against serious invasions of privacy.

THE CURRENT LEGAL FRAMEWORK FOR THE REGULATION OF PRIVACY IN AUSTRALIA

Australia’s legal framework regulating privacy is highly fragmented,  consisting of a tapestry of State and Federal information privacy Acts, miscellaneous legislation and industry based codes of practice.

FEDERAL LEGISLATION

The principal piece of federal legislation regulating privacy in Australia is the Privacy Act 1988 (Cth).  The Act regulates the handling of personal information by the Australian Government, the ACT Government and the private sector.  The legislation requires compliance with  ten  National Privacy Principles (NPPs) which set  standards for how organisations should collect, secure, store, use and disclose personal information.  This website doesn’t deal with all of the NPPs which can be located on the website of the Office of The Australian Information Commissioner

There is other Commonwealth legislation which regulates the handling of personal information such as the   Freedom of Information Act 1982 (Cth) (FOI). The FOI Act states that every person has a right of access to documents held by government agencies or ministers, with the exception of   exempt documents. An agency may justify a refusal to disclose information to an Applicant based on the document being an exempt document.   For instance, under s41 of the FOI Act a document   can be classed as exempt from the regime where it’s disclosure would involve unreasonable disclosure of personal information relating to a third party.

However s41(1) provides that this exemption is subject to an exception that a person can’t be denied access to a document on the basis that it contains his or her own personal information.  The provisions of the Act set down how requests for information are processed, the operation and scope of any exemptions and how decisions are reviewed.  There is a body of case law which has evolved in relation to the FOI Act which demonstrates how the principles have been  interpreted.

Other privacy related Commonwealth legislation deals with the handling of Tax file Numbers (TFNs) and census data. There is also legislation imposing secrecy provisions upon public servants not to disclose certain information which they acquire in the course of performing their duties under the Public Service Act.  This legislation is contentious, particularly in light of the principles of transparency relating to open Government and whistleblower legislation currently under review.

Privacy related ‘Credit reporting’ provisions are located in Part IIIA of the Privacy Act enabling individuals to discover information regarding their credit reporting history and seek the correction of errors.

In the conduct of your internet or other business activities, depending on the type of transactions you enter into, you may come within the definition of  a credit provider defined as  “any business which provides finance to purchase goods, services and land or to lease goods“. Your business may be subject to obligations both under the  Consumer Credit Code applying to credit providers where businesses charges for credit for customers used mostly for the  personal, household or domestic purposes.  In addition to consumer law, you may also need to acquaint yourself with the credit reporting provisions under the Privacy Act to ensure compliance.

However, under the Privacy Act 1988 (Cth) many small businesses are exempt from having to comply with the NPPs. (see s6D) unless they choose to be treated as an organisation for the purposes of the Act. (see s6EA)

However, an individual, body corporate, partnership, unincorporated association or trust cannot take advantage of the small business exemption for anything they do as a contracted service provider for a Commonwealth contract.  The definition of ‘contracted service provider’  in section 6(1) of the Privacy Act includes the terms ‘government contract’ and ‘subcontractor’.

Even if a contracted service provider would qualify as a small business and be exempt from  the NPPs, the contracted service provider will need to comply with the Privacy Act (and the contract) in relation to its activities under the Commonwealth contract.

The Spam Act 2003 (Cth)

The Spam Act 2003 (Cth) is another piece of Commonwealth privacy related legislation which imposes prohibitions relating to the sending of unsolicited commercial electronic messages, the use of software harvested lists,  and amongst other things, the provision of functional unsubscribe facilities.

In conducted email marketing campaigns you will need to be aware of the spam legislation which is regulated by the  Australian Communications and Media Authority (ACMA).  Website operators need to be aware of the need to ensure commercial email is not sent without consent, whether explicit or inferred, and  identifies the sender adequately. Non-compliance can lead to a range of penalties.

TELECOMMUNICATIONS PRIVACY PROVISIONS

Telecommunications (Interception and Access) Act 1979 (Cth)

In a business context the Act is  most relevant to private sector businesses which have email communication systems.  It contains a prohibition against the   interception of communications that ‘pass over a telecommunications system without the knowledge of the sender‘.

Telecommunications Act 1997 (Cth)

The Act regulates the use and disclosure of information by telecommunication providers.  The protection of  the content of communications between users of telecommunications services in Australia is one of the most critical areas of privacy protection.  Lawful interception may only be provided to law enforcement and national security agencies in accordance with a warrant under the TIA.  Interception for other purposes is prohibited and  criminal penalties attach to a breach.

The ACMA administers regulatory obligations arising under the Telecommunications Act 1977 (Cth) which interact with the Privacy Act 1988 (Cth). Part 13 of the Act provides for the confidentiality of personal information and the contents of communications, including restraints on how telecommunications carriers and carriage service providers (CSPs) can use and disclose personal information.

Under Part 6 of the Act the ACMA has registered industry codes addressing privacy issues such as the handling of personal information in the IPND and in e-marketing.

The Attorney-General’s Department is responsible for administering the TIA Act which prohibiting the interception of telecommunications except in accordance with it’s provisions.  The obligations placed on telecommunications carriers and CSPs by the Act to provide assistance to law enforcement agencies include facilitating lawful interception as stated above.

Disclosure of customer information under telecommunications legislation

Customer information provided to telecommunications carriers and CSPs is protected under Part 12 of the Act. Carriers and CSPs are prevented from disclosing this information to other parties except in certain limited circumstances. These circumstances generally relate to assisting in investigations by law enforcement or national security agencies, the ACMA, the Australian Competition and Consumer Commission (ACCC) or the Telecommunications Industry Ombudsman (TIO),  where there is an imminent threat to a person’s health or life, or a need to satisfy the business needs of other carriers and CSPs.

According to the ACMA in it’s Communications Report 2008-9, there were   332,774 disclosures made under Part 13 of the TA during this reporting period. In addition, 484,416 disclosures were made under the TIA for existing and prospective information to assist law enforcement agencies under ss177-180 of the TIA Act over the same period.  There are two types of disclosures. Certified disclosures authorise the disclosure of documents or customer information where an enforcement agency has certified in writing that it is required. Uncertified disclosures usually involve an informal request by an enforcement agency for the dislosure of customer information. Such requests don’t involve a certificate being provided but are accompanied by supporting documentation.

Ch5 of the TIA Act obliges carriers and CSPs to ensure their networks, facilities and carriage services are capable of enabling communications to be intercepted when presented with an interception warrant.  This obligation includes a requirement to develop, install and maintain the interception capability.  S314 sets out the terms and conditions under which carriers and CSPs are required to provide help to an agency. The telecommunications industry is generally permitted to recover the costs of providing assistance on the basis that it neither profits nor benefits from providing assistance.  Under s196 of the TIA  carriers and CSPs must lodge an interception capability plan by 1 July every year with the Communications Access Co-ordinator situated in the Attorney-General’s Department.

OBLIGATIONS OF WEBSITE OWNERS COLLECTING INFORMATION OVER THE INTERNET

The following is a brief overview of some of the obligations deriving form the NPPs as they apply to the collection of information by website owners collecting information over the internet:-

1.  Only collect personal information which is necessary for your organisation to perform it’s functions, not personal information which you may believe could be beneficial to your organisation at a future point in time  (See NPP1.1) (‘collection limitation principle’)

2. Take reasonable steps to apprise individuals of the purpose for which you are collecting their information (see NPP1.3).  Do not use such information except for this purpose or a related purpose which an individual would reasonably expect you to use it for, unless you gain the customer’s explicit consent to do so.  (See NPP2)

3.  Take reasonable steps to keep personal information secure and  destroy it when  no   longer required (See NPP4)

4.  Enable individuals to deal with your organisation anonymously where practicable and lawful (See NPP8)

5. Do not send  personal information to another entity outside Australia unless the information will be protected by privacy laws of equivalent strength to Australia’s privacy laws, except where an individual consents (See NPP9)

6. The Information Privacy Principles (IPPs) of the NPPs under the Privacy Act apply primarily to the activities of Commonwealth Government Departments and agencies, although there are a range of exemptions in relation to small businesses, media organisations and in relation to acts performed other than in the course of business. Small businesses with an annual turnover of $3 million dollars or less are exempt from the application of the principles.  Where personal information is dealt with in the course of an individual’s personal, family or household activities it will also be exempt. The media exemption exempts organisations which are acting ‘in the ordinary course of journalism’ as long as it is publicly committed to published privacy standards.

STATE PRIVACY LEGISLATION

The  Information Privacy Act 2000 (Vic) contains the Victorian Information Privacy Principles (VIPPs) which apply to Victorian Government departments and agencies and their contractors, administered by the  Victorian Privacy Commissioner.  The Act contains a number of exemptions, including in relation to courts and tribunal proceedings, publicly available information and law enforcement

Health Records Act 2001 (Vic)

The Victorian Health Records Act 2001 (Vic) contains Health Privacy Principles (HPPs) which apply to both the private and public sector.  Private sector operators who deal with health information in Victoria must comply with both the NPPs  in addition to the HPPs.  There are exemptions for  dealing with health information for personal, family or household affairs, publicly available health information  and news media. The Act is administered by the Office of the Health Services Commissioner

Surveillance Devices Act 1999 (Vic)

The Act governs the installation, use and maintenance of optical and listening devices in addition to the  communication and publication of surveillance records.  For example the Act contains provisions precluding Employers form installing or using surveillance devices in certain private workplace areas such as toilets and change rooms.

Charter of Human Rights and Responsibilities Act 2006 (Vic)

The Charter of Human Rights and Responsibilities Act 2006 (Vic) establishes a general right to privacy enshrined in S13 of the Act. The Charter doesn’t give rise to any novel cause of action for individuals who believe their privacy has been unlawfully and arbitrarily interfered with.  There are requirements that new legislation receive a statement of compatibility with the Charter when passed through Parliament. The Charter requires that any existing laws be interpreted in a manner which is compatible with human rights.  The Act is administered  by the Victorian Human Rights And Equal Opportunity Commission (VHREOC) and it’s provisions  apply to the actions of Victorian public authorities. The right to privacy under the Charter is broader than the right to informational privacy and extends to bodily, territorial, communications and locational privacy.

INDUSTRY BASED CODES OF PRACTICE

Legislation provides for the development of privacy codes or rules which are then registered under legislation. Several codes of practice have been devised and are administered by industry bodies. 

Market and Social Research Privacy Code

Under the Federal Privacy Act organisations are able to choose to opt out of complying with the NPPs and can elect to abide by an approved Code developed by an industry body.    The Association of Market and Social Research Organisations (AMSRO) is the administrator of the Market and Social Research Privacy Code which binds members who subscribe to it irrespective of their size. It contains obligations which are more rigorous than the NPPs and was approved by the Privacy Commissioner.

Internet Industry Privacy Code

The Internet Industry Privacy Code was developed by the Internet Industry Association to regulate the activities of Internet Service Providers.  However it hasn’t yet taken effect despite the effluxion of a considerable period of time.

eMarketing Code of Practice

The code, registered in 2006,  applies to all persons, including individuals and organisations, undertaking an e-marketing activity.  Businesses which trade or market their goods and/or services through the internet need to be aware of the eMarketing Code of Practice which has been registered under the Telecommunications Act 1997.

The Code sets down rules for the sending of commercial email in addition to those contained in the Spam Act which members are also obliged to comply with. The Code is expressed to apply to certain individuals and organisations that use e-marketing as their ‘sole or principal means‘ of marketing, promoting or advertising their products or that market by email by contract or arrangement ‘on behalf’ of a third party.   ‘Sole or principal means’ has been interpreted by the ACMA as meaning the ‘first’ or ‘leading’ means of marketing  considering the number of potential customers e-marketing campaigns are expected to reach in comparison to other means of marketing over any 12 month period.

Internet Industry Spam Code of Practice

The Internet Industry Spam Code of Practice was registered under the Telecommunications Act 1997 and applies to all internet service providers in Australia in addition to global email service providers who provide services in Australia. The Code contains rules relating to how ISPs and email service providers must address the sources of spam within their networks, including actual spammers, and requires that ISPs and email service providers to provide their customers with information about their spam filtering options.

The Significance of Privacy Trust Marks

Trust marks, otherwise known as seals of approval were developed in order to identify a website operator’s position with respect to privacy to it’s potential customers. It is an advisory indicator that a site has agreed to be bound by a code of practice. However the existence of a trust mark shouldn’t be treated as a guarantee that the website operator can be trusted to engage in privacy respecting practices.

Consumers have made complaints about the performance of certifying bodies such as TRUSTe including their failure to respond generally to consumer concerns or to monitor compliance by website operators with their rules in the event of a breach. In some cases seals can be acquired as a result of a self-assessment process.  There are many competing trustmark bodies who issue privacy seals

Representations and Privacy Statements

An important source of privacy obligations which is neglected is the content businesses choose to incorporate into their privacy statements and policies. Once published they become part of their contractual documents and are legally binding.  If a statement or a representation in a published privacy statement or policy on a website  is in any way misleading, an organisation may also be deemed to have breached statutory provisions in contravention of  s52 of the Trade Practices Act 1974 (Cth).

The practical operation of the Privacy Act

What is considered personal information under the Privacy Act?

As stated above,  private sector organisations are obliged to comply with the NPPs with respect to the collection, handling and storage of ‘personal information‘.   The NPPs and the IPPs apply only to personal information which is defined under s6 of the Privacy Act as:

‘information or an opinion (including part of a database) whether true or not and whether recorded in a material form or not about an individual whose identity is apparent or can reasonably be ascertained from that information.’

This  cover almost any kind of  information that can be used to identity a person. Obvious examples include a person’s name, address, telephone number or date of birth.  However where a website operator collects only aggregate or anonymised data this is not considered to be ‘personal information’ under the NPPs.  However whether something qualifies as personal information may also depend on what other information an organisation holds about a person which can be linked to information in it’s possession to ascertain the identity of the person concerned.

Photographs

Both the Federal and State privacy commissioners have issued guidelines stating where the identity of a person can be worked out from an image, this should qualify as personal information.  It is recommended as best practice to seek the consent of the individual prior to the publication of their photo.  However the  legal requirement requires only that reasonable steps be taken to provide a privacy notice that information is being collected unless the image may impart ‘sensitive information’ as defined under the Privacy Act.  For practical purposes where a photo is published on a website it will be accessible outside Australia and thus transferred to other entities outside Australia, in which case NPP9 would need to be complied with.

Cookies and Clickstream Data

Data  aggregated to measure website usage is unlikely to constitute personal information as defined by privacy legislation if it doesn’t identify an individual. However an organisation which holds sufficient pieces of information which when viewed as a whole would be able to identify an individual would could constitute personal information.   This means cookies, web beacons or other blocks of data that may be shared between a server and a user’s browser can amount to personal information depending on what other data is held by the collecting organisation.

Disclosing personal information

Whenever an organisation is proposing to use or disclose personal information NPP2.1(a) requires that the information  not be used or disclosed except for the purpose for which it was collected or the person gives consent to it’s use or disclosure. Whenever considering whether to use or disclose personal information consider how and why the personal information was originally collected, whether the user was aware of the purpose of collecting it, and whether it would now be practical to notify them of these details.  If the information wasn’t collected for the purpose for which it is to be used or disclosed, you should consider whether it is possible to obtain the individual’s consent to the use or disclosure.

Collecting Information Over a Website

As stated above NPP1.1 mandates that only information that is ‘necessary’ to an organisation’s functions and activities can be collected. When designing a website form, consider whether it is necessary for the form to be designed in a way that requests personal information in relation to the particular transaction the user would be making use of it for.  NPP8 provides  individuals be allowed to transact anonymously with an organisation where lawful and practicable. Therefore, if an individual makes a request for information they are not necessarily required to provide their full name and address if this isn’t required to respond to a query they submit via your website.

Privacy Statements and/or Policies

Under  NPP5.1 there is a general requirement for openness through disclosure of a company’s general practices in the handling of personal information,  including a requirement to have a privacy policy.  NPP5.1 requires organisations to set out well defined policies as to how they deal with personal information and make it available to all who request it.  The Federal Privacy Commissioner has stated it should indicate whether or not the organisation is bound by the NPPs, specify any exemptions under the Privacy Act which may apply to the organisation’s personal information handling practices and inform individuals they can obtain further information regarding  how the organisation manages personal information. For the sake of convenience many organisations choose to display their privacy policy on their websites to comply with NPP5.

NPP1.3  – Privacy Statements

Under NPP1.3 organisations have an obligation to take ‘reasonable steps’ to provide privacy collection statements either at or before they collect personal information. The statement should identify the  entity collecting the information, contact details, and inform the user how to gain access to personal information held about them.  It should identify the purposes for which information is collected, and any organisations to which the entity generally discloses the data to.

The obligation is cast as one to  take ‘reasonable steps’ to bring a privacy collection statement to the user’s attention.  The privacy statement should be displayed prominently enough so that it is likely to be visible to the consumer preferably on  a web page of the site the information will be collected from. Organisations that choose to combine both NPP5 type privacy policies and more specific NPP1.3 privacy collection statements into one document need to ensure that the information is presented clearly enough to be comprehensible.

Data Security Principle

NPP4 requires an organisation take reasonable steps to keep personal information secure and  destroy it when no longer required. Compliance with NPP4 requires that more secure precautions be taken where systems are exposed to users outside an organisation. Reasonable steps should be interpreted in the context of the type of transaction engaged in. Where a financial transaction is concerned the website operator should  protect user information by the use of encryption. Another feature of data security is to focus the users attention on the risks that pertain to using the internet so that they are able to take steps to protect their information.

Email and Surveillance Policy

As stated above the Telecommunications Interception and Access Act 1979 (Cth) prohibits an interception of a communication passing over a telecommunications system without the knowledge of the sender of the communication. However an email cannot be said to be passing over a telecommunication system once it becomes accessible by the intended recipient even if the message has not yet been read.  Employers who monitor employee emails should ensure that they do not intercept email messages until this point.

An organisation  bound by the NPPs may be exempt where the ‘employee records exemption‘ applies. (s5F(1)(b) Act).  To work out whether the exemption applies to emails sent or received by the employee the following factors should be considered:

a) whether the entity monitoring the emails and performing other IT functions is the same legal entity that directly employs the employee. If they are not the exemption doesn’t apply.
b) whether the monitoring can be said to be an act or practice that is ‘directly related‘ to the employment relationship in the circumstances and
c) whether the emails monitored are ’employment records’ in the sense that they relate  to the employment relationship.

Reasonable steps‘ should be taken to mean providing employees with certain information regarding when personal information is collected about them and other information complying with the NPPs, which may be brought to their notice in acceptable use policies or as part of their employment contract.

Spam Act

The Spam Act 2003 (Cth) provides for an opt in regime where individuals can consent to commercial emails being sent to them.  In addition to the  requirements set out above, there is also  a prohibition on the use of electronic address-harvesting software and address lists generated using such software. Email lists are offered for sale over the internet and often do not contain correct or up to date information and have been obtained from email harvesting software.

What is a commercial email message?

There is a preliminary question as to whether a message qualifies as a commercial electronic message, and this will depend on whether the purpose or one of it’s purposes was to advertise or offer for sale goods or services.   The content of the message, it’s presentation including other content located using the links and information in the body of the email can be relevant to this question.

A commercial email message must be an electronic message under s5 and whilst voice calls are excluded, the ACMA recently issued an Infringement Notice in respect of missed marketing call messages. These involve the sending of short duration calls to mobile phones leaving a missed call SMS.  When the mobile phone owner returns the missed call they receive marketing information from the maker of the missed call.  Such SMS messages would be considered an electronic message.

For the purposes of the Act consent can be expressly given but  also  reasonably inferred from the conduct, business and other relationships of the individual or organisation concerned. Consent isn’t to be inferred  merely from the publication of a recipient’s email address. It can however be inferred if the address was prominently published and it would be reasonable to assume that the address was published with the addressee’s consent.

The ACMA states that cold calling or the sending of an email to ask the recipient if they would like to receive further emails is prohibited under the Act unless express or inferred consent to receiving emails already exists. Consent may not always be inferred from a pre-existing relationship between the sender and recipient particularly if only a one off transaction was involved.  Pre-ticked check boxes for example on a website where people can join a mailing list are not an acceptable way of gaining consent for receiving electronic messages.

eMarketing Code of Practice

As stated above where the  Code applies to a business, it will need to comply with a number of additional requirements to those under the Spam Act such as providing more comprehensive contact information in each message sent, including a registered or legal address which cannot be a PO box or virtual office.  The business must provide an ABN, fixed line telephone number and contact details to which enquiries or complaints may be directed.  (Rule 7.1.2).  The organisation must maintain sufficient and proper records of any consents to receive messages given by account holders. (r3.1).  The organisation must not use an ‘invite or recommend your friends’ method of gathering addresses unless such practices are in compliance with the Code. (rule 6).  There are other obligations contained within the Code which should be consulted where it applies to your organisation.

The Importance of Trust in eCommerce

Those who are engaged in e-commerce will be aware of how important respecting end users’ privacy interests is in dealing with their personal information.

Related to privacy are security concerns which are a distinct but related concern in the realm of information privacy online.  Secure payment mechanisms are discussed elsewhere on this website.

Appropriate security safeguards for personal information consider aspects of physical security, computer and network security, communications security and personnel security.  The openness of computer networks creates unique problems relating to confidentiality, the accurate identification and authentication of transacting parties and the building of trust which is essential  in an electronic business environment.

When selling goods or providing services to consumers in e-commerce you should consider providing consumers with electronic payment systems, secure payment mechanisms offering services with  appropriate levels of security for transactions where sensitive information is exchanged.

You should also clearly explain  the security and authentication methods you use so users can meaningfully assess any risks they are exposing themselves to when deciding whether to supply confidential information to you. ‘Authentication mechanisms’ are the tools and techniques for establishing the validity of a claimed identity of a user, device or another entity.

If you are entering into  internet contracts in assessing  security levels the first thing you should do is assess the  level of security required. If a business is accepting payments it should consider a higher level of security and there are professional electronic payment gateways who provide these services.

There are many forms of encryption an organisation can use from SSL (secure socket layer) to PKI (public key infrastructure). The significance of the Electronic Transactions Act  was discussed in the section dealing with contract formation.  As the legislation is ‘technologically neutral’  it does not require any  particular form of electronic signature technology be used. This means there is some flexibility for businesses to  determine the particular technology they use which is appropriate for the transactions they conduct to verify signatures. However, the choice of a particular method must be as ‘reliable as appropriate in the circumstances’.

Electronic signatures range from a digitised version of a written signature, a PIN to biometric technology.  Cryptography can be used to implement electronic signatures, the primary aim of  cryptography being to ensure that communications are private. There is a difference between symmetric and asymmetric cryptographic systems and a distinction between electronic and digital signatures.

Even if your business is exempt from the Privacy Act, it is good practice to comply with the legal principles enshrined in the Act and foster a strong culture of privacy as studies demonstrate that trust, confidence and fears about privacy breaches are critical in the minds of consumers in building a relationship with an e-commerce provider.

Consumers and net users have registered the most intense concern about their personal privacy.  86% of consumers who had bought products and services over the net were concerned about privacy according to studies referred to by the Office of the Privacy Commissioner. 62% of consumers responded that they valued privacy over convenience when buying online. 70% of consumers cite privacy concerns as the primary reason for not registering demographic information, whilst 42.1% have falsified information at one time or another when asked to register their personal information with a website.

The potential for misuse can occur on a very large scale within a very short time on the internet, underscoring the importance of displaying a compliant privacy policy and adopting privacy enhancing technologies and practices. Personal information security breaches are not limited to external malicious actions, such as theft or ‘hacking’ of information, but also often occur in relation to  errors or organisational failures in adhering to good information handling procedures

Although the Privacy Act does not apply to most small businesses, it is generally advantageous for a  small business to ensure that they derive the benefits of having a website which complies with the legislation.  The benefits could include increased consumer confidence and trust in its operations through greater transparency about information handling practices. The Privacy Act also provides a mechanism to allow an organisation that is a small business to opt in to the Privacy Act

The Privacy Commissioner has issued a  guideline  with respect to  clickstream and web data to the effect that all website privacy policies should state what kind of data is collected by them about their users, and what use is made of it.    “Clickstream data” consists of information collected automatically and logged due to the nature of the communications protocols.

In the interests of transparency your website Privacy Policy should state what clickstream data is collected.  If you use cookies, your Privacy Policy and Statements should identify this. Cookies can be used to track individuals’ activities on websites, yet like clickstream data, may not necessarily conform to the  Privacy Act definition of personal information. Nonetheless some internet users consider them to be intrusive so if you use cookies it is strongly recommended that the Privacy Statement or Policy state that they are used and for what purpose.

There is  a degree of  interaction between the Spam Act 2003 and the Privacy Act 1988, and  a number of regulatory agencies which have responsibilities to comply with Industry Codes of Practice.  Breaches of privacy often result from the proliferation of spam. The Internet Industry Association (IIA) deals with these through it’s Internet Spam Code of Practice referred to above.  The Code applies to carriage service providers and email service providers that fall within the relevant definitions under the Telecommunications Act and are involved in the  generation, transmission or delivery of spam.

Consumers would for example have a right to complain to the Privacy Commissioner if for example spam appears to be the result of misuse of personal information.  Where spam contains material which  contains misleading and deceptive material or material that is likely to mislead or deceive or otherwise contravenes the Trade Practices Act, the relevant complaints body would be the ACCC.  On the other hand in the event of a breach of the Code by a service carriage provider a complaint may be lodged with the Telecommunications Industry Ombudsman. (TIO)

Enforcing  privacy rights on the internet

There are many privacy risks associated with the internet and there are  gaps in the legal protection of privacy online which may not be fully protected by the present regulations and common law in Australia.  The legal regime in Australia deals mostly with the protection of  ‘information privacy’.

Social networking has become an extremely popular online activity that allows people to  socialise online, send messages to one another, share interests and information, chat, and post information, photos and videos. It is easy for people lose control over their personal information even if they don’t actively partake in using the internet.  The internet can be used as a tool to bully, harrass, blackmail and defame a person or corporation. There may be other laws which may be able to protect you in the latter situation.

If you have a privacy related complaint you should contact the site to explain the nature of your problem.  Depending on the circumstances you may also have recourse to make a complaint under the Privacy Act.  However, not all privacy invasive disclosures are necessarily covered by the Privacy Act and the best protection against privacy invasive disclosures is often education and awareness, coupled with the use of best practice practices.

Leave a Reply

Your email address will not be published. Required fields are marked *