Privacy Awareness Week
Privacy Training Program
Protecting Genetic Information
Education and Training Needs Survey Results
BOTPA Blooper - Fines recovery and Privacy
Regular Features
Privacy Awareness Week
This year Privacy NSW is launching the inaugural Privacy Awareness Week from 25-29 August 2003. It is the first time this has taken place in NSW and coincides with the Victorian Privacy Awareness Week.
This year’s NSW Privacy Awareness Week is starting with the public sector. Agencies are receiving a free on-line training program as well as new materials on how to explain what ‘privacy’ is in everyday language. Privacy Contact Officers have also been encouraged to organise events within their own organisations. We hope that next year’s Privacy Awareness Week will have a larger scope and aim to reach wider and more diverse parts of the community.
So, enjoy Privacy Awareness Week and do send us your news and feedback so that we can make next year’s event bigger and better.
You will probably have noticed that our newsletter has a new format. Need to Know will now be coming to you every 3 months in this format. We would love to receive any comments, suggestions or feedback you may have.
Regards,
Anna Johnston
Deputy Privacy Commissioner
New Interactive Privacy Training Program
Barbara Perry MP, Member for Auburn, launched a new interactive Privacy Training Program last week on behalf of the Attorney General. Robert Wheeler, Deputy-Director General, Department of Commerce demonstrated the features of the Program, which was a joint initiative of Privacy NSW and the Office of Best Practice Information Technology and Corporate Services in the Department of Commerce.
The program is highly interactive and aims to help government employees (both State and Local) to implement the Privacy and Personal Information Protection Act (PPIP Act). It provides all staff with some basic training in the operation of the PPIP Act, enabling them to test their understanding, at their own pace and at their desks.
Its features include the ability to ‘bookmark’ progress so users can begin from the same point at the next session. It also allows users to record comments with a view to improving their organisation’s privacy policies. Users who complete the course can print up their own certificate of achievement.
A copy of the program has been sent to all NSW public sector agencies and local councils. The program is installed on the server, which means that multiple users in the one organisation can use the program at the same time.
For more information and a demonstration of the Program:
See our website.
Protecting Genetic Information
A recently released report on protecting genetic information aims to strike a balance between scientific progress and the protection of privacy. The report, 1200 pages long and containing 144 recommendations, was jointly released by the Australian Law Reform Commission and the Health Ethics Committee after two years’ preparation.
The report recommends that:
- Privacy laws should be harmonised and tailored to address the particular challenges of human genetic information;
- A standing Human Genetics Commission of Australia (HGCA) should be established to provide high-level, technical and strategic advice;
- Employers should not be permitted to collect or use genetic information - except in rare circumstances;
- DNA parentage testing should be conducted only with the consent of both parents, or with a court order.
Privacy NSW provided extensive input into this report during its conception phase. Our views and advice were taken into account, especially in the sections dealing with “Information and Health Privacy Law” and “Privacy of Genetic Samples”.
The report has been well received in the wider community, by family lawyers, geneticists and representatives of life insurance companies and other organisations affected by the legislation.
See Privacy NSW’s submissions to the report at our website.
See the report at www.alrc.gov.au
Results of the Education and Training Needs Survey
We have been overwhelmed by the response to our Education and Training Needs Survey which was sent out to all our Privacy Contact Officers in early July. The aim of the consultation was to feed into the new series of education and training materials that we will be developing.
The results of the consultation have been conclusive. Nearly 80% of the respondents stated that they would like to receive training on privacy legislation. More than 60% of Privacy Contact Officers are also FOI officers, and the overwhelming majority favoured having joint FOI/Privacy meetings.
Other comments and suggestions included:
- The need for more plain, simple guides to the Act;
- The need for more training, including in regional areas;
- Local government agencies expressed the need to explain the PPIP Act in relation to FOI and the Local Government Act; and
- The need for more concrete examples of the Act in practice and simple Q & A’s.
BOTPA Blooper – Fines recovery and Privacy
What is a BOTPA Blooper?
The phrase, coined by the New Zealand Privacy Commissioner, means “Because Of The Privacy Act” and refers to cases where privacy legislation is inaccurately or unfairly blamed for certain events or behaviour. For example…
Claim: From 27 June to 2 July 2003, in a series of articles and letters to the Editor in the Daily Telegraph, the operations of the State Debt Recovery Office (SDRO) were criticised. The allegations included failure to check the identity of a fine recipient, failure to check whether the fines had already been paid, and failure to check that the person was still alive. It was suggested by some commentators (not the SDRO itself) that “privacy law” was the cause of these failures.
Fact: Privacy laws in NSW ensure that government departments act fairly in the way in which they collect, store, use and disclose our personal information. One of the main principles of privacy protection is ensuring the accuracy of information held and used by government agencies.
Privacy laws do not prevent organisations such as the SDRO from ensuring their information is accurate before they act upon it. In fact, the law aims for the opposite. Under IPP 9 (s.16 of the PPIP Act) the SDRO, like all public sector agencies, is obliged to not use personal information without first taking reasonable steps to ensure that the information is relevant, accurate, up to date, complete and not misleading.
Both the Fines Act and the PPIP Act allow the SDRO to collect personal information from other government sources, such as the RTA, to ensure their information is correct before fines are issued. Nor do the privacy laws prevent those other government agencies from providing their information to the SDRO, where the disclosure is lawfully authorised, lawfully required, or permitted under another Act.
Regular features
Privacy in the News
Spam gets slammed
Has anyone tried to sell you Viagra lately? If they have, you have probably received one of the tens of millions of spam emails which fly around the planet every day. The federal government is proposing anti-spam legislation in an attempt to stop the flow of this intrusive electronic junk mail. However, recent studies have shown that over 99% of these emails come from overseas. What is becoming a recognised global problem will need a global solution.
Closer to home, new rules were recently introduced to control SMS spam. The Australian Direct Marketing Association has put into place a new Code of Practice which requires companies to have clear permission before sending marketing messages to phones. The Australian Communications Authority has also set up a Code which holds the telecommunications companies responsible for any misuse of their networks.
(Sydney Morning Herald, 23/06/03, 24/06/03 and 08/07/03)
Medical records in prankster’s hands
We recently came across this story from the United States. A nurse took her teenage daughter with her to visit her mother in the hospital where the nurse happened to work. During the visit, the teenager approached a computer terminal and got into the hospital’s database of patient files. She then called female patients to announce to them that they were either infected with the HIV virus or pregnant.
After receiving one such call, one distraught young victim tried to get to her father’s gun to commit suicide. Her family fortunately stopped her.
(The Limits of Privacy, Amitai Etzioni, Basic Books, New York, 1999)
30 million say “No”
Nearly thirty million people have signed up to one of the biggest anti-telemarketing initiatives ever launched. The United States Federal Trade Commissioner’s anti-telemarketing service launched the “National Do Not Call Registry” at the beginning of July. Those who sign up for the registry have their phone number removed from telemarketing lists for 5 years, which guarantees to cut most, if not all, telemarketing sales calls. There were 28.7 million sign-ups to the service in the first month alone.
See http://www.ftc.gov
From the Tribunal
GV v Office of the Director of Public Prosecutions [2003] NSWADT 177 - Decided: 25 July 2003
GV was a police officer and was required to appear as an informant in a criminal trial. However the trial date coincided with GV’s convalescence after major surgery and the DPP sought to vacate the trial date. The Judge hearing the trial was not satisfied with the medical certificate provided by GV’s doctor and requested “a complete report” of GV’s condition. The DPP obtained a more detailed report from GV’s doctor without GV’s consent. In the Tribunal, GV argued that the DPP had breached its obligations under the PPIP Act by collecting the detailed medical report.
The Tribunal found that the DPP did not breach the PPIP Act because the information was collected in connection with proceedings in a court (s.23(2) of the PPIP Act). GV’s case illustrates some of the limitations of the PPIP Act for those involved in legal proceedings, including informants and witnesses, who wish to protect their personal information privacy.
GL v Director General, Department of Education and Training [2003] NSWADT 166 - Decided: 11 July 2003
GL was a teacher who was transferred to a new school. The Department faxed a report to the new school principal “for (his) information”. The report was about a complaint received from a parent at GL’s old school. GL argued in the Tribunal that the Department had failed to check the accuracy of the report before sending it to the new principal. GL also argued that the Department breached the restrictions on disclosure of information, including sensitive information, under the PPIP Act. The Tribunal held that the Department had ‘used’ information by faxing it but had not breached section 16 of the Act. GL’s application was therefore dismissed.
However, agencies should note that the Tribunal determined that it is not precluded from reviewing conduct against a particular Information Protection Principle or provision of a Code of Practice merely because the applicant fails to identify an IPP, Public Register or Code provision in their application for Internal Review. Respondents should therefore check with applicants regarding the scope of the complaint if the application is not clear or if the applicant has not identified an IPP, Public Register provision or a Code provision.
Agencies are reminded that use of the “Privacy Complaint: Internal Review Application Form” may assist both applicants and your agency to clarify the scope of an application. You can download it from our web site and adapt it to your needs.
See our website.
Publications
New Privacy NSW web site address
We are changing our web site address. Please change your bookmarks to our new homepage address: http://www.lawlink.nsw.gov.au/privacynsw
Guidelines on Privacy and People with Decision-Making Disabilities
(formerly Guidelines on Consent and Capacity) are now on-line for public consultation. You can provide us with feedback on the second draft Guidelines until 19 September 2003.
See our website.
Fact Sheets - The 12 Information Protection Principles
As part of its education and training initiative, Privacy NSW will be issuing a new series of Fact Sheets. The first two fact sheets are now available and can be downloaded from our web site.
See our website.
General Code
In our last newsletter we mentioned that the Privacy Code of Practice (General) 2003, which commenced on 9 May 2003, is now available via our web site.
See our website.
Following some enquiries, we wanted to provide some explanation about the application of this Code. This “General” Code has few provisions at this stage, but provides a base on which future departures from the IPPs or Public Register provisions can be built. The Attorney General is still working on sector-wide codes covering research, investigations and inter-agency transfers.
The only provisions in the General Code to date deal with the Environment Protection Authority (EPA), the Roads and Traffic Authority (RTA) and the Sheriff’s Office.
Part 2 authorises the RTA to give vehicle registration information to the EPA so that they can give warnings to car owners/drivers if their vehicle is harming the environment. The warning does not amount to investigation or prosecution hence the need for a Code provision. Part 2 also authorises the Sheriff’s Office to verify car registration details with the RTA.
Part 3 tackles the question of making the EPA’s Public Registers available on the Internet. This provision recognises that it is in the public interest to report environmental offences, which in this case outweighs the privacy concerns. However, it has been agreed that the EPA needs to limit the publication of sensitive information.
What’s on
7 September 2003
Privacy Goes to the Movies - 4.00pm and 6:30pm at the Valhalla Cinema, Glebe Point Rd, Glebe. The Conversation and Gattaca will be screened. For more information, contact Larissa Shihoff at The Office of the Federal Privacy Commissioner - (02) 9284 9859
8 September 2003
The Body as Data International Conference, Privacy Victoria, Melbourne
8-9 September 2003
Surveillance and Privacy 2003: Terrorists and Watchdogs, Baker & McKenzie Cyberspace Law and Policy Centre, The University of NSW, Sydney
9 September 2003
FOI & Privacy Practitioners Network Seminar, The University of Sydney, Sydney
10-12 September 2003
The 25th International Conference of Data Protection & Privacy Commissioners, Sydney
See www.privacyconference2003.org
28 September - 3 October 2003
The 28th International Conference on Law and Mental Health, Sydney
20 November 2003
FOI/Privacy Practitioners Meeting, Parliamentary Theatrette, 9.30 am. All Privacy Contact Officers are welcome!