Technology-related amendments to the Privacy Act

10.114 This section focuses on the amendments to the Privacy Act that the ALRC recommends to ensure that the Act remains technology aware. In this section, recommended content of the model UPPs and the definitions relevant to technology are discussed.

The model UPPs

10.115 The model UPPs are intended to regulate personal information throughout the information-handling cycle. In formulating the UPPs, the ALRC addressed developments in technology by recommending several additions and amendments to the existing wording in the NPPs and IPPs. Part D contains a detailed examination of each UPP.

Anonymity and pseudonymity

10.116 In Chapter 20, the ALRC recommends that the privacy principle dealing with anonymity should also include a pseudonymity requirement that states that, when an individual is interacting with an agency or organisation, the agency or organisation must give the individual, where providing this option is lawful and practicable, the clear option of identifying themselves by a pseudonym.[152] Having the option to interact anonymously provides an individual with control over what information is collected about them by an agency or organisation, particularly in an electronic environment. It may not always be practicable, however, for an agency or organisation to interact anonymously with individuals. In these circumstances it may be practicable for an individual to interact with an agency or organisation using a privacy-enhancing pseudonym.

10.117 The ‘Anonymity and Pseudonymity’ principle is the first listed principle in the UPPs. It reflects

the idea that the lifecycle of information begins before collection, when organisations and agencies should consider the fundamental question of whether they need to collect personal information at all.[153]

Collection

10.118 In Chapter 21, the ALRC recommends that the ‘Collection’ principle in the model UPPs should provide that, where an agency or organisation receives unsolicited personal information, it must either: if lawful and reasonable to do so, destroy the information as soon as practicable without using or disclosing it except for the purpose of determining whether the information should be retained; or comply with all relevant provisions in the UPPs that apply to the information in question, as if the agency or organisation had taken active steps to collect the information.[154] This recommendation provides a mechanism for dealing with circumstances when an agency or organisation might inadvertently collect information—for example, when information passes over a system electronically.

10.119 The Privacy Act does not require agencies or organisations to obtain an individual’s consent before collecting non-sensitive personal information. Sensitive information is subject to greater restrictions and consent generally is required for collection. In IP 31, the ALRC asked whether there are categories of personal information that can be collected by new technologies that should only be collected with consent.[155] Some stakeholders submitted that consent should be obtained before the collection of information by RFID or biometric systems.[156] Several stakeholders, however, opposed the introduction into the ‘Collection’ principle of a requirement that an agency or organisation needs to obtain consent prior to the collection of personal information by certain technologies. They argued that such a requirement would be inconsistent with the technological neutrality of the Privacy Act.[157]

10.120 The OPC submitted that another approach may be to ‘increase protections for particular types of information rather than particular types of technology’.[158] The ALRC agrees with this approach. In Chapter 6, the ALRC recommends that biometric information, collected for certain purposes, should be included in the definition of sensitive information.[159]

Notification

10.121 Technologies such as RFID, optical surveillance devices and computer software can allow the collection of information about an individual from that individual without his or her knowledge.[160]

10.122 In Chapter 23, the ALRC recommends that, at or before the time (or, if that is not practicable, as soon as practicable after) an agency or organisation collects personal information about an individual from the individual, it must take reasonable steps to ensure that the individual is aware of, amongst other things, the fact and circumstances of collection where the individual may not be aware that his or her personal information has been collected—for example, how, when and from where the information was collected.[161] This will provide the individual with the knowledge that his or her information has been collected, and some understanding of how technology was used to collect it.

Identifiers

10.123 In Chapter 30, the ALRC notes that agencies increasingly use biometric information, including facial images, iris scans and fingerprints, as identifiers. The ALRC recommends, therefore, an amended definition of ‘identifier’ in the ‘Identifiers’ principle. The amended definition will make it clear that the definition includes biometric information that is collected for the purpose of automated identification or verification of identity.[162]

Data breach notification

10.124 In Chapter 51, the ALRC recommends that the Privacy Act be amended to include a new Part on data breach notification.[163] Breaches of data security are particularly relevant in the context of developing technology, given that technologies such as the internet can provide a vehicle for the widespread dissemination of personal information.

10.125 Generally, an agency or organisation would be required to notify the Privacy Commissioner and affected individuals when a data breach occurs that may give rise to a real risk of serious harm to any affected individual.[164]

Definitions in the Privacy Act

10.126 This section outlines the recommended amendments to definitions of terms in the Privacy Act that are relevant to technology. Detailed discussion of the following amendments is contained in Chapter 6.

Personal information

10.127 In IP 31, the ALRC asked whether the definition of personal information was adequate and appropriate in light of advances in technology.[165] The ALRC noted that, in some circumstances, information such as an individual’s internet protocol (IP) address, mobile telephone number, email address or biometric information will not be personal information because it does not enable the identity of an individual ‘reasonably [to] be ascertained from the information’.[166] In the context of RFID technology, it could be argued that information about tagged items in an individual’s possession may not be personal information if the identity of the individual cannot ‘reasonably be ascertained’. These types of information, however, may enable individuals to be monitored or profiled.

10.128 In Chapter 6, the ALRC recommends that ‘personal information’ be defined in the Privacy Act as ‘information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified or reasonably identifiable individual’.[167] The recommended amendment to the definition of ‘personal information’ means that once information can be linked to an individual—and that individual is able to be monitored or targeted—it would become personal information for the purposes of the Privacy Act. The recommended definition would mean that forms of electronic communication such as telephone numbers, email addresses or IP addresses will become personal information for the purposes of the Privacy Act, once a sufficient amount of other information accretes around such points of contact.

Sensitive information

10.129 In IP 31, the ALRC asked whether the definition of sensitive information should include types of personal information collected by new technologies.[168] There was substantial support in submissions for amending the definition of ‘sensitive information’ to include biometric information. In Chapter 6, the ALRC recommends that the definition of ‘sensitive information’ in the Privacy Act should be amended to include biometric information collected for the purpose of automated biometric verification or identification, and biometric template information.[169]

10.130 Biometric information shares characteristics with other types of sensitive information and should be subject to more stringent protection than non-sensitive personal information. Biometric information can be very difficult to replace once it has been accessed improperly. Further, biometric information may reveal other sensitive information about an individual, such as health, genetic, racial or ethnic information. The ALRC notes, however, that it is neither necessary nor practicable to classify all types of biometric information as ‘sensitive information’. The recommended definition is intended to address the most serious privacy concerns around the handling of biometric information.[170]

Record

10.131 In Chapter 6, the ALRC recommends that the definition of ‘record’ in the Privacy Act should be amended to include a document (as defined in the Acts Interpretation Act 1901 (Cth)) and information stored in electronic or other format. The Acts Interpretation Act defines a document to include an image, which covers photographs and other pictorial representations.[171]

[152] Rec 21–1.

[153] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[154] Rec 21–3.

[155] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), [11.126].

[156] Health Informatics Society of Australia, Submission PR 196, 16 January 2007; Electronic Frontiers Australia Inc, Submission PR 76, 8 January 2007.

[157] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Australian Federal Police, Submission PR 186, 9 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007; Microsoft Australia, Submission PR 113, 15 January 2007.

[158] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[159] Rec 6–4.

[160] Developing technologies are discussed in Ch 9.

[161] Rec 23–2.

[162] Rec 30–3.

[163] Rec 51–1.

[164] Rec 51–1.

[165] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 3–4.

[166] In terms of the definition of ‘personal information’ in Privacy Act 1988 (Cth) s 6(1).

[167] Rec 6–1.

[168] See Australian Law Reform Commission, Review of Privacy, IP 31 (2006), [11.124].

[169] Rec 6–4.

[170] The inclusion of certain types of biometric information in the definition of ‘sensitive information’ is discussed in Ch 6.

[171] Rec 6–6.