Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSE2500 Systems Security and Privacy Week 11 Privacy Law in Australia (after 2000)

Similar presentations


Presentation on theme: "CSE2500 Systems Security and Privacy Week 11 Privacy Law in Australia (after 2000)"— Presentation transcript:

1 CSE2500 Systems Security and Privacy Week 11 Privacy Law in Australia (after 2000)

2 No general right to privacy ie no right to be left alone Privacy laws protect invasion of privacy via abuse or disclosure of intimate personal data

3 Definitions of protected data “Personal data” means any information relating to an identified or identifiable individual (data subject) OECD Guidelines Governing Protection of Privacy and Transborder flows of Personal data 1980 “personal information” means information or an opinion (including information or an opinion forming part of a database) whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent or can reasonably be ascertained, from the information or opinion. Australian Privacy Act 1988 (Cwth)

4 Development of privacy law Need to consider privacy protection was recognised by Organisation for Economic Co-operation and Development (OECD) in 1960 because of the development of automatic data processing which enables vast quantities of data to be transmitted within seconds across national frontiers and continents. The OECD warned that there was a danger that differences in national legislations could hamper the free flow of personal data across frontiers and that restrictions on these flows could disrupt sectors of the economy such as banking and insurance. OECD Member countries considered it necessary to develop guidelines which would help harmonise national privacy legislation, uphold human rights and also prevent interruptions to international data flows.

5 Guidelines on Protection of Privacy & Transborder flows of personal Information were adopted by the OECD on 30 September 1980, contained 8 basic principles: 1. Collection limitation 2. Data quality 3. Purpose specification 4. Use limitation 5. Security Safeguards 6. Openness 7. participation 8.Accountability

6 Australia enacted the Commonwealth Privacy Act 1988. Legislation applied originally to the government “agencies” eg Cwth Ministers, departments, Federal court and the Federal police, telecommunications. Act established office of Federal Privacy Commissioner; and 11 Information Privacy principles (IPPs) These varied or added to 8 EU principles eg required that a government department publish information about the records kept and what the data is used for. Amended in 1990 to cover the credit reporting industry, banks and building societies Did not apply to state agencies or to business except where either used data protected by the Act eg Universities would acquire data from Commonwealth for research purposes.

7 Information Privacy Principles (IPPS) 1. Manner and Purpose of collection Information must be collected for a lawful purpose by fair and lawful means 2. Solicitation of personal information from individual concerned Have to make sure individual is aware that the information has been collected. 3. Solicitation of information generally Information must be relevant to the purpose, up to date and complete and must not intrude unreasonably upon an individual’s affairs. 4. Storage and security of information A record keeper must ensure that the record is protected and do everything within the record keeper’s powers to prevent unlawful use or disclosure of the information. 5.Information relating to records kept by a record keeper Record keeper must take steps to enable a person to ascertain what information is in the record keeper’s possession and the purpose for which it is used. Obligation on a record keeper to keep certain records.

8 Information Privacy Principles (IPPS) 6.Access to records contrary to personal information An individual is entitled to have access to personal information. 7. Alteration of records contrary to personal information An individual has a right to have a record amended if incorrect. 8.Record keeper to check accuracy of personal information before use A record keeper must take such steps (if any) as are reasonable to check the information before use. 9.Personal information to be used only for relevant purpose 10. Limits on use of personal information Personal information cannot be used other than for the purpose for which it was collected unless the individual consents or the record keeper believes the disclosure is necessary to protect the life or health of the individual or another person. 11.Limits on disclosure of personal information A record keeper must not disclose information to a third party unless the individual concerned was reasonably aware that this would be done when the information was collected, or the individual has consented, or the disclosure is necessary to protect life or health.

9 Act prohibits interferences with privacy “Interference” means a breach of the: -IPPs; or a breach of -Provisions relating to tax file numbers -Provisions relating to credit reporting -Data Matching Program (Tax Assistance) Act 1980 -National Health Act

10 European Union Data protection Directive, took effect 25 October 15 member states required to enact comprehensive privacy legislation to implement personal data policies to include: Transparency – Purpose limitation – Data quality - Data transfer – Special protection for sensitive data Government authority – Data controllers – Individual redress -

11 Conflict between European and US theories on privacy. US sees EU Privacy Directive as to centralized rigidly bureaucratic and expensive to implement, prefers self- regulation Might be a non tariff barrier to free trade and lead to data trade war. Doubt that it be enforced in today’s commercial environment. Negotiated compromise approved by EU in 2000 EU Privacy “Safe harbour” under which US entities can continue to collect and process data from EU by promising to implement ‘adequate’ privacy safeguards. US entities self certify that they will comply with the 7 safe harbour principles.

12 Privacy Amendment Act “interferences” with privacy means a breach of NPPs or a registered code of practice by an “organisation”. An Organisation means -An individual -Body corporate -Partnership -Other unincorporated association -A trust That is not a small business, a registered political party, or an agency of the Commonwealth, a state or territory

13 Australian response to EU Directive Enacted Privacy Amendment (Private Sector) Act 2000 to extend the Privacy Act to the private sector. Does not apply to small business (yet!) Turnover has to be over 3 million pa. Act contains 10 National Privacy principles (NPPs) These are business oriented version of the IPPs – which still apply to the government sector.

14 National Privacy Principles (NPPs) 1.Collection Necessary & fair, from individual direct if possible, let individual know how to gain access 2. Use and disclosure Use only for the primary purpose/secondary purpose or with consent. Provides some exceptions eg use of health information for research where impracticable to get consents, release of information to a law enforcement agency investigating a crime, disclosure of health information to carer

15 3. Data quality 4. Data security Have to de-identify information or destroy * information when no longer needed 5. Opennesss Have to have policy on management of * personal information & make document available*

16 6. Access & correction There are a number of exceptions to openness eg where * release of health information to individual would pose a threat to life or health, legal proceedings, would have to reveal commercially sensitive evaluative information, request is frivolous or vexatious. 7.Indentifiers An organisation must not adopt an identifier used by an * agency or an agency acting as an agent as it’s own identifier and must not use or disclose another agency’s identifier. 8. Anonymity* Wherever practicable, individuals would have opportunity to give information anonymously

17 9.Transborder flows * An Australian organisation may only transfer personal information to someone in another country if the recipient is subject to some binding law or scheme that protects privacy or the individual consents to the transfer or the transfer is necessary to perform the contract between the individual and the organisation Eg Monash’s external campuses/student data has to be transferred in order for results to be processed. 10. Sensitive information An organisation must not collect sensitive information unless the individual consents/ it is required by law etc

18 State legislation Victoria and NSW have introduced Privacy legislation. The Information Privacy Act 2000 (Victoria) applies to state government Departments. Ministers of the state Crown, courts, police – and universities set up under state legislation. Contains 10 Information Privacy Principles (IPPs) very similar to the 10 NPPs in the Federal Act. The Health Records Act 2001 (Victoria), protects privacy of health records Contains 11 Health privacy Principles (HPPs)

19 OECD Principles National Privacy Principles http://www.privacy.gov.au/publications/ … … npps01.htm http://www.privacy.gov.au/publications/


Download ppt "CSE2500 Systems Security and Privacy Week 11 Privacy Law in Australia (after 2000)"

Similar presentations


Ads by Google