Mandating standards?

10.100 The term ‘standardisation’ can refer to consistency and interoperability between technical systems. Standards also require compliance with particular specifications and procedures that are intended to produce appropriate levels of safety, privacy or security.[136]

10.101 Local and international bodies are continuing to develop standards on privacy and security issues such as identification, authentication and encryption. Agencies and organisations may have little incentive to comply with standards, however, where there are no effective enforcement mechanisms. For example, it was noted recently that 83% of large merchants using Visa were not in compliance with the Payment Card Industry (PCI) Data Security Standard.[137] In addition, a proliferation of local and international standards for technologies such as voice over internet protocol (VoIP) and RFID can result in inconsistent privacy and security protection for individuals.

10.102 In DP 72, the ALRC proposed that the Privacy Act be amended to empower the minister responsible for the Privacy Act, in consultation with the OPC, to determine which privacy and security standards for relevant technologies should be mandated by legislative instrument.[138]

10.103 In making this proposal, the ALRC’s intention was to promote the incorporation of security mechanisms and PETs in the design stage of technical systems. Empowering the minister to determine relevant standards would not require the listing of privacy and security standards in the Privacy Act. Rather, the proposal would provide the minister with the discretion to mandate in regulations certain standards where he or she considered this to be appropriate.

Submissions and consultations

10.104 There was some support for this proposal.[139] Most stakeholders, however, opposed it. Stakeholders expressed concern that technical standards could quickly become outdated.[140] The Department of Human Services submitted that the proposed regulations would ‘constrain business improvement at a time when technology is rapidly changing’.[141] The Defence Signals Directorate suggested that a better instrument for determining privacy and security standards might be the regularly updated Australian Government Information Technology Security Manual (ACSI 33).[142]

10.105 Stakeholders were also concerned about the impact of the ALRC’s proposal on Australia’s technology industry. The Attorney-General’s Department noted that Australia plays a minor role in the global economy. The Department suggested that onerous regulation of security standards may impact negatively on the development of technical systems in Australia and make many globally-developed technical systems and products unavailable for use in Australia.[143] ACMA also submitted that the implementation of this proposal would require the Australian Government to consider its obligations under relevant free trade agreements and rules issued by the World Trade Organization.[144]

10.106 Other stakeholders agreed with the policy underpinning the proposal, but expressed concern about its operation. For example, the OPC submitted that mandating standards ‘might in some circumstances be consistent with the multi-faceted approach to protecting privacy in the context of new technologies’. Before it could support the proposal, however, the OPC indicated that it would require clarification and additional information on aspects of the scheme, such as monitoring and enforcing compliance.[145]

10.107 The Government of South Australia expressed concern that mandating standards in Australian Government regulations would lead to fragmentation and inconsistency for state and territory jurisdictions.[146]

ALRC’s view

10.108 Mandating standards in regulations could have unintended consequences in the face of rapid technological development. The proposed standards-making mechanism is likely to be too inflexible, with the regulations fast becoming outdated. Compliance with the proposed regulations is also likely to impact negatively on the availability of technical systems in Australia.

10.109 The ALRC remains committed to the policy goal of ensuring that privacy and security safeguards are incorporated into systems design. The early incorporation of privacy and security safeguards in technical systems is fundamental for the optimal protection of personal information handled by these systems.

10.110 In DP 72, the ALRC provided an overview of relevant privacy and security standards made by domestic and international standards-making bodies.[147] The ALRC also notes that ACSI 33 provides a useful reference for determining relevant privacy and security standards. The OPC, in carrying out its functions under the Privacy Act, should refer to the work of agencies such as the Defence Signals Directorate and national and international standards bodies. In particular, the OPC should play a proactive role in educating and providing guidance to those designing technical systems about the importance of complying with relevant standards in the design of those systems.

10.111 Relevant standards issued by national and international bodies also should be an essential consideration in the PIA process. As discussed above, PIAs are an important proactive mechanism through which to ensure that privacy and security safeguards are taken into account in the development of new projects.

[136] It has been noted that information security is increasingly relevant to privacy: P Cullen, T Hughes and M Crompton, Consultation PC 19, Sydney, 8 May 2006.

[137] D Rosenblum, ‘Achieving PCI Compliance with Storage Security Systems’ (2007) (1) Computer Technology Review <www.wwpi.com>.

[138] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 7–2.

[139] See, eg, Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; National Australia Bank, Submission PR 408, 7 December 2007.

[140] See, eg, Australian Government Department of Human Services, Submission PR 541, 21 December 2007; National Legal Aid, Submission PR 521, 21 December 2007.

[141] Australian Government Department of Human Services, Submission PR 541, 21 December 2007.

[142] Foreign Intelligence Agencies of the Australian Intelligence Community, Submission PR 466, 13 December 2007.

[143] Australian Government Attorney-General’s Department, Submission PR 546, 24 December 2007. See also BPay, Submission PR 566, 31 January 2008; Australian Government Department of Broadband, Communications and the Digital Economy, Submission PR 512, 21 December 2007.

[144] Australian Communications and Media Authority, Submission PR 522, 21 December 2007.

[145] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[146] Government of South Australia, Submission PR 565, 29 January 2008.

[147] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [7.58]–[7.63].