Oversight powers of the OPC

Research and monitoring

10.33 The OPC has two research and monitoring functions that are relevant to the regulation of new and developing technologies. These are to:

  • conduct research and monitoring into data processing and computer technology (including data-matching and data-linkage) to ensure that any adverse effects of such developments on the privacy of individuals are minimised, and to report to the Minister the results of such research and monitoring;[42] and

  • monitor and report on the adequacy of equipment and user safeguards.[43]

Expert panels

10.34 In Chapter 46, the ALRC recommends that the OPC be empowered to convene expert panels to assist with the carrying out of its functions under the Privacy Act.[44] In DP 72, the ALRC suggested that such a panel could include experts in information and communication technologies.[45]

10.35 The Australian Government Attorney-General’s Department suggested that any expert panel convened by the OPC should work closely with existing government networks and committees:

The proposed expert panels appear to be very close to the IT Security Expert Advisory Group of the Trusted Information Sharing Network for Critical Infrastructure Protection. This new proposed panel may also impact upon responsibilities of the E-Security Policy and Coordination (ESPaC) committee chaired by CIP [Critical Infrastructure Protection] Branch.[46]

10.36 The ALRC agrees that the OPC should be informed by the work of relevant government bodies when carrying out its function to research and monitor information and communication technologies. This process would be complemented by active engagement with international data protection networks. Along with participation in international fora, advice from a range of experts will assist the OPC to carry out its research and monitoring function and other powers and functions relevant to developing technology.

Privacy-enhancing technologies

10.37 In DP 72, the ALRC proposed that, in exercising its research and monitoring functions, the OPC should consider technologies that can be deployed in a privacy-enhancing way by individuals, agencies and organisations.[47]

10.38 This proposal was strongly supported.[48] The Office of the Victorian Privacy Commissioner (OVPC) noted the proposal’s focus on technology deployment, and submitted that ‘the same technology can be either privacy enhancing or extremely privacy intrusive, depending on how it is used: e.g. biometrics smartcards’.[49] The Department of Finance and Deregulation submitted that the use of PETs by agencies is important ‘to protect privacy and instil public confidence in government [Information and Communications Technology] services’.[50]

10.39 The Cyberspace Law and Policy Centre was concerned that the ALRC’s proposal did not address privacy-invasive technologies. The Centre also submitted that:

The Office of the Privacy Commissioner should pay special attention to technologies that appear to be privacy enhancing, however only offer minimal protection. For example, ‘privacy seals’ have been used as an example of technology utilised mainly to offer the illusion of privacy rather than true privacy protection. The Platform for Privacy Preferences (P3P) was also once lauded as a PET, but has been criticised widely and does not seem to have advanced.[51]

10.40 The ALRC notes that the OPC is already required by the Privacy Act to research and monitor technological developments to ensure that any adverse effects of such developments on the privacy of individuals are minimised.[52] This requires research into and monitoring of privacy-invasive technologies, and technologies that may be used in a privacy-invasive way.[53]

10.41 In the ALRC’s view, in addition to considering technologies that have an adverse impact on privacy, the OPC should consider PETs when exercising its research and monitoring function. In particular, the function to research and monitor user safeguards could be relied on to support research on PETs such as online authentication and identity management systems. In exercising this function, the OPC should consult with experts and other relevant stakeholders. The OPC should also be aware that the privacy-enhancing aspects of some technologies may be overstated, and that frequently it is the way in which technology is deployed that determines whether it is privacy enhancing or invasive.

Recommendation 10-1 In exercising its research and monitoring functions, the Office of the Privacy Commissioner should consider technologies that can be deployed in a privacy-enhancing way by individuals, agencies and organisations.

Education

10.42 The OPC is also required to undertake and coordinate educational programs for the purposes of promoting individual privacy.[54] In DP 72, the ALRC noted that the technical expertise attained by the OPC in exercising its research and monitoring functions could form the basis of educational programs. The ALRC proposed that the OPC should educate individuals, agencies and organisations about specific privacy-enhancing technologies and the privacy-enhancing ways in which technologies can be deployed.[55]

Submissions and consultations

10.43 Some stakeholders supported this proposal.[56] The Cyberspace Law and Policy Centre suggested that the OPC should also educate individuals, agencies and organisations about ‘PETs that only provide a minimal degree of privacy protection’.[57]

10.44 The OVPC submitted that, to ensure national consistency, the proposed education programs should be conducted in consultation with Privacy Commissioners in other jurisdictions.[58] It also submitted that, when conducting education programs, ‘care should be taken to preserve against seeming to endorse specific products and manufacturers’.[59]

10.45 Some stakeholders noted that education programs on privacy and information security are already conducted by agencies. The Australian Government Department of Broadband, Communications and the Digital Economy stated that the Stay Smart Online website ‘provides information to home and small business users on how to improve their security, and subsequently their privacy, when online’.[60] The Attorney-General’s Department noted the overlap between privacy and information security, and expressed concern that the implementation of the ALRC’s proposal would require significant resources and duplicate work.[61]

ALRC’s view

10.46 The OPC and relevant stakeholders should conduct education programs which focus on specific, useful PETs and the privacy-enhancing ways in which technologies can be deployed. Such education programs should be directed towards those designing technical systems; agencies and organisations that use the systems to deliver services; and individuals that use such systems.

10.47 Appropriate consultation between the OPC and other agencies will avoid the problems of duplication of work highlighted by the Attorney-General’s Department. Awareness by the OPC of relevant education programs conducted by other agencies is necessary to ensure that resources are used in a targeted and efficient way.

10.48 The ALRC also recommends that, to promote awareness of personal privacy and respect for the privacy of others, state and territory education departments should incorporate education about privacy and, in particular, privacy in the online environment, into school curricula.[62]

Recommendation 10-2 The Office of the Privacy Commissioner should develop and publish educational materials for individuals, agencies and organisations about specific privacy-enhancing technologies and the privacy-enhancing ways in which technologies can be deployed.

[42] Privacy Act 1988 (Cth) s 27(1)(c). In Ch 47, the ALRC recommends that the first function be amended to remove the word ‘computer’ to make it clear that the OPC’s research and monitoring function is not limited to computer technology: Rec 47–1.

[43] Ibid s 27(1)(q). See Ch 47 for a detailed discussion of the existing and proposed powers and functions of the OPC.

[44] Rec 46–5.

[45] In addition, the OPC is required to include on its Advisory Committee a member with extensive experience in ‘electronic data-processing’: Privacy Act 1988 (Cth) s 82(7)(c). In Ch 46, the ALRC proposes that the term ‘electronic data-processing’ in s 82(7)(c) be replaced with the term ‘information and communication technologies’: Rec 46–4.

[46] Australian Government Attorney-General’s Department, Submission PR 546, 24 December 2007.

[47] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 7–3.

[48] See, eg, Unisys, Submission PR 569, 12 February 2008; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; P Youngman, Submission PR 394, 7 December 2007.

[49] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[50] The Department noted that it conducted research into PETs in 2006 and suggested that it could assist the OPC in researching and promoting the use of PETs by agencies: Australian Government Department of Finance and Deregulation, Submission PR 558, 11 January 2008.

[51] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[52] Privacy Act 1988 (Cth) s 27(1)(c).

[53] The impact on privacy of several technologies is discussed further in Ch 9.

[54] Privacy Act 1988 (Cth) s 27(1)(m).

[55] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 7–4.

[56] Australian Government Department of Finance and Deregulation, Submission PR 558, 11 January 2008; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Australasian Compliance Institute, Submission PR 419, 7 December 2007; P Youngman, Submission PR 394, 7 December 2007.

[57] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[58] In Ch 17, the ALRC recommends that, when an Australian Government agency is participating in an intergovernmental body or other arrangement involving state and territory agencies that handle personal information, the Australian Government agency should ensure that a memorandum of understanding or other arrangement is in place to ensure appropriate handling of personal information: Rec 17–1.

[59] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[60] Australian Government Department of Broadband, Communications and the Digital Economy, Submission PR 512, 21 December 2007.

[61] Australian Government Attorney-General’s Department, Submission PR 546, 24 December 2007.

[62] See Rec 67–3. In Ch 67, the ALRC discusses different attitudes to privacy held by members of different generations.