Part B—Developing Technology

10. Accommodating Developing Technology in a Regulatory Framework

Recommendation 10–1 In exercising its research and monitoring functions, the Office of the Privacy Commissioner should consider technologies that can be deployed in a privacy-enhancing way by individuals, agencies and organisations.

Recommendation 10–2 The Office of the Privacy Commissioner should develop and publish educational materials for individuals, agencies and organisations about specific privacy-enhancing technologies and the privacy-enhancing ways in which technologies can be deployed.

Recommendation 10–3 The Office of the Privacy Commissioner should develop and publish guidance in relation to technologies that impact on privacy. This guidance should incorporate relevant local and international standards. Matters that such guidance should address include:

(a) developing technologies such as radio frequency identification (RFID) or data-collecting software such as ‘cookies’;

(b) when the use of a certain technology to collect personal information is not done by ‘fair means’ and is done ‘in an unreasonably intrusive way’;

(c) when the use of a certain technology will require agencies and organisations to notify individuals at or before the time of collection of personal information;

(d) when agencies and organisations should notify individuals of certain features of a technology used to collect information (for example, how to remove an RFID tag contained in clothing; or error rates of biometric systems);

(e) the type of information that an agency or organisation should make available to an individual when it is not practicable to provide access to information in an intelligible form (for example, the type of biometric information that is held as a biometric template); and

(f) when it may be appropriate for an agency or organisation to provide human review of a decision made by automated means.

Recommendation 10–4 The Office of the Privacy Commissioner should develop and publish guidance for organisations on the privacy implications of data-matching.

11. Individuals, the Internet and Generally Available Publications

Recommendation 11–1 The Office of the Privacy Commissioner should develop and publish guidance that relates to generally available publications in an electronic format. This guidance should:

(a) apply whether or not the agency or organisation is required by law to make the personal information publicly available;

(b) set out the factors that agencies and organisations should consider before publishing personal information in an electronic format (for example, whether it is in the public interest to publish on a publicly accessible website personal information about an identified or reasonably identifiable individual); and

(c) clarify the application of the model Unified Privacy Principles to the collection of personal information from generally available publications for inclusion in a record or another generally available publication.

Recommendation 11–2 The Australian Government should ensure that federal legislative instruments establishing public registers containing personal information set out clearly any restrictions on the electronic publication of that information.