This is the third post in this series about privacy in the digital world. The first post centered on general concepts of privacy in the EU and the US; the second looked at a US citizen’s rights in this area. Today, we will examine the legal protections for Australians and New Zealanders.
The Australian and New Zealand legal position regarding data privacy is quite advanced. For example, Australia has seventeen principles enshrined in law as Schedule 1 of the Privacy Amendment (Enhancing Privacy Protection) Act 2012, which built upon the fairly solid position contained in the Privacy Act 1988.
The Australian principles are based on the Organisation for Economic Co-operation and Development’s 1980 report titled “Recommendation of the Council Concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data.”
The original 1988 act laid the foundation for personal data protection, which allowed for an Australian citizen or resident to know why personal information was being gathered and how and by whom it would be used. It also granted the right to not identify oneself or to use a pseudonym for certain situations, and more importantly, it granted the right to access one’s personal information, ask that it be corrected, and ask to be removed from direct mailing lists. Additionally, it granted the right to make a complaint about any entity that is covered by the Privacy Act, if a person feels that their personal information has been mishandled.
Like European legislation, the act notes what organizations are subject to control and, more importantly, which are exempted from that control. Interestingly, this includes government agencies, including public hospitals and health care facilities as well as public educational establishments.
There are also some exceptions regarding employee records and political parties. This raises some interesting questions about the efficacy of Australian privacy laws. A broad band of excluded entities effectively have carte blanche to hold any information about a private individual—be it truth, hearsay, or fiction—with no obligation to ascertain the information’s factual status or even to admit to holding that information in the first place.
New Zealand’s Privacy Act, by contrast, has twelve principles. These are also based on the OECD report, and the law follows the more common UK or European approach to data privacy rather than the loose US approach. As with Australia, there are some interesting exemptions.
The New Zealand Privacy Act’s twelve Information Privacy Principles (IPPs) can be categorized into four sections. The first four concern the collection of personal information. Principle five covers storage and security obligations. Principles six and seven relate to obtaining access to and correction of personal information. The final five IPPs relate to the use and disclosure of personal information.
Again, the more important principles contain a lengthy list of exceptions to the basic principle. For example, principle two states that where an agency collects personal information, the agency shall collect the information directly from the individual concerned. This is in common with the Australian principle. Also in common, noncompliance is permissible where, for example, the personal information is publicly available, there is a preexisting authorisation granting the collection of the information from someone else, noncompliance would not prejudice the interests of the individual and compliance would prejudice the purposes of collection, or compliance is not reasonably practicable in the circumstances of the particular case. This is by no means a complete list of the circumstances in which noncompliance is permissible.
I cannot help but be concerned by the number of permitted exceptions to some of the core principles. For example, the exceptions outlined in principle two are so broad that it would be simple to argue that any collection of information is authorised.
Personal privacy and personal data privacy is coming under attack across the world under the guise of security. Government organisations are gaining sweeping powers to obtain, hold, and deny knowledge of personally held information under the auspices of national security. I am not sure that I am altogether comfortable with that.