About PI - The Interim Report to Members 1990-1991
06/03/2005
PRIVACY INTERNATIONAL
(World Privacy and Data Protection Network)
INTERIM REPORT TO MEMBERS
1990-1991Privacy International
25th November 1991
Privacy International has been established to protect the peace, dignity and individual rights of people throughout the world. It seeks to raise awareness of violations of privacy rights, and to establish limits to the unreasonable surveillance of individuals. Privacy International is an independent, non-profit and non-partisan organisations that supports the principles of the Universal Declaration of Human Rights and the privacy principles of the Council of Europe and the OECD
Table Of Contents
Table of Contents 3
Convener's Message 4
Chairman's Message 6
Important notice for members 7
PART "A" : ORGANISATIONAL MATTERS 8
Overview of Privacy International 9
Objects and Functions 11
Meetings of Privacy International 12
Recent activities and campaigns 12
The people behind Privacy International 13
Background and history of Privacy International 16
- The justification for an international privacy network 17
- Aims and mandate of Privacy International 18
- Membership of non-OECD countries 19
- Membership of government officials 20
Structure and rules 21
Explanation of Functions 27
List of Committee and Working Group members 30
PART "B" : THE STATE OF THE WORLD'S PRIVACY 42
Overview of the state of the world's privacy 43
Country reports :
The United States 46
Canada 47
South Africa 48
Panama 49
Hungary 50
Australia 51
APPENDIXES
Special Report : New Zealand
Special Report : The Philippines
Special Report : Thailand
Special Report : The European Draft Data Protection directive
Membership form
CONVENER'S INTRODUCTION
Simon Davies
Convener
Privacy International
Sydney Australia
This report provides our first opportunity to communicate with all members of Privacy International, many of whom have patiently waited for eighteen months for a firm indication of the shape and direction that the organisation will take. I hope this publication will achieve that end, and that it will help to establish a firm structure for Privacy International.
As many of our members well know, Privacy International has survived an unusual and somewhat chaotic genesis. Rather than emerging from a structured process, as have a great many successful world-wide organisations, it has come about through a sort of spontaneous combustion. Members in several countries have worked in an informal manner to achieve resolution of the major issues.
The initial result, however, has surpassed our expectations. Over the past eighteen months, through a co-operative voluntary effort, we have established the most comprehensive and diverse group of privacy experts ever assembled. Experts and advocates from more than 40 countries are now involved. The network has created a much needed fusion between the new era of privacy (data protection and trans border data flow) and the more traditional area of physical and surveillance privacy.
In playing my own part in helping to establish Privacy International, I have been guided by the goal of cooperation rather than consensus. Virtually all privacy advocates agree that juridical approaches to privacy problems are unlikely to provide the sole solution, but it is equally true that an advesarial approach is only part of the answer. In the ideal world, advocates, activists and technocrats should be able to communicate, even if they never speak the same language. The international community should surely seek some degree of common ground before privacy violations become intractable. I have therefore kept foremost in mind two vital requirements, each of which I believe has successfully been reflected in our current development. First, privacy should not be regarded merely as data protection. Data protection appears to be quite clearly a sub set of privacy, and for the sake of maintaining clarity of the issues it should remain so. If all privacy matters were interpreted as data protection, solutions would generally be juridical and legal rather than being subjected to the broader range of influences. In addition, data protection surely cannot exist where there is no obtainable data, and those familiar with Foucault's principle of the panopticon representing the surveillance state will understand that privacy must surely have wider parameters.
The second principle in the development of Privacy International is the establishment of a clear nexus between civil liberties (the traditional face of privacy) and data protection (the modern face of privacy). Many members in countries ruled by totalitarian and military regimes know that invasions of privacy often intersect with violations of other fundamental rights and freedoms. The link between the traditional and modern hemispheres of privacy is vital to ensure that privacy protection remains a vital and pro-active issue for the people, and not simply the domain of technocrats. If privacy is indeed a reflection of the power relationships in society, then the pursuit of its protection must surely be groundbreaking and energetic. Such countries as Germany, the Netherlands and Australia which have witnessed extensive campaigns to protect privacy have learned that protection of these rights requires a constant testing of political limits.
The first days of our organisation have reaped an impressive result. Privacy International as a network has generated the focus for direct advocacy in several countries, and has provided assistance to a great many agencies, legal bodies, advocates and researchers. The mere existence of an international network has established a new facet within privacy.
It is indeed true that both the lack of formal structure and funding have limited the activities of the group. On the other hand, the long term success of Privacy International (contrary to popular wisdom) will have relatively little to do with the availability of institutional funding. Its success will depend more on the synergy of the network, and our capacity to make efficient use of our limited resources. I, for one, am guided by the premise that seminal concepts such as ours should concentrate first and foremost on the establishment of a consciousness. Other resources will follow.
This publication is the fore-runner of Privacy International's first annual report, which we hope to produce late in 1992. The current document has several purposes. It is designed, primarily, to provide a contact list of the organisation's key people around the world. Its secondary purpose is to set out the history of Privacy International, and to discuss options for the organisation's objects and structure. Members in several countries have also produced specific regional reports. Future annual reports will comprehensively cover country and sector reports.
We intend to establish Privacy International as an influential force for the protection of privacy and freedoms. The co-operative effort that has brought us to this point will ensure that we achieve this goal. It is tempting to be daunted or even cynical about the chance of success and few people would, I suppose, be reckless enough to make predictions or to set ambitious goals. Nevertheless, with the intention of setting some sort of benchmark for our development, I am happy to put on the record my intention to see Privacy International extended in the next two years to involve at least a thousand members from eighty countries. I would like to see us establish from 1992, a comprehensive and influential annual report, and, in 1993, for us to host the 1st World Privacy and Data Protection Conference. Such is the breadth of the privacy issue that I am certain these goals can be achieved. Given the pace of developments around the world, they must be achieved.
My best wishes and thanks go out to all those who have so firmly demonstrated their faith in the goals of PI. They are too numerous to mention here. My special thanks, however, go out to Graham Greenleaf, Marc Rotenberg, Professor David Flaherty, Pierrot Peladeau, Professor Dr Jon Bing, Dr Jan Holvast, Stephen Saxby, Tom Riley, Stewart Dresner, Professor René Laperriere, Cecilia Jimenez, Professor James Rule, Justice Michael Kirby, John Grace and William Dwyer for their keen support and encouragement. Thanks are also due to Dr Pál Könyves Tóth, Professor David McQuoid-Mason and Dr Miguel Espino Gonzalez for their input to this report.
Our warm thanks go also to the Law Faculty and the Human Rights Centre of the University of New South Wales in Sydney, and to Computer Professionals for Social Responsibility (CPSR) in Washington DC for their generous support of Privacy International. Thanks also to John Gilmore, Dr Mechai Viravaidya, the US Privacy Council, the Australian Privacy Foundation and to everyone who contributed financially and otherwise to Privacy International's activities around the world.
CHAIRMAN'S MESSAGEDr Jan Holvast
Chairman
Privacy International
Amsterdam, The Netherlands
For more than a decade, the privacy problem has continued to gain more and more attention in almost all countries of the world. A large component of this interest has been technological development, but it would be a mistake to pass all blame for privacy violations to technology itself. More important that the technology is the changing political power structure which is one of the consequences of its use. This consequence can lead to repression of those people who oppose the existing power, or who are in a situation where condemnation occurs as a result of prejudice.
This view makes clear my belief that the privacy problem is, primarily, a political problem, although in most countries with a data protection law, the emphasis is on jurisdictional measures. This juridical approach is diverting people from the real problem and the real solutions. Of course, for a political problem we need juridical solutions, but it would be naive, as has sometimes been proposed, to expect that the problem will be solved through that approach.
More important, regarding the international development, is the close cooperation of all those people who are internationally involved in the privacy problem. That's why Privacy International is not only a good idea, but above all, a necessity in a world in which technology generally is used for one purpose : namely, to strengthen the power of those who have it, and almost never for the purpose of strengthening people's rights and freedoms.
With the founding of Privacy International we have not only the obligation to cooperate, but to achieve this cooperation we need a combined approach. Therefore, it will be necessary to reformulate old questions and look at new answers. To mention some :
- Are the old definitions of privacy i.e.the old fashioned "right to be left alone" still usable in a technological age, or do we need a redefinition of privacy ?
- Is it possible to shape one universal definition of privacy, to do we need to differentiate between countries with cultural and political differences ?
- Do we need to develop a broader spectrum of countermeasures other than the common "reactive" approach ?
- What are the possibilities for anticipating future developments ?
- how can we go beyond information exchange processes and create a change in our situation ?
- Is taking about privacy in fact doing no more than using a strange word in place of saying we are afraid of control ?
These and many many other questions demand an answer before we can develop a strong base for a combined solution. And that, in my view, is a key challenge for Privacy International.
IMPORTANT MESSAGE FOR MEMBERS
Sub network and committee membership
In order to commence the task of developing a proper administration and structure for Privacy International, it is vital that all members of the network complete the form at the back of the report. These should be sent to the Sydney office. This form will assist us in the establishment of the organisation's structure and activities.
Please ensure that you let us know :
(a) which of the sub-groups (telecommunications privacy etc) you wish to join.
(b) whether you are prepared to help by joining one of the organisational committees.
(c) if you are prepared to serve as a sub-group convener or a regional or national co ordinator.
Amendments to contact details in this report
Because of the informal nature of Privacy International, certain errors may have occurred in the compilation of our membership list. Would everyone in direct receipt of this report please check the list of Working Group members at the end of Section "A".
In the event that :
(1) you are listed as a Working Group member, but do not wish to serve in this
capacity,
(2) you wish to transfer from Working Group to ordinary network membership,
(3) you are not listed, but wish to join the Working Group,
(4) you do not wish to be disclosed publicly as a member of the group, or,
(5) you wish to amend your contact details,
please contact Marc Rotenberg in Washington or Simon Davies in Sydney as rapidly as possible so that we can rectify the list.
PART "A"
ORGANISATIONAL MATTERS
OVERVIEW, BACKGROUND AND HISTORY OF PRIVACY INTERNATIONAL
OBJECTS AND FUNCTIONS
THE PEOPLE BEHIND THE ORGANISATION
STRUCTURE AND RULES
COMMITTEE AND WORKING GROUP DETAILS
A. INTRODUCTORY SECTION
1. Overview of Privacy International :
During 1990, more than a hundred leading privacy experts and Human Rights organisations from forty countries linked arms to form a World Organisation for the protection of Privacy. Members of the new body, which took the name Privacy International, had a common interest in establishing an international understanding of the importance of privacy and data protection. Meetings were held throughout that year in North America, Europe, Australasia and South East Asia, and members agreed to work toward the establishment of effective privacy protection throughout the world. A Working Group of 120 leading privacy experts and Human Rights organisations was established to develop Organisational guidelines.
The formation of Privacy International is the first successful attempt to establish a properly structured world focus on this crucial area of human rights. Privacy International is an independent, non-government organisation with the primary role of advocacy and support. As an international network, the organisation is able to raise the alarm about dangerous technology. As a formal body, it is able to establish guidelines and principles to guard against the malicious or dangerous use of technology. The organisation also assists with the establishment of effective and practicable Privacy legislation.
The work of Privacy International has already found its way into the world's press, including the pages of Time and Scientific American. The organisation has been most prominent in the South East Asian region, where it has liaised with local human rights organisations to raise awareness about the development of national surveillance systems.
Privacy International is managed by a Steering Committee of leading advocates and experts from throughout the World. These people are directly responsible for the liaison of the international Working Group. This body will function as a broadly based expert group to ensure that Privacy International develops a relevant and effective structure.
The countries represented on the Working Group are : Australia, Canada , The United States, The United Kingdom, New Zealand, Panama, Zambia, South Africa, Haiti, The Philippines, France, Germany, Thailand, Japan, Argentina, Costa Rica, India, Zimbabwe, Yugoslavia, Belgium, The Netherlands, Hungary, Poland, Egypt, Israel, Austria, Denmark, Norway, Kenya, Sweden, Hong Kong, and Chile. The Working Group has a broad range of members, and includes academics, human rights advocates, data protection experts, political scientists, journalists, the judiciary, lawyers, computer professionals, FOI experts, and a limited number of government officials.
Privacy International has a close working relationship with numerous legal and human rights organisations, many of which are represented on the Committee and Working Group of the organisation. One major affiliation is with the University of New South Wales. The directorate of Privacy International is currently housed within the Law Faculty of the University. PI's secretariat is located in Washington DC, and is sponsored by Computer Professionals for Social Responsibility (CPSR)
2. Objects and Functions of Privacy International :
Guidelines for the organisation were circulated in draft form in March 1990, and have been revised several times since. Following meetings of members in the US, Canada, Australia, the UK, France, The Netherlands, Luxembourg, Thailand, New Zealand and the Philippines, general agreement has been reached that Privacy International will have the following objects and functions :
2.1 Objects :
(i) To raise awareness internationally about privacy issues
(ii) To work toward the establishment of privacy protection measures throughout the world
(iii) To facilitate the flow of information about privacy related matters inside and outside Privacy International
(iv) To improve the level of mutual support and liaison amongst privacy advocates
(v) To provide a comprehensive linkage between privacy, data protection, and civil liberties advocates
2.2 Functions :
(i) Monitoring the nature, effectiveness and extent of measures to protect privacy and personal data;
(ii) Assessing the impact of new technologies on the privacy and freedom of the individual;
(iii) Monitoring and reporting on surveillance activities of security forces and intelligence agencies;
(iv) Monitoring the use by of universal identification systems and mass matching of computer files;
(v) Assessing the nature, extent and implications of trans border flows of information between countries.
(vi) Functioning as an international clearinghouse for privacy related information, research and issues
(vii) Engaging in advocacy at an international level, including making representations to international bodies such as the United Nations, the Council of Europe and the OECD
(viii) Monitoring the nature and extent of privacy violations country by country, both in the public and private sector
(ix) Publishing an international annual report containing description of privacy violations throughout the world
(x) Seeking ways through which information technology can be used in the protection of privacy
3 Recent activities and campaigns :
During 1991, Privacy International has had significant success in Thailand, The Philippines and New Zealand in raising public awareness about the development of surveillance and national ID systems. Simon Davies, the director of PI, returned in August from New Zealand, where, as the guest of the Auckland Council for Civil Liberties he caused a storm of protest over secret government plans to introduce a multi-purpose universal ID card and data matching programme (which was to be introduced without protecting legislation). The New Zealand Privacy Foundation was formed with 200 founding members, and this group will be the New Zealand representative on Privacy International.
Simon has also had success in the Philippines and Thailand during 1991. The Philippines Senate was considering legislation to establish a national ID card, and in a campaign trip last May hosted by the Philippines Alliance of Human Rights Advocates, submissions were made to the Senate and the Presidential Committee on Human Rights. The Privacy International network has also been used by law reform and human rights organisations in the US, Canada, Australia, Hong Kong and Europe to assist national or local privacy issues.
4. Meetings of Privacy International
A recent meeting of PI in Cambridge England considered the question of how members of the Organisation should meet. It was agreed that meetings of Privacy International would be held three times per year at each of the following annual conferences :
1. The annual Data Protection Commissioners meeting (various locations)
2. The Computers, Freedom and Privacy Conference (US)
3. The Privacy Laws and Business conference (UK)
The next meeting of Privacy International will be held in Washington DC on March 17th 1991 during the 2nd Computers, Freedom and Privacy Conference (being held in Washington between March 18 and 20). The meeting will be convened by Marc Rotenberg, secretary of Privacy International.
5. The next Phase :
Privacy International is currently seeking formal affiliations with academic and other institutions in various countries. It is envisioned that a directorate will be established in the Northern Hemisphere by the middle of 1992, and that regional centres will be formed throughout that year (Europe, Southern Asia, Northern Asia, Africa, Latin America and North America). The 1st Annual Report of the organisation will be circulated by October 1992.
6. Funding
Funding to this point has been minimal, but has been possible through the generosity of a small number of individuals and organisations. It is anticipated that by the beginning of 1992, a formal arrangement will be made for base funding. This will be achieved initially through membership subscription, and later through application for institutional funding.
THE PEOPLE BEHIND PRIVACY INTERNATIONAL
Simon Davies - Convener
Simon Davies convened Privacy International in 1990 and has subsequently fulfilled the role of Director of the organisation. He has been involved in privacy issues since 1987, when he directed Australia's massive citizens campaign against the proposed national identity card. The campaign, the biggest in recent Australian history, succeeded in defeating the government's plan. Since then, Mr Davies has been director of the non-government watchdog the Australian Privacy Foundation and has been involved in a wide spectrum of privacy issues. He has campaigned on privacy throughout the world both in developed and developing nations and has testified before numerous parliamentary, government and presidential committees on a wide range of issues including taxation administration systems, identity cards, data matching schemes and medical data Systems. By profession, Mr Davies is a journalist and consultant, and is based at the Faculty of Law of the University of New South Wales.
Jan Holvast - Chairperson
Dr Holvast is director of the Amsterdam based Stichting Waakzaamheid Persoonsregistratiie, (Privacy Alert) a national non-government watchdog group. He has been a leading figure in privacy protection since 1970, when he became involved in forming a mass movement against the national census. The movement had the effect of creating the first instance of civil disobedience in the post-war period. Privacy alert has been an active consumer organisation since the early 1970s, handling complaints of citizens and advising on matters of privacy. During 1991, a second organisation was formed The Centre for Privacy Research, which has a more scientific mandate and which strives to anticipate future developments. Dr Holvast has published more than 150 articles on privacy, and since 1975 has been chief editor of the quarterly journal "Privacy en Registratie". He is also located at the Department of Social Science Informatics of the University of Amsterdam.
Cecilia Jimenez - Deputy Chairperson
Attorney Jimenez is deputy Secretary-General for legal and international affairs for the Philippines Alliance of Human Rights Advocates, a national organisation of more than one hundred non government human rights organisations. Ms Jimenez is involved in a wide range of human rights issues and is one of the Philippines' best known and most respected advocates in the field. As representative of PAHRA she is an Alternate Member of the Presidential Human Rights Committee of the Philippines. Atty Jimenez has studied in Strasbourg at the International Institute of Human Rights and the International Center for Human Rights Teaching and Research.
David Flaherty - Deputy Chairperson
Professor Flaherty of the University of Western Ontario is one of the world's leading experts on privacy and data protection. His recent text "Protecting Privacy in Surveillance Societies" is a landmark work in the field, and has established Flaherty as an articulate analyst of government and legal mechanisms. In 1984-5 Flaherty was a member of an Advisory Panel, Office of Technology Assessment, U.S. Congress, for a study of Federal Government Information Technology and Civil Liberties. He also prepared a report for the same office on "Data Protection and Privacy - Comparative Policies." Flaherty has taught at Princeton University (1965-8) and the University of Virginia (1968-72). In 1972 he joined the faculty of the University of Western Ontario. In 1971-2 he was a Fellow in Law and History at the Harvard Law School, in 1978-79 a Visiting Fellow at Magdalen College, Oxford, and in 1985-86 a visiting scholar at Stanford Law School
Marc Rotenberg - Secretary
Marc Rotenberg is the director of the Washington office of Computer Professionals for Social Responsibility (CPSR). He is an adjunct professor of law at Georgetown Law School and was formerly counsel to the United States Senate Judiciary Committee. He frequently testifies in the United States Congress on computer and civil liberties issues. Marc is a graduate of Harvard College and Stanford Law School and a member of the bar of the United States Supreme Court. Rotenberg is a key figure in American privacy advocacy and is regarded as having made a major contribution to the growing awareness of privacy issues in the United States. He is involved in the full spectrum of privacy issues, and is a founder of the U.S. Privacy Council.
Jon Bing
Professor Dr Bing is a leading European expert in privacy and data protection. He is director of the Norweigian Research Centre for Computers and Law of the University of Oslo. He has established an extraordinary reputation as an academic lawyer and an author, and has membership of the editorial boards of a great many legal and information technology publications.
Madaleine Colvin
As legal officer and campaign director for Liberty (formerly the UK council for Civil Liberties) Madaleine has been involved over the past few years in some of Britains most crucial civil liberties issues. Previously, she practiced as a barrister for ten years specialising in discrimination cases and children's law. In 1980 she became a founder member of the Children's Legal Centre, where she worked for four years. At Liberty she is responsible for the privacy work undertaken by the organisation.
Miguel Espino Gonzalez
Dr Gonzalez is Vice President of the Centro de investigacion de los derechos humanos y Socorro Juridica de Panama (Centre for the Investigation on Human Rights and Judicial Aid) a private human rights organisation in the Republic of Panama. He completed his doctorate in Ciencias Juridicas y Siciales from the University of Belgrano, and has written extensively on numerous aspects of human rights and information.
Graham Greenleaf
Graham Greenleaf is a leading Australian figure in data protection and privacy. He is founding chairman of both the Australian Privacy Foundation and the New South Wales Society for Computers and Law. Mr Greenleaf has served as a member of the New South Wales Privacy Committee and is co-author of the Australasian Computerised Legal Information Handbook (Butterworths 1988) He is senior lecturer in information technology law at the Faculty of Law of the University of New South Wales.
David McQuoid-Mason
Professor McQuoid-Mason is dean of the Faculty of Law in the University of Natal in Durban, South Africa. He has for many years been an active campaigner for human rights, and is a leading expert on data protection. Professor McQuoid-Mason is National coordinator for street law for the Association of Law Societies and is chairman of the Durban chapter of Lawyers for Human Rights. He is a widely published author on a variety of topics, including street law, privacy, legal aid and human rights.
Pierrot Peladeau
Pierrot Peladeau is a jurist and information systems assessment consultant, and over the past several years has developed a high profile in Canada as a fearless privacy advocate. He has worked full time on privacy issues since 1982. That year, his study of tenant's blacklists in Quebec led to the creation of the Telematics and liberties Table, a network of human rights, consumers' and workers' organisations, and to a comprehensive study of private sector personal data banks entitled L'identité piratée of which he is an author. He has authored, alone or in collaboration, more than thirty publications on related issues. He is vice-president of the Canadian Rights and Liberties Federation.
Pál Könyves Tóth
Dr Pál Könyves Tóth is President of Infofilia (the Hungarian Data Protection and Freedom of Information Foundation) He is a widely acknowledged expert in the fields of statistics, data protection and freedom of Information and is heavily involved in the current moves to have privacy protection recognised in law in Eastern Central European countries.
THE DEVELOPMENT OF PRIVACY INTERNATIONAL
Background and history:
During the closing months of 1987, millions of Australians participated in one of the most extraordinary campaigns in their nation's history. The campaign was sparked by the federal government's intention to introduce a national identity card. For three months, the ID card dominated the media as thousands of people took to the streets in protest at the proposal.
The Card was to be carried by all Australian citizens and permanent residents (separately marked cards would be issued to temporary residents and visitors). The card was to contain a photograph name, unique number, signature and period of validity, and would have been used to establish the right to employment. It would be necessary for the operation of a bank account, provision of government benefits, provision of health benefits, and for immigration and passport control purposes.
An unprecedented alliance of political extremes sparked a grass-roots movement against the scheme. Rallies formed on a daily basis, culminating in a protest of 30,000 people outside Western Australia's Parliament House. Before the end of the year, in the face of major protests, a party revolt and civil disobedience, the government scrapped the ID card proposal.
The Australian Privacy Foundation, a non-partisan group which had convened and directed the campaign, was severely handicapped by the lack of international literature in this area. Throughout the campaign, vague references were constantly made to overseas protests against government ID card and surveillance schemes, but little or no substantial information was available to the campaign leaders.
Over the following years, members of the Privacy Foundation attempted to collect information from across the world on a variety of privacy related topics, but found that few international connections existed. Individual contacts were useful, but the Foundation came to realise that there existed a gap in this area of human rights on the international scene.
In March 1990, following discussions with his Australian colleagues, Privacy Foundation Director Simon Davies, a journalist and broadcaster, travelled to Europe and North America to discuss the prospect of forming a World Privacy Network. This and subsequent journeys were undertaken in a personal capacity, and were not sponsored or funded by any source.
The first of many meetings to discuss the idea was held in Luxembourg on March 26th 1990 , just prior to the joint European Commission and Council of Europe conference on Data Protection and Computer Crime. Mr Davies conducted other meetings throughout the year in Washington, New York, London, Amsterdam, Ottawa, Auckland, Belfast, Bangkok, Toronto and Strasbourg.
The response to the proposal was extremely positive. All experts and advocates agreed that an international liaison was essential, and around thirty leading privacy, civil liberties and data protection experts agreed to help form the organisation On his return to Australia in May, Davies wrote to these people in the following terms :
A wide range of views has been expressed about the most appropriate structure, membership, goals and activities of such an organisation. Decisions about these aspects must remain in the plans of the appropriate planning group. However, I feel we can assume that there is unanimous support for a greater degree of international communication and liaison in the privacy arena. We can also conclude that there is an equal degree of support for promotion and lobbying of privacy issues at an international level.
It was generally felt that, in the first stage, all those who had agreed to join the effort should form a Working Group responsible for the formation of structure and policy. By the end of 1990, this group was about eighty in number, and represented 28 countries. In an editorial in the U.K. based Computer Law and Security Report, Stephen Saxby remarked :
The development is to be warmly welcomed as a serious attempt to improve international collaboration over privacy issues. Just as international human rights groups have established themselves on the world scene, so too can a privacy oriented organisation work toward a higher level of awareness and respect of the issues involved. It is doubly important to develop the organisation now as Eastern Europe moves toward democratic institutions and participation in international fora of many kinds. While many issues still have to be resolved before the organisation can get underway, the encouraging support it has received so forebodes well for the future. The proposal for the organisation is a timely reminder that while many tangible benefits come from new technologies, risks also exist that cannot be ignored.
The justification for an International Organisation for Privacy:
The only fears expressed about the formation of an international effort related to the potential erosion of national sovereignty. Most members, however, felt that benefits far outweighed dangers.
Although general agreement had been reached on the scope of the organisation, considerable debate was undertaken with regard to the scope and nature of the organisation. Professor Ruth Gavison of the Association for Civil Rights in Israel observed:
I share the feeling that invasions of privacy through computers and surveillance will become more important in the future, and that an international organisation may have some relative advantage in dealing with these problems than national civil rights groups, committed as they may be.
The Egyptian Organisation for Human Rights saluted the initiative, and confirmed the view that the formation of a privacy network would fill a void in the international scene. In a letter to Simon Davies, Secretary General Bahey El Din Hassan said :
We are happy to hear of the formation of Privacy International. We believe that such an organisation will fill a certain gap in the structure of the international human rights movement. Giving more attention than customary to civil rights we salute your initiative in this regard and we appreciate your vigorous pursuit of a truly international scope for Privacy International.
A Hungarian expert, Dr Pal Konyves Toth, agreed that an international organisation would be valuable in supporting the struggle for recognition in law of privacy and data protection issues :
It may well be that in this period - while data protection and FOI is included in the Hungarian Constitution, but having no statutory guarantees - Privacy International playing the role planned can help us to argue the subject matter by serving the type of information it includes, not speaking about the potential weight of an international community of privacy experts and advocates and experts.
Scope of Privacy International - Aims and Mandate :
Although all members agreed that the organisation should have a primary role in international communication and support, there was some small difference of opinion concerning its proposed advocacy role. The first draft of the Working Group guidelines proposed that Privacy International would have an extremely broad mandate, becoming involved in the full spectrum of privacy issues. This prompted Professor James Rule from New York State University to warn :
My main concern, on reviewing the plans you set forth in your letter, has to do with the breadth of the activities that you are thinking of undertaking. My own preference would be for a relatively focused, strictly independent group of people with ideas of their own and no public policies to defend, who would undertake a limited but hard hitting agenda....I think a group with strong analytical independent ideas could make a significant impact by taking a few conspicuous, well considered public issues each year.
These concerns were expressed by a number of European and North American members of the Working Group. The main fear was that the organisation would be "too heavy to take off". Nevertheless, the call for a broad range of organisational interests was substantial. Professor Dr Wolfgang Kilian of Universitat Hannover wrote in the following terms :
I agree that the exchange of proposals and state of the art information should play a major role. Additionally, there should be broader understanding of the differing national backgrounds for the access of public files, information policy and data privacy protection in private business. Since national organisations exist in many countries which are registered as public lobbyists or experts for public hearings, Privacy International should emphasize the international aspects (transborder data flow, international data security aspects, ISO standards, data flow in multinational organisations). There may be interest in area oriented sub groups (research, medical field, employees data, funds transfer data, secret services).
Part of the concern of some members was the notion that the organisation should consider privacy in its broadest sense. That is, not merely data protection, but also the range of issues concerning surveillance and the relationship between the citizen and organisations. In other words, a fusion with civil liberties. Whilst some members expressed caution at such an early stage of Privacy International's development, others made quite clear their belief that the fusion would be certain to come about.
Several European members suggested that the existence of a network that could obtain expertise at short notice, test ideas, and rally international support on specific issues would be an invaluable contribution to privacy protection. It was suggested that in the first stage, working groups might be organised around subject areas which could then provide input to national legislative discussions and international organisations dealing with such subjects (eg telecommunications privacy).
Washington's David Burnham supported the broader view of privacy when he submitted :
I think that a question that should be explored is the ground we cover when we talk about "privacy". To my mind it is much more than the ability of a single individual to prevent others from obtaining information about him. Privacy concerns power, relative power, the power of large public and private organisations over the individual.
Membership of non-OECD Countries:
A very clear decision had to be made from the outset about the countries that would be involved in the organisation. This decision was dependent, largely, on the outcome of discussions relating to the scope of Privacy International. Canadian privacy advocate Pierrot Peladeau was eloquent in his argument for unrestricted membership. He wrote:
The organisation must be involved with countries which do not formally embrace privacy concerns. We cannot efficiently protect privacy interests in OECD countries without a clear vision of what is happening throughout the world, the north with responsibilities toward the south, the west toward the east. The organisation must also be involved with countries that blatantly violate privacy rights and interests. We must support those countries' civil rights organisations and advocates working on privacy issues by including them in our information links and collaboration networking, but also by giving them the expertise and international pressure they ask for. For this, a fully independent, non-governmental organisation is needed.
We engaged "Human Rights Internet" based at Harvard Law School to identify organisations in developing countries that might have an interest in the privacy and data protection area. A substantial list was compiled, and a selection of these were approached. About sixty per cent of human rights organisations in developing countries responded favourably. Mirna Anaya, General Coordinator of the Comision para la Defensa de los Derechos Humanos en CentroAmerica in Costa Rica set the following response :
In general, the privacy issue is one that we in Central America, deal with on a constant basis. Most of the organisations in the "popular sector" throughout Central America are watched and threatened by para-military and military forces. It is often the case that this surveillance and harassment, obviously an infringement of numerous rights that fall under the notion of privacy rights, is followed by illegal captures, lengthy illegal detentions with torture, and disappearance.
Others, such as the Union of Civil Liberty in Thailand, replied in more general terms :
We are also interested in the field of privacy and surveillance and also recognise the growth of importance of this field of human rights protection. Therefore we heartfully accept your invitation.
Favourable responses were received from Zambia, Argentina, Costa Rica, Chile, Thailand, The Philippines, Egypt, India and Haiti. Many expressed concern over the use by governments, security forces and private companies of information technology and modern surveillance equipment.
Membership of government officials:
Unlike the matter of membership of non OECD countries, the question of membership of government officials has not been so clearly resolved. Justice Michael Kirby, president of the New South Wales Court of Appeal, had proposed :
I would favour government officials becoming full or associated members of the network. They should certainly not be excluded. Some government officials have a great deal to contribute to the issues that will come up for discussion. They should be appointed on their own merits as individuals of the highest personal integrity.
Justice Kirby proposed an intelligent balance in what some members saw as a difficult problem. The correct course of action was clearly to avoid discriminating against government officials. However, because of the advocacy role of Privacy International it seemed that this prospect had its practical limitations. In response to an invitation to membership of the Working Group, United Kingdom Data Protection Commissioner Eric Howe wrote :
I have given careful thought to your invitation but feel that it would not be appropriate to accept it in the light of the position I hold. I do feel it would be too difficult to separate the registrar from Eric Howe and simply appear in a personal capacity.
John Eichmanis of the Ontario Information and Privacy Commissioner's Office also flagged problems when he wrote in February 1991 :
While we certainly would not want to dissuade the members of Privacy International from taking adversarial positions vis a vis governmental organisations, such a possibility places such offices as ours in a precarious position. I am sure you appreciate our predicament.
John Grace, then Canadian Privacy Commissioner, accepted an invitation to join the group, but warned :
I should also make clear that I do not want my agreement to serve now in an advisory role to pre-empt the key question as to whether membership in the network should be opened to government officials. This is a basic question which should be decided later. My own instinct, indeed, is that government people, for both their own reasons and the network's, should remain at arms length. But I remain very much open to argument on that matter.
On the other hand, Professor Rene Laperriere of the University of Quebec felt that government officials should be approached because they would make a valuable contribution to an international movement :
I think that in order to be functional, this organisation as a pressure group should invite to its membership advocates of privacy and liberties, who do not belong to government or private sector administrations or pressure groups. As to the privacy commissioners, they are in a position of watchdogs of government, and in certain cases private, actions. I suppose that this new organisation should invite them to participate, having in mind that the positions that will be adopted and the actions undertaken may be critical of the governments as well as the private firms : if they feel comfortable and mandate to work in such direction, their contribution could be most valuable.
Many members now believe that government officials should be permitted to join the Working Group of PI but excluded from the executive or office bearer positions. Their number on the Working Group would be limited to ten per cent of the total number of members. There should be no restriction on the ordinary membership of government officials.
EXPLANATION OF PROPOSED STRUCTURE, RULES AND FUNCTIONS OF PRIVACY INTERNATIONAL
STRUCTURE
Privacy International has yet to adopt a formal and legal structure. This matter must be dealt with as the priority for the Working Group and Committee. It is clear, however, that the organisation will have certain characteristics :
1. First and foremost, PI is an Association of Members. As an informal network, the organisation will avoid the establishment of concrete structures. Because privacy protection has so many intangible elements, the international structure must be informal. In a way similar to ICJ, PI can develop a more formal structure at the national or regional level. Any international structure, such as a congress, would have no special authority over national groups.
2. Special Interest Groups PI will develop a range of specialist sub-groups concerned with particular areas of privacy. These will include :
Telecommunications privacy
Data Matching
Trans border data flows
Freedom of Information
Finance and banking
Genetic and DNA
Biometric identification
Workplace surveillance
Medical data technology
Security and intelligence services
Data security
Private sector privacy
Public sector privacy
Identity cards
Legislation
Statistical and census data
Vehicle and remote tracking systems
Media privacy
Privacy protective technology
3. All development will be in the hands of the Working Group. A Working Group of more than one hundred leading figures in privacy and human rights from 33 countries will be directly responsible for making decisions about the structure and constitution of the organisation. The Group will comprise a number of committees with
responsibilities for financial arrangements, membership, legal affairs etc.
4. A coordinating Committee will manage the organisation. A committee of fifteen
members from thirteen countries will have overall responsibility for management of the Working Group. The Committee, nominated at a July 1991 meeting of Privacy International in Cambridge England, will ensure that the Working Group has the material necessary for its deliberations.
5. Regional and subject management. Because of the vast amount of material that will ultimately be generated by the network, volunteers will be sought to manage the information flow for a region or for a sector (telecommunications privacy etc).
6. Financial arrangements. Funding for the organisation will be achieved in the first instance through membership subscription. Each member of the Working Group will be asked to secure ordinary members. Regional managers will be responsible for collection, recording and banking of these moneys, and the details will be forwarded to the international finance committee.
WORKING GROUP AND COMMITTEE GUIDELINES
The first version of the guidelines for the Working Group were distributed for comment in May 1990, with four subsequent versions being developed. The following is the final version of the guidelines for the Committee and Working Group.
1. THE ROLE OF PRIVACY INTERNATIONAL
1.1 Privacy International (The World privacy and Data Protection Network) will be established by these rules as an independent, non-government, participatory international privacy advocacy and monitoring organisation.
1.2 Privacy International will be established with the following objects :
1.2.1 To raise awareness internationally about privacy issues
1.2.2 To work toward the establishment of privacy protection measures throughout the world
1.2.3 To facilitate the flow of information about privacy related matters inside and outside Privacy International
1.2.4 To improve the level of mutual support and liaison amongst privacy advocates
1.2.5 To Provide a comprehensive linkage between privacy, data protection, and civil liberties advocates;
1.3 Privacy International will support the adoption and implementation of the following international instruments :
1.3.1 The United Nations Universal Declaration on Human Rights, with particular regard to clause 12;
1.3.2 The OECD Guidelines on the Protection of Privacy and Transborder flows of Personal Data;
1.3.3 The Council of Europe's Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data;
1.4 Privacy International will perform the following functions, plus such other functions as may be decided by the Working Group :
1.4.1 Monitoring the nature, effectiveness and extent of measures to protect privacy and personal data;
1.4.2 Assessing the impact of new technologies on the privacy and freedom of the individual;
1.4.3 Monitoring and reporting on surveillance activities of security forces and intelligence agencies;
1.4.4 Monitoring the use by of universal identification systems and mass matching of computer files;
1.4.5 Assessing the nature, extent and implications of trans border flows of information between countries;
1.4.6 Functioning as an international clearinghouse for privacy related information, research and issues;
1.4.7 Engaging in advocacy at an international level, including making representations to international bodies such as the United Nations, the Council of Europe and the OECD;
1.4.8 Subject to sections 4.2.4, 4.2.5 and 4.2.6 below, monitoring the nature and extent of privacy violations country by country, both in the public and private sector
1.4.9 Publishing an international annual report containing description of privacy violations throughout the world;
1.4.10 Seeking ways through which information technology can be used in the protection of privacy;
1.4.11 Assisting local privacy advocates in any country, including countries which do not yet have privacy or data protection legislation, or adequate protection against
violations of human rights;
1.4.12 Working with other organisations having aims which are compatible with those of Privacy International.
2. AMBIT OF THE ORGANISATION
2.1 Privacy International may be concerned with a range of human rights violations and privacy related issues, but will be principally concerned with data protection and surveillance;
2.2 In determining the ambit, structure and operation of Privacy International, the Working Group must have regard to the various pre-conditions to the establishment of privacy and data protection safeguards i.e. aspects of civil and political rights, freedom of speech, freedom of conscience, and national economic and technological conditions;
2.3 In accordance with 2.2 above, the organisation's scope will include support for the development of the pre-conditions for privacy protection in countries where the adoption of data protection statutes is not practicable in the near future. Such matters may include reforms to administrative law which aid privacy protection, or particular civil or political rights such as freedom of conscience or freedom of speech, without which privacy protection might lack purpose;
2.4 The organisation will not duplicate the work of other national or international groups involved with human rights.
3. FORMATION OF THE WORKING GROUP
3.1 The Convener will establish a Working Group to determine the structure and function of Privacy International :
3.1.1 All members of the Working Group will have a credible profile in the fields of privacy, data protection, human rights, or in areas essential to the aims of Privacy International.;
3.1.2 The Working Group will have at least one hundred confirmed members from a minimum of thirty countries;
3.1.3 No single country will have more than fifteen per cent of the total membership of the Working Group;
3.1.4 A maximum of twenty per cent of the Working Group will be statutory office holders or members of government departments.;
3.1.5 Members of the Working Group will serve solely in a personal capacity, but may take steps to represent their organisations or institutions following the resolution of Section 4.1 below.
4. ROLE OF THE WORKING GROUP
4.1 The tasks to be resolved by the Working Group will be divided, for convenience, into two stages. The first and immediate stage comprises the following four issues :
4.1.1 To determine the functions of Privacy International subject to section 1.4 above;
4.1.2 To decide upon an appropriate organisational structure, rules and constitution for Privacy International.;
4.1.3 To determine the form, nature and extent of membership of the organisation;
4.1.4 To determine the method of liaison with international organisations, governments and statutory privacy bodies;
4.2 The second, and longer term, stage of the Working Group's responsibilities are as follows :
4.2.1 To develop a charter or mandate which will serve as a foundation document or set of principles in the work of Privacy International;
4.2.2 To develop a framework for effective communication, liaison and mutual support between members of the organisation;
4.2.3 To consider how the organisation will determine a formal public position on various privacy issues both at a national and international level, and whether such formal positions are desirable or necessary;
4.2.4 To determine the extent to which the organisation will establish national or regional representation;
4.2.5 To determine the limits of involvement by the organisation in the affairs of a country;
4.2.6 To consider how the organisation will determine the balance between the pursuit of universal privacy principles and the adoption at a national level of any of a number of pluralistic definitions of privacy;
4.2.7 To investigate funding options for Privacy International;
4.3 Members of the Working Group may speak publicly about Privacy International subject to the following limitations :
4.3.1 That the public statements relate solely to the charter, role, membership and function of the Working Group;
4.3.2 That the public statements do not imply a position of the organisation on particular issues unless a formal process has been undertaken to ensure that the statements reflect the wishes of members in the relevant country.
5. CO-ORDINATING COMMITTEE
5.1 A co-ordinating Committee of no more than fifteen members will be established at a meeting of members of Privacy International. Its composition will be determined in broad conformity with section 3.1 above. Members of the Committee will have the following responsibilities :
5.1.1 Assisting with communications and liaison amongst members of the Working Group;
5.1.2 Assisting with distribution of information relevant to the functions of the Working Group;
5.1.3 Where appropriate, publicly representing Privacy International;
5.1.4 Framing resolutions, developing themes for papers, and generating issues for the attention of the Working Group;
5.2 The Co-ordinating Committee will have no special powers or voting rights;
5.3 The Working Group by a three quarters majority of returned votes may delegate part of its function to individual member or groups of members;
5.4 The Co-ordinating Committee, by a three quarters majority vote, may delegate part of its functions to individual members or groups of members;
5.5 Members of the co-ordinating Committee may represent or make representations on behalf of Privacy International, but are not empowered to promote opinions or views on behalf of the organisation unless these have been approved by the Committee;
6. VOTING PROCEDURE
6.1 The Working Group will remain a single group until such time as agreement is reached on all aspects of the first stage of its functions (section 4.1). After this stage has been reached, the group may divide into specific interest committees in a manner recommended by the Co-ordinating Committee;
6.2 The full Working Group will resolve issues by voting on options presented in working papers commissioned by the Co-ordinating Committee. Voting will proceed in the following manner :
6.2.1 All matters will be decided upon through written resolution circulated to all members of the Working Group;
6.2.2 All resolutions placed before the Working Group will be accompanied by a paper commissioned by the Co-ordinating Committee, and circulated at least 21 days prior to the vote;
6.2.3 Where there is a single option in the resolution, the vote will be carried by a simple majority of returned votes;
6.2.4 Where there are more than two options, preferences will be distributed in order to determine the majority preference;
6.2.5 Wherever possible, these processes will use electronic facilities such as fax, telephone and electronic mail;
DESCRIPTION OF THE ORGANISATION'S FUNCTIONS
Function 1.4.1 Monitoring the nature, effectiveness and extent of measures to protect privacy and personal data;
Over the coming years, Privacy International will establish a grid of national groups and specific interest sub-groups to help determine whether legislative and other measures are achieving the necessary degree of privacy protection. The organisation's primary function is to assist individual countries to develop strong privacy protection. Through its annual report, Privacy International can raise awareness of the need for protections, and through its network of experts, the organisation can follow up with practical assistance.
Function 1.4.2 Assessing the impact of new technologies on the privacy and freedom of the individual;
The comprehensive assessment of technology and its impact will be conducted on a sectoral basis. A scan of the Working Group of the organisation reveals that well over fifty per cent of members have specialist expertise that should be networked internationally. During the first half of 1992, Privacy International will develop sectoral privacy sub groups in such fields as telecommunications privacy and data matching.
Existing Working Group members will be approached to occupy the position of convener of these various groups. Membership will be open and will be international in scope. The sub groups will not be bound by sovereign restrictions.
Function 1.4.3 Monitoring and reporting on surveillance activities of security forces and intelligence agencies;
This is possibly the most sensitive area of involvement for Privacy International, and great care must be exercised to ensure the protection of members who report on the activities of security and intelligence agencies. Whilst there are certain international trends (the trade in surveillance technology, international law enforcement records, regional collaboration etc) the majority of violations are likely to be noted at the national level. Members in some countries may wish to conduct the publication of reports through an international sub-group in the security service and intelligence field.
Function 1.4.4 Monitoring the use of universal identification systems and mass matching of computer files;
Both these areas will be covered by sub-groups. Universal Identification schemes will also cover the development of population databases, population numbering systems, and multiple purpose numbering systems.
Function 1.4.5 Assessing the nature, extent and implications of trans border flows of information between countries.
It is quite possible that the transborder data sub-group of Privacy International will be an amalgam of several relevant groups including finance and banking, telecommunications privacy, data matching, and data security.
Function 1.4.6 Functioning as an international clearinghouse for privacy related information, research and issues
This function is currently without definition. The various sub-groups and networks will informally serve a clearinghouse function. Depending on the availability of resources and funding, it is likely that Privacy International will publish a monthly bulletin with abbreviated references to events, material, research, legislation etc. Contact details of a subgroup member or members will be listed alongside the reference.
Function 1.4.7 Engaging in advocacy at an international level, including making representations to international bodies such as the United Nations, the Council of Europe and the OECD
The advocacy role of any international group is a sensitive process. While working toward the development of internationally recognised standards of privacy protection, Privacy International must also recognise the right of individual nations to decide the appropriate form of protection. Thus the advocacy role of Privacy International as it directly affects a nation would be limited to an extent determined by members in the country concerned. It is, however, assumed that all members of Privacy International in all countries broadly support the principles laid down in the OECD and Council of Europe guidelines. Advocacy at a national or international level for adoption of these principles should be a universally accepted role of the organisation.
Function 1.4.8 Monitoring the nature and extent of privacy violations country by country, both in the public and private sector
Privacy International will establish a monitoring procedure similar to that of Amnesty International or the International Commission of Jurists. Assessment of privacy invasions within a country will be subject to the following conditions :
(1) Reports will be prepared by members of Privacy International who are resident in the relevant country, and material will be refereed as extensively as possible by other local members;
(2) The report in draft form will be passed for comment to other members outside the subject country;
(3) The subject country is free to request whatever international support is needed in the preparation of reports;
(4) Privacy International cannot veto or edit reports prepared according to the above procedures;
Function 1.4.9 Publishing an international annual report containing description of privacy violations throughout the world
An annual report will be published containing reports on individual countries, as well as sector reports by the various sub-groups. Ultimately, the report would cover the majority of the world's countries, and would provide an important benchmark in the development of an international context for privacy protection.
Function 1.4.10 Seeking ways through which information technology can be used in the protection of privacy
This is an important function for Privacy International. A vast amount of research is undertaken each year to develop the intrusive capacity of technology, but relatively little focus is given to the privacy protective potential for technology. This function will also help to deflect criticism that the group is "anti-technology".
PRIVACY INTERNATIONAL
Executive and Steering Committee
CHAIRMAN Dr Jan Holvast, Director, Stichting Waakzaamheid Persoonsregistratiie, Schiemanstraat 2 Amsterdam, THE
NETHERLANDS
DEPUTY CHAIRS Professor David Flaherty, Professor of History, University of Western Ontario, London, Ontario, CANADA
Attny Cecilia Jimmenez, Deputy Secretary General, Philippines Alliance of Human Rights Advocates,
Room 403, 9 Balete Drive, Quezon City, Metro Manila, REPUBLIC OF THE PHILIPPINES
DIRECTOR Simon Davies, Privacy International,
Faculty of Law,
University of New South Wales,
P.O. Box 1,
Kensington NSW 2033
AUSTRALIA
SECRETARY Marc Rotenberg, Washington Director, Computer Professionals for Social Responsibility,
Suite 303,
666 Pennsylvania Ave,
Washington DC 20002
U.S.A.
STEERING COMMITTEE
Professor Dr Jon Bing, Norweigian Research Centre for Computers and Law, University of Oslo
Madeleine Colvin, Legal Officer, U.K. Council for Civil Liberties
Dr Miguel Espino Gonzalez, Director, Administrativo, Diroccion de Aeronautica Civil, Panama
Graham Greenleaf, Senior lecturer in Law, University of NSW
Professor David McQuoid-Mason, Dean, Faculty of law, University of Natal, South Africa
Pierrot Peladeau, Ligue des droits et liberties, Quebec, Canada
Dr Pl Knyves Tth, President InfoFilia (Hungarian DP and FOI Foundation), Hungary
MEMBERS OF THE WORKING GROUP
Mirna Anaya, General Coordinator, Comision Para la Defensa de los Derechos Humanos Centroamerica, Costa Rica
Associate Professor Colin Bennett, Department of Political Science, University of Victioria, CANADA
Professor Jan Berkvens, Vice President, Rabobank Nederland, THE NETHERLANDS
Mark Berthold, The Law Reform Commission of Hong Kong, HONG KONG
Jacqueline Bilodeau, Presidents Office, Canadian International Development Agency, CANADA
Dr Peter Blume, Institute of Legal Science, University of Copenhagen, DENMARK
Khun Boonsong, Union of Civil Liberty, Huaykwang, Bangkok, THAILAND
Professor Dr Klaus Brunstein, Fachbereich Informatik, Universitat Hamburg, GERMANY
Herbert Burkert, Gesellschaft Fur Mathematik Und Datenverarbeitung MBH, GERMANY
David Burnham, Transactional Records Access Clearinghouse, Syracuse University, UNITED STATES
Dr Roger Chongwe S.C., Advocate, Lusaka, ZAMBIA
Associate Professor Roger Clarke, Department of Commerce, The Australian National University, AUSTRALIA
Professor Mary Culnan, School of Business Administration, Georgetown University, Washington DC, UNITED STATES
Stewart Dresner, Publisher, Privacy Laws and Business, UNITED KINGDOM
William Dwyer II, President, Private Lines Inc, UNITED STATES
John Eichmanis, Manager, Strateigic Planning, Information and Privacy Commisioner's Office, CANADA
Robert Ellis-Smith, Publisher, Privacy Times, UNITED STATES
Sanda Erdelez, University of Osijeku, YUGOSLAVIA
Georges Festinger, Popularisation Organisation des Nouvelles Technologies, FRANCE
Maurice Frankel, Director, The Campaign for Freedom of Information, UNITED KINGDOM
Robert Freeman, Executive Director, Committee on Open Government, Department of State, UNITED STATES
Professor Serge Gauthronet, Director, ARETE, FRANCE
Professor Ruth Gavison, Association for Civil Rights in Israel, ISRAEL
David Goldberg, Faculty of Law, University of Glasgow, UNITED KINGDOM
Jan Goldman, Washington Office, American Civil Liberties Union, UNITED STATES
John Grace, Information Commissioner of Canada, CANADA
Bahey El Din Hassan, Secretary General, Egyptian Organisation for Human Rights, EGYPT
Evan Hendricks, Publisher, Privacy Times, UNITED STATES
Professor Tsuyoshi Hiramatsu, JAPAN
Jean Jacques Honorat, Director General, The Haitian Centre for Human Rights, HAITI
Yong Chai Jerd-Ampai, Director Computer and Information Service, THAILAND
Professor Dr Iur Wolfgang Kilian, Institut fur Rechtsinformatik Universitat Hannover Fachbereich Rechtswissenscchaften HanomegstraBe, GERMANY
His Honour Justice Michael Kirby, President of the Court of Appeal, AUSTRALIA
Otilia Koster, Coordinator Centro de Investigaciones de los Derechos Humanos y Socorro Juridicia de Panama, UNITED STATES
Douglas Kramer, Chairman, Privacy Committee, American Civil Liberties Union, UNITED STATES
Professor Rene Laperriere, School of Law Universite du Quebec a Montreal, CANADA
Professor Kenneth Laudon, Leonard F Stern School of Business, UNITED STATES
Prof Dr iur Bernd Lutterback, Technische Universitat, GERMANY
Tim McBride, Senior Lecturer Faculty of Law University of Auckland, NEW ZEALAND
Professor John McCamus, Osgoode Hall School of Law York University, CANADA
Wayne Madsen, UNITED STATES
Professor Gary Marx, Department of Urban Studies and Planning, Massachusetts Institute of Technology, UNITED STATES
Lucien Mehl, President Association Pour le Developpement de l'informatique Juridique, FRANCE
James Michael, Director, Centre for Communications and information law, University College of London, UNITED KINGDOM
Emulio Mignone, Presidente Centro de Estudios Legales y Sociales, ARGENTINA
Margaret Mulgan, Senior Human Rights Commissioner, Human Rights Commission, NEW ZEALAND
Jim Nolan, Barrister, AUSTRALIA
Russell Pipe, Publisher, Transnational Data Report, THE NETHERLANDS
Yves Poulett, Centre de Recherches Informatique et Droit Facultes Universitaires, Notre-Dame de la Paix Faculte de Droit Rempart de la Vierge, BELGIUM
Andrew Puddephatt, General Secretary, U.K. Council for Civil Liberties, U.K.
Bill Reddin, W.J.Reddin and Associates Management Consultants, UNITED KINGDOM
Thomas Riley, President, Riley Information Services Inc, CANADA
Professor James Rule, Department of Sociology, State University of New York at Stonybrook, UNITED STATES
Stephen Saxby, Managing Editor, The Computer Law and Security Report, Faculty of Law, Southampton University, UNITED KINGDOM
P.A.Sebastion, Principal Secretary, Indian Peoples Human Rights Commission, INDIA
Professor Peter Seipel, Swedish Law and Information Research Institute, University of Stockholm, SWEDEN
Professor Dr Spiros Simitis, Der Hessische Datenschutzbeauftragte, GERMANY
Prof Dr Laszlo Slyom President, Constitutional Court of Hungary, HUNGARY
Adrian Sterling, Barrister, UNITED KINGDOM
Nadja Tollemache, Ombudsman of New Zealand, NEW ZEALAND
Professor George Trubow, John Marshall Law School, University of Chicago, UNITED STATES
German Molina Valdivieso, Vice Presidente, Comision Chilena de Derechos Humanos Huerfanos, CHILE
Dr Mechai Viravaidya, Secretary General, Population and Community Development Association, THAILAND
Professor Raymond Wacks, Head Department of Law University of Hong Kong, HONG KONG
S. Amos Wako, KENYA
Ms Carole Wallace, Commissioner, Quebec Access to Information Commission, CANADA
Antoinette van Wezel, Project on computer law, Faculty of Law University of Utrecht, THE NETHERLANDS
Professor Alan Westin, Professor of public law and government, Colombia University, UNITED STATES
Dr Hans Zeger, Arge Daten Liechtensteinstr, AUSTRIA
PART "B"
THE STATE OF THE WORLD'S PRIVACY
OVERVIEW OF THE STATE OF THE WORLD'S PRIVACY COUNTRY REPORTS
SPECIAL REPORTS PRIVACY INTERNATIONAL SUBMISSIONS AND DOCUMENTS
OVERVIEW OF THE STATE OF THE WORLD'S PRIVACY
The state of privacy protection world-wide is a mixed picture. While privacy and data protection is being taken seriously by more and more countries, advances in technology increase the spectrum of privacy violations. While international relations have generally warmed, minimising certain elements of surveillance of populations, numerous civil and regional conflicts continue to nurture extensive surveillance.
New Information Technology is able to deal with personal data faster, more extensively, and at a cheaper cost than ever before. Vast amounts of information are being transacted by systems that are more compatible and networks that are more "open".
Sadly, while some of this technology (smart cards, encryption etc) has the capacity to help protect personal privacy, relatively little is spent on research in these areas. The vulnerability of information and the consequent loss of privacy are seen as the trade-offs against greater speed, efficiency, and cost effectiveness.
Protections in law, where they exist, are sometimes ineffective and even counter productive. Extensive information holdings by government are invariably allowed under exemptions and protections in law. The existence of statutory privacy bodies, rather than impeding such trends, sometimes legitimates intrusive information practices.
There are, however, some encouraging trends in privacy. The release of the European Commission's Draft Directive on Data Protection has created shock waves throughout the world, particularly within those countries with no effective privacy legislation. The Draft Directive will enforce minimum standards of protection throughout the European Community, and will provide for the veto of information trade with non European countries with a lesser standard of data protection. The potential impact of such a mechanism was recently seen when the U.K. Data Protection Commissioner vetoed certain information based transactions between the U.K. and the United States. There is uncertainty about the date of final drafting of the Directive, although it appears almost certain that this will be achieved by the end of 1992. It is likely that the Directive will give form and force to the cliche "Information as a commodity".
However, while the European Directive will exert a positive influence in one direction, the flow of surveillance technology from first world to third world is creating significant problems for human rights in developing countries. While much of this technology has an important and legitimate role to play in economic development, the establishment in the third world of hi-tech population numbering systems and identity card systems is subject to abuse and manipulation. The vast majority of these systems are designed and sold by information technology organisations and brokers in first world countries. Protection of rights in the recipient country often does not exist, and even if a constitutional protection of privacy does exist, it may be unenforceable. A recent decision by the Hungarian Constitutional court to veto a national ID system is a rare example of enforcement of such a document.
A recent award for "Brave use of technology" given to the government of Thailand by the Smithsonian Institute was condemned by the U.S. Privacy Council (see special report on Thailand in this document). However, while ethical guidelines of the Information Technology industry are little more than paper tigers, the problem of unethical "peddling" of technology will continue.
One of the most interesting and controversial privacy issues is the development of genetic and DNA coding. There have been calls in several countries for the development of national genetic databases, but privacy implications aside, the procedures involved in such technology appear to be embryonic and often haphazard. The absence of uniform licencing, proficiency testing, procedural controls and legislative mechanisms combine to make this technology vulnerable to error, inconsistency or abuse. Even if these procedures and standards were to be perfected, the public interest in the establishment of such databases would appear to limited. The experience of other specific technologies is that the information gained is applied for unforeseen purposes, thus breaching generally held privacy principles, but often exempted under the provisions of law enforcement or public revenue.
Such embryonic technology exists in several other areas. Vehicle tracking systems, for example, are being embraced throughout the world without general regard to the potential for extension of use. The imminent capacity to track and log vehicles on a metropolitan-wide basis to assist traffic management has applications that go well beyond traffic control. The same syndrome applies across the spectrum of technology.
The problems arising from such new and seductive technologies often stem from the perceived losses arising from non-implementation, rather than the costs arising from their hasty introduction.
One critical measure of a country's privacy law is the adequacy of protection for the confidentiality of telecommunications. Many countries have established some restrictions on wire surveillance by government agents. The United States wiretap statute requires that government authorities obtain permission before conducting a wiretap. after the order is issued, there are specific guidelines that must be followed to ensure that the surveillance is "minimised". Other countries have similar requirements, though provisions that allow for wire surveillance simply when a "national Security" concern is suggested should not be considered adequate. Such provisions should be subject to judicial or parliamentary scrutiny.
The Caller ID service, allowing the recipient of a call to identify the number of the caller, is generally considered by privacy advocates as a threat to privacy. It tends to transfer control over personal information from the phone subscriber to the phone company. In the United States some phone companies sell both the right to receive the phone number and the right to withhold the disclosure of the phone number. Claims that the Caller ID service would reduce harassing calls appear not to be generally supported. Other phone services address the problem more effectively. Callers should retain the right to decide when to disclose their identities. In advanced telecommunications networks such as ISDN the disclosure of a callers phone number may also result in the disclosure of other personal information, including age, address, profession, income, and marital status.
Several new problems are emerging on the communications privacy front. With regard to government spying, there is growing concern that governments will seek to restrict the use of cryptography and other methods that allow a person to protect the confidentiality of communications. In the United States, the government sought to require that communication service providers make available the "plain text" version of encrypted communications. This effort was successfully opposed by privacy advocates, and computer and communications companies. Cryptography will remain one of the battlegrounds for communications privacy for the foreseeable future.
A separate problem is the prospect that communications companies will routinely sell the records of specific calls to third parties. This is a new development that arises from the growth of direct marketing and the creation of a digital network that logs individual calls. There are two aspects of this problem. First, the privacy risk is the disclosure of the record of a call, and not the content of a call. Secondly, the information is typically sold to marketing firms and businesses for commercial gain. It is not sought by government in the first instance, though it should be assumed that government may ultimately seek to secure the information. In the U.S. for example, the Internal Revenue Service has purchased detailed lists from private mailing firms to undertake tax audits.
There is a strong argument that privacy advocates should oppose the disclosure of both communications content and communications records to private and public parties. When Government seeks this information, it should be disclosed only pursuant to clear legal authority that may be challenged openly in a court of law. When a private company seeks this information, both parties to the communication must provide explicit consent.
Failure to enforce strong privacy safeguards for communication networks is likely to undermine the core value of a communications service - the assurance that confidential information exchanged between two parties will not be disclosed to others.
In considering these issues, privacy advocates are confronted with sensitive matters of public interest. Technology brings great benefits, but the vulnerabilities are often overlooked. While striving to apply the international principles of data protection, and allowing for the right of sovereign law, it is difficult to avoid concluding that privacy protection is often controlled by the exception rather than the rule. Privacy is often one of the first rights to be traded off in favour of other perceived benefits, yet, once traded, it can rarely be recovered. Sadly, some governments have openly challenged privacy advocacy on the basis of innuendo - "nothing to hide, nothing to fear".
The mass collection and matching of personal information on the basis of law enforcement and public revenue is a feature of modern economies. The dilemma facing advocates is that while there is general concern in many countries over this growing informational canopy, there are few avenues to meet the threats and the challenges of this new technology. Law, by itself, is clearly inadequate. A new consciousness is perhaps a more realistic solution. This means that citizens who have come to accept that information is truly a commodity, might have to become aware of the implications of the general availability and use of this commodity.
REPORTS ON THE STATE OF PRIVACY BY COUNTRY AND REGION
THE UNITED STATES OF AMERICA :
Support for privacy protection has increased dramatically in the U.S. in recent years. Consumers have joined forces with civil libertarians to oppose the sale of personal information and the misuse of data by the private sector. In the most striking example, more than 30,000 people successfully lobbied against the release of Lotus Marketplace, a CD ROM package containing detailed information and personal buying habits of 120 million American consumers.
The United States has a long privacy tradition, but current law is inadequate and requires extensive revision. The Privacy Act of 1974 which protects only records held by government agencies, is not adequately enforced. The Privacy Act does not cover records held by the private sector or records held by government agencies on foreign citizens. The Electronic Communications Privacy Act of 1986 restricts the ability of government agents to wiretap communications, but allows telephone companies to sell records of phone calls to businesses and direct marketing firms. There is no comprehensive protection for medical records, insurance records or employment records in the United States. Court remedies for existing privacy laws are expensive and beyond the reach of most people. State agencies are now also selling personal data.
There is no data protection authority in the United States, nor has a constitutional right of information privacy been established. As a result, there is no coordinated effort within the government to improve privacy protection. There is also no core privacy right established firmly in law. The establishment of a Federal Privacy Board was the cornerstone of legislation introduced by Senator Sam Ervin in 1974. His bill became the Privacy Act, the foundation of privacy protection in the United States. However, strong opposition from the Ford White House led to the demise of the proposed Board before final passage. In its place, a privacy protection study commission was formed. When the Commission completed its study of privacy protection in 1977, the same conclusion was reached. The Commission recommended the creation of the Federal Privacy Board. Fourteen years later, there can be no doubt that the United States needs a Data Protection Board. There is no mechanism to assess the new uses of transactional data. Current privacy safeguards are simply inadequate
New technologies have also raised concern in the United States. Caller ID is widely opposed, with many states requiring strict safeguards before the service can be offered. The collection of genetic information and the proposal that the Federal Bureau of Investigation should establish a national database has also drawn criticism from privacy advocates, civil libertarians and the medical community. There is growing opposition to the use of the Social Security Number (SSN) as a national identifier. Several states have passed laws to restrict the use of the SSN. Direct marketing remains unregulated, though consumer opposition to the sale of personal information is widespread.
Marc Rotenberg
Washington DC
CANADA
A general constitutional right to privacy against the state is emerging though jurisprudence of the Supreme Court of Canada on a Section of the Canadian Charter of Rights and Freedoms which gives protection against unreasonable search and seizure. There are comprehensive data protection laws for government and public agencies at federal level and in only two of the ten provinces, Quebec and Ontario. Credit reporting laws exist in seven provinces. In 1987, Quebec adopted a new charter in its civil code setting general standards and principles of privacy and data protection but it has not yet come into force.
In the last year or so new commissioners were appointed in all three existing data protection agencies: Bruce Phillips as Privacy Commissioner of Canada, Paul André Comeau as President of the Commission d'access á l'information of Quebec, and Tom Wright as Information and Privacy Commissioner of Ontario.
A disquieting privacy situation is emerging in Quebec that is worth comment. In 1990 a bill was introduced that would in practice have dismantled Quebec's Access to Information and Data Protection Act which was adopted in 1982. On data protection the bill would have permitted the transmission of personal data on any person "capable" of breaking a law. Since any such person has this potential, the many critics of the bill feared it might create a limitless privacy intrusion. Other sections would have suspended the application of the Act for a variety of data banks. In the wake of controversy over the bill, many sections were deferred. However, it appears that some ministers are re-introducing the sections on a piecemeal basis. . For example, a comprehensive new act on health and welfare was adopted and one section removes it from the ambit of the data protection Act and the jurisdiction of the Commission.
There appears to be a trend toward surveillance that can be traced to 1989 with the adoption of an act permitting intrusive controls over the lives of welfare recipients. Since then, the Health and Welfare minister has been considering the adoption of some form of citizens' ID card. Comprehensive legislation covering the private sector was promised in 1988, and public hearings began last October. The enthusiasm of the government appeared to be somewhat diluted, however, and one minister openly talked about allowing the continuation of self regulation. The hearings soon after were postponed until the Spring of 1992.
In 1990 Caller ID was iintroduced in two Canadian cities, and the service is slowly being made available across the country. Blocking is provided on a call by call basis for a cost of .75˘. Only services such as women's shelters were given free and universal blocking. This decision was opposed by a large coalition of human rights and consumers associations, shelters and transition homes, women's groups, professional bodies and others. Many instances of breaches of medical and professional confidentiality have since been reported, and the position is now being challenged before the Federal court on the grounds of infringement of the rights of privacy, equality, and freedom of speech.
The Federal Department of Transport has suspended plans for mandatory drug testing in the transport industry but there are a growing number of individual employers using drug testing procedures in the workplace. Many public and private employers now impose intrusive - and sometimes degrading - medical investigations before and during employment. Critics are warning that this trend could pave the way for more invasive technologies such as genetic screening.
There are several experiments on smart cards being conducted or under preparation. One Quebec project envisions the smart card as a portable medical file. Fears have been expressed over the capacity for surveillance. A federal project would give unemployment insurance recipients a card for information transaction with the bureaucracy and payment transactions (credit and retail direct debit).
Pierrot Peladeau
Montreal
SOUTH AFRICA
Privacy in South Africa is protected by the common law under the broad principles of the actio injuiarum which deals with wrongs involving an intentional and unlawful infringement of a person's personality rights, including the right to privacy. These principles are flexible enough to protect citizens from intrusions, public disclosures of private facts, being placed in a false light, and having their image and likeness appropriated. The common law, however, is not always sufficient to protect citizens from surveillance by government, security and law enforcement agencies.
There is no statutory protection of privacy in South Africa, although there is some limited protection in those statutes which require citizens to make certain private disclosures for the purposes of statistics, census or income tax. The most blatant statutory invasion of privacy is the Identification Act of 1986 which requires all citizens to provide a great deal of personal information in order to obtain identity documents.
The Post Office Act authorises salaried officials to intercept and read the contents of correspondence in certain circumstances e.g. where there is no address on the envelope or the article is suspected of lotteries, sports pools, or obscene or indecent matter, or the interception is necessary in the interests of state security. The latter is the biggest threat to the individual's privacy regarding correspondence because it is not controlled by the courts. Telegrams may also be intercepted on the same basis and certain delegated officials may listen in to telephone conversations. Again, there is no judicial control over wire-tapping procedures in South Africa. This needs to be urgently addressed.
The right to privacy in South Africa has also been undermined by the wide powers of the police in terms of the Internal Security Act of 1982, the Criminal Procedure Act of 1977 and the Public Safety Act of 1983. Security laws have given the police wide powers to intrude into people's private lives.
Surveillance in the private sector by persons such as private detectives has been outlawed by the courts. The biggest threat to citizens in the private sector is that of credit bureaux. Most credit bureaux in South Africa would probably allow the subject of an enquiry to inspect his or her file, but usually the former will not disclose the identity of the latter to the subject. This means that not only are subjects unaware that they may inspect their files, but they may also experience difficulty in locating the agency concerned. There is an urgent need for legislation to ensure that consumers are notified that an agency is holding their personal files, informed by any users of a credit agency as to the latest name and address, given the right to inspect, correct and update their files, notified by the agency each time their data is released, and to whom, and given the right to enquire of any credit agency whether it holds a file on them.
At present there is no proposed legislation concerning privacy in the pipeline, although when a Bill of Rights and new Constitution is negotiated, it is likely to contain an article dealing with privacy. Two versions have been proposed: one by the African National Congress and the other by the South African Law Commission.
A bill of rights and constitution which enshrines the protection of privacy will provide a sound foundation upon which to introduce legislation to protect citizens in South Africa from unnecessary invasions of privacy and surveillance by both the state and private organisations.
Professor David McQuoid-Mason
Durban
PANAMA
On December 20, 1990, US Army troops invaded Panama and overthrew the regime of General Manuel Antonio Noriega. Only a few months before, in May 1989, Noriega's army (Fuerzas de defensa) annulled that year's presidential elections, violating Panamanian people's electoral rights. Noriega was the last of the military dictators who governed without respect for human rights.
After the US invasion, the civilian candidates who had won by an overwhelming majority (more than 80 per cent) in the 1989 elections, assumed political power and inaugurated the Democratic Government for National Reconstruction and Reconciliation, headed by Guillermo Endara.
With the formation of the new Democratic government, violations of human rights such as freedom of the press and political rights came to a stop. The development of democratic institutions and the separation of the three classical powers was commenced, and continues to this point.
Nevertheless, Endara's regime has been accused (a year later) of human rights violations such as telephonic espionage against political opponents. A National Attorney General prosecution obtained no results. On the other hand, the National Assembly (Congress) has shown some concern over the existence of a National Security Bureau in the Presidential Office.
Among other accusations are the photographing of demonstrators during the Manifestations.
There has been progress in human rights in Panama and slow but sustained advances in the judicial systems. There are, however, complaints at all levels over alleged lack of will and honesty in the prosecution of crimes by the former military. And while some of the opposition leaders are claiming an injustice (that is, the prosecution of Noriega's allies) others are denouncing government persecution.
Dr Miguel Espino Gonzalez
Panama
HUNGARY
The Hungarian Republic, a former member of the Warsaw Pact, which is no more in existence, is in the state of transition from a totalitarian communist dictatorship to a democratic welfare society. Free parliamentary elections were held in the Spring of 1990 following the introduction of a plural political party system, and a new government was formed by the coalition of the Hungarian Democratic Forum, the Christian Democrats, and the Small Holders' Party with the majority of votes in the new Parliament. Another three parties and some independent MPs are in opposition.
Hungary became a full member of the Council of Europe on the 6th November 1990 and signed an agreement with the Commission of the European Communities for Associated Membership in November 1991.
All these processes called "systems change" requires an almost completely new legislation, especially concerning statutes regulating policy procedures, public administration, basic human and civil rights, as well as laws on privatisation, the newly established and constantly growing private sphere etc i.e. the promotion of the market economy as contrasted with the centrally planned and directed people's economy.
In this situation it is quite understandable that the Parliament and the Government have given privacy matters a considerably low priority.
Although the new constitution was promulgated as early as the Autumn of 1989, and amended since then several times, and it declares privacy in general and the right to personal data protection and freedom of information in particular (art 59 and 61) the new laws assuring the exercise of these rights, though ready to be tabled in the Parliament, are still delayed. What is being discussed however, is the possibility of a law on the old state security files (similar to the stasi files in Germany).
Nevertheless, there is a decision of the Constitutional Court [No 15/1991 (IV 13) AB] declaring as unconstitutional the collection and processing of personal data without specified purposes and for future use at will on the one hand, and the unlimited use of a general and unified personal identification number - introduced in Hungary in the mid 1970s - on the other. This hopefully shall speed up the legislation procedure of certain draft bills. In that respect, the following drafts can be taken into account : Personal and Domicile Registration, Police, National Security, Freedom of Press, Official statistics, and last, but not least, Protection of personal data and access to data of Public Interest. The latter should be regarded as a DP and FOI bill, very strong, complementing the constitution, to be passed by the Parliament with a qualified (two thirds) majority of votes. When in force, it should serve as a foundation for all other legal instruments and provisions on DP and FOI. Consequently it should be passed before any other such, be it on police files or on data collected for statistics production, to avoid a difficult to handle "filius ante patrem" situation.
The draft bill was complete at the end of 1990 because the former government decided in January 1989 to submit it to the Parliament till the deadline just mentioned. The bill still pending takes account of the principles laid down in Convention no. 108 on data protection of the Council of Europe. and for that reason it is also in harmony with the draft directive on DP of the CEC issued last year. It covers both manual and automated files kept and used by both public and private agencies. The usual rights of individuals - to know about, to inspect, to correct their data etc - are guaranteed, based on the notion of informational self determination which can be limited by the force of law only. A parliamentary Commissioner shall control the implementation of the law and keep a file of the existing data handlings.
The other side of the coin i.e. freedom of information, as far as data held by public bodies are concerned, are also regulated by the draft, providing for the free access to all data if not protected for being personal or state secret according to the law. The Parliamentary Commissioner shall investigate the complaints in that respect too.
Dr Pál Könyves Tóth
Budapest
AUSTRALIA
The most significant feature of the Australian privacy scene in 1991 has been the continuing expansion of data matching and other forms of data surveillance by the Commonwealth (federal) government. The Data Matching Program (Assistance and Tax) Act 1990 commenced operation. It authorises and requires most Commonwealth benefit-granting agencies (social security, veteran's benefits, student assistance, and housing assistance) to match beneficiary information between themselves and with the taxation department, in an an attempt to reduce 'double-dipping", income understatement and identity fraud by benefit recipients and taxpayers. The agencies involved have recently reported to Parliament on the initial operation of the scheme.
The Commonwealth Attorney-General's Department is attempting to set up a Law Enforcement Access Network (LEAN) which will aggregate so-called 'publicly available information" - initially from State land information systems and from company records, but later from other sources as well - in order to provide 'one stop shopping' for government agencies who wish to trace assets and transactions in which people of interest to them are involved. Access to LEAN is to be provided to government agencies with loosely-defined 'law enforcement' responsibilities - including the social security department as well as more traditional law enforcement agencies. Access by State government agencies is also envisaged. The government has authorised LEAN to go ahead without any legislative authority (and therefore without any Parliamentary scrutiny), because it claims that such information falls outside the Privacy Act and therefore LEAN does not breach it. The Australian Privacy Foundation challenged this view in a complaint to the Privacy Commissioner, but the compliant has not yet been resolved. The fate of LEAN will be one of the principal privacy issues of 1992.
Privacy advocates had a significant win to end the year - the defeat of the 'Black Box" proposal. The Commonwealth government had been trying for some years to require pharmacies to verify on-line with the Health Insurance Commission (who were responsible for the 'Australia Card' proposal) the eligibility of anyone who was to be supplied pharmaceuticals at a concessional rate. Because they were attempting to prevent non residents from obtaining a subsidy available only to Australian residents, the proposal had the potential for surveillance of the whole community. Although the legislation to implement the system was passed in June (Health Legislation (Pharmaceutical Benefits) Amendment Act 1991), it was made conditional upon the Auditor-General and the Finance Department verifying the government's estimated cost savings. In fact, he showed that the estimates were patently false, and the government was forced to abandon the scheme entirely. In a delightful irony, the only part of the legislation which has survived is that giving the Privacy Commissioner powers to regulate the whole of the Medicare information system (health insurance and pharmaceutical benefits).
The Commonwealth Privacy Commissioner's role during 1991 has not involved any major public confrontations with the government.
No Australian State has yet enacted comprehensive legislation. All states have either enacted Freedom of Information legislation, which also provides rights of correction of personal information in government files, or are in the process of so doing. Beyond that there is confusion. A Bill for an ill-defined "Privacy Tort" was introduced in South Australia but seems to have been deservedly shelved. In New South Wales a bill to create criminal offences for trafficking in personal information in government files has been introduced, and it also provides some extensions to the 'privacy ombudsman" functions of the NSW Privacy Committee.
The most significant role in exposing invasions of privacy has fallen to the New South Wales Independent Commission Against Corruption (ICAC) which, in a long-running series of public hearings has revealed an 'information exchange club" operating both clandestinely and semi-openly between State and Federal public sector agencies, finance and insurance companies, banks, private investigators and other private sector organisations. In a number of cases, one government agency would pay for the officers of other government agencies to be corrupted. The ICAC report on corrupt disclosures is due around March 1992, and may be the impetus for major reforms in both NSW and Federal legislation. ICAC has already been far more effective at exposing illegal invasions of privacy than any privacy protection agency has ever been in Australia, and its report may be of interest beyond these shores.
In relation to the private sector, national credit reporting legislation which is claimed (by the credit industry) to be the most restrictive in the western world has come into force and will be fully operative in February 1992. The legislation (the Privacy Amendment Act 1990) provides the normal range of individual rights, backed up by both criminal offences and provision for damages. The legislation effectively prevents credit information from being used for any significant non-credit purpose. Beyond that, there is as yet, still no significant enforceable privacy law affecting the private sector. The irony of this is that while our credit reporting laws may well provide 'adequate protection" in the terms of the European Community draft directive on data protection, the rest of the Australian private sector will be exposed to restrictions on personal data flows from Europe when the directive comes into force.
Telecommunications privacy is just starting to become a significant issue. A competitive telecommunications carrier (OPTUS) has been selected, and the previous monopoly carrier (Telecom / OTC) is to be removed form the reach of the Privacy ACT. AUSTEL, the telecommunications regulatory body, has started an inquiry into Calling Line Identification, caller ID and other privacy related technological issues. The need for a new legislative structure for telecommunications privacy is urgent.
The Australian Privacy Foundation, the only non-government organisation in Australia involved exclusively in privacy protection, has continued to play a significant role in raising public awareness of privacy issues, and in campaigning on specific issues. It played a major role in organising the successful opposition to the pharmaceutical "black-box" and in campaigning for credit reporting legislation. Jim Nolan has recently succeeded Graham Greenleaf as Chairman, and Simon Davies has stepped down as APF director in order to concentrate on his work for Privacy International.
In summary, the Australian position is similar to other comparable countries. Improvements in data protection laws are occurring in tandem with significant extensions of data surveillance as a principal toll of both government and business. The task of finding and installing appropriate limits on the development of a surveillance society continues to be frustrating, but is not hopeless.
Graham Greenleaf
Sydney
NEW ZEALAND
The following text is taken from a document entitled "The Kiwicard, data matching, and the end of privacy" published in October 1991 by the newly established New Zealand Privacy Foundation.
The Unmasking of a plot.
On the evening of September 11th, 1991, viewers of TV3 watched in amazement as a senior bureaucrat revealed that the Government was in the final stage of planning a secret, high-tech universal ID card. The card would link major Government departments and would have the capacity to track all financial dealings and even geographical movements. The plan was known as "social bank".
The rest is history. Branding the claim as "absolute hysteria", Prime Minister Bolger said no work was proceeding on such a scheme. He was immediately contradicted by the deputy head of Social Welfare, and also by former Prime Minister David Lange, who revealed that work on a "smart card" (a card containing a computer chip) had been going on for four years.
The news should have come as no surprise. Australian privacy campaigner Simon Davies had been warning New Zealand media since 1989 that the country stood a grave risk of such a move. Countries throughout the world have been moving to such a system. Most, however, have much stronger parliamentary and constitutional safeguards than does New Zealand.
The facts uncovered in recent weeks are these :
1. The New Zealand Government plans to extend the Kiwi card to all people, not just those on low incomes.
2. The functions of the Kiwi Card will be extended beyond health benefits so that it will be required for all government benefits, including Social welfare, housing and education.
3. The card will be required to open and operate a bank account, and will ultimately be demanded by employers (those people who do not produce their card will almost certainly be required to pay the highest tax rate).
4. The revelations on TV3 indicate that the card will also be used in a "user pays" road toll system.
5. There are absolutely no limits, safeguards or restrictions on the use of the Kiwicard. It can be demanded by anybody - police, government officials or banks - for any purpose.
6. The Government plans to introduce a data matching program in which files held by seperate government departments will be matched. This plan is occuring without consultation or justification, and in the face of evidence that such programs are fraught with costs and dangers.
Why the Kiwi Card and Data Matching are so dangerous.
New Zealand has a political system based almost entirely on trust and good faith. There is no parliamentary house of review, no enforceable constitution, and no established process of government accountability. When governments in New Zealand propose any measure to monitor or control the population, New Zealanders should demand an exhaustive justification. This simply has not happened. There is no cost benefit justification in the data matching proposal. Remember that when the Government compares all its files on you, it is doing what police could not do unless they had secured a warrant. We are talking here of mass search without warrant. It must not be done unless careful thought has been given to the consequences.
Perhaps the gravest ramification of the governments proposals is the damage that will be done to the relationship between the citizen and the state. We must remember that in any democratic nation, it is the government that is accountable to the people, not the other way round. Governments that argue on the basis of "nothing to hide nothing to fear" are resorting to a flimsy and dangerous argument. No civilised population
should be blackmailed into accepting a revenue measure.
The recent secret plans have revealed that New Zealand policy is being driven by a small clique of elite bureaucrats. Members of parliament, by and large, have little or no idea about the workings or ramifications of these proposals. Policy is no longer made in the party room. It is made by non-elected people. MPs have less and less influence over their government's policy.
You might believe that the situation is New Zealand is different. You might believe our government really cherishes Privacy. Wrong. What has been revealed in recent weeks is nothing short of the sabotage of democracy and trust.
The New Zealand Privacy Foundation is committed to fighting the slow and stealthy intrusion occurring right now in New Zealand. We are not ashamed to make our fears public. We believe that New Zealand without Privacy will be a country without freedom.
The Privacy of Information Bill, 1991
Abridged version of Privacy International's submission to the Parliament of New Zealand.
1. Introduction to the Submission
1.1 Because of the limited time available to Privacy International for analysis of the Bill, this submission is neither detailed nor comprehensive. Instead, we will confine the submission to general points. We would, however, be prepared to present an oral submission to the Committee.
1.2 Privacy International welcomes the initiative of the New Zealand Government in presenting the Privacy of Information Bill. It is a much needed and long awaited measure to deal with a complex and urgent set of problems.
1.3 Notwithstanding the specific concerns set out in this submission, we believe that the Bill satisfies many of the requirements to adequately protect personal privacy in the 1990s. The Bill is generally a positive and practicable initiative which should be warmly received by the people and the Parliament of New Zealand.
1.4 Although the Bill establishes generally satisfactory mechanisms for Privacy protection, there exist a number of deficiencies and ambiguities, and these will be dealt with in this submission. We are particularly concerned by five matters which give rise to concerns about the overall effectiveness of the Bill. Those are
1.4.1 The establishment of unique numbering systems,
1.4.2 The "Kiwi Card",
1.4.3 Data matching programs existing prior to the commencement of the Act,
1.4.4 Requirements relating to application for and determination of requests to establish data matching programmes,and
1.4.5 The Commissioner's jurisdiction relating to the private sector.
2. GENERAL COMMENTS RELATING TO THE BILL
2.1 Privacy International believes that protections against data surveillance and privacy intrusion should be a key concern to the governments of all countries. These issues are, in our view, at least as important as protection of other basic human rights or protection of the environment. Privacy legislation should thus be subject to careful consideration and rigorous scrutiny. The purpose of a Privacy Act is to establish safeguards and limitations to activities that would impinge on the privacy and rights of the individual. However, Privacy International is mindful that legislation can also have the unintended effect of legitimating privacy intrusions by establishing a legal basis for the construction of intrusive information programs. The mere existence of legislation is not, in itself, sufficient to satisfy the expectations of a modern, information based society. Nor does the mere existence of legislation provide any guarantee that privacy violations will be subject to sufficient limitation. In some countries, privacy legislation has been less than successful in limiting the erosion of privacy. Wholesale exemptions provided by legislation, (such as that in IPP 13 (e) of the New Zealand Bill), coupled with the allowance for establishment of non legislative regulations, have weakened the core principles of the Acts of many countries. New Zealand should strive to avoid this example.
2.2 We believe the New Zealand Bill is fundamentally strong, but is likely to be undermined in time through the establishment of precedent, the extension of regulation, and the application of various exemptions. The Parliament should take these factors into consideration when determining whether adequate safeguards are in place in the legislation
2.3 Privacy International is aware that the enforcement of criminal law and the pursuit of public revenue are important elements for the proper functioning of society. However we also believe that a community should understand the cost that sometimes applies to the unreasonable or irrational pursuit of these objects. There are many examples of revenue or efficiency initiatives which have negative elements that outweigh the benefits. In the Pacific region, the massive 1987 protest against the proposed Australia Card is the most well known example of controversy over this balance of interests. In such countries as the Netherlands and West Germany, the general population has outrightly rejected some government information collection schemes that breached the fundamental balance of public interest. The recent proliferation of information technology based schemes within government prompts the conclusion that there is no limit to the the extent of measures intended to pursue law enforcement and revenue. It follows that there is no limit to the possible spectrum of intrusions on privacy. Safeguards must be thoughtfully entrenched in the legislation and subject to public scrutiny.
2.4 The establishment of Information Privacy Principles in the Privacy laws of various countries is an attempt to create a benchmark to assist in determining where to draw the line at intrusion on personal privacy. In Australia, these principles are embodied in the Privacy Act 1988. The New Zealand Bill embodies similar principles. The Australian Act was passed in an environment of suspicion and concern about the proliferation of information within government, and the degree of power exercised by bureaucrats. However, because of broad exemptions and limits to the practicability of the principles, privacy laws are, as much as anything, instruments of good faith. It is our view that the New Zealand Government should view the Privacy of Information Bill not merely as a legal instrument, but also as an ethical guide to the proper and acceptable limits of information collection and use. The technical application of the Information Privacy Principles is no guarantee that in every case the balance of public interest will be served.
2.5 Part IX of the Bill dealing with data matching is inadequate. We are concerned that justification for data matching tends to gravitate to a cost benefit rationale, with other values gradually being excluded. We believe a requirement for the presentation of a "Social Impact Statement" by the applicant agencies might redress some of the problems found in other countries. Such an analysis would assist in the process of determining public interest and would also increase an agencies sensitivity about the range of impacts of information proposals. In addition, applicant agencies should be required to provide detailed technical and program specifications, details of appeal and administrative processes, an assessment of the impact of the program on the agency itself, and a synopsis of procedures for assessment of the impact of the programs. Applicant agencies should also provide an understanding of the algorithms (the logic and basis) of the program. The procedures for dealing with applications should be subject to a degree of public scrutiny.
2.6 The Bill is unclear about requirements relating to existing data matching programs. We believe the first task of the Commissioner should be to conduct a full National Audit of New Zealand Information systems, with a requirement that all existing data matching systems apply under Part IX of the Act within ninety days of notification by the Commissioner.
2.7 Part X of the Bill is entirely unacceptable. The establishment of regulations to govern the setting up of unique identifiers is entirely inappropriate. Unique identifiers are a core concern for privacy protection, and any establishment of such systems should be subject to legislation.
2.8 Privacy International is deeply concerned about the implications in the establishment of the "Kiwi Card" and we believe this initiative should be subject to scrutiny by a Select Committee of Parliament. Following extensive public debate and consultation, any such system should then be established within law and be subject to strict guidelines and limitations.
3. THE EXTENT OF CORRUPT AND ILLEGAL DEALINGS WITH CONFIDENTIAL INFORMATION : THE AUSTRALIAN EXPERIENCE
3.1 Many of our comments and recommendations in this submission are made in the light of the extraordinary evidence revealed during a recent Independent Commission Against Corruption hearing in New South Wales. This inquiry (Operation Tamba) investigated the extent of the illegal sale and trade of personal information held by private organisations and government departments, especially the Police and the Roads and Traffic Authority. In its submission to the inquiry, the Australian Privacy Foundation expressed its deep concern at the magnitude of admissions of such illegal activities. Some bureaucrats had admitted to earning tens of thousands of dollars selling personal information on departmental files. Police had admitted routinely trading information with private investigators, banks, the finance industry and insurance companies. While the Foundation had feared that disclosure of personal information was widespread, the extent of such practices could not have been guessed at. Operation TAMBA is without doubt the most wide-ranging inquiry ever undertaken in Australia into the illegal trade in official information. It has established beyond question that an immediate comprehensive response to such trade is necessary.
3.2 It has become abundantly clear that there is widespread ignorance both in the private and public sector, of the requirements relating to confidentiality of personal information. Coupled with what appears to be large scale institutionalised corruption, people who are the subject of this information are left with grossly ineffective and inadequate privacy protections.. At the time of writing, Australia and New Zealand are equally vulnerable to this corruption.
3.3 The evidence uncovered by Operation TAMBA is relevant to other western nations. Careful consideration must be gives as to whether conditions in similar organisations in other countries are significantly different to those existing in New South Wales. We believe there must be intelligent debate as to whether New Zealand has the same level of endemic and epidemic corruption within some organisations. We believe there are no special conditions existing in New Zealand that would provide immunity from the type and extent of corruption existing in Australia.
3.4 Operation TAMBA has revealed a state of affairs in New South Wales which may well exist in New Zealand. Issues raised in evidence to the inquiry reveal the following :
3.4.1 There is a widespread attitude of casualness in respecting personal and confidential information. No doubt an explanation for this is the belief that information held by government authorities is squarely in the public domain. Over recent decades many police and NSW bureaucrats seem to have formulated a self-serving and unacceptable definition of 'publicly available' information.
3.4.2 A widespread ignorance of the legal regulations relating to the management of personal information has been revealed through numerous admissions both by members of the legal profession and private/mercantile agents. Two and a half years after the enactment of Information Privacy Principles ('IPPs') in Commonwealth legislation, the rationale and contents of the Principles appear to have remained largely the domain of esoteric administrative law. The fact that the NSW Crimes Act did not respond to computerisation of personal records until July 1989 has not helped in this respect. The one official watchdog of the privacy of the people of the State, the NSW Privacy Committee has been forced to adopt a predominantly reactive approach to these issues, through lack of resources and legal power to enforce its guidelines;.
3.4.3 We are forced to conclude because of the magnitude of admissions by witnesses that there are pockets of institutionalised corruption within the NSW Public Service. The absence of effective legal regulation and the ready access to personal information facilitates and promotes such corruption. It appears that demand for such information rises with its ease of availability.
3.4.4 A major factor in the corruption uncovered by ICAC is the lax or virtually non-existent security procedures relating to sensitive personal information. The rationale embodied in such procedures as exist seems to go unrecognised by many members of government instrumentalities and law enforcement authorities. It is clear that security procedures are rarely scrutinised or subject to audits (external or internal). This represents a major shortcoming on the part of administrators, given the relative ease of imposition of multiple levels of security clearance. Security protocols have failed to take advantage of the capabilities afforded by modern technologies.
3.4.5 The collection of personal information by law enforcement authorities may have exceeded its acceptable bounds. It is difficult to suggest reasons for 6.5 million accesses by police to the Roads and Traffic Authority (RTA) database in one year aand in excess of 100,000 number-to-name requests to Telecom by police in the same period. In respect of police inquiries of the RTA database there may well be a breach of the Commonwealth Crimes Act (section 76D) if the inquiry is for an unauthorised purpose, as the access is likely to be by way of a 'Commonwealth facility' (ie. Telecom phone line). These issues go to the heart of the effectiveness of the IPPs as a means of limiting the volume of information collected.
4. THE ESSENTIAL PROBLEM
4.1 The corruption uncovered throughout Operation TAMBA has prospered through recent years because of an environment of carelessness and managerial arrogance within the public service. A general lack of accountability and a lax attitude to consultation and communication within departments gives rise to ignorance and lack of respect to procedures and laws. Some departmental staff cannot comprehend the significance of their actions with regard to the sale and trading of personal information.
4.2 The state of legislation accounts for only a portion of the problem. The trade in personal information has continued - perhaps even expanded - despite the existence since 1989 of specific penalties in the NSW Crimes Act. The responsibility for this state of affairs rests to a large extent with departmental heads who have consistently failed to respond to the need for education. The extent of awareness within the NSW Government appears to be extremely poor when compared with awareness of information privacy requirements at Federal level.
4.3 One of the most valuable effects of legislation is its impact on community attitudes. The existence of privacy laws in New Zealand would go a long way toward bringing awareness of the need for stringent protection of confidential information. But the revelations of Operation TAMBA have established that the existence of law is, by itself, not a sufficient force. The establishment of a pro-active jurisdiction is necessary to focus public attention on particular problems and issues.
5 THE ROLE OF A PRIVACY AND DATA PROTECTION COMMISSIONER
5.1 Based on the experience of Australia and some other western countries such as Canada and Germany, Privacy International believes that a New Zealand Privacy and Data Protection Commissioner should be as much an advocate as a regulator. Certainly, if the Australian Commonwealth jurisdiction has been used as a model for the development of New Zealand legislation, a New Zealand Commissioner should aim to be more of a public advocate for privacy protection than the Australian Commissioner has been to date. The Bill should specify expectations in this regard. The pace of development of information technology applications and the seductive nature of the technology require a strong and well resourced public advocate.
6. RECOMMENDATIONS
Our specific submissions follow:
6.1 Amendments to Information Privacy Principles :
6.1.1 IPP 1. We suggest a clause (c) specifying that an agency wishing to collect information must have inquired into the desirability, alternative options, and public interest in such an activity. The requirement that information collection must be "necessary for" an agency is an impractical limitation on the general collection of information. In Australia, that justification has been contentious, and in recent times has been strengthened by amendments to Health legislation requiring that one information collection scheme be subject to an options and cost benefit report presented to parliament prior to the commencement of the information scheme.
6.1.2 IPP 5 The following should be included in the section :
(c) stored for specific, explicit, and lawful purposes and used in a way consistent with those purposes;
(d) adequate relevant and not excessive in relation to the purposes for which it is stored;
(e) processed fairly and lawfully,
6.1.3 IPP 6 We suggest that (1) of IPP 5 of the Australian Privacy Act be included here. Additionally, this IPP should ensure that record keepers are required to specify whether the record keeper has possession or control of such records relating to the person.
6.1.4 Nature of information. We submit that perhaps through an additional IPP or amending an existing IPP, limitations be placed on use and disclosure of ethnic or racial origin political opinions, religious or philosophical beliefs, trade union membership, and health or sexual life without the express written consent, freely given, of the individual concerned.
6.2 Part IX of the Bill dealing with data matching is inadequate. Fundamental objections to data matching can reasonably be raised on the grounds that data matching programs tend to (a) operate on an assumption of guilt, (b) have uncertain outcomes, (c) be based on a set of incorrect assumptions, and (d) allow rights of search which would be illegal with regard to physical property or privately held files. We are concerned that justification for data matching tends to gravitate to a cost benefit rationale, with other values gradually being excluded. We believe a requirement for the presentation of a "Social Impact Statement" by the applicant agencies might redress some of the problems found in other countries. Such an analysis would assist in the process of determining public interest and would also increase an agency's sensitivity about the range of impacts of information proposals. In addition, applicant agencies should be required to provide detailed technical and program specifications, details of appeal and administrative processes, an assessment of the impact of the program on the agency itself, and a synopsis of procedures for assessment of the impact of the programs. The procedures for dealing with applications should be subject to a degree of public scrutiny.
6.3 The Bill is unclear about requirements relating to existing data matching programs. We believe the first task of the Commissioner should be to conduct a full National Audit of New Zealand Information systems, with a requirement that all existing data matching systems apply under Part IX of the Act within ninety days of notification by the Commissioner.
6.4 Part X of the Bill is entirely unacceptable. The establishment of regulations to govern the setting up of unique identifiers is entirely inappropriate. Unique identifiers are a core concern for privacy protection, and any establishment of such systems should be subject to legislation.
6.5 Privacy International is deeply concerned about the implications in the establishment of the "Kiwi Card" and we believe this initiative should be subject to scrutiny by a Select Committee of Parliament. After extensive public debate and consultation, any such system should then be established within law and be subject to strict guidelines and limitations. The Parliament should be aware of the following major risks associated with identification cards :
6.5.1 The risk that the card will be subject to a range of unforseen applications (function creep)
6.5.2 The danger of the card becoming a general and unofficial identification document demanded by a variety of agencies and officials;
6.5.3 Change in the nature of the relationship between citizen and the state if the card develops into a more general facility;
6.5.4 Problems relating to lost, damaged or stolen cards (which may account for up to ten per cent of cards each year);
6.5.5 The creation of an underclass of people who for a variety of reasons are unwilling or unable to obtain the card (and who, therefore, may be denied services etc)
6.6 Private sector uses of personal data should be regulated by sectoral Codes of Conduct, drawn up by the Privacy Commissioner where authorised by the Act or by Parliamentary resolution, and subject to parliamentary disallowance. Where such Codes exist, compliance with them should be mandatory under the Act.;
6.7 Any aspect of privacy which is not regulated by mandatory IPPs or Codes should be subject to the 'ombudsman-style' powers of investigation and recommendation similar to those possessed by the NSW Privacy Committee. This involves grafting the NSW Privacy Committee model onto the New Zealand Privacy Act model, in order to provide comprehensive but flexible privacy and data protection legislation.
6.8 Offences should be created such as those in sections 1316, 1317 and 1318 of the Australian Social Security Act 1991 relating to the solicitation, disclosure and offering of confidential information.;
6.9 That consideration be given by Parliament for Regulation of privacy intrusive practices which might not be regarded as 'data protection' issues, such as physical surveillance, telecommunication interception and drug-testing.;
6.10 Specific monitoring and approval procedures for any proposed data-matching programs, not just an obligation to notify the Commissioner.;
6.11 A requirement on agencies to provide comprehensive information on request concerning the uses to which information is put, and the various information pathways within government. An adjunct to this should be a requirement to publish an intelligible register of personal information, specifying precisely the uses to which the information is put. A vivid example of the Commonwealth Personal Information Digest's shortcomings is class 118, dealing with occurrence sheets, of the Australian Federal Police's 1989 entry, which shows that personal information of the most sensitive nature may be held on 2 million Australians, but gives an extremely limited indication of its use.. Such a directory is specified in s.20 of the New Zealand Bill, but would appear to be entirely inadequate as a guideline for a useful and instructive directory of information. .Section 20 should specify that the directory will describe paths of information flow between agencies.
6.12 Regulation of trans-border flows of data both within Australia and to overseas destinations should be dealt with specifically in the Bill.
6.13 We believe that funding of the Commissioner should be by way of direct appropriation from consolidated revenue. It is vital that the Commissioner be entirely independent, and not be responsible to a Minister. Rather, the Commissioner should report to the Speaker of the Parliament. Additionally we recommend that a Joint Parliamentary Committee have oversight of the Commissioner's activities.
6.14 A Nation-wide personal information audit be should be immediately established. This would involve an analysis of the magnitude, nature and extent of personal information held within the public sector. Important elements of this audit might be:
* the extent of personal information databases;
* the flow of information between different arms of the New Zealand administration (including law enforcement authorities), between public and private sectors, and between New Zealand and overseas;
* the relevance and necessity of the information held by the various agencies;
* the availability and use of publicly available records containing personal information;
* the security protocols and practices employed in respect of the collection and disclosure of personal information and;
* general compliance with existing legislation regulating such matters.
It is suggested that the audit would be carried out in a relatively short time-frame (approximately 3 months) by a small team of specialist consultants. The object of the audit would not be to produce detailed findings. Rather, it is envisaged that a 'snapshot' of the holdings of and practices relating to personal information be obtained.
6.15 That a special budgetary allocation be made to enable the Commissioner to embark on a three year extensive education program. The targets of this program should be members of the legal profession, members of the police and public service, and private inquiry and mercantile agents.
6.16 Section 4(b) of the Bill should specify the nature and categories of Publicly Available Information. There exists a division of legal opinion in Australia as to whether, for example, certain applications of PAI should be disallowed under the Privacy Act, and whether files containing some PAI are then considered to be, in their entirety, within the public domain. Additionally, it has been argued that IPPs should apply to Publicly Available Information. (particularly IPPs relating to collection and use).
6.17 Section 12(j) of the Bill should be amended to provide the Commissioner with the power of audit without request from the agency concerned
6.18 Section 25 of the Bill should be amended so that the review is conducted by a Select Committee of the Parliament.
6.19 Section 78, specifying that investigations shall be conducted in private, is a cause for some concern, particularly where matters of public interest are being considered. We believe the processes of the Commissioner should be subject to transparency and should therefore be subject to public scrutiny. There should be some debate by the Select Committee as to where the acceptable line of transparency should fall.
6.20 The proceedings of the Privacy Commissioner should embrace formality. The informal procedures adopted by some Privacy Commissioners tend to provide advantage in favour of agencies.
6.21 The Bill should provide that in matters of public interest determination, privacy and other advocates with a specific interest should have a right to appear before the Commissioner. Section 78 should be amended accordingly.
Related:
About PI - Early Documents and Welcome by Justice Kirby
About PI - Early Documents on General Information
|
