Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


III. Privacy topics

Unsolicited Commercial E-mails ("Spam")

Spam legislation (Spam Act 2003) became effective April 2004, outlawing unsolicited marketing messages on electronic mediums including email, SMS (short message service), MMS (multimedia messaging service), and instant messaging; requiring opt-out facilities and an accurate sender address.1 Penalties range up to AUD 1.1 million (~USD 832,000) for businesses that repeatedly violate the law. Emailers must have prior consent of the recipient, although consent can be inferred from prior conduct and relationships.2 The Australian Communications and Media Authority will enforce the law, which has begun establishing enforcement capabilities, although early goals target compliance rather than prosecution.3 Civil liberties organizations have criticized the Spam Act because the search and seizure provisions allow some government employees and police to seize an individual's computer without a search warrant.4

The first infringement notice issued under the Spam Act resulted in a car sales company paying a AUD 6,600 (~USD 5,000) fine for unwanted SMS text messages that were sent to the mobile telephones of people who had listed their numbers in classified advertisements to sell their cars.5 In the first two years of operation of the Spam Act, ACMA issued formal warning letters to 10 companies, entered into enforceable undertakings with five companies, issued 13 infringement notices, and launched its first major prosecution.6 ACMA claims that since the introduction of the Spam Act, spam received in Australia has fallen by 50%.7

In October 2006 ACMA won a landmark prosecution against Clarity1 Pty Ltd, which was alleged to have sent out at least 231 million commercial emails in the first twelve months after the Spam Act commenced, with most of these messages unsolicited and in breach of the Act. The company was ordered to pay AUD $4.5 million, and the company’s director was ordered to pay a further AUD $1 million.8

In May 2007 a Do Not Call register was launched, with 50,000 registrants in the first few hours alone. Unlike similar schemes in the UK and USA, telemarketing firms in Australia will, from June 2007, need to provide their databases to the register, and the register operators will ‘wash’ the databases for them – for a fee.9 Companies contacting people who have listed themselves on the register face fines of up to AUD $1.1 million. However, exempt groups, which include charities, political parties, social researchers and educational institutions, are said to account for 80% of the 800 million telemarketing calls made each year.10

Health privacy

The National E-Health Transition Authority (NeHTA) was created in July 2005 to develop national health information management and information and communication technology standards and specifications. NeHTA is jointly funded by the States, Territories and Australian Governments, and its governance ensures equal participation by all jurisdictions.11

NeHTA is working on a number of initiatives, many of which are the necessary first steps towards a national electronic health records system – things like ensuring different IT systems are interoperable, that there is a system for identifying patients and clinicians accurately and uniquely, and that everyone uses the same ‘language’ when describing medical conditions and medicines. One of NeHTA’s projects is to develop a national model of E-Health Consent for the States and Territories to follow when implementing their systems. That model has not yet been finalised. A key question will be whether the model will follow an "opt in" or an "opt out" model of consent

Meanwhile the New South Wales State Government has been working on its own electronic health records project, Healthelink.12 Despite the NSW health privacy law requiring express consent before a patient is placed on a system to link electronic health records across organizations, it was revealed in June 2005 that pilots planned for late 2005 were being developed instead on the basis of a compulsory record, with only an "opt out" choice as to the sharing of the record with other health service providers.13 The Government exempted itself from the "express consent" requirement by way of regulation, and began the pilots in 2006. Participation by General Practitioners has been low because of their privacy concerns about the system’s design.14

An emerging health privacy issue is the use of software in General Practitioners’ offices, which automatically extract patient data, for sale to pharmaceuticals companies. The Federal Privacy Commissioner dismissed a complaint because the patient data was being de-identified.15 However, the political reaction to the Commissioner’s decision was strong enough that she made a clarifying media statement.16 The federal Minister for Health, the Opposition’s Shadow Minister, and minor parties, all criticized the practice based on the risk of de-identification.17

A major report on genetic privacy was issued in March 2003 by the Australian Law Reform Commission and the Australian Health Ethics Committee of the National Health and Medical Research Council. "Essentially Yours" makes 144 recommendations about the ethical, legal and social implications of genetic privacy.18 The report recommends that privacy laws be harmonized and tailored to address the particular challenges of human genetic information, including extending protection to genetic samples, and acknowledging the familial dimension of genetic information. Employers should not be permitted to collect or use genetic information ­– except in those rare circumstances where this is necessary to protect the health and safety of workers or third parties, and the action complies with stringent standards set by a new Human Genetics Commission of Australia (HGCA). The insurance industry should be required to adopt a range of improved consumer protection policies and practices with respect to its use of genetic information (including family history) for underwriting purposes. A new criminal offense should be created to prohibit someone submitting another person's sample for genetic testing knowing that this is done without consent or other lawful authority. DNA parentage testing should be conducted only with the consent of each person sampled (or both parents in the case of young children), or pursuant to a court order

The Australian Government is preparing a response to the "Essentially Yours" report, although a number of recommendations have already been acted on.19

Financial privacy

A new legislative framework for widespread financial surveillance and secret reporting has recently been put in place. The proposed Anti-Money Laundering and Counter-Terrorism Financing Act 2006 imposes a number of obligations on businesses when they provide certain services, including customer due diligence (identification, verification of identity and ongoing monitoring of transactions), reporting (suspicious matters, threshold transactions and international funds transfer instructions), and record keeping. The Act is due to commence in December 2007

The first series of reforms covers the financial sector (including banks, credit unions and building societies), as well as gaming services (casinos, clubs and wagering service providers) and bullion dealers. The second series of reforms will cover real estate agents, dealers in precious metals and dealers in precious stones and a range of non-financial transaction provided by accountants, lawyers and trust and company service providers.20

Identity Management and Biometrics

In November 2003, Australia introduced the "M-Series" tamper resistant passports.21 In order to meet the requirements of the United States Visa Waiver Program, the Australian government fast-tracked legislation amending the Australian Passports Act in order to provide facial biometric features in passports.22 A Passports Legislation Consultation Group was established, including members from privacy and human rights groups as well as travel, financial and biometrics industries.23

The federal Department of Foreign Affairs and Trade began issuing biometric e-passports, incorporating an unencrypted RFID chip in October 2005, to meet the demands of the US.24 Privacy advocates warned of the dangers of "skimming" and "eavesdropping."25 The Department finally acknowledged these concerns and changes were made to the e-passport’s design.26

The Australian Government, in conjunction with the States and Territories, developed a National Identity Security Strategy in 2005. The projects under way under the auspices of this strategy include the development of a common range of proof of identity documents which government agencies will be able to use to identify clients who register with them for services, the identification of appropriate security standards on those key proof of identity documents, the identification of key data matching elements to improve the integrity of identity information held on existing government databases; and authentication of individuals accessing services

A further project being developed under the National Identity Security Strategy is the Document Verification Service (DVS). The DVS has been described as an online service to check the validity of proof of identity documents against the issuing agency. The DVS project is therefore about flushing out fake foundation documents, such as a fake driver's license or birth certificate, which is then used to apply for a passport or for social security benefits.27

The Australian Government announced in the 2006–07 Budget that the DVS will be rolled out with funding of $28.3 million, building on a prototype service trialed during 2006. The DVS is intended to be a secure, electronic, online system accessible by all key Australian Government, State and Territory agencies, and potentially by the private sector. Agencies authorized to use the DVS will be able to check in real time whether a document presented to them as a proof-of-identity by an individual applying for high value benefits and services was issued by the relevant agency, and that the details on the document are true and accurate. 28

Very little information about the DVS is available publicly, and no independent Privacy Impact Assessment has been done. Any internal privacy impact assessment, or evaluation of the pilot (if either has even been done), has not been published.29 Amendments to electoral laws commencing in April 2007 will require new forms of ‘proof of identity’ for people wishing to enroll to vote, re-enroll, or change their address or other details.30

In April 2005, the NSW Government introduced a new law, to allow the motor vehicle and driver-licensing agency, the Roads and Traffic Authority, to start issuing photographic identity cards to non-drivers. The Photo Card Act 2005 allows the Authority to hold personal information about non-drivers on the same database as for all drivers in the State, and to issue cards using the same unique numbering system.31 The Australian Privacy Foundation campaigned against the proposal, seeing it as introducing a State-based universal identity card by stealth.32

The Access Card

The Australian Government announced in April 2006 that it would introduce a new ‘Access Card’ in 2008. The Access Card is intended to replace a number of existing cards, including the universal Medicare health benefits card, and various social security benefit cards issued by Centrelink and the Department of Veterans’ Affairs. The card would be compulsory from 2010 for anyone who wished to access any of his or her health or social security entitlements.33

The Government proposes to use smart card technology to hold large amounts of data on a chip inside the card. In addition, some information would be clearly visible on the face and back of the card, including the cardholder’s name, photograph, signature and card number

The Access Card would be supported by a new centralised, national population database, the Access Card Register. The database would hold details of children as well as adults, but only adults would be issued with a card (with some exceptions). The database would include biometric photographs, with the intended purpose being facial recognition for a variety of benefits administration, immigration and general law enforcement purposes. Registration for the card is intended to begin in 2008, and will require adults to attend a government office, prove their identity, and be photographed

A wide variety of groups has criticized the proposal as a de facto national ID card.34 In March 2007 the authorizing legislation was withdrawn from the Senate by the Government, following unanimous criticism from a multi-party Senate Committee.35 The Government has announced its intention to re-introduce legislation in June 2007.