Contracting out of Government Services

CHAPTER 6

PRIVACY ISSUES

Introduction

The contracting out of information technology has the potential to place in the hands of private sector contractors sensitive personal or security information. In some cases, that personal information may have been compulsorily acquired by government, as in the case of tax records and social security information. There is a natural concern on the part of the general public particularly about the security of such information but also about rights of access to it when it is no longer under the obvious and direct control of government. Concern has also been expressed that if the same contractor were to win contracts to provide IT services to a range of agencies, the potential for data matching would be facilitated. The contracts themselves, which could be expected to provide provisions for data security and privacy, might be commercial-in-confidence. And the means of seeking redress by aggrieved individuals who fear their privacy has been breached is unclear, as they are not parties to the contract.

In this chapter, the committee considers the present situation regarding the privacy of information held by government, the current levels of privacy abuse, the potential problems in an outsourced IT environment, and options for the future.

The Current Situation

At present, a range of laws and remedies exist to protect privacy and provide redress in the case of a breach of privacy. The Privacy Act 1988 (C'wealth) places legal obligations on Commonwealth agencies, amongst other things, to protect the personal information they collect. Eleven Information Privacy Principles in s.14 of the Act cover the collection of information, the storage of information and access to it, the accuracy and use of the information, and the limits on its use and disclosure. The Privacy Act only covers the private sector in relation to credit reporting and tax file numbers. In addition, the Employment Services Act 1994 (C'wealth) extends the provisions of the Privacy Act to private sector case managers of the long-term unemployed. No State or Territory Government has comparable legislation, though a number adopt privacy clauses in contracts.

On 12 September 1996 the Attorney-General released a discussion paper on the extension of privacy protection to the private sector; in March 1997 the Government decided not to go down that path 'to avoid unnecessary increases in the regulatory burden on industry'.[1]

A variety of privacy codes exists within the Australian private sector - for example, those of the Australian Direct Marketers Association. There is, however, no legislation which would prevent a private organisation from selling customer information or which would enable a customer to prosecute the company for doing so, though a concern to maintain consumer confidence would militate against such action.

A number of Australia's Pacific neighbours have introduced comprehensive privacy protection laws for personal information held within both the public and the private sectors: New Zealand in 1993; Hong Kong and Taiwan in 1995. In October 1995 the European Union passed a Directive on data protection, whose terms oblige EU countries to enact legislation prohibiting the international transfer of personal data to non-EU nations which do not have an adequate level of privacy protection. Concern has been expressed about the implications of this for Australia.

Commonwealth public servants into whose custody much private information is compulsorily entrusted may be charged with misconduct if they misuse that information and, if the charge is proven, may face penalties, including dismissal. Unauthorised disclosures can be a criminal offence, covered by the provisions of section 70 of the Crimes Act (C'wealth) which provides for a maximum two-year term of imprisonment for the offence.

Where an individual's privacy has been breached, the affected individual can make a complaint about the breach to the Privacy Commissioner, who has the power to investigate the matter provided the alleged breach was by an 'agency' covered by the Privacy Act - that is, Commonwealth or ACT Government organisations excluding government business enterprises. After investigation, the Privacy Commissioner may pursue a number of options if a breach of privacy has occurred, including making determinations regarding compensation.

In the private sector, there is currently no such protection. If a breach of privacy occurs, the affected individual may be able to sue for damages under tort law, take legal action under provisions of the Trade Practices Act, or utilise complaints-handling mechanisms - if any - established by the service provider or industry association. If a contractor or an employee of a contractor is at fault, and there is no specification in the contract providing otherwise, an individual whose privacy has been breached will have no contractual rights of redress because he or she is not a party to the contract which is between the government agency and the service provider.

Current Levels of Abuse of Privacy in the IT area

The incidence of security or privacy breaches relating to private information held by government is unknown. A certain number of breaches, particularly the casual 'browsing' of information with no harmful intent, undoubtedly go undetected. Others which are detected are handled by the agencies concerned and are not reported to the Privacy Commissioner. The Privacy Commissioner investigates the complaints received by her office and undertakes own motion investigations of issues that are brought to her attention by the press or the Parliament, but it is unclear what proportion of all breaches of privacy this represents.

The 1992 Report on the Unauthorised Release of Government Information by the New South Wales Independent Commission Against Corruption disclosed 'a massive illicit trade in government information' much of which was obtained via computer searches.[2] The Deputy Ombudsman, Mr John Wood, outlined to the committee evidence of unauthorised disclosure of private information within the police force, despite the highly disciplined context and the significant audit trails available to identify the perpetrator.[3]

The House of Representatives Standing Committee on Legal and Constitutional Affairs, in its 1995 report In Confidence: a report of the inquiry into the protection of confidential personal and commercial information held by the Commonwealth, suggested that 'almost on a daily basis, there are very public examples of disregard for privacy concerns, sometimes concerning information collected by the Commonwealth'. It cited, as examples, Comcare material printed from a stolen computer, given to the CPSU and offered by the CPSU to the media; and the release, by the then Department of Human Services and Health, without the consent of the individuals concerned, of information about pituitary hormone recipients to a number of blood banks.[4]

Since the commencement of operations of the Privacy Act in 1989, the Privacy Commissioner has recorded, as of 4 July 1997, the following allegations of breaches of the Information Privacy Principles by government agencies, excluding complaints about credit providers or tax file number recipients:

Category                                                Complaint files opened   Other major investigations
Collection of data                                      131                      3
Security                                                106                      4
Use of inaccurate or irrelevant data                    109                      1
Disclosure of data or use of data for another purpose   411                      20
TOTAL                                                   757                      28

Ms Scollay drew attention to the 13 incidents of computer printing errors which led to personal information being posted to the wrong persons, commenting that such 'mail-out errors generally create considerable media interest and understandably undermine public confidence in the ability of the government to protect such personal information'.[5]

Despite the wide range of privacy breaches reflected in the table above, Mr Nigel Waters of the Human Rights and Equal Opportunity Commission stressed that the cases in which his organisation had had to intervene were the exception, rather than the rule, and that he would not expect the range of privacy risks to be any different in an outsourced environment.[6]

Regardless of the exact incidence of breaches of privacy relating to government-held private information, it is of a level to cause concern.

Potential Problems in an Outsourced IT Environment

Given the level of privacy abuse which currently exists despite the constraints of the Public Service Act and the criminal law, the committee questions whether the problem is likely to be exacerbated under an outsourced regime.

A major issue at the start of the committee's inquiry was the fear that if a contract went to a multinational firm, some data processing might be conducted offshore, and very possibly in countries which did not have adequate privacy protection and to which the Commonwealth Privacy Act, even if extended to cover contractors, would not apply. The Government has recognised these very real concerns and announced that no offshore processing of information would be allowed under outsourced IT contracts.[7]

The Privacy Commissioner is sufficiently concerned about the potential for outsourcing to cause problems that she indicated to the committee that she would be wanting to investigate early in the life of an outsourced contract that the contractor had in place appropriate procedures to maintain the same level of privacy protection as existed under government provision of the service.[8]

A number of witnesses questioned whether the same awareness of the need to handle private information gathered by government with respect existed in the private sector, particularly following the findings of the 1992 ICAC inquiry. The committee has no firm evidence which indicates that either sector now is inherently more or less trustworthy in this regard. It notes, however, that even under an extended Privacy Act a complainant might not obtain redress for a privacy breach if the company whose 'rogue' employee had caused the breach had taken all reasonable steps to ensure that the employee had been fully aware of his or her responsibilities. Under the Privacy Act, only an organisation can be liable for a breach of the Act.[9]

One issue which might well be worse under an outsourced IT environment is the problem of buck-passing. As Professor Marcia Neave, President of the Administrative Review Council, pointed out, complainants could get passed backwards and forwards between the government department and the contractor, with each body saying it was the other body's problem.[10]

On the other hand, the committee accepts that there are sound commercial arguments for IT outsourcing contractors to maintain a strict privacy protection regime, including contractual penalties for privacy breaches and, as the ultimate deterrent, the threat of termination or non-renewal of the contract.

Options for the Future

The committee is in agreement with the Industry Commission when it stated that:

A change from direct to contracted provision ought not undermine the ability of individuals and organisations to seek redress for decisions or actions for which governments are accountable.[11]

The question is how to achieve this. The present options are primarily through clauses in the contract itself. The Attorney-General's Department pointed to the privacy protection clauses included in the Commonwealth's standard form contracts as providing 'some measure of privacy protection for personal information handled by contractors' in the private sector. It did not proffer a view on whether such clauses were a satisfactory mechanism.[12] In 1994 the Privacy Commissioner published model privacy clauses[13] for use in contracts which the committee understands have been widely used.

It is unclear to the committee whether the privacy clauses contained in the IT contracts already in place are a sufficient protection, in the absence of amendments to the Privacy Act. The 'conditions of contract' in the Department of Veterans' Affairs October 1996 Request for Tender document, which the committee understands varies little from the actual contract, contains a lengthy section, clause 40, on privacy. Paraphrased, it provides for the following:

* the contractor must take all reasonable measures to ensure that personal information is protected against loss, unauthorised access, disclosure or other misuse;

* the contractor must use personal information only for the purposes of fulfilling its obligations and must not disclose it without the written authority of the contract manager;

* the contractor must not transfer personal information outside Australia without the written approval of the contract manager;

* contractors' employees must make an undertaking in writing not to disclose personal information;

* the contractor must cooperate with reasonable requests from DVA regarding Privacy Commissioner activities;

* the contractor agrees to indemnify DVA for any liability arising from a breach of this clause;

* complaints about breaches to either DVA or the contractor must be notified in writing to the other party, as must progress with the complaint.

The committee has not heard of any specific breaches of privacy under the present DVA outsourcing contract. It notes, however, the preference expressed by many witnesses to the inquiry for amendments to the Privacy Act to cover contractors. Mr John Wood, Deputy Ombudsman (Commonwealth) was one who advocated amendments to the Privacy Act rather than building specific privacy provisions into individual contracts:

People have spoken, as they have in submissions to the committee, about being able to build certain things into the contract. That may be fine in terms of promoting the specific interests of the Commonwealth in relation to the handling of that information, but the person who is the subject of the record kept in the database, because they are not party to the contract, has actually no right at all.

That is where the difficulty really arises. In our view, the Privacy Act extensions are so important because they establish a right for the subject person of the database. To us it is quite critical in that process of trust in the delivery of services that that person has a right just as much as the Commonwealth has a right against the contractor if there should be a breach of the privacy provisions.

So you can stipulate it and you can say, 'Yes, if we discover that you have released information about X, Y or Z, then prima facie that is a breach of the contract,' but that leads to no settlement, no recourse or even something as basic as an apology to the person who is the subject of that record that was disclosed.[14]

On 28 April 1997, the Minister for Finance indicated that it was the government's intention to amend the Privacy Act to ensure that it applies to contractors supplying services to the Government in relation to personal information held by them on behalf of the government.[15] It has not done so as yet and the committee has not seen drafts of the proposed amendments to extend the coverage of the Privacy Act to contractors. The committee is unaware whether such amendments are intended to cover IT contractors or all contractors providing services to the federal government. Presumably the intention is to ensure that the same level of access to complaint mechanisms and access to compensation is available, whether the information is handled by an agency or by a contractor. In the view of the Privacy Commissioner, there should be amendments to the definition of 'agency' in s.6 and consequential amendments throughout the Act; there should also be an amendment to s.8, dealing with the issue of vicarious liability.[16]

The committee notes that it is the intention of the government to introduce amendments to the Privacy Act in the current parliamentary sittings.

The committee acknowledges the very real difficulties faced by the government in ensuring that any proposed amendments to the Privacy Act are precise and workable. In the event that the amended legislation is not considered in the present parliamentary sittings, the committee is of the view that no IT outsourcing contract should be entered into by any government agency until the amended legislation is gazetted.

Footnotes:

[1] Senate Hansard, 24 March 1997, p. 2232.

[2] ICAC, Report on Unauthorised Release of Government Information, 1992, vol. 1, p. 3.

[3] Mr John Wood, Committee Hansard, 4 April 1997, p. F&PA 119.

[4] House of Representatives Standing Committee on Legal and Constitutional Affairs, In Confidence, 1995, pp. 161-174.

[5] Finance and Public Administration References Committee, Submissions, vol. 3, p. 568.

[6] Committee Hansard, 4 July 1997, p. F&PA 571.

[7] See evidence, Dr Macdonald, Committee Hansard, 4 July 1997, p. F&PA

[8] Committee Hansard, 4 July 1997, p. F&PA 406.

[9] Finance and Public Administration References Committee, Submissions, vol. 3, p. 571.

[10] Committee Hansard, 16 May 1997, p. F&PA 239.

[11] See Mr Horton-Stephens, Committee Hansard, 19 May 1997, p. F&PA 362.

[12] Finance and Public Administration References Committee, Submissions, vol. 2, p. 377.

[13] Privacy Commissioner, Outsourcing and Privacy, 1994.

[14] Committee Hansard, 4 April 1997, p. F&PA 118.

[15] The Hon. John Fahey, PM program, ABC radio, 28 April 1997.

[16] Finance and Public Administration References Committee, Submissions, vol. 3, p. 570.