CHAPTER 6
PRIVACY ISSUES
Introduction
The contracting out of information technology has the potential
to place in the hands of private sector contractors sensitive personal
or security information. In some cases, that personal information may
have been compulsorily acquired by government, as in the case of tax records
and social security information. There is a natural concern on the part
of the general public particularly about the security of such information
but also about rights of access to it when it is no longer under the obvious
and direct control of government. Concern has also been expressed that
if the same contractor were to win contracts to provide IT services to
a range of agencies, the potential for data matching would be facilitated.
The contracts themselves, which could be expected to contain provisions
for data security and privacy, might be commercial-in-confidence. And
the means of seeking redress by aggrieved individuals who fear their privacy
has been breached is unclear, as they are not parties to the contract.
In this chapter, the committee considers the present situation regarding
the privacy of information held by government, the current levels of privacy
abuse, the potential problems in an outsourced IT environment, and options
for the future.
The Current Situation
At present, a range of laws and remedies exist to protect privacy and
provide redress in the case of a breach of privacy. The Privacy Act
1988 (C'wealth) places legal obligations on Commonwealth agencies,
amongst other things, to protect the personal information they collect.
Eleven Information Privacy Principles in s.14 of the Act cover the collection
of information, the storage of information and access to it, the accuracy
and use of the information, and the limits on its use and disclosure.
The Privacy Act only covers the private sector in relation to credit reporting
and tax file numbers. In addition, the Employment Services Act 1994
(C'wealth) extends the provisions of the Privacy Act to private
sector case managers of the long-term unemployed. No State or Territory
Government has comparable legislation, though a number adopt privacy clauses
in contracts.
On 12 September 1996 the Attorney-General released a discussion paper
on the extension of privacy protection to the private sector; in March
1997 the Government decided not to go down that path 'to avoid unnecessary
increases in the regulatory burden on industry'.[1]
A variety of privacy codes exists within the Australian private sector
- for example, those of the Australian Direct Marketers Association. There
is, however, no legislation which would prevent a private organisation
from selling customer information or which would enable a customer to
prosecute the company for doing so, though a concern to maintain consumer
confidence would militate against such action.
A number of Australia's Pacific neighbours have introduced comprehensive
privacy protection laws for personal information held within both the
public and the private sectors: New Zealand in 1993; Hong Kong and Taiwan
in 1995. In October 1995 the European Union passed a Directive on data
protection, whose terms oblige EU countries to enact legislation prohibiting
the international transfer of personal data to non-EU nations which do
not have an adequate level of privacy protection. Concern has been expressed
about the implications of this for Australia.
Commonwealth public servants into whose custody much private information
is compulsorily entrusted may be charged with misconduct if they misuse
that information and, if the charge is proven, may face penalties, including
dismissal. Unauthorised disclosures can be a criminal offence, covered
by the provisions of section 70 of the Crimes Act (C'wealth) which provides
for a maximum two-year term of imprisonment for the offence.
Where an individual's privacy has been breached, the affected individual
can make a complaint about the breach to the Privacy Commissioner, who
has the power to investigate the matter provided the alleged breach was
by an 'agency' covered by the Privacy Act - that is, Commonwealth or ACT
Government organisations excluding government business enterprises. After
investigation, the Privacy Commissioner may pursue a number of options
if a breach of privacy has occurred, including making determinations regarding
compensation.
In the private sector, there is currently no such protection. If a breach
of privacy occurs, the affected individual may be able to sue for damages
under tort law, take legal action under provisions of the Trade Practices
Act, or utilise complaints-handling mechanisms - if any - established
by the service provider or industry association. If a contractor or an
employee of a contractor is at fault, and there is no specification in
the contract providing otherwise, an individual whose privacy has been
breached will have no contractual rights of redress because he or she
is not a party to the contract which is between the government agency
and the service provider.
Current Levels of Abuse of Privacy in the IT area
The incidence of security or privacy breaches relating to private information
held by government is unknown. A certain number of breaches, particularly
the casual 'browsing' of information with no harmful intent, undoubtedly
go undetected. Others which are detected are handled by the agencies concerned
and are not reported to the Privacy Commissioner. The Privacy Commissioner
investigates the complaints received by her office and undertakes own
motion investigations of issues that are brought to her attention by the
press or the Parliament, but it is unclear what proportion of all breaches
of privacy this represents.
The 1992 Report on the Unauthorised Release of Government Information
by the New South Wales Independent Commission Against Corruption disclosed
'a massive illicit trade in government information' much of which was
obtained via computer searches.[2]
The Deputy Ombudsman, Mr John Wood, outlined to the committee evidence
of unauthorised disclosure of private information within the police force,
despite the highly disciplined context and the significant audit trails
available to identify the perpetrator.[3]
The House of Representatives Standing Committee on Legal and Constitutional
Affairs, in its 1995 report In Confidence: a report of the inquiry
into the protection of confidential personal and commercial information
held by the Commonwealth, suggested that 'almost on a daily basis,
there are very public examples of disregard for privacy concerns, sometimes
concerning information collected by the Commonwealth'. It cited, as examples,
Comcare material printed from a stolen computer, given to the CPSU and
offered by the CPSU to the media; and the release, by the then Department
of Human Services and Health, without the consent of the individuals concerned,
of information about pituitary hormone recipients to a number of blood
banks.[4]
Since the commencement of operations of the Privacy Act in 1989, the
Privacy Commissioner has recorded, as of 4 July 1997, the following allegations
of breaches of the Information Privacy Principles by government agencies,
excluding complaints about credit providers or tax file number recipients:
Category | Complaint files opened | Other major investigations
Collection of data | 131 | 3
Security | 106 | 4
Use of inaccurate or irrelevant data | 109 | 1
Disclosure of data or use of data for another purpose | 411 | 20
TOTAL | 757 | 28
Ms Scollay drew attention to the 13 incidents of computer printing errors
which led to personal information being posted to the wrong persons, commenting
that such 'mail-out errors generally create considerable media interest
and understandably undermine public confidence in the ability of the government
to protect such personal information'.[5]
Despite the wide range of privacy breaches reflected in the table above,
Mr Nigel Waters of the Human Rights and Equal Opportunity Commission stressed
that the cases in which his organisation had had to intervene were the
exception, rather than the rule, and that he would not expect the range
of privacy risks to be any different in an outsourced environment.[6]
Regardless of the exact incidence of breaches of privacy relating to
government-held private information, it is of a level to cause concern.
Potential Problems in an Outsourced IT Environment
Given the level of privacy abuse which currently exists despite the constraints
of the public service act and the criminal law, the committee questions
whether the problem is likely to be exacerbated under an outsourced regime.
A major issue at the start of the committee's inquiry was the fear that
if a contract went to a multinational firm, some data processing might
be conducted offshore, and very possibly in countries which did not have
adequate privacy protection and to which the Commonwealth Privacy Act,
even if extended to cover contractors, would not apply. The Government
has recognised these very real concerns and announced that no offshore
processing of information would be allowed under outsourced IT contracts.[7]
The Privacy Commissioner is sufficiently concerned about the potential
for outsourcing to cause problems that she indicated to the committee
that she would be wanting to investigate early in the life of an outsourced
contract that the contractor had in place appropriate procedures to maintain
the same level of privacy protection as existed under government provision
of the service.[8]
A number of witnesses questioned whether the same awareness of the need
to handle private information gathered by government with respect existed
in the private sector, particularly following the findings of the 1992
ICAC inquiry. The committee has no firm evidence which indicates that
either sector now is inherently more or less trustworthy in this regard.
It notes, however, that even under an extended Privacy Act a complainant
might not obtain redress for a privacy breach if the company whose 'rogue'
employee had caused the breach had taken all reasonable steps to ensure
that the employee had been fully aware of his or her responsibilities.
Under the Privacy Act, only an organisation can be liable for a breach
of the Act.[9]
One issue which might well be worse under an outsourced IT environment
is the problem of buck-passing. As Professor Marcia Neave, President of
the Administrative Review Council, pointed out, complainants could get
passed backwards and forwards between the government department and the
contractor, with each body saying it was the other body's problem.[10]
On the other hand, the committee accepts that there are sound commercial
arguments for IT outsourcing contractors to maintain a strict privacy
protection regime, including contractual penalties for privacy breaches
and, as the ultimate deterrent, the threat of termination or non-renewal
of the contract.
Options for the Future
The committee is in agreement with the Industry Commission when it stated
that:
A change from direct to contracted provision ought not undermine the
ability of individuals and organisations to seek redress for decisions
or actions for which governments are accountable.[11]
The question is how to achieve this. The present options are primarily
through clauses in the contract itself. The Attorney-General's Department
pointed to the privacy protection clauses included in the Commonwealth's
standard form contracts as providing 'some measure of privacy protection
for personal information handled by contractors' in the private sector.
It did not proffer a view on whether such clauses were a satisfactory
mechanism.[12] In 1994 the Privacy
Commissioner published model privacy clauses[13]
for use in contracts which the committee understands have been widely
used.
It is unclear to the committee whether the privacy clauses contained
in the IT contracts already in place are a sufficient protection, in the
absence of amendments to the Privacy Act. The 'conditions of contract'
in the Department of Veterans' Affairs October 1996 Request for Tender
document, which the committee understands varies little from the actual
contract, contains a lengthy section, clause 40, on privacy. Paraphrased,
it provides for the following:
* the contractor must take all reasonable measures to ensure that personal
information is protected against loss, unauthorised access, disclosure
or other misuse;
* the contractor must use personal information only for the purposes
of fulfilling its obligations and must not disclose it without the written
authority of the contract manager;
* the contractor must not transfer personal information outside Australia
without the written approval of the contract manager;
* contractors' employees must make an undertaking in writing not to disclose
personal information;
* the contractor must cooperate with reasonable requests from DVA regarding
Privacy Commissioner activities;
* the contractor agrees to indemnify DVA for any liability arising from
a breach of this clause;
* complaints about breaches to either DVA or the contractor must be notified
in writing to the other party, as must progress with the complaint.
The committee has not heard of any specific breaches of privacy under
the present DVA outsourcing contract. It notes, however, the preference
expressed by many witnesses to the inquiry for amendments to the Privacy
Act to cover contractors. Mr John Wood, Deputy Ombudsman (Commonwealth)
was one who advocated amendments to the Privacy Act rather than building
specific privacy provisions into individual contracts:
People have spoken, as they have in submissions to the committee, about
being able to build certain things into the contract. That may be fine
in terms of promoting the specific interests of the Commonwealth in relation
to the handling of that information, but the person who is the subject
of the record kept in the database, because they are not party to the
contract, has actually no right at all.
That is where the difficulty really arises. In our view, the Privacy
Act extensions are so important because they establish a right for the
subject person of the database. To us it is quite critical in that process
of trust in the delivery of services that that person has a right just
as much as the Commonwealth has a right against the contractor if there
should be a breach of the privacy provisions.
So you can stipulate it and you can say, 'Yes, if we discover that you
have released information about X, Y or Z, then prima facie that is a
breach of the contract,' but that leads to no settlement, no recourse
or even something as basic as an apology to the person who is the subject
of that record that was disclosed.[14]
On 28 April 1997, the Minister for Finance indicated that it was the
government's intention to amend the Privacy Act to ensure that it applies
to contractors supplying services to the Government in relation to personal
information held by them on behalf of the government.[15]
It has not done so as yet and the committee has not seen drafts of the
proposed amendments to extend the coverage of the Privacy Act to contractors.
The committee is unaware whether such amendments are intended to cover
IT contractors or all contractors providing services to the federal government.
Presumably the intention is to ensure that the same level of access to
complaint mechanisms and access to compensation is available, whether
the information is handled by an agency or by a contractor. In the view
of the Privacy Commissioner, there should be amendments to the definition
of 'agency' in s.6 and consequential amendments throughout the Act; there
should also be an amendment to s.8, dealing with the issue of vicarious
liability.[16]
The committee notes that it is the intention of the government to introduce
amendments to the Privacy Act in the current parliamentary sittings.
The committee acknowledges the very real difficulties faced by the government
in ensuring that any proposed amendments to the Privacy Act are precise
and workable. In the event that the amended legislation is not considered
in the present parliamentary sittings, the committee is of the view that
no IT outsourcing contract should be entered into by any government agency
until the amended legislation is gazetted.
Footnotes:
[1] Senate Hansard, 24 March
1997, p. 2232.
[2] ICAC, Report on Unauthorised
Release of Government Information, 1992, vol. 1, p. 3.
[3] Mr John Wood, Committee Hansard,
4 April 1997, p. F&PA 119.
[4] House of Representatives Standing
Committee on Legal and Constitutional Affairs, In Confidence, 1995,
pp. 161-174.
[5] Finance and Public Administration
References Committee, Submissions, vol.3, p. 568.
[6] Committee Hansard, 4
July 1997, p. F&PA 571.
[7] See evidence, Dr Macdonald,
Committee Hansard, 4 July 1997, p. F&PA
[8] Committee Hansard, 4
July 1997, p. F&PA 406.
[9] Finance and Public Administration
References Committee, Submissions, vol. 3, p. 571.
[10] Committee Hansard,
16 May 1997, p. F&PA 239.
[11] See Mr Horton-Stephens,
Committee Hansard, 19 May 1997, p. F&PA 362.
[12] Finance and Public Administration
References Committee, Submissions, vol. 2, p. 377.
[13] Privacy Commissioner, Outsourcing
and Privacy, 1994.
[14] Committee Hansard,
4 April 1997, p. F&PA 118.
[15] The Hon. John Fahey, PM
program, ABC radio, 28 April 1997.
[16] Finance and Public Administration
References Committee, Submissions, vol. 3, p. 570.